This PS makes the following changes:
- uses deploy-k8s.sh from treasuremap
- makes sure the airskiff-deploy playbook is using 80Gb partition if
available
- adds available security updates to docker images
Change-Id: I0f330cb15ec32b12703f0bc6620b3f3c797a25bb
This PS delivers the following updates:
- fixed sample config and policy files generation in tox
- rolled back chart version increment back to 0.2.0
Change-Id: I509030319a724b18bb21f45f7ede7c07ab18e894
- adjusted .gitignore to keep fresh egg-info and omit build artifacts
- fresh egg-info data is needed for promenade that depends on Deckhand
- restored deckhand-functional-uwsgi-py38 gate
- restored deckhand-integration-uwsgi-py38 gate
- made deckhand-airskiff-deployment gate voting (treasuremap project
has been updated)
- removed bionic gates
- updated focal dockerfile
- added more binary deps into bindep.txt
- updated deckhand chart values to latest images - focal and wallaby
- fixed python code to comply with CVEs found by fresh version of bandit
- implemented pip freeze approach
- added tox -e freeze profile to manage it
- requirements-frozen.txt is now main file with requirements
- requirements-direct.txt is the file to control deps
- updated setup.cfg to adjust to newer version of setuptools
- fixed airskiff-deploy gate
- fixed docker-image-build playbook to restore Quay repo image publish
- updated other playbooks to include roles from zuul/base-jobs in order
to setup build hosts properly
- removed workaround with hardcoded dns resolver ip 10.96.0.10 as it
became obsolete due to recent fix in openstack-helm-infra
- adjusted tools/whitespace-linter.sh script
- tox.ini has been brought to compliance with tox4 requirements
- replaced str() calls with six.text_type() according to D325 Deckhand specific
commandment from Hacking.rst
- locked python-barbicanclient version with 5.2.0 because of breaking
changes in the upper versions
Change-Id: I1cd3c97e83569c4db7e958b3400bdd4b7ea5e668
update dockerfile for python deckhand install
add deckhand version to chart 1.0
add chart version 0.2.0
update all packages to latest in requirements.txt
update zuul jobs for focal and python 3.8
remove zuul job functional-uwsgi-py38 in favor of functional-docker-py38
update tox config
typecast to string in re.sub() function
add stestr to test-requirements.txt
add SQLAlchemy jsonpickle sphinx-rtd-theme stestr to requirements.txt
deprecated function: BarbicanException -> BarbicanClientException
fix mock import using unittest
fix import collections to collections.abc
fix for collections modules for older than python 3.10 versions.
deprecated function: json -> to_json
deprecated function: werkzeug.contrib.profiler ->
werkzeug.middleware.profiler
deprecated function: falcon.API -> falcon.App
deprecation warning: switch from resp.body to resp.text
rename fixtures to dh_fixtures because there is an imported module
fixtures
switch from stream.read to bounded_stream.read
deprecated function: falcon process_response needed additional parameter
deprecated function: falcon default_exception_handler changed parameter
order
move from MagicMock object to falcon test generated object to fix
incompatibility with upgraded Falcon module.
Adjust gabbi tests to fix incompatibility with upgraded DeepDiff module
update Makefile to execute ubuntu_focal
update HTK (helmtoolkit)
unpin barbican to pass integration tests
Use helm 3 in chart build.
`helm serve` is removed in helm 3 so this moves
to using local `file://` dependencies [0] instead.
Change-Id: I180416f480edea1b8968d80c993b3e1fcc95c08d
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: I547a7f0e6106fee2f560b62671e1eceb312e5c4e
Updated obsolete uwsgi default configuration parameters for better
performance.
Increased number of worker threads to increase performance.
Uplifted uwsgi to the latest for bug fixes since 2018.
For more info please see:
https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html
Change-Id: Ifedb9c6279e64be86deb6ec375810c5ecf97958a
Adds configmap-hash annotations to the job-db-init and job-db-sync
for configmap-bin and configmap-etc.
These annotations ensure that if configmaps change, the pods
are redeployed according to their upgrade strategy.
Change-Id: I8ff282d8279c934590d5308e9c26efaf65685e2b
This updates the deckhand chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I9bfd889b163e280cf17c4e7b49974a077e889f2f
Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ib0b21b33d8bf91ea6da4c2421cc81355cf2b23b1
Update apiversion for deployment to apps/v1
Add selector match labels to deployment
This patch is similar to https://review.opendev.org/#/c/638276/
These changes are required to install deckhand helm chart on k8s 1.16.0
Change-Id: Ifca6020dee953252629f42a1b04f384e959c0916
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled default policies allow all ingress and
egress traffic (i.e. policy set to {}), this may be
changed in future patch-sets.
Change-Id: I9ae69e84991f16891830fb7e044a06985eca9d0f
This PS adds pod anti-affinity to deckhand pods,
so that the scheduler can constrain pods against labels on other pods
running on the node. The default soft rule is in place so that if the
scheduler can’t satisfy the requirement, the pod will still
be scheduled.
Change-Id: Icab673726d0473662ccf45c4c576fe20912a1260
Implement container and pod level security context for the following
Deckhand resources:
- Deckhand server deployment
Change-Id: I23cd742cc3b76b4e5de67d3b8bb195ec3899fc0f
Adds functionality to read context marker and end-user
from request headers and log that information where
available, to aid in tracing transactions that span
multiple Airship components.
Change-Id: I35c9e56f84f29420c4f3c081453cb81aa892fa7d
This is to try to address stuck deckhand-api pods that never
went to error state in an attempt to self-jolt the pod again.
Change-Id: I70bf57dde5d696bddc68caab2f54826803d82d28
1) UCP -> Airship
2) readthedocs.org -> readthedocs.io (there is redirect)
3) http -> https
4) attcomdev -> airshipit (repo on quay.io)
5) att-comdev -> openstack/airship-* (repo on github/openstack git)
6) many URLs have been verified and adjusted to be current
7) no need for 'en/latest/' path in URL of the RTD
8) added more info to some setup.cfg and setup.py files
9) ucp-integration docs are now in airship-in-a-bottle
10) various other minor fixes
Change-Id: I12b2fa8fbec37a483a0ad50382e08f51ed97533a
GET /revisions/{{revision_id}}/deepdiff/{{comparison_revision_id}}
- Added deepdiff api for generating diff between
two rendered documents.
- Deep diffing for data and metadata
- Refactor diff functions
- Client update
- Added unit testcases
- Added functional testcases
- Doc update
Change-Id: Ib60fa60a3b33e9125a1595a999272ca595721b38
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. This can be used, for example, to force an
artificial manifest change in CICD scenarios, for upgradability
testing purposes.
Change-Id: I69d7dfebe457423c58dc297ec84d02ca62230020
This patch set adds TLS on overridden fqdns for public endpoints for
airship-deckhand. As cacerts are not loaded into the containers, this
only supports certificates that can be externally verified.
Change-Id: I41606129c8d59dfedcb648f5390985a31b690eec
This change modifies the internal Keystone API port in the Deckhand
chart from 80 to 5000 and removes the default admin port to match
the Keystone chart provided by OpenStack-Helm.
Change-Id: I3861e551ac9ad9fb008e8caf3cfa892ecd4fc657
This PS moves the chart to use secrets to store potentially sensitive
config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I884a68b379beefa3aa73018613ac37c0f3ee089d
Signed-off-by: Pete Birley <pete@port.direct>
This updates Deckhand to be compatible with the current
OpenStack-Helm Helm Toolkit. This includes:
- Using HTK manifest templates
- Refactoring values.yaml structure
- Some other small cleanup
Change-Id: Ib7c2451b46fab20935edb1c768ac56cc6353aa16
This patch set updates the kubernetes-entrypoint image from
v0.3.0 to v0.3.1.
Change-Id: Ic278b8b91e3034173dfad805d1dc5af27e96c43e
Signed-off-by: Tin Lam <tin@irrational.io>
As part of ongoing effort to update the "application" and
"component" labels for the UCP components, there is a need
to align with the convention. We will update the label for
the deckhand API pod in this case.
Also updated helm_tk.sh to point to openstack-helm-infra for
reference to helm-toolkit as helm-toolkit has been removed
from the openstack-helm repo [0]
[0] https://review.openstack.org/#/c/558065/
Change-Id: I753c4ce653790250b79986c670224d0962f7676f
This is to stop the DH pod from being killed in production whenever
DH receives multiple concurrent requests from another service,
causing all its threads to become occupied with servicing those
requests, causing the liveness probe to fail, causing the DH pod
to be killed. This is highly undesirable and as a temporary
workaround we will drop the liveness probe altogether.
This partially reverts I1a1c107706862431e53668a864db622499e63c6f
Additional reading: Id2d4deaaf8bf73d6df4639810e6dee3acf79b05c
Change-Id: Ic81c0c1d6e3cd3ab3b326054b9c882962d240968
We will align the name with the rest of the UCP components, i.e.
change it from 'deckhand' to 'deckhand-api'
Change-Id: I4c65ac1e6371ffa80fd8b42cbe979d71b93e99c7
Updates Deckhand to use alembic to manage database upgrades.
Moves from creating tables at startup of Deckhand to the
db-sync job.
Change-Id: I6f4cb237fadc46fbee81d1c33096f48a720f589f
Under load, Deckhand will fail liveness checks with a 1 second timeout.
This Patchset extends the timeout to 10 seconds and spaces the period
between checks to 20 seconds.
Adds labels to keystone user job.
Change-Id: Id2d4deaaf8bf73d6df4639810e6dee3acf79b05c
This sets multiple threads in Deckhand's chart config (4)
and set workers to just 1.
Deckhand's database is not configured to work with multiprocessing.
Currently there is a data race on acquiring shared SQLAlchemy
engine pooled connection strings when workers > 1. As a
workaround, we use multiple threads but only 1 worker. For more
information, see:
https://github.com/att-comdev/deckhand/issues/20
Change-Id: I60adeffff5461fdda957124232bc5a606baae413
This patch set updates the kubernetes-entrypoint image to version
3.0.3 in line with the chart used in OpenStack-Helm in [0]. This allows
the chart to use pod dependencies.
[0] https://review.openstack.org/#/c/554268/
Change-Id: I06c874bbe1b39271a94ce1c418c8b1317080dac5
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set does the following to enhance health/status checks
on the deckhand-api pod:
1) Add Liveness Probe
2) Update Readiness Probe
Change-Id: I1a1c107706862431e53668a864db622499e63c6f