diff --git a/global/profiles/host/nc-cp-adv.yaml b/global/profiles/host/nc-cp-adv.yaml
index 3ec273361..e9e71c765 100755
--- a/global/profiles/host/nc-cp-adv.yaml
+++ b/global/profiles/host/nc-cp-adv.yaml
@@ -135,8 +135,8 @@ data:
hugepagesz: '1G'
hugepages: '20'
transparent_hugepage: 'never'
- kernel_package: 'linux-image-4.15.0-64-generic'
- console: 'ttyS1,115200n8'
+ kernel_package: 'linux-image-4.15.0-140-generic'
+ console: 'ttyS0,115200n8 console=tty0'
cgroup_disable: 'hugetlb'
amd_iommu: 'on'
intel_iommu: 'on'
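Review bot: The new `console` value packs a second kernel parameter into one key (`'ttyS0,115200n8 console=tty0'`), which only works if the consumer renders `kernel_params` as `key=value` pairs joined by spaces, and nothing in the hunk records that a maintainer should not "fix" it back to a single console. A comment above the key would make the intent explicit: `# two console= entries on purpose (serial primary, then VGA); a YAML mapping cannot repeat the key`. The serial device also moves from ttyS1 to ttyS0 — confirm this matches the SOL/serial port of the target hardware, because a wrong device silently loses the out-of-band console that incident response relies on. The same change is made in nc-cp.yaml, nc-p1-adv.yaml and nc-p1.yaml.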
diff --git a/global/profiles/host/nc-cp.yaml b/global/profiles/host/nc-cp.yaml
index 7d66b0c39..1d747e4ed 100644
--- a/global/profiles/host/nc-cp.yaml
+++ b/global/profiles/host/nc-cp.yaml
@@ -87,8 +87,8 @@ data:
image: 'bionic'
kernel: 'ga-18.04'
kernel_params:
- kernel_package: 'linux-image-4.15.0-64-generic'
- console: 'ttyS1,115200n8'
+ kernel_package: 'linux-image-4.15.0-140-generic'
+ console: 'ttyS0,115200n8 console=tty0'
cgroup_disable: 'hugetlb'
metadata:
owner_data:
diff --git a/global/profiles/host/nc-p1-adv.yaml b/global/profiles/host/nc-p1-adv.yaml
index bc7f5105a..cda979c9e 100755
--- a/global/profiles/host/nc-p1-adv.yaml
+++ b/global/profiles/host/nc-p1-adv.yaml
@@ -135,8 +135,8 @@ data:
hugepagesz: 'hardwareprofile:hugepages.dpdk.size'
hugepages: 'hardwareprofile:hugepages.dpdk.count'
transparent_hugepage: 'never'
- kernel_package: 'linux-image-4.15.0-64-generic'
- console: 'ttyS1,115200n8'
+ kernel_package: 'linux-image-4.15.0-140-generic'
+ console: 'ttyS0,115200n8 console=tty0'
amd_iommu: 'on'
intel_iommu: 'on'
iommu: 'pt'
diff --git a/global/profiles/host/nc-p1.yaml b/global/profiles/host/nc-p1.yaml
index 103eb32b3..84211e207 100644
--- a/global/profiles/host/nc-p1.yaml
+++ b/global/profiles/host/nc-p1.yaml
@@ -101,8 +101,8 @@ data:
image: 'bionic'
kernel: 'ga-18.04'
kernel_params:
- kernel_package: 'linux-image-4.15.0-64-generic'
- console: 'ttyS1,115200n8'
+ kernel_package: 'linux-image-4.15.0-140-generic'
+ console: 'ttyS0,115200n8 console=tty0'
intel_iommu: 'on'
iommu: 'pt'
amd_iommu: 'on'
diff --git a/global/profiles/kubernetes-host.yaml b/global/profiles/kubernetes-host.yaml
index 257a8dc10..a323bf62e 100644
--- a/global/profiles/kubernetes-host.yaml
+++ b/global/profiles/kubernetes-host.yaml
@@ -216,12 +216,12 @@ metadata:
pattern: PAUSE_IMAGE
# CRI tool
-# - src:
-# schema: pegleg/SoftwareVersions/v1
-# name: software-versions
-# path: .files.crictl
-# dest:
-# path: .files[9].tar_url
+ - src:
+ schema: pegleg/SoftwareVersions/v1
+ name: software-versions
+ path: .files.crictl
+ dest:
+ path: .files[9].tar_url
data:
# see (and update if needed)
# type/cruiser/profiles/kubernetes-host.yaml (data.files)
@@ -336,12 +336,17 @@ data:
mode: 0400
content: |-
version = 2
- disabled_plugins = ["restart"]
- [plugins.cri]
- systemd_cgroup = true
+ [debug]
+ level = "warn"
+
+ [plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "PAUSE_IMAGE"
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ runtime_type = "io.containerd.runc.v2"
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+ SystemdCgroup = true
# .files[9]
- path: /usr/bin/crictl
tar_path: crictl
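Review bot: `SystemdCgroup = true` in the new runc options only works if the kubelet on the same host is configured with the systemd cgroup driver; the kubelet configuration is not part of this hunk, and a mismatch shows up as pods failing to start rather than as a config error. A comment next to the option would record the coupling: `# must match the kubelet cgroup driver (systemd)`. Also, `level = "warn"` under `[debug]` drops containerd's info-level events from the host logs; if those are collected for audit, confirm warn is sufficient.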
diff --git a/global/software/charts/kubernetes/core/apiserver.yaml b/global/software/charts/kubernetes/core/apiserver.yaml
index ec5f6f8e9..a7d28905a 100644
--- a/global/software/charts/kubernetes/core/apiserver.yaml
+++ b/global/software/charts/kubernetes/core/apiserver.yaml
@@ -168,6 +168,15 @@ data:
release_group: clcp-kubernetes-apiserver
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ kubernetes_apiserver_anchor:
+ anchor: runtime/default
+ kube-apiserver:
+ init: runtime/default
+ apiserver-key-rotate: runtime/default
+ apiserver:
+ apiserver: runtime/default
lifecycle:
upgrades:
daemonsets:
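Review bot: The container names under `mandatory_access_control` (`kube-apiserver` → `init`, `apiserver-key-rotate`; `apiserver` → `apiserver`) have to match the chart's container names exactly — helm-toolkit renders them, as far as I can tell, into per-container AppArmor annotations — and a typo leaves that container unconfined or, depending on the Kubernetes version, fails pod validation. Nothing in the hunk says where the list comes from, so a short comment would help the next chart bump: `# container names must match the chart templates; re-check after a chart version change`. The same applies to every `mandatory_access_control` block added in this commit (controller-manager, coredns, etcd, haproxy, both ceph-config files, cinder, openvswitch, both ingress charts, memcached, apiserver-webhook, armada and the ceph-client files).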
diff --git a/global/software/charts/kubernetes/core/chart-group.yaml b/global/software/charts/kubernetes/core/chart-group.yaml
index 6e8560d53..001dcbd5b 100644
--- a/global/software/charts/kubernetes/core/chart-group.yaml
+++ b/global/software/charts/kubernetes/core/chart-group.yaml
@@ -9,6 +9,7 @@ metadata:
storagePolicy: cleartext
data:
description: Kubernetes components
+ sequenced: true
chart_group:
- kubernetes-apiserver
- kubernetes-controller-manager
diff --git a/global/software/charts/kubernetes/core/controller-manager.yaml b/global/software/charts/kubernetes/core/controller-manager.yaml
index 8609f2ce3..cb53ecaa2 100644
--- a/global/software/charts/kubernetes/core/controller-manager.yaml
+++ b/global/software/charts/kubernetes/core/controller-manager.yaml
@@ -120,6 +120,12 @@ data:
network:
kubernetes_netloc: 127.0.0.1:6553
pod:
+ mandatory_access_control:
+ type: apparmor
+ kubernetes-controller-manager-anchor:
+ anchor: runtime/default
+ controller-manager:
+ controller-manager: runtime/default
lifecycle:
upgrades:
daemonsets:
diff --git a/global/software/charts/kubernetes/dns/coredns.yaml b/global/software/charts/kubernetes/dns/coredns.yaml
index 755555faf..afffb781d 100644
--- a/global/software/charts/kubernetes/dns/coredns.yaml
+++ b/global/software/charts/kubernetes/dns/coredns.yaml
@@ -125,6 +125,12 @@ data:
# and Deployment-managed pods as we transition to DaemonSet.
replicas:
coredns: 2
+ mandatory_access_control:
+ type: apparmor
+ coredns:
+ coredns: runtime/default
+ coredns-health: runtime/default
+ coredns-test: runtime/default
labels:
coredns:
# NOTE(mb874d): This is the label specified in the IPDD
diff --git a/global/software/charts/kubernetes/etcd/etcd.yaml b/global/software/charts/kubernetes/etcd/etcd.yaml
index 0333bab15..b15625417 100644
--- a/global/software/charts/kubernetes/etcd/etcd.yaml
+++ b/global/software/charts/kubernetes/etcd/etcd.yaml
@@ -98,6 +98,14 @@ data:
release_group: clcp-kubernetes-etcd
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ etcd-anchor:
+ etcdctl: runtime/default
+ etcd:
+ etcd-test: runtime/default
+ etcd-backup:
+ etcd-backup: runtime/default
lifecycle:
upgrades:
daemonsets:
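Review bot: Under the `etcd:` pod only `etcd-test` receives a profile, so the etcd server container itself appears to have no AppArmor entry, unlike the apiserver hunk where the main container is listed. If the server runs as a static pod written by the anchor, it cannot be annotated through these values and that limitation should be stated in a comment; otherwise add `etcd: runtime/default` under the `etcd:` pod. Confirm against the chart's pod and container names, which are not visible here.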
diff --git a/global/software/charts/kubernetes/haproxy/haproxy.yaml b/global/software/charts/kubernetes/haproxy/haproxy.yaml
index 6e12c6db1..96cac3db2 100644
--- a/global/software/charts/kubernetes/haproxy/haproxy.yaml
+++ b/global/software/charts/kubernetes/haproxy/haproxy.yaml
@@ -63,6 +63,15 @@ data:
enabled: true
min_ready_seconds: 0
max_unavailable: '50%'
+ mandatory_access_control:
+ type: apparmor
+ haproxy-anchor:
+ haproxy-perms: runtime/default
+ anchor: runtime/default
+ kubernetes:
+ haproxy-haproxy-test: runtime/default
+ haproxy:
+ haproxy: runtime/default
security_context:
haproxy:
pod:
diff --git a/global/software/charts/osh/openstack-ceph-config/ceph-config.yaml b/global/software/charts/osh/openstack-ceph-config/ceph-config.yaml
index ffae11c75..4ee3c6119 100644
--- a/global/software/charts/osh/openstack-ceph-config/ceph-config.yaml
+++ b/global/software/charts/osh/openstack-ceph-config/ceph-config.yaml
@@ -74,6 +74,15 @@ data:
test:
enabled: true
values:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ clcp-openstack-ceph-config-ceph-ns-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ init: runtime/default
+ clcp-openstack-ceph-config-test:
+ ceph-provisioner-helm-test: runtime/default
+ init: runtime/default
labels:
job:
node_selector_key: openstack-control-plane
diff --git a/global/software/charts/osh/openstack-cinder/cinder.yaml b/global/software/charts/osh/openstack-cinder/cinder.yaml
index 98fbf232f..489c60cdd 100644
--- a/global/software/charts/osh/openstack-cinder/cinder.yaml
+++ b/global/software/charts/osh/openstack-cinder/cinder.yaml
@@ -225,6 +225,38 @@ data:
jobs:
- clcp-openstack-rabbitmq-cluster-wait
pod:
+ mandatory_access_control:
+ type: apparmor
+ cinder-api:
+ cinder-api: runtime/default
+ ceph-coordination-volume-perms: runtime/default
+ init: runtime/default
+ cinder-backup:
+ cinder-backup: runtime/default
+ ceph-coordination-volume-perms: runtime/default
+ init: runtime/default
+ cinder-scheduler:
+ cinder-scheduler: runtime/default
+ ceph-coordination-volume-perms: runtime/default
+ init: runtime/default
+ cinder-volume:
+ cinder-volume: runtime/default
+ ceph-coordination-volume-perms: runtime/default
+ init-cinder-conf: runtime/default
+ init: runtime/default
+ cinder-backup-storage-init:
+ cinder-backup-storage-init: runtime/default
+ init: runtime/default
+ cinder-test:
+ init: runtime/default
+ cinder-test: runtime/default
+ cinder-test-ks-user: runtime/default
+ cinder-create-internal-tenant:
+ init: runtime/default
+ create-internal-tenant: runtime/default
+ cinder-volume-usage-audit:
+ cinder-volume-usage-audit: runtime/default
+ init: runtime/default
replicas:
api: 3
volume: 3
@@ -243,11 +275,25 @@ data:
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 50%
+ useHostNetwork:
+ volume: true
+ backup: true
security_context:
cinder_volume:
container:
cinder_volume:
allowPrivilegeEscalation: true
+ privileged: true
+ readOnlyRootFilesystem: false
+ cinder_backup:
+ container:
+ cinder_backup:
+ privileged: true
+ cinder_api:
+ container:
+ cinder_api:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
labels:
api:
node_selector_key: openstack-control-plane
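Review bot: The new `privileged: true`, `useHostNetwork` and `runAsUser: 0` settings widen the attack surface of the cinder volume, backup and api containers without a comment saying why each is needed, so a later reviewer cannot tell whether the privilege is still required. Record the reason inline, e.g. `# privileged + host network: volume/backup attach block devices on the node` and `# runAsUser 0: apache2 front end (conf.software.apache2) needs to start as root`, adjusting the text to what actually drove the change. Note also that with the containerd CRI configured in the kubernetes-host hunk, `runtime/default` is, as far as I know, not applied to privileged containers, so the `cinder-volume` and `cinder-backup` entries in the preceding `mandatory_access_control` block likely provide no confinement; a comment there avoids a false sense of coverage.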
@@ -270,7 +316,69 @@ data:
ceph_client:
configmap: tenant-ceph-etc
user_secret_name: pvc-tceph-client-key
+ network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-Content-Type-Options: nosniff";
+ more_set_headers "X-Frame-Options: deny";
+ more_set_headers "Content-Security-Policy: default-src 'self'";
+ more_set_headers "X-Permitted-Cross-Domain-Policies: none";
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ endpoints:
+ ingress:
+ port:
+ ingress:
+ default: 443
conf:
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ site_dir: /etc/apache2/sites-enabled
+ conf_dir: /etc/apache2/conf-enabled
+ mods_dir: /etc/apache2/mods-available
+ a2enmod:
+ - ssl
+ a2dismod: null
+ mpm_event: |
+
+ ServerLimit 1024
+ StartServers 32
+ MinSpareThreads 32
+ MaxSpareThreads 256
+ ThreadsPerChild 25
+ MaxRequestsPerChild 128
+ ThreadLimit 720
+
+ wsgi_cinder: |
+ {{- $portInt := tuple "volume" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ Listen {{ $portInt }}
+
+ ServerName {{ printf "%s.%s.svc.%s" "cinder-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+ WSGIDaemonProcess cinder-api processes=1 threads=1 user=cinder display-name=%{GROUP}
+ WSGIProcessGroup cinder-api
+ WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ AllowEncodedSlashes On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ ErrorLog /dev/stdout
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ SSLEngine on
+ SSLCertificateFile /etc/cinder/certs/tls.crt
+ SSLCertificateKeyFile /etc/cinder/certs/tls.key
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+
ceph:
pools:
backup:
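Review bot: The line reading `= 2.4>` inside `wsgi_cinder`, and the bare blank lines that open and close the `mpm_event` block, look like `<IfVersion >= 2.4>`/`</IfVersion>` and `<IfModule mpm_event_module>`/`</IfModule>` tags lost when this diff was rendered; if the committed file really contains `= 2.4>`, apache2 will refuse to start, so check the raw file rather than this view. The TLS directives themselves (`SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, `SSLHonorCipherOrder on`) are sound. Both `ErrorLog` and `CustomLog` go to `/dev/stdout`, so API access auditing depends entirely on container log retention — worth a one-line comment above the log directives.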
diff --git a/global/software/charts/osh/openstack-compute-kit/libvirt.yaml b/global/software/charts/osh/openstack-compute-kit/libvirt.yaml
index 4967e8f5c..fee73eac2 100644
--- a/global/software/charts/osh/openstack-compute-kit/libvirt.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/libvirt.yaml
@@ -64,6 +64,15 @@ data:
type: apparmor
libvirt-libvirt-default:
libvirt: localhost/libvirt-v1
+ resources:
+ enabled: true
+ libvirt:
+ requests:
+ memory: "4096Mi"
+ cpu: "4000m"
+ limits:
+ memory: "4096Mi"
+ cpu: "4000m"
ceph_client:
configmap: tenant-ceph-etc
user_secret_name: pvc-tceph-client-key
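Review bot: A 4096Mi memory limit on the libvirt pod is only safe if qemu guest processes are not accounted in the pod's cgroup; if libvirtd's children stay there, the first guests to use memory push the pod over its limit and the OOM killer takes out libvirtd and the guests with it. The OSH libvirt entrypoint does, as far as I recall, re-parent itself into the host's root cgroups to avoid exactly this, but that is not visible here, so confirm before relying on the limit and record it: `# limit covers libvirtd only; qemu processes are moved out of the pod cgroup by the chart entrypoint`.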
diff --git a/global/software/charts/osh/openstack-compute-kit/openvswitch.yaml b/global/software/charts/osh/openstack-compute-kit/openvswitch.yaml
index d7a28c02b..f40a76fd5 100644
--- a/global/software/charts/osh/openstack-compute-kit/openvswitch.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/openvswitch.yaml
@@ -60,6 +60,14 @@ data:
node_selector_key: openvswitch
node_selector_value: enabled
pod:
+ mandatory_access_control:
+ type: apparmor
+ openvswitch-vswitchd:
+ openvswitch-vswitchd: runtime/default
+ openvswitch-vswitchd-modules: runtime/default
+ openvswitch-db:
+ openvswitch-db: runtime/default
+ openvswitch-db-perms: runtime/default
probes:
ovs_db:
ovs_db:
diff --git a/global/software/charts/osh/openstack-ingress-controller/ingress.yaml b/global/software/charts/osh/openstack-ingress-controller/ingress.yaml
index 0079d3252..0be3fd941 100644
--- a/global/software/charts/osh/openstack-ingress-controller/ingress.yaml
+++ b/global/software/charts/osh/openstack-ingress-controller/ingress.yaml
@@ -55,6 +55,14 @@ data:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
+ mandatory_access_control:
+ type: apparmor
+ ingress-error-pages:
+ init: runtime/default
+ ingress-error-pages: runtime/default
+ ingress-server:
+ init: runtime/default
+ ingress: runtime/default
replicas:
ingress: 2
error_page: 2
diff --git a/global/software/charts/osh/openstack-mariadb/mariadb.yaml b/global/software/charts/osh/openstack-mariadb/mariadb.yaml
index f18a6cea5..be1590dfd 100644
--- a/global/software/charts/osh/openstack-mariadb/mariadb.yaml
+++ b/global/software/charts/osh/openstack-mariadb/mariadb.yaml
@@ -135,6 +135,120 @@ data:
size: 30Gi
backup:
size: 50Gi
+ conf:
+ database:
+ 00_base: |
+ [mysqld]
+ # Charset
+ character_set_server=utf8
+ collation_server=utf8_general_ci
+ skip-character-set-client-handshake
+ # Logging
+ slow_query_log=off
+ slow_query_log_file=/var/log/mysql/mariadb-slow.log
+ log_warnings=2
+ # General logging has huge performance penalty therefore is disabled by default
+ general_log=off
+ general_log_file=/var/log/mysql/mariadb-error.log
+ long_query_time=3
+ log_queries_not_using_indexes=on
+ # Networking
+ bind_address=0.0.0.0
+ port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ # When a client connects, the server will perform hostname resolution,
+ # and when DNS is slow, establishing the connection will become slow as well.
+ # It is therefore recommended to start the server with skip-name-resolve to
+ # disable all DNS lookups. The only limitation is that the GRANT statements
+ # must then use IP addresses only.
+ skip_name_resolve
+ # Tuning
+ user=mysql
+ max_allowed_packet=256M
+ open_files_limit=10240
+ max_connections=8192
+ max-connect-errors=1000000
+ # General security settings
+ # Reference link below:
+ # https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html
+ # secure_file_priv is set to '/home' because it is read-only, which will
+ # disable this feature completely.
+ secure_file_priv=/home
+ local_infile=0
+ symbolic_links=0
+ sql_mode="STRICT_ALL_TABLES,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
+ ## Generally, it is unwise to set the query cache to be larger than 64-128M
+ ## as the costs associated with maintaining the cache outweigh the performance
+ ## gains.
+ ## The query cache is a well known bottleneck that can be seen even when
+ ## concurrency is moderate. The best option is to disable it from day 1
+ ## by setting query_cache_size=0 (now the default on MySQL 5.6)
+ ## and to use other ways to speed up read queries: good indexing, adding
+ ## replicas to spread the read load or using an external cache.
+ query_cache_size=0
+ query_cache_type=0
+ sync_binlog=0
+ thread_cache_size=16
+ table_open_cache=2048
+ table_definition_cache=1024
+ #
+ # InnoDB
+ #
+ # The buffer pool is where data and indexes are cached: having it as large as possible
+ # will ensure you use memory and not disks for most read operations.
+ # Typical values are 50..75% of available RAM.
+ # TODO(tomasz.paszkowski): This needs to by dynamic based on available RAM.
+ innodb_buffer_pool_size=1024M
+ innodb_doublewrite=0
+ innodb_file_format=Barracuda
+ innodb_file_per_table=1
+ innodb_flush_method=O_DIRECT
+ innodb_io_capacity=500
+ innodb_locks_unsafe_for_binlog=1
+ innodb_log_file_size=128M
+ innodb_old_blocks_time=1000
+ innodb_read_io_threads=8
+ innodb_write_io_threads=8
+ # Clustering
+ binlog_format=ROW
+ default-storage-engine=InnoDB
+ innodb_autoinc_lock_mode=2
+ innodb_flush_log_at_trx_commit=2
+ wsrep_cluster_name={{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" | replace "." "_" }}
+ wsrep_on=1
+ wsrep_provider=/usr/lib/galera/libgalera_smm.so
+ wsrep_provider_options="evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ wsrep_slave_threads=12
+ wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}
+ wsrep_sst_method=mariabackup
+ {{ if .Values.manifests.certificates }}
+ # TLS
+ ssl_ca=/etc/mysql/certs/ca.crt
+ ssl_key=/etc/mysql/certs/tls.key
+ ssl_cert=/etc/mysql/certs/tls.crt
+ # tls_version = TLSv1.2,TLSv1.3
+ {{ end }}
+ [mysqldump]
+ max-allowed-packet=16M
+ [client]
+ default_character_set=utf8
+ protocol=tcp
+ port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.manifests.certificates }}
+ # TLS
+ ssl_ca=/etc/mysql/certs/ca.crt
+ ssl_key=/etc/mysql/certs/tls.key
+ ssl_cert=/etc/mysql/certs/tls.crt
+ # tls_version = TLSv1.2,TLSv1.3
+ ssl-verify-server-cert=false
+ {{ end }}
+ backup:
+ enabled: true
+ days_to_keep: 3
+ remote_backup:
+ enabled: true
+ container_name: DOMAIN
+ days_to_keep: 14
+ storage_policy: ncbackup_pt
monitoring:
prometheus:
enabled: true
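Review bot: In the `[client]` TLS section `ssl-verify-server-cert=false` disables server certificate verification, so whatever reads this file as a client (presumably the mysql CLI used by backup and readiness scripts) will connect to any endpoint presenting any certificate; if the chart's certificates carry the service hostname, set it to `true`, otherwise explain inline why verification is not possible. The `# tls_version = TLSv1.2,TLSv1.3` line is commented out in both sections, leaving the server's default minimum protocol in effect — either enable it or state the default in a comment. Separately, `container_name: DOMAIN` under `remote_backup` reads like an unsubstituted placeholder; if a pegleg substitution fills it, that is not visible in this hunk and deserves a comment.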
diff --git a/global/software/charts/osh/openstack-memcached/memcached.yaml b/global/software/charts/osh/openstack-memcached/memcached.yaml
index 38f1bf43d..7634dcd1f 100644
--- a/global/software/charts/osh/openstack-memcached/memcached.yaml
+++ b/global/software/charts/osh/openstack-memcached/memcached.yaml
@@ -70,6 +70,14 @@ data:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
+ mandatory_access_control:
+ type: apparmor
+ prometheus_memcached_exporter:
+ init: runtime/default
+ memcached-exporter: runtime/default
+ memcached:
+ init: runtime/default
+ memcached: runtime/default
lifecycle:
upgrades:
deployments:
diff --git a/global/software/charts/osh/openstack-rabbitmq/rabbitmq.yaml b/global/software/charts/osh/openstack-rabbitmq/rabbitmq.yaml
index 5e6a7093f..0b255b8e6 100644
--- a/global/software/charts/osh/openstack-rabbitmq/rabbitmq.yaml
+++ b/global/software/charts/osh/openstack-rabbitmq/rabbitmq.yaml
@@ -101,6 +101,23 @@ data:
anti:
type:
server: requiredDuringSchedulingIgnoredDuringExecution
+ resources:
+ enabled: true
+ server:
+ requests:
+ memory: "8192Mi"
+ cpu: "12000m"
+ limits:
+ memory: "8192Mi"
+ cpu: "12000m"
+ network:
+ management:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Frame-Options: deny";
labels:
server:
node_selector_key: openstack-control-plane
diff --git a/global/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml b/global/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml
index eca179880..d329698e6 100644
--- a/global/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml
+++ b/global/software/charts/osh/openstack-tenant-ceph/ceph-client.yaml
@@ -160,6 +160,58 @@ data:
pod:
replicas:
mgr: 3
+ resources:
+ enabled: true
+ mds:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "2Gi"
+ cpu: "2000m"
+ mgr:
+ requests:
+ memory: "2Gi"
+ cpu: "2000m"
+ limits:
+ memory: "8Gi"
+ cpu: "4000m"
+ checkdns:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ image_repo_sync:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ rbd_pool:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ tests:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
conf:
features:
mds: false
diff --git a/global/software/charts/osh/openstack-tenant-ceph/ceph-ingress.yaml b/global/software/charts/osh/openstack-tenant-ceph/ceph-ingress.yaml
index 44f2a1768..af0a05b70 100644
--- a/global/software/charts/osh/openstack-tenant-ceph/ceph-ingress.yaml
+++ b/global/software/charts/osh/openstack-tenant-ceph/ceph-ingress.yaml
@@ -53,6 +53,14 @@ data:
node_selector_key: tenant-ceph-control-plane
node_selector_value: enabled
pod:
+ mandatory_access_control:
+ type: apparmor
+ ingress-error-pages:
+ init: runtime/default
+ ingress-error-pages: runtime/default
+ ingress-server:
+ init: runtime/default
+ ingress: runtime/default
replicas:
ingress: 2
error_page: 2
diff --git a/global/software/charts/ucp/apiserver-webhook/apiserver-webhook.yaml b/global/software/charts/ucp/apiserver-webhook/apiserver-webhook.yaml
index 6e9be8350..bd89661c8 100644
--- a/global/software/charts/ucp/apiserver-webhook/apiserver-webhook.yaml
+++ b/global/software/charts/ucp/apiserver-webhook/apiserver-webhook.yaml
@@ -254,6 +254,11 @@ data:
release_group: clcp-ucp-apiserver-webhook
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ apiserver-webhook:
+ apiserver: runtime/default
+ webhook: runtime/default
replicas:
api: 1
affinity:
@@ -271,6 +276,18 @@ data:
kubernetes_apiserver:
node_selector_key: kubernetes-apiserver
node_selector_value: enabled
+ network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Frame-Options: deny";
conf:
policy:
- resource:
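Review bot: `nginx.ingress.kubernetes.io/secure-backends` is the deprecated predecessor of `backend-protocol`, which the same block also sets to `"HTTPS"`; keeping both is harmless while the controller still honors the old one, but it invites drift. Either drop the old annotation once the ingress-controller version in use is confirmed, or keep it with `# secure-backends kept for older ingress-nginx; backend-protocol is the current form`.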
@@ -298,38 +315,6 @@ data:
- type: role
values:
- utility_exec
- - nonresource:
- verbs:
- - get
- path: "/api"
- match:
- - type: role
- values:
- - utility_exec
- - nonresource:
- verbs:
- - get
- path: "/api/*"
- match:
- - type: role
- values:
- - utility_exec
- - nonresource:
- verbs:
- - get
- path: "/apis"
- match:
- - type: role
- values:
- - utility_exec
- - nonresource:
- verbs:
- - get
- path: "/apis/*"
- match:
- - type: role
- values:
- - utility_exec
- resource:
verbs:
- "*"
@@ -389,14 +374,6 @@ data:
- type: role
values:
- admin_k8scluster
- - nonresource:
- verbs:
- - "*"
- path: "*"
- match:
- - type: role
- values:
- - admin_k8scluster
- resource:
resources:
- pods
@@ -706,6 +683,141 @@ data:
- type: role
values:
- admin_k8scluster_viewer
+ # gatekeeper constraints can be viewed
+ - resource:
+ verbs:
+ - get
+ - list
+ resources:
+ - "*"
+ version: constraints.gatekeeper.sh
+ namespace: "*"
+ match:
+ - type: role
+ values:
+ - gatekeeper_constraint_reader
+ # argo workflows can be viewed, created, and deleted in the aqua namespace
+ - resource:
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - watch
+ resources:
+ - workflows
+ version: argoproj.io
+ namespace: aqua
+ match:
+ - type: role
+ values:
+ - aqua_bathysphere
+ # Every built-in or custom resource can be get/list in aqua namespace
+ - resource:
+ verbs:
+ - get
+ - list
+ resources:
+ - '*'
+ version: '*'
+ namespace: aqua
+ match:
+ - type: role
+ values:
+ - aqua_bathysphere
+ # To enable discovery when using Kubectl get/list command on nodes
+ - resource:
+ verbs:
+ - get
+ - list
+ resources:
+ - nodes
+ version: ''
+ namespace: "*"
+ match:
+ - type: role
+ values:
+ - aqua_bathysphere
+ # TestResultRef custom resources can be fully managed in the aqua namespace
+ - resource:
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+ - watch
+ - update
+ - patch
+ resources:
+ - testresultrefs
+ version: 'aqua.att.com'
+ namespace: aqua
+ match:
+ - type: role
+ values:
+ - aqua_bathysphere
+ - nonresource:
+ verbs:
+ - get
+ path: "/api"
+ match:
+ - type: role
+ values:
+ - utility_exec
+ - admin_k8scluster_viewer
+ - kube-system-viewer
+ - nonresource:
+ verbs:
+ - get
+ path: "/api/*"
+ match:
+ - type: role
+ values:
+ - utility_exec
+ - admin_k8scluster_viewer
+ - kube-system-viewer
+ - nonresource:
+ verbs:
+ - get
+ path: "/apis"
+ match:
+ - type: role
+ values:
+ - utility_exec
+ - admin_k8scluster_viewer
+ - kube-system-viewer
+ - nonresource:
+ verbs:
+ - get
+ path: "/apis/*"
+ match:
+ - type: role
+ values:
+ - utility_exec
+ - admin_k8scluster_viewer
+ - kube-system-viewer
+ - nonresource:
+ verbs:
+ - get
+ path: "/version"
+ match:
+ - type: role
+ values:
+ - utility_exec
+ - admin_k8scluster_viewer
+ - kube-system-viewer
+ - nonresource:
+ verbs:
+ - "*"
+ path: "*"
+ match:
+ - type: role
+ values:
+ - admin
+ - admin_k8scluster
+ - admin_k8scluster_editor
+ - aqua_bathysphere
+ - kube-system-admin
apiserver:
encryption_provider:
file: encryption_provider.yaml
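Review bot: The final `nonresource` rule grants `verbs: "*"` on `path: "*"` to `aqua_bathysphere`, a role every other new rule carefully scopes to the `aqua` namespace; non-resource URLs are cluster-wide, so this hands that role the same non-resource reach as `admin` and `admin_k8scluster` (for example `/logs`, `/metrics` and `/debug` endpoints, if this apiserver serves them). If only discovery is needed, the `/api`, `/apis` and `/version` rules just above already model that — add `aqua_bathysphere` to their `values` lists and remove it from the wildcard rule. If the broad grant is intentional, it needs a comment saying why, as every other rule in the block documents its purpose.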
diff --git a/global/software/charts/ucp/armada/armada.yaml b/global/software/charts/ucp/armada/armada.yaml
index f9d083e23..1738b7ea3 100644
--- a/global/software/charts/ucp/armada/armada.yaml
+++ b/global/software/charts/ucp/armada/armada.yaml
@@ -96,6 +96,14 @@ data:
release_group: clcp-ucp-armada
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ armada-api:
+ init: runtime/default
+ armada-api: runtime/default
+ tiller: runtime/default
+ armada-api-test:
+ armada-api-test: runtime/default
affinity:
anti:
type:
diff --git a/global/software/charts/ucp/ceph-config/ceph-config.yaml b/global/software/charts/ucp/ceph-config/ceph-config.yaml
index 7e1410510..3bf5df4db 100644
--- a/global/software/charts/ucp/ceph-config/ceph-config.yaml
+++ b/global/software/charts/ucp/ceph-config/ceph-config.yaml
@@ -7,6 +7,8 @@ metadata:
abstract: false
layer: global
storagePolicy: cleartext
+ labels:
+ name: ucp-ceph-config
substitutions:
# Chart source
- src:
@@ -75,6 +77,15 @@ data:
test:
enabled: true
values:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ clcp-ucp-ceph-config-ceph-ns-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ init: runtime/default
+ clcp-ucp-ceph-config-test:
+ ceph-provisioner-helm-test: runtime/default
+ init: runtime/default
labels:
job:
node_selector_key: ucp-control-plane
diff --git a/global/software/charts/ucp/ceph/ceph-client-update.yaml b/global/software/charts/ucp/ceph/ceph-client-update.yaml
index f01f2c0bf..c7f3e7da2 100644
--- a/global/software/charts/ucp/ceph/ceph-client-update.yaml
+++ b/global/software/charts/ucp/ceph/ceph-client-update.yaml
@@ -56,7 +56,7 @@ metadata:
# Secrets
- dest:
- path: .values.conf.ceph.global.fsid
+ path: .values.conf.ceph.global.fsid
src:
schema: deckhand/Passphrase/v1
name: ceph_fsid
@@ -112,27 +112,27 @@ data:
namespace: ceph
deployment:
ceph: true
- bootstrap:
- # Placed here to run after main ceph compoents laid down/updated
- enabled: true
- script: |
- set -x
- DESIRED_VERSION="nautilus"
- ADDITIONAL_VERSIONS=1
- while [ $ADDITIONAL_VERSIONS -gt 0 ]; do
- sleep 5
- ADDITIONAL_VERSIONS=$(ceph tell osd.* version --format json | awk -F 'osd.[0-9]*: ' '/^osd/ { print $2}' | jq -r '.version' | awk '{ print $(NF-1) }' | uniq | grep -v ${DESIRED_VERSION} | wc -l )
- done
- while [[ `ceph pg ls | tail -n +2 | grep -v "active+\|NOTE"` ]]
- do
- sleep 5
- done
ceph_mgr_enabled_modules:
- restful
- status
- prometheus
- balancer
- iostat
+ bootstrap:
+ # Placed here to run after main ceph compoents laid down/updated
+ enabled: true
+ script: |
+ set -x
+ DESIRED_VERSION="octopus"
+ ADDITIONAL_VERSIONS=1
+ while [ $ADDITIONAL_VERSIONS -gt 0 ]; do
+ sleep 5
+ ADDITIONAL_VERSIONS=$(ceph tell osd.* version --format json | awk -F 'osd.[0-9]*: ' '/^osd/ { print $2}' | jq -r '.release' | uniq | grep -v ${DESIRED_VERSION} | wc -l )
+ done
+ while [[ `ceph pg stat -f json | jq -r ".pg_summary.num_pgs"` -eq 0 ]] || [[ `ceph pg ls -f json | jq -r '.pg_stats[].state' | grep -v "active"` ]]
+ do
+ sleep 5
+ done
jobs:
pool_checkPGs:
# Run once a month at midnight of the first day of the month
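Review bot: The version wait loop exits as soon as the pipeline prints nothing: if `ceph tell osd.* version` fails transiently (mon unreachable, no OSDs registered yet) the output is empty, `wc -l` yields 0, and the script proceeds as if every OSD were already on `octopus`. Capture the listing first and treat empty as not-ready, e.g. `RELEASES=$(ceph tell osd.* version --format json | awk -F 'osd.[0-9]*: ' '/^osd/ { print $2}' | jq -r '.release' | sort -u)`, `[ -z "$RELEASES" ] && continue`, `ADDITIONAL_VERSIONS=$(echo "$RELEASES" | grep -vc "${DESIRED_VERSION}")`; `sort -u` also replaces `uniq`, which only collapses adjacent duplicates. Neither loop has an upper bound, so a cluster that never converges leaves the bootstrap job running indefinitely with only `set -x` output to explain it — consider a retry cap or at least echoing the offending releases and PG states on each iteration.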
@@ -146,7 +146,29 @@ data:
# Skip new job if previous job still active
execPolicy: Forbid
startingDeadlineSecs: 60
+ rbd_pool:
+ restartPolicy: Never
pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-checkdns:
+ ceph-checkdns: runtime/default
+ init: runtime/default
+ ceph-mds:
+ ceph-mds: runtime/default
+ ceph-init-dirs: runtime/default
+ ceph-mgr:
+ ceph-mgr: runtime/default
+ ceph-init-dirs: runtime/default
+ ceph-rbd-pool:
+ ceph-rbd-pool: runtime/default
+ init: runtime/default
+ ceph-client-bootstrap:
+ ceph-client-bootstrap: runtime/default
+ init: runtime/default
+ ceph-client-test:
+ ceph-cluster-helm-test: runtime/default
+ init: runtime/default
affinity:
anti:
type:
@@ -154,12 +176,79 @@ data:
replicas:
mds: 3
mgr: 3
+ lifecycle:
+ upgrades:
+ deployments:
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 50%
+ resources:
+ enabled: true
+ mds:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "2Gi"
+ cpu: "2000m"
+ mgr:
+ requests:
+ memory: "2Gi"
+ cpu: "2000m"
+ limits:
+ memory: "8Gi"
+ cpu: "4000m"
+ checkdns:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ image_repo_sync:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ rbd_pool:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ tests:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
conf:
features:
- pg_autoscaler: false
+ # NOTE(st053q): If autoscaler is disabled, then
+ # mon_pg_warn_max_object_skew should not be 0 in ceph.conf
+ pg_autoscaler: true
+ cluster_flags:
+ unset: "noup"
pool:
spec:
+ # Health metrics pool
+ - name: device_health_metrics
+ application: mgr_devicehealth
+ replication: 3
+ percent_total_data: 5
# RBD pool
- name: rbd
application: rbd
@@ -225,10 +314,15 @@ data:
target:
osd: 1
pg_per_osd: 100
+ pg_num_min: 1
protected: true
- # Quota at 10000 to ensure that all pools have quotas greater
- # than the cluster's capacity. 1000 would get some to about 85%
- quota: 10000
+ # NOTE: 'quota' represents a scaler for effective capacity of cluster
+ # as a percent value. Setting it to anything more than 100 will mean
+ # that if all pools completely use their quotas, total data stored is
+ # more than capacity. For example quota at 10000 would ensure that
+ # EVERY pool can exceed cluster capacity. Set to 85 in order to maintain
+ # healthy state and allow data move in case of failures.
+ quota: 85
default:
# NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph
@@ -242,6 +336,8 @@ data:
# cluster with only one OSD. Depending on OSD targeting & site
# configuration this can be changed.
osd_pool_default_size: 1
+ mon_pg_warn_min_per_osd: 0
+ mon_pg_warn_max_object_skew: 0
dependencies:
- ceph-htk
...
diff --git a/global/software/charts/ucp/ceph/ceph-client.yaml b/global/software/charts/ucp/ceph/ceph-client.yaml
index 7423b63f7..a1823a9a7 100644
--- a/global/software/charts/ucp/ceph/ceph-client.yaml
+++ b/global/software/charts/ucp/ceph/ceph-client.yaml
@@ -56,7 +56,7 @@ metadata:
# Secrets
- dest:
- path: .values.conf.ceph.global.fsid
+ path: .values.conf.ceph.global.fsid
src:
schema: deckhand/Passphrase/v1
name: ceph_fsid
@@ -118,9 +118,81 @@ data:
- balancer
- iostat
pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-checkdns:
+ ceph-checkdns: runtime/default
+ init: runtime/default
+ ceph-mds:
+ ceph-mds: runtime/default
+ ceph-init-dirs: runtime/default
+ ceph-mgr:
+ ceph-mgr: runtime/default
+ ceph-init-dirs: runtime/default
+ ceph-rbd-pool:
+ ceph-rbd-pool: runtime/default
+ init: runtime/default
+ ceph-client-bootstrap:
+ ceph-client-bootstrap: runtime/default
+ init: runtime/default
+ ceph-client-test:
+ ceph-cluster-helm-test: runtime/default
+ init: runtime/default
replicas:
mds: 1
mgr: 1
+ resources:
+ enabled: true
+ mds:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "2Gi"
+ cpu: "2000m"
+ mgr:
+ requests:
+ memory: "2Gi"
+ cpu: "2000m"
+ limits:
+ memory: "8Gi"
+ cpu: "4000m"
+ checkdns:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ image_repo_sync:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ rbd_pool:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ tests:
+ requests:
+ memory: "512Mi"
+ cpu: "500m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
jobs:
pool_checkPGs:
# Run once a month at midnight of the first day of the month
@@ -134,11 +206,20 @@ data:
# Skip new job if previous job still active
execPolicy: Forbid
startingDeadlineSecs: 60
+ rbd_pool:
+ restartPolicy: Never
conf:
features:
pg_autoscaler: false
+ cluster_flags:
+ set: "noup"
pool:
spec:
+ # Health metrics pool
+ - name: device_health_metrics
+ application: mgr_devicehealth
+ replication: 3
+ percent_total_data: 5
# RBD pool
- name: rbd
application: rbd
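Review bot: `cluster_flags.set: "noup"` in this document has no matching unset, so OSDs stay marked down after this release applies unless the other ceph-client document earlier in this diff (which carries `cluster_flags.unset: "noup"`) runs afterwards. If that second release is skipped or fails, any OSD restart in the meantime leaves the cluster degraded with no self-recovery. Record the dependency inline: `# Cleared by the follow-up ceph-client document (cluster_flags.unset: noup); OSDs stay down until it runs`. Note also that `pg_autoscaler: false` is retained here while the other document turns it on, so the two releases disagree on pool sizing until the second one lands.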
@@ -205,9 +286,13 @@ data:
osd: 1
pg_per_osd: 100
protected: true
- # Quota at 10000 to ensure that all pools have quotas greater
- # than the cluster's capacity. 1000 would get some to about 85%
- quota: 10000
+ # NOTE: 'quota' represents a scaler for effective capacity of cluster
+ # as a percent value. Setting it to anything more than 100 will mean
+ # that if all pools completely use their quotas, total data stored is
+ # more than capacity. For example quota at 10000 would ensure that
+ # EVERY pool can exceed cluster capacity. Set to 85 in order to maintain
+ # healthy state and allow data move in case of failures.
+ quota: 85
default:
# NOTE(alanmeadows): This is required ATM for bootstrapping a Ceph
# cluster with only one OSD. Depending on OSD targeting & site
@@ -220,6 +305,9 @@ data:
# cluster with only one OSD. Depending on OSD targeting & site
# configuration this can be changed.
osd_pool_default_size: 1
+ mon_pg_warn_min_per_osd: 0
+ mon_pg_warn_max_object_skew: 0
+
manifests:
cronjob_defragosds: false
dependencies:
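Review bot: `mon_pg_warn_max_object_skew: 0` is added here while this file keeps `pg_autoscaler: false`, which is exactly the combination the NOTE(st053q) in the other ceph-client document earlier in this diff says should not be used. Either this document should also enable the autoscaler, or the skew setting should stay at its default here and be zeroed only where the autoscaler is on. If this is a deliberate interim state until the other document applies, say so: `# Interim: skew warning silenced until the follow-up document enables pg_autoscaler`.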
diff --git a/global/software/charts/ucp/ceph/ceph-ingress.yaml b/global/software/charts/ucp/ceph/ceph-ingress.yaml
index f8fb117ca..fdb3d3861 100644
--- a/global/software/charts/ucp/ceph/ceph-ingress.yaml
+++ b/global/software/charts/ucp/ceph/ceph-ingress.yaml
@@ -3,8 +3,6 @@ schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: ucp-ceph-ingress
- labels:
- name: ucp-ceph-ingress-global
layeringDefinition:
abstract: false
layer: global
@@ -53,6 +51,14 @@ data:
node_selector_key: ucp-control-plane
node_selector_value: enabled
pod:
+ mandatory_access_control:
+ type: apparmor
+ ingress-error-pages:
+ init: runtime/default
+ ingress-error-pages: runtime/default
+ ingress-server:
+ init: runtime/default
+ ingress: runtime/default
replicas:
ingress: 2
error_page: 2
@@ -61,6 +67,9 @@ data:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 20m
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Frame-Options: deny";
dependencies:
- ucp-ingress-htk
...
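Review bot: The added snippet sets `X-XSS-Protection` and `X-Frame-Options` but not `X-Content-Type-Options: nosniff`, while the rgw ingress later in this diff sets `nosniff` and `X-Frame-Options` but not `X-XSS-Protection`; the two hardening sets should match. `X-XSS-Protection` is ignored or removed by current browsers and the supported equivalent of frame denial is `Content-Security-Policy: frame-ancestors 'none'`, so consider `more_set_headers "X-Content-Type-Options: nosniff";` and `more_set_headers "Content-Security-Policy: frame-ancestors 'none'";` alongside what is here. `configuration-snippet` also depends on the controller allowing snippet annotations (newer ingress-nginx releases default that off), which this document cannot verify on its own.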
diff --git a/global/software/charts/ucp/ceph/ceph-mon.yaml b/global/software/charts/ucp/ceph/ceph-mon.yaml
index 006e19940..adb91c3bf 100644
--- a/global/software/charts/ucp/ceph/ceph-mon.yaml
+++ b/global/software/charts/ucp/ceph/ceph-mon.yaml
@@ -54,7 +54,7 @@ metadata:
# Secrets
- dest:
- path: .values.conf.ceph.global.fsid
+ path: .values.conf.ceph.global.fsid
src:
schema: deckhand/Passphrase/v1
name: ceph_fsid
@@ -84,6 +84,42 @@ data:
labels:
release_group: clcp-ucp-ceph-mon
values:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-mon:
+ ceph-init-dirs: runtime/default
+ ceph-mon: runtime/default
+ ceph-log-ownership: runtime/default
+ ceph-mon-check:
+ ceph-mon: runtime/default
+ init: runtime/default
+ ceph-bootstrap:
+ ceph-bootstrap: runtime/default
+ init: runtime/default
+ ceph-storage-keys-generator:
+ ceph-storage-keys-generator: runtime/default
+ init: runtime/default
+ ceph-mon-keyring-generator:
+ ceph-mon-keyring-generator: runtime/default
+ init: runtime/default
+ ceph-mgr-keyring-generator:
+ init: runtime/default
+ ceph-mgr-keyring-generator: runtime/default
+ ceph-mds-keyring-generator:
+ init: runtime/default
+ ceph-mds-keyring-generator: runtime/default
+ ceph-osd-keyring-generator:
+ ceph-osd-keyring-generator: runtime/default
+ init: runtime/default
+ lifecycle:
+ upgrades:
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ mon:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
labels:
job:
node_selector_key: ucp-control-plane
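Review bot: `min_ready_seconds: 0` with `max_unavailable: 1` means a replaced mon pod counts as available the moment its readiness probe passes, presumably before it has rejoined quorum, so a rolling update can take the next mon down while the previous one is still catching up. For a three-monitor cluster that is one monitor away from losing quorum. A non-zero value such as `min_ready_seconds: 30` gives the new mon time to settle; whether 30 is enough depends on the probe this chart defines, which is outside this diff.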
@@ -103,6 +139,8 @@ data:
ceph:
global:
mon_data_avail_warn: 30
+ mon_pg_warn_min_per_osd: 0
+ mon_pg_warn_max_object_skew: 0
dependencies:
- ceph-htk
...
diff --git a/global/software/charts/ucp/ceph/ceph-osd.yaml b/global/software/charts/ucp/ceph/ceph-osd.yaml
index 16827c371..2ecf403a9 100644
--- a/global/software/charts/ucp/ceph/ceph-osd.yaml
+++ b/global/software/charts/ucp/ceph/ceph-osd.yaml
@@ -49,7 +49,7 @@ metadata:
# Secrets
- dest:
- path: .values.conf.ceph.global.fsid
+ path: .values.conf.ceph.global.fsid
src:
schema: deckhand/Passphrase/v1
name: ceph_fsid
@@ -62,11 +62,10 @@ data:
protected:
continue_processing: false
wait:
- timeout: 7200
+ timeout: 900
labels:
release_group: clcp-ucp-ceph-osd
- resources:
- - type: daemonset
+ resources: []
native:
enabled: false
install:
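Review bot: `resources: []` removes the daemonset from Armada's wait, so this release is reported successful as soon as the chart installs, regardless of whether any OSD pod is running; with `timeout: 900` the wait now only bounds hook execution. That is presumably deliberate given the `OnDelete` replacement strategy added below (a daemonset wait would otherwise block on pods that are never replaced), but it means later charts that need OSDs up no longer have that guaranteed by ordering. Record the intent: `# No daemonset wait: OSD pods use OnDelete and are rolled manually post-deploy`.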
@@ -79,18 +78,37 @@ data:
labels:
release_group: clcp-ucp-ceph-osd
component: test
+ - type: job
+ labels:
+ release_group: clcp-ucp-ceph-osd
+ component: post-apply
test:
- enabled: true
+ enabled: false
values:
+# Custom Apparmor Profile needs to be fixed in NC 2.2
pod:
mandatory_access_control:
type: apparmor
ceph-osd-default:
ceph-osd-default: unconfined
+ ceph-init-dirs: unconfined
+ ceph-log-ownership: unconfined
+ osd-init: unconfined
+ ceph-osd-test:
+ init: unconfined
+ ceph-cluster-helm-test: unconfined
+ ceph-osd-post-apply:
+ ceph-osd-post-apply: runtime/default
+ init: runtime/default
+ lifecycle:
+ upgrades:
+ daemonsets:
+ pod_replacement_strategy: OnDelete
deploy:
tool: "ceph-volume"
manifests:
cronjob_defragosds: false
+ job_post_apply: false
labels:
osd:
node_selector_key: ceph-osd
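Review bot: `unconfined` is now applied to the OSD init containers and to the helm-test pod (`ceph-osd-test`), not just the OSD daemon; the test pod is a plain ceph client with no visible need to run outside AppArmor, and tests are disabled anyway at `test.enabled: false`, so `runtime/default` there costs nothing. The `# Custom Apparmor Profile needs to be fixed in NC 2.2` comment should name what in the OSD container breaks under `runtime/default` so the follow-up can be scoped. Separately, the new wait entry for `component: post-apply` targets a job that `job_post_apply: false` prevents from being rendered; depending on the Armada version this either waits on nothing or fails with no resources found, so one of the two should change.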
@@ -120,9 +138,10 @@ data:
osd_crush_chooseleaf_type: 0
ceph:
osd:
- osd_op_num_threads_per_hdd: 2
- osd_op_num_threads_per_ssd: 4
+ osd_op_num_threads_per_shard_hdd: 1
+ osd_op_num_threads_per_shard_ssd: 2
osd_max_backfills: 10
+ osd_scrub_auto_repair: true
dependencies:
- ceph-htk
...
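Review bot: `osd_scrub_auto_repair: true` lets OSDs repair inconsistent PGs on their own after deep scrub, which also removes the damaged-PG health signal an operator would otherwise see; the authoritative replica is chosen heuristically, so on pools with few replicas a bad copy can be promoted silently. Ceph only auto-repairs up to `osd_scrub_auto_repair_num_errors` (default 5) per PG, so larger inconsistencies still surface, but the small ones that indicate flaky media no longer do. If this is wanted, add `# Auto-repair hides small scrub inconsistencies from health; alert on OSD scrub error counters separately` and confirm monitoring covers those counters.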
diff --git a/global/software/charts/ucp/ceph/ceph-provisioners-update.yaml b/global/software/charts/ucp/ceph/ceph-provisioners-update.yaml
index 805d65285..aa7cda076 100644
--- a/global/software/charts/ucp/ceph/ceph-provisioners-update.yaml
+++ b/global/software/charts/ucp/ceph/ceph-provisioners-update.yaml
@@ -88,6 +88,12 @@ data:
provisioner:
node_selector_key: ucp-control-plane
node_selector_value: enabled
+ csi_rbd_plugin:
+ node_selector_key: ceph-osd
+ node_selector_value: enabled
+ test:
+ node_selector_key: ceph-osd
+ node_selector_value: enabled
endpoints:
ceph_mon:
namespace: ceph
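Review bot: `csi_rbd_plugin` is pinned to nodes labelled `ceph-osd=enabled`, but the CSI node plugin has to run on every node that mounts an RBD volume, not where OSDs live; mariadb and postgresql in this same change are scheduled on `ucp-control-plane=enabled` and use PVCs. Unless every control-plane node also carries the `ceph-osd` label (not visible here), pods with RBD PVCs on other nodes will fail to attach. Use the selector the PVC-backed workloads use, or make the assumption explicit: `# Assumes every node that mounts RBD PVCs is also labelled ceph-osd=enabled`.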
@@ -96,9 +102,34 @@ data:
client_secrets: false
rbd_provisioner: true
cephfs_provisioner: false
+ csi: true
bootstrap:
enabled: true
pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-cephfs-provisioner:
+ ceph-cephfs-provisioner: runtime/default
+ init: runtime/default
+ ceph-cepfs-client-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ ceph-rbd-provisioner:
+ ceph-rbd-provisioner: runtime/default
+ init: runtime/default
+ ceph-provisioner-test:
+ init: runtime/default
+ ceph-provisioner-helm-test: runtime/default
+ ceph-rbd-csi-provisioner:
+ ceph-rbd-provisioner: runtime/default
+ init: runtime/default
+ ceph-rbd-snapshotter: runtime/default
+ ceph-rbd-attacher: runtime/default
+ csi-resizer: runtime/default
+ csi-rbdplugin: runtime/default
+ ceph-rbd-plugin:
+ driver-registrar: runtime/default
+ csi-rbdplugin: runtime/default
+ init: runtime/default
affinity:
anti:
type:
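Review bot: The pod key `ceph-cepfs-client-key-generator` is missing the `h` in `cephfs`; if the chart names that pod `ceph-cephfs-client-key-generator`, as the neighbouring keys suggest, this entry matches nothing and the key generator runs with no AppArmor annotation. The same spelling appears in the other provisioners document in this diff, so it may be copied from the chart's own template; check the rendered pod name before correcting it, and correct both documents together. With `cephfs_provisioner: false` the pod may not be rendered here at all, but the entry is dead either way. Separately, `csi: true` next to `rbd_provisioner: true` enables both RBD provisioning paths at once; if the legacy provisioner is being phased out, a comment saying which is authoritative would help.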
diff --git a/global/software/charts/ucp/ceph/ceph-provisioners.yaml b/global/software/charts/ucp/ceph/ceph-provisioners.yaml
index bf175fa28..674317b1a 100644
--- a/global/software/charts/ucp/ceph/ceph-provisioners.yaml
+++ b/global/software/charts/ucp/ceph/ceph-provisioners.yaml
@@ -50,7 +50,7 @@ metadata:
# Secrets
- dest:
- path: .values.conf.ceph.global.fsid
+ path: .values.conf.ceph.global.fsid
src:
schema: deckhand/Passphrase/v1
name: ceph_fsid
@@ -88,6 +88,12 @@ data:
provisioner:
node_selector_key: ucp-control-plane
node_selector_value: enabled
+ csi_rbd_plugin:
+ node_selector_key: ceph-osd
+ node_selector_value: enabled
+ test:
+ node_selector_key: ceph-osd
+ node_selector_value: enabled
endpoints:
ceph_mon:
namespace: ceph
@@ -96,12 +102,36 @@ data:
client_secrets: false
rbd_provisioner: true
cephfs_provisioner: false
+ csi: true
bootstrap:
enabled: true
pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-cephfs-provisioner:
+ ceph-cephfs-provisioner: runtime/default
+ init: runtime/default
+ ceph-cepfs-client-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ ceph-rbd-provisioner:
+ ceph-rbd-provisioner: runtime/default
+ init: runtime/default
+ ceph-rbd-csi-provisioner:
+ ceph-rbd-provisioner: runtime/default
+ init: runtime/default
+ ceph-rbd-snapshotter: runtime/default
+ ceph-rbd-attacher: runtime/default
+ csi-resizer: runtime/default
+ csi-rbdplugin: runtime/default
+ ceph-rbd-plugin:
+ driver-registrar: runtime/default
+ csi-rbdplugin: runtime/default
+ init: runtime/default
+ ceph-provisioner-test:
+ init: runtime/default
+ ceph-provisioner-helm-test: runtime/default
replicas:
rbd_provisioner: 1
-
conf:
ceph:
global:
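Review bot: `ceph-cepfs-client-key-generator` carries the same `cepfs` misspelling as the update document; if the chart's pod is spelled `cephfs` this AppArmor entry never applies. Verify the rendered pod name, then fix both documents in one change so they stay identical. The `csi: true` plus `rbd_provisioner: true` pairing here likewise runs two provisioners; a one-line comment on which one owns new PVCs would save operators a lookup.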
diff --git a/global/software/charts/ucp/ceph/ceph-rgw.yaml b/global/software/charts/ucp/ceph/ceph-rgw.yaml
index 14dc15bad..cf2473546 100644
--- a/global/software/charts/ucp/ceph/ceph-rgw.yaml
+++ b/global/software/charts/ucp/ceph/ceph-rgw.yaml
@@ -136,6 +136,27 @@ data:
bootstrap:
enabled: false
pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-rgw:
+ init: runtime/default
+ ceph-rgw: runtime/default
+ ceph-init-dirs: runtime/default
+ ceph-rgw-init: runtime/default
+ ceph-rgw-bootstrap:
+ ceph-keyring-placement: runtime/default
+ init: runtime/default
+ ceph-rgw-bootstrap: runtime/default
+ ceph-rgw-storage-init:
+ ceph-keyring-placement: runtime/default
+ init: runtime/default
+ ceph-rgw-storage-init: runtime/default
+ ceph-rgw-s3-admin:
+ ceph-keyring-placement: runtime/default
+ init: runtime/default
+ create-s3-admin: runtime/default
+ ceph-rgw-test:
+ ceph-rgw-ks-validation: runtime/default
affinity:
anti:
type:
@@ -146,12 +167,22 @@ data:
rgw_ks:
enabled: true
config:
- rgw_keystone_accepted_roles: "admin, _member_, member"
+ rgw_keystone_accepted_roles: "admin, member, swift_pool_ro, swift_pool_admin, swift_admin"
ceph_client:
configmap: ceph-etc
secrets:
keyrings:
admin: pvc-ceph-client-key
+ network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "0"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-Content-Type-Options: nosniff";
+ more_set_headers "X-Frame-Options: deny";
dependencies:
- ceph-htk
...
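Review bot: `nginx.ingress.kubernetes.io/rewrite-target: /` on ingress-nginx 0.22 and later rewrites every matched path to `/` unless the ingress path is a regex with a capture group, which would turn `/bucket/object` requests into `/` and break S3 and Swift paths; if the chart's ingress path is a plain prefix this annotation should be dropped. `proxy-body-size: "0"` removes the request-size ceiling entirely, which large objects need but which also removes the one cheap upload-DoS guard at the edge; if RGW's own `rgw_max_put_size` is relied on instead, say so in a comment. The accepted roles now add `swift_pool_ro`, `swift_pool_admin` and `swift_admin` and drop `_member_`, so any existing Keystone user holding only `_member_` loses object-store access; fine if intended, but worth a note next to the line.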
diff --git a/global/software/charts/ucp/core/ingress.yaml b/global/software/charts/ucp/core/ingress.yaml
index 8ed26f7de..f09198b6e 100644
--- a/global/software/charts/ucp/core/ingress.yaml
+++ b/global/software/charts/ucp/core/ingress.yaml
@@ -53,6 +53,14 @@ data:
node_selector_key: ucp-control-plane
node_selector_value: enabled
pod:
+ mandatory_access_control:
+ type: apparmor
+ ingress-error-pages:
+ init: runtime/default
+ ingress-error-pages: runtime/default
+ ingress-server:
+ init: runtime/default
+ ingress: runtime/default
affinity:
anti:
type:
@@ -65,5 +73,8 @@ data:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 20m
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Frame-Options: deny";
dependencies:
- ucp-ingress-htk
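Review bot: This header set omits `X-Content-Type-Options: nosniff`, which the rgw ingress in this same change adds, and `X-XSS-Protection` is a legacy header that current browsers ignore; keep the hardening sets consistent across ingresses. Add `more_set_headers "X-Content-Type-Options: nosniff";` here, and consider `Content-Security-Policy: frame-ancestors 'none'` as the supported equivalent of `X-Frame-Options: deny`.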
diff --git a/global/software/charts/ucp/core/mariadb.yaml b/global/software/charts/ucp/core/mariadb.yaml
index c14b8c526..3249a37f2 100644
--- a/global/software/charts/ucp/core/mariadb.yaml
+++ b/global/software/charts/ucp/core/mariadb.yaml
@@ -39,6 +39,7 @@ metadata:
path: .ucp.prometheus_mysql_exporter
dest:
path: .values.endpoints.prometheus_mysql_exporter
+
# Accounts
- src:
schema: pegleg/AccountCatalogue/v1
@@ -103,6 +104,15 @@ metadata:
name: ucp_oslo_db_exporter_password
path: .
+ # Forming the container name for database backups to go into
+ - dest:
+ - path: .values.conf.backup.remote_backup.container_name
+ pattern: DOMAIN
+ src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.ingress_domain
+
data:
chart_name: ucp-mariadb
release: ucp-mariadb
@@ -129,6 +139,15 @@ data:
size: 30Gi
backup:
size: 50Gi
+ conf:
+ backup:
+ enabled: true
+ days_to_keep: 3
+ remote_backup:
+ enabled: true
+ container_name: DOMAIN
+ days_to_keep: 14
+ storage_policy: ncbackup_pt
monitoring:
prometheus:
enabled: true
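Review bot: `remote_backup.enabled: true` ships full MariaDB dumps to a Swift container named after the ingress domain, and those dumps presumably contain every service database in this control plane; nothing here indicates whether the dumps are encrypted before upload or what the container's read ACL is. The `job_ks_user: false` comment below says the backup user pre-exists; confirm it is scoped to that one container rather than holding a broader Swift role. A note such as `# Dumps are uploaded as produced; container ACL and backup-user scope are enforced outside this chart` would make the trust assumption explicit.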
@@ -146,6 +165,36 @@ data:
node_selector_key: ucp-control-plane
node_selector_value: enabled
pod:
+ security_context:
+ server:
+ container:
+ mariadb:
+ allowPrivilegeEscalation: false
+ mandatory_access_control:
+ type: apparmor
+ mariadb-ingress-error-pages:
+ init: runtime/default
+ ingress-error-pages: runtime/default
+ mariadb-ingress:
+ init: runtime/default
+ ingress: runtime/default
+ mariadb-server:
+ init: runtime/default
+ mariadb-perms: runtime/default
+ mariadb: runtime/default
+ mariadb-backup:
+ init: runtime/default
+ backup-perms: runtime/default
+ mariadb-backup: runtime/default
+ mariadb-test:
+ init: runtime/default
+ mariadb-test: runtime/default
+ prometheus-mysql-exporter:
+ init: runtime/default
+ mysql-exporter: runtime/default
+ create-sql-user:
+ init: runtime/default
+ exporter-create-sql-user: runtime/default
affinity:
anti:
type:
@@ -154,8 +203,14 @@ data:
server: 1
ingress: 1
manifests:
+ # Enable automated backups
cron_job_mariadb_backup: true
+ # Not needing to create a keystone user - it should already be created on CH
+ job_ks_user: false
+ # Backing up to local PVC in addition to CH backups
pvc_backup: true
+ # Enable backup/restore secrets
+ secret_backup_restore: true
dependencies:
- mariadb-htk
...
diff --git a/global/software/charts/ucp/core/postgresql.yaml b/global/software/charts/ucp/core/postgresql.yaml
index d4ebb4a43..6e7649e98 100644
--- a/global/software/charts/ucp/core/postgresql.yaml
+++ b/global/software/charts/ucp/core/postgresql.yaml
@@ -26,14 +26,6 @@ metadata:
dest:
path: .values.images.tags
- # PostgreSQL log level
- - src:
- schema: nc/CorridorConfig/v1
- name: corridor-config
- path: .airship.log_level
- dest:
- path: .values.conf.postgresql.logging.log_level
-
# Endpoints
- src:
schema: pegleg/EndpointCatalogue/v1
@@ -61,12 +53,6 @@ metadata:
path: .ucp.postgres.admin
dest:
path: .values.endpoints.postgresql.auth.admin
- - src:
- schema: pegleg/AccountCatalogue/v1
- name: ucp_service_accounts
- path: .ucp.postgres.replica
- dest:
- path: .values.endpoints.postgresql.auth.replica
- src:
schema: pegleg/AccountCatalogue/v1
name: ucp_service_accounts
@@ -79,12 +65,6 @@ metadata:
path: .ucp.prometheus_postgresql_exporter.user
dest:
path: .values.endpoints.prometheus_postgresql_exporter.auth.user
- - src:
- schema: pegleg/AccountCatalogue/v1
- name: ucp_service_accounts
- path: .ucp.postgres.replica.username
- dest:
- path: .values.secrets.pki.replication.hosts.names[0]
- src:
schema: pegleg/AccountCatalogue/v1
name: ucp_service_accounts
@@ -99,12 +79,6 @@ metadata:
schema: deckhand/Passphrase/v1
name: ucp_postgres_admin_password
path: .
- - dest:
- path: .values.endpoints.postgresql.auth.replica.password
- src:
- schema: deckhand/Passphrase/v1
- name: ucp_postgres_replica_password
- path: .
- dest:
path: .values.endpoints.postgresql.auth.exporter.password
src:
@@ -123,20 +97,6 @@ metadata:
schema: deckhand/Passphrase/v1
name: ucp_postgres_audit_password
path: .
- - dest:
- - path: .values.secrets.pki.replication.ca.crt
- - path: .values.secrets.pki.server.ca.crt
- src:
- schema: deckhand/CertificateAuthority/v1
- name: patroni-replication
- path: .
- - dest:
- - path: .values.secrets.pki.replication.ca.key
- - path: .values.secrets.pki.server.ca.key
- src:
- schema: deckhand/CertificateAuthorityKey/v1
- name: patroni-replication
- path: .
# POD IPs
- src:
@@ -146,6 +106,15 @@ metadata:
dest:
path: .values.secrets.pki.pod_cidr
+ # Forming the container name for database backups to go into
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .dns.ingress_domain
+ dest:
+ - path: .values.conf.backup.remote_backup.container_name
+ pattern: DOMAIN
+
data:
chart_name: ucp-postgresql
release: ucp-postgresql
@@ -167,11 +136,30 @@ data:
- type: job
labels:
release_group: clcp-ucp-postgresql
+ - type: cronjob
+ labels:
+ release_group: clcp-ucp-postgresql
create: []
post:
create: []
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ postgresql:
+ postgresql: runtime/default
+ set-volume-perms: runtime/default
+ init: runtime/default
+ postgresql-backup:
+ postgresql-backup: runtime/default
+ backup-perms: runtime/default
+ init: runtime/default
+ prometheus-postgresql-exporter:
+ postgresql-exporter: runtime/default
+ init: runtime/default
+ prometheus-postgresql-exporter-create-user:
+ prometheus-postgresql-exporter-create-user: runtime/default
+ init: runtime/default
affinity:
anti:
type:
@@ -188,8 +176,44 @@ data:
postgresql:
max_connections: 1000
shared_buffers: 2GB
+ log_connections: 'off'
+ log_disconnections: 'off'
+ # disable archiving
+ archive_mode: 'off'
+ # disable wal senders (required with wal_level minimal)
+ max_wal_senders: 0
+ # to avoid filling up pgdata/pg_xlog, limit to 32 wal files (16 MB each), i.e. 512MB
+ max_wal_size: 32
+ # to avoid filling up pgdata/pg_commit_ts, don't track commit timestamps
+ track_commit_timestamp: 'off'
+ # don't explicitly force a minimum # of wal files to keep
+ wal_keep_segments: 0
+ # retain enough data to recover from a crash or immediate shutdown
+ wal_level: minimal
+ # don't force writes for hint bit modifications
+ wal_log_hints: 'off'
+ pg_hba: |
+ host all all 127.0.0.1/32 trust
+ host all postgresql-admin 0.0.0.0/0 md5
+ host all postgres 0.0.0.0/0 md5
+ host all psql_exporter 0.0.0.0/0 md5
+ host postgres postgresql_exporter 0.0.0.0/0 md5
+ host deckhand deckhand 0.0.0.0/0 md5
+ host maasdb maas 0.0.0.0/0 md5
+ host airflow airflow 0.0.0.0/0 md5
+ host shipyard shipyard 0.0.0.0/0 md5
+ host drydock drydock 0.0.0.0/0 md5
+ local all all trust
+ host all all 0.0.0.0/0 reject
backup:
- pg_dumpall_options: --inserts
+ pg_dumpall_options: '--inserts --clean'
+ enabled: true
+ days_to_keep: 3
+ remote_backup:
+ enabled: true
+ container_name: DOMAIN
+ days_to_keep: 14
+ storage_policy: ncbackup_pt
development:
enabled: false
labels:
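Review bot: `host all all 127.0.0.1/32 trust` and `local all all trust` let any process that reaches the loopback or the Unix socket, including the exporter sidecar and anyone who execs into the pod, log in as `postgres` with no password, and `log_connections`/`log_disconnections` are switched off at the same time, so those logins leave no trace. If the trust rules exist for the chart's own init scripts, narrow them to the users those scripts need (`local all postgres peer` style), keep connection logging on, and move the remote rules from `md5` to `scram-sha-256` if the PostgreSQL version in use supports it. Separately, the comment at `max_wal_size: 32` assumes 16 MB segments, which holds only for PostgreSQL 9.6 and earlier; from 10 on the unit is MB, so this caps WAL at 32 MB and forces very frequent checkpoints — write it as `max_wal_size: '512MB'` to be unambiguous.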
@@ -206,8 +230,14 @@ data:
node_selector_key: ucp-control-plane
node_selector_value: enabled
manifests:
+ # Enable automated backups
cron_job_postgresql_backup: true
+ # Not needing to create a keystone user - it should already be created on CH
+ job_ks_user: false
+ # Still backing up to local PVC in addition to CH backups
pvc_backup: true
+ # Enable backup/restore secrets
+ secret_backup_restore: true
secrets:
pki:
server:
diff --git a/global/software/charts/ucp/core/rabbitmq.yaml b/global/software/charts/ucp/core/rabbitmq.yaml
index a0843b5c2..023126469 100644
--- a/global/software/charts/ucp/core/rabbitmq.yaml
+++ b/global/software/charts/ucp/core/rabbitmq.yaml
@@ -86,12 +86,44 @@ data:
volume:
size: 5Gi
pod:
+ mandatory_access_control:
+ type: apparmor
+ rabbitmq-cluster-wait:
+ init: runtime/default
+ rabbitmq-cookie: runtime/default
+ rabbitmq-rabbitmq-cluster-wait: runtime/default
+ rabbitmq:
+ init: runtime/default
+ rabbitmq-password: runtime/default
+ rabbitmq-cookie: runtime/default
+ rabbitmq-perms: runtime/default
+ rabbitmq: runtime/default
+ prometheus-rabbitmq-exporter:
+ init: runtime/default
+ rabbitmq-exporter: runtime/default
+ rabbitmq-rabbitmq-test:
+ rabbitmq-rabbitmq-test: runtime/default
+ init: runtime/default
affinity:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
replicas:
server: 1
+ resources:
+ enabled: true
+ server:
+ requests:
+ memory: "8192Mi"
+ cpu: "12000m"
+ limits:
+ memory: "8192Mi"
+ cpu: "12000m"
+ security_context:
+ server:
+ container:
+ rabbitmq:
+ allowPrivilegeEscalation: false
labels:
server:
node_selector_key: ucp-control-plane
diff --git a/global/software/charts/ucp/deckhand/barbican.yaml b/global/software/charts/ucp/deckhand/barbican.yaml
index 6f3597b3b..9286bc0d7 100644
--- a/global/software/charts/ucp/deckhand/barbican.yaml
+++ b/global/software/charts/ucp/deckhand/barbican.yaml
@@ -127,6 +127,12 @@ metadata:
schema: deckhand/Passphrase/v1
name: ucp_oslo_messaging_password
path: .
+ - dest:
+ path: .values.conf.barbican.simple_crypto_plugin.kek
+ src:
+ schema: deckhand/Passphrase/v1
+ name: ucp_barbican_kek
+ path: .
data:
chart_name: ucp-barbican
release: ucp-barbican
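Review bot: The `ucp_barbican_kek` passphrase substituted here wraps every secret Barbican stores, so it must be handled differently from a service password: it cannot be rotated by regenerating the document (existing secrets become undecryptable) and it has to be a base64-encoded 32-byte Fernet key, which a generic passphrase generator will not necessarily produce. Confirm the Passphrase document is stored with an encrypted storagePolicy and generated in the right format, and add next to the substitution: `# KEK wraps all Barbican secrets; never regenerate after first deploy`.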
@@ -151,11 +157,14 @@ data:
post:
create: []
values:
+ helm3_hook: false
conf:
barbican:
DEFAULT:
max_allowed_request_size_in_bytes: 256000
max_allowed_secret_in_bytes: 256000
+ simple_crypto_plugin:
+ kek: ""
policy:
secret_project_match: project_id:%(target.secret.project_id)s
secret_creator_user: user_id:%(target.secret.creator_id)s
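Review bot: `simple_crypto_plugin.kek: ""` is the value that stands if the substitution into `.values.conf.barbican.simple_crypto_plugin.kek` does not land, and what happens then depends on how the chart renders an empty string; if the key is emitted empty or omitted, Barbican's simple_crypto_plugin falls back to its published built-in default KEK. A placeholder that fails loudly, or a comment stating the value is always overridden by the substitution above, would be safer than a silent empty default. `helm3_hook: false` is also added without explanation; a one-line reason for disabling Helm 3 hook handling on this chart would help the next reader.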
@@ -231,10 +240,14 @@ data:
node_selector_key: ucp-control-plane
node_selector_value: enabled
pod:
- apparmor:
- barbican:
- barbican: localhost/docker-default
- init: localhost/docker-default
+ mandatory_access_control:
+ type: apparmor
+ barbican-api:
+ barbican-api: runtime/default
+ init: runtime/default
+ barbican-test:
+ init: runtime/default
+ barbican-test: runtime/default
affinity:
anti:
type:
diff --git a/global/software/charts/ucp/deckhand/deckhand.yaml b/global/software/charts/ucp/deckhand/deckhand.yaml
index 6e6f3520e..63d0c14f4 100644
--- a/global/software/charts/ucp/deckhand/deckhand.yaml
+++ b/global/software/charts/ucp/deckhand/deckhand.yaml
@@ -154,6 +154,19 @@ data:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
+ mandatory_access_control:
+ type: apparmor
+ deckhand-api:
+ init: runtime/default
+ deckhand-api: runtime/default
+ deckhand-db-init:
+ init: runtime/default
+ deckhand-db-init: runtime/default
+ deckhand-db-sync:
+ init: runtime/default
+ deckhand-db-sync: runtime/default
+ deckhand-api-test:
+ deckhand-api-test: runtime/default
replicas:
deckhand: 1
security_context:
diff --git a/global/software/charts/ucp/drydock/drydock.yaml b/global/software/charts/ucp/drydock/drydock.yaml
index bf29f3d5c..2654e702b 100644
--- a/global/software/charts/ucp/drydock/drydock.yaml
+++ b/global/software/charts/ucp/drydock/drydock.yaml
@@ -144,6 +144,21 @@ data:
# TODO(sh8121): Refactor chart to support stricter security
# but still support libvirt+ssh for virtual testing
pod:
+ mandatory_access_control:
+ type: apparmor
+ drydock-api:
+ init: runtime/default
+ drydock-api: runtime/default
+ drydock-db-init:
+ init: runtime/default
+ drydock-db-init: runtime/default
+ drydock-db-sync:
+ init: runtime/default
+ drydock-db-sync: runtime/default
+ drydock-api-test:
+ drydock-api-test: runtime/default
+ drydock-auth-test:
+ drydock-auth-test: runtime/default
security_context:
drydock:
pod:
@@ -156,8 +171,9 @@ data:
ingress:
annotations:
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
- classes:
- cluster: "maas-ingress"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Frame-Options: deny";
drydock:
node_port:
enabled: false
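Review bot: Removing `classes.cluster: "maas-ingress"` moves the drydock ingress off the MAAS ingress controller onto whatever class the chart defaults to, presumably the general ucp ingress; the maas chart later in this diff still deploys `maas-ingress`, so this reads as an intentional split but nothing records it. If nodes being provisioned reach drydock through the MAAS VIP during bootstrap, that path needs re-checking after this change. A comment such as `# drydock is served by the default ucp ingress class, no longer by maas-ingress` would capture the decision.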
@@ -166,6 +182,8 @@ data:
threads: 1
workers: 1
drydock:
+ DEFAULT:
+ poll_interval: 30
database:
pool_size: 200
plugins:
diff --git a/global/software/charts/ucp/drydock/maas.yaml b/global/software/charts/ucp/drydock/maas.yaml
index 4f1f5ed08..cc2a3252c 100644
--- a/global/software/charts/ucp/drydock/maas.yaml
+++ b/global/software/charts/ucp/drydock/maas.yaml
@@ -51,6 +51,12 @@ metadata:
path: .
dest:
path: .values.secrets.maas_region.value
+ - src:
+ schema: nc/CorridorConfig/v1
+ name: corridor-config
+ path: .airship.log_level
+ dest:
+ path: .values.conf.syslog.log_level
# Endpoint substitutions
- src:
@@ -147,6 +153,43 @@ data:
release_group: clcp-maas
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ maas-rack:
+ maas-rack: runtime/default
+ init: runtime/default
+ maas-region:
+ maas-region: runtime/default
+ maas-cache: runtime/default
+ init: runtime/default
+ maas-syslog:
+ syslog: runtime/default
+ logrotate: runtime/default
+ init: runtime/default
+ maas-ingress:
+ maas-ingress-vip: runtime/default
+ maas-ingress: runtime/default
+ init: runtime/default
+ maas-ingress-vip-init: runtime/default
+ maas-ingress-errors:
+ maas-ingress-errors: runtime/default
+ maas-bootstrap-admin-user:
+ maas-bootstrap-admin-user: runtime/default
+ init: runtime/default
+ maas-db-init:
+ maas-db-init: runtime/default
+ init: runtime/default
+ maas-db-sync:
+ maas-db-sync: runtime/default
+ init: runtime/default
+ maas-export-api-key:
+ exporter: runtime/default
+ init: runtime/default
+ maas-import-resources:
+ region-import-resources: runtime/default
+ init: runtime/default
+ maas-api-test:
+ maas-api-test: runtime/default
affinity:
anti:
type:
@@ -171,7 +214,12 @@ data:
enabled: false
conf:
cache:
- enabled: false
+ enabled: true
+ cloudconfig:
+ override: true
+ sections:
+ bootcmd:
+ - "rm -fr /var/lib/apt/lists"
maas:
credentials:
secret:
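Review bot: `cloudconfig.override: true` replaces rather than extends the chart's default cloud-config, if `override` means what its name suggests, so any `bootcmd`/`runcmd` the chart previously injected is gone and only `rm -fr /var/lib/apt/lists` remains. The hunk should say why the apt lists are cleared on first boot (stale indexes baked into the image versus the cache enabled just above, presumably) and what default content is being dropped. Suggested comment above `override`: `# Replaces the chart's default cloud-config; only the apt index cleanup is kept so nodes fetch fresh lists through the cache`.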
@@ -189,6 +237,14 @@ data:
default_os: 'ubuntu'
default_image: 'bionic'
default_kernel: 'ga-18.04'
+ force_gpt: true
+ extra_settings:
+ # disable network discovery completely
+ network_discovery: disabled
+ active_discovery_interval: 0
+ # disable creation of root account with default password
+ system_user: null
+ system_passwd: null
dependencies:
- maas-htk
...
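Review bot: `system_user: null` and `system_passwd: null` only prevent the default account if the chart's template treats a YAML null as unset; a template that renders the value directly would emit `<no value>` or an empty string, and a Deckhand layer merge may drop the keys entirely, leaving whatever default the chart carries in effect. Verify the rendered MAAS settings after deployment rather than relying on the comment alone. If the chart supports it, an explicit empty string or a template guard is less ambiguous than null; at minimum extend the comment: `# null relies on the template skipping unset keys; verify rendered output`.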
diff --git a/global/software/charts/ucp/promenade/promenade.yaml b/global/software/charts/ucp/promenade/promenade.yaml
index 3455979ee..b97dabe2a 100644
--- a/global/software/charts/ucp/promenade/promenade.yaml
+++ b/global/software/charts/ucp/promenade/promenade.yaml
@@ -34,13 +34,6 @@ metadata:
dest:
path: .values.images.tags.monitoring_image
- - src:
- schema: pegleg/SoftwareVersions/v1
- name: software-versions
- path: .images.kubernetes.hyperkube
- dest:
- path: .values.images.tags.hyperkube
-
# Endpoints
- src:
@@ -118,6 +111,14 @@ data:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
+ mandatory_access_control:
+ type: apparmor
+ promenade-api:
+ promenade-util: runtime/default
+ promenade-api: runtime/default
+ promenade:
+ init: runtime/default
+ promenade-api-test: runtime/default
replicas:
api: 1
security_context:
diff --git a/global/software/charts/ucp/shipyard/shipyard.yaml b/global/software/charts/ucp/shipyard/shipyard.yaml
index f43e61c1a..bf58726b5 100644
--- a/global/software/charts/ucp/shipyard/shipyard.yaml
+++ b/global/software/charts/ucp/shipyard/shipyard.yaml
@@ -276,6 +276,38 @@ data:
anti:
type:
default: requiredDuringSchedulingIgnoredDuringExecution
+ mandatory_access_control:
+ type: apparmor
+ shipyard-api:
+ init: runtime/default
+ shipyard-api: runtime/default
+ airflow-web: runtime/default
+ airflow-worker:
+ init: runtime/default
+ worker-perms: runtime/default
+ airflow-worker: runtime/default
+ airflow-scheduler: runtime/default
+ airflow-logrotate: runtime/default
+ airflow-scheduler:
+ init: runtime/default
+ airflow-scheduler: runtime/default
+ shipyard-db-auxiliary:
+ init: runtime/default
+ shipyard-db-auxiliary: runtime/default
+ shipyard-db-init:
+ init: runtime/default
+ shipyard-db-init: runtime/default
+ shipyard-db-sync:
+ init: runtime/default
+ shipyard-db-sync: runtime/default
+ airflow-db-init:
+ init: runtime/default
+ airflow-db-init: runtime/default
+ airflow-db-sync:
+ init: runtime/default
+ airflow-db-sync: runtime/default
+ shipyard-api-test:
+ shipyard-api-test: runtime/default
replicas:
shipyard:
api: 1
@@ -293,6 +325,9 @@ data:
ingress:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Frame-Options: deny";
airflow:
web:
enable_node_port: false
@@ -300,6 +335,8 @@ data:
shipyard:
keystone_authtoken:
memcache_security_strategy: None
+ requests_config:
+ deckhand_client_read_timeout: 300
rabbitmq:
# adding rmq policy to mirror messages from celery queues
# TODO: the vhost should be sourced from the same place as the config of the queue (endpoints)
diff --git a/global/software/charts/ucp/ucp-openstack-exporter/prometheus-openstack-exporter.yaml b/global/software/charts/ucp/ucp-openstack-exporter/prometheus-openstack-exporter.yaml
index f0cb6aacc..29feccf6f 100644
--- a/global/software/charts/ucp/ucp-openstack-exporter/prometheus-openstack-exporter.yaml
+++ b/global/software/charts/ucp/ucp-openstack-exporter/prometheus-openstack-exporter.yaml
@@ -84,6 +84,14 @@ data:
release_group: clcp-ucp-prometheus-openstack-exporter
values:
pod:
+ mandatory_access_control:
+ type: apparmor
+ prometheus-openstack-exporter:
+ openstack-metrics-exporter: runtime/default
+ init: runtime/default
+ prometheus-openstack-exporter-ks-user:
+ prometheus-openstack-exporter-ks-user: runtime/default
+ init: runtime/default
resources:
enabled: true
prometheus_openstack_exporter:
diff --git a/global/software/charts/utilities/chart-group.yaml b/global/software/charts/utilities/chart-group.yaml
index 9e67ecca1..38f686303 100644
--- a/global/software/charts/utilities/chart-group.yaml
+++ b/global/software/charts/utilities/chart-group.yaml
@@ -18,6 +18,5 @@ data:
- compute-utility
- etcdctl-utility
- mysqlclient-utility
- - ncct-utility
- openstack-utility
- postgresql-utility
diff --git a/global/software/charts/utilities/ncct-utility.yaml b/global/software/charts/utilities/ncct-utility.yaml
deleted file mode 100644
index b17c3f209..000000000
--- a/global/software/charts/utilities/ncct-utility.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
----
-schema: armada/Chart/v1
-metadata:
- schema: metadata/Document/v1
- name: ncct-utility
- layeringDefinition:
- abstract: false
- layer: global
- labels:
- name: ncct-utility-global
- component: utility
- storagePolicy: cleartext
- substitutions:
- # Chart source
- - src:
- schema: pegleg/SoftwareVersions/v1
- name: software-versions
- path: .charts.utility.ncct-utility
- dest:
- path: .source
- # Images
- - src:
- schema: pegleg/SoftwareVersions/v1
- name: software-versions
- path: .images.utility.ncct-utility
- dest:
- path: .values.images.tags
- # Location corridor
- - src:
- schema: nc/CorridorConfig/v1
- name: corridor-config
- path: .utility.always_log_user
- dest:
- path: .values.conf.utility.always_log_user
-data:
- chart_name: ncct-utility
- release: ncct-utility
- namespace: utility
- protected:
- continue_processing: false
- wait:
- timeout: 600
- labels:
- release_group: clcp-ncct-utility
- install:
- no_hooks: false
- upgrade:
- no_hooks: false
- values:
- labels:
- utility:
- node_selector_key: utility
- node_selector_value: enabled
- manifests:
- configmap_bin: true
- configmap_ncct_etc: true
- deployment_ncct_utility: true
- job_image_repo_sync: false
-...
diff --git a/global/software/config/versions.yaml b/global/software/config/versions.yaml
index 4b91084ea..1c225e224 100644
--- a/global/software/config/versions.yaml
+++ b/global/software/config/versions.yaml
@@ -79,7 +79,7 @@ data:
kubernetes:
apiserver:
location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/apiserver
type: git
apiserver-htk:
@@ -110,62 +110,32 @@ data:
type: git
controller-manager:
location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/controller_manager
type: git
controller-manager-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 844d2cd16d865df1779524a0623503a6c92e12ec
+ reference: 96b751465abac477517e9ec2f7fca0b64c9dd22a
subpath: helm-toolkit
type: git
coredns:
location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/coredns
type: git
coredns-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 844d2cd16d865df1779524a0623503a6c92e12ec
+ reference: 96b751465abac477517e9ec2f7fca0b64c9dd22a
subpath: helm-toolkit
type: git
etcd:
location: https://opendev.org/airship/promenade
- reference: c83f7b8a3e2a61c76422c75a163260e56817852a
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/etcd
type: git
etcd-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 844d2cd16d865df1779524a0623503a6c92e12ec
- subpath: helm-toolkit
- type: git
- haproxy:
- location: https://opendev.org/airship/promenade
- reference: 9db70cea913443855578736d0d640989c8453b5e
- subpath: charts/haproxy
- type: git
- haproxy-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 844d2cd16d865df1779524a0623503a6c92e12ec
- subpath: helm-toolkit
- type: git
- ingress:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 781e65ac5dde325b3771859c41709633cff32a42
- subpath: ingress
- type: git
- ingress-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 3dd0eb0cdf54387447f07a4ec6be9582c457a1a8
- subpath: helm-toolkit
- type: git
- proxy:
- location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
- subpath: charts/proxy
- type: git
- proxy-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 844d2cd16d865df1779524a0623503a6c92e12ec
+ reference: 96b751465abac477517e9ec2f7fca0b64c9dd22a
subpath: helm-toolkit
type: git
falco:
@@ -178,9 +148,39 @@ data:
reference: 22ef25ab295d6b7c6797cfffaa77cf181c673e9b
subpath: helm-toolkit
type: git
+ haproxy:
+ location: https://opendev.org/airship/promenade
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
+ subpath: charts/haproxy
+ type: git
+ haproxy-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 96b751465abac477517e9ec2f7fca0b64c9dd22a
+ subpath: helm-toolkit
+ type: git
+ ingress:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: f08d30df6b871044135534eedf76c8f2760d9923
+ subpath: ingress
+ type: git
+ ingress-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 3dd0eb0cdf54387447f07a4ec6be9582c457a1a8
+ subpath: helm-toolkit
+ type: git
+ proxy:
+ location: https://opendev.org/airship/promenade
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
+ subpath: charts/proxy
+ type: git
+ proxy-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 844d2cd16d865df1779524a0623503a6c92e12ec
+ subpath: helm-toolkit
+ type: git
scheduler:
location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/scheduler
type: git
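Review bot: `proxy-htk` is re-added with the old helm-toolkit commit `844d2cd16d865df1779524a0623503a6c92e12ec` while its sibling `haproxy-htk` in the same hunk, and the other promenade-paired `*-htk` entries updated earlier in this file (`controller-manager-htk`, `coredns-htk`, `etcd-htk`), move to `96b751465abac477517e9ec2f7fca0b64c9dd22a`. If that is an oversight rather than a deliberate pin, `reference: 96b751465abac477517e9ec2f7fca0b64c9dd22a` on the `proxy-htk` entry would keep the promenade charts on one toolkit revision; if it is deliberate, a one-line comment above `proxy-htk` saying why it stays back would stop the next bump from "fixing" it.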
scheduler-htk:
@@ -191,12 +191,12 @@ data:
osh:
barbican:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 9bdd4fe96f46e3a4fb30ae7910dd970ca0a82c76
subpath: barbican
type: git
cinder:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 2002b9368dc8f3f9d9737803c147534ae3e5258c
subpath: cinder
type: git
cinder-htk:
@@ -206,7 +206,7 @@ data:
type: git
glance:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 2002b9368dc8f3f9d9737803c147534ae3e5258c
subpath: glance
type: git
glance-htk:
@@ -216,7 +216,7 @@ data:
type: git
heat:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 4aa7a3026706758d22dc3e7002a2a0bffcfd84ea
subpath: heat
type: git
heat-htk:
@@ -231,7 +231,7 @@ data:
type: git
horizon:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 4aa7a3026706758d22dc3e7002a2a0bffcfd84ea
subpath: horizon
type: git
horizon-htk:
@@ -241,7 +241,7 @@ data:
type: git
ingress:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 781e65ac5dde325b3771859c41709633cff32a42
+ reference: f08d30df6b871044135534eedf76c8f2760d9923
subpath: ingress
type: git
ingress-htk:
@@ -251,7 +251,7 @@ data:
type: git
keystone:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 28d0a56e46129276559a4ddb2dea32c35b10b58e
subpath: keystone
type: git
keystone-htk:
@@ -261,7 +261,7 @@ data:
type: git
libvirt:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 781e65ac5dde325b3771859c41709633cff32a42
+ reference: 167b9eb1a8f063174864bd9d12f327d8f0c34885
subpath: libvirt
type: git
libvirt-htk:
@@ -271,7 +271,7 @@ data:
type: git
mariadb:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: b482b57e6ea85eceef02787cb2e8eb884cceb80c
+ reference: 6dd39da6ad7ffd744ecff423e99637aadd9c0414
subpath: mariadb
type: git
mariadb-htk:
@@ -281,7 +281,7 @@ data:
type: git
memcached:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 781e65ac5dde325b3771859c41709633cff32a42
+ reference: c60c138777edc0cc35ccb7fcd8a13b57093a7ee1
subpath: memcached
type: git
memcached-htk:
@@ -291,8 +291,7 @@ data:
type: git
neutron:
location: https://opendev.org/openstack/openstack-helm
- #reference: 915276f4f75422f707418f71422c7383bbffe728
- reference: d2abe39d498f48c4721e26aca19e81189bc8891b
+ reference: 2a9e91589d1d03279cafb4f836056b228c2bc425
subpath: neutron
type: git
neutron-htk:
@@ -302,7 +301,7 @@ data:
type: git
nova:
location: https://opendev.org/openstack/openstack-helm
- reference: f9dbba70438e065de784075408666abb08414e00
+ reference: 4aa7a3026706758d22dc3e7002a2a0bffcfd84ea
subpath: nova
type: git
nova-htk:
@@ -312,7 +311,7 @@ data:
type: git
openvswitch:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: d0b32ed88ad652d9c2226466a13bac8b28038399
+ reference: f08d30df6b871044135534eedf76c8f2760d9923
subpath: openvswitch
type: git
openvswitch-htk:
@@ -322,7 +321,7 @@ data:
type: git
rabbitmq:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 749e2be9f5245ff0ad634a593820c353061b6544
+ reference: 1a8536fd5d9c3c05a0c4b5cd0e6e4a502c9c53bc
subpath: rabbitmq
type: git
rabbitmq-htk:
@@ -341,39 +340,9 @@ data:
subpath: helm-toolkit
type: git
osh_addons:
- ranger:
- type: git
- location: https://opendev.org/openstack/openstack-helm-addons
- reference: 80b8ec444afb6be4861c1a536420b02bb5a1bb40
- subpath: ranger
- ranger-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: b0ee64420436d3acf239446a7b0b3300bb624f9a
- subpath: helm-toolkit
- type: git
- ranger-agent:
- type: git
- location: https://opendev.org/openstack/openstack-helm-addons
- reference: 80b8ec444afb6be4861c1a536420b02bb5a1bb40
- subpath: ranger-agent
- ranger-agent-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: b0ee64420436d3acf239446a7b0b3300bb624f9a
- subpath: helm-toolkit
- type: git
- sonobuoy:
- type: git
- location: https://opendev.org/openstack/openstack-helm-addons
- reference: b60acc330716eb1c6325bfa6ca8080f9d5528c4c
- subpath: sonobuoy
- sonobuoy-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 992e82fc1dbcca989f171b7679cee96a924259de
- subpath: helm-toolkit
- type: git
ingress:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 2ac08b59b4b2658175e7ad83708e254a4dc4ffbd
+ reference: f08d30df6b871044135534eedf76c8f2760d9923
subpath: ingress
type: git
ingress-htk:
@@ -383,7 +352,7 @@ data:
type: git
mariadb:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: a4568f31e2e9d09c8f318a9d938c9a16f0da59ef
+ reference: ba601e0cba1bb584fe3bce07f96f8e5b98b12889
subpath: mariadb
type: git
mariadb-htk:
@@ -393,7 +362,7 @@ data:
type: git
mini-mirror:
location: https://opendev.org/openstack/openstack-helm-addons
- reference: aad032a9b567775cff2b82abb98004d124bba203
+ reference: 1c2d9373f2c6f39ef2aaeff83799906f1aae2f2a
subpath: mini-mirror
type: git
mini-mirror-htk:
@@ -401,10 +370,50 @@ data:
reference: af270934d44ab3f0eb2462cde7626eb2c6a1f967
subpath: helm-toolkit
type: git
+ ranger:
+ location: https://opendev.org/openstack/openstack-helm-addons
+ reference: b5cbc370781417cda449ba008c747ccf6d9794b9
+ subpath: ranger
+ type: git
+ ranger-agent:
+ location: https://opendev.org/openstack/openstack-helm-addons
+ reference: fc9b28b3e2e1be0a2b5171074c5dd8f43e3a0a6f
+ subpath: ranger-agent
+ type: git
+ ranger-agent-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: b0ee64420436d3acf239446a7b0b3300bb624f9a
+ subpath: helm-toolkit
+ type: git
+ ranger-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: b0ee64420436d3acf239446a7b0b3300bb624f9a
+ subpath: helm-toolkit
+ type: git
+ sonobuoy:
+ location: https://opendev.org/openstack/openstack-helm-addons
+ reference: b60acc330716eb1c6325bfa6ca8080f9d5528c4c
+ subpath: sonobuoy
+ type: git
+ sonobuoy-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 992e82fc1dbcca989f171b7679cee96a924259de
+ subpath: helm-toolkit
+ type: git
osh_infra:
+ ceph-rgw:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 20cf2db961a05285a751b3bc96b8fa4e51e3b412
+ subpath: ceph-rgw
+ type: git
+ ceph-rgw-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: eacf93722136636dcfbd2b68c59b71f071ffc085
+ subpath: helm-toolkit
+ type: git
elasticsearch:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: a2c1eea8a982de777fa430efdf188d556630f3f0
subpath: elasticsearch
type: git
elasticsearch-htk:
@@ -414,7 +423,7 @@ data:
type: git
fluentd:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: 59164428d305bf72dd67733a184266fd1217c153
subpath: fluentd
type: git
fluentd-htk:
@@ -424,7 +433,7 @@ data:
type: git
grafana:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: 128c3f748aee3ae72cccca0ff17a71ac1ed5c2fb
subpath: grafana
type: git
grafana-htk:
@@ -434,7 +443,7 @@ data:
type: git
kibana:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: b62a46336c1b6ca86e48710ba85c9320f3075fd5
subpath: kibana
type: git
kibana-htk:
@@ -454,7 +463,7 @@ data:
type: git
nagios:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: a6a9146de4996aafb7148009de8ee584fb44dfa0
subpath: nagios
type: git
nagios-htk:
@@ -464,7 +473,7 @@ data:
type: git
podsecuritypolicy:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: a0315caffaa7327cc3c8b4e8d60f6fb46b57e4a6
+ reference: b19c7f21c9aab072fd101228737b3cec0e0b0963
subpath: podsecuritypolicy
type: git
podsecuritypolicy-htk:
@@ -474,7 +483,7 @@ data:
type: git
prometheus:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: daca15441ba750d78d0e698e4a89016060d03bd0
subpath: prometheus
type: git
prometheus-htk:
@@ -484,7 +493,7 @@ data:
type: git
prometheus_kube_state_metrics:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: af712da8635c22962ff5cd205918a13a66989913
subpath: prometheus-kube-state-metrics
type: git
prometheus_kube_state_metrics-htk:
@@ -494,7 +503,7 @@ data:
type: git
prometheus_node_exporter:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: c61fc590fbca886bf86288c03e78727e9889cb33
subpath: prometheus-node-exporter
type: git
prometheus_node_exporter-htk:
@@ -502,19 +511,9 @@ data:
reference: a78ee39dcb9209a4ba6cc87f2989481a9fa63fc1
subpath: helm-toolkit
type: git
- prometheus_process_exporter:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
- subpath: prometheus-process-exporter
- type: git
- prometheus_process_exporter-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: a78ee39dcb9209a4ba6cc87f2989481a9fa63fc1
- subpath: helm-toolkit
- type: git
prometheus_openstack_exporter:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: ddd5a74319142b14d42271da6727e76637133869
+ reference: a6a9146de4996aafb7148009de8ee584fb44dfa0
subpath: prometheus-openstack-exporter
type: git
prometheus_openstack_exporter-htk:
@@ -522,20 +521,20 @@ data:
reference: a78ee39dcb9209a4ba6cc87f2989481a9fa63fc1
subpath: helm-toolkit
type: git
- ceph-rgw:
+ prometheus_process_exporter:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: eacf93722136636dcfbd2b68c59b71f071ffc085
- subpath: ceph-rgw
+ reference: f8c5d0676904cdb05de80234cb8659bde856420a
+ subpath: prometheus-process-exporter
type: git
- ceph-rgw-htk:
+ prometheus_process_exporter-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: eacf93722136636dcfbd2b68c59b71f071ffc085
+ reference: a78ee39dcb9209a4ba6cc87f2989481a9fa63fc1
subpath: helm-toolkit
type: git
ucp:
apiserver-webhook:
location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/apiserver-webhook
type: git
apiserver-webhook-htk:
@@ -545,7 +544,7 @@ data:
type: git
armada:
location: https://opendev.org/airship/armada
- reference: e88cbafd62e8a4528e05450607399d2216654841
+ reference: a3f11e5873bc5b97de579c627d7b57e3bc9f655e
subpath: charts/armada
type: git
armada-htk:
@@ -555,7 +554,7 @@ data:
type: git
barbican:
location: https://opendev.org/openstack/openstack-helm
- reference: def68865a28f0819d08812d02839ba70483d0e10
+ reference: 9bdd4fe96f46e3a4fb30ae7910dd970ca0a82c76
subpath: barbican
type: git
barbican-htk:
@@ -565,7 +564,7 @@ data:
type: git
ceph-client:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
+ reference: dd39a0f7e08c9eee861b9fa23e9587d440b76c43
subpath: ceph-client
type: git
ceph-htk:
@@ -575,57 +574,27 @@ data:
type: git
ceph-mon:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
+ reference: 4eee89ccba75a34b222d2f828129d0d5f26ffd23
subpath: ceph-mon
type: git
ceph-osd:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
+ reference: 4ed24de14b562607742a246906b48fba647d3ce8
subpath: ceph-osd
type: git
ceph-provisioners:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
+ reference: 4ed24de14b562607742a246906b48fba647d3ce8
subpath: ceph-provisioners
type: git
ceph-rgw:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 2f8ea3977ba31a4576ffb9bf98282d0586d1aa25
- subpath: ceph-rgw
- type: git
- tenant-ceph-client:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
- subpath: ceph-client
- type: git
- tenant-ceph-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
- subpath: helm-toolkit
- type: git
- tenant-ceph-mon:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
- subpath: ceph-mon
- type: git
- tenant-ceph-osd:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
- subpath: ceph-osd
- type: git
- tenant-ceph-provisioners:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
- subpath: ceph-provisioners
- type: git
- tenant-ceph-rgw:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: 2f8ea3977ba31a4576ffb9bf98282d0586d1aa25
+ reference: 20cf2db961a05285a751b3bc96b8fa4e51e3b412
subpath: ceph-rgw
type: git
deckhand:
location: https://opendev.org/airship/deckhand
- reference: b35371e241d10637659895b53b81be5fa91343c1
+ reference: 0545625da9f83c123de854fa2c6ff05b941d56e7
subpath: charts/deckhand
type: git
deckhand-htk:
@@ -635,7 +604,7 @@ data:
type: git
divingbell:
location: https://opendev.org/airship/divingbell
- reference: fe0a034ec7d60351c1600de76eb6e28df6e59882
+ reference: d657f7968c296cfb7565e144b2420eabf47ef9f9
subpath: divingbell
type: git
divingbell-htk:
@@ -645,7 +614,7 @@ data:
type: git
drydock:
location: https://opendev.org/airship/drydock
- reference: 576f1b04886c30f3779c856abeded1c171873fc9
+ reference: 63f7783da2824709f86bbc56ee2140ed293c450f
subpath: charts/drydock
type: git
drydock-htk:
@@ -655,7 +624,7 @@ data:
type: git
ingress:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 781e65ac5dde325b3771859c41709633cff32a42
+ reference: f08d30df6b871044135534eedf76c8f2760d9923
subpath: ingress
type: git
ingress-htk:
@@ -665,7 +634,7 @@ data:
type: git
keystone:
location: https://opendev.org/openstack/openstack-helm
- reference: d467d685a3863edc5fed7c352961b3235a5e3a99
+ reference: 28d0a56e46129276559a4ddb2dea32c35b10b58e
subpath: keystone
type: git
keystone-htk:
@@ -675,7 +644,7 @@ data:
type: git
maas:
location: https://opendev.org/airship/maas
- reference: 9acebfc2b4e8fab651aec7a9f16407c2d5023f0a
+ reference: 35fa3175e3d2873d3a7e21cdc793e9d153df7886
subpath: charts/maas
type: git
maas-htk:
@@ -685,17 +654,17 @@ data:
type: git
mariadb:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: b482b57e6ea85eceef02787cb2e8eb884cceb80c
+ reference: 6dd39da6ad7ffd744ecff423e99637aadd9c0414
subpath: mariadb
type: git
mariadb-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: b482b57e6ea85eceef02787cb2e8eb884cceb80c
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: helm-toolkit
type: git
memcached:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 781e65ac5dde325b3771859c41709633cff32a42
+ reference: c60c138777edc0cc35ccb7fcd8a13b57093a7ee1
subpath: memcached
type: git
memcached-htk:
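Review bot: The new `mariadb-htk` reference `27f181a9d30294030d695b747b2e4560ffbd29be` looks like the wrong repository's commit: everywhere else in this diff that SHA is paired with `https://opendev.org/airship/promenade` (apiserver, controller-manager, coredns, etcd, haproxy, proxy, scheduler, apiserver-webhook, promenade), but here the `location` is `https://opendev.org/openstack/openstack-helm-infra` with `subpath: helm-toolkit`. Unless that commit also exists in openstack-helm-infra, the chart source fetch for the ucp mariadb toolkit will fail at deploy time, and the `versions.yaml` change would not be caught by a YAML lint. The other helm-toolkit pins from openstack-helm-infra in this change use SHAs such as `96b751465abac477517e9ec2f7fca0b64c9dd22a` or `486ad9a25f03ba888a247fb8d856bb9a33a29937`; the intended toolkit commit for this entry should be confirmed against the openstack-helm-infra history and substituted, e.g. `reference: <openstack-helm-infra helm-toolkit commit>`.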
@@ -705,7 +674,7 @@ data:
type: git
postgresql:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: c18ee59aff4481d7c4d7a1a074c4bd4184602bd6
+ reference: 25aa3690252c605d237c187524d0adf73a8424e5
subpath: postgresql
type: git
postgresql-htk:
@@ -715,7 +684,7 @@ data:
type: git
promenade:
location: https://opendev.org/airship/promenade
- reference: b65930f205b77f28507dee9296aead00e24f2a18
+ reference: 27f181a9d30294030d695b747b2e4560ffbd29be
subpath: charts/promenade
type: git
promenade-htk:
@@ -725,7 +694,7 @@ data:
type: git
rabbitmq:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 749e2be9f5245ff0ad634a593820c353061b6544
+ reference: 1a8536fd5d9c3c05a0c4b5cd0e6e4a502c9c53bc
subpath: rabbitmq
type: git
rabbitmq-htk:
@@ -735,7 +704,7 @@ data:
type: git
shipyard:
location: https://opendev.org/airship/shipyard
- reference: 0cbb5cf9b7ea7e517e034e3ccb105b183ada08d9
+ reference: 796f2ddcca35ad168c5c6c08221d5724dadfffba
subpath: charts/shipyard
type: git
shipyard-htk:
@@ -743,9 +712,39 @@ data:
reference: 926348fe2476051f9ca825916db333f81c0139b7
subpath: helm-toolkit
type: git
+ tenant-ceph-client:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: dd39a0f7e08c9eee861b9fa23e9587d440b76c43
+ subpath: ceph-client
+ type: git
+ tenant-ceph-htk:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e
+ subpath: helm-toolkit
+ type: git
+ tenant-ceph-mon:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 4eee89ccba75a34b222d2f828129d0d5f26ffd23
+ subpath: ceph-mon
+ type: git
+ tenant-ceph-osd:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 4ed24de14b562607742a246906b48fba647d3ce8
+ subpath: ceph-osd
+ type: git
+ tenant-ceph-provisioners:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 4ed24de14b562607742a246906b48fba647d3ce8
+ subpath: ceph-provisioners
+ type: git
+ tenant-ceph-rgw:
+ location: https://opendev.org/openstack/openstack-helm-infra
+ reference: 20cf2db961a05285a751b3bc96b8fa4e51e3b412
+ subpath: ceph-rgw
+ type: git
tiller:
location: https://opendev.org/airship/armada
- reference: da0f6e61ba9e8d40e96db616c0fafb0fdbcb9417
+ reference: a3f11e5873bc5b97de579c627d7b57e3bc9f655e
subpath: charts/tiller
type: git
tiller-htk:
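Review bot: `tenant-ceph-htk` is re-added pinned at `8d9b7fdd2b146dc8a1578d6ee23c79aa3116f87e` while the tenant-ceph charts it is paired with move to newer openstack-helm-infra commits (`dd39a0f7...` for ceph-client, `4eee89cc...` for ceph-mon, `4ed24de1...` for ceph-osd and ceph-provisioners, `20cf2db9...` for ceph-rgw). That may be intentional, since the helm-toolkit does not always need to match the chart revision, but the non-tenant `ceph-htk` entry that would show the intended pairing is outside this hunk, so it is worth confirming the toolkit at `8d9b7fdd` still provides everything the newer chart templates reference before this is merged. A comment such as `# helm-toolkit intentionally held at 8d9b7fdd; see ceph-htk` above `tenant-ceph-htk` would record the decision either way.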
@@ -756,7 +755,7 @@ data:
utility:
calicoctl-utility:
location: https://opendev.org/airship/porthole
- reference: 744e4bb10acccaa8722f9e05fb0a39a1b5b35731
+ reference: 88d87ff37338b2fbf09baec78f3d73160eaa14c3
subpath: charts/calicoctl-utility
type: git
calicoctl-utility-htk:
@@ -764,19 +763,9 @@ data:
reference: a78ee39dcb9209a4ba6cc87f2989481a9fa63fc1
subpath: helm-toolkit
type: git
- ncct-utility:
- location: https://opendev.org/airship/porthole
- reference: 744e4bb10acccaa8722f9e05fb0a39a1b5b35731
- subpath: charts/calicoctl-utility
- type: git
- ncct-utility-htk:
- location: https://opendev.org/openstack/openstack-helm-infra
- reference: a78ee39dcb9209a4ba6cc87f2989481a9fa63fc1
- subpath: helm-toolkit
- type: git
ceph-utility:
location: https://opendev.org/airship/porthole
- reference: 744e4bb10acccaa8722f9e05fb0a39a1b5b35731
+ reference: a8b0517a4f2be0c81495167df63f065fc1e4db88
subpath: charts/ceph-utility
type: git
ceph-utility-htk:
@@ -786,7 +775,7 @@ data:
type: git
compute-utility:
location: https://opendev.org/airship/porthole
- reference: 744e4bb10acccaa8722f9e05fb0a39a1b5b35731
+ reference: a8b0517a4f2be0c81495167df63f065fc1e4db88
subpath: charts/compute-utility
type: git
compute-utility-htk:
@@ -796,7 +785,7 @@ data:
type: git
etcdctl-utility:
location: https://opendev.org/airship/porthole
- reference: 744e4bb10acccaa8722f9e05fb0a39a1b5b35731
+ reference: 002e070eb7d69d483cc3909f9e13c370ca9d84d9
subpath: charts/etcdctl-utility
type: git
etcdctl-utility-htk:
@@ -806,27 +795,27 @@ data:
type: git
mysqlclient-utility:
location: https://opendev.org/airship/porthole
- reference: 744e4bb10acccaa8722f9e05fb0a39a1b5b35731
+ reference: 002e070eb7d69d483cc3909f9e13c370ca9d84d9
subpath: charts/mysqlclient-utility
type: git
mysqlclient-utility-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 22ef25ab295d6b7c6797cfffaa77cf181c673e9b
+ reference: 486ad9a25f03ba888a247fb8d856bb9a33a29937
subpath: helm-toolkit
type: git
openstack-utility:
location: https://opendev.org/airship/porthole
- reference: 9f9d8d39be8708e18d4d3d2a518f09fa890b050e
+ reference: 1f478c6c5d09809ecad491d5e55ccbd708c41217
subpath: charts/openstack-utility
type: git
openstack-utility-htk:
location: https://opendev.org/openstack/openstack-helm-infra
- reference: 22ef25ab295d6b7c6797cfffaa77cf181c673e9b
+ reference: 486ad9a25f03ba888a247fb8d856bb9a33a29937
subpath: helm-toolkit
type: git
postgresql-utility:
location: https://opendev.org/airship/porthole
- reference: 0546a3aff7af4541e07630589a15a3d172c8ff5c
+ reference: 002e070eb7d69d483cc3909f9e13c370ca9d84d9
subpath: charts/postgresql-utility
type: git
postgresql-utility-htk:
@@ -836,32 +825,31 @@ data:
type: git
files:
kubernetes: https://dl.k8s.io/v1.17.2/kubernetes-node-linux-amd64.tar.gz
+ crictl: https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.22.0/crictl-v1.22.0-linux-amd64.tar.gz
images_refs:
images:
alpine: &alpine docker.io/alpine:3.6
busybox: &busybox docker.io/busybox:1.28.3
alpine-38: &alpine-38 docker.io/alpine:3.8
airflow: &airflow quay.io/airshipit/airflow:f0f876afef07f62cd38fbce8b775cfc741e0bf52-ubuntu_xenial
- armada: &armada quay.io/airshipit/armada:268d7a39580407911a0a39e34eebcc4540c1deaa-ubuntu_bionic
+ armada: &armada quay.io/airshipit/armada:7ef4b8643b5ec5216a8f6726841e156c0aa54a1a-ubuntu_bionic
barbican: &barbican docker.io/openstackhelm/barbican@sha256:4c44bb9e5d29224007b2ef52c1ce4ff756e655efe9c6e9a95b2e98f4f501499e
#ceph_daemon: &ceph_daemon docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20191216
- ceph_daemon: &ceph_daemon docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20200521
+ ceph_daemon: &ceph_daemon docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20210902
- ceph-utility: &ceph-utility quay.io/airshipit/porthole-ceph-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
+ ceph-utility: &ceph-utility quay.io/airshipit/porthole-ceph-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
- calicoctl-utility: &calicoctl-utility quay.io/airshipit/porthole-calicoctl-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
- calico: &calico quay.io/calico/cni:v3.4.0
- calico_ctl: &calico_ctl docker.io/calico/ctl:v3.4.0
- calico_kube_controllers: &calico_kube_controllers quay.io/calico/kube-controllers:v3.4.0
- calico_node: &calico_node quay.io/calico/node:v3.4.0
+ calicoctl-utility: &calicoctl-utility quay.io/airshipit/porthole-calicoctl-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
+ calico: &calico quay.io/calico/cni:v3.8.9
+ calico_ctl: &calico_ctl docker.io/calico/ctl:v3.8.9
+ calico_kube_controllers: &calico_kube_controllers quay.io/calico/kube-controllers:v3.8.9
+ calico_node: &calico_node quay.io/calico/node:v3.8.9
calico_dep_check: &calico_dep_check quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
- ncct-utility: &ncct-utility quay.io/airshipit/porthole-calicoctl-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
+ compute-utility: &compute-utility quay.io/airshipit/porthole-compute-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
- compute-utility: &compute-utility quay.io/airshipit/porthole-compute-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
-
- postgresql-utility: &postgresql-utility quay.io/airshipit/porthole-postgresql-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
+ postgresql-utility: &postgresql-utility quay.io/airshipit/porthole-postgresql-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
coredns: &coredns docker.io/coredns/coredns:1.6.4
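Review bot: The newly added `crictl` entry under `files:` pins the tarball only by release URL, with no digest recorded alongside it, so a host build fetching `https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.22.0/crictl-v1.22.0-linux-amd64.tar.gz` has nothing to verify the artifact against; the pre-existing `kubernetes` entry has the same gap, but this change is the opportunity to decide on one. If the consumer of this file supports a checksum field, the release's published sha256 should be added next to the URL; if it does not, a comment like `# sha256: <checksum from the v1.22.0 release page>` at least lets the value be checked out of band. Separately, all the porthole utility images in this hunk are tagged with a single commit `e7a6644b3af8bddd94d20ca35f388ae605203416` while the matching chart sources above are pinned to several different porthole commits (`88d87ff3...`, `a8b0517a...`, `002e070e...`, `1f478c6c...`); that may be fine if the images were built from a later commit than the charts, but it is worth stating in a comment so the divergence reads as deliberate.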
@@ -875,82 +863,82 @@ data:
elasticsearch: &elasticsearch docker.io/openstackhelm/elasticsearch-s3:7_1_0-20191119
- etcd: &etcd quay.io/coreos/etcd:v3.4.6
+ etcd: &etcd quay.io/coreos/etcd:v3.4.8
- etcdctl: &etcdctl-utility quay.io/airshipit/porthole-etcdctl-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
+ etcdctl: &etcdctl-utility quay.io/airshipit/porthole-etcdctl-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
falco: &falco docker.io/falcosecurity/falco:0.12.1
fluentd: &fluentd docker.io/openstackhelm/fluentd:debian-20190903
- helm: &helm docker.io/lachlanevenson/k8s-helm:v2.14.1
+ helm: &helm docker.io/lachlanevenson/k8s-helm:v2.16.9
- httpd: &httpd docker.io/library/httpd:2.4
+ httpd: &httpd docker.io/library/httpd:2.4.46
hyperkube_amd64: &hyperkube_amd64 gcr.io/google-containers/hyperkube-amd64:v1.17.2
image_repo_sync: &image_repo_sync docker.io/docker:17.07.0
- ingress_controller: &ingress_controller quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
+ ingress_controller: &ingress_controller quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
- ingress_module_init: &ingress_module_init docker.io/openstackhelm/neutron:ocata-ubuntu_xenial-20200521
+ ingress_module_init: &ingress_module_init docker.io/openstackhelm/neutron:train-ubuntu_bionic-20210414
- ingress_routed_vip: &ingress_routed_vip docker.io/openstackhelm/neutron:ocata-ubuntu_xenial-20200521
+ ingress_routed_vip: &ingress_routed_vip docker.io/openstackhelm/neutron:train-ubuntu_bionic-20210414
- ingress_error_pages: &ingress_error_pages gcr.io/google-containers/defaultbackend-amd64@sha256:0b07d6e1652b97d6f68fb63e42342921cd2c7bb4560881353a04e827cb65cf80
+ ingress_error_pages: &ingress_error_pages gcr.io/google-containers/defaultbackend-amd64@sha256:865b0c35e6da393b8e80b7e3799f777572399a4cff047eb02a81fa6e7a48ed4b
- ingress_error_pages_404: &ingress_error_pages_404 gcr.io/google-containers/ingress-gce-404-server-with-metrics-amd64@sha256:d83d8a481145d0eb71f8bd71ae236d1c6a931dd3bdcaf80919a8ec4a4d8aff74
+ ingress_error_pages_404: &ingress_error_pages_404 gcr.io/google-containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0@sha256:d83d8a481145d0eb71f8bd71ae236d1c6a931dd3bdcaf80919a8ec4a4d8aff74
- ingress_controller_mariadb: &ingress_controller_mariadb quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0
+ ingress_controller_mariadb: &ingress_controller_mariadb quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
- k8s-keystone-auth: &k8s-keystone-auth docker.io/k8scloudprovider/k8s-keystone-auth:v0.3.0
+ k8s-keystone-auth: &k8s-keystone-auth docker.io/k8scloudprovider/k8s-keystone-auth:v1.18.0
- kibana: &kibana docker.elastic.co/kibana/kibana-oss:7.1.0
+ kibana: &kibana docker.elastic.co/kibana/kibana-oss:7.9.2
- libvirt: &libvirt docker.io/openstackhelm/libvirt:ubuntu_bionic-20200623
+ libvirt: &libvirt docker.io/openstackhelm/libvirt:ubuntu_bionic-20210227
mariadb_db: &mariadb_db docker.io/openstackhelm/mariadb:10.2.18
- maas_rack_controller: &maas_rack_controller quay.io/airshipit/maas-rack-controller:03ebbaaca3f38ab49a5993b506761a4abfd19d89
+ maas_rack_controller: &maas_rack_controller quay.io/airshipit/maas-rack-controller:840b482373df163ba088b91c278f2a58fd599b7b
- maas_region_controller: &maas_region_controller quay.io/airshipit/maas-region-controller:03ebbaaca3f38ab49a5993b506761a4abfd19d89
+ maas_region_controller: &maas_region_controller quay.io/airshipit/maas-region-controller:840b482373df163ba088b91c278f2a58fd599b7b
maas_ingress: &maas_ingress docker-prod-local.artifactory.mirantis.com/mirantis/kubernetes-ingress-nginx/nginx-ingress-controller-amd64@sha256:fe510f97b02566e21685b7b108422370ca67a8a44099ce7e968a778c0ba06e0b
- memcached: &memcached docker.io/library/memcached:1.5.17
+ memcached: &memcached docker.io/library/memcached:1.6.6-alpine
#mos_cinder: &mos_cinder openstackhelm/cinder:stein-ubuntu_bionic-20200513
- mos_cinder: &mos_cinder openstackhelm/cinder:stein-ubuntu_bionic-20200306
- mos_cinder_storage_init: &mos_cinder_storage_init docker.io/openstackhelm/ceph-config-helper:ubuntu_xenial-20191119
+ mos_cinder: &mos_cinder docker.io/openstackhelm/cinder:train-ubuntu_bionic-20200612
+ mos_cinder_storage_init: &mos_cinder_storage_init docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200416
#mos_glance: &mos_glance openstackhelm/glance:stein-ubuntu_bionic-20200513
- mos_glance: &mos_glance quay.io/attcomdev/glance-nc:stein-ubuntu_bionic
+ mos_glance: &mos_glance docker.io/openstackhelm/glance:train-ubuntu_bionic-20200612
#mos_heat: &mos_heat docker.io/deepakdt/heat:stein-ubuntu_bionic-taas
- mos_heat: &mos_heat quay.io/attcomdev/heat-nc:stein-ubuntu_bionic
+ mos_heat: &mos_heat docker.io/openstackhelm/heat:train-ubuntu_bionic-20200612
- mos_heat_nova: &mos_heat_nova docker.io/openstackhelm/heat:stein-ubuntu_bionic-20200612
- mos_horizon: &mos_horizon docker.io/openstackhelm/horizon:stein-ubuntu_bionic-20200612
+ mos_heat_nova: &mos_heat_nova docker.io/openstackhelm/heat:train-ubuntu_bionic-20200612
+ mos_horizon: &mos_horizon docker.io/openstackhelm/horizon:train-ubuntu_bionic-20200612
- mos_keystone: &mos_keystone docker.io/openstackhelm/keystone:stein-ubuntu_bionic-20200612
+ mos_keystone: &mos_keystone docker.io/openstackhelm/keystone:train-ubuntu_bionic-20200612
#mos_neutron: &mos_neutron docker.io/imarijitbose/stein_neutron_bionic
- mos_neutron: &mos_neutron quay.io/attcomdev/neutron-nc:stein-ubuntu_bionic
+ mos_neutron: &mos_neutron docker.io/openstackhelm/neutron:train-ubuntu_bionic-20200612
- mos_neutron_sriov: &mos_neutron_sriov docker.io/openstackhelm/neutron:stein-ubuntu_bionic-20200515
- mos_nova: &mos_nova quay.io/attcomdev/nova-nc:stein-ubuntu_bionic
+ mos_neutron_sriov: &mos_neutron_sriov docker.io/openstackhelm/neutron:train-ubuntu_bionic-20200612
+ mos_nova: &mos_nova docker.io/openstackhelm/nova:train-ubuntu_bionic-20200612
- mysqlclient-utility: &mysqlclient-utility quay.io/airshipit/porthole-mysqlclient-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
+ mysqlclient-utility: &mysqlclient-utility quay.io/airshipit/porthole-mysqlclient-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
- nova_novncproxy: &nova_novncproxy docker.io/openstackhelm/nova:stein-ubuntu_bionic-20200612
+ nova_novncproxy: &nova_novncproxy docker.io/openstackhelm/nova:train-ubuntu_bionic-20200612
- nova_spiceproxy: &nova_spiceproxy docker.io/openstackhelm/nova:stein-ubuntu_bionic-20200612
+ nova_spiceproxy: &nova_spiceproxy docker.io/openstackhelm/nova:train-ubuntu_bionic-20200612
#openvswitch: &openvswitch docker.io/deepakdt/openvswitch:ovs2.11.1-dpdk18.11.3-ubuntu_bionic-dpdk
- openvswitch: &openvswitch quay.io/attcomdev/openvswitch-nc:ubuntu_bionic
+ openvswitch: &openvswitch docker.io/openstackhelm/openvswitch:ubuntu_bionic-20200722
- openstack-utility: &openstack-utility quay.io/airshipit/porthole-openstack-utility:744e4bb10acccaa8722f9e05fb0a39a1b5b35731-ubuntu_bionic
+ openstack-utility: &openstack-utility quay.io/airshipit/porthole-openstack-utility:e7a6644b3af8bddd94d20ca35f388ae605203416-ubuntu_bionic
- pegleg: &pegleg quay.io/airshipit/pegleg@sha256:fc61ffb6a1456edef6c251371467f424c65521be63bfe79db173ece509f7d197
- nc-swissknife: &nc-swissknife quay.io/airshipit/pegleg@sha256:fc61ffb6a1456edef6c251371467f424c65521be63bfe79db173ece509f7d197
+ pegleg: &pegleg quay.io/airshipit/pegleg@sha256:0ca3b708c37425e4e05627443dbd39d2ed27cf06193d2cc3bcb5b985b260d79d
+ nc-swissknife: &nc-swissknife quay.io/airshipit/pegleg@sha256:0ca3b708c37425e4e05627443dbd39d2ed27cf06193d2cc3bcb5b985b260d79d
patroni: &patroni docker-prod-local.artifactory.mirantis.com/nc/patroni:9.6.15-bionic-1567439806207
@@ -969,7 +957,7 @@ data:
prometheus_postgresql_exporter_create_user: &prometheus_postgresql_exporter_create_user docker.io/library/postgres:9.5
rabbitmq_mgmt: &rabbitmq_mgmt docker.io/library/rabbitmq:3.7.15-management
rabbitmq: &rabbitmq docker.io/library/rabbitmq:3.7.15
- rabbitmq_exporter: &rabbitmq_exporter docker.io/kbudde/rabbitmq-exporter:v0.21.0
+ rabbitmq_exporter: &rabbitmq_exporter docker.io/kbudde/rabbitmq-exporter:v1.0.0-RC7.1
rally_test: &rally_test docker.io/xrally/xrally-openstack:1.3.0
#rbd_provisioner: &rbd_provisioner docker.io/openstackhelm/ceph-rbd-provisioner:ubuntu_bionic-20191216
rbd_provisioner: &rbd_provisioner docker.io/openstackhelm/ceph-rbd-provisioner:ubuntu_bionic-20200521
@@ -977,11 +965,11 @@ data:
shipyard: &shipyard quay.io/airshipit/shipyard:0b29f89d3fc284fe483c58f102574c687034468d-ubuntu_xenial
sstream_cache: &sstream_cache quay.io/airshipit/sstream-cache:03ebbaaca3f38ab49a5993b506761a4abfd19d89
- storage_init: &storage_init docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20191216
- #storage_init: &storage_init docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200521
+ #storage_init: &storage_init docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20191216
+ storage_init: &storage_init docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200521
- tiller: &tiller gcr.io/kubernetes-helm/tiller@sha256:4554a65fb8278d93f1c2c1f335ddbfcd6faa016c24b97e8de46c6b8fc1e9e7f5
- osh_heat: &osh_heat docker.io/openstackhelm/heat:stein-ubuntu_bionic-20200612
+ tiller: &tiller ghcr.io/helm/tiller@sha256:fffff22d7b397fa5d5461c0c554584aa9d1d3631952244bfb9795f2e094d10dd
+ osh_heat: &osh_heat docker.io/openstackhelm/heat:train-ubuntu_bionic-20200612
node_exporter: &node_exporter docker.io/prom/node-exporter:v0.15.0
process_exporter: &process_exporter docker.io/ncabatoff/process-exporter:0.2.11
@@ -1153,9 +1141,6 @@ data:
calicoctl-utility:
calicoctl_utility: *calicoctl-utility
image_repo_sync: *image_repo_sync
- ncct-utility:
- ncct_utility: *ncct-utility
- image_repo_sync: *image_repo_sync
compute-utility:
compute_utility: *compute-utility
image_repo_sync: *image_repo_sync
@@ -1737,14 +1722,14 @@ data:
- main
gpgkey: ""
named:
- runtime: containerd=1.2.10-1~u18.04+mcp
+ runtime: containerd=1.5.2-0ubuntu1~18.04.2
socat: socat
unnamed:
- bsd-mailx
- ceph-common
- chrony
- docker-ce=18.09.9-1~u18.04+mcp
- - linux-modules-extra-4.15.0-64
+ - linux-modules-extra-4.15.0-140-generic
- jq
validation:
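Review bot: `runtime: containerd=1.5.2-0ubuntu1~18.04.2` moves the container runtime from the `~u18.04+mcp` vendor build to the Ubuntu archive package, while `docker-ce=18.09.9-1~u18.04+mcp` a few lines below stays on the vendor build; whether that docker-ce build's runtime dependency is satisfied by Ubuntu's `containerd` package should be confirmed before this reaches hosts, since the two are no longer sourced together. The pairing is easy to lose on the next bump, so a comment next to the `runtime:` key would help, e.g. `# containerd from Ubuntu archive, docker-ce still from the mcp build - verify compatibility when bumping either`. The `linux-modules-extra-4.15.0-140-generic` line also corrects the package name suffix, which is worth calling out in the commit message so it is not read as a plain version bump.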
@@ -1759,6 +1744,5 @@ data:
# NC release to reboot the nodes after the completion of the Shipyard site-update. In
# the MOP update, you should also link to the following wiki page:
# https://wiki.web.att.com/display/CCPdev/i40e+Driver+upgrades
- #location: https://ARTIFACTS_DOMAIN/artifactory/soureforgeie40/i40e/i40e-2.9.24.tar.gz
- location: https://downloads.sourceforge.net/project/e1000/i40e%20stable/2.11.25/i40e-2.11.25.tar.gz
+ location: https://netactuate.dl.sourceforge.net/project/e1000/i40e%20stable/2.12.6/i40e-2.12.6.tar.gz
...
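Review bot: The new `location:` pins the i40e tarball to one specific sourceforge mirror host rather than the `downloads.sourceforge.net` redirector it replaces, and nothing in this hunk verifies what is downloaded; if the consumer of this field supports a checksum or signature field, the expected digest of `i40e-2.12.6.tar.gz` should be recorded alongside it, otherwise the driver build trusts whatever that mirror serves. Pinning a single mirror also ties the deployment to that host's availability, which the redirector avoided. The removed commented `#location:` line pointed at an internal artifactory path; if that was the intended long-term source, a comment explaining why a public mirror is used instead would help, e.g. `# public mirror used until the artifact is mirrored internally - <reason>`.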
diff --git a/tools/airship b/tools/airship
index c5032800b..7e3c733a3 100755
--- a/tools/airship
+++ b/tools/airship
@@ -164,6 +164,7 @@ NO_PROXY=${NO_PROXY:-}
# Promenade specific variables for downloading hyperkube image to generate genesis.sh
PROMENADE_TMP=${PROMENADE_TMP:-}
PROMENADE_TMP_LOCAL=${PROMENADE_TMP_LOCAL:-}
+PROMENADE_ENCRYPTION_KEY=${PROMENADE_ENCRYPTION_KEY:-}
EOF
# extract Hyperkube binary before running Promenade container
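Review bot: `PROMENADE_ENCRYPTION_KEY=${PROMENADE_ENCRYPTION_KEY:-}` writes key material into whatever file the heredoc closed by `EOF` produces, whereas the neighbouring variables in this block are non-sensitive paths; the heredoc's start and the output path are outside the hunk, so confirm that file is created with owner-only permissions and that the script does not run under `set -x` or otherwise echo the generated content. The `:-` default means a missing key silently becomes an empty string, which is presumably handled by Promenade, but an explicit check upstream would fail earlier and more clearly. A one-line comment above the variable, e.g. `# sensitive: encryption key passed through to the Promenade container`, would flag it for the next maintainer.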
diff --git a/type/cruiser/profiles/host/nc-cp-primary-adv.yaml b/type/cruiser/profiles/host/nc-cp-primary-adv.yaml
index f11e03f96..84e0d524c 100755
--- a/type/cruiser/profiles/host/nc-cp-primary-adv.yaml
+++ b/type/cruiser/profiles/host/nc-cp-primary-adv.yaml
@@ -15,6 +15,10 @@ metadata:
- method: merge
path: .
data:
+ platform:
+ kernel_params:
+ # isolcpus for ovs dpdk pmd use
+ isolcpus: 4-7,48-51
metadata:
owner_data:
openstack-ranger-agent: enabled
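Review bot: `isolcpus: 4-7,48-51` hard-codes a CPU list that assumes a specific core count and sibling-thread layout for every host this profile applies to; the same block is added to nc-cp-secondary-adv.yaml in the next hunk. The comment should state that assumption so a host with a different topology is not silently mis-isolated, e.g. `# isolcpus for ovs dpdk pmd use; CPU ids assume the current control-plane hardware profile - adjust if the host topology changes`. The value happens to parse as a string, but quoting it as `'4-7,48-51'` would be consistent with how other kernel_params values are typically written and avoids surprises if it is later edited to a single number.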
diff --git a/type/cruiser/profiles/host/nc-cp-secondary-adv.yaml b/type/cruiser/profiles/host/nc-cp-secondary-adv.yaml
index 865226edb..90619eb04 100755
--- a/type/cruiser/profiles/host/nc-cp-secondary-adv.yaml
+++ b/type/cruiser/profiles/host/nc-cp-secondary-adv.yaml
@@ -17,6 +17,10 @@ metadata:
- method: replace
path: .metadata.owner_data
data:
+ platform:
+ kernel_params:
+ # isolcpus for ovs dpdk pmd use
+ isolcpus: 4-7,48-51
metadata:
owner_data:
# Additional label to global
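Review bot: The only layering action visible above the addition is `method: replace` on `path: .metadata.owner_data`, which by itself would not carry the new `platform.kernel_params` key into the target document; whether another action earlier in the file merges `.platform` is outside the hunk and should be confirmed, otherwise the `isolcpus` setting is dead configuration here. A comment next to the action list naming which action delivers `platform` would make this obvious, e.g. `# .platform is carried by the merge action above`. The hard-coded CPU list concern is noted on the nc-cp-primary-adv.yaml hunk.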