Revert "Revert "oran-shell-release: release image for F""
[pti/rtp.git] / meta-starlingx / meta-stx-flock / stx-openstack-armada-app / openstack-helm / 0004-Nova-chart-Support-ephemeral-pool-creation.patch
1 From 4f6701c4cab07d9f54012e2a143173803f97ff3d Mon Sep 17 00:00:00 2001
2 From: Irina Mihai <irina.mihai@windriver.com>
3 Date: Tue, 26 Feb 2019 17:43:53 +0000
4 Subject: [PATCH 04] Nova chart: Support ephemeral pool creation
5
6 If libvirt images_type is rbd, then we need to have the
7 images_rbd_pool present. These changes add a new job
8 to make sure this pool exists.
9
10 Change-Id: Iee307cb54384d1c4583d00a8d28f7b1a0676d7d8
11 Story: 2004922
12 Task: 29285
13 Signed-off-by: Irina Mihai <irina.mihai@windriver.com>
14 (cherry picked from commit 0afcb0b37cdcf57436e44867bac9242d8684ce81)
15 Signed-off-by: Robert Church <robert.church@windriver.com>
16 ---
17  nova/templates/bin/_nova-storage-init.sh.tpl |  75 +++++++++++++
18  nova/templates/configmap-bin.yaml            |   4 +-
19  nova/templates/job-storage-init.yaml         | 155 +++++++++++++++++++++++++++
20  nova/values.yaml                             |  19 +++-
21  4 files changed, 251 insertions(+), 2 deletions(-)
22  create mode 100644 nova/templates/bin/_nova-storage-init.sh.tpl
23  create mode 100644 nova/templates/job-storage-init.yaml
24
25 diff --git a/nova/templates/bin/_nova-storage-init.sh.tpl b/nova/templates/bin/_nova-storage-init.sh.tpl
26 new file mode 100644
27 index 0000000..f79fcff
28 --- /dev/null
29 +++ b/nova/templates/bin/_nova-storage-init.sh.tpl
30 @@ -0,0 +1,75 @@
31 +#!/bin/bash
32 +
33 +{{/*
34 +Copyright 2019 The Openstack-Helm Authors.
35 +
36 +Licensed under the Apache License, Version 2.0 (the "License");
37 +you may not use this file except in compliance with the License.
38 +You may obtain a copy of the License at
39 +
40 +   http://www.apache.org/licenses/LICENSE-2.0
41 +
42 +Unless required by applicable law or agreed to in writing, software
43 +distributed under the License is distributed on an "AS IS" BASIS,
44 +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
45 +See the License for the specific language governing permissions and
46 +limitations under the License.
47 +*/}}
48 +
49 +set -x
50 +if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
51 +  SECRET=$(mktemp --suffix .yaml)
52 +  KEYRING=$(mktemp --suffix .keyring)
53 +  function cleanup {
54 +      rm -f ${SECRET} ${KEYRING}
55 +  }
56 +  trap cleanup EXIT
57 +fi
58 +
59 +set -ex
60 +if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
61 +  ceph -s
62 +  function ensure_pool () {
63 +    ceph osd pool stats $1 || ceph osd pool create $1 $2
64 +    local test_version=$(ceph tell osd.* version | egrep -c "mimic|luminous" | xargs echo)
65 +    if [[ ${test_version} -gt 0 ]]; then
66 +      ceph osd pool application enable $1 $3
67 +    fi
68 +    size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
69 +    ceph osd pool set $1 nosizechange 0
70 +    ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
71 +    ceph osd pool set $1 nosizechange ${size_protection}
72 +    ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
73 +  }
74 +  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "nova-ephemeral"
75 +
76 +  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
77 +    echo "Cephx user client.${RBD_POOL_USER} already exist."
78 +    echo "Update its cephx caps"
79 +    ceph auth caps client.${RBD_POOL_USER} \
80 +      mon "profile rbd" \
81 +      osd "profile rbd"
82 +    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
83 +  else
84 +    # NOTE: Restrict Nova permissions to what is needed.
85 +    # MON Read only and RBD access to the Nova ephemeral pool only.
86 +    ceph auth get-or-create client.${RBD_POOL_USER} \
87 +      mon "profile rbd" \
88 +      osd "profile rbd" \
89 +      -o ${KEYRING}
90 +  fi
91 +
92 +  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
93 +  cat > ${SECRET} <<EOF
94 +apiVersion: v1
95 +kind: Secret
96 +metadata:
97 +  name: "${RBD_POOL_SECRET}"
98 +type: kubernetes.io/rbd
99 +data:
100 +  key: $( echo ${ENCODED_KEYRING} )
101 +EOF
102 +  kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
103 +
104 +fi
105 +
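Review bot: The cephx key ends up in the job log, because xtrace is on (`set -x`, later `set -ex`) while `USERINFO=$(ceph auth get …)` and `ENCODED_KEYRING=$(… | base64 -w0)` run, and bash prints each traced assignment with its expanded value; the `$( echo ${ENCODED_KEYRING} )` inside the heredoc is traced too. `USERINFO` is never read afterwards, so the check can be `if ceph auth get client.${RBD_POOL_USER} >/dev/null; then`, and a `set +x` before that `if` keeps the key away from anyone who can read pod logs in the namespace. Separately, the comment in the else branch promises RBD access to the Nova ephemeral pool only, but both branches grant `osd "profile rbd"` with no pool qualifier; `osd "profile rbd pool=${RBD_POOL_NAME}"` would match the stated intent.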
106 diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml
107 index c58b90b..268434f 100644
108 --- a/nova/templates/configmap-bin.yaml
109 +++ b/nova/templates/configmap-bin.yaml
110 @@ -1,5 +1,5 @@
111  {{/*
112 -Copyright 2017 The Openstack-Helm Authors.
113 +Copyright 2017-2019 The Openstack-Helm Authors.
114  
115  Licensed under the Apache License, Version 2.0 (the "License");
116  you may not use this file except in compliance with the License.
117 @@ -83,6 +83,8 @@ data:
118  {{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
119    nova-console-proxy-init-assets.sh: |
120  {{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
121 +  nova-storage-init.sh: |
122 +{{ tuple "bin/_nova-storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
123    ssh-start.sh: |
124  {{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
125    cell-setup.sh: |
126 diff --git a/nova/templates/job-storage-init.yaml b/nova/templates/job-storage-init.yaml
127 new file mode 100644
128 index 0000000..7d057fb
129 --- /dev/null
130 +++ b/nova/templates/job-storage-init.yaml
131 @@ -0,0 +1,155 @@
132 +{{/*
133 +Copyright 2019 The Openstack-Helm Authors.
134 +
135 +Licensed under the Apache License, Version 2.0 (the "License");
136 +you may not use this file except in compliance with the License.
137 +You may obtain a copy of the License at
138 +
139 +   http://www.apache.org/licenses/LICENSE-2.0
140 +
141 +Unless required by applicable law or agreed to in writing, software
142 +distributed under the License is distributed on an "AS IS" BASIS,
143 +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
144 +See the License for the specific language governing permissions and
145 +limitations under the License.
146 +*/}}
147 +
148 +{{- if .Values.manifests.job_storage_init }}
149 +{{- $envAll := . }}
150 +
151 +{{- $serviceAccountName := "nova-storage-init" }}
152 +{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
153 +---
154 +apiVersion: rbac.authorization.k8s.io/v1beta1
155 +kind: Role
156 +metadata:
157 +  name: {{ $serviceAccountName }}
158 +rules:
159 +  - apiGroups:
160 +      - ""
161 +    resources:
162 +      - secrets
163 +    verbs:
164 +      - get
165 +      - create
166 +      - update
167 +      - patch
168 +---
169 +apiVersion: rbac.authorization.k8s.io/v1beta1
170 +kind: RoleBinding
171 +metadata:
172 +  name: {{ $serviceAccountName }}
173 +roleRef:
174 +  apiGroup: rbac.authorization.k8s.io
175 +  kind: Role
176 +  name: {{ $serviceAccountName }}
177 +subjects:
178 +  - kind: ServiceAccount
179 +    name: {{ $serviceAccountName }}
180 +    namespace: {{ $envAll.Release.Namespace }}
181 +---
182 +apiVersion: batch/v1
183 +kind: Job
184 +metadata:
185 +  name: nova-storage-init
186 +spec:
187 +  template:
188 +    metadata:
189 +      labels:
190 +{{ tuple $envAll "nova" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
191 +    spec:
192 +      serviceAccountName: {{ $serviceAccountName }}
193 +      restartPolicy: OnFailure
194 +      nodeSelector:
195 +        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
196 +      initContainers:
197 +{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
198 +        {{ if or .Values.conf.ceph.enabled }}
199 +        - name: ceph-keyring-placement
200 +{{ tuple $envAll "nova_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
201 +          securityContext:
202 +            runAsUser: 0
203 +          command:
204 +            - /tmp/ceph-admin-keyring.sh
205 +          volumeMounts:
206 +            - name: etcceph
207 +              mountPath: /etc/ceph
208 +            - name: nova-bin
209 +              mountPath: /tmp/ceph-admin-keyring.sh
210 +              subPath: ceph-admin-keyring.sh
211 +              readOnly: true
212 +            {{- if empty .Values.conf.ceph.admin_keyring }}
213 +            - name: ceph-keyring
214 +              mountPath: /tmp/client-keyring
215 +              subPath: key
216 +              readOnly: true
217 +            {{ end }}
218 +        {{ end }}
219 +      containers:
220 +        {{- range $ephemeralPool := .Values.conf.ceph.ephemeral_storage.rbd_pools }}
221 +        - name: nova-storage-init-{{- $ephemeralPool.rbd_pool_name }}
222 +{{ tuple $envAll "nova_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
223 +{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
224 +          env:
225 +            - name: NAMESPACE
226 +              valueFrom:
227 +                fieldRef:
228 +                  fieldPath: metadata.namespace
229 +            {{ if and (eq $envAll.Values.conf.ceph.ephemeral_storage.type "rbd") $envAll.Values.conf.ceph.enabled }}
230 +            - name: STORAGE_BACKEND
231 +              value: {{ $envAll.Values.conf.ceph.ephemeral_storage.type }}
232 +            - name: RBD_POOL_NAME
233 +              value: {{ $ephemeralPool.rbd_pool_name | quote }}
234 +            - name: RBD_POOL_USER
235 +              value: {{ $ephemeralPool.rbd_user | quote }}
236 +            - name: RBD_POOL_CRUSH_RULE
237 +              value: {{ $ephemeralPool.rbd_crush_rule | quote }}
238 +            - name: RBD_POOL_REPLICATION
239 +              value: {{ $ephemeralPool.rbd_replication | quote }}
240 +            - name: RBD_POOL_CHUNK_SIZE
241 +              value: {{ $ephemeralPool.rbd_chunk_size | quote }}
242 +            - name: RBD_POOL_SECRET
243 +              value: {{ $envAll.Values.secrets.ephemeral | quote }}
244 +            {{- end }}
245 +          command:
246 +            - /tmp/nova-storage-init.sh
247 +          volumeMounts:
248 +            - name: nova-bin
249 +              mountPath: /tmp/nova-storage-init.sh
250 +              subPath: nova-storage-init.sh
251 +              readOnly: true
252 +            {{ if or $envAll.Values.conf.ceph.enabled }}
253 +            - name: etcceph
254 +              mountPath: /etc/ceph
255 +            - name: ceph-etc
256 +              mountPath: /etc/ceph/ceph.conf
257 +              subPath: ceph.conf
258 +              readOnly: true
259 +            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
260 +            - name: ceph-keyring
261 +              mountPath: /tmp/client-keyring
262 +              subPath: key
263 +              readOnly: true
264 +            {{- end }}
265 +            {{- end }}
266 +        {{- end }}
267 +      volumes:
268 +        - name: nova-bin
269 +          configMap:
270 +            name: nova-bin
271 +            defaultMode: 0555
272 +        {{ if or .Values.conf.ceph.enabled }}
273 +        - name: etcceph
274 +          emptyDir: {}
275 +        - name: ceph-etc
276 +          configMap:
277 +            name: {{ .Values.ceph_client.configmap }}
278 +            defaultMode: 0444
279 +        {{- if empty .Values.conf.ceph.admin_keyring }}
280 +        - name: ceph-keyring
281 +          secret:
282 +            secretName: {{ .Values.ceph_client.user_secret_name }}
283 +        {{- end }}
284 +        {{- end }}
285 +{{- end }}
286 +
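Review bot: The Role gives the nova-storage-init service account `get`, `update` and `patch` on every Secret in the release namespace, although the script it runs only applies the one secret named by `.Values.secrets.ephemeral`. Anything running in this job's containers could therefore read the other credentials stored as Secrets in that namespace. `create` cannot be limited by name in RBAC, but the remaining verbs can be scoped with `resourceNames`, as sketched below. Also worth checking: every entry in `rbd_pools` gets its own container, yet all of them receive the same `RBD_POOL_SECRET`, so with more than one pool and differing `rbd_user` values the last container to finish decides which key the secret holds.

```yaml
# … unchanged: ServiceAccount snippet, Role apiVersion/kind/metadata …
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - {{ $envAll.Values.secrets.ephemeral | quote }}
    verbs:
      - get
      - update
      - patch
# … unchanged: RoleBinding and Job …
```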
287 diff --git a/nova/values.yaml b/nova/values.yaml
288 index 7ba2925..97ef1b5 100644
289 --- a/nova/values.yaml
290 +++ b/nova/values.yaml
291 @@ -87,6 +87,7 @@ images:
292      nova_service_cleaner: 'docker.io/port/ceph-config-helper:v1.10.3'
293      nova_spiceproxy: docker.io/openstackhelm/nova:ocata-ubuntu_xenial
294      nova_spiceproxy_assets: 'docker.io/kolla/ubuntu-source-nova-spicehtml5proxy:ocata'
295 +    nova_storage_init: 'docker.io/port/ceph-config-helper:v1.10.3'
296      test: docker.io/xrally/xrally-openstack:1.3.0
297      image_repo_sync: docker.io/docker:17.07.0
298    local_registry:
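Review bot: `nova_storage_init` is referenced by the mutable tag `v1.10.3` from a personal Docker Hub namespace, and the job that runs this image can mount the Ceph client keyring and holds a service account allowed to write Secrets. Pinning it by digest (`docker.io/port/ceph-config-helper@sha256:<digest-placeholder>`) or serving it from the local registry would keep a retagged image from receiving those credentials. The neighbouring `nova_service_cleaner` entry uses the same reference, so this may be better handled chart-wide than in this hunk alone.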
299 @@ -556,6 +557,14 @@ conf:
300        user: "cinder"
301        keyring: null
302        secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
303 +    ephemeral_storage:
304 +      type: rbd
305 +      rbd_pools:
306 +      - rbd_pool_name: ephemeral
307 +        rbd_user: ephemeral
308 +        rbd_crush_rule: 0
309 +        rbd_replication: 3
310 +        rbd_chunk_size: 64
311    ssh: |
312      Host *
313        StrictHostKeyChecking no
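Review bot: The new `ephemeral_storage` keys carry no comments, and `rbd_chunk_size` is misleading: `_nova-storage-init.sh.tpl` passes it as the second argument of `ceph osd pool create`, which is the placement-group count rather than a chunk size. A comment above the list such as `# rbd_chunk_size: pg_num passed to 'ceph osd pool create'` would prevent operators from sizing it wrongly. It would also help to state that `rbd_replication` becomes the pool `size` and that `rbd_user` is the cephx client whose key is stored in the secret named by `secrets.ephemeral`.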
314 @@ -1797,6 +1806,7 @@ secrets:
315      placement:
316        placement:
317          public: placement-tls-public
318 +  ephemeral: nova-ephemeral
319  
320  # typically overridden by environmental
321  # values, but should include all endpoints
322 @@ -2482,7 +2492,13 @@ pod:
323          limits:
324            memory: "1024Mi"
325            cpu: "2000m"
326 -
327 +      storage_init:
328 +        requests:
329 +          memory: "128Mi"
330 +          cpu: "100m"
331 +        limits:
332 +          memory: "1024Mi"
333 +          cpu: "2000m"
334  network_policy:
335    nova:
336      # TODO(lamt): Need to tighten this ingress for security.
337 @@ -2545,6 +2561,7 @@ manifests:
338    job_ks_placement_service: true
339    job_ks_placement_user: true
340    job_cell_setup: true
341 +  job_storage_init: true
342    pdb_metadata: true
343    pdb_placement: true
344    pdb_osapi: true
345 -- 
346 2.7.4
347