This introduces a new document called `EncryptionPolicy` to configure
this behavior. It currently only supports using symmetric encryption
with `GPG`, but that should be available on all Ubuntu systems (which is
what we currently support) and should also be fairly reliable.
Change-Id: I06d4faa119b736773df0d8cbf0e7a23fd98edcdf
Depends-On: https://review.openstack.org/#/c/602175/
* Detect and re-use existing Certs/Keys
* Negative functional test for join with missing cert
* Positive functional test to generate cert after initial construction
* Extract some promenade test code into tools/g2/lib/promenade.sh
* Add timestamps to tar'd up files
Change-Id: Ib717785fc2c8f6cd1db1970ecdf1f5184ed40e92
Adds policy enforcement to validatedesign and adds testing for
validatedesign endpoint. Also fixes error when raising
ValidationException.
Change-Id: Ie48fc49a05f7890866d2dd3480c4d6333ef3a087
This avoids a tricky-to-debug situation where it can appear that
different labels (or even a different IP address) are applied to a host
than expected.
Change-Id: I29fc99581a85f9cd1275f5cc07dfcb1be0e98339
This PS resolves a recent issue with Deckhand in which missing
substitution sources cause Promenade to fail during genesis,
while using Deckhand to render documents. The fix involves
introducing a new flag called fail_on_missing_sub_src which,
if False, logs a warning rather than raising an exception
in the event that a substitution source document is missing.
Also adds better exception handling and logging around
Deckhand.
Example error:
Traceback (most recent call last):
  File "/usr/local/bin/promenade", line 10, in <module>
    sys.exit(promenade())
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/opt/promenade/promenade/cli.py", line 55, in genereate_certs
    debug=debug, streams=config_files, substitute=True, validate=False)
  File "/opt/promenade/promenade/config.py", line 49, in from_streams
    return cls(documents=documents, **kwargs)
  File "/opt/promenade/promenade/config.py", line 29, in __init__
    documents = [dict(d) for d in deckhand_eng.render()]
  File "/usr/local/lib/python3.6/site-packages/deckhand/engine/layering.py", line 485, in render
    self.secrets_substitution.substitute_all(doc))
  File "/usr/local/lib/python3.6/site-packages/deckhand/engine/secrets_manager.py", line 182, in substitute_all
    document_name=document.name)
Depends-On: https://review.gerrithub.io/#/c/400880/
Change-Id: I4486535d4555ece54eb4d47bfb56472250f97ab4
* Add ability to fetch design from Deckhand
* Add functional testing for Deckhand design_ref integration
* Update complete example to work with changes to Ceph chart
Change-Id: Ice25a27b340e68a8ab38a23021cd91e032ca537b
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Deckhand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download URL.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c