This PS makes the following changes:
- uses deploy-k8s.sh from treasuremap
- makes sure the airskiff-deploy playbook is using 80Gb partition if
available
- adds available security updates to docker images
Change-Id: I0f330cb15ec32b12703f0bc6620b3f3c797a25bb
- adjusted .gitignore to keep fresh egg-info and omit build artifacts
- fresh egg-info data is needed for promenade that depends on Deckhand
- restored deckhand-functional-uwsgi-py38 gate
- restored deckhand-integration-uwsgi-py38 gate
- made deckhand-airskiff-deployment gate voting (treasuremap project
has been updated)
- removed bionic gates
- updated focal dockerfile
- added more binary deps into bindep.txt
- updated deckhand chart values to latest images - focal and wallaby
- fixed python code to comply with CVEs found by fresh version of bandit
- implemented pip freeze approach
- added tox -e freeze profile to manage it
- requirements-frozen.txt is now main file with requirements
- requirements-direct.txt is the file to control deps
- updated setup.cfg to adjust to newer version of setuptools
- fixed airskiff-deploy gate
- fixed docker-image-build playbook to restore Quay repo image publish
- updated other playbooks to include roles from zuul/base-jobs in order
to setup build hosts properly
- removed workaround with hardcoded dns resolver ip 10.96.0.10 as it
became obsolete due to recent fix in openstack-helm-infra
- adjusted tools/whitespace-linter.sh script
- tox.ini has been brought to compliance with tox4 requirements
- replaced str() calls with six.text_type() according to D325 Deckhand specific
commandment from Hacking.rst
- locked python-barbicanclient version with 5.2.0 because of breaking
changes in the upper versions
Change-Id: I1cd3c97e83569c4db7e958b3400bdd4b7ea5e668
Updated obsolete uwsgi default configuration parameters for better
performance.
Increased number of worker threads to increase performance.
Uplifted uwsgi to the latest for bug fixes since 2018.
For more info please see:
https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html
Change-Id: Ifedb9c6279e64be86deb6ec375810c5ecf97958a
This updates the deckhand chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I9bfd889b163e280cf17c4e7b49974a077e889f2f
Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ib0b21b33d8bf91ea6da4c2421cc81355cf2b23b1
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled default policies allow all ingress and
egress traffic (i.e. policy set to {}), this may be
changed in future patch-sets.
Change-Id: I9ae69e84991f16891830fb7e044a06985eca9d0f
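An added example (not part of the commit or the Deckhand chart): a small audit that flags rendered NetworkPolicy rules equivalent to the allow-all `{}` default described above. The manifests, labels and port number are constructed for illustration.

```python
# Constructed manifests (as parsed dicts): one left at the `{}` default,
# one restricted. Policy names, labels and the port are assumptions.
SELECTOR = {"matchLabels": {"application": "deckhand"}}
ALLOW_ALL = {
    "metadata": {"name": "deckhand-netpol"},
    "spec": {"podSelector": SELECTOR, "policyTypes": ["Ingress", "Egress"],
             "ingress": [{}], "egress": [{}]},
}
RESTRICTED = {
    "metadata": {"name": "deckhand-netpol"},
    "spec": {"podSelector": SELECTOR, "policyTypes": ["Ingress", "Egress"],
             "ingress": [{"from": [{"podSelector":
                                    {"matchLabels": {"application": "armada"}}}],
                          "ports": [{"protocol": "TCP", "port": 9000}]}],
             "egress": []},  # isolated with no rules: all egress denied
}
PORTS_ONLY = {
    "metadata": {"name": "ports-only"},
    "spec": {"podSelector": SELECTOR,  # policyTypes omitted on purpose
             "ingress": [{"ports": [{"protocol": "TCP", "port": 9000}]}]},
}

PEER_KEY = {"ingress": "from", "egress": "to"}


def audit(policy):
    """Return (direction, rule_index, finding) for every unrestricted path."""
    spec = policy.get("spec", {})
    # Kubernetes default: Ingress always applies, Egress only if egress rules exist.
    types = spec.get("policyTypes") or (
        ["Ingress"] + (["Egress"] if spec.get("egress") else []))
    findings = []
    for direction in ("ingress", "egress"):
        if direction.capitalize() not in types:
            findings.append((direction, None, "not-isolated"))
            continue
        for i, rule in enumerate(spec.get(direction) or []):
            peers = rule.get(PEER_KEY[direction])
            if not peers and not rule.get("ports"):
                findings.append((direction, i, "allow-all"))   # empty rule {}
            elif not peers:
                findings.append((direction, i, "any-peer"))    # ports only
    return findings


if __name__ == "__main__":
    for pol in (ALLOW_ALL, RESTRICTED, PORTS_ONLY):
        print(pol["metadata"]["name"], audit(pol))
```

A finding of `not-isolated` means this policy places no restriction on that direction; another policy selecting the same pods may still do so.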
This PS adds pod anti-affinity to deckhand pods,
so that the scheduler can constrain pods against labels on other pods
running on the node. The default soft rule is in place so that if the
scheduler can’t satisfy the requirement, the pod will still
be scheduled.
Change-Id: Icab673726d0473662ccf45c4c576fe20912a1260
Implement container and pod level security context for the following
Deckhand resources:
- Deckhand server deployment
Change-Id: I23cd742cc3b76b4e5de67d3b8bb195ec3899fc0f
Adds functionality to read context marker and end-user
from request headers and log that information where
available, to aid in tracing transactions that span
multiple Airship components.
Change-Id: I35c9e56f84f29420c4f3c081453cb81aa892fa7d
1) UCP -> Airship
2) readthedocs.org -> readthedocs.io (there is redirect)
3) http -> https
4) attcomdev -> airshipit (repo on quay.io)
5) att-comdev -> openstack/airship-* (repo on github/openstack git)
6) many URLs have been verified and adjusted to be current
7) no need for 'en/latest/' path in URL of the RTD
8) added more info to some setup.cfg and setup.py files
9) ucp-integration docs are now in airship-in-a-bottle
10) various other minor fixes
Change-Id: I12b2fa8fbec37a483a0ad50382e08f51ed97533a
GET /revisions/{{revision_id}}/deepdiff/{{comparison_revision_id}}
- Added deepdiff api for generating diff between
two rendered documents.
- Deep diffing for data and metadata
- Refactor diff functions
- Client update
- Added unit testcases
- Added functional testcases
- Doc update
Change-Id: Ib60fa60a3b33e9125a1595a999272ca595721b38
This patch set adds TLS on overridden fqdns for public endpoints for
airship-deckhand. As cacerts are not loaded into the containers, this
only supports certificates that can be externally verified.
Change-Id: I41606129c8d59dfedcb648f5390985a31b690eec
This change modifies the internal Keystone API port in the Deckhand
chart from 80 to 5000 and removes the default admin port to match
the Keystone chart provided by OpenStack-Helm.
Change-Id: I3861e551ac9ad9fb008e8caf3cfa892ecd4fc657
This updates Deckhand to be compatible with the current
OpenStack-Helm Helm Toolkit. This includes:
- Using HTK manifest templates
- Refactoring values.yaml structure
- Some other small cleanup
Change-Id: Ib7c2451b46fab20935edb1c768ac56cc6353aa16
This patch set updates the kubernetes-entrypoint image from
v0.3.0 to v0.3.1.
Change-Id: Ic278b8b91e3034173dfad805d1dc5af27e96c43e
Signed-off-by: Tin Lam <tin@irrational.io>
Updates Deckhand to use alembic to manage database upgrades.
Moves from creating tables at startup of Deckhand to the
db-sync job.
Change-Id: I6f4cb237fadc46fbee81d1c33096f48a720f589f
This sets multiple threads in Deckhand's chart config (4)
and sets workers to just 1.
Deckhand's database is not configured to work with multiprocessing.
Currently there is a data race on acquiring shared SQLAlchemy
engine pooled connection strings when workers > 1. As a
workaround, we use multiple threads but only 1 worker. For more
information, see:
https://github.com/att-comdev/deckhand/issues/20
Change-Id: I60adeffff5461fdda957124232bc5a606baae413
This patch set updates the kubernetes-entrypoint image to version
3.0.3 in line with the chart used in OpenStack-Helm in [0]. This allows
the chart to use pod dependencies.
[0] https://review.openstack.org/#/c/554268/
Change-Id: I06c874bbe1b39271a94ce1c418c8b1317080dac5
Signed-off-by: Tin Lam <tin@irrational.io>
- Seeing issues with a lot of Drydock
requests timing out and it seems to be a
downstream issue with pulling Deckhand
docs
- Add jsonpath caching as the jsonpath-ng
parser was consuming 54s of the total 56s
runtime of a rendered-documents GET call.
With caching, the call is taking closer to 2s.
- Also add a .dockerignore file to make image
building a little faster
Change-Id: I6ef84ffd946dcf2713b4f7570b985156deb1d697
We are getting the following error [1] in Armada after [0]
was merged due to missing values in values.yaml.
This patch set is meant to correct that.
[0] https://review.gerrithub.io/#/c/398810/
[1] Error Messages
2018-02-08 07:02:54.481 1 ERROR armada grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.UNKNOWN, render error in "deckhand/deployment.yaml": template: deckhand/deployment.yaml:36:62: executing "deckhand/deployment.yaml" at <include "helm-toolki...>: error calling include: template: deckhand/charts/helm-toolkit/utils/_hash.tpl:22:4: executing "helm-toolkit.utils.hash" at <include $wtf $contex...>: error calling include: template: deckhand/configmap-etc.yaml:37:20: executing "deckhand/configmap-etc.yaml" at <.Values.conf.deckhan...>: can't evaluate field api_endpoint in type interface {})>
Change-Id: Ie0aad8c2668924589fbad8865c973d86cb8779f7
- Support configured Postgres admin password
- Use secrets for database job environment setup
- Remove superuser rights from deckhand user
Change-Id: I9d8eee1af864b0e99ee7c8a01a6bba84cfcb67f9
This is to update the logging values that get provided to logging.conf
to be in line with logging in containers: outputting logging messages
to stdout and stderr.
Change-Id: Ib780a35c51cb6ba0cbb66ee8b2ea1836b83b9a61
This p.s. will allow multi-thread/worker parameters to be
configurable in the Deckhand chart so that the values can
be injected into the pod environment. This is a follow up
to the comments made in [0].
Note also that we will need multiple workers in order to
handle concurrent requests from Armada and DryDock to DeckHand
for the rendered document. Multi-threads with single worker
did not work as expected. Test results from our lab environment
suggest that 4 single-threaded workers will be sufficient
for our purpose. Hence we will use that as default override
values for now.
[0] https://review.gerrithub.io/#/c/393679/
Change-Id: I228713ec7b2ec305cbc2c761bc77125ea98e7dfa
This ps removes the last references to Kolla-Toolbox which is not
required for keystone management jobs.
Change-Id: Icc7575847c4c8b6a7893d3fd6e07bbb8264ed6b0
There have been recent changes to the Helm Toolkit which broke
the DeckHand Chart
The changes in Helm Toolkit were made to the 'images' definition
in values.yaml to facilitate adding the option to prefix image
name etc
This P.S. updates the DeckHand Chart to align with the recent
changes in Helm Toolkit
Change-Id: I0c9ddfd8b06be7dedcd030d94e381bf4e3f1d210