diff --git a/charts/deckhand/.helmignore b/charts/deckhand/.helmignore
new file mode 100644
index 00000000..f0c13194
--- /dev/null
+++ b/charts/deckhand/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/deckhand/Chart.yaml b/charts/deckhand/Chart.yaml
new file mode 100644
index 00000000..a7c98ae9
--- /dev/null
+++ b/charts/deckhand/Chart.yaml
@@ -0,0 +1,27 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: A Helm chart for Deckhand
+name: deckhand
+version: 0.1.0
+keywords:
+- deckhand
+home: https://github.com/att-comdev/deckhand
+sources:
+- https://github.com/att-comdev/aic-helm
+- https://git.openstack.org/cgit/openstack/openstack-helm
+maintainers:
+- name: att-comdev
+engine: gotpl
diff --git a/charts/deckhand/requirements.yaml b/charts/deckhand/requirements.yaml
new file mode 100644
index 00000000..53782e69
--- /dev/null
+++ b/charts/deckhand/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/charts/deckhand/templates/bin/_db-init.sh.tpl b/charts/deckhand/templates/bin/_db-init.sh.tpl
new file mode 100644
index 00000000..635465e1
--- /dev/null
+++ b/charts/deckhand/templates/bin/_db-init.sh.tpl
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -ex
+export HOME=/tmp
+
+# Extract the DB string from deckhand.conf and get the
+# value of the DB host and port
+db_string=`grep -i '^connection =' ${DECKHAND_CONFIG_FILE}`
+db_fqdn=`echo ${db_string#*@} | cut -f1 -d"."`
+db_port=`echo ${db_string#*@} | grep -o "[0-9]\+"`
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+
+ psql \
+ -h $db_fqdn \
+ -p $db_port \
+ -U ${ROOT_DB_USER} \
+ --command="${DB_COMMAND}"
+}
+
+# Create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME"
+
+# Create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
+ pgsql_superuser_cmd "CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${DB_USER} WITH SUPERUSER"
+
+# Grant permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_USER;"
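Review bot: `set -ex` in `_db-init.sh.tpl` traces every expanded command, so the `CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';` call writes the database password to the Job's log; use `set -e` for this script, or bracket that call with `set +x` / `set -x`. In the `# Create db user` step `&&` and `||` bind equally and left to right, so the chain is `(check || create) && alter` and `ALTER USER ${DB_USER} WITH SUPERUSER` runs on every invocation, leaving the service role a PostgreSQL superuser; the `GRANT ALL PRIVILEGES ON DATABASE` on the last line should be sufficient, so the `ALTER USER` call can be dropped. `EXPORT PGDATABASE=$2` should be lower-case `export`; as written it is a command-not-found that aborts the script under `set -e` as soon as a second argument is passed. The statements are also built by interpolating `$DB_NAME`, `$DB_USER` and `$DB_PASS` straight into SQL, so a quote in any of those values breaks or alters the statement; feeding the SQL to psql on stdin with `-v` variables and `:'name'` / `:"name"` quoting avoids that.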
diff --git a/charts/deckhand/templates/bin/_db-sync.sh.tpl b/charts/deckhand/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 00000000..8d4d26ea
--- /dev/null
+++ b/charts/deckhand/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Pending inputs on what need to be done for db-sync
+
+set -ex
+export HOME=/tmp
+
diff --git a/charts/deckhand/templates/configmap-bin.yaml b/charts/deckhand/templates/configmap-bin.yaml
new file mode 100644
index 00000000..993de471
--- /dev/null
+++ b/charts/deckhand/templates/configmap-bin.yaml
@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: deckhand-bin
+data:
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ ks-domain-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+ db-init.sh: |+
+{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-sync.sh: |+
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
diff --git a/charts/deckhand/templates/configmap-etc.yaml b/charts/deckhand/templates/configmap-etc.yaml
new file mode 100644
index 00000000..641ee9f2
--- /dev/null
+++ b/charts/deckhand/templates/configmap-etc.yaml
@@ -0,0 +1,72 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.deckhand.keystone_authtoken.auth_uri -}}
+{{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.deckhand.keystone_authtoken "auth_uri" | quote | trunc 0 -}}
+{{- end -}}
+
+# FIXME fix for broken keystonemiddleware oslo config gen in newton - will remove in future
+{{- if empty .Values.conf.deckhand.keystone_authtoken.auth_url -}}
+{{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.deckhand.keystone_authtoken "auth_url" | quote | trunc 0 -}}
+{{- end -}}
+
+# Add endpoint URI lookup for Deckhand Postgresql DB Connection
+{{- if empty .Values.conf.deckhand.database.connection -}}
+{{- tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.deckhand.database "connection" | quote | trunc 0 -}}
+{{- end -}}
+
+# Add endpoint URI lookup for memcached servers Connection
+{{- if empty .Values.conf.deckhand.keystone_authtoken.memcached_servers -}}
+{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.deckhand.keystone_authtoken "memcached_servers" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- $userIdentity := .Values.endpoints.identity.auth.user -}}
+
+{{- if empty .Values.conf.deckhand.keystone_authtoken.project_name -}}
+{{- set .Values.conf.deckhand.keystone_authtoken "project_name" $userIdentity.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.deckhand.keystone_authtoken.project_domain_name -}}
+{{- set .Values.conf.deckhand.keystone_authtoken "project_domain_name" $userIdentity.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.deckhand.keystone_authtoken.user_domain_name -}}
+{{- set .Values.conf.deckhand.keystone_authtoken "user_domain_name" $userIdentity.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.deckhand.keystone_authtoken.username -}}
+{{- set .Values.conf.deckhand.keystone_authtoken "username" $userIdentity.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.deckhand.keystone_authtoken.password -}}
+{{- set .Values.conf.deckhand.keystone_authtoken "password" $userIdentity.password | quote | trunc 0 -}}
+{{- end -}}
+
+# Set a random string as secret key.
+{{- if empty .Values.conf.deckhand.keystone_authtoken.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.deckhand.keystone_authtoken "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: deckhand-etc
+data:
+ deckhand.conf: |+
+{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.deckhand | indent 4 }}
+ logging.conf: |+
+{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | indent 4 }}
+ deckhand-paste.ini: |+
+{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.paste | indent 4 }}
+ policy.yaml: |+
+{{ toYaml .Values.conf.policy | indent 4 }}
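Review bot: `deckhand.conf` is rendered into the `deckhand-etc` ConfigMap after the `set` calls above have filled in the database `connection` URI (from the authenticated endpoint lookup, so presumably with the password embedded), the Keystone `password` and `memcache_secret_key`, which makes every credential the service uses readable by anyone who may read ConfigMaps in the namespace. Rendering that one file into a `kind: Secret` and mounting it through a `secret:` volume would keep the rest of the template as it is; the chart already ships `secret-db.yaml` and `secret-keystone-env.yaml` for the same data. Separately, `randAlphaNum 64` yields a different `memcache_secret_key` on every render, so `configmap-etc-hash` in `deployment.yaml` presumably changes on each upgrade and forces a rollout unless the key is pinned in values. A comment would make that visible, e.g. `# NOTE: regenerated on every render; set conf.deckhand.keystone_authtoken.memcache_secret_key to pin it`.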
diff --git a/charts/deckhand/templates/deployment.yaml b/charts/deckhand/templates/deployment.yaml
new file mode 100644
index 00000000..46c80d1c
--- /dev/null
+++ b/charts/deckhand/templates/deployment.yaml
@@ -0,0 +1,80 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.deckhand }}
+{{- $mounts_deckhand := .Values.pod.mounts.deckhand.deckhand }}
+{{- $mounts_deckhand_init := .Values.pod.mounts.deckhand.init_container }}
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: deckhand
+spec:
+ replicas: {{ .Values.pod.replicas.deckhand }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "deckhand-api" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.deckhand.timeout | default "30" }}
+ restartPolicy: Always
+ initContainers:
+{{ tuple $envAll $dependencies $mounts_deckhand_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: deckhand
+ image: {{ .Values.images.deckhand }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ ports:
+ - containerPort: {{ .Values.network.port }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.network.port }}
+ volumeMounts:
+ - name: etc-deckhand
+ mountPath: /etc/deckhand
+ - name: deckhand-etc
+ mountPath: /etc/deckhand/deckhand.conf
+ subPath: deckhand.conf
+ readOnly: true
+ - name: deckhand-etc
+ mountPath: /etc/deckhand/logging.conf
+ subPath: logging.conf
+ readOnly: true
+ - name: deckhand-etc
+ mountPath: /etc/deckhand/deckhand-paste.ini
+ subPath: deckhand-paste.ini
+ readOnly: true
+ - name: deckhand-etc
+ mountPath: /etc/deckhand/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{ if $mounts_deckhand.volumeMounts }}{{ toYaml $mounts_deckhand.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: etc-deckhand
+ emptyDir: {}
+ - name: deckhand-etc
+ configMap:
+ name: deckhand-etc
+ defaultMode: 0444
+{{ if $mounts_deckhand.volumes }}{{ toYaml $mounts_deckhand.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/deckhand/templates/ingress-api.yaml b/charts/deckhand/templates/ingress-api.yaml
new file mode 100644
index 00000000..40410743
--- /dev/null
+++ b/charts/deckhand/templates/ingress-api.yaml
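Review bot: In `deployment.yaml`, `image: {{ .Values.images.deckhand }}` resolves with the defaults this commit adds in `values.yaml` to `quay.io/attcomdev/deckhand:latest` under `pull_policy: "IfNotPresent"`, so the build that runs depends on whatever each node has cached and cannot be traced to a specific image. Pinning a version tag or digest in values makes rollouts reproducible and auditable. The `deckhand` container also declares no `securityContext`; if the image can run unprivileged (not verifiable from this diff), add `securityContext:` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`. The only probe is a `tcpSocket` readiness check, which passes as soon as the port is open; a comment noting that no liveness probe is defined would save the next reader from looking for one.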
@@ -0,0 +1,47 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.ingress_api }}
+{{- $envAll := . }}
+{{- if .Values.network.ingress.public }}
+{{- $backendServiceType := "deckhand" }}
+{{- $backendPort := "http" }}
+{{- $ingressName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameNamespaced := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ ingress.kubernetes.io/rewrite-target: /
+spec:
+ rules:
+{{- range $key1, $vHost := tuple $hostName $hostNameNamespaced $hostNameFull }}
+ - host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ $backendName }}
+ servicePort: {{ $backendPort }}
+{{- end }}
+{{- end }}
+{{- end }}
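Review bot: The Ingress `spec:` has `rules:` but no `tls:` section, so the Deckhand API, which per `configmap-etc.yaml` authenticates callers with Keystone tokens, is published over plain HTTP on all three host names and those tokens cross the ingress unencrypted. A `tls:` entry listing the same hosts, with its `secretName` read from a new values key and wrapped in an `if` so it stays optional, would close that. As a smaller point, `$ingressName` and `$hostName` are computed by the identical `hostname_short_endpoint_lookup` expression; one variable, or a comment saying the duplication is intentional, would read better.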
diff --git a/charts/deckhand/templates/job-db-init.yaml b/charts/deckhand/templates/job-db-init.yaml
new file mode 100644
index 00000000..d42f9950
--- /dev/null
+++ b/charts/deckhand/templates/job-db-init.yaml
@@ -0,0 +1,85 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_init }}
+{{- $mounts_deckhand_db_init := .Values.pod.mounts.deckhand_db_init.deckhand_db_init }}
+{{- $mounts_deckhand_db_init_init := .Values.pod.mounts.deckhand_db_init.init_container }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deckhand-db-init
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "deckhand" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies $mounts_deckhand_db_init_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: deckhand-db-init
+ image: {{ .Values.images.db_init | quote }}
+ imagePullPolicy: {{ .Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.admin }}
+ key: DB_CONNECTION
+ - name: DECKHAND_CONFIG_FILE
+ value: /etc/deckhand/deckhand.conf
+ - name: DB_NAME
+ value: {{ .Values.database.postgresql.db_name }}
+ - name: DB_USER
+ value: {{ .Values.endpoints.postgresql.auth.user.username }}
+ - name: DB_PASS
+ value: {{ .Values.endpoints.postgresql.auth.user.password }}
+ - name: ROOT_DB_USER
+ value: {{ .Values.database.postgresql.db_root_user }}
+ command:
+ - /tmp/db-init.sh
+ volumeMounts:
+ - name: deckhand-bin
+ mountPath: /tmp/db-init.sh
+ subPath: db-init.sh
+ readOnly: true
+ - name: etc-deckhand
+ mountPath: /etc/deckhand
+ - name: deckhand-etc
+ mountPath: /etc/deckhand/deckhand.conf
+ subPath: deckhand.conf
+ readOnly: true
+{{ if $mounts_deckhand_db_init.volumeMounts }}{{ toYaml $mounts_deckhand_db_init.volumeMounts | indent 10 }}{{ end }}
+ volumes:
+ - name: etc-deckhand
+ emptyDir: {}
+ - name: deckhand-etc
+ configMap:
+ name: deckhand-etc
+ defaultMode: 0444
+ - name: deckhand-bin
+ configMap:
+ name: deckhand-bin
+ defaultMode: 0555
+{{ if $mounts_deckhand_db_init.volumes }}{{ toYaml $mounts_deckhand_db_init.volumes | indent 6 }}{{ end }}
+{{- end }}
diff --git a/charts/deckhand/templates/job-db-sync.yaml b/charts/deckhand/templates/job-db-sync.yaml
new file mode 100644
index 00000000..08cb29db
--- /dev/null
+++ b/charts/deckhand/templates/job-db-sync.yaml
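Review bot: `DB_PASS` in `job-db-init.yaml` is rendered as a literal `value:` from `.Values.endpoints.postgresql.auth.user.password`, which puts the database password in the Job and Pod spec where anyone with read access to those objects (or `kubectl describe`) can see it; `job-db-sync.yaml` repeats the same block even though its script does nothing yet. It should come from a Secret through `valueFrom.secretKeyRef`, the way `ROOT_DB_CONNECTION` already does a few lines above. `ROOT_DB_CONNECTION` itself is injected but `db-init.sh` never reads it and calls `psql -U ${ROOT_DB_USER}` with no visible password source, so the job appears to depend on passwordless access for the root user, which is worth confirming. The `DB_NAME`, `DB_USER`, `DB_PASS` and `ROOT_DB_USER` values are also unquoted, so a numeric or YAML-special value breaks the manifest; append `| quote` as the `image:` line does.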
@@ -0,0 +1,83 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.db_sync }}
+{{- $mounts_deckhand_db_sync := .Values.pod.mounts.deckhand_db_sync.deckhand_db_sync }}
+{{- $mounts_deckhand_db_sync_init := .Values.pod.mounts.deckhand_db_sync.init_container }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deckhand-db-sync
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "deckhand" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies $mounts_deckhand_db_sync_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: deckhand-db-sync
+ image: {{ .Values.images.db_sync }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.admin }}
+ key: DB_CONNECTION
+ - name: DECKHAND_CONFIG_FILE
+ value: /etc/deckhand/deckhand.conf
+ - name: DB_NAME
+ value: {{ .Values.database.postgresql.db_name }}
+ - name: DB_USER
+ value: {{ .Values.endpoints.postgresql.auth.user.username }}
+ - name: DB_PASS
+ value: {{ .Values.endpoints.postgresql.auth.user.password }}
+ command:
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: deckhand-bin
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-deckhand
+ mountPath: /etc/deckhand
+ - name: deckhand-etc
+ mountPath: /etc/deckhand/deckhand.conf
+ subPath: deckhand.conf
+ readOnly: true
+{{ if $mounts_deckhand_db_sync.volumeMounts }}{{ toYaml $mounts_deckhand_db_sync.volumeMounts | indent 10 }}{{ end }}
+ volumes:
+ - name: etc-deckhand
+ emptyDir: {}
+ - name: deckhand-etc
+ configMap:
+ name: deckhand-etc
+ defaultMode: 0444
+ - name: deckhand-bin
+ configMap:
+ name: deckhand-bin
+ defaultMode: 0555
+{{ if $mounts_deckhand_db_sync.volumes }}{{ toYaml $mounts_deckhand_db_sync.volumes | indent 6 }}{{ end }}
+{{- end }}
diff --git a/charts/deckhand/templates/job-ks-endpoints.yaml b/charts/deckhand/templates/job-ks-endpoints.yaml
new file mode 100644
index 00000000..69dec1bf
--- /dev/null
+++ b/charts/deckhand/templates/job-ks-endpoints.yaml
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.ks_endpoints }}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deckhand-ks-endpoints
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "deckhand" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := tuple "deckhand" }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ $osServiceType }}-ks-endpoints-{{ $osServiceEndPoint }}
+ image: {{ $envAll.Values.images.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: ks-endpoints-sh
+ configMap:
+ name: deckhand-bin
+ defaultMode: 0555
+{{- end -}}
+
diff --git a/charts/deckhand/templates/job-ks-service.yaml b/charts/deckhand/templates/job-ks-service.yaml
new file mode 100644
index 00000000..50c8d45a
--- /dev/null
+++ b/charts/deckhand/templates/job-ks-service.yaml
@@ -0,0 +1,60 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.job_ks_service -}}
+
+{{- $envAll := . }}
+{{- $ksAdminSecret := .Values.secrets.identity.admin }}
+{{- $dependencies := .Values.dependencies.ks_service }}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deckhand-ks-service
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "deckhand" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := tuple "deckhand" }}
+ - name: {{ $osServiceType }}-ks-service-registration
+ image: {{ $envAll.Values.images.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType }}
+{{- end }}
+ volumes:
+ - name: ks-service-sh
+ configMap:
+ name: deckhand-bin
+ defaultMode: 0555
+{{- end -}}
diff --git a/charts/deckhand/templates/job-ks-user.yaml b/charts/deckhand/templates/job-ks-user.yaml
new file mode 100644
index 00000000..9a55bd91
--- /dev/null
+++ b/charts/deckhand/templates/job-ks-user.yaml
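Review bot: The pod labels in `job-ks-service.yaml` are generated with `tuple $envAll "deckhand" "ks-user"`, which looks copied from the user job, so the service-registration pods carry the wrong component label and cannot be told apart from the user job by selector or in log queries. The component argument should be `"ks-service"`: `{{ tuple $envAll "deckhand" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}`. This container also lacks the `helm-toolkit.snippets.kubernetes_resources` line that the endpoints and user jobs include, so it runs without the chart's resource settings. `job-ks-user.yaml` in turn has no `metadata:`/`labels:` under `template:` at all.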
@@ -0,0 +1,61 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.job_ks_user }}
+
+{{- $ksAdminSecret := .Values.secrets.identity.admin }}
+{{- $ksUserSecret := .Values.secrets.identity.user }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.ks_user }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deckhand-ks-user
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: deckhand-ks-user
+ image: {{ .Values.images.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $envAll.Values.endpoints.deckhand.name | quote }}
+ - name: SERVICE_OS_DOMAIN_NAME
+ value: {{ $envAll.Values.endpoints.identity.auth.user.project_domain_name | quote }}
+{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ $envAll.Values.endpoints.identity.auth.user.role | quote }}
+ volumes:
+ - name: ks-user-sh
+ configMap:
+ name: deckhand-bin
+ defaultMode: 0555
+{{- end -}}
diff --git a/charts/deckhand/templates/secret-db.yaml b/charts/deckhand/templates/secret-db.yaml
new file mode 100644
index 00000000..4ca68e30
--- /dev/null
+++ b/charts/deckhand/templates/secret-db.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.postgresql $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/deckhand/templates/secret-keystone-env.yaml b/charts/deckhand/templates/secret-keystone-env.yaml
new file mode 100644
index 00000000..94ea6e74
--- /dev/null
+++ b/charts/deckhand/templates/secret-keystone-env.yaml
@@ -0,0 +1,28 @@
+{{/*
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/deckhand/templates/service-ingress.yaml b/charts/deckhand/templates/service-ingress.yaml
new file mode 100644
index 00000000..20a9f0d2
--- /dev/null
+++ b/charts/deckhand/templates/service-ingress.yaml
@@ -0,0 +1,32 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_ingress }}
+{{- $envAll := . }}
+{{- if .Values.network.ingress.public }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "deckhand" "public" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 9000
+ selector:
+ app: ingress-api
+{{- end }}
+{{- end }}
diff --git a/charts/deckhand/templates/service.yaml b/charts/deckhand/templates/service.yaml
new file mode 100644
index 00000000..3ea50699
--- /dev/null
+++ b/charts/deckhand/templates/service.yaml
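Review bot: `port: 9000` in `service-ingress.yaml` is hard-coded while `service.yaml` and `deployment.yaml` read `.Values.network.port`, so overriding the port in values leaves this Service out of step with the rest of the chart; use `port: {{ .Values.network.port }}`. With no `targetPort`, the Service forwards to port 9000 on the pods selected by `app: ingress-api`, which are presumably the ingress controller rather than Deckhand. Confirm the controller listens on that port, and otherwise set `targetPort` explicitly so the public name does not resolve to a closed port.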
@@ -0,0 +1,43 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "deckhand" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ {{ if .Values.network.enable_node_port }}
+ - name: http
+ nodePort: {{ .Values.network.node_port }}
+ port: {{ .Values.network.port }}
+ protocol: TCP
+ targetPort: {{ .Values.network.port }}
+ {{ else }}
+ - name: http
+ port: {{ .Values.network.port }}
+ protocol: TCP
+ targetPort: {{ .Values.network.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "deckhand-api" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.enable_node_port }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml
new file mode 100644
index 00000000..558821fa
--- /dev/null
+++ b/charts/deckhand/values.yaml
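Review bot: Setting `network.enable_node_port` switches this Service to `type: NodePort`, which publishes the API on `network.node_port` of every node and sidesteps the ingress Service added in the same commit, yet nothing in the template or in values.yaml says so. The chart's default endpoint scheme for deckhand is `http`, so that port would presumably carry Keystone tokens in clear text. I would add a comment above the first conditional, for example `# NodePort exposes the API on every node, outside the ingress path; leave disabled unless needed`, and repeat it beside `enable_node_port` in values.yaml. The `{{ if }}`/`{{ else }}`/`{{ end }}` actions around the ports and the type also lack `-` trimming, so they leave blank lines in the rendered manifest.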
@@ -0,0 +1,329 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file provides defaults for deckhand
+
+labels:
+ node_selector_key: ucp-control-plane
+ node_selector_value: enabled
+
+images:
+ deckhand: quay.io/attcomdev/deckhand:latest
+ dep_check: docker.io/kolla/ubuntu-source-kubernetes-entrypoint:4.0.0
+ db_init: docker.io/postgres:9.5
+ db_sync: docker.io/postgres:9.5
+ ks_user: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3
+ ks_service: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3
+ ks_endpoints: docker.io/kolla/ubuntu-source-kolla-toolbox:3.0.3
+ pull_policy: "IfNotPresent"
+
+release_group: null
+
+network:
+ ingress:
+ public: true
+ port: 9000
+ node_port: 31902
+ enable_node_port: false
+
+dependencies:
+ db_init:
+ services:
+ - service: postgresql
+ endpoint: internal
+ db_sync:
+ jobs:
+ - deckhand-db-init
+ services:
+ - service: postgresql
+ endpoint: internal
+ ks_user:
+ services:
+ - service: identity
+ endpoint: internal
+ ks_service:
+ services:
+ - service: identity
+ endpoint: internal
+ ks_endpoints:
+ jobs:
+ - deckhand-ks-service
+ services:
+ - service: identity
+ endpoint: internal
+ deckhand:
+ jobs:
+ - deckhand-ks-endpoints
+ - deckhand-ks-user
+ - deckhand-ks-endpoints
+ services:
+ - service: identity
+ endpoint: internal
+ - service: key_manager
+ endpoint: internal
+
+# typically overriden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ identity:
+ name: keystone
+ auth:
+ user:
+ region_name: RegionOne
+ role: admin
+ project_name: service
+ project_domain_name: default
+ user_domain_name: default
+ username: deckhand
+ password: password
+ admin:
+ region_name: RegionOne
+ project_name: admin
+ password: password
+ username: admin
+ user_domain_name: default
+ project_domain_name: default
+ hosts:
+ default: keystone-api
+ public: keystone
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ admin:
+ default: 35357
+ api:
+ default: 80
+ host_fqdn_override:
+ default: null
+ deckhand:
+ name: deckhand
+ hosts:
+ default: deckhand-int
+ public: deckhand-api
+ port:
+ api:
+ default: 9000
+ path:
+ default: /api/v1.0
+ scheme:
+ default: http
+ host_fqdn_override:
+ default: null
+ postgresql:
+ name: postgresql
+ auth:
+ admin:
+ username: deckhand
+ password: password
+ user:
+ username: deckhand
+ password: password
+ hosts:
+ default: postgresql
+ path: /deckhand
+ scheme: postgresql+psycopg2
+ port:
+ postgresql:
+ default: 5432
+ host_fqdn_override:
+ default: null
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v1
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9311
+ public: 80
+ oslo_cache:
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+
+secrets:
+ identity:
+ admin: deckhand-keystone-admin
+ user: deckhand-keystone-user
+ postgresql:
+ admin: deckhand-db-admin
+ user: deckhand-db-user
+
+database:
+ postgresql:
+ db_name: deckhand
+ db_root_user: postgres
+
+conf:
+ policy:
+ admin_api: role:admin
+ deckhand:create_cleartext_documents: rule:admin_api
+ deckhand:create_encrypted_documents: rule:admin_api
+ deckhand:list_cleartext_documents: rule:admin_api
+ deckhand:list_encrypted_documents: rule:admin_api
+ deckhand:show_revision: rule:admin_api
+ deckhand:list_revisions: rule:admin_api
+ deckhand:delete_revisions: rule:admin_api
+ deckhand:show_revision_diff: rule:admin_api
+ deckhand:create_tag: rule:admin_api
+ deckhand:show_tag: rule:admin_api
+ deckhand:list_tags: rule:admin_api
+ deckhand:delete_tag: rule:admin_api
+ deckhand:delete_tags: rule:admin_api
+ paste:
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: deckhand
+ filter:request_id:
+ paste.filter_factory: oslo_middleware:RequestId.factory
+ app:api:
+ paste.app_factory: deckhand.service:deckhand_app_factory
+ pipeline:deckhand_api:
+ pipeline: authtoken api
+ deckhand:
+ DEFAULT:
+ debug: true
+ log_file: deckhand.log
+ use_stderr: true
+ use_syslog: true
+ database:
+ connection:
+ keystone_authtoken:
+ delay_auth_decision: true
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ oslo_policy:
+ policy_file: policy.yaml
+ policy_default_rule: default
+ policy_dirs: policy.d
+ logging:
+ loggers:
+ keys: 'root, deckhand'
+ handlers:
+ keys: 'file, null, syslog'
+ formatters:
+ keys: 'simple, context'
+ logger_deckhand:
+ level: DEBUG
+ handlers: file
+ qualname: deckhand
+ logger_root:
+ level: WARNING
+ handlers: null
+ handler_file:
+ class: FileHandler
+ level: DEBUG
+ args: "('deckhand.log', 'w+')"
+ formatter: context
+ handler_null:
+ class: 'logging.NullHandler'
+ formatter: context
+ args: '()'
+ handler_syslog:
+ class: 'handlers.SysLogHandler'
+ level: ERROR
+ args: "('/dev/log', handlers.SysLogHandler.LOG_USER)"
+ formatter_context:
+ class: 'oslo_log.formatters.ContextFormatter'
+ formatter_simple:
+ format: "%(asctime)s.%(msecs)03d %(process)d %(levelname)s: %(message)s"
+pod:
+ mounts:
+ deckhand_db_init:
+ init_container: null
+ deckhand_db_init:
+ deckhand_db_sync:
+ init_container: null
+ deckhand_db_sync:
+ deckhand:
+ init_container: null
+ deckhand:
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ termination_grace_period:
+ deckhand:
+ timeout: 30
+ replicas:
+ deckhand: 1
+ resources:
+ enabled: false
+ api:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ jobs:
+ ks_user:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ ks_service:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ ks_endpoints:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ deployment: true
+ job_db_init: true
+ job_db_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ secret_db: true
+ secret_keystone: true
+ service_api: true
+ ingress_api: true
+ service: true
+ service_ingress: true
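Review bot: The defaults in values.yaml install cleanly but are not safe to run as shipped: every credential under `endpoints.identity.auth` and `endpoints.postgresql.auth` is the literal `password`, `conf.deckhand.DEFAULT.debug` is `true` with `logger_deckhand` at `DEBUG`, and the `deckhand` image is referenced by the mutable `latest` tag with `pull_policy: "IfNotPresent"`. An install without overrides would presumably render those known credentials into the chart's Secrets, log verbosely from a service whose policy covers encrypted documents, and run whatever image a node happens to have cached. I would mark each password with a comment such as `# placeholder, must be overridden per deployment`, default to `debug: false`, and pin the image to a version tag or digest. Separately, `dependencies.deckhand.jobs` lists `deckhand-ks-endpoints` twice and names no database job, so the second entry looks like it was meant to be the db-sync job; worth confirming.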