From 6caf7fb54d238c88ec91eb7438df85ae3b213074 Mon Sep 17 00:00:00 2001 
From: Mark Burnett Date: Thu, 26 Oct 2017 10:36:11 -0500 Subject: [PATCH] Add initial chart for Promenade API Co-author: Mark Burnett Co-author: Samantha Blanco Change-Id: I2e6af00b7905d9070f79b8c536385ebdae877d50 --- Dockerfile | 20 +- charts/promenade/Chart.yaml | 4 + charts/promenade/requirements.yaml | 4 + charts/promenade/templates/configmap-bin.yaml | 32 +++ charts/promenade/templates/configmap-etc.yaml | 28 +++ .../promenade/templates/deployment-api.yaml | 62 ++++++ .../promenade/templates/job-ks-endpoints.yaml | 69 +++++++ .../promenade/templates/job-ks-service.yaml | 63 ++++++ charts/promenade/templates/job-ks-user.yaml | 67 +++++++ charts/promenade/templates/rbac.yaml | 37 ++++ .../templates/secret-keystone-env.yaml | 28 +++ charts/promenade/templates/service-api.yaml | 31 +++ charts/promenade/values.yaml | 183 ++++++++++++++++++ entrypoint.sh | 14 ++ etc/promenade/api-paste.ini | 2 +- examples/basic/ArmadaManifest.yaml | 1 + examples/basic/armada-resources.yaml | 47 +++++ examples/complete/ArmadaManifest.yaml | 1 + examples/complete/HostSystem.yaml | 2 +- examples/complete/armada-resources.yaml | 51 +++++ promenade/pki.py | 8 +- promenade/renderer.py | 4 +- requirements-direct.txt | 5 +- requirements-frozen.txt | 30 ++- tools/dev/get-token.sh | 20 ++ tools/dev/server.sh | 18 ++ tools/g2/lib/registry.sh | 4 + tools/g2/manifests/genesis.json | 2 +- .../bootstrap-armada-config.yaml | 48 +++++ tools/gate/default-config-env | 1 + 30 files changed, 867 insertions(+), 19 deletions(-) create mode 100644 charts/promenade/Chart.yaml create mode 100644 charts/promenade/requirements.yaml create mode 100644 charts/promenade/templates/configmap-bin.yaml create mode 100644 charts/promenade/templates/configmap-etc.yaml create mode 100644 charts/promenade/templates/deployment-api.yaml create mode 100644 charts/promenade/templates/job-ks-endpoints.yaml create mode 100644 charts/promenade/templates/job-ks-service.yaml create mode 100644 
charts/promenade/templates/job-ks-user.yaml create mode 100644 charts/promenade/templates/rbac.yaml create mode 100644 charts/promenade/templates/secret-keystone-env.yaml create mode 100644 charts/promenade/templates/service-api.yaml create mode 100644 charts/promenade/values.yaml create mode 100755 entrypoint.sh create mode 100755 tools/dev/get-token.sh create mode 100755 tools/dev/server.sh diff --git a/Dockerfile b/Dockerfile index 5ae070c6..d5870bff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2017 The Promenade Authors. +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,13 @@ FROM python:3.6 VOLUME /etc/promenade VOLUME /target -RUN mkdir /promenade -WORKDIR /promenade +RUN mkdir /opt/promenade +WORKDIR /opt/promenade + +ENV PORT 9000 +EXPOSE $PORT + +ENTRYPOINT ["/opt/promenade/entrypoint.sh"] RUN set -ex \ && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \ @@ -27,10 +32,13 @@ RUN set -ex \ && apt-get install --no-install-recommends -y \ libyaml-dev \ rsync \ + && useradd -u 1000 -g users -d /opt/promenade promenade \ && rm -rf /var/lib/apt/lists/* -COPY requirements-frozen.txt /promenade +COPY requirements-frozen.txt /opt/promenade RUN pip install --no-cache-dir -r requirements-frozen.txt -COPY . /promenade -RUN pip install -e /promenade +COPY . /opt/promenade +RUN pip install -e /opt/promenade + +USER promenade diff --git a/charts/promenade/Chart.yaml b/charts/promenade/Chart.yaml new file mode 100644 index 00000000..11c4a0e5 --- /dev/null +++ b/charts/promenade/Chart.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +description: The Promenade API +name: promenade +version: 0.1.0 diff --git a/charts/promenade/requirements.yaml b/charts/promenade/requirements.yaml new file mode 100644 index 00000000..4b156320 --- /dev/null 
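Review bot: The Dockerfile hunk at `@@ -17,8 +17,13 @@` sets `ENTRYPOINT ["/opt/promenade/entrypoint.sh"]` but no default `CMD`, so a bare `docker run` of the image reaches the script's final `exec ${@}` with no arguments and exits without starting anything. Adding `CMD ["server"]` would make the default explicit. `ENV PORT 9000` uses the legacy space-separated form; `ENV PORT=9000` is the current spelling. The first `RUN` after these instructions continues outside the hunk.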
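Review bot: In the Dockerfile hunk at `@@ -27,10 +32,13 @@`, `USER promenade` names the account rather than its UID, and Kubernetes cannot evaluate `runAsNonRoot` against a non-numeric image user. Since `useradd -u 1000` already fixes the UID, `USER 1000` would let the chart enforce non-root later. The two `VOLUME` paths declared at the top of the file are created before the account exists, so they are presumably root-owned; if the API process is expected to write to `/target`, ownership needs to be set explicitly. The `RUN` step that contains the `useradd` starts outside the hunk.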
+++ b/charts/promenade/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/charts/promenade/templates/configmap-bin.yaml b/charts/promenade/templates/configmap-bin.yaml
new file mode 100644
index 00000000..3cca7d17
--- /dev/null
+++ b/charts/promenade/templates/configmap-bin.yaml
@@ -0,0 +1,32 @@
+{{/*
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. */}}
+
+{{- if .Values.manifests.configmap_bin }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: promenade-bin
+data:
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ ks-domain-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+...
+{{- end -}}
diff --git a/charts/promenade/templates/configmap-etc.yaml b/charts/promenade/templates/configmap-etc.yaml
new file mode 100644
index 00000000..13d78be0
--- /dev/null
+++ b/charts/promenade/templates/configmap-etc.yaml
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: promenade-etc
+data:
+ api-paste.ini: |+
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | indent 4 }}
+{{- end }}
diff --git a/charts/promenade/templates/deployment-api.yaml b/charts/promenade/templates/deployment-api.yaml
new file mode 100644
index 00000000..ea3efef6
--- /dev/null
+++ b/charts/promenade/templates/deployment-api.yaml
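Review bot: In `configmap-etc.yaml`, `api-paste.ini` is rendered from the whole of `.Values.conf.paste` into the `promenade-etc` ConfigMap, so any credential placed under `filter:authtoken` ends up in a ConfigMap rather than a Secret. The `examples/complete/armada-resources.yaml` hunk in this same patch does exactly that with `admin_password` under `conf.paste.filter:authtoken`. Consider sourcing the Keystone service credentials from the `secrets.identity.user` Secret the chart already creates. A template comment above `api-paste.ini: |+` would also help, for example `conf.paste is rendered verbatim; do not put passwords here`.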
@@ -0,0 +1,62 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: promenade-api
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ affinity:
+{{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ serviceAccountName: promenade
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ containers:
+ - name: promenade-api
+ image: {{ .Values.images.tags.api }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /opt/promenade/entrypoint.sh
+ - server
+ ports:
+ - name: api-public
+ containerPort: {{ .Values.network.api.port }}
+ volumeMounts:
+ - name: promenade-etc
+ mountPath: /etc/promenade/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ volumes:
+ - name: promenade-etc
+ configMap:
+ name: promenade-etc
+ defaultMode: 0444
+{{- end }}
diff --git a/charts/promenade/templates/job-ks-endpoints.yaml b/charts/promenade/templates/job-ks-endpoints.yaml
new file mode 100644
index 00000000..182cd52c
--- /dev/null
+++ b/charts/promenade/templates/job-ks-endpoints.yaml
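Review bot: In `deployment-api.yaml` the container image is read from `.Values.images.tags.api`, but the `values.yaml` added in this patch defines `images.tags.promenade` and no `api` key, so a render with default values produces an empty `image:`. The key in one of the two files should be renamed, for example `api: quay.io/attcomdev/promenade:latest` in values.yaml. `containerPort` is taken from `.Values.network.api.port` (80 by default), while the Service targets `.Values.network.api.target_port` (9000) and `entrypoint.sh` listens on `PORT`, default 9000; `containerPort: {{ .Values.network.api.target_port }}` would match what the process binds. The pod spec also sets no `securityContext`, so nothing in the chart enforces the non-root user the Dockerfile now declares.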
@@ -0,0 +1,69 @@
+{{/*
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. */}}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.ks_endpoints }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: promenade-ks-endpoints
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "promenade" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ $osServiceType }}-ks-endpoints-{{ $osServiceEndPoint }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: ks-endpoints-sh
+ configMap:
+ name: promenade-bin
+ defaultMode: 0555
+{{- end -}}
diff --git a/charts/promenade/templates/job-ks-service.yaml b/charts/promenade/templates/job-ks-service.yaml
new file mode 100644
index 00000000..3236418d
--- /dev/null
+++ b/charts/promenade/templates/job-ks-service.yaml
@@ -0,0 +1,63 @@
+{{/*
+# copyright (c) 2017 at&t intellectual property. all rights reserved.
+#
+# licensed under the apache license, version 2.0 (the "license");
+# you may not use this file except in compliance with the license.
+# you may obtain a copy of the license at
+#
+# http://www.apache.org/licenses/license-2.0
+#
+# unless required by applicable law or agreed to in writing, software
+# distributed under the license is distributed on an "as is" basis,
+# without warranties or conditions of any kind, either express or implied.
+# see the license for the specific language governing permissions and
+# limitations under the license. */}}
+
+{{- if .Values.manifests.job_ks_service -}}
+
+{{- $envAll := . }}
+{{- $ksAdminSecret := .Values.secrets.identity.admin }}
+{{- $dependencies := .Values.dependencies.ks_service }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: promenade-ks-service
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "promenade" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }}
+ - name: {{ $osServiceType }}-ks-service-registration
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType }}
+{{- end }}
+ volumes:
+ - name: ks-service-sh
+ configMap:
+ name: promenade-bin
+ defaultMode: 0555
+{{- end -}}
diff --git a/charts/promenade/templates/job-ks-user.yaml b/charts/promenade/templates/job-ks-user.yaml
new file mode 100644
index 00000000..d20c6d3e
--- /dev/null
+++ b/charts/promenade/templates/job-ks-user.yaml
@@ -0,0 +1,67 @@
+{{/*
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. */}}
+
+{{- if .Values.manifests.job_ks_user }}
+
+{{- $ksAdminSecret := .Values.secrets.identity.admin }}
+{{- $ksUserSecret := .Values.secrets.identity.user }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.ks_user }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: promenade-ks-user
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "drydock" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: promenade-ks-user
+ image: {{ .Values.images.tags.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $envAll.Values.endpoints.kubernetesprovisioner.name | quote }}
+ - name: SERVICE_OS_DOMAIN_NAME
+ value: {{ $envAll.Values.endpoints.identity.auth.user.project_domain_name | quote }}
+{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ $envAll.Values.endpoints.identity.auth.user.role | quote }}
+ volumes:
+ - name: ks-user-sh
+ configMap:
+ name: promenade-bin
+ defaultMode: 0555
+{{- end -}}
diff --git a/charts/promenade/templates/rbac.yaml b/charts/promenade/templates/rbac.yaml
new file mode 100644
index 00000000..a303cfa8
--- /dev/null
+++ b/charts/promenade/templates/rbac.yaml
@@ -0,0 +1,37 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.rbac }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: promenade
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: promenade
+subjects:
+ - kind: ServiceAccount
+ name: promenade
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: view
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/promenade/templates/secret-keystone-env.yaml b/charts/promenade/templates/secret-keystone-env.yaml
new file mode 100644
index 00000000..94ea6e74
--- /dev/null
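Review bot: The pod labels in `job-ks-user.yaml` are built with `tuple $envAll "drydock" "ks-user"`, which looks like a leftover from the chart this template was copied from. The other two Keystone jobs pass `"promenade"`, and this one should too: `{{ tuple $envAll "promenade" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}`. The file also omits the `---` document separator that the other templates emit before `apiVersion`.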
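Review bot: `rbac.yaml` binds the `promenade` ServiceAccount to the built-in `view` ClusterRole through a ClusterRoleBinding, which grants read access across every namespace. Nothing in this patch shows which Kubernetes API calls the Promenade API makes, so the required scope cannot be checked from here. If it only needs objects in its own namespace, a namespaced `RoleBinding` is enough. A template comment stating why cluster-wide read is required would help the next reviewer, e.g. `cluster-wide read needed for <reason>`.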
+++ b/charts/promenade/templates/secret-keystone-env.yaml
@@ -0,0 +1,28 @@
+{{/*
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/promenade/templates/service-api.yaml b/charts/promenade/templates/service-api.yaml
new file mode 100644
index 00000000..8061bd3d
--- /dev/null
+++ b/charts/promenade/templates/service-api.yaml
@@ -0,0 +1,31 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: promenade-api
+spec:
+ ports:
+ - name: http
+ port: {{ .Values.network.api.port }}
+ targetPort: {{ .Values.network.api.target_port }}
+ selector:
+{{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/promenade/values.yaml b/charts/promenade/values.yaml
new file mode 100644
index 00000000..9aaa8ce2
--- /dev/null
+++ b/charts/promenade/values.yaml
@@ -0,0 +1,183 @@
+# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+conf:
+ paste:
+ pipeline:main:
+ pipeline: authtoken promenade-api
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:noauth:
+ forged_roles: admin
+ paste.filter_factory: promenade.control.middleware:no_auth_filter_factory
+ app:promenade-api:
+ paste.app_factory: promenade.promenade:paste_start_promenade
+
+images:
+ tags:
+ dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+ promenade: quay.io/attcomdev/promenade:latest
+ ks_user: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3
+ ks_service: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3
+ ks_endpoints: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3
+ pull_policy: IfNotPresent
+
+labels:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ deployment_api: true
+ rbac: true
+ service_api: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ secret_keystone: true
+
+network:
+ api:
+ port: 80
+ target_port: 9000
+ ingress:
+ public: true
+
+dependencies:
+ ks_user:
+ services:
+ - service: identity
+ endpoint: internal
+ ks_service:
+ services:
+ - service: identity
+ endpoint: internal
+ ks_endpoints:
+ jobs:
+ - promenade-ks-service
+ services:
+ - service: identity
+ endpoint: internal
+
+secrets:
+ identity:
+ admin: promenade-keystone-admin
+ user: promenade-keystone-user
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ identity:
+ name: keystone
+ auth:
+ user:
+ region_name: RegionOne
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: promenade
+ password: password
+ admin:
+ region_name: RegionOne
+ project_name: admin
+ password: password
+ username: admin
+ user_domain_name: default
+ project_domain_name: default
+ hosts:
+ default: keystone-api
+ public: keystone
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ admin:
+ default: 35357
+ api:
+ default: 80
+
+ kubernetesprovisioner:
+ name: promenade
+ hosts:
+ default: promenade-api
+ port:
+ api:
+ default: 9000
+ path:
+ default: /api/v1.0
+ scheme:
+ default: http
+ host_fqdn_override:
+ default: null
+
+pod:
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ replicas:
+ api: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ ks_user:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ ks_service:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ ks_endpoints:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+
+release_group: null
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 00000000..20e44c8a
--- /dev/null
+++ b/entrypoint.sh
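Review bot: In `values.yaml`, `endpoints.identity.auth` ships `password: password` for both the Keystone `admin` account and the `promenade` service user. `secret-keystone-env.yaml` appears to render these defaults into the chart's Secrets, so an install that forgets the override runs with known credentials. The service user also defaults to `role: admin`, and both endpoint `scheme` defaults are `http`, so tokens and passwords cross the cluster network in clear text. Consider leaving the passwords empty and failing the render when they are unset. A comment next to `filter:noauth` (`forged_roles: admin`) should say it is for development only and must never be placed in `pipeline:main`.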
@@ -0,0 +1,14 @@ +#!/bin/bash +set -ex + +PORT=${PORT:-9000} + +if [ "$1" = 'server' ]; then + exec uwsgi \ + --http :${PORT} \ + --paste config:/etc/promenade/api-paste.ini \ + --enable-threads -L \ + --workers 4 +fi + +exec ${@} diff --git a/etc/promenade/api-paste.ini b/etc/promenade/api-paste.ini index 0577c18c..2776fb30 100644 --- a/etc/promenade/api-paste.ini +++ b/etc/promenade/api-paste.ini @@ -22,4 +22,4 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory paste.app_factory = promenade.promenade:paste_start_promenade [pipeline:main] -pipeline = authtoken promenade-api +pipeline = promenade-api diff --git a/examples/basic/ArmadaManifest.yaml b/examples/basic/ArmadaManifest.yaml index 0806c11d..e7be8d80 100644 --- a/examples/basic/ArmadaManifest.yaml +++ b/examples/basic/ArmadaManifest.yaml @@ -14,4 +14,5 @@ data: - dns - kubernetes - kubernetes-rbac + - ucp-platform ... diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml index 04388b07..09394c52 100644 --- a/examples/basic/armada-resources.yaml +++ b/examples/basic/armada-resources.yaml @@ -66,6 +66,18 @@ data: - kubernetes-controller-manager - kubernetes-scheduler --- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-platform + layeringDefinition: + abstract: false + layer: site +data: + description: UCP platform components + chart_group: + - promenade +--- schema: armada/Chart/v1 metadata: schema: metadata/Document/v1 
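Review bot: The fall-through `exec ${@}` in `entrypoint.sh` is unquoted, so arguments containing spaces or glob characters are re-split and expanded before the command runs; `exec "$@"` passes them through unchanged. `--http :${PORT}` is likewise unquoted, and `PORT` comes from the environment; `--http ":${PORT}"` keeps it a single argument.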
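Review bot: Changing `pipeline = authtoken promenade-api` to `pipeline = promenade-api` in `etc/promenade/api-paste.ini` removes the Keystone `authtoken` filter from the default pipeline, so an API started from this file accepts unauthenticated requests. The same open pipeline is set in the `promenade` chart values in `examples/basic/armada-resources.yaml` and `tools/gate/config-templates/bootstrap-armada-config.yaml`, while the chart's own `values.yaml` keeps `authtoken promenade-api`. If the open pipeline is meant only for local development and gate runs, keep the authenticated one as the checked-in default and select the open one explicitly. Either way, say so in a comment above the line: `# WARNING: no auth filter; development only`.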
@@ -984,4 +996,39 @@ data: location: /etc/genesis/armada/assets/charts subpath: rbac dependencies: [] +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: promenade + layeringDefinition: + abstract: false + layer: site +data: + chart_name: promenade + release: promenade + namespace: ucp + timeout: 600 + values: + conf: + paste: + pipeline:main: + pipeline: promenade-api + images: + tags: + api: quay.io/attcomdev/promenade:latest + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 + manifests: + job_ks_endpoints: false + job_ks_service: false + job_ks_user: false + secret_keystone: false + upgrade: + no_hooks: true + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: promenade + dependencies: + - helm-toolkit ... diff --git a/examples/complete/ArmadaManifest.yaml b/examples/complete/ArmadaManifest.yaml index 0895784c..c715c2d5 100644 --- a/examples/complete/ArmadaManifest.yaml +++ b/examples/complete/ArmadaManifest.yaml @@ -16,4 +16,5 @@ data: - kubernetes-rbac - ceph - ucp-infra + - ucp-platform ... diff --git a/examples/complete/HostSystem.yaml b/examples/complete/HostSystem.yaml index d066a72c..356f994e 100644 --- a/examples/complete/HostSystem.yaml +++ b/examples/complete/HostSystem.yaml @@ -53,7 +53,7 @@ data: =Fm3p -----END PGP PUBLIC KEY BLOCK----- additional: - - ceph-common=10.2.7-0ubuntu0.16.04.1 + - ceph-common=10.2.9-0ubuntu0.16.04.1 - curl - jq required: diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml index d0b0fd0f..3a067dc5 100644 --- a/examples/complete/armada-resources.yaml +++ b/examples/complete/armada-resources.yaml 
@@ -95,6 +95,18 @@ data: - ucp-memcached - ucp-keystone --- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-platform + layeringDefinition: + abstract: false + layer: site +data: + description: UCP platform components + chart_group: + - promenade +--- schema: armada/Chart/v1 metadata: schema: metadata/Document/v1 @@ -1273,4 +1285,43 @@ data: subpath: keystone dependencies: - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: promenade + layeringDefinition: + abstract: false + layer: site +data: + chart_name: promenade + release: promenade + namespace: ucp + timeout: 600 + values: + conf: + paste: + filter:authtoken: + paste.filter_factory: 'keystonemiddleware.auth_token:filter_factory' + admin_password: password + admin_tenant_name: service + admin_user: promenade + identity_uri: 'http://keystone-api.ucp.svc.cluster.local/' + service_token_roles_required: true + + images: + tags: + api: quay.io/attcomdev/promenade:latest + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 + ks_user: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3 + ks_service: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3 + ks_endpoints: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3 + upgrade: + no_hooks: true + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: promenade + dependencies: + - helm-toolkit ... diff --git a/promenade/pki.py b/promenade/pki.py index cd5cd22b..e05e9e45 100644 --- a/promenade/pki.py +++ b/promenade/pki.py @@ -42,8 +42,8 @@ class PKI: }) self.certificate_authorities[ca_name] = result - return (self._wrap_ca(ca_name, result['cert']), self._wrap_ca_key( - ca_name, result['key'])) + return (self._wrap_ca(ca_name, result['cert']), + self._wrap_ca_key(ca_name, result['key'])) def generate_keypair(self, name): priv_result = self._openssl(['genrsa', '-out', 'priv.pem']) 
@@ -69,8 +69,8 @@ class PKI: 'csr.json': self.csr(name=cn, groups=groups, hosts=hosts), }) - return (self._wrap_cert(name, result['cert']), self._wrap_cert_key( - name, result['key'])) + return (self._wrap_cert(name, result['cert']), + self._wrap_cert_key(name, result['key'])) def csr(self, *, diff --git a/promenade/renderer.py b/promenade/renderer.py index f1286a79..46988865 100644 --- a/promenade/renderer.py +++ b/promenade/renderer.py @@ -31,13 +31,13 @@ def build_tarball_from_roles(config, *, roles, file_specs): def insert_charts_into_bundler(bundler): for root, _dirnames, filenames in os.walk( - '/promenade/charts', followlinks=True): + '/opt/promenade/charts', followlinks=True): for source_filename in filenames: source_path = os.path.join(root, source_filename) destination_path = os.path.join('etc/genesis/armada/assets/charts', os.path.relpath( source_path, - '/promenade/charts')) + '/opt/promenade/charts')) stat = os.stat(source_path) LOG.debug('Copying asset file %s (mode=%o)', source_path, stat.st_mode) diff --git a/requirements-direct.txt b/requirements-direct.txt index 9fb7fe6c..286a2850 100644 --- a/requirements-direct.txt +++ b/requirements-direct.txt @@ -4,8 +4,9 @@ jinja2==2.9.6 jsonpath-ng==1.4.3 jsonschema==2.6.0 keystonemiddleware==4.17.0 -oslo.context>=2.14.0 -PasteDeploy==1.5.2 +oslo.context==2.14.0 +pastedeploy==1.5.2 pbr==3.0.1 pyyaml==3.12 requests==2.18.4 +uwsgi==2.0.15 diff --git a/requirements-frozen.txt b/requirements-frozen.txt index 4b0a6174..d0c373b9 100644 --- a/requirements-frozen.txt +++ b/requirements-frozen.txt 
@@ -1,19 +1,45 @@ +Babel==2.5.1 certifi==2017.7.27.1 chardet==3.0.4 click==6.7 +debtcollector==1.18.0 decorator==4.1.2 falcon==1.2.0 idna==2.6 +iso8601==0.1.12 Jinja2==2.9.6 jsonpath-ng==1.4.3 jsonschema==2.6.0 +keystoneauth1==3.2.0 keystonemiddleware==4.17.0 MarkupSafe==1.0 -oslo.context==2.19.1 +monotonic==1.4 +msgpack-python==0.4.8 +netaddr==0.7.19 +netifaces==0.10.6 +oslo.config==5.0.0 +oslo.context==2.14.0 +oslo.i18n==3.18.0 +oslo.log==3.32.0 +oslo.serialization==2.21.2 +oslo.utils==3.31.0 PasteDeploy==1.5.2 pbr==3.0.1 ply==3.10 +positional==1.2.1 +pycadf==2.6.0 +pyinotify==0.9.6 +pyparsing==2.2.0 +python-dateutil==2.6.1 +python-keystoneclient==3.13.0 +python-mimeparse==1.6.0 +pytz==2017.3 PyYAML==3.12 requests==2.18.4 +rfc3986==1.1.0 six==1.11.0 -urllib3==1.22 \ No newline at end of file +stevedore==1.27.1 +urllib3==1.22 +uWSGI==2.0.15 +WebOb==1.7.3 +wrapt==1.10.11 diff --git a/tools/dev/get-token.sh b/tools/dev/get-token.sh new file mode 100755 index 00000000..939c85c5 --- /dev/null +++ b/tools/dev/get-token.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +set -e + +curl -is \ + -H "Content-Type: application/json" \ + -d ' +{ "auth": { + "identity": { + "methods": ["password"], + "password": { + "user": { + "name": "admin", + "domain": { "id": "default" }, + "password": "password" + } + } + } + } +}' \ + http://keystone-api.ucp.svc.cluster.local/v3/auth/tokens | grep 'X-Subject-Token' | awk '{print $2}' diff --git a/tools/dev/server.sh b/tools/dev/server.sh new file mode 100755 index 00000000..c11a5f3b --- /dev/null +++ b/tools/dev/server.sh 
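Review bot: In `tools/dev/get-token.sh`, `curl -i` emits headers with CRLF line endings, so `awk '{print $2}'` returns the token with a trailing carriage return that breaks it when reused in an `X-Auth-Token` header; append `| tr -d '\r'`. With `set -e` but no `pipefail`, a failed `curl` is masked by the exit status of `awk`, so `set -eo pipefail` is needed for the script to fail visibly. The admin password and the Keystone URL are hard-coded and sent over `http://`. Reading them from environment variables (for example `${OS_PASSWORD}`) would keep the helper usable against a non-default deployment without editing credentials into the file.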
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +set -eux + +SCRIPT_DIR=$(realpath $(dirname $0)) +SOURCE_DIR=$(realpath $SCRIPT_DIR/../..) + +echo === Building image === +docker build -t quay.io/attcomdev/promenade:latest ${SOURCE_DIR} + +export PROMENADE_DEBUG=${PROMENADE_DEBUG:-1} + +exec docker run \ + --rm -it \ + --publish 9000:9000 \ + --volume "${SOURCE_DIR}/etc/promenade":/etc/promenade \ + quay.io/attcomdev/promenade:latest \ + server diff --git a/tools/g2/lib/registry.sh b/tools/g2/lib/registry.sh index b4a0cdd6..12bfb789 100644 --- a/tools/g2/lib/registry.sh +++ b/tools/g2/lib/registry.sh @@ -29,6 +29,10 @@ registry_list_images() { registry_populate() { log Validating local registry is populated for image in $(registry_list_images); do + if [[ ${image} =~ promenade ]]; then + continue + fi + if ! docker pull "localhost:5000/${image}" &> /dev/null; then log Loading image "${image}" into local registry { diff --git a/tools/g2/manifests/genesis.json b/tools/g2/manifests/genesis.json index a9eeb957..d0a09086 100644 --- a/tools/g2/manifests/genesis.json +++ b/tools/g2/manifests/genesis.json @@ -29,7 +29,7 @@ } ], "vm": { - "memory": 8096, + "memory": 16192, "names": [ "n0" ], diff --git a/tools/gate/config-templates/bootstrap-armada-config.yaml b/tools/gate/config-templates/bootstrap-armada-config.yaml index 5d5047c9..4490e6a2 100644 --- a/tools/gate/config-templates/bootstrap-armada-config.yaml +++ b/tools/gate/config-templates/bootstrap-armada-config.yaml @@ -14,6 +14,7 @@ data: - dns - kubernetes - kubernetes-rbac + - ucp-services --- schema: armada/ChartGroup/v1 metadata: @@ -68,6 +69,18 @@ data: - kubernetes-rbac --- schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-services + layeringDefinition: + abstract: false + layer: site +data: + description: UCP Services + chart_group: + - promenade +--- +schema: armada/ChartGroup/v1 metadata: schema: metadata/Document/v1 name: kubernetes 
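Review bot: In tools/dev/server.sh `PROMENADE_DEBUG` is exported on the host but `docker run` is not given `--env PROMENADE_DEBUG`, so as far as this hunk shows the container never sees the variable and the default of 1 has no effect. `--publish 9000:9000` binds the API on every host interface; `--publish 127.0.0.1:9000:9000` keeps a development server reachable only from the developer's machine. The `realpath`/`dirname` substitutions and `${SOURCE_DIR}` on the `docker build` line are unquoted and break on a checkout path containing spaces; `SCRIPT_DIR=$(realpath "$(dirname "$0")")` and `"${SOURCE_DIR}"` fix that.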
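Review bot: The `[[ ${image} =~ promenade ]]` test in `registry_populate` is an unanchored regex, so any image whose registry path, name or tag contains "promenade" is skipped, and nothing is logged when that happens. A `log Skipping "${image}"` line before `continue` would make the skip visible in gate output. A comment above the test should say why these images are not pulled (presumably because the gate builds them locally; please confirm). `registry_populate` continues past the end of the hunk.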
@@ -963,4 +976,39 @@ data: location: /etc/genesis/armada/assets/charts subpath: rbac dependencies: [] +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: promenade + layeringDefinition: + abstract: false + layer: site +data: + chart_name: promenade + release: promenade + namespace: ucp + timeout: 600 + values: + conf: + paste: + pipeline:main: + pipeline: promenade-api + images: + tags: + api: ${IMAGE_PROMENADE} + dep_check: ${IMAGE_DEP_CHECK} + manifests: + job_ks_endpoints: false + job_ks_service: false + job_ks_user: false + secret_keystone: false + upgrade: + no_hooks: true + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: promenade + dependencies: + - helm-toolkit ... diff --git a/tools/gate/default-config-env b/tools/gate/default-config-env index 35cdff8a..f923f05a 100644 --- a/tools/gate/default-config-env +++ b/tools/gate/default-config-env @@ -4,6 +4,7 @@ IMAGE_CALICO_CTL=quay.io/calico/ctl:v1.6.1 IMAGE_CALICO_KUBE_CONTROLLERS=quay.io/calico/kube-controllers:v1.0.0 IMAGE_CALICO_NODE=quay.io/calico/node:v2.6.1 IMAGE_COREDNS=coredns/coredns:0.9.9 +IMAGE_DEP_CHECK=quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 IMAGE_ETCD=quay.io/coreos/etcd:v3.0.17 IMAGE_HELM=lachlanevenson/k8s-helm:v2.5.1 IMAGE_HYPERKUBE=gcr.io/google_containers/hyperkube-amd64:v1.8.0
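Review bot: The `conf.paste` override reduces `pipeline:main` to `promenade-api` alone and all four Keystone manifests are switched off, which as far as this hunk shows deploys the API in the gate without a Keystone auth filter in front of it. That is reasonable for a bootstrap test, but nothing in the document says so and the block is easy to copy into a site definition. I would add a comment above `conf:` such as `# Gate only: Keystone is not deployed here, so the API runs without token authentication.` It is also worth confirming that the chart's default pipeline in charts/promenade/values.yaml keeps the auth filter, so that removing this override restores authentication.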