diff --git a/.charts.yml b/.charts.yml
index 33e36a233..75dd2c253 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -85,6 +85,10 @@ charts: version: 4.10.1 repository: url: https://kubernetes.github.io/ingress-nginx + - name: ironic + version: 0.2.14 + repository: *openstack_helm_repository + dependencies: *openstack_helm_dependencies - name: keycloak version: 21.4.1 repository:
diff --git a/charts/ironic/Chart.yaml b/charts/ironic/Chart.yaml
new file mode 100644
index 000000000..9a1a84775
--- /dev/null
+++ b/charts/ironic/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Ironic
+home: https://docs.openstack.org/ironic/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Ironic/OpenStack_Project_Ironic_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: ironic
+sources:
+- https://opendev.org/openstack/ironic
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.14
diff --git a/charts/ironic/charts/helm-toolkit/Chart.yaml b/charts/ironic/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 000000000..e827e99f5
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.64
diff --git a/charts/ironic/charts/helm-toolkit/requirements.lock b/charts/ironic/charts/helm-toolkit/requirements.lock
new file mode 100644
index 000000000..808bd945e
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/requirements.lock
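Review bot: The new `ironic` entry in `.charts.yml` pins the chart by name and version only (`version: 0.2.14` against `*openstack_helm_repository`), and the vendored tree it produces carries helm-toolkit `0.2.64` per `charts/ironic/charts/helm-toolkit/Chart.yaml`; whether that is the version `*openstack_helm_dependencies` is meant to resolve to cannot be checked here, since both anchors are defined before this hunk. It would help to confirm that the sync tooling checks the fetched chart against the repository index entry rather than trusting name and version alone, and to record the expectation next to the entry, e.g. `# vendored into charts/ironic; helm-toolkit 0.2.64 ships under charts/ironic/charts/`. The enclosing `charts:` list starts outside the hunk.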
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: '0001-01-01T00:00:00Z'
diff --git a/charts/ironic/charts/helm-toolkit/requirements.yaml b/charts/ironic/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 000000000..27fb08a13
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 000000000..12b84dec1
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves database, or basic auth, style endpoints +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + auth: + admin: + username: root + password: password + service_username: + username: username + password: password + hosts: + default: mariadb + host_fqdn_override: + default: null + path: /dbname + scheme: mysql+pymysql + port: + mysql: + default: 3306 +usage: | + {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} +return: | + mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname +*/}} + +{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $userclass := index . 2 -}} +{{- $port := index . 3 -}} +{{- $context := index . 
4 -}} +{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }} +{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }} +{{- $endpointUser := index $userMap "username" }} +{{- $endpointPass := index $userMap "password" }} +{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }} +{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl new file mode 100644 index 000000000..b7cf28738 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl 
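Review bot: The final `printf "%s://%s:%s@%s:%s%s"` interpolates `$endpointUser` and `$endpointPass` into the URI unescaped, so a credential containing a reserved character (`@`, `:`, `/`, `#`, `%`) yields a URI that the consumer parses into a different user, host or path; the transport variant in `_authenticated_transport_endpoint_uri_lookup.tpl` (both `printf` calls building `$endpointCredAndHost`) has the same gap. The smallest fix is to escape the two values where they are read, using text/template's builtin `urlquery`: `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`, noting that `urlquery` encodes a space as `+`, which should be checked against how oslo.db and oslo.messaging decode userinfo. This directory looks like a vendored copy of upstream helm-toolkit (Apache header, `FIXME(portdirect)` notes elsewhere in the commit), so the change belongs upstream with a re-sync here rather than a local patch.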
@@ -0,0 +1,121 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves endpoint string suitible for use with oslo.messaging transport url + See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL +examples: + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_messaging: + auth: + cinder: + username: cinder + password: password + statefulset: + replicas: 2 + name: rabbitmq-rabbitmq + hosts: + default: rabbitmq + host_fqdn_override: + default: null + path: /cinder + scheme: rabbit + port: + amqp: + default: 5672 + usage: | + {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }} + return: | + rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_messaging: + auth: + cinder: + username: cinder + password: password + statefulset: null + hosts: + default: rabbitmq + host_fqdn_override: + default: null + path: /cinder + scheme: rabbit + port: + amqp: + default: 5672 + usage: | + {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . 
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }} + return: | + rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_messaging: + auth: + cinder: + username: cinder + password: password + statefulset: + replicas: 2 + name: rabbitmq-rabbitmq + hosts: + default: rabbitmq + host_fqdn_override: + default: rabbitmq.openstackhelm.org + path: /cinder + scheme: rabbit + port: + amqp: + default: 5672 + usage: | + {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }} + return: | + rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder +*/}} + +{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $userclass := index . 2 -}} +{{- $port := index . 3 -}} +{{- $context := index . 4 -}} +{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }} +{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }} +{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}} +{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }} +{{- $endpointUser := index $userMap "username" }} +{{- $endpointPass := index $userMap "password" }} +{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $local := dict "endpointCredsAndHosts" list -}} +{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }} +{{- $endpointHostPrefix := $ssMap.name }} +{{- 
range $podInt := until ( atoi (print $ssMap.replicas ) ) }} +{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }} +{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }} +{{- end }} +{{- else }} +{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }} +{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }} +{{- end }} +{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }} +{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }} +{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl new file mode 100644 index 000000000..fb8bbe7d3 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl 
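Review bot: In the statefulset branch, `until ( atoi (print $ssMap.replicas ) )` silently degrades when `replicas` is absent or non-numeric: `print` of a nil value and `atoi` of that text give 0 as far as I can tell, the range adds nothing to `endpointCredsAndHosts`, and the rendered transport URL has no host at all instead of failing the render. Guarding the value before the loop makes the misconfiguration visible at install time, e.g. `{{- $replicas := required "endpoints.<type>.statefulset.replicas must be set" $ssMap.replicas }}` followed by `{{- range $podInt := until ( atoi (print $replicas ) ) }}`. The credential escaping issue raised on `_authenticated_endpoint_uri_lookup.tpl` applies to both `printf` calls here as well; as with that file, the fix should land upstream in helm-toolkit and be re-vendored.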
@@ -0,0 +1,90 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves either the fully qualified hostname, of if defined in the host field + IPv4 for an endpoint. +examples: + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + mariadb.default.svc.cluster.local + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: + host: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + mariadb.default.svc.cluster.local + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: 127.0.0.1 + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + 127.0.0.1 + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: + host: 127.0.0.1 + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + return: | + 127.0.0.1 +*/}} + +{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 
1 -}} +{{- $context := index . 2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointScheme := $endpointMap.scheme }} +{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }} +{{- if kindIs "map" $context.Values.__endpointHost }} +{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }} +{{- end }} +{{- $endpointHost := $context.Values.__endpointHost }} +{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }} +{{- $endpointHostname := printf "%s" $endpointHost }} +{{- printf "%s" $endpointHostname -}} +{{- else }} +{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{- printf "%s" $endpointHostname -}} +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl new file mode 100644 index 000000000..447efe766 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl 
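Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains a dotted run of digits (a constructed example: `db-10.0.0.1.internal`) is treated as a literal address and returned verbatim instead of being resolved through `hostname_fqdn_endpoint_lookup`; `_hostname_short_endpoint_lookup.tpl` later in this commit uses the identical pattern and returns `$type` on a match. Anchoring both patterns, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, restricts the shortcut to bare addresses. `$endpointScheme` is assigned in both files and never read, and since these are vendored helm-toolkit templates the cleanup should go upstream.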
@@ -0,0 +1,41 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the port for an endpoint +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + port: + mysql: + default: 3306 +usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +return: | + 3306 +*/}} + +{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $port := index . 2 -}} +{{- $context := index . 3 -}} +{{- $typeYamlSafe := $type | replace "-" "_" }} +{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }} +{{- $endpointPortMAP := index $endpointMap.port $port }} +{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }} +{{- printf "%1.f" $endpointPort -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl new file mode 100644 index 000000000..3a268c0f7 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl 
@@ -0,0 +1,36 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Gets the token for an endpoint +values: | + endpoints: + keystone: + auth: + admin: + token: zh78JzXgw6YUKy2e +usage: | + {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }} +return: | + zh78JzXgw6YUKy2e +*/}} + +{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}} +{{- $type := index . 0 -}} +{{- $userName := index . 1 -}} +{{- $context := index . 2 -}} +{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }} +{{- printf "%s" $serviceToken -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl new file mode 100644 index 000000000..6877b7bfb --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl 
@@ -0,0 +1,59 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves 'hostname:port' for an endpoint +examples: + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + port: + mysql: + default: 3306 + usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} + return: | + mariadb.default.svc.cluster.local:3306 + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: 127.0.0.1 + host_fqdn_override: + default: null + port: + mysql: + default: 3306 + usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} + return: | + 127.0.0.1:3306 +*/}} + +{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $port := index . 2 -}} +{{- $context := index . 3 -}} +{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{- printf "%s:%s" $endpointHostname $endpointPort -}} +{{- end -}} 
diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl new file mode 100644 index 000000000..26374e348 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl 
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the fully qualified hostname for an endpoint +examples: + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + return: | + mariadb.default.svc.cluster.local + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: mariadb.openstackhelm.openstack.org + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + return: | + mariadb.openstackhelm.openstack.org + - values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: + host: mariadb.openstackhelm.openstack.org + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + return: | + mariadb.openstackhelm.openstack.org +*/}} + +{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 
2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }} +{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }} +{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }} +{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }} +{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }} +{{- end }} +{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }} +{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }} +{{- printf "%s" $endpointHostname -}} +{{- else }} +{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }} +{{- printf "%s" $endpointHostname -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl new file mode 100644 index 000000000..9d6039377 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl 
@@ -0,0 +1,40 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the namespace scoped hostname for an endpoint +values: | + endpoints: + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null +usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }} +return: | + mariadb.default +*/}} + +{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }} +{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }} +{{- printf "%s" $endpointClusterHostname -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl new file mode 100644 index 000000000..cc4d4de62 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl 
@@ -0,0 +1,38 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the namespace scoped hostname for an endpoint +values: | + endpoints: + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null +usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }} +return: | + default +*/}} + +{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }} +{{- printf "%s" $namespace -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl new file mode 100644 index 000000000..f23c624f5 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl 
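Review bot: The header comment's `abstract` says "Resolves the namespace scoped hostname for an endpoint", which is copied from `_hostname_namespaced_endpoint_lookup.tpl`; this define only emits `$namespace` (`printf "%s" $namespace`), as the `return:` example `default` already shows. The abstract should read `Resolves the namespace for an endpoint`, and the `values:` example could drop the `hosts:`/`host_fqdn_override:` keys that the function never reads, keeping only `endpoints.oslo_db.namespace` as optional input. A doc-only fix, but worth sending upstream so the vendored copy stays in sync.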
@@ -0,0 +1,61 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the short hostname for an endpoint +examples: + - values: | + endpoints: + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + return: | + mariadb + - values: | + endpoints: + oslo_db: + hosts: + default: + host: mariadb + host_fqdn_override: + default: null + usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + return: | + mariadb +*/}} + +{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 
2 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointScheme := $endpointMap.scheme }} +{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }} +{{- if kindIs "map" $context.Values.__endpointHost }} +{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }} +{{- end }} +{{- $endpointHost := $context.Values.__endpointHost }} +{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }} +{{- printf "%s" $type -}} +{{- else }} +{{- $endpointHostname := printf "%s" $endpointHost }} +{{- printf "%s" $endpointHostname -}} +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl new file mode 100644 index 000000000..e31c0ebe6 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl 
@@ -0,0 +1,34 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves the service name for an service type +values: | + endpoints: + identity: + name: keystone +usage: | + {{ tuple identity . | include "keystone_endpoint_name_lookup" }} +return: | + "keystone" +*/}} + +{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}} +{{- $type := index . 0 -}} +{{- $context := index . 1 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- $endpointName := index $endpointMap "name" }} +{{- $endpointName | quote -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl new file mode 100644 index 000000000..b2ec6486c --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl 
@@ -0,0 +1,48 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# FIXME(portdirect): it appears the port input here serves no purpose, +# and should be removed. In addition this function is bugged, do we use it? + +{{/* +abstract: | + Resolves the path for an endpoint +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + path: + default: /dbname + port: + mysql: + default: 3306 +usage: | + {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }} +return: | + /dbname +*/}} + +{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $port := index . 2 -}} +{{- $context := index . 3 -}} +{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }} +{{- if kindIs "string" $endpointMap.path }} +{{- printf "%s" $endpointMap.path | default "/" -}} +{{- else -}} +{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }} +{{- printf "%s" $endpointPath -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl new file mode 100644 index 000000000..b35cb0b74 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl 
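Review bot: The two `# FIXME(portdirect)` lines sit outside any `{{/* */}}` block, so they are template body text rather than comments (harmless only because `_`-prefixed files are not rendered), and their claim that the function is unused is contradicted by `_authenticated_endpoint_uri_lookup.tpl` and `_authenticated_transport_endpoint_uri_lookup.tpl` in this same commit, both of which call it for `$endpointPath`; `_keystone_endpoint_scheme_lookup.tpl` carries the identical stale note. The `$port` argument is genuinely unused here, which is the one accurate part. Suggest moving the text into the `{{/* */}}` header and rewording it to `NOTE: the port argument is accepted for call-site symmetry with the scheme lookup and is not used.` upstream, then re-vendoring.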
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 000000000..8d0819cd1
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/ironic/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 000000000..cf2ef3874
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint ":" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 000000000..18453eef4
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon..svc.:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon..svc.:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 000000000..8be771e6c
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 000000000..cacb4b813
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "pathType" "Prefix" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx"
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx"
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx-cluster"
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "pathType" "Prefix" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx"
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "pathType" "Prefix" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ ingressClassName: "nginx"
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "pathType" "Prefix" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ ingressClassName: "nginx"
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" "pathType" "Prefix" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx"
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx"
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ ingressClassName: "nginx-cluster"
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $pathType := index . "pathType" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: {{ $pathType }}
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $pathType := index . "pathType" | default "Prefix" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+ ingressClassName: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort "pathType" $pathType }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+ ingressClassName: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort "pathType" $pathType }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 000000000..6b77004f0
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,142 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db creation and user management. +# It can be used in charts dict created similar to the following: +# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -} +# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" } + +{{- define "helm-toolkit.manifests.job_bootstrap" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $podVolMounts := index . "podVolMounts" | default false -}} +{{- $podVols := index . "podVols" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}} +{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}} +{{- $openrc := index . 
"openrc" | default "true" -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }} +{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }} + labels: +{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - 
name: bootstrap + image: {{ $envAll.Values.images.tags.bootstrap }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{- if eq $openrc "true" }} + env: +{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} +{{- end }} + command: + - /bin/bash + - -c + - /tmp/bootstrap.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: bootstrap-sh + mountPath: /tmp/bootstrap.sh + subPath: bootstrap.sh + readOnly: true + - name: etc-service + mountPath: {{ dir $configFile | quote }} + - name: bootstrap-conf + mountPath: {{ $configFile | quote }} + subPath: {{ base $configFile | quote }} + readOnly: true + - name: bootstrap-conf + mountPath: {{ $logConfigFile | quote }} + subPath: {{ base $logConfigFile | quote }} + readOnly: true +{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- if $podVolMounts }} +{{ $podVolMounts | toYaml | indent 12 }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: bootstrap-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: etc-service + emptyDir: {} + - name: bootstrap-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- if $podVols }} +{{ $podVols | toYaml | indent 8 }} +{{- end }} +{{- end }} 
diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl new file mode 100644 index 000000000..2b7ff2cdc --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl 
@@ -0,0 +1,171 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db creation and user management. +# It can be used in charts dict created similar to the following: +# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -} +# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" } +# +# If the service does not use oslo then the db can be managed with: +# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -} +# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -} +# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" } + +{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $dbToDrop := index . 
"dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}} +{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} +{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }} + labels: +{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + 
nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $dbToDrop := $dbsToDrop }} +{{ $dbToDropType := default "oslo" $dbToDrop.inputType }} + - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }} + image: {{ $envAll.Values.images.tags.db_drop }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: ROOT_DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToDrop.adminSecret | quote }} + key: DB_CONNECTION +{{- if eq $dbToDropType "oslo" }} + - name: OPENSTACK_CONFIG_FILE + value: {{ $dbToDrop.configFile | quote }} + - name: OPENSTACK_CONFIG_DB_SECTION + value: {{ $dbToDrop.configDbSection | quote }} + - name: OPENSTACK_CONFIG_DB_KEY + value: {{ $dbToDrop.configDbKey | quote }} +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} +{{- if eq $dbToDropType "secret" }} + - name: DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToDrop.userSecret | quote }} + key: DB_CONNECTION +{{- end }} + command: + - /tmp/db-drop.py + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: db-drop-sh + mountPath: /tmp/db-drop.py + subPath: db-drop.py + readOnly: true + +{{- if eq $dbToDropType "oslo" }} + - name: etc-service + mountPath: {{ dir $dbToDrop.configFile | quote }} + - name: db-drop-conf + mountPath: {{ $dbToDrop.configFile | quote }} + subPath: {{ base $dbToDrop.configFile | quote }} + readOnly: true + - name: db-drop-conf + mountPath: {{ $dbToDrop.logConfigFile | quote }} + subPath: {{ base $dbToDrop.logConfigFile 
| quote }} + readOnly: true +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: db-drop-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- $local := dict "configMapBinFirst" true -}} +{{- range $key1, $dbToDrop := $dbsToDrop }} +{{- $dbToDropType := default "oslo" $dbToDrop.inputType }} +{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }} +{{- $_ := set $local "configMapBinFirst" false }} + - name: etc-service + emptyDir: {} + - name: db-drop-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl new file mode 100644 index 000000000..b8a1dce3b --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl 
@@ -0,0 +1,170 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db creation and user management. +# It can be used in charts dict created similar to the following: +# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -} +# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" } +# +# If the service does not use oslo then the db can be managed with: +# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -} +# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -} +# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" } + +{{- define "helm-toolkit.manifests.job_db_init_mysql" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $dbToInit := index . 
"dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}} +{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} +{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }} + labels: +{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | 
indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $dbToInit := $dbsToInit }} +{{ $dbToInitType := default "oslo" $dbToInit.inputType }} + - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }} + image: {{ $envAll.Values.images.tags.db_init }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: ROOT_DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToInit.adminSecret | quote }} + key: DB_CONNECTION +{{- if eq $dbToInitType "oslo" }} + - name: OPENSTACK_CONFIG_FILE + value: {{ $dbToInit.configFile | quote }} + - name: OPENSTACK_CONFIG_DB_SECTION + value: {{ $dbToInit.configDbSection | quote }} + - name: OPENSTACK_CONFIG_DB_KEY + value: {{ $dbToInit.configDbKey | quote }} +{{- end }} +{{- if eq $dbToInitType "secret" }} + - name: DB_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $dbToInit.userSecret | quote }} + key: DB_CONNECTION +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} + command: + - /tmp/db-init.py + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: db-init-sh + mountPath: /tmp/db-init.py + subPath: db-init.py + readOnly: true +{{- if eq $dbToInitType "oslo" }} + - name: etc-service + mountPath: {{ dir $dbToInit.configFile | quote }} + - name: db-init-conf + mountPath: {{ $dbToInit.configFile | quote }} + subPath: {{ base $dbToInit.configFile | quote }} + readOnly: true + - name: db-init-conf + mountPath: {{ $dbToInit.logConfigFile | quote }} + subPath: {{ base 
$dbToInit.logConfigFile | quote }} + readOnly: true +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: db-init-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- $local := dict "configMapBinFirst" true -}} +{{- range $key1, $dbToInit := $dbsToInit }} +{{- $dbToInitType := default "oslo" $dbToInit.inputType }} +{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }} +{{- $_ := set $local "configMapBinFirst" false }} + - name: etc-service + emptyDir: {} + - name: db-init-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl new file mode 100644 index 000000000..4696c88fd --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl 
@@ -0,0 +1,138 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for db migration and management. +# It can be used in charts dict created similar to the following: +# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -} +# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" } + +{{- define "helm-toolkit.manifests.job_db_sync" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} +{{- $podVolMounts := index . "podVolMounts" | default false -}} +{{- $podVols := index . "podVols" | default false -}} +{{- $podEnvVars := index . "podEnvVars" | default false -}} +{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}} +{{- $secretBin := index . 
"secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} +{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }} + labels: +{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: 
{{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }} + image: {{ $dbToSync.image | quote }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{- if $podEnvVars }} + env: +{{ $podEnvVars | toYaml | indent 12 }} +{{- end }} + command: + - /bin/bash + - -c + - /tmp/db-sync.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: db-sync-sh + mountPath: /tmp/db-sync.sh + subPath: db-sync.sh + readOnly: true + - name: etc-service + mountPath: {{ dir $dbToSync.configFile | quote }} + - name: db-sync-conf + mountPath: {{ $dbToSync.configFile | quote }} + subPath: {{ base $dbToSync.configFile | quote }} + readOnly: true + - name: db-sync-conf + mountPath: {{ $dbToSync.logConfigFile | quote }} + subPath: {{ base $dbToSync.logConfigFile | quote }} + readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- if $podVolMounts }} +{{ $podVolMounts | toYaml | indent 12 }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: db-sync-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: etc-service + emptyDir: {} + - name: db-sync-conf + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- if $podVols }} +{{ $podVols | toYaml | indent 8 }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl new file mode 100644 index 000000000..d69c9e6ec 
--- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl 
@@ -0,0 +1,131 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for keystone service management. +# It can be used in charts dict created similar to the following: +# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -} +# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" } + +{{- define "helm-toolkit.manifests.job_ks_endpoints" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $serviceTypes := index . "serviceTypes" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }} +{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: {{ $restartPolicy }} + {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" 
| indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $osServiceType := $serviceTypes }} +{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} + - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }} + image: {{ $envAll.Values.images.tags.ks_endpoints }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/ks-endpoints.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: ks-endpoints-sh + mountPath: /tmp/ks-endpoints.sh + subPath: ks-endpoints.sh + readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: OS_SVC_ENDPOINT + value: {{ $osServiceEndPoint | quote }} + - name: OS_SERVICE_NAME + value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }} + - name: OS_SERVICE_TYPE + value: {{ $osServiceType | quote }} + - name: OS_SERVICE_ENDPOINT + value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- end }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: ks-endpoints-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | 
indent 8 }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl new file mode 100644 index 000000000..9604c6372 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl 
@@ -0,0 +1,125 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for keystone service management. +# It can be used in charts dict created similar to the following: +# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -} +# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" } + +{{- define "helm-toolkit.manifests.job_ks_service" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $serviceTypes := index . "serviceTypes" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_service" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }} +{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: {{ $restartPolicy }} + {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} 
+{{- end}} + initContainers: +{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +{{- range $key1, $osServiceType := $serviceTypes }} + - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }} + image: {{ $envAll.Values.images.tags.ks_service }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/ks-service.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: ks-service-sh + mountPath: /tmp/ks-service.sh + subPath: ks-service.sh + readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: OS_SERVICE_NAME + value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }} + - name: OS_SERVICE_TYPE + value: {{ $osServiceType | quote }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: ks-service-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl new file mode 100644 index 000000000..58dcdc5c6 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl 
@@ -0,0 +1,155 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for keystone user management. +# It can be used in charts dict created similar to the following: +# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" } +# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" } + +{{/* + # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml: + # example: + # values: | + # pod: + # security_context: + # ks_user: + # pod: + # runAsUser: 65534 + # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values: + # example: + # values: | + # pod: + # security_context: + # ks_user: + # container: + # ks-user: + # runAsUser: 65534 + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false +*/}} + +{{- define "helm-toolkit.manifests.job_ks_user" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $serviceUser := index . "serviceUser" | default $serviceName -}} +{{- $secretBin := index . 
"secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +{{- $restartPolicy_ := "OnFailure" -}} +{{- if hasKey $envAll.Values "jobs" -}} +{{- if hasKey $envAll.Values.jobs "ks_user" -}} +{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }} +{{- end }} +{{- end }} +{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }} +{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }} + labels: +{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} +{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: {{ $restartPolicy }} + {{ 
tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: ks-user + image: {{ $envAll.Values.images.tags.ks_user }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/ks-user.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: ks-user-sh + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: SERVICE_OS_SERVICE_NAME + value: {{ $serviceName | quote }} +{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }} +{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} +{{- end }} + - name: SERVICE_OS_ROLES + {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }} + {{- if kindIs "slice" $serviceOsRoles }} + value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }} + {{- else }} + value: {{ $serviceOsRoles | quote }} + {{- end }} + volumes: + - name: pod-tmp + 
emptyDir: {} + - name: ks-user-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl new file mode 100644 index 000000000..2cfadafe3 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl 
@@ -0,0 +1,130 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.manifests.job_rabbit_init" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $serviceUser := index . "serviceUser" | default $serviceName -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}} +{{- $tlsSecret := index . 
"tlsSecret" | default "" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} +{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }} + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: rabbit-init + image: {{ $envAll.Values.images.tags.rabbit_init | quote }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include 
"helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/rabbit-init.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: rabbit-init-sh + mountPath: /tmp/rabbit-init.sh + subPath: rabbit-init.sh + readOnly: true +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} + env: + - name: RABBITMQ_ADMIN_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $envAll.Values.secrets.oslo_messaging.admin }} + key: RABBITMQ_CONNECTION + - name: RABBITMQ_USER_CONNECTION + valueFrom: + secretKeyRef: + name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }} + key: RABBITMQ_CONNECTION +{{- if $envAll.Values.conf.rabbitmq }} + - name: RABBITMQ_AUXILIARY_CONFIGURATION + value: {{ toJson $envAll.Values.conf.rabbitmq | quote }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }} + - name: RABBITMQ_X509 + value: "REQUIRE X509" + - name: USER_CERT_PATH + value: {{ $tlsPath | quote }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: rabbit-init-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl new file mode 100644 index 000000000..b5fdc09c3 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl 
@@ -0,0 +1,148 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for linking an s3 bucket to an s3 user. +# It can be used in charts dict created similar to the following: +# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" } +# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" } + +{{- define "helm-toolkit.manifests.job_s3_bucket" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}} +{{- $s3Bucket := index . "s3Bucket" | default $serviceName }} +{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}} +{{- $tlsCertificatePath := index . 
"tlsCertificatePath" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }} +{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }} + labels: +{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: s3-bucket + image: {{ $envAll.Values.images.tags.s3_bucket }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + 
command: + - /bin/bash + - -c + - /tmp/create-s3-bucket.sh + env: +{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }} +{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }} +{{- end }} +{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: s3-bucket-sh + mountPath: /tmp/create-s3-bucket.sh + subPath: create-s3-bucket.sh + readOnly: true + - name: etcceph + mountPath: /etc/ceph + - name: ceph-etc + mountPath: /etc/ceph/ceph.conf + subPath: ceph.conf + readOnly: true + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + mountPath: /tmp/client-keyring + subPath: key + readOnly: true + {{ end }} +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: {{ $tlsCertificateSecret }} + mountPath: {{ $tlsCertificatePath }} + subPath: ca.crt + readOnly: true +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: s3-bucket-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: etcceph + emptyDir: {} + - name: ceph-etc + configMap: + name: {{ $configMapCeph | quote }} + defaultMode: 0444 + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + secret: + secretName: pvc-ceph-client-key + {{ end }} +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: {{ $tlsCertificateSecret }} + secret: + secretName: {{ $tlsCertificateSecret }} + defaultMode: 292 +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl new file mode 100644 index 000000000..77d1a71e9 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl 
@@ -0,0 +1,160 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for s3 user management. +# It can be used in charts dict created similar to the following: +# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" } +# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" } + +{{- define "helm-toolkit.manifests.job_s3_user" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }} +{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }} + labels: +{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{ tuple $serviceAccountName $envAll | include "helm-toolkit.snippets.custom_job_annotations" | indent 4 -}} +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: ceph-keyring-placement + image: {{ $envAll.Values.images.tags.ceph_key_placement }} + 
imagePullPolicy: {{ $envAll.Values.images.pull_policy }} + command: + - /tmp/ceph-admin-keyring.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: etcceph + mountPath: /etc/ceph + - name: ceph-keyring-sh + mountPath: /tmp/ceph-admin-keyring.sh + subPath: ceph-admin-keyring.sh + readOnly: true + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + mountPath: /tmp/client-keyring + subPath: key + readOnly: true + {{ end }} + containers: + - name: s3-user + image: {{ $envAll.Values.images.tags.s3_user }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /bin/bash + - -c + - /tmp/create-s3-user.sh + env: +{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }} +{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }} +{{- end }} +{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }} + - name: RGW_HOST + value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: create-s3-user-sh + mountPath: /tmp/create-s3-user.sh + subPath: create-s3-user.sh + readOnly: true + - name: etcceph + mountPath: /etc/ceph + - name: ceph-etc + mountPath: /etc/ceph/ceph.conf + subPath: ceph.conf + readOnly: true + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + mountPath: /tmp/client-keyring + subPath: key + readOnly: true + {{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: create-s3-user-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: ceph-keyring-sh + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 
0555 + - name: etcceph + emptyDir: {} + - name: ceph-etc + configMap: + name: {{ $configMapCeph | quote }} + defaultMode: 0444 + {{- if empty $envAll.Values.conf.ceph.admin_keyring }} + - name: ceph-keyring + secret: + secretName: pvc-ceph-client-key + {{ end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl new file mode 100644 index 000000000..0906df4c9 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl 
@@ -0,0 +1,119 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# This function creates a manifest for the image repo sync jobs. +# It can be used in charts dict created similar to the following: +# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -} +# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" } + +{{- define "helm-toolkit.manifests.job_image_repo_sync" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $jobAnnotations := index . "jobAnnotations" -}} +{{- $jobLabels := index . "jobLabels" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} +{{- $podVolMounts := index . "podVolMounts" | default false -}} +{{- $podVols := index . "podVols" | default false -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $secretBin := index . "secretBin" -}} +{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} +{{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }} +{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }} + labels: +{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook-delete-policy": before-hook-creation +{{- if $jobAnnotations }} +{{ toYaml $jobAnnotations | indent 4 }} +{{- end }} +spec: + backoffLimit: {{ $backoffLimit }} +{{- if $activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $activeDeadlineSeconds }} +{{- end }} + template: + metadata: + labels: +{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{- if $jobLabels }} +{{ toYaml $jobLabels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }} + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} +{{- if $tolerationsEnabled }} +{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{- end}} + initContainers: +{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: image-repo-sync +{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: LOCAL_REPO + value: "{{ 
tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" + - name: IMAGE_SYNC_LIST + value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}" + command: + - /bin/bash + - -c + - /tmp/image-repo-sync.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: bootstrap-sh + mountPath: /tmp/image-repo-sync.sh + subPath: image-repo-sync.sh + readOnly: true + - name: docker-socket + mountPath: /var/run/docker.sock +{{- if $podVolMounts }} +{{ $podVolMounts | toYaml | indent 12 }} +{{- end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: bootstrap-sh +{{- if $secretBin }} + secret: + secretName: {{ $secretBin | quote }} + defaultMode: 0555 +{{- else }} + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +{{- end }} + - name: docker-socket + hostPath: + path: /var/run/docker.sock +{{- if $podVols }} +{{ $podVols | toYaml | indent 8 }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_network_policy.tpl new file mode 100644 index 000000000..405197ab7 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_network_policy.tpl 
@@ -0,0 +1,238 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a network policy manifest for services. +values: | + endpoints: + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP + network_policy: + myLabel: + podSelector: + matchLabels: + component: api + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - namespaceSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 +usage: | + {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }} + {{ dict "envAll" . 
"key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}} +return: | + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myLabel + component: api + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myApp + component: myComp + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 +*/}} + +{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} +{{- $envAll := index . "envAll" -}} +{{- $name := index . "name" -}} +{{- $labels := index . "labels" | default nil -}} +{{- $label := index . "key" | default (index . 
"label") -}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $label | replace "_" "-" }}-netpol + namespace: {{ $envAll.Release.Namespace }} +spec: +{{- if hasKey (index $envAll.Values "network_policy") $label }} + policyTypes: +{{- $is_egress := false -}} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_egress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }} + - Egress +{{ end -}} +{{- $is_ingress := false -}} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_ingress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} + - Ingress +{{ end -}} +{{- end }} + podSelector: + matchLabels: +{{- if empty $labels }} + {{ $name }}: {{ $label }} +{{- else }} +{{ range $k, $v := $labels }} + {{ $k }}: {{ $v }} +{{- end }} +{{- end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }} +{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }} +{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }} +{{ end }} +{{ end }} +{{ end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} + egress: +{{- range $key, $value := $envAll.Values.endpoints }} +{{- if kindIs "map" $value }} +{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }} + - to: +{{- if index $value "namespace" }} + - namespaceSelector: + matchLabels: + name: {{ index $value "namespace" }} +{{- else if index $value "hosts" }} +{{- $defaultValue := index $value "hosts" "internal" }} +{{- if hasKey (index $value "hosts") "internal" }} +{{- 
$a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- else }} +{{- $defaultValue := index $value "hosts" "default" }} +{{- $a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- end }} +{{- end }} +{{- if index $value "port" }} + ports: +{{- range $k, $v := index $value "port" }} +{{- if $k }} +{{- range $pk, $pv := $v }} +{{- if and $pv (ne $pk "protocol") }} + - port: {{ $pv }} + protocol: {{ $v.protocol | default "TCP" }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- if index $envAll.Values.network_policy $label "egress" }} +{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if index $envAll.Values.network_policy $label "ingress" }} + ingress: +{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl new file mode 100644 index 000000000..7ad505b55 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl 
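Review bot: The egress peers derived from `endpoints.*.hosts` are selected only by an `application` label equal to the first hyphen-separated token of the host name (`split "-" $defaultValue` then `index $a._0`), which is a naming convention rather than an identity: every pod in the namespace carrying that label becomes a permitted egress target, and a host that does not follow the `<application>-...` pattern yields a selector for a label no pod has and silently drops that peer. A comment above the first `split` line would make the assumption explicit: `{{/* egress peers are matched by application label; assumes endpoint hostnames are '<application>-...' */}}`. The `namespaceSelector` branch matches on a `name: <namespace>` label, which Kubernetes does not set by itself (the `kubernetes.io/metadata.name` label is the automatically managed one on recent clusters), so the generated rule only works where operators label namespaces that way; worth a note next to it. The `{{ end }}` lines after the `podSelector` block lack the `-` trim and emit blank lines into the manifest, harmless but inconsistent with the rest of the template.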
@@ -0,0 +1,78 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a authenticating a registry with a secret +examples: + - values: | + annotations: + secret: + oci_image_registry: + {{ $serviceName }}: + custom.tld/key: "value" + secrets: + oci_image_registry: + {{ $serviceName }}: {{ $keyName }} + endpoints: + oci_image_registry: + name: oci-image-registry + auth: + enabled: true + {{ $serviceName }}: + name: {{ $userName }} + password: {{ $password }} + usage: | + {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: {{ $secretName }} + annotations: + custom.tld/key: "value" + type: kubernetes.io/dockerconfigjson + data: + dockerconfigjson: {{ $dockerAuth }} +*/}} + +{{- define "helm-toolkit.manifests.secret_registry" }} +{{- $envAll := index . "envAll" }} +{{- $registryUser := index . 
"registryUser" }} +{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }} +{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }} +{{/* +We only use "host:port" when port is non-null, else just use "host" +*/}} +{{- $registryPort := "" }} +{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }} +{{- if $port }} +{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $registryPort = printf ":%s" $port }} +{{- end }} +{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }} +{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }} +{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + annotations: +{{ tuple "oci_image_registry" $registryUser $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ $dockerAuth }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl new file mode 100644 index 000000000..c80034030 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl 
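Review bot: `$dockerAuth` is assembled with `printf` into a JSON literal, so a registry host or credential containing `"` or `\` produces an invalid `.dockerconfigjson` that the base64 step hides until the kubelet fails the pull; building the object with `dict` and `toJson` escapes correctly: `{{- $dockerAuth := dict "auths" (dict (printf "%s%s" $registryHost $registryPort) (dict "auth" $dockerAuthToken)) | toJson | b64enc }}`. The example block at the top of the file does not match the code: it shows `name:`/`password:` under `auth.{{ $serviceName }}` while the template reads `$imageCredentials.username`, and `dockerconfigjson:` where the manifest emits `.dockerconfigjson:`. `$imageCredentials` is indexed without a guard, so a missing `auth` entry for `$registryUser` fails with a nil-pointer message instead of naming the values key; a `required` with a clear message would help operators.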
@@ -0,0 +1,119 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a manifest for a services public tls secret +examples: + - values: | + annotations: + secret: + tls: + key_manager_api_public: + custom.tld/key: "value" + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + key_manager: + host_fqdn_override: + public: + tls: + crt: | + FOO-CRT + key: | + FOO-KEY + ca: | + FOO-CA_CRT + usage: | + {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: barbican-tls-public + annotations: + custom.tld/key: "value" + type: kubernetes.io/tls + data: + tls.key: Rk9PLUtFWQo= + tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo= + + - values: | + secrets: + tls: + key_manager: + api: + public: barbican-tls-public + endpoints: + key_manager: + host_fqdn_override: + public: + tls: + crt: | + FOO-CRT + FOO-INTERMEDIATE_CRT + FOO-CA_CRT + key: | + FOO-KEY + usage: | + {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} + return: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: barbican-tls-public + type: kubernetes.io/tls + data: + tls.key: Rk9PLUtFWQo= + tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg== +*/}} + +{{- define "helm-toolkit.manifests.secret_ingress_tls" }} +{{- $envAll := index . "envAll" }} +{{- $endpoint := index . 
"endpoint" | default "public" }} +{{- $backendServiceType := index . "backendServiceType" }} +{{- $backendService := index . "backendService" | default "api" }} +{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }} +{{- if hasKey $host $endpoint }} +{{- $endpointHost := index $host $endpoint }} +{{- if kindIs "map" $endpointHost }} +{{- if hasKey $endpointHost "tls" }} +{{- if and $endpointHost.tls.key $endpointHost.tls.crt }} + +{{- $customAnnotationKey := printf "%s_%s_%s" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} + annotations: +{{ tuple "tls" $customAnnotationKey $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }} +type: kubernetes.io/tls +data: + tls.key: {{ $endpointHost.tls.key | b64enc }} +{{- if $endpointHost.tls.ca }} + tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }} +{{- else }} + tls.crt: {{ $endpointHost.tls.crt | b64enc }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/ironic/charts/helm-toolkit/templates/manifests/_service-ingress.tpl new file mode 100644 index 000000000..d2e7c0e8b --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/manifests/_service-ingress.tpl 
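Review bot: When a `tls` block is present but only one of `tls.key`/`tls.crt` is set, the `and` guard renders nothing and the release installs without its public TLS secret, a gap an ingress controller usually masks by serving its default certificate; an `{{- else }}{{ fail "..." }}` on that guard, or at least a comment on the `{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}` line such as `{{/* both key and crt are required; a partial tls block renders no secret */}}`, would surface the misconfiguration at template time. `hasKey $host $endpoint` presumes `host_fqdn_override` is a map; a scalar there errors inside `hasKey`, presumably excluded by the values schema but worth stating. The `ca` value is appended after the leaf certificate in `tls.crt`, which is the expected chain order; since it is not stored separately, consumers needing a `ca.crt` key must obtain it elsewhere.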
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 000000000..bf1465b23
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
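Review bot: The `clusterIP` lookup indexes `$envAll.Values.endpoints` with `$backendServiceType` verbatim, while the usage comment passes a hyphenated name (`"key-manager"`) and the sibling secret templates in this commit normalise with `replace "-" "_"` before indexing `endpoints`; if endpoint keys use underscores as they do elsewhere in the toolkit, the three `if` guards are always false and `clusterIP` is never rendered. Suggest `{{- $endpointKey := $backendServiceType | replace "-" "_" -}}` after the variable setup and indexing with `$endpointKey` in the three guards and the `clusterIP` line. The selector `app: ingress-api` is hard-coded, so the Service routes to whatever pods carry that label in the release namespace; a comment naming the ingress chart it depends on would help. The header comments sit outside `{{/* */}}` and are rendered as text, harmless in an underscore-prefixed file but inconsistent with the other templates.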
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 000000000..08796d29c
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
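Review bot: The non-http branch passes `--no-check-certificate` unconditionally, so every HTTPS run hands the admin and user access/secret keys to an endpoint whose certificate is never validated; the flag should be opt-in, e.g. `CONNECTION_ARGS+=" --ca-certs=$RGW_CA_CERT"` (a new variable pointing at the RGW CA bundle) with `--no-check-certificate` only behind an explicit switch. The secret keys also appear on the `s3cmd` command line and therefore in the container's process listings; s3cmd can read them from a config file passed with `-c` instead. `s3://$S3_BUCKET` and the `--acl-grant` arguments are unquoted, so a value with whitespace splits into extra arguments; double-quote those expansions.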
@@ -0,0 +1,65 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "helm-toolkit.scripts.create_s3_user" }} +#!/bin/bash +set -e +function create_s3_user () { + echo "Creating s3 user and key pair" + radosgw-admin user create \ + --uid=${S3_USERNAME} \ + --display-name=${S3_USERNAME} \ + --key-type=s3 \ + --access-key ${S3_ACCESS_KEY} \ + --secret-key ${S3_SECRET_KEY} +} +function update_s3_user () { + # Retrieve old access keys, if they exist + old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \ + | jq -r '.keys[].access_key' || true) + + if [[ ! -z ${old_access_keys} ]]; then + for access_key in $old_access_keys; do + # If current access key is the same as the key supplied, do nothing. + if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then + echo "Current user and key pair exists." 
+ continue + else + # If keys differ, remove previous key + radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key + fi + done + fi + + # Perform one more additional check to account for scenarios where multiple + # key pairs existed previously, but one existing key was the supplied key + current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \ + | jq -r '.keys[].access_key' || true) + + # If the supplied key does not exist, modify the user + if [[ -z ${current_access_key} ]]; then + # Modify user with new access and secret keys + echo "Updating existing user's key pair" + radosgw-admin user modify \ + --uid=${S3_USERNAME}\ + --access-key ${S3_ACCESS_KEY} \ + --secret-key ${S3_SECRET_KEY} + fi +} +user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true) +if [[ -z ${user_exists} ]]; then + create_s3_user +else + update_s3_user +fi +{{- end }} \ No newline at end of file diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl new file mode 100644 index 000000000..03884fa18 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl 
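Review bot: `update_s3_user` revokes every existing S3 key that differs from `S3_ACCESS_KEY` before anything else, so running the job with a rotated key invalidates all other key pairs the user holds, including ones other consumers may still use; that single-key policy is deliberate but unstated, so a comment above the `for` loop such as `# Policy: the user keeps exactly one S3 key pair; any other key is revoked` would prevent surprises. The secret key is passed as an argument to `radosgw-admin user create` and `user modify`, which exposes it in the container's process list for the duration of the call; tracing is not enabled here (`set -e` only), and it should stay that way, and `$user_exists` captures the user's keys from `user info` and must never be echoed. `set -e` without `set -u` lets an unset `S3_USERNAME` run `user info --uid=` against an empty uid; `set -eu` at the top would catch it.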
@@ -0,0 +1,142 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.db_drop" }} +#!/usr/bin/env python + +# Drops db and user for an OpenStack Service: +# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain +# SQLAlchemy strings for the root connection to the database and the one you +# wish the service to use. Alternatively, you can use an ini formatted config +# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string +# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by +# OPENSTACK_CONFIG_DB_SECTION. 
+ +import os +import sys +try: + import ConfigParser + PARSER_OPTS = {} +except ImportError: + import configparser as ConfigParser + PARSER_OPTS = {"strict": False} +import logging +from sqlalchemy import create_engine + +# Create logger, console handler and formatter +logger = logging.getLogger('OpenStack-Helm DB Drop') +logger.setLevel(logging.DEBUG) +ch = logging.StreamHandler() +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + +# Set the formatter and add the handler +ch.setFormatter(formatter) +logger.addHandler(ch) + + +# Get the connection string for the service db root user +if "ROOT_DB_CONNECTION" in os.environ: + db_connection = os.environ['ROOT_DB_CONNECTION'] + logger.info('Got DB root connection') +else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + +# Get the connection string for the service db +if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] + if "OPENSTACK_CONFIG_DB_SECTION" in os.environ: + os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set') + sys.exit(1) + if "OPENSTACK_CONFIG_DB_KEY" in os.environ: + os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set') + sys.exit(1) + try: + config = ConfigParser.RawConfigParser(**PARSER_OPTS) + logger.info("Using {0} as db config source".format(os_conf)) + config.read(os_conf) + logger.info("Trying to load db config from {0}:{1}".format( + os_conf_section, os_conf_key)) + user_db_conn = config.get(os_conf_section, os_conf_key) + logger.info("Got config from {0}".format(os_conf)) + except: + 
logger.critical("Tried to load config from {0} but failed.".format(os_conf)) + raise +elif "DB_CONNECTION" in os.environ: + user_db_conn = os.environ['DB_CONNECTION'] + logger.info('Got config from DB_CONNECTION env var') +else: + logger.critical('Could not get db config, either from config file or env var') + sys.exit(1) + +# Root DB engine +try: + root_engine_full = create_engine(db_connection) + root_user = root_engine_full.url.username + root_password = root_engine_full.url.password + drivername = root_engine_full.url.drivername + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( + host, port, root_user)) +except: + logger.critical('Could not connect to database as root user') + raise + +# User DB engine +try: + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username + password = user_engine.url.password + logger.info('Got user db config') +except: + logger.critical('Could not get user database config') + raise + +# Delete DB +try: + root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database)) + logger.info("Deleted database {0}".format(database)) +except: + logger.critical("Could not drop database {0}".format(database)) + raise + +# Delete DB User +try: + root_engine.execute("DROP USER IF EXISTS {0}".format(user)) + logger.info("Deleted user {0}".format(user)) +except: + logger.critical("Could not delete user {0}".format(user)) + raise + +logger.info('Finished DB Management') +{{- end }} 
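Review bot: The root engine URL is rebuilt by concatenation from the parsed `ROOT_DB_CONNECTION` (`root_engine_url = ''.join([...])`), which drops any query parameters of the original URL, renders the literal `None` as the port when the URL has none, and breaks on a root password containing `@`, `:` or `/` because the unescaped password is spliced back in; depending on the SQLAlchemy version, the parsed `URL` object offers `set()` / `URL.create()` to derive the root URL without re-serialising it by hand. `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}` interpolate identifiers with `.format` and no quoting, so a database name containing `-` or a reserved word fails, and `DROP USER` without a host part only affects `user@'%'` implicitly; quote and be explicit, e.g. `"DROP DATABASE IF EXISTS `{0}`".format(database)` and `"DROP USER IF EXISTS '{0}'@'%%'".format(user)`. The bare `except:` blocks also catch `KeyboardInterrupt`/`SystemExit`; since each handler re-raises, `except Exception:` is the intended scope. The same URL rebuild and bare `except:` pattern appears in `_db-init.py.tpl` in the next hunk.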
diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_db-init.py.tpl new file mode 100644 index 000000000..6027b9515 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_db-init.py.tpl 
@@ -0,0 +1,156 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.db_init" }} +#!/usr/bin/env python + +# Creates db and user for an OpenStack Service: +# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain +# SQLAlchemy strings for the root connection to the database and the one you +# wish the service to use. Alternatively, you can use an ini formatted config +# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string +# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by +# OPENSTACK_CONFIG_DB_SECTION. 
+ +import os +import sys +try: + import ConfigParser + PARSER_OPTS = {} +except ImportError: + import configparser as ConfigParser + PARSER_OPTS = {"strict": False} +import logging +from sqlalchemy import create_engine + +# Create logger, console handler and formatter +logger = logging.getLogger('OpenStack-Helm DB Init') +logger.setLevel(logging.DEBUG) +ch = logging.StreamHandler() +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + +# Set the formatter and add the handler +ch.setFormatter(formatter) +logger.addHandler(ch) + + +# Get the connection string for the service db root user +if "ROOT_DB_CONNECTION" in os.environ: + db_connection = os.environ['ROOT_DB_CONNECTION'] + logger.info('Got DB root connection') +else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + +# Get the connection string for the service db +if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] + if "OPENSTACK_CONFIG_DB_SECTION" in os.environ: + os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set') + sys.exit(1) + if "OPENSTACK_CONFIG_DB_KEY" in os.environ: + os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY'] + else: + logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set') + sys.exit(1) + try: + config = ConfigParser.RawConfigParser(**PARSER_OPTS) + logger.info("Using {0} as db config source".format(os_conf)) + config.read(os_conf) + logger.info("Trying to load db config from {0}:{1}".format( + os_conf_section, os_conf_key)) + user_db_conn = config.get(os_conf_section, os_conf_key) + logger.info("Got config from {0}".format(os_conf)) + except: + 
logger.critical("Tried to load config from {0} but failed.".format(os_conf)) + raise +elif "DB_CONNECTION" in os.environ: + user_db_conn = os.environ['DB_CONNECTION'] + logger.info('Got config from DB_CONNECTION env var') +else: + logger.critical('Could not get db config, either from config file or env var') + sys.exit(1) + +# Root DB engine +try: + root_engine_full = create_engine(db_connection) + root_user = root_engine_full.url.username + root_password = root_engine_full.url.password + drivername = root_engine_full.url.drivername + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( + host, port, root_user)) +except: + logger.critical('Could not connect to database as root user') + raise + +# User DB engine +try: + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username + password = user_engine.url.password + logger.info('Got user db config') +except: + logger.critical('Could not get user database config') + raise + +# Create DB +try: + root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database)) + logger.info("Created database {0}".format(database)) +except: + logger.critical("Could not create database {0}".format(database)) + raise + +# Create DB User +try: + root_engine.execute( + "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format( + user, password, mysql_x509)) + root_engine.execute( + "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user)) + logger.info("Created user {0} for {1}".format(user, database)) +except: + logger.critical("Could not create user {0} for 
{1}".format(user, database)) + raise + +# Test connection +try: + connection = user_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format( + host, port, database, user)) +except: + logger.critical('Could not connect to database as user') + raise + +logger.info('Finished DB Management') +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl new file mode 100644 index 000000000..4d7dfaa37 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl 
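Review bot: The `CREATE USER ... IDENTIFIED BY '{1}' {2}` statement interpolates the service password into SQL with `.format`, so a password containing `'` or `\` breaks the statement, and the trailing `{2}` splices the raw `MARIADB_X509` environment value into the query as well. With `text()` from the already-imported `sqlalchemy` package the password can be bound instead: `root_engine.execute(text("CREATE USER IF NOT EXISTS :u@'%' IDENTIFIED BY :p " + mysql_x509), u=user, p=password)` — the `%%` doubling is then handled by the dialect and must not be written by hand; verify this against the MySQL driver actually in use. The `except:` handler re-raises the SQLAlchemy error, whose message includes the statement text, so a failed `CREATE USER` writes the password into the job log; with bound parameters `create_engine(..., hide_parameters=True)` keeps it out of the message. Identifier quoting for `database` and `user` is the same point raised on the `_db-drop.py.tpl` hunk.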
@@ -0,0 +1,69 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- define "helm-toolkit.scripts.pg_db_init" }} +#!/bin/bash +set -ex + +if [[ ! -v DB_HOST ]]; then + echo "environment variable DB_HOST not set" + exit 1 +elif [[ ! -v DB_ADMIN_USER ]]; then + echo "environment variable DB_ADMIN_USER not set" + exit 1 +elif [[ ! -v PGPASSWORD ]]; then + echo "environment variable PGPASSWORD not set" + exit 1 +elif [[ ! -v DB_PORT ]]; then + echo "environment variable DB_PORT not set" + exit 1 +elif [[ ! -v USER_DB_USER ]]; then + echo "environment variable USER_DB_USER not set" + exit 1 +elif [[ ! -v USER_DB_PASS ]]; then + echo "environment variable USER_DB_PASS not set" + exit 1 +elif [[ ! -v USER_DB_NAME ]]; then + echo "environment variable USER_DB_NAME not set" + exit 1 +else + echo "Got DB connection info" +fi + +pgsql_superuser_cmd () { + DB_COMMAND="$1" + if [[ ! -z $2 ]]; then + EXPORT PGDATABASE=$2 + fi + /usr/bin/psql \ + -h ${DB_HOST} \ + -p ${DB_PORT} \ + -U ${DB_ADMIN_USER} \ + --command="${DB_COMMAND}" +} + +#create db +pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME" + +#create db user +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \ + pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" + +#Set password everytime. 
This is required for cases when we would want password rotation to take effect and set the updated password for a user. +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'" + +#give permissions to user +pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;" + +#revoke all privileges from PUBLIC role +pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;" +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl new file mode 100644 index 000000000..e41abe327 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl @@ -0,0 +1,24 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.image_repo_sync" }} +#!/bin/sh +set -ex + +IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do + docker pull ${IMAGE} + docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE} + docker push ${LOCAL_REPO}/${IMAGE} +done +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl new file mode 100644 index 000000000..8755cd5f3 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl 
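Review bot: `set -ex` at the top of this script traces every command, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` invocations print the user's database password into the job's stdout and pod logs; `_ks-user.sh.tpl` in the same commit turns tracing off around its password step, and this script should do the same with `set +x` before the role-create and password-rotation commands and `set -x` after them. Separately, `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` is not the bash builtin (builtins are case-sensitive), so under `set -e` any call that passes a second argument would abort with command-not-found; it should read `export PGDATABASE=$2`, although no caller in this hunk currently passes one. The `$USER_DB_NAME` and `$USER_DB_USER` values are spliced unquoted into the SQL text, so they must only ever come from trusted chart values.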
@@ -0,0 +1,72 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_domain_user" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +set -ex + +# Manage domain +SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \ + "${SERVICE_OS_DOMAIN_NAME}") + +# Display domain +openstack domain show "${SERVICE_OS_DOMAIN_ID}" + +# Manage user +SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \ + --domain="${SERVICE_OS_DOMAIN_ID}" \ + --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \ + --password="${SERVICE_OS_PASSWORD}" \ + "${SERVICE_OS_USERNAME}") + +# Manage user password (we do this to ensure the password is updated if required) +openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}" + +# Display user +openstack user show "${SERVICE_OS_USERID}" + +# Manage role +SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \ + "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \ + "${SERVICE_OS_ROLE}" ) + +# Manage user role assignment +openstack role add \ + --domain="${SERVICE_OS_DOMAIN_ID}" \ + --user="${SERVICE_OS_USERID}" \ + --user-domain="${SERVICE_OS_DOMAIN_ID}" \ + "${SERVICE_OS_ROLE_ID}" + +# Display user role assignment +openstack role assignment list \ + --role="${SERVICE_OS_ROLE_ID}" \ + --user-domain="${SERVICE_OS_DOMAIN_ID}" \ + --user="${SERVICE_OS_USERID}" +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl new file mode 100644 index 000000000..e400bcd55 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl 
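Review bot: With `set -ex` in effect, both `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}"` are echoed by xtrace, so the service user's Keystone password lands in the job log. `_ks-user.sh.tpl` in this same commit wraps its `user set` call in `set +x` / a masked echo / `set -x`; the same pattern belongs here, and the `--password` flag on `user create` can be dropped because the password is set again on the following line anyway. The Apache header is also duplicated, once in the `{{/* */}}` template comment and again as `#` lines inside the rendered script; the second copy could be trimmed.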
@@ -0,0 +1,79 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_endpoints" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +set -ex + +# Get Service ID +OS_SERVICE_ID=$( openstack service list -f csv --quote none | \ + grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \ + sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" ) + +# Get Endpoint ID if it exists +OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \ + grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \ + awk -F ',' '{ print $1 }' ) + +# Making sure only a single endpoint exists for a service within a region +if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then + echo "More than one endpoint found, cleaning up" + for ENDPOINT_ID in $OS_ENDPOINT_ID; do + openstack endpoint delete ${ENDPOINT_ID} + done + unset OS_ENDPOINT_ID +fi + +# Determine if Endpoint needs updated +if [[ ${OS_ENDPOINT_ID} ]]; then + OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url) + if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then + echo "Endpoints Match: no action required" + OS_ENDPOINT_UPDATE="False" + else + echo "Endpoints Dont Match: removing existing entries" + openstack endpoint delete ${OS_ENDPOINT_ID} + OS_ENDPOINT_UPDATE="True" + fi +else + OS_ENDPOINT_UPDATE="True" +fi + +# Update Endpoint if required +if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then + OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \ + --region="${OS_REGION_NAME}" \ + "${OS_SERVICE_ID}" \ + ${OS_SVC_ENDPOINT} \ + "${OS_SERVICE_ENDPOINT}" ) +fi + +# Display the Endpoint +openstack endpoint show ${OS_ENDPOINT_ID} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl new file mode 100644 index 000000000..8356b3623 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl 
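Review bot: `OS_SERVICE_ID` is never checked before it is passed to `openstack endpoint create` near the end of the hunk; because the lookup is a `grep | sed` pipeline inside a command substitution, a failed or empty `openstack service list` yields an empty string that `set -e` does not catch, and the script then attempts to create an endpoint against an empty service id. A guard right after the lookup, `if [[ -z "${OS_SERVICE_ID}" ]]; then echo "Service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; fi`, fails fast with a clear message instead. The `openstack endpoint delete ${OS_ENDPOINT_ID}` and `openstack endpoint show ${OS_ENDPOINT_ID}` calls should also quote the variable, as the rest of the script does.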
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_service" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -ex + +# Service boilerplate description +OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service" + +# Get Service ID if it exists +unset OS_SERVICE_ID + +# FIXME - There seems to be an issue once in a while where the +# openstack service list fails and encounters an error message such as: +# Unable to establish connection to +# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens: +# ('Connection aborted.', OSError("(104, 'ECONNRESET')",)) +# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank +# and it would attempt to create a new service when it was not needed. 
+# This duplciate service would sometimes be used by other services such as +# Horizon and would give an 'Invalid Service Catalog' error. +# This loop allows for a 'retry' of the openstack service list in an +# attempt to get the service list as expected if it does ecounter an error. +# This loop and recheck can be reverted once the underlying issue is addressed. + +# If OS_SERVICE_ID is blank then wait a few seconds to give it +# additional time and try again +for i in $(seq 3) +do + OS_SERVICE_ID=$( openstack service list -f csv --quote none | \ + grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \ + sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" ) + + # If the service was found, go ahead and exit successfully. + if [[ -n "${OS_SERVICE_ID}" ]]; then + exit 0 + fi + + sleep 2 +done + +# If we've reached this point and a Service ID was not found, +# then create the service +OS_SERVICE_ID=$(openstack service create -f value -c id \ + --name="${OS_SERVICE_NAME}" \ + --description "${OS_SERVICE_DESC}" \ + --enable \ + "${OS_SERVICE_TYPE}") +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl new file mode 100644 index 000000000..b45f79834 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl 
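Review bot: The retry loop falls through to `openstack service create` after three attempts regardless of why `OS_SERVICE_ID` stayed empty, so the connectivity failure the preceding comment describes (ECONNRESET on `service list`) still produces the duplicate service the loop was added to avoid, because the `service list | grep | sed` substitution hides the list command's exit status. Capture that status explicitly, e.g. `SERVICE_LIST=$(openstack service list -f csv --quote none) || { sleep 2; continue; }` as the first statement of the loop and then grep `"${SERVICE_LIST}"`, and exit non-zero after the loop when the final attempt was an error rather than a genuine miss. The comment block also has two typos, `duplciate` and `ecounter`.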
@@ -0,0 +1,108 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.keystone_user" }} +#!/bin/bash + +# Copyright 2017 Pete Birley +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +set -ex + +shopt -s nocasematch + +if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]] +then + PROJECT_DOMAIN_ID="default" +else + # Manage project domain + PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \ + "${SERVICE_OS_PROJECT_DOMAIN_NAME}") +fi + +if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]] +then + USER_DOMAIN_ID="default" +else + # Manage user domain + USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \ + --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \ + "${SERVICE_OS_USER_DOMAIN_NAME}") +fi + +shopt -u nocasematch + +# Manage user project +USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" +USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \ + --domain="${PROJECT_DOMAIN_ID}" \ + --description="${USER_PROJECT_DESC}" \ + "${SERVICE_OS_PROJECT_NAME}"); + +# Manage user +USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}" +USER_ID=$(openstack user create --or-show --enable -f value -c id \ + --domain="${USER_DOMAIN_ID}" \ + --project-domain="${PROJECT_DOMAIN_ID}" \ + --project="${USER_PROJECT_ID}" \ + --description="${USER_DESC}" \ + "${SERVICE_OS_USERNAME}"); + +# Manage user password (we do this in a seperate step to ensure the password is updated if required) +set +x +echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}" +openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}" +set -x + +function ks_assign_user_role () { + if [[ "$SERVICE_OS_ROLE" == "admin" ]] + then + USER_ROLE_ID="$SERVICE_OS_ROLE" + else + USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}"); + fi + + # Manage user role assignment + openstack role add \ + --user="${USER_ID}" \ + 
--user-domain="${USER_DOMAIN_ID}" \ + --project-domain="${PROJECT_DOMAIN_ID}" \ + --project="${USER_PROJECT_ID}" \ + "${USER_ROLE_ID}" +} + +# Manage user service role +IFS=',' +for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do + ks_assign_user_role +done + +# Manage user member role +: ${MEMBER_OS_ROLE:="member"} +export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \ + "${MEMBER_OS_ROLE}"); +ks_assign_user_role +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl new file mode 100644 index 000000000..3739f9554 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl 
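Review bot: The member-role step at the end of the hunk never assigns `${MEMBER_OS_ROLE}`: `ks_assign_user_role` unconditionally overwrites `USER_ROLE_ID` from `$SERVICE_OS_ROLE` (either with the literal `admin` or with a fresh `role create --or-show` of that name), and after the `for` loop `SERVICE_OS_ROLE` still holds the last entry of `SERVICE_OS_ROLES`, so the exported `USER_ROLE_ID` is discarded and the last service role is simply re-added. The smallest fix is to replace the `export USER_ROLE_ID=$(...)` assignment with `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` before the final `ks_assign_user_role` call, so the function resolves the member role itself. `IFS=','` is also left modified for the remainder of the script; restoring it after the loop avoids surprising word splitting in anything added later.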
@@ -0,0 +1,111 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.rabbit_init" }} +#!/bin/bash +set -e +# Extract connection details +RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $1}') +RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $2}') + +# Extract Admin User creadential +RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $4}') +RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $5}') + +# Extract User creadential +RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $4}') +RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $5}') + +# Extract User vHost +RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $3}') +# Resolve vHost to / if no value is set +RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}" + +function rabbitmqadmin_cli () { + if [ -n "$RABBITMQ_X509" ] + then + rabbitmqadmin \ + --ssl \ + --ssl-disable-hostname-verification \ + --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \ + --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \ + --ssl-key-file="${USER_CERT_PATH}/tls.key" \ + --host="${RABBIT_HOSTNAME}" \ 
+ --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + else + rabbitmqadmin \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + fi +} + +echo "Managing: User: ${RABBITMQ_USERNAME}" +rabbitmqadmin_cli \ + declare user \ + name="${RABBITMQ_USERNAME}" \ + password="${RABBITMQ_PASSWORD}" \ + tags="user" + +echo "Deleting Guest User" +rabbitmqadmin_cli \ + delete user \ + name="guest" || true + +if [ "${RABBITMQ_VHOST}" != "/" ] +then + echo "Managing: vHost: ${RABBITMQ_VHOST}" + rabbitmqadmin_cli \ + declare vhost \ + name="${RABBITMQ_VHOST}" +else + echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}" +fi + +echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}" +rabbitmqadmin_cli \ + declare permission \ + vhost="${RABBITMQ_VHOST}" \ + user="${RABBITMQ_USERNAME}" \ + configure=".*" \ + write=".*" \ + read=".*" + +if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ] +then + echo "Applying additional configuration" + echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json + rabbitmqadmin_cli import /tmp/rmq_definitions.json +fi + +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl new file mode 100644 index 000000000..c08d32075 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl 
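Review bot: `rabbitmqadmin_cli` forwards its arguments as unquoted `${@}` in both branches, so any argument containing whitespace or glob characters (a vhost or tag value, or the import path) is re-split before reaching `rabbitmqadmin`; it should be `"$@"`. The auxiliary definitions written to `/tmp/rmq_definitions.json` may contain credentials and are left on disk after `rabbitmqadmin_cli import`; writing them to a `mktemp` path and removing it afterwards (or via `trap ... EXIT`) closes that gap. Note too that the admin password is passed as a `--password=` command-line flag on every call, which is visible in the process listing for the lifetime of each invocation; this hunk's `set -e` without `-x` at least keeps it out of the trace output.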
@@ -0,0 +1,88 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.rally_test" -}} +#!/bin/bash +set -ex +{{- $rallyTests := index . 0 }} + +: "${RALLY_ENV_NAME:="openstack-helm"}" +: "${OS_INTERFACE:="public"}" +: "${RALLY_CLEANUP:="true"}" + +if [ "x$RALLY_CLEANUP" == "xtrue" ]; then + function rally_cleanup { + openstack user delete \ + --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \ + "${SERVICE_OS_USERNAME}" +{{ $rallyTests.clean_up | default "" | indent 4 }} + } + trap rally_cleanup EXIT +fi + +function create_or_update_db () { + revisionResults=$(rally db revision) + if [ $revisionResults = "None" ] + then + rally db create + else + rally db upgrade + fi +} + +create_or_update_db + +cat > /tmp/rally-config.json << EOF +{ + "openstack": { + "auth_url": "${OS_AUTH_URL}", + "region_name": "${OS_REGION_NAME}", + "endpoint_type": "${OS_INTERFACE}", + "admin": { + "username": "${OS_USERNAME}", + "password": "${OS_PASSWORD}", + "user_domain_name": "${OS_USER_DOMAIN_NAME}", + "project_name": "${OS_PROJECT_NAME}", + "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}" + }, + "users": [ + { + "username": "${SERVICE_OS_USERNAME}", + "password": "${SERVICE_OS_PASSWORD}", + "project_name": "${SERVICE_OS_PROJECT_NAME}", + "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}", + "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}" + } + ], + "https_insecure": false, + "https_cacert": "${OS_CACERT}" + } +} +EOF +rally deployment create --file 
/tmp/rally-config.json --name "${RALLY_ENV_NAME}" +rm -f /tmp/rally-config.json +rally deployment use "${RALLY_ENV_NAME}" +rally deployment check +{{- if $rallyTests.run_tempest }} +rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest +SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')" +rally verify start --pattern "tempest.api.${SERVICE_TYPE}*" +rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force +{{- end }} +rally task validate /etc/rally/rally_tests.yaml +rally task start /etc/rally/rally_tests.yaml +rally task sla-check +rally env cleanup +rally deployment destroy --deployment "${RALLY_ENV_NAME}" +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl new file mode 100644 index 000000000..695cb2e47 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl 
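Review bot: In `create_or_update_db`, `[ $revisionResults = "None" ]` leaves the substitution unquoted, so an empty or multi-word `rally db revision` output becomes a `[` syntax error instead of a clean branch; write `if [ "${revisionResults}" = "None" ]`. The generated `/tmp/rally-config.json` carries both the admin and service passwords in clear text; it is deleted right after `rally deployment create`, but if that command fails under `set -e` the file stays behind, so a `trap 'rm -f /tmp/rally-config.json' EXIT` registered before the heredoc would guarantee its removal. The existing `rally_cleanup` trap is only installed when `RALLY_CLEANUP` is true, so the file removal should not be folded into it.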
@@ -0,0 +1,701 @@ +{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }} +#!/bin/bash + +# This file contains a database backup framework which database scripts +# can use to perform a backup. The idea here is that the database-specific +# functions will be implemented by the various databases using this script +# (like mariadb, postgresql or etcd for example). The database-specific +# script will need to first "source" this file like this: +# source /tmp/backup_main.sh +# +# Then the script should call the main backup function (backup_databases): +# backup_databases [scope] +# [scope] is an optional parameter, defaulted to "all". If only one specific +# database is required to be backed up then this parameter will +# contain the name of the database; otherwise all are backed up. +# +# The framework will require the following variables to be exported: +# +# export DB_NAMESPACE Namespace where the database(s) reside +# export DB_NAME Name of the database system +# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups +# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups +# export ARCHIVE_DIR Local location where the backup tarballs should +# be stored. (full directory path) +# export BACK_UP_MODE Determines the mode of backup taken. +# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false +# otherwise +# export CONTAINER_NAME Name of the container on the RGW to store +# the backup tarball. +# export STORAGE_POLICY Name of the storage policy defined on the +# RGW which is intended to store backups. 
+# RGW access variables: +# export OS_REGION_NAME Name of the region the RGW resides in +# export OS_AUTH_URL Keystone URL associated with the RGW +# export OS_PROJECT_NAME Name of the project associated with the +# keystone user +# export OS_USERNAME Name of the keystone user +# export OS_PASSWORD Password of the keystone user +# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to +# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to +# export OS_IDENTITY_API_VERSION Keystone API version to use +# +# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote +# in case of any temporary failures. +# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup +# to remote to stagger backups being sent to RGW +# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup +# to remote to stagger backups being sent to RGW. +# A random number between min and max delay is generated +# to set the delay. +# +# RGW backup throttle limits variables: +# export THROTTLE_BACKUPS_ENABLED Boolean variableto control backup functionality +# export THROTTLE_LIMIT Number of simultaneous RGW upload sessions +# export THROTTLE_LOCK_EXPIRE_AFTER Time in seconds to expire flag file is orphaned +# export THROTTLE_RETRY_AFTER Time in seconds to wait before retry +# export THROTTLE_CONTAINER_NAME Name of RGW container to place flag falies into +# +# The database-specific functions that need to be implemented are: +# dump_databases_to_directory [scope] +# where: +# is the full directory path to dump the database files +# into. This is a temporary directory for this backup only. +# is the full directory path where error logs are to be +# written by the application. +# [scope] set to "all" if all databases are to be backed up; or +# set to the name of a specific database to be backed up. +# This optional parameter is defaulted to "all". 
+# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to dump the database file(s) to the specified +# directory path. If this function completes successfully (returns 0), the +# framework will automatically tar/zip the files in that directory and +# name the tarball appropriately according to the proper conventions. +# +# verify_databases_backup_archives [scope] +# returns: 0 if no errors; 1 if any errors occurred +# +# This function is expected to verify the database backup archives. If this function +# completes successfully (returns 0), the +# framework will automatically starts remote backup upload. +# +# +# The functions in this file will take care of: +# 1) Calling "dump_databases_to_directory" and then compressing the files, +# naming the tarball properly, and then storing it locally at the specified +# local directory. +# 2) Sending the tarball built to the remote gateway, to be stored in the +# container configured to store database backups. +# 3) Removing local backup tarballs which are older than the number of days +# specified by the "LOCAL_DAYS_TO_KEEP" variable. +# 4) Removing remote backup tarballs (from the remote gateway) which are older +# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable. +# 5) Controlling remote storage gateway load from client side and throttling it +# by using a dedicated RGW container to store flag files defining upload session +# in progress +# +# Note: not using set -e in this script because more elaborate error handling +# is needed. 
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit 0
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit 0
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # load balance delay
+ DELAY=$((1 + ${RANDOM} % 30))
+ echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+ sleep ${DELAY}
+
+ #---------------------------------------------------------------------------
+ # Remote backup throttling
+ export THROTTLE_BACKUPS_ENABLED=$(echo $THROTTLE_BACKUPS_ENABLED | sed 's/"//g')
+ if $THROTTLE_BACKUPS_ENABLED; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export THROTTLE_LIMIT=$(echo $THROTTLE_LIMIT | sed 's/"//g')
+ export THROTTLE_LOCK_EXPIRE_AFTER=$(echo $THROTTLE_LOCK_EXPIRE_AFTER | sed 's/"//g')
+ export THROTTLE_RETRY_AFTER=$(echo $THROTTLE_RETRY_AFTER | sed 's/"//g')
+ export THROTTLE_CONTAINER_NAME=$(echo $THROTTLE_CONTAINER_NAME | sed 's/"//g')
+
+ # load balance delay
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $THROTTLE_CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${THROTTLE_CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${THROTTLE_CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $THROTTLE_CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${THROTTLE_CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ NUMBER_OF_SESSIONS=$(openstack object list $THROTTLE_CONTAINER_NAME -f value | wc -l)
+ log INFO "${DB_NAME}_backup" "There are ${NUMBER_OF_SESSIONS} remote sessions right now."
+ while [[ ${NUMBER_OF_SESSIONS} -ge ${THROTTLE_LIMIT} ]]
+ do
+ log INFO "${DB_NAME}_backup" "Current number of active uploads is ${NUMBER_OF_SESSIONS}>=${THROTTLE_LIMIT}!"
+ log INFO "${DB_NAME}_backup" "Retrying in ${THROTTLE_RETRY_AFTER} seconds...."
+ sleep ${THROTTLE_RETRY_AFTER}
+ NUMBER_OF_SESSIONS=$(openstack object list $THROTTLE_CONTAINER_NAME -f value | wc -l)
+ log INFO "${DB_NAME}_backup" "There are ${NUMBER_OF_SESSIONS} remote sessions right now."
+ done
+
+ # Create a lock file in THROTTLE_CONTAINER
+ THROTTLE_FILEPATH=$(mktemp -d)
+ THROTTLE_FILE=${CONTAINER_NAME}.lock
+ date +%s > $THROTTLE_FILEPATH/$THROTTLE_FILE
+
+ # Create an object to store the file
+ openstack object create --name $THROTTLE_FILE $THROTTLE_CONTAINER_NAME $THROTTLE_FILEPATH/$THROTTLE_FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create throttle container object ${THROTTLE_FILE}!"
+ return 2
+ fi
+
+ swift post $THROTTLE_CONTAINER_NAME $THROTTLE_FILE -H "X-Delete-After:${THROTTLE_LOCK_EXPIRE_AFTER}"
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot set throttle container object ${THROTTLE_FILE} expiration header!"
+ return 2
+ fi
+ openstack object show $THROTTLE_CONTAINER_NAME $THROTTLE_FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve throttle container object $THROTTLE_FILE after creation."
+ return 2
+ fi
+ fi
+
+ #---------------------------------------------------------------------------
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Remote backup verification
+ MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag")
+ MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}."
+ if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values"
+ return 2
+ fi
+ rm -f ${REMOTE_FILE}
+
+ #---------------------------------------------------------------------------
+ # Remote backup throttling
+ export THROTTLE_BACKUPS_ENABLED=$(echo $THROTTLE_BACKUPS_ENABLED | sed 's/"//g')
+ if $THROTTLE_BACKUPS_ENABLED; then
+ # Remove flag file
+ # Delete an object to remove the flag file
+ openstack object delete $THROTTLE_CONTAINER_NAME $THROTTLE_FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot delete throttle container object ${THROTTLE_FILE}"
+ return 0
+ else
+ log INFO "${DB_NAME}_backup" "The throttle container object ${THROTTLE_FILE} has been successfully removed."
+ fi
+ rm -f ${THROTTLE_FILEPATH}/${THROTTLE_FILE}
+ fi
+
+ #---------------------------------------------------------------------------
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: ....tar.gz
+# the new one: .. ...tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# . to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ironic/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 000000000..093dd2cc9
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl 
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main
+# where:
+# is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# is the name of the database to get the tables from
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# is the name of the table to get the rows from
+# is the name of the database the table resides in
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# is the name of the table to get the schema from
+# is the name of the database the table resides in
+# is the full directory path where the decompressed
+# database files reside
+# is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# is the name of the database to be restored
+# is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases [remote]"
+ echo "list_tables [remote]"
+ echo "list_rows [remote]"
+ echo "list_schema [remote]"
+ echo "restore [remote]"
+ echo " where = | ALL"
+ echo "delete_archive [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ !
$DB_NAMESPACE == "kube-system" ]]; then + #check if the requested database is available in the archive + database_exists $DB_SPEC + if [[ $? -ne 1 ]]; then + clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist." + fi + fi + + echo "Restoring Database $DB_SPEC And Grants" + restore_single_db $DB_SPEC $TMP_DIR + if [[ "$?" -eq 0 ]]; then + echo "Single database restored successfully." + else + clean_and_exit 1 "ERROR: Single database restore failed." + fi + clean_and_exit 0 "" + else + echo "Restoring All The Databases. This could take a few minutes..." + restore_all_dbs $TMP_DIR + if [[ "$?" -eq 0 ]]; then + echo "All databases restored successfully." + else + clean_and_exit 1 "ERROR: Database restore failed." + fi + clean_and_exit 0 "" + fi + ;; + "delete_archive") + if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then + usage 1 + elif [[ ${#ARGS[@]} -eq 2 ]]; then + delete_archive ${ARGS[1]} + else + delete_archive ${ARGS[1]} ${ARGS[2]} + fi + ;; + *) + usage 1 + ;; + esac + + clean_and_exit 0 "" +} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl new file mode 100644 index 000000000..fc426142f --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_job_annotations.tpl 
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Adds custom annotations to the job spec of a component. +examples: + - values: | + annotations: + job: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + keystone_domain_manage: + another.tld/foo: "bar" + usage: | + {{ tuple "keystone_domain_manage" . | include "helm-toolkit.snippets.custom_job_annotations" }} + return: | + another.tld/foo: bar + - values: | + annotations: + job: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + keystone_domain_manage: + another.tld/foo: "bar" + usage: | + {{ tuple "keystone_bootstrap" . | include "helm-toolkit.snippets.custom_job_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" + - values: | + annotations: + job: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + keystone_domain_manage: + another.tld/foo: "bar" + keystone_bootstrap: + usage: | + {{ tuple "keystone_bootstrap" . | include "helm-toolkit.snippets.custom_job_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" +*/}} + +{{- define "helm-toolkit.snippets.custom_job_annotations" -}} +{{- $envAll := index . 1 -}} +{{- $component := index . 
0 | replace "-" "_" -}} +{{- if (hasKey $envAll.Values "annotations") -}} +{{- if (hasKey $envAll.Values.annotations "job") -}} +{{- $annotationsMap := $envAll.Values.annotations.job -}} +{{- $defaultAnnotations := dict -}} +{{- if (hasKey $annotationsMap "default" ) -}} +{{- $defaultAnnotations = $annotationsMap.default -}} +{{- end -}} +{{- $annotations := index $annotationsMap $component | default $defaultAnnotations -}} +{{- if (not (empty $annotations)) -}} +{{- toYaml $annotations -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl new file mode 100644 index 000000000..ecff6e96a --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_pod_annotations.tpl 
@@ -0,0 +1,76 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Adds custom annotations to the pod spec of a component. +examples: + - values: | + annotations: + pod: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + nova_compute: + another.tld/foo: "bar" + usage: | + {{ tuple "nova_compute" . | include "helm-toolkit.snippets.custom_pod_annotations" }} + return: | + another.tld/foo: bar + - values: | + annotations: + pod: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + nova_compute: + another.tld/foo: "bar" + usage: | + {{ tuple "nova_api" . | include "helm-toolkit.snippets.custom_pod_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" + - values: | + annotations: + pod: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + nova_compute: + another.tld/foo: "bar" + nova_api: + usage: | + {{ tuple "nova_api" . | include "helm-toolkit.snippets.custom_pod_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" +*/}} + +{{- define "helm-toolkit.snippets.custom_pod_annotations" -}} +{{- $component := index . 0 -}} +{{- $envAll := index . 
1 -}} +{{- if (hasKey $envAll.Values "annotations") -}} +{{- if (hasKey $envAll.Values.annotations "pod") -}} +{{- $annotationsMap := $envAll.Values.annotations.pod -}} +{{- $defaultAnnotations := dict -}} +{{- if (hasKey $annotationsMap "default" ) -}} +{{- $defaultAnnotations = $annotationsMap.default -}} +{{- end -}} +{{- $annotations := index $annotationsMap $component | default $defaultAnnotations -}} +{{- if (not (empty $annotations)) -}} +{{- toYaml $annotations -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl new file mode 100644 index 000000000..19c438088 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_custom_secret_annotations.tpl 
@@ -0,0 +1,81 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Adds custom annotations to the secret spec of a component. +examples: + - values: | + annotations: + secret: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + identity: + admin: + another.tld/foo: "bar" + usage: | + {{ tuple "identity" "admin" . | include "helm-toolkit.snippets.custom_secret_annotations" }} + return: | + another.tld/foo: bar + - values: | + annotations: + secret: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + identity: + admin: + another.tld/foo: "bar" + usage: | + {{ tuple "oslo_db" "admin" . | include "helm-toolkit.snippets.custom_secret_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" + - values: | + annotations: + secret: + default: + custom.tld/key: "value" + custom.tld/key2: "value2" + identity: + admin: + another.tld/foo: "bar" + oslo_db: + admin: + usage: | + {{ tuple "oslo_db" "admin" . | include "helm-toolkit.snippets.custom_secret_annotations" }} + return: | + custom.tld/key: "value" + custom.tld/key2: "value2" +*/}} + +{{- define "helm-toolkit.snippets.custom_secret_annotations" -}} +{{- $secretType := index . 0 -}} +{{- $userClass := index . 1 | replace "-" "_" -}} +{{- $envAll := index . 
2 -}} +{{- if (hasKey $envAll.Values "annotations") -}} +{{- if (hasKey $envAll.Values.annotations "secret") -}} +{{- $annotationsMap := index $envAll.Values.annotations.secret $secretType | default dict -}} +{{- $defaultAnnotations := dict -}} +{{- if (hasKey $envAll.Values.annotations.secret "default" ) -}} +{{- $defaultAnnotations = $envAll.Values.annotations.secret.default -}} +{{- end -}} +{{- $annotations := index $annotationsMap $userClass | default $defaultAnnotations -}} +{{- if (not (empty $annotations)) -}} +{{- toYaml $annotations -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_image.tpl new file mode 100644 index 000000000..029c93de5 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_image.tpl 
@@ -0,0 +1,60 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Resolves an image reference to a string, and its pull policy +values: | + images: + tags: + test_image: docker.io/port/test:version-foo + image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 + pull_policy: IfNotPresent + local_registry: + active: true + exclude: + - image_foo + endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 +usage: | + {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }} +return: | + image: "localhost:5000/docker.io/port/test:version-foo" + imagePullPolicy: IfNotPresent +*/}} + +{{- define "helm-toolkit.snippets.image" -}} +{{- $envAll := index . 0 -}} +{{- $image := index . 
1 -}} +{{- $imageTag := index $envAll.Values.images.tags $image -}} +{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}} +{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}} +image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }} +{{- else -}} +image: {{ $imageTag | quote }} +{{- end }} +imagePullPolicy: {{ $envAll.Values.images.pull_policy }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl new file mode 100644 index 000000000..2f209fe63 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl 
@@ -0,0 +1,142 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a set of container enviorment variables, equivlant to an openrc for + use with keystone based command line clients. +values: | + secrets: + identity: + admin: example-keystone-admin +usage: | + {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }} +return: | + - name: OS_IDENTITY_API_VERSION + value: "3" + - name: OS_AUTH_URL + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_AUTH_URL + - name: OS_REGION_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_REGION_NAME + - name: OS_INTERFACE + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_INTERFACE + - name: OS_ENDPOINT_TYPE + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_INTERFACE + - name: OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PROJECT_DOMAIN_NAME + - name: OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PROJECT_NAME + - name: OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_USER_DOMAIN_NAME + - name: OS_USERNAME + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_USERNAME + - name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_PASSWORD + - name: OS_CACERT + valueFrom: + secretKeyRef: + name: 
example-keystone-admin + key: OS_CACERT +*/}} + +{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }} +{{- $useCA := .useCA -}} +{{- $ksUserSecret := .ksUserSecret }} +- name: OS_IDENTITY_API_VERSION + value: "3" +- name: OS_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_AUTH_URL +- name: OS_REGION_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_REGION_NAME +- name: OS_INTERFACE + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_INTERFACE +- name: OS_ENDPOINT_TYPE + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_INTERFACE +- name: OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_DOMAIN_NAME +- name: OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_NAME +- name: OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USER_DOMAIN_NAME +- name: OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USERNAME +- name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PASSWORD +- name: OS_DEFAULT_DOMAIN + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_DEFAULT_DOMAIN +{{- if $useCA }} +- name: OS_CACERT + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_CACERT +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl new file mode 100644 index 000000000..f6276576c --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl 
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 000000000..648711beb
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a set of container enviorment variables, for use with the keystone + user management jobs. +values: | + secrets: + identity: + service_user: example-keystone-user +usage: | + {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }} +return: | + - name: SERVICE_OS_REGION_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_REGION_NAME + - name: SERVICE_OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_PROJECT_DOMAIN_NAME + - name: SERVICE_OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_PROJECT_NAME + - name: SERVICE_OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_USER_DOMAIN_NAME + - name: SERVICE_OS_USERNAME + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_USERNAME + - name: SERVICE_OS_PASSWORD + valueFrom: + secretKeyRef: + name: example-keystone-user + key: OS_PASSWORD +*/}} + +{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }} +{{- $ksUserSecret := .ksUserSecret }} +- name: SERVICE_OS_REGION_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_REGION_NAME +- name: SERVICE_OS_PROJECT_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_DOMAIN_NAME +- name: 
SERVICE_OS_PROJECT_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PROJECT_NAME +- name: SERVICE_OS_USER_DOMAIN_NAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USER_DOMAIN_NAME +- name: SERVICE_OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_USERNAME +- name: SERVICE_OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_PASSWORD +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl new file mode 100644 index 000000000..8ca102806 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl 
@@ -0,0 +1,68 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders a configmap used for loading custom AppArmor profiles. +values: | + pod: + mandatory_access_control: + type: apparmor + configmap_apparmor: true + apparmor_profiles: |- + my_apparmor-v1.profile: |- + #include + profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) { + + } +usage: | + {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }} +return: | +apiVersion: v1 +kind: ConfigMap +metadata: + name: releaseName-myComponent-apparmor + namespace: myNamespace +data: + my_apparmor-v1.profile: |- + #include + profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) { + + } +*/}} +{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}} +{{- $envAll := index . "envAll" -}} +{{- $component := index . 
"component" -}} +{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}} +{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}} +{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }} +{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}} +{{- if $envAll.Values.conf.apparmor_profiles }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $mapName }} + namespace: {{ $envAll.Release.Namespace }} +data: +{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl new file mode 100644 index 000000000..f231fe659 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl 
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 000000000..baebaa3cb
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders the volumes used by the apparmor loader. +values: | + pod: + mandatory_access_control: + type: apparmor + configmap_apparmor: true +inputs: | + envAll: "Environment or Context." + component: "Name of the component used for the name of configMap." + requireSys: "Boolean. True if it needs the hostpath /sys in volumes." +usage: | + {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }} +return: | +- name: sys + hostPath: + path: /sys +- name: includes + hostPath: + path: /etc/apparmor.d +- name: profiles + configMap: + name: RELEASENAME-keystone-apparmor + defaultMode: 0555 +*/}} +{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}} +{{- $envAll := index . "envAll" -}} +{{- $component := index . "component" -}} +{{- $requireSys := index . 
"requireSys" | default false -}} +{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}} +{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}} +{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}} +{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}} +{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }} +{{- if $requireSys }} +- name: sys + hostPath: + path: /sys +{{- end }} +- name: includes + hostPath: + path: /etc/apparmor.d +- name: profiles + configMap: + name: {{ $configName | quote }} + defaultMode: 0555 +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl new file mode 100644 index 000000000..4741497e2 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl 
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl new file mode 100644
index 000000000..bed712e59
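Review bot: When any of the three `hasKey` guards fails the snippet renders nothing at all, so the container silently falls back to whatever the pod-level context or the runtime default provides, and a typo in the `$application` or `$container` key disables hardening without any render-time signal. The abstract should state this, e.g. `Renders nothing when pod.security_context.<application>.container.<container> is absent; hardening fields are never defaulted here.` The third guard calls `hasKey` on the result of `index … $application "container"`, which appears to be nil when the application entry has no `container` map; it seems to evaluate false rather than fail, but a one-line comment confirming that is intentional would help the next reader.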
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
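Review bot: On the `DEPENDENCY_JOBS_JSON` entry, `value: {{- toJson $deps.jobs | quote -}}` left-trims the space after `value:`, so the rendered line is most likely `value:"[...]"`, a plain scalar rather than a key, and the list-of-maps form of `jobs` then probably does not yield a loadable manifest; `value: {{ toJson $deps.jobs | quote }}`, matching the `DEPENDENCY_POD_JSON` entry a few lines below, avoids it — please verify with a rendered chart. Separately, `mergeOverwrite $default_security_context $envAll` lets any chart replace the nobody-user / read-only-root / no-privilege-escalation defaults, and the `values:` example in the doc block shows exactly that override (`runAsUser: 0`, `readOnlyRootFilesystem: false`) without saying it weakens the dependency-check container; a comment beside the example such as `# overriding these defaults runs the dependency check as root; keep them unless the check needs host access` would make the trade-off visible. The template also writes a `__kubernetes_entrypoint_init_container` key into `.Values` and sets `namespace` on each `custom_resources` entry in place, both of which later templates in the same render can observe, which is worth a one-line comment.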
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl new file mode 100644
index 000000000..34a7da33a
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl new file mode 100644
index 000000000..92d3ea5cb
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
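Review bot: This snippet has no `abstract`/`usage`/`return` doc block unlike its siblings, and `$envAll` is assigned but never used. The rendered `-l application=… -l component=…` string is presumably spliced into kubectl command lines unquoted, so the doc block should say that both arguments are expected to be label-safe values (no whitespace or shell metacharacters) supplied by the chart, not taken from user input; something like `abstract: | Renders kubectl label-selector flags for an application/component pair; arguments are used unquoted and must be label-safe.` would cover it.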
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl new file mode 100644
index 000000000..48b53fa10
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
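Review bot: When `pod.mandatory_access_control` has no entry for `$podName`, or a container name is missing under it, the template emits no annotation and that container runs without an AppArmor profile, with nothing at render time to show it. The values example marks extra containers `# optional`, so the silent skip is by design, but the `note:` should spell it out, e.g. `A container that is not listed under <podName> gets no annotation and therefore no AppArmor profile; this is not reported at render time.` The `container.apparmor.security.beta.kubernetes.io/` annotation is also the legacy form of this setting; a short comment that recent Kubernetes releases expose the same control through the container `securityContext` would help whoever maintains this next.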
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl new file mode 100644
index 000000000..fabbcf8d9
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
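Review bot: `release_group`, `application` and `component` are emitted as unquoted plain scalars, so a `release_group` value such as `2024` or `on` is retyped by the YAML loader and the label set is then rejected or silently altered; `release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name | quote }}` (and `| quote` on the two lines below it) keeps them strings. This is more than cosmetic because these three labels are what the anti-affinity selector in `helm-toolkit.snippets.kubernetes_pod_anti_affinity` matches on, so a retyped value changes scheduling without an error.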
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
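Review bot: An `$antiAffinityType` that is neither of the two literal strings renders a bare `podAntiAffinity:` key with a null value and no error, so a typo in `pod.affinity.anti.type` silently removes the anti-affinity rule; documenting the two accepted values under `values:`, or adding a `{{ fail }}` in a final `else` branch, would catch that. The `weight: 10` literal in the `else` branch duplicates the documented `weight.default: 10`, leaving two places to change; since `$antiAffinityType` and `$antiAffinityKey` already use the `index … | default …` pattern, the weight could use the same single expression. The `usage:` and `return:` examples in the doc block also spell the sample application `appliction_x`.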
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl new file mode 100644
index 000000000..74173dcef
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
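Review bot: The define is named `kubernetes_image_pull_secrets` while the file is `_kubernetes_pod_image_pull_secret.tpl`; every other snippet in this series has a define name matching its filename, so this one is worth aligning or at least calling out in the doc block so a grep for the file name finds the helper. The application-specific list and the `default` list are concatenated rather than one overriding the other, which the `return:` example shows but the abstract does not state; a sentence such as `Application-specific and default secrets are additive; both lists are rendered when present.` would pre-empt the obvious misreading.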
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl new file mode 100644
index 000000000..90a7a6517
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
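Review bot: The RoleBinding subject names the ServiceAccount in `$saNamespace`, which the caller in `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` passes as the namespace of the dependency, not the namespace the ServiceAccount is created in; when a dependency service declares its own `namespace`, the binding points at a ServiceAccount that may not exist there — please confirm whether the subject should instead carry the release namespace. The `secrets` branch grants `get`/`list` on every Secret in that namespace, and the verbs apply to all four listed apiGroups, so this is the broadest grant the snippet can produce; the file has no doc block, so please add one stating which `$deps` values map to which rules and that a `secret` dependency yields namespace-wide secret read access. The `extensions` apiGroup no longer serves these resources on current Kubernetes, which deserves a comment if it is kept for older clusters.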
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl new file mode 100644
index 000000000..bc2045e5f
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
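Review bot: The dependency-collection block (from the first `set $envAll.Values "__kubernetes_entrypoint_init_container"` through the matching `{{- end -}}`) duplicates the one in `helm-toolkit.snippets.kubernetes_entrypoint_init_container` but omits that template's `job_rabbit_init` dynamic merge, so if rabbit-init contributes a `jobs` dependency the init container may wait on jobs the Role built here does not cover; if that is real, the two should share one helper define rather than diverge. The `$randomKey := randAlphaNum 32` / `dict $randomKey ""` / `unset` sequence exists only to seed the map and reads as a workaround; `dict` with no arguments returns the same empty map and removes the random value from the render. Both templates also write the same `__kubernetes_entrypoint_init_container` scratch key into `.Values`, so whichever renders last wins; a comment naming that shared key would make the coupling visible.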
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl new file mode 100644
index 000000000..3a4fbaa8b
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl new file mode 100644
index 000000000..7470760e0
--- /dev/null
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
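Review bot: The deprecated `pod.user.<app>.uid` branch and the `pod.security_context.<app>.pod` branch can both emit `runAsUser`, producing a duplicate key in the rendered `securityContext`; most YAML loaders keep the last occurrence silently, so a chart migrating between the two forms gets whichever wins rather than an error. Either skip the `uid` branch when the security_context form already carries `runAsUser`, or state the precedence in the doc block (e.g. `If both pod.user.<app>.uid and security_context.<app>.pod.runAsUser are set, the security_context value wins.`). Note also that `securityContext:` is emitted even when neither branch matches, leaving a null value, and the abstract's second line spells `seurity`.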
@@ -0,0 +1,55 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders kubernetes liveness and readiness probes for containers +values: | + pod: + probes: + api: + default: + readiness: + enabled: true + params: + initialDelaySeconds: 30 + timeoutSeconds: 30 +usage: | + {{- define "probeTemplate" }} + httpGet: + path: /status + port: 9090 + {{- end }} + {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }} +return: | + readinessProbe: + httpGet: + path: /status + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_probe" -}} +{{- $envAll := index . "envAll" -}} +{{- $component := index . "component" -}} +{{- $container := index . "container" -}} +{{- $type := index . "type" -}} +{{- $probeTemplate := index . "probeTemplate" -}} +{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}} +{{- if $probeOpts.enabled -}} +{{- $probeOverides := index $probeOpts "params" | default dict -}} +{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl new file mode 100644 index 000000000..24d30cf32 --- /dev/null 
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl @@ -0,0 +1,53 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Note: This function is deprecated and will be removed in the future. + +abstract: | + Renders kubernetes resource limits for pods +values: | + pod: + resources: + enabled: true + api: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + hugepages-1Gi: "1Gi" + +usage: | + {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }} +return: | + resources: + limits: + cpu: "2000m" + memory: "1024Mi" + hugepages-1Gi: "1Gi" + requests: + cpu: "100m" + memory: "128Mi +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_resources" -}} +{{- $envAll := index . 0 -}} +{{- $component := index . 1 -}} +{{- if $envAll.Values.pod.resources.enabled -}} +resources: +{{ toYaml $component | trim | indent 2 }} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl new file mode 100644 index 000000000..555ffb051 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl 
@@ -0,0 +1,47 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders seccomp annotations for a list of containers driven by values.yaml. +values: | + pod: + seccomp: + myPodName: + myContainerName: localhost/mySeccomp + mySecondContainerName: localhost/secondProfile # optional + myThirdContainerName: localhost/thirdProfile # optional +usage: | + {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }} +return: | + container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp + container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile + container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile +note: | + The number of container underneath is a variable arguments. It loops through + all the container names specified. +*/}} +{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}} +{{- $envAll := index . "envAll" -}} +{{- $podName := index . "podName" -}} +{{- $containerNames := index . 
"containerNames" -}} +{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}} +{{- range $name := $containerNames -}} +{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}} +{{- if $seccompProfile }} +container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl new file mode 100644 index 000000000..e4af6a62a --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl 
@@ -0,0 +1,45 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders kubernetes tolerations for pods +values: | + pod: + tolerations: + api: + enabled: true + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + - key: node-role.kubernetes.io/node + operator: Exists + +usage: | + {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }} +return: | + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + - key: node-role.kubernetes.io/node + operator: Exists +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}} +{{- $envAll := index . 0 -}} +{{- $component := index . 1 -}} +{{- $pod := index $envAll.Values.pod.tolerations $component }} +tolerations: +{{ toYaml $pod.tolerations }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl new file mode 100644 index 000000000..69cee4721 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl 
@@ -0,0 +1,33 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}} +{{- $envAll := index . 0 -}} +{{- $component := index . 1 -}} +{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}} +{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}} +{{- with $upgradeMap -}} +{{- if .enabled }} +minReadySeconds: {{ .min_ready_seconds }} +updateStrategy: + type: {{ $pod_replacement_strategy }} + {{- if $pod_replacement_strategy }} + {{- if eq $pod_replacement_strategy "RollingUpdate" }} + rollingUpdate: + maxUnavailable: {{ .max_unavailable }} + {{- end }} + {{- end }} +{{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl new file mode 100644 index 000000000..be28cdb80 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl 
@@ -0,0 +1,27 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}} +{{- $envAll := index . 0 -}} +{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}} +revisionHistoryLimit: {{ .revision_history }} +strategy: + type: {{ .pod_replacement_strategy }} + {{- if eq .pod_replacement_strategy "RollingUpdate" }} + rollingUpdate: + maxUnavailable: {{ .rolling_update.max_unavailable }} + maxSurge: {{ .rolling_update.max_surge }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl new file mode 100644 index 000000000..f897023fe --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl 
@@ -0,0 +1,51 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders upgradeStrategy configuration for Kubernetes statefulsets. + See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + Types: + - RollingUpdate (default) + - OnDelete + Partitions: + - Stage updates to a statefulset by keeping pods at current version while + allowing mutations to statefulset's .spec.template +values: | + pod: + lifecycle: + upgrades: + statefulsets: + pod_replacement_strategy: RollingUpdate + partition: 2 +usage: | + {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }} +return: | + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: 2 +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}} +{{- $envAll := index . 0 -}} +{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}} +updateStrategy: + type: {{ .pod_replacement_strategy }} + {{ if .partition -}} + rollingUpdate: + partition: {{ .partition }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl new file mode 100644 index 000000000..fc74c6fb4 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl 
@@ -0,0 +1,68 @@ +{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}} +{{/* + +Inserts a bash function definition mon_host_from_k8s_ep() which can be used +to construct a mon_hosts value from the given namespaced endpoint. + +Usage (e.g. in _script.sh.tpl): + #!/bin/bash + + : "${NS:=ceph}" + : "${EP:=ceph-mon-discovery}" + + {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }} + + MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP") + + if [ -z "$MON_HOST" ]; then + # deal with failure + else + sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf + fi +*/}} +{{` +# Construct a mon_hosts value from the given namespaced endpoint +# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0] +# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0] +# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0] +# The entries for all IPs will be joined with commas +mon_host_from_k8s_ep() { + local ns=$1 + local ep=$2 + + if [ -z "$ns" ] || [ -z "$ep" ]; then + return 1 + fi + + # We don't want shell expansion for the go-template expression + # shellcheck disable=SC2016 + kubectl get endpoints -n "$ns" "$ep" -o go-template=' + {{- $sep := "" }} + {{- range $_,$s := .subsets }} + {{- $v2port := 0 }} + {{- $v1port := 0 }} + {{- range $_,$port := index $s "ports" }} + {{- if (eq $port.name "mon-msgr2") }} + {{- $v2port = $port.port }} + {{- else if (eq $port.name "mon") }} + {{- $v1port = $port.port }} + {{- end }} + {{- end }} + {{- range $_,$address := index $s "addresses" }} + {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }} + {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }} + {{- if (and $v2port $v1port) }} + {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }} + {{- $sep = "," }} + {{- else if $v2port }} + {{- printf "%s[%s]" $sep $v2endpoint }} + {{- $sep = "," }} + {{- else if $v1port }} + {{- printf "%s[%s]" $sep $v1endpoint }} + {{- $sep = "," }} + {{- end }} + {{- end 
}} + {{- end }}' +} +`}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl new file mode 100644 index 000000000..fec41f85d --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl @@ -0,0 +1,33 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# Appends annotations for configuring prometheus scrape jobs via pod +# annotations. The required annotations are: +# * `prometheus.io/scrape`: Only scrape pods that have a value of `true` +# * `prometheus.io/path`: If the metrics path is not `/metrics` override this. +# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the +# pod's declared ports (default is a port-free target if none are declared). + +{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}} +{{- $config := index . 0 -}} +{{- if $config.scrape }} +prometheus.io/scrape: {{ $config.scrape | quote }} +{{- end }} +{{- if $config.path }} +prometheus.io/path: {{ $config.path | quote }} +{{- end }} +{{- if $config.port }} +prometheus.io/port: {{ $config.port | quote }} +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl new file mode 100644 index 000000000..a827c4bef --- /dev/null 
+++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl @@ -0,0 +1,35 @@ +{{/* +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +# Appends annotations for configuring prometheus scrape endpoints via +# annotations. The required annotations are: +# * `prometheus.io/scrape`: Only scrape services that have a value of `true` +# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need +# to set this to `https` & most likely set the `tls_config` of the scrape config. +# * `prometheus.io/path`: If the metrics path is not `/metrics` override this. +# * `prometheus.io/port`: If the metrics are exposed on a different port to the +# service then set this appropriately. + +{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}} +{{- $config := index . 0 -}} +{{- if $config.scrape }} +prometheus.io/scrape: {{ $config.scrape | quote }} +{{- end }} +{{- if $config.scheme }} +prometheus.io/scheme: {{ $config.scheme | quote }} +{{- end }} +{{- if $config.path }} +prometheus.io/path: {{ $config.path | quote }} +{{- end }} +{{- if $config.port }} +prometheus.io/port: {{ $config.port | quote }} +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_release_uuid.tpl new file mode 100644 index 000000000..253920b77 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_release_uuid.tpl 
@@ -0,0 +1,29 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Reneders an attonation key and value for a release +values: | + release_uuid: null +usage: | + {{ tuple . | include "helm-toolkit.snippets.release_uuid" }} +return: | + "openstackhelm.openstack.org/release_uuid": "" +*/}} + +{{- define "helm-toolkit.snippets.release_uuid" -}} +{{- $envAll := index . 0 -}} +"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl new file mode 100644 index 000000000..a3169ce9f --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl 
@@ -0,0 +1,32 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }} +{{- $s3AdminSecret := .s3AdminSecret }} +- name: S3_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ $s3AdminSecret }} + key: S3_ADMIN_USERNAME +- name: S3_ADMIN_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ $s3AdminSecret }} + key: S3_ADMIN_ACCESS_KEY +- name: S3_ADMIN_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ $s3AdminSecret }} + key: S3_ADMIN_SECRET_KEY +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl new file mode 100644 index 000000000..08521e0fe --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_bucket_user_env_vars_rook.tpl 
@@ -0,0 +1,28 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_bucket_user_env_vars_rook" }} +{{- range $s3Bucket := .Values.storage.s3.buckets }} +- name: {{ printf "%s_S3_ACCESS_KEY" ($s3Bucket.client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3Bucket.name }} + key: AWS_ACCESS_KEY_ID +- name: {{ printf "%s_S3_SECRET_KEY" ($s3Bucket.client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3Bucket.name }} + key: AWS_SECRET_ACCESS_KEY +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl new file mode 100644 index 000000000..a611a5e75 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl 
@@ -0,0 +1,29 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }} +{{- range $client, $config := .Values.storage.s3.clients -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }} +type: Opaque +data: +{{- range $key, $value := $config.auth }} + {{ $key | upper }}: {{ $value | toString | b64enc}} +{{- end }} + +{{ end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl new file mode 100644 index 000000000..a3dd4314b --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl 
@@ -0,0 +1,34 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }} +{{- range $client, $user := .Values.storage.s3.clients }} +{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }} +- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3secret }} + key: USERNAME +- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3secret }} + key: ACCESS_KEY +- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }} + valueFrom: + secretKeyRef: + name: {{ $s3secret }} + key: SECRET_KEY +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_tls_volume.tpl new file mode 100644 index 000000000..41fe3d96d --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_tls_volume.tpl 
@@ -0,0 +1,47 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +abstract: | + Renders a secret volume for tls. + + Dictionary Parameters: + enabled: boolean check if you want to conditional disable this snippet (optional) + name: name of the volume (required) + secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional) + +values: | + manifests: + certificates: true + +usage: | + {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}} + {{- $opts | include "helm-toolkit.snippets.tls_volume" -}} + +return: | + - name: glance-tls-api + secret: + secretName: glance-tls-api + defaultMode: 292 +*/}} +{{- define "helm-toolkit.snippets.tls_volume" }} +{{- $enabled := index . "enabled" -}} +{{- $name := index . "name" -}} +{{- $secretName := index . "secretName" | default $name -}} +{{- if and $enabled (ne $name "") }} +- name: {{ $name }} + secret: + secretName: {{ $secretName }} + defaultMode: 292 +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl new file mode 100644 index 000000000..9cfa81950 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl 
@@ -0,0 +1,82 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +abstract: | + Renders a volume mount for TLS key, cert and CA. + + Dictionary Parameters: + enabled: boolean check if you want to conditional disable this snippet (optional) + name: name that of the volume and should match the volume name (required) + path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required) + certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}. + the default is the full set. 
(optional) + +values: | + manifests: + certificates: true + +usage: | + {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}} + {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} + +return: | + - name: glance-tls-api + mountPath: /etc/glance/certs/tls.crt + subPath: tls.crt + readOnly: true + - name: glance-tls-api + mountPath: /etc/glance/certs/tls.key + subPath: tls.key + readOnly: true + - name: glance-tls-api + mountPath: /etc/glance/certs/ca.crt + subPath: ca.crt + readOnly: true + +abstract: | + This mounts a specific issuing CA only for service validation + +usage: | + {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}} + {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} + +return: | + - name: glance-tls-api + mountPath: /etc/ssl/certs/openstack-helm.crt + subPath: ca.crt + readOnly: true +*/}} +{{- define "helm-toolkit.snippets.tls_volume_mount" }} +{{- $enabled := index . "enabled" -}} +{{- $name := index . "name" -}} +{{- $path := index . "path" | default "" -}} +{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }} +{{- if $enabled }} +{{- if and (eq $path "") (ne $name "") }} +- name: {{ $name }} + mountPath: "/etc/ssl/certs/openstack-helm.crt" + subPath: ca.crt + readOnly: true +{{- else }} +{{- if ne $name "" }} +{{- range $key, $value := $certs }} +- name: {{ $name }} + mountPath: {{ printf "%s/%s" $path $value }} + subPath: {{ $value }} + readOnly: true +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/ironic/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl new file mode 100644 index 000000000..6e9d5a184 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl 
@@ -0,0 +1,87 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders out configuration sections into a format suitable for incorporation + into a config-map. Allowing various forms of input to be rendered out as + appropriate. +values: | + conf: + inputs: + - foo + - bar + some: + config_to_render: | + #We can use all of gotpl here: eg macros, ranges etc. + {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }} + config_to_complete: + #here we can fill out params, but things need to be valid yaml as input + '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}' + static_config: + #this is just passed though as yaml to the configmap + foo: bar +usage: | + {{- $envAll := . 
}} + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: application-etc + data: + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }} +return: | + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: application-etc + data: + config_to_render.conf: | + #We can use all of gotpl here: eg macros, ranges etc. + foo,bar + + config_to_complete.yaml: | + 'RELEASE-NAME': 'default-namespace' + + static_config.yaml: | + foo: bar +*/}} + +{{- define "helm-toolkit.snippets.values_template_renderer" -}} +{{- $envAll := index . "envAll" -}} +{{- $template := index . "template" -}} +{{- $key := index . "key" -}} +{{- $format := index . "format" | default "configMap" -}} +{{- with $envAll -}} +{{- $templateRendered := tpl ( $template | toYaml ) . }} +{{- if eq $format "Secret" }} +{{- if hasPrefix "|\n" $templateRendered }} +{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }} +{{- else }} +{{ $key }}: {{ $templateRendered | b64enc }} +{{- end -}} +{{- else }} +{{- if hasPrefix "|\n" $templateRendered }} +{{ $key }}: | +{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }} +{{- else }} +{{ $key }}: | +{{ $templateRendered | indent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/ironic/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/ironic/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl new file mode 100644 index 000000000..6d617a182 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl 
@@ -0,0 +1,94 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Produces a certificate from a certificate authority. If the "encode" parameter + is true, base64 encode the values for inclusion in a Kubernetes secret. +values: | + test: + hosts: + names: + - barbican.openstackhelm.example + - barbican.openstack.svc.cluster.local + ips: + - 127.0.0.1 + - 192.168.0.1 + life: 3 + # Use ca.crt and ca.key to build a customized ca, if they are provided. + # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided. + ca: + crt: | + + key: | + +usage: | + {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }} +return: | + ca: | + + crt: | + + exp: 2018-09-01T10:56:07.895392915-00:00 + key: | + +*/}} + +{{- define "helm-toolkit.utils.tls_generate_certs" -}} +{{- $params := index . "params" -}} +{{- $encode := index . 
"encode" | default false -}} +{{- $local := dict -}} + +{{- $_hosts := $params.hosts.names | default list }} +{{- if kindIs "string" $params.hosts.names }} +{{- $_ := set $local "certHosts" (list $params.hosts.names) }} +{{- else }} +{{- $_ := set $local "certHosts" $_hosts }} +{{- end }} + +{{- $_ips := $params.hosts.ips | default list }} +{{- if kindIs "string" $params.hosts.ips }} +{{- $_ := set $local "certIps" (list $params.hosts.ips) }} +{{- else }} +{{- $_ := set $local "certIps" $_ips }} +{{- end }} + +{{- if hasKey $params "ca" }} +{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }} +{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }} +{{- $_ := set $local "ca" $ca }} +{{- end }} +{{- else }} +{{- $ca := genCA (first $local.certHosts) (int $params.life) }} +{{- $_ := set $local "ca" $ca }} +{{- end }} + +{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }} +{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }} +{{- $certificate := dict -}} +{{- if $encode -}} +{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}} +{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}} +{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}} +{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}} +{{- $_ := b64enc $expDate | set $certificate "exp" -}} +{{- else -}} +{{- $_ := set $certificate "crt" $rawCert.Cert -}} +{{- $_ := set $certificate "key" $rawCert.Key -}} +{{- $_ := set $certificate "ca" $local.ca.Cert -}} +{{- $_ := set $certificate "caKey" $local.ca.Key -}} +{{- $_ := set $certificate "exp" $expDate -}} +{{- end -}} +{{- $certificate | toYaml }} +{{- end -}} 
diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl new file mode 100644 index 000000000..e26501f80 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl @@ -0,0 +1,46 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a comma separated list of namespace:service pairs. +values: | + dependencies: + static: + api: + services: + - endpoint: internal + service: oslo_cache + - endpoint: internal + service: oslo_db + endpoints: + oslo_db: + namespace: foo + hosts: + default: mariadb + oslo_cache: + namespace: bar + hosts: + default: memcache +usage: | + {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }} +return: | + bar:memcache,foo:mariadb +*/}} + +{{- define "helm-toolkit.utils.comma_joined_service_list" -}} +{{- $deps := index . 0 -}} +{{- $envAll := index . 1 -}} +{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_configmap_templater.tpl new file mode 100644 index 000000000..7095c1937 --- /dev/null 
+++ b/charts/ironic/charts/helm-toolkit/templates/utils/_configmap_templater.tpl @@ -0,0 +1,30 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.configmap_templater" }} +{{- $keyRoot := index . 0 -}} +{{- $configTemplate := index . 1 -}} +{{- $context := index . 2 -}} +{{ if $keyRoot.override -}} +{{ $keyRoot.override | indent 4 }} +{{- else -}} +{{- if $keyRoot.prefix -}} +{{ $keyRoot.prefix | indent 4 }} +{{- end }} +{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} +{{- if $keyRoot.append -}} +{{ $keyRoot.append | indent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl new file mode 100644 index 000000000..40359f0f4 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl 
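Review bot: This helper has no `abstract`/`values`/`usage`/`return` header, unlike the sibling helpers in this change, and the hard-coded `indent 4` on every branch is the only hint of where the output is meant to be spliced. A short header stating that `$keyRoot` is expected to carry optional `override`, `prefix` and `append` strings, that `override` replaces the rendered template entirely while `prefix`/`append` wrap it, and that the result is pre-indented by four spaces for a ConfigMap `data` entry would let callers use it without reading the body. Whether `helm-toolkit.utils.template` applies `tpl` to `$configTemplate` is not visible here, so the header should also say whether the prefix/append text is rendered or copied verbatim.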
@@ -0,0 +1,269 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.daemonset_overrides" }} + {{- $daemonset := index . 0 }} + {{- $daemonset_yaml := index . 1 }} + {{- $configmap_include := index . 2 }} + {{- $configmap_name := index . 3 }} + {{- $context := index . 4 }} + {{- $_ := unset $context ".Files" }} + {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }} + {{- $_ := set $context.Values "__daemonset_list" list }} + {{- $_ := set $context.Values "__default" dict }} + {{- if hasKey $context.Values.conf "overrides" }} + {{- range $key, $val := $context.Values.conf.overrides }} + + {{- if eq $key $daemonset_root_name }} + {{- range $type, $type_data := . }} + + {{- if eq $type "hosts" }} + {{- range $host_data := . }} + {{/* dictionary that will contain all info needed to generate this + iteration of the daemonset */}} + {{- $current_dict := dict }} + + {{/* set daemonset name */}} + {{/* Note: long hostnames can cause the 63 char name limit to be + exceeded. 
Truncate the hostname if hostname > 20 char */}} + {{- if gt (len $host_data.name) 20 }} + {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }} + {{- else }} + {{- $_ := set $current_dict "name" $host_data.name }} + {{- end }} + + {{/* apply overrides */}} + {{- $override_conf_copy := $host_data.conf }} + {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}} + {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }} + {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }} + {{- $root_conf_copy2 := dict "conf" $merged_dict }} + {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }} + + {{/* Schedule to this host explicitly. */}} + {{- $nodeSelector_dict := dict }} + + {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $nodeSelector_dict "operator" "In" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $nodeSelector_dict "values" $values_list }} + + {{- $list_aggregate := list $nodeSelector_dict }} + {{- $_ := set $current_dict "matchExpressions" $list_aggregate }} + + {{/* store completed daemonset entry/info into global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + + {{- end }} + {{- end }} + + {{- if eq $type "labels" }} + {{- $_ := set $context.Values "__label_list" . }} + {{- range $label_data := . }} + {{/* dictionary that will contain all info needed to generate this + iteration of the daemonset. 
*/}} + {{- $_ := set $context.Values "__current_label" dict }} + + {{/* set daemonset name */}} + {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }} + + {{/* apply overrides */}} + {{- $override_conf_copy := $label_data.conf }} + {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}} + {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }} + {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }} + {{- $root_conf_copy2 := dict "conf" $merged_dict }} + {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }} + + {{/* Schedule to the provided label value(s) */}} + {{- $label_dict := omit $label_data.label "NULL" }} + {{- $_ := set $label_dict "operator" "In" }} + {{- $list_aggregate := list $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + + {{/* Do not schedule to other specified labels, with higher + precedence as the list position increases. Last defined label + is highest priority. */}} + {{- $other_labels := without $context.Values.__label_list $label_data }} + {{- range $label_data2 := $other_labels }} + {{- $label_dict := omit $label_data2.label "NULL" }} + + {{- $_ := set $label_dict "operator" "NotIn" }} + + {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + {{- end }} + {{- $_ := set $context.Values "__label_list" $other_labels }} + + {{/* Do not schedule to any other specified hosts */}} + {{- range $type, $type_data := $val }} + {{- if eq $type "hosts" }} + {{- range $host_data := . 
}} + {{- $label_dict := dict }} + + {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $label_dict "operator" "NotIn" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $label_dict "values" $values_list }} + + {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }} + {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{- end }} + + {{/* store completed daemonset entry/info into global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + {{- $_ := unset $context.Values "__current_label" }} + + {{- end }} + {{- end }} + {{- end }} + + {{/* scheduler exceptions for the default daemonset */}} + {{- $_ := set $context.Values.__default "matchExpressions" list }} + + {{- range $type, $type_data := . }} + {{/* Do not schedule to other specified labels */}} + {{- if eq $type "labels" }} + {{- range $label_data := . }} + {{- $default_dict := omit $label_data.label "NULL" }} + + {{- $_ := set $default_dict "operator" "NotIn" }} + + {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }} + {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{/* Do not schedule to other specified hosts */}} + {{- if eq $type "hosts" }} + {{- range $host_data := . 
}} + {{- $default_dict := dict }} + + {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }} + {{- $_ := set $default_dict "operator" "NotIn" }} + + {{- $values_list := list $host_data.name }} + {{- $_ := set $default_dict "values" $values_list }} + + {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }} + {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + + {{/* generate the default daemonset */}} + + {{/* set name */}} + {{- $_ := set $context.Values.__default "name" "default" }} + + {{/* no overrides apply, so copy as-is */}} + {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }} + {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }} + {{- $context_values := omit $context.Values "conf" }} + {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }} + {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }} + {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }} + + {{/* add to global list */}} + {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }} + {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }} + + {{- range $current_dict := $context.Values.__daemonset_list }} + + {{- $context_novalues := omit $context "Values" }} + {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }} + {{- $_ := set $current_dict "nodeData" $merged_dict }} + {{/* Deep copy original daemonset_yaml */}} + {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }} + + {{/* name needs to be a DNS-1123 compliant name. 
Ensure lower case */}} + {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }} + {{/* labels may contain underscores which would be invalid here, so we replace them with dashes + there may be other valid label names which would make for an invalid DNS-1123 name + but these will be easier to handle in future with sprig regex* functions + (not availabile in helm 2.5.1) */}} + {{- $name_format2 := $name_format1 | replace "_" "-" }} + {{/* To account for the case where the same label is defined multiple times in overrides + (but with different label values), we add a sha of the scheduling data to ensure + name uniqueness */}} + {{- $_ := set $current_dict "dns_1123_name" dict }} + {{- if hasKey $current_dict "matchExpressions" }} + {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }} + {{- else }} + {{- $_ := set $current_dict "dns_1123_name" $name_format2 }} + {{- end }} + + {{/* set daemonset metadata name */}} + {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }} + {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }} + + {{/* cross-reference configmap name to container volume definitions */}} + {{- $_ := set $context.Values "__volume_list" list }} + {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }} + {{- $_ := set $context.Values "__volume" $current_volume }} + {{- if hasKey $context.Values.__volume "secret" }} + {{- if eq $context.Values.__volume.secret.secretName $configmap_name }} + {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }} + {{- end }} + {{- end }} + {{- $updated_list := append 
$context.Values.__volume_list $context.Values.__volume }} + {{- $_ := set $context.Values "__volume_list" $updated_list }} + {{- end }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }} + + + {{/* populate scheduling restrictions */}} + {{- if hasKey $current_dict "matchExpressions" }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }} + {{- $match_exprs := dict }} + {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }} + {{- $appended_match_expr := list $match_exprs }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }} + {{- end }} + + {{/* input value hash for current set of values overrides */}} + {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict 
}}{{- end }} + {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }} + {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }} + {{- $values_hash := $cmap | quote | sha256sum }} + {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }} + + {{/* generate configmap */}} +--- +{{ $cmap }} + {{/* generate daemonset yaml */}} +--- +{{ $context.Values.__daemonset_yaml | toYaml }} + {{- end }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl new file mode 100644 index 000000000..4a88dd8df --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl 
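Review bot: The defaulting guards near the end of the loop (`{{- if not $context.Values.__daemonset_yaml.spec }}`, then `.spec.template`, `.spec.template.metadata`) run after the volumes range and the affinity block, both of which already dereference `spec.template.spec`, so they cannot protect those earlier accesses; a daemonset definition lacking `spec.template.spec` would fail on the volumes range before any guard is reached, and the guards should move up to directly after the deep copy of `$daemonset_yaml`. Separately, `{{- $_ := unset $context ".Files" }}` names the key with a leading dot whereas the root context key is `Files`, so this looks like a no-op; if the intent is to drop the files map before the `toYaml | fromYaml` deep copies, `unset $context "Files"` is the key to use, worth confirming against the template context. The `printf (print $context.Chart.Name "_" $daemonset)` and `printf (print $name_format2 "-" ...)` calls use the joined string as a format string, so a `%` in a chart, daemonset or label name would be interpreted; `printf "%s_%s" $context.Chart.Name $daemonset` and the equivalent for the name avoid that.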
@@ -0,0 +1,40 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.dependency_resolver" }} +{{- $envAll := index . "envAll" -}} +{{- $dependencyMixinParam := index . "dependencyMixinParam" -}} +{{- $dependencyKey := index . "dependencyKey" -}} +{{- if $dependencyMixinParam -}} +{{- $_ := set $envAll.Values "pod_dependency" dict -}} +{{- if kindIs "string" $dependencyMixinParam }} +{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }} +{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}} +{{- else }} +{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }} +{{- end }} +{{- else if kindIs "slice" $dependencyMixinParam }} +{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }} +{{- range $k, $v := $dependencyMixinParam -}} +{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }} +{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}} +{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}} +{{- end }} +{{- end }} +{{- end }} +{{- else -}} +{{- $_ := set $envAll.Values "pod_dependency" 
( index $envAll.Values.dependencies.static $dependencyKey ) -}} +{{- end -}} +{{ $envAll.Values.pod_dependency | toYaml }} +{{- end }} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_hash.tpl new file mode 100644 index 000000000..d871b6267 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_hash.tpl @@ -0,0 +1,21 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.hash" -}} +{{- $name := index . 0 -}} +{{- $context := index . 1 -}} +{{- $last := base $context.Template.Name }} +{{- $wtf := $context.Template.Name | replace $last $name -}} +{{- include $wtf $context | sha256sum | quote -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_host_list.tpl new file mode 100644 index 000000000..0c32136a8 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_host_list.tpl 
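Review bot: `__deps` is written into `$envAll.Values` as scratch space in the slice branch but never removed, so it stays visible to every later template rendered with the same context; daemonset_overrides in the same change clears its `__current_label` scratch key with `unset`, and the same `{{- $_ := unset $envAll.Values "__deps" -}}` after the range would keep this helper consistent. The helper also lacks the `abstract`/`usage`/`return` header the other utils carry; a short one stating that `dependencyMixinParam` may be a string or a list of keys under `dependencies.dynamic.targeted`, merged in order onto `dependencies.static.<dependencyKey>`, would help callers. `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` yields nil when the targeted entry lacks `$dependencyKey`, and whether `helm-toolkit.utils.merge` tolerates a nil source is not visible from this hunk.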
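Review bot: `$wtf` is an uninformative name for the template path being hashed, and `replace $last $name` substitutes every occurrence of the basename within `Template.Name`, not only the final path segment, so a directory component that happens to contain the basename as a substring would be rewritten as well. `{{- $templatePath := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{- include $templatePath $context | sha256sum | quote -}}` states the intent directly. A one-line header saying the helper renders the sibling template `$name` from the caller's directory and returns a quoted sha256 of the rendered text, for use as a pod annotation, would also help.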
@@ -0,0 +1,44 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns a list of unique hosts for an endpoint, in yaml. +values: | + endpoints: + cluster_domain_suffix: cluster.local + oslo_db: + hosts: + default: mariadb + host_fqdn_override: + default: mariadb +usage: | + {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }} +return: | + hosts: + - mariadb + - mariadb.default +*/}} + +{{- define "helm-toolkit.utils.host_list" -}} +{{- $type := index . 0 -}} +{{- $endpoint := index . 1 -}} +{{- $context := index . 2 -}} +{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }} +{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}} +{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }} +{{- dict "hosts" $host_list | toYaml }} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_image_sync_list.tpl new file mode 100644 index 000000000..51923b6cb --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_image_sync_list.tpl 
@@ -0,0 +1,25 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.image_sync_list" -}} +{{- $imageExcludeList := .Values.images.local_registry.exclude -}} +{{- $imageDict := .Values.images.tags -}} +{{- $local := dict "first" true -}} +{{- range $k, $v := $imageDict -}} +{{- if not $local.first -}},{{- end -}} +{{- if (not (has $k $imageExcludeList )) -}} +{{- index $imageDict $k -}} +{{- $_ := set $local "first" false -}} +{{- end -}}{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl new file mode 100644 index 000000000..5eb578559 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl 
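Review bot: The separator comma is emitted before the exclusion check, so once a first image has been written every excluded key still contributes a `,`, producing output such as `img1,,img3` (or a trailing comma when the last key is excluded). Moving the comma inside the included branch fixes it: `{{- if (not (has $k $imageExcludeList )) -}}{{- if not $local.first -}},{{- end -}}{{- index $imageDict $k -}}{{- $_ := set $local "first" false -}}{{- end -}}`. A short header like the sibling helpers carry, stating that it returns a comma-separated list of `images.tags` values minus the keys in `images.local_registry.exclude`, would also be useful.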
@@ -0,0 +1,31 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Joins a list of values into a comma separated string +values: | + test: + - foo + - bar +usage: | + {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }} +return: | + foo,bar +*/}} + +{{- define "helm-toolkit.utils.joinListWithComma" -}} +{{- $local := dict "first" true -}} +{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl new file mode 100644 index 000000000..3bc68192d --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl 
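Review bot: The first-flag idiom with a scratch `$local` dict re-implements sprig's `join`, which is already available to these templates; `{{- join "," . -}}` gives the same output for the documented string lists and reads in one line, and likewise `join " "` for `helm-toolkit.utils.joinListWithSpace` in the hunk two files down. `join` stringifies non-string elements via `fmt.Sprint`, which matches what `{{- $v -}}` prints for scalars, but that equivalence is worth a quick check against the callers before replacing.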
@@ -0,0 +1,32 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Joins a list of values into a comma seperated string with single quotes + around each value. +values: | + test: + - foo + - bar +usage: | + {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }} +return: | + 'foo','bar' +*/}} + +{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}} +{{- $local := dict "first" true -}} +{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl new file mode 100644 index 000000000..40ebb1564 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl 
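Review bot: Each value is wrapped in `'...'` but not escaped, so an item containing a single quote produces a malformed quoted list; since the consumer of this string is not visible here, at least the header should state that values must not contain `'`, or the body should apply the consumer's escaping rule (for example `{{- $v | replace "'" "''" -}}` where the target uses doubled-quote escaping). The `abstract` also misspells "separated" as "seperated".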
@@ -0,0 +1,32 @@ +{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Joins a list of prefixed values into a space separated string +values: | + test: + - foo + - bar +usage: | + {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }} +return: | + prefixfoo prefixbar +*/}} + +{{- define "helm-toolkit.utils.joinListWithPrefix" -}} +{{- $prefix := index . 0 -}} +{{- $local := dict "first" true -}} +{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl new file mode 100644 index 000000000..59122807f --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl 
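Review bot: The file's opening comment reads `{/*` instead of `{{/*`, so if this is the committed content and not an extraction artifact, the license header is not a template comment: text/template only opens an action on `{{`, so `{/*` and the closing `*/}}` are literal text, whereas every sibling file in this change opens with `{{/*`. This is harmless for a `_`-prefixed partial that Helm does not render as a manifest, but it should still read `{{/*` for consistency and so header-checking tooling does not trip on it.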
@@ -0,0 +1,31 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Joins a list of values into a space separated string +values: | + test: + - foo + - bar +usage: | + {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }} +return: | + foo bar +*/}} + +{{- define "helm-toolkit.utils.joinListWithSpace" -}} +{{- $local := dict "first" true -}} +{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_merge.tpl new file mode 100644 index 000000000..ea8054664 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_merge.tpl 
@@ -0,0 +1,135 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Takes a tuple of values and merges into the first (target) one each subsequent +(source) one in order. If all values to merge are maps, then the tuple can be +passed as is and the target will be the result, otherwise pass a map with a +"values" key containing the tuple of values to merge, and the merge result will +be assigned to the "result" key of the passed map. + +When merging maps, for each key in the source, if the target does not define +that key, the source value is assigned. If both define the key, then the key +values are merged using this algorithm (recursively) and the result is assigned +to the target key. Slices are merged by appending them and removing any +duplicates, and when passing a map to this function and including a +"merge_same_named" key set to true, then map items from the slices with the same +value for the "name" key will be merged with each other. Any other values are +merged by simply keeping the source, and throwing away the target. 
+*/}} + +{{- define "helm-toolkit.utils.merge" -}} + {{- $local := dict -}} + {{- $_ := set $local "merge_same_named" false -}} + {{- if kindIs "map" $ -}} + {{- $_ := set $local "values" $.values -}} + {{- if hasKey $ "merge_same_named" -}} + {{- $_ := set $local "merge_same_named" $.merge_same_named -}} + {{- end -}} + {{- else -}} + {{- $_ := set $local "values" $ -}} + {{- end -}} + + {{- $target := first $local.values -}} + {{- range $item := rest $local.values -}} + {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}} + {{- $_ := include "helm-toolkit.utils._merge" $call -}} + {{- $_ := set $local "result" $call.result -}} + {{- end -}} + + {{- if kindIs "map" $ -}} + {{- $_ := set $ "result" $local.result -}} + {{- end -}} +{{- end -}} + +{{- define "helm-toolkit.utils._merge" -}} + {{- $local := dict -}} + + {{- $_ := set $ "result" $.source -}} + + {{/* + TODO: Should we `fail` when trying to merge a collection (map or slice) with + either a different kind of collection or a scalar? 
+ */}} + + {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}} + {{- range $key, $sourceValue := $.source -}} + {{- if not (hasKey $.target $key) -}} + {{- $_ := set $local "newTargetValue" $sourceValue -}} + {{- if kindIs "map" $sourceValue -}} + {{- $copy := dict -}} + {{- $call := dict "target" $copy "source" $sourceValue -}} + {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}} + {{- $_ := set $local "newTargetValue" $copy -}} + {{- end -}} + {{- else -}} + {{- $targetValue := index $.target $key -}} + {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}} + {{- $_ := include "helm-toolkit.utils._merge" $call -}} + {{- $_ := set $local "newTargetValue" $call.result -}} + {{- end -}} + {{- $_ := set $.target $key $local.newTargetValue -}} + {{- end -}} + {{- $_ := set $ "result" $.target -}} + {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}} + {{- $call := dict "target" $.target "source" $.source -}} + {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}} + {{- if $.merge_same_named -}} + {{- $_ := set $local "result" list -}} + {{- $_ := set $local "named_items" dict -}} + {{- range $item := $call.result -}} + {{- $_ := set $local "has_name_key" false -}} + {{- if kindIs "map" $item -}} + {{- if hasKey $item "name" -}} + {{- $_ := set $local "has_name_key" true -}} + {{- end -}} + {{- end -}} + + {{- if $local.has_name_key -}} + {{- if hasKey $local.named_items $item.name -}} + {{- $named_item := index $local.named_items $item.name -}} + {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}} + {{- $_ := include "helm-toolkit.utils._merge" $call -}} + {{- else -}} + {{- $copy := dict -}} + {{- $copy_call := dict "target" $copy "source" $item -}} + {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}} + {{- $_ := set $local.named_items $item.name $copy -}} + {{- $_ := set $local "result" (append 
$local.result $copy) -}} + {{- end -}} + {{- else -}} + {{- $_ := set $local "result" (append $local.result $item) -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- $_ := set $local "result" $call.result -}} + {{- end -}} + {{- $_ := set $ "result" (uniq $local.result) -}} + {{- end -}} +{{- end -}} + +{{- define "helm-toolkit.utils._merge.shallow" -}} + {{- range $key, $value := $.source -}} + {{- $_ := set $.target $key $value -}} + {{- end -}} +{{- end -}} + +{{- define "helm-toolkit.utils._merge.append_slice" -}} + {{- $local := dict -}} + {{- $_ := set $local "result" $.target -}} + {{- range $value := $.source -}} + {{- $_ := set $local "result" (append $local.result $value) -}} + {{- end -}} + {{- $_ := set $ "result" $local.result -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_template.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_template.tpl new file mode 100644 index 000000000..da56aa0ee --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_template.tpl @@ -0,0 +1,21 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.utils.template" -}} +{{- $name := index . 0 -}} +{{- $context := index . 1 -}} +{{- $last := base $context.Template.Name }} +{{- $wtf := $context.Template.Name | replace $last $name -}} +{{ include $wtf $context }} +{{- end -}} 
diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_to_ini.tpl new file mode 100644 index 000000000..a159364e7 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_to_ini.tpl @@ -0,0 +1,51 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns INI formatted output from yaml input +values: | + conf: + paste: + filter:debug: + use: egg:oslo.middleware#debug + filter:request_id: + use: egg:oslo.middleware#request_id + filter:build_auth_context: + use: egg:keystone#build_auth_context +usage: | + {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }} +return: | + [filter:build_auth_context] + use = egg:keystone#build_auth_context + [filter:debug] + use = egg:oslo.middleware#debug + [filter:request_id] + use = egg:oslo.middleware#request_id +*/}} + +{{- define "helm-toolkit.utils.to_ini" -}} +{{- range $section, $values := . -}} +{{- if kindIs "map" $values -}} +[{{ $section }}] +{{range $key, $value := $values -}} +{{- if kindIs "slice" $value -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }} +{{else -}} +{{ $key }} = {{ $value }} +{{end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl new file mode 100644 index 000000000..885a86cc7 --- /dev/null 
+++ b/charts/ironic/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl @@ -0,0 +1,46 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns yaml formatted to be used in k8s templates as container + env vars injected via secrets. This requires a secret- template to + be defined in the chart that can be used to house the desired secret + variables. For reference, see the fluentd chart. +values: | + test: + secrets: + foo: bar + +usage: | + {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }} +return: | + - name: foo + valueFrom: + secretKeyRef: + name: "my-release-name-env-secret" + key: foo +*/}} + +{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}} +{{- $context := index . 0 -}} +{{- $secrets := index . 1 -}} +{{ range $key, $config := $secrets -}} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }} + key: {{ $key }} +{{ end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl new file mode 100644 index 000000000..829dca6e0 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl 
@@ -0,0 +1,39 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns key value pair formatted to be used in k8s templates as container + env vars. +values: | + test: + foo: bar +usage: | + {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }} +return: | + - name: foo + value: "bar" +*/}} + +{{- define "helm-toolkit.utils.to_k8s_env_vars" -}} +{{range $key, $value := . -}} +{{- if kindIs "slice" $value -}} +- name: {{ $key }} + value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }} +{{else -}} +- name: {{ $key }} + value: {{ $value | quote }} +{{ end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_to_kv_list.tpl new file mode 100644 index 000000000..91bdeb692 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_to_kv_list.tpl 
@@ -0,0 +1,42 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns key value pair in INI format (key = value) +values: | + conf: + libvirt: + log_level: 3 +usage: | + {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }} +return: | + log_level = 3 +*/}} + +{{- define "helm-toolkit.utils.to_kv_list" -}} +{{- range $key, $value := . -}} +{{- if kindIs "slice" $value }} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }} +{{- else if kindIs "string" $value }} +{{- if regexMatch "^[0-9]+$" $value }} +{{ $key }} = {{ $value }} +{{- else }} +{{ $key }} = {{ $value | quote }} +{{- end }} +{{- else }} +{{ $key }} = {{ $value }} +{{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/ironic/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl new file mode 100644 index 000000000..622a86230 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl 
@@ -0,0 +1,75 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Returns OSLO.conf formatted output from yaml input +values: | + conf: + keystone: + DEFAULT: # Keys at this level are used for section headings + max_token_size: 255 + oslo_messaging_notifications: + driver: # An example of a multistring option's syntax + type: multistring + values: + - messagingv2 + - log + oslo_messaging_notifications_stein: + driver: # An example of a csv option's syntax + type: csv + values: + - messagingv2 + - log + security_compliance: + password_expires_ignore_user_ids: + # Values in a list will be converted to a comma separated key + - "123" + - "456" +usage: | + {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }} +return: | + [DEFAULT] + max_token_size = 255 + [oslo_messaging_notifications] + driver = messagingv2 + driver = log + [oslo_messaging_notifications_stein] + driver = messagingv2,log + [security_compliance] + password_expires_ignore_user_ids = 123,456 +*/}} + +{{- define "helm-toolkit.utils.to_oslo_conf" -}} +{{- range $section, $values := . 
-}} +{{- if kindIs "map" $values -}} +[{{ $section }}] +{{ range $key, $value := $values -}} +{{- if kindIs "slice" $value -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }} +{{ else if kindIs "map" $value -}} +{{- if eq $value.type "multistring" }} +{{- range $k, $multistringValue := $value.values -}} +{{ $key }} = {{ $multistringValue }} +{{ end -}} +{{ else if eq $value.type "csv" -}} +{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }} +{{ end -}} +{{- else -}} +{{ $key }} = {{ $value }} +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/ironic/charts/helm-toolkit/values.yaml b/charts/ironic/charts/helm-toolkit/values.yaml new file mode 100644 index 000000000..681a92b69 --- /dev/null +++ b/charts/ironic/charts/helm-toolkit/values.yaml @@ -0,0 +1,16 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for utils. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value diff --git a/charts/ironic/requirements.lock b/charts/ironic/requirements.lock new file mode 100644 index 000000000..43aa382fd --- /dev/null +++ b/charts/ironic/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: helm-toolkit + repository: https://tarballs.openstack.org/openstack-helm-infra + version: 0.2.64 +digest: sha256:4c00b9bfa1d3dc0426a82ec22f51b440e838c55cbd1f81dbf7de5b28471f6141 +generated: '0001-01-01T00:00:00Z' 
diff --git a/charts/ironic/requirements.yaml b/charts/ironic/requirements.yaml
new file mode 100644
index 000000000..ddafbfc88
--- /dev/null
+++ b/charts/ironic/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+- name: helm-toolkit
+ repository: https://tarballs.openstack.org/openstack-helm-infra
+ version: 0.2.64
diff --git a/charts/ironic/templates/bin/_bootstrap.sh.tpl b/charts/ironic/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 000000000..50bf6ca04
--- /dev/null
+++ b/charts/ironic/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{ $source_base := .Values.bootstrap.image.source_base | default "" }}
+{{ range $name, $opts := .Values.bootstrap.image.structured }}
+{{ $source := empty $source_base | ternary $opts.source (printf "%s/%s" $source_base $opts.source) }}
+openstack image show {{ $name | quote }} -fvalue -cid || (
+ IMAGE_LOC=$(mktemp)
+ curl --fail -sSL {{ $source }} -o ${IMAGE_LOC}
+ openstack image create {{ $name | quote }} \
+ --disk-format {{ $opts.disk_format }} \
+ --container-format {{ $opts.container_format }} \
+ --file ${IMAGE_LOC} \
+ {{ if $opts.properties -}} {{ range $k, $v := $opts.properties }}--property {{$k}}={{$v}} {{ end }}{{ end -}} \
+ --{{ $opts.visibility | default "public" }}
+ rm -f ${IMAGE_LOC}
+)
+{{ else }}
+{{ .Values.bootstrap.image.script | default "echo 'Not Enabled'" }}
+{{ end }}
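Review bot: `curl --fail -sSL {{ $source }} -o ${IMAGE_LOC}` interpolates the image URL into the shell unquoted, so a `source`/`source_base` value containing whitespace or shell metacharacters is split or interpreted rather than fetched; `curl --fail -sSL {{ $source | quote }} -o "${IMAGE_LOC}"` keeps it a single argument, and the same applies to `--property {{$k}}={{$v}}`. The download is then handed to `openstack image create` with no integrity check, so a truncated or tampered file becomes a public deploy image; a per-image checksum value (not present in this hunk) verified before the create call would close that gap. This file is a vendored copy of the openstack-helm chart, so the change presumably belongs upstream or in a tracked local patch.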
diff --git a/charts/ironic/templates/bin/_db-sync.sh.tpl b/charts/ironic/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 000000000..6431532c6
--- /dev/null
+++ b/charts/ironic/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+ironic-dbsync upgrade
diff --git a/charts/ironic/templates/bin/_ironic-api.sh.tpl b/charts/ironic/templates/bin/_ironic-api.sh.tpl
new file mode 100644
index 000000000..0d8fde722
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-api.sh.tpl
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+{{- if and (.Values.bootstrap.object_store.enabled) (.Values.bootstrap.object_store.openstack.enabled) }}
+OPTIONS=" --config-file /tmp/pod-shared/swift.conf"
+{{- end }}
+{{- if and (.Values.bootstrap.network.enabled) (.Values.bootstrap.network.openstack.enabled) }}
+OPTIONS="${OPTIONS} --config-file /tmp/pod-shared/cleaning-network.conf"
+{{- end }}
+
+function start () {
+ exec ironic-api \
+ --config-file /etc/ironic/ironic.conf \
+ ${OPTIONS}
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/ironic/templates/bin/_ironic-conductor-http-init.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-http-init.sh.tpl
new file mode 100644
index 000000000..7acce1a55
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-conductor-http-init.sh.tpl
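Review bot: `OPTIONS` is only assigned when the object-store block renders, so with object_store disabled and network enabled the line `OPTIONS="${OPTIONS} --config-file /tmp/pod-shared/cleaning-network.conf"` expands a variable that was never set; initialising `OPTIONS=""` before the two `{{- if ... }}` blocks makes the result independent of which values are enabled and keeps the script safe should `set -u` ever be added. `_ironic-conductor.sh.tpl` builds `OPTIONS` the same way and has the same gap. `COMMAND="${@:-start}"` followed by a bare `$COMMAND` executes whatever argument the pod spec passes; that is the usual start/stop dispatcher pattern, but a `case "${COMMAND}" in start|stop) ... esac` would restrict it to the two functions actually defined here.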
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+if [ "x" == "x${PROVISIONER_INTERFACE}" ]; then
+ echo "Provisioner interface is not set"
+ exit 1
+fi
+
+function net_pxe_addr {
+ ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
+}
+function net_pxe_ip {
+ echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
+}
+PXE_IP=$(net_pxe_ip)
+
+if [ "x" == "x${PXE_IP}" ]; then
+ echo "Could not find IP for pxe to bind to"
+ exit 1
+fi
+
+sed "s|OSH_PXE_IP|${PXE_IP}|g" /etc/nginx/nginx.conf > /tmp/pod-shared/nginx.conf
diff --git a/charts/ironic/templates/bin/_ironic-conductor-http.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-http.sh.tpl
new file mode 100644
index 000000000..6a97b41a0
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-conductor-http.sh.tpl
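Review bot: `net_pxe_addr` selects the interface with `awk "/inet / && /${PROVISIONER_INTERFACE}/..."`, which treats the interface name as an unanchored regex against the whole `ip addr` line: `eth1` also matches `eth10`, and a name containing regex characters matches more than intended, so the wrong address can land in nginx.conf here and, through the same function in `_ironic-conductor-init.sh.tpl` and `_ironic-conductor-pxe.sh.tpl`, in `my_ip`, `tftp_server` and the tftpd bind address. Asking for the device directly avoids the pattern entirely: `ip -4 -o addr show dev "${PROVISIONER_INTERFACE}" | awk '{print $4; exit}'` yields the same `addr/prefix` form that `net_pxe_ip` strips. `_ironic-conductor-pxe.sh.tpl` also lacks the empty-`PROVISIONER_INTERFACE` guard that this file and the conductor init script carry.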
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+mkdir -p /var/lib/openstack-helm/httpboot
+cp -v /tmp/pod-shared/nginx.conf /etc/nginx/nginx.conf
+exec nginx -g 'daemon off;'
diff --git a/charts/ironic/templates/bin/_ironic-conductor-init.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-init.sh.tpl
new file mode 100644
index 000000000..6555865b5
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-conductor-init.sh.tpl
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+if [ "x" == "x${PROVISIONER_INTERFACE}" ]; then
+ echo "Provisioner interface is not set"
+ exit 1
+fi
+
+function net_pxe_addr {
+ ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
+}
+function net_pxe_ip {
+ echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
+}
+PXE_IP=$(net_pxe_ip)
+
+if [ "x" == "x${PXE_IP}" ]; then
+ echo "Could not find IP for pxe to bind to"
+ exit 1
+fi
+
+tee /tmp/pod-shared/conductor-local-ip.conf << EOF
+[DEFAULT]
+
+# IP address of this host. If unset, will determine the IP
+# programmatically. If unable to do so, will use "127.0.0.1".
+# (string value)
+my_ip = ${PXE_IP}
+
+[pxe]
+# IP address of ironic-conductor node's TFTP server. (string
+# value)
+tftp_server = ${PXE_IP}
+
+[deploy]
+# ironic-conductor node's HTTP server URL. Example:
+# http://192.1.2.3:8080 (string value)
+# from .deploy.ironic.http_url
+http_url = http://${PXE_IP}:{{ tuple "baremetal" "internal" "pxe_http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+EOF
diff --git a/charts/ironic/templates/bin/_ironic-conductor-pxe-init.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-pxe-init.sh.tpl
new file mode 100644
index 000000000..c70a2f040
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-conductor-pxe-init.sh.tpl
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+. /etc/os-release
+HOST_OS=${HOST_OS:="${ID}"}
+FILEPATH=${FILEPATH:-/usr/lib/ipxe}
+
+if [ "x$ID" == "xubuntu" ]; then
+ #NOTE(portdirect): this works around a limitation in Kolla images
+ if ! dpkg -l ipxe; then
+ apt-get update
+ apt-get install ipxe -y
+ fi
+
+ FILEPATH=/usr/lib/ipxe
+
+elif [ "x$ID" == "xcentos" ]; then
+
+ if ! yum list installed ipxe-bootimgs >/dev/null 2>&1; then
+ yum update --nogpgcheck -y
+ yum install ipxe-bootimgs syslinux-tftpboot --nogpgcheck -y
+ fi
+
+ FILEPATH=/usr/share/ipxe
+
+fi
+
+mkdir -p /var/lib/openstack-helm/tftpboot
+mkdir -p /var/lib/openstack-helm/tftpboot/master_images
+
+for FILE in undionly.kpxe ipxe.efi pxelinux.0 snponly.efi; do
+ if [ -f /usr/lib/ipxe/$FILE ]; then
+ cp -v /usr/lib/ipxe/$FILE /var/lib/openstack-helm/tftpboot
+ fi
+
+ # ipxe and pxe support for CentOS
+ if [ "x$ID" == "xcentos" ]; then
+ if [ -f /var/lib/tftpboot/$FILE ]; then
+ cp -v /var/lib/tftpboot/$FILE /var/lib/openstack-helm/tftpboot
+ fi
+ if [ -f /usr/share/ipxe/$FILE ]; then
+ cp -v /usr/share/ipxe/$FILE /var/lib/openstack-helm/tftpboot
+ fi
+ fi
+done
diff --git a/charts/ironic/templates/bin/_ironic-conductor-pxe.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-pxe.sh.tpl
new file mode 100644
index 000000000..19451abf5
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-conductor-pxe.sh.tpl
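Review bot: The CentOS branch installs `ipxe-bootimgs syslinux-tftpboot` with `--nogpgcheck` (after a `yum update --nogpgcheck -y`) at container start, so the PXE boot binaries handed to every bare-metal node are fetched over the network with package signature verification switched off; dropping `--nogpgcheck`, or better baking the packages into the image so the init container installs nothing, keeps the boot chain to what was built and scanned. The Ubuntu branch has the same image-drift concern with its runtime `apt-get install ipxe -y`. `HOST_OS` and `FILEPATH` are assigned but never read, since the copy loop hardcodes `/usr/lib/ipxe` and `/usr/share/ipxe`; either use `${FILEPATH}` in the loop or remove both assignments.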
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+function net_pxe_addr {
+ ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
+}
+function net_pxe_ip {
+ echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
+}
+PXE_IP=$(net_pxe_ip)
+
+if [ "x" == "x${PXE_IP}" ]; then
+ echo "Could not find IP for pxe to bind to"
+ exit 1
+fi
+
+ln -s /var/lib/openstack-helm/tftpboot /tftpboot
+exec /usr/sbin/in.tftpd \
+ --verbose \
+ --foreground \
+ --user root \
+ --address ${PXE_IP}:69 \
+ --map-file /tftp-map-file /tftpboot
diff --git a/charts/ironic/templates/bin/_ironic-conductor.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor.sh.tpl
new file mode 100644
index 000000000..ac09fbd4e
--- /dev/null
+++ b/charts/ironic/templates/bin/_ironic-conductor.sh.tpl
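Review bot: `in.tftpd` is started with `--user root` and without `--secure`, so the daemon answering unauthenticated PXE clients runs as root and treats `/tftpboot` as a path prefix rather than a chroot; tftp-hpa's `-s`/`--secure` option chroots into the served directory, and running as the daemon's own unprivileged default user instead of root limits what a malformed request could reach. Whether the Kolla image carries such a user is not visible here, so confirm before changing `--user`. `ln -s /var/lib/openstack-helm/tftpboot /tftpboot` also aborts under `set -e` if `/tftpboot` already exists; `ln -sfn` is idempotent.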
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+mkdir -p /var/lib/openstack-helm/ironic/images
+mkdir -p /var/lib/openstack-helm/ironic/master_images
+
+{{- if and (.Values.bootstrap.object_store.enabled) (.Values.bootstrap.object_store.openstack.enabled) }}
+OPTIONS=" --config-file /tmp/pod-shared/swift.conf"
+{{- end }}
+{{- if and (.Values.bootstrap.network.enabled) (.Values.bootstrap.network.openstack.enabled) }}
+OPTIONS="${OPTIONS} --config-file /tmp/pod-shared/cleaning-network.conf"
+{{- end }}
+
+exec ironic-conductor \
+ --config-file /etc/ironic/ironic.conf \
+ --config-file /tmp/pod-shared/conductor-local-ip.conf \
+ ${OPTIONS}
diff --git a/charts/ironic/templates/bin/_manage-cleaning-network.sh.tpl b/charts/ironic/templates/bin/_manage-cleaning-network.sh.tpl
new file mode 100644
index 000000000..f5d690e36
--- /dev/null
+++ b/charts/ironic/templates/bin/_manage-cleaning-network.sh.tpl
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+if ! openstack network show ${neutron_network_name}; then
+ IRONIC_NEUTRON_CLEANING_NET_ID=$(openstack network create -f value -c id \
+ --share \
+ --provider-network-type flat \
+ --provider-physical-network ${neutron_provider_network} \
+ ${neutron_network_name})
+else
+ IRONIC_NEUTRON_CLEANING_NET_ID=$(openstack network show ${neutron_network_name} -f value -c id)
+fi
+
+SUBNETS=$(openstack network show $IRONIC_NEUTRON_CLEANING_NET_ID -f value -c subnets)
+if [ "x${SUBNETS}" != "x[]" ]; then
+ for SUBNET in ${SUBNETS}; do
+ CURRENT_SUBNET=$(openstack subnet show $SUBNET -f value -c name)
+ if [ "x${CURRENT_SUBNET}" == "x${neutron_subnet_name}" ]; then
+ openstack subnet show ${neutron_subnet_name}
+ SUBNET_EXISTS=true
+ fi
+ done
+fi
+
+if [ "x${SUBNET_EXISTS}" != "xtrue" ]; then
+ openstack subnet create \
+ --gateway ${neutron_subnet_gateway%/*} \
+ --allocation-pool start=${neutron_subnet_alloc_start},end=${neutron_subnet_alloc_end} \
+ --dns-nameserver ${neutron_subnet_dns_nameserver} \
+ --subnet-range ${neutron_subnet_cidr} \
+ --network ${neutron_network_name} \
+ ${neutron_subnet_name}
+fi
diff --git a/charts/ironic/templates/bin/_retreive-cleaning-network.sh.tpl b/charts/ironic/templates/bin/_retreive-cleaning-network.sh.tpl
new file mode 100644
index 000000000..d096995bd
--- /dev/null
+++ b/charts/ironic/templates/bin/_retreive-cleaning-network.sh.tpl
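Review bot: `SUBNET_EXISTS` is never initialised, so the final `if [ "x${SUBNET_EXISTS}" != "xtrue" ]` relies on the variable being absent from the job's environment; `SUBNET_EXISTS=false` before the loop makes the decision explicit. The `"x[]"` comparison assumes `openstack network show -f value -c subnets` prints an empty list literally as `[]` and a populated one as whitespace-separated IDs, which may differ between python-openstackclient releases, so it is worth confirming against the client shipped in the image. Every `${neutron_*}` input is also expanded unquoted; `"${neutron_network_name}"` and friends keep a value containing spaces from turning into extra arguments to the create calls.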
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+IRONIC_NEUTRON_CLEANING_NET_ID=$(openstack network show ${neutron_network_name} -f value -c id)
+tee /tmp/pod-shared/cleaning-network.conf <-
+# {{
+# [
+# {
+# "ip_address": ironic_bare_metal_network_ip
+# }
+# ]
+# if ironic_bare_metal_network_ip is defined else omit
+# }}
+
+# - name: Set binding for ports
+# changed_when: false
+# ansible.builtin.shell: |
+# openstack port set \
+# --host {{ ansible_fqdn }} \
+# ironic-{{ inventory_hostname_short }}
+# environment:
+# OS_CLOUD: atmosphere
+
+- name: Upload images
+ ansible.builtin.include_role:
+ name: glance_image
+ loop:
+ - name: "{{ ironic_python_agent_deploy_kernel_name }}"
+ url: "{{ ironic_python_agent_deploy_kernel_url }}"
+ format: aki
+ - name: "{{ ironic_python_agent_deploy_ramdisk_name }}"
+ url: "{{ ironic_python_agent_deploy_ramdisk_url }}"
+ format: ari
+ vars:
+ glance_image_name: "{{ item.name }}"
+ glance_image_url: "{{ item.url }}"
+ glance_image_container_format: "{{ item.format }}"
+ glance_image_disk_format: "{{ item.format }}"
+
+- name: Get details on the kernel image
+ run_once: true
+ openstack.cloud.image_info:
+ cloud: atmosphere
+ image: "{{ ironic_python_agent_deploy_kernel_name }}"
+ register: ironic_python_agent_deploy_kernel
+
+- name: Get details on the ramdisk image
+ run_once: true
+ openstack.cloud.image_info:
+ cloud: atmosphere
+ image: "{{ ironic_python_agent_deploy_ramdisk_name }}"
+ register: ironic_python_agent_deploy_ramdisk
+
+- name: Deploy Helm chart
+ run_once: true
+ kubernetes.core.helm:
+ name: "{{ ironic_helm_release_name }}"
+ chart_ref: "{{ ironic_helm_chart_ref }}"
+ release_namespace: "{{ ironic_helm_release_namespace }}"
+ create_namespace: true
+ kubeconfig: /etc/kubernetes/admin.conf
+ values: "{{ _ironic_helm_values | combine(ironic_helm_values, recursive=True) }}"
+
+- name: Create Ingress
+ ansible.builtin.include_role:
+ name: openstack_helm_ingress
+ vars:
+ openstack_helm_ingress_endpoint: baremetal
+ openstack_helm_ingress_service_name: ironic-api
+ openstack_helm_ingress_service_port: 6385
+ openstack_helm_ingress_annotations: "{{ ironic_ingress_annotations }}"
diff --git a/roles/ironic/tasks/network/create.yml b/roles/ironic/tasks/network/create.yml
new file mode 100644
index 000000000..8032983ae
--- /dev/null
+++ b/roles/ironic/tasks/network/create.yml
@@ -0,0 +1,35 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create bare metal network
+ run_once: true
+ openstack.cloud.network:
+ cloud: atmosphere
+ # Network settings
+ name: "{{ ironic_bare_metal_network_name }}"
+ provider_physical_network: "{{ ironic_bare_metal_network_provider_physical_network }}"
+ provider_network_type: "{{ ironic_bare_metal_network_provider_network_type }}"
+ provider_segmentation_id: "{{ ironic_bare_metal_network_provider_segmentation_id }}"
+ register: ironic_bare_metal_network
+
+- name: Create bare metal network subnet
+ run_once: true
+ openstack.cloud.subnet:
+ cloud: atmosphere
+ # Subnet settings
+ network_name: "{{ ironic_bare_metal_subnet_name }}"
+ name: "{{ ironic_bare_metal_subnet_name }}"
+ cidr: "{{ ironic_bare_metal_subnet_cidr }}"
+ allocation_pool_start: "{{ ironic_bare_metal_subnet_allocation_pool_start | default(omit) }}"
+ allocation_pool_end: "{{ ironic_bare_metal_subnet_allocation_pool_end | default(omit) }}"
diff --git a/roles/ironic/tasks/network/lookup.yml b/roles/ironic/tasks/network/lookup.yml
new file mode 100644
index 000000000..00d8f45c4
--- /dev/null
+++ b/roles/ironic/tasks/network/lookup.yml
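Review bot: The subnet task passes `network_name: "{{ ironic_bare_metal_subnet_name }}"`, i.e. the subnet's own name, where the parent network's name is expected; unless the two variables happen to hold the same value the subnet is attached to a different network than the one created just above, or the lookup fails outright. It should read `network_name: "{{ ironic_bare_metal_network_name }}"`, matching the `name:` used in the network task. Since the first task already registers `ironic_bare_metal_network`, the id from that result would also work and avoids a second name-based lookup, which matters because names are not unique in Neutron and `lookup.yml` in this same change has to assert that exactly one network matches.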
@@ -0,0 +1,31 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Gather information about a bare metal network
+ run_once: true
+ openstack.cloud.networks_info:
+ cloud: atmosphere
+ # Network settings
+ name: "{{ ironic_bare_metal_network_name }}"
+ register: ironic_bare_metal_networks_info
+
+- name: Assert that we match a single network only
+ run_once: true
+ assert:
+ that:
+ - ironic_bare_metal_networks_info.openstack_networks | length == 1
+
+- name: Set fact with bare metal network information
+ ansible.builtin.set_fact:
+ ironic_bare_metal_network: "{{ ironic_bare_metal_networks_info.openstack_networks[0] }}"
diff --git a/roles/ironic/vars/main.yml b/roles/ironic/vars/main.yml
new file mode 100644
index 000000000..a965b1bd1
--- /dev/null
+++ b/roles/ironic/vars/main.yml
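Review bot: The assert task uses the short module name `assert:` while the set_fact task next to it is written as `ansible.builtin.set_fact:`; for consistency and to avoid collection-resolution surprises it should be `ansible.builtin.assert:`. The assertion also reports nothing useful when it fails, so a `fail_msg: "Expected exactly one network named {{ ironic_bare_metal_network_name }}, found {{ ironic_bare_metal_networks_info.openstack_networks | length }}"` would tell the operator whether the problem is a missing network or duplicate names. Note that the `openstack_networks` return key is the openstack.cloud 1.x shape; if the deployment pins the 2.x collection the module returns `networks` instead and both the assert and the set_fact would break, so the collection version this role targets is worth stating in a comment.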
@@ -0,0 +1,78 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+_ironic_helm_values:
+ endpoints: "{{ openstack_helm_endpoints }}"
+ images:
+ tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('ironic') }}"
+ bootstrap:
+ image:
+ enabled: false
+ network:
+ enabled: false
+ object_store:
+ enabled: false
+ dependencies:
+ static:
+ api:
+ jobs:
+ - ironic-db-sync
+ - ironic-ks-user
+ - ironic-ks-endpoints
+ - ironic-rabbit-init
+ # NOTE(mnaser): We're managing all the networks via Ansible.
+ # - ironic-manage-cleaning-network
+ conductor:
+ jobs:
+ - ironic-db-sync
+ - ironic-ks-user
+ - ironic-ks-endpoints
+ - ironic-rabbit-init
+ # NOTE(mnaser): We're managing all the networks via Ansible.
+ # - ironic-manage-cleaning-network
+ conf:
+ ironic:
+ DEFAULT:
+ log_config_append: null
+ enabled_network_interfaces: flat,neutron
+ default_network_interface: flat
+ conductor:
+ clean_step_priority_override: deploy.erase_devices_express:5
+ deploy_kernel: "{{ ironic_python_agent_deploy_kernel.openstack_image.id }}"
+ deploy_ramdisk: "{{ ironic_python_agent_deploy_ramdisk.openstack_image.id }}"
+ deploy:
+ erase_devices_priority: 0
+ erase_devices_metadata_priority: 0
+ neutron:
+ cleaning_network: "{{ ironic_bare_metal_network_name }}"
+ inspection_network: "{{ ironic_bare_metal_network_name }}"
+ provisioning_network: "{{ ironic_bare_metal_network_name }}"
+ rescuing_network: "{{ ironic_bare_metal_network_name }}"
+ pxe:
+ kernel_append_params: "ipa-insecure=true systemd.journald.forward_to_console=yes"
+ service_catalog:
+ valid_interfaces: public
+ pod:
+ affinity:
+ anti:
+ type:
+ conductor: requiredDuringSchedulingIgnoredDuringExecution
+ replicas:
+ api: 3
+ conductor: 3
+ manifests:
+ ingress_api: false
+ service_ingress_api: false
+ # NOTE(mnaser): We're managing all the networks via Ansible.
+ job_manage_cleaning_network: false
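Review bot: `kernel_append_params: "ipa-insecure=true ..."` in the `pxe` section switches off TLS certificate verification in the deploy ramdisk's agent for its calls back to the Ironic API, and nothing in this file records why that is needed; because these values live in the role's private `_ironic_helm_values` and are only merged with `ironic_helm_values` in tasks/main.yml, an operator reviewing their own overrides will not see that verification is off. Add a NOTE next to the line, e.g. `# NOTE: ipa-insecure makes the agent skip TLS verification of the Ironic API; remove once the ramdisk trusts the API certificate`, and consider sourcing the flag from a role variable so a deployment with a trusted certificate chain can drop it. In the same spirit, `erase_devices_priority: 0` and `erase_devices_metadata_priority: 0` under `deploy` turn off the default disk-wipe clean steps and rely on the `clean_step_priority_override: deploy.erase_devices_express:5` above to sanitise tenant disks; a one-line comment stating that express erase is the intended replacement would stop the next reader from assuming cleaning was disabled altogether.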