From 1ecc905b65a8fda8f6f855e58afd3c81081dce0f Mon Sep 17 00:00:00 2001 
From: Renis Date: Sat, 3 Feb 2018 21:16:34 -0800 Subject: [PATCH] Rabbitmq Credential Management - This PS implements job to create new user for each chart Change-Id: I7335ba4ad4bc9f70871100dbd9e6f030049abe07 --- barbican/templates/configmap-bin.yaml | 2 + barbican/templates/job-rabbit-init.yaml | 19 +++++ barbican/templates/secret-rabbitmq.yaml | 30 +++++++ barbican/values.yaml | 24 +++++- ceilometer/templates/configmap-bin.yaml | 2 + ceilometer/templates/job-rabbit-init.yaml | 19 +++++ ceilometer/templates/secret-rabbitmq.yaml | 30 +++++++ ceilometer/values.yaml | 24 +++++- cinder/templates/configmap-bin.yaml | 2 + cinder/templates/job-rabbit-init.yaml | 19 +++++ cinder/templates/secret_rabbitmq.yaml | 30 +++++++ cinder/values.yaml | 24 +++++- congress/templates/configmap-bin.yaml | 2 + congress/templates/job-rabbit-init.yaml | 19 +++++ congress/templates/secret-rabbitmq.yaml | 30 +++++++ congress/values.yaml | 24 +++++- glance/templates/configmap-bin.yaml | 2 + glance/templates/job-rabbit-init.yaml | 19 +++++ glance/templates/secret-rabbitmq.yaml | 30 +++++++ glance/values.yaml | 25 +++++- heat/templates/configmap-bin.yaml | 2 + heat/templates/job-rabbit-init.yaml | 19 +++++ heat/templates/secret-rabbitmq.yaml | 30 +++++++ heat/values.yaml | 24 +++++- .../manifests/_job-rabbit-init.yaml.tpl | 74 +++++++++++++++++ .../templates/scripts/_rabbit-init.sh.tpl | 67 ++++++++++++++++ ironic/templates/configmap-bin.yaml | 2 + ironic/templates/job-rabbit-init.yaml | 19 +++++ ironic/templates/secret-rabbitmq.yaml | 30 +++++++ ironic/values.yaml | 24 +++++- keystone/templates/configmap-bin.yaml | 2 + keystone/templates/job-rabbit-init.yaml | 19 +++++ keystone/templates/secret-rabbitmq.yaml | 30 +++++++ keystone/values.yaml | 24 +++++- magnum/templates/configmap-bin.yaml | 2 + magnum/templates/job-rabbit-init.yaml | 19 +++++ magnum/templates/secret-rabbitmq.yaml | 30 +++++++ magnum/values.yaml | 25 +++++- mistral/templates/configmap-bin.yaml | 2 + 
mistral/templates/job-rabbit-init.yaml | 19 +++++ mistral/templates/secret-rabbitmq.yaml | 30 +++++++ mistral/values.yaml | 24 +++++- neutron/templates/configmap-bin.yaml | 2 + neutron/templates/job-rabbit-init.yaml | 19 +++++ neutron/templates/secret_rabbitmq.yaml | 30 +++++++ neutron/values.yaml | 35 +++++++- nova/templates/configmap-bin.yaml | 2 + nova/templates/job-rabbit-init.yaml | 19 +++++ nova/templates/secret_rabbitmq.yaml | 30 +++++++ nova/values.yaml | 31 +++++++- senlin/templates/configmap-bin.yaml | 2 + senlin/templates/job-rabbit-init.yaml | 19 +++++ senlin/templates/secret-rabbitmq.yaml | 30 +++++++ senlin/values.yaml | 24 +++++- tools/deployment/armada/generate-passwords.sh | 14 ++-- .../armada/multinode/armada-osh.yaml | 79 ++++++++++++------- 56 files changed, 1181 insertions(+), 48 deletions(-) create mode 100644 barbican/templates/job-rabbit-init.yaml create mode 100644 barbican/templates/secret-rabbitmq.yaml create mode 100644 ceilometer/templates/job-rabbit-init.yaml create mode 100644 ceilometer/templates/secret-rabbitmq.yaml create mode 100644 cinder/templates/job-rabbit-init.yaml create mode 100644 cinder/templates/secret_rabbitmq.yaml create mode 100644 congress/templates/job-rabbit-init.yaml create mode 100644 congress/templates/secret-rabbitmq.yaml create mode 100644 glance/templates/job-rabbit-init.yaml create mode 100644 glance/templates/secret-rabbitmq.yaml create mode 100644 heat/templates/job-rabbit-init.yaml create mode 100644 heat/templates/secret-rabbitmq.yaml create mode 100644 helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl create mode 100644 helm-toolkit/templates/scripts/_rabbit-init.sh.tpl create mode 100644 ironic/templates/job-rabbit-init.yaml create mode 100644 ironic/templates/secret-rabbitmq.yaml create mode 100644 keystone/templates/job-rabbit-init.yaml create mode 100644 keystone/templates/secret-rabbitmq.yaml create mode 100644 magnum/templates/job-rabbit-init.yaml create mode 100644 
magnum/templates/secret-rabbitmq.yaml create mode 100644 mistral/templates/job-rabbit-init.yaml create mode 100644 mistral/templates/secret-rabbitmq.yaml create mode 100644 neutron/templates/job-rabbit-init.yaml create mode 100644 neutron/templates/secret_rabbitmq.yaml create mode 100644 nova/templates/job-rabbit-init.yaml create mode 100644 nova/templates/secret_rabbitmq.yaml create mode 100644 senlin/templates/job-rabbit-init.yaml create mode 100644 senlin/templates/secret-rabbitmq.yaml diff --git a/barbican/templates/configmap-bin.yaml b/barbican/templates/configmap-bin.yaml index 8ef11d7126..87608f7a14 100644 --- a/barbican/templates/configmap-bin.yaml +++ b/barbican/templates/configmap-bin.yaml @@ -42,4 +42,6 @@ data: {{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }} ks-user.sh: | {{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/barbican/templates/job-rabbit-init.yaml b/barbican/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..9d6ad6192d --- /dev/null +++ b/barbican/templates/job-rabbit-init.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "barbican" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} 
diff --git a/barbican/templates/secret-rabbitmq.yaml b/barbican/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..8ca01d12f6 --- /dev/null +++ b/barbican/templates/secret-rabbitmq.yaml @@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "barbican" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/barbican/values.yaml b/barbican/values.yaml index de8797667c..0fe9fdc889 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -35,6 +35,7 @@ images: ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton barbican_api: docker.io/openstackhelm/barbican:newton + rabbit_init: docker.io/rabbitmq:3.7-management pull_policy: "IfNotPresent" pod: @@ -108,6 +109,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" ks_endpoints: requests: memory: "128Mi" 
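Review bot: The `range` over `tuple "admin" "barbican"` in secret-rabbitmq.yaml writes the broker's admin connection string into a Secret owned by this chart, so every chart carrying this template holds its own copy of the RabbitMQ admin credential (the ceilometer, cinder, congress, glance and heat copies later in the patch are identical). Anyone who can read Secrets where one of these services is deployed can then administer the shared broker, and rotating the admin password means touching every release. The URI is also built with the `http` scheme against the management port, so the credentials travel unencrypted unless TLS is provided somewhere this patch does not show. Above the `range` I would add `{{/* NOTE: the admin entry grants full broker control; restrict read access to this Secret */}}`.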
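Review bot: `rabbit_init: docker.io/rabbitmq:3.7-management` in the `images:` hunk is a mutable tag pulled from a public registry, and the job that runs this image is handed the broker admin connection string through `RABBITMQ_ADMIN_CONNECTION`. The neighbouring entries are tag-only as well, so this follows the file's convention, but an image that receives admin credentials is worth pinning by digest: `rabbit_init: docker.io/rabbitmq:3.7-management@sha256:<DIGEST_PLACEHOLDER>`. The same line is added to the ceilometer, cinder, congress, glance and heat values files.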
@@ -195,6 +203,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal conf: paste: @@ -390,6 +402,9 @@ secrets: oslo_db: admin: barbican-db-admin barbican: barbican-db-user + oslo_messaging: + admin: barbican-rabbitmq-admin + barbican: barbican-rabbitmq-user endpoints: cluster_domain_suffix: cluster.local @@ -459,9 +474,12 @@ endpoints: default: 3306 oslo_messaging: auth: - barbican: + admin: username: rabbitmq password: password + barbican: + username: barbican + password: password hosts: default: rabbitmq host_fqdn_override: @@ -471,6 +489,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 oslo_cache: hosts: default: memcached @@ -489,6 +509,7 @@ manifests: job_db_init: true job_db_sync: true job_db_drop: false + job_rabbit_init: true job_ks_endpoints: true job_ks_service: true job_ks_user: true @@ -496,5 +517,6 @@ manifests: pod_test: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_ingress_api: true service_api: true diff --git a/ceilometer/templates/configmap-bin.yaml b/ceilometer/templates/configmap-bin.yaml index b4bcf38d57..67a300caaf 100644 --- a/ceilometer/templates/configmap-bin.yaml +++ b/ceilometer/templates/configmap-bin.yaml @@ -51,4 +51,6 @@ data: {{ tuple "bin/_ceilometer-compute.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} ceilometer-notification.sh: | {{ tuple "bin/_ceilometer-notification.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/ceilometer/templates/job-rabbit-init.yaml b/ceilometer/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..e9a6a45b8f --- /dev/null +++ b/ceilometer/templates/job-rabbit-init.yaml 
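Review bot: In the `oslo_messaging` `auth:` hunk the new `barbican` user ships with `password: password`, the same literal the `admin` entry keeps. Going by the commit message, the init job creates that broker user, so a deployment that does not override these values ends up with a guessable account. Neither entry is marked as a placeholder; I would add `# placeholder credentials: override per deployment, e.g. with tools/deployment/armada/generate-passwords.sh` above `auth:`. That script is changed by this patch but its diff is outside this view, so whether it covers both the admin and the per-service entries should be confirmed. The ceilometer, cinder, congress, glance and heat values files add the same defaults.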
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "ceilometer" -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/ceilometer/templates/secret-rabbitmq.yaml b/ceilometer/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000000..94aaf2d522
--- /dev/null
+++ b/ceilometer/templates/secret-rabbitmq.yaml
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "ceilometer" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index a41699074b..ea05c9f5ea 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -46,6 +46,7 @@ images: db_init_mongodb: docker.io/mongo:3.4.9-jessie db_init: docker.io/kolla/ubuntu-source-ceilometer-api:3.0.3 ceilometer_db_sync: docker.io/kolla/ubuntu-source-ceilometer-api:3.0.3 + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -1576,6 +1577,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal notification: jobs: - ceilometer-db-init-mongodb 
@@ -1612,6 +1617,9 @@ secrets: mongodb: admin: ceilometer-mongodb-admin ceilometer: ceilometer-mongodb-user + oslo_messaging: + admin: ceilometer-rabbitmq-admin + ceilometer: ceilometer-rabbitmq-user bootstrap: enabled: false @@ -1768,9 +1776,12 @@ endpoints: default: 11211 oslo_messaging: auth: - ceilometer: + admin: username: rabbitmq password: password + ceilometer: + username: ceilometer + password: password hosts: default: rabbitmq host_fqdn_override: @@ -1780,6 +1791,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 pod: affinity: @@ -1886,6 +1899,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" ks_endpoints: requests: memory: "124Mi" @@ -1931,10 +1951,12 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + job_rabbit_init: true pdb_api: true pod_rally_test: true secret_db: true secret_keystone: true secret_mongodb: true + secret_rabbitmq: true service_api: true service_ingress_api: true diff --git a/cinder/templates/configmap-bin.yaml b/cinder/templates/configmap-bin.yaml index b0701c6609..acbdf47387 100644 --- a/cinder/templates/configmap-bin.yaml +++ b/cinder/templates/configmap-bin.yaml @@ -61,4 +61,6 @@ data: bootstrap.sh: | {{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/cinder/templates/job-rabbit-init.yaml b/cinder/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..e4a7266d27 --- /dev/null +++ b/cinder/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/cinder/templates/secret_rabbitmq.yaml b/cinder/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000000..5f8a22bd34
--- /dev/null
+++ b/cinder/templates/secret_rabbitmq.yaml
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "cinder" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index b3f2b6b6bd..70fca277ad 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -47,6 +47,7 @@ images: db_init: docker.io/openstackhelm/heat:newton cinder_db_sync: docker.io/openstackhelm/cinder:newton db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -154,6 +155,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" db_init: requests: memory: "128Mi" @@ -568,6 +576,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal scheduler: jobs: - cinder-db-sync 
@@ -622,6 +634,9 @@ secrets: rbd: backup: cinder-backup-rbd-keyring volume: cinder-volume-rbd-keyring + oslo_messaging: + admin: cinder-rabbitmq-admin + cinder: cinder-rabbitmq-user # We use a different layout of the endpoints here to account for versioning # this swaps the service name and type, and should be rolled out to other @@ -762,9 +777,12 @@ endpoints: default: 3306 oslo_messaging: auth: - cinder: + admin: username: rabbitmq password: password + cinder: + username: cinder + password: password hosts: default: rabbitmq host_fqdn_override: @@ -774,6 +792,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 oslo_cache: hosts: default: memcached @@ -796,6 +816,7 @@ manifests: job_bootstrap: true job_clean: true job_db_init: true + job_rabbit_init: true job_db_sync: true job_db_drop: false job_ks_endpoints: true @@ -807,5 +828,6 @@ manifests: pvc_backup: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_api: true service_ingress_api: true diff --git a/congress/templates/configmap-bin.yaml b/congress/templates/configmap-bin.yaml index 32af460f40..ff7603d79e 100644 --- a/congress/templates/configmap-bin.yaml +++ b/congress/templates/configmap-bin.yaml @@ -46,4 +46,6 @@ data: {{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }} ks-user.sh: | {{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/congress/templates/job-rabbit-init.yaml b/congress/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..0b7d0feca1 --- /dev/null +++ b/congress/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "congress" -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/congress/templates/secret-rabbitmq.yaml b/congress/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000000..9c629ea9d4
--- /dev/null
+++ b/congress/templates/secret-rabbitmq.yaml
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "congress" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/congress/values.yaml b/congress/values.yaml index ba172c7cea..a28c8f0861 100644 --- a/congress/values.yaml +++ b/congress/values.yaml @@ -41,6 +41,7 @@ images: db_init: docker.io/openstackhelm/heat:newton congress_db_sync: docker.io/openstackhelm/congress:newton db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -130,6 +131,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal policy_engine: jobs: - congress-db-sync 
@@ -159,6 +164,9 @@ secrets: admin: congress-db-admin congress: congress-db-user rbd: images-rbd-keyring + oslo_messaging: + admin: congress-rabbitmq-admin + congress: congress-rabbitmq-user bootstrap: enabled: false @@ -242,9 +250,12 @@ endpoints: default: 11211 oslo_messaging: auth: - congress: + admin: username: rabbitmq password: password + congress: + username: congress + password: password hosts: default: rabbitmq host_fqdn_override: @@ -254,6 +265,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 policy: datasource_services: @@ -403,6 +416,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" ks_user: requests: memory: "128Mi" @@ -450,6 +470,7 @@ manifests: job_db_init: true job_db_sync: true job_ds_create: true + job_rabbit_init: true job_ks_endpoints: true job_ks_service: true job_ks_user: true @@ -457,3 +478,4 @@ manifests: secret_keystone: true service_api: true service_ingress_api: true + secret_rabbitmq: true diff --git a/glance/templates/configmap-bin.yaml b/glance/templates/configmap-bin.yaml index a272b4d779..bf8dea148b 100644 --- a/glance/templates/configmap-bin.yaml +++ b/glance/templates/configmap-bin.yaml @@ -55,4 +55,6 @@ data: {{ tuple "bin/_clean-image.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} clean-secrets.sh: | {{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/glance/templates/job-rabbit-init.yaml b/glance/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..de06a8d5ff --- /dev/null +++ b/glance/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "glance" -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/glance/templates/secret-rabbitmq.yaml b/glance/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000000..d58651260c
--- /dev/null
+++ b/glance/templates/secret-rabbitmq.yaml
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "glance" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/glance/values.yaml b/glance/values.yaml index 27cf8321fc..7393eb7e4e 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -46,6 +46,7 @@ images: ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management glance_api: docker.io/openstackhelm/glance:newton glance_registry: docker.io/openstackhelm/glance:newton # Bootstrap image requires curl @@ -356,6 +357,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal registry: jobs: - glance-storage-init 
@@ -390,6 +395,10 @@ secrets: admin: glance-db-admin glance: glance-db-user rbd: images-rbd-keyring + oslo_messaging: + admin: glance-rabbitmq-admin + glance: glance-rabbitmq-user + # typically overriden by environmental # values, but should include all endpoints @@ -493,9 +502,12 @@ endpoints: default: 11211 oslo_messaging: auth: - glance: + admin: username: rabbitmq password: password + glance: + username: glance + password: password hosts: default: rabbitmq host_fqdn_override: @@ -505,6 +517,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 ceph_object_store: name: radosgw namespace: ceph @@ -632,6 +646,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" bootstrap: requests: memory: "128Mi" @@ -663,12 +684,14 @@ manifests: job_ks_service: true job_ks_user: true job_storage_init: true + job_rabbit_init: true pdb_api: true pdb_registry: true pod_rally_test: true pvc_images: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_ingress_api: true service_ingress_registry: true service_api: true diff --git a/heat/templates/configmap-bin.yaml b/heat/templates/configmap-bin.yaml index 6a79419c99..b7079ba7bd 100644 --- a/heat/templates/configmap-bin.yaml +++ b/heat/templates/configmap-bin.yaml @@ -52,4 +52,6 @@ data: {{ tuple "bin/_heat-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} heat-engine-cleaner.sh: | {{ tuple "bin/_heat-engine-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/heat/templates/job-rabbit-init.yaml b/heat/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..154993ccb8 --- /dev/null +++ b/heat/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "heat" -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/heat/templates/secret-rabbitmq.yaml b/heat/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000000..65da5ef843
--- /dev/null
+++ b/heat/templates/secret-rabbitmq.yaml
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "heat" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/heat/values.yaml b/heat/values.yaml index 2e4a6802e5..d8848e1e64 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -42,6 +42,7 @@ images: db_init: docker.io/openstackhelm/heat:newton heat_db_sync: docker.io/openstackhelm/heat:newton db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -365,6 +366,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal trusts: jobs: - heat-ks-user 
@@ -384,6 +389,9 @@ secrets: oslo_db: admin: heat-db-admin heat: heat-db-user + oslo_messaging: + admin: heat-rabbitmq-admin + heat: heat-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -510,9 +518,12 @@ endpoints: default: 11211 oslo_messaging: auth: - heat: + admin: username: rabbitmq password: password + heat: + username: heat + password: password hosts: default: rabbitmq host_fqdn_override: @@ -522,6 +533,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 pod: user: @@ -664,6 +677,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" tests: requests: memory: "128Mi" @@ -706,11 +726,13 @@ manifests: job_ks_user_domain: true job_ks_user_trustee: true job_ks_user: true + job_rabbit_init: true pdb_api: true pdb_cfn: true pdb_cloudwatch: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_api: true service_cfn: true service_cloudwatch: true diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl new file mode 100644 index 0000000000..bbbde4f8b4 --- /dev/null +++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl 
@@ -0,0 +1,74 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.manifests.job_rabbit_init" -}} +{{- $envAll := index . "envAll" -}} +{{- $serviceName := index . "serviceName" -}} +{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} +{{- $dependencies := index . "dependencies" | default $envAll.Values.dependencies.static.rabbit_init -}} +{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $serviceUser := index . 
"serviceUser" | default $serviceName -}} +{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} + +{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }} +spec: + template: + metadata: + labels: +{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure + nodeSelector: +{{ toYaml $nodeSelector | indent 8 }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: rabbit-init + image: {{ $envAll.Values.images.tags.rabbit_init | quote }} + imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /tmp/rabbit-init.sh + volumeMounts: + - name: rabbit-init-sh + mountPath: /tmp/rabbit-init.sh + subPath: rabbit-init.sh + readOnly: true + env: + - name: RABBITMQ_ADMIN_CONNECTION + valueFrom: + secretKeyRef: + name: {{ $envAll.Values.secrets.oslo_messaging.admin }} + key: RABBITMQ_CONNECTION + - name: RABBITMQ_USER_CONNECTION + valueFrom: + secretKeyRef: + name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }} + key: RABBITMQ_CONNECTION + volumes: + - name: rabbit-init-sh + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + +{{- end -}} diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl new file mode 100644 index 0000000000..6c45dba444 --- /dev/null 
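Review bot: The `RABBITMQ_USER_CONNECTION` secretKeyRef is resolved with `index $envAll.Values.secrets.oslo_messaging $serviceName`, while the Job and ServiceAccount names come from `$serviceUser`, so a caller that passes a `serviceUser` different from `serviceName` gets a job named for one user that provisions another. Using `$serviceUser` in that `index` would keep the two in step, assuming the `secrets.oslo_messaging` map is keyed by user as the values.yaml hunks suggest. The two `secretKeyRef` `name:` values are also rendered without `| quote`, unlike the other names in this template. With `restartPolicy: OnFailure` and no `backoffLimit` or `activeDeadlineSeconds`, a job that keeps failing is retried with the admin URI in its environment each time; a bounded retry count would be worth setting.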
+++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl 
@@ -0,0 +1,67 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "helm-toolkit.scripts.rabbit_init" }} +#!/bin/bash +set -ex + +# Extract connection details +RABBIT_HOSTNAME=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $2}' \ + | awk -F'[:/]' '{print $1}'` +RABBIT_PORT=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $2}' \ + | awk -F'[:/]' '{print $2}'` + +# Extract Admin User creadential +RABBITMQ_ADMIN_USERNAME=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $1}' \ + | awk -F'[//:]' '{print $4}'` +RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $1}' \ + | awk -F'[//:]' '{print $5}'` + +# Extract User creadential +RABBITMQ_USERNAME=`echo $RABBITMQ_USER_CONNECTION | awk -F'[@]' '{print $1}' \ + | awk -F'[//:]' '{print $4}'` +RABBITMQ_PASSWORD=`echo $RABBITMQ_USER_CONNECTION | awk -F'[@]' '{print $1}' \ + | awk -F'[//:]' '{print $5}'` + +# Using admin creadential, list current rabbitmq users +rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ + --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \ + list users + +# if user already exist, credentials will be overwritten +# Using admin creadential, adding new admin rabbitmq user" +rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ + --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \ + declare user name=$RABBITMQ_USERNAME password=$RABBITMQ_PASSWORD \ + 
tags="administrator" + +# Declare permissions for new user +rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ + --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \ + declare permission vhost="/" user=$RABBITMQ_USERNAME \ + configure=".*" write=".*" read=".*" + +# Using new user creadential, list current rabbitmq users +rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ + --username=$RABBITMQ_USERNAME --password=$RABBITMQ_PASSWORD \ + list users + +# Using new user creadential, list permissions +rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ + --username=$RABBITMQ_USERNAME --password=$RABBITMQ_PASSWORD \ + list permissions + +{{- end }} diff --git a/ironic/templates/configmap-bin.yaml b/ironic/templates/configmap-bin.yaml index ef919405a5..c74b4f8a08 100644 --- a/ironic/templates/configmap-bin.yaml +++ b/ironic/templates/configmap-bin.yaml @@ -54,4 +54,6 @@ data: {{ tuple "bin/_ironic-conductor-http.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} ironic-conductor-http-init.sh: | {{ tuple "bin/_ironic-conductor-http-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/ironic/templates/job-rabbit-init.yaml b/ironic/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..b46dbaeb23 --- /dev/null +++ b/ironic/templates/job-rabbit-init.yaml 
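Review bot: `set -ex` at the top of rabbit-init.sh makes bash trace every command after expansion, so each `rabbitmqadmin ... --password=$RABBITMQ_ADMIN_PASSWORD` call and the `declare user ... password=$RABBITMQ_PASSWORD` call is written to the job's pod log with the admin and service passwords in clear text; `set -e` alone keeps the fail-fast behaviour. The per-service account is declared with `tags="administrator"` and `.*` configure/write/read on vhost `/`, which gives every chart's user the same reach as the admin account that created it. `tags=""` would create an ordinary user, though the closing `list users` and `list permissions` checks run as the new user and would likely need replacing, since they appear to depend on that tag. The awk splitting on `@`, `:` and `/` also mis-parses any password containing one of those characters, and none of the expansions are quoted, so the script should either quote them and parse more strictly or carry a comment stating which characters a password may contain.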
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "ironic" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/ironic/templates/secret-rabbitmq.yaml b/ironic/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..211c5890b4 --- /dev/null +++ b/ironic/templates/secret-rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "ironic" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/ironic/values.yaml b/ironic/values.yaml index 1d608d5af8..66cda3da71 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml @@ -39,6 +39,7 @@ images: ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ironic_api: docker.io/openstackhelm/ironic:newton ironic_conductor: docker.io/openstackhelm/ironic:newton ironic_pxe: docker.io/openstackhelm/ironic:newton @@ -209,6 +210,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal manage_cleaning_network: services: - endpoint: internal 
@@ -222,6 +227,9 @@ secrets: oslo_db: admin: ironic-db-admin ironic: ironic-db-user + oslo_messaging: + admin: ironic-rabbitmq-admin + ironic: ironic-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -336,9 +344,12 @@ endpoints: default: 11211 oslo_messaging: auth: - ironic: + admin: username: rabbitmq password: password + ironic: + username: ironic + password: password hosts: default: rabbitmq host_fqdn_override: @@ -348,6 +359,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 network: name: neutron hosts: @@ -457,6 +470,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" tests: requests: memory: "128Mi" @@ -477,9 +497,11 @@ manifests: job_ks_service: true job_ks_user: true job_manage_cleaning_network: true + job_rabbit_init: true pdb_api: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_api: true service_ingress_api: true statefulset_conductor: true diff --git a/keystone/templates/configmap-bin.yaml b/keystone/templates/configmap-bin.yaml index 95ba454871..99d3a6652f 100644 --- a/keystone/templates/configmap-bin.yaml +++ b/keystone/templates/configmap-bin.yaml @@ -45,4 +45,6 @@ data: {{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} domain-manage.sh: | {{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/keystone/templates/job-rabbit-init.yaml b/keystone/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..758bd06ca0 --- /dev/null +++ b/keystone/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/keystone/templates/secret-rabbitmq.yaml b/keystone/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..1c03bb59e2 --- /dev/null +++ b/keystone/templates/secret-rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "keystone" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 254cc6f07d..d2abe1d364 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -35,6 +35,7 @@ images: keystone_db_sync: docker.io/openstackhelm/keystone:newton db_drop: docker.io/openstackhelm/heat:newton ks_user: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management keystone_fernet_setup: docker.io/openstackhelm/keystone:newton keystone_fernet_rotate: docker.io/openstackhelm/keystone:newton keystone_credential_setup: docker.io/openstackhelm/keystone:newton @@ -111,6 +112,10 @@ dependencies: services: - endpoint: internal service: oslo_db + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal domain_manage: services: - endpoint: internal 
@@ -223,6 +228,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" tests: requests: memory: "128Mi" @@ -734,6 +746,9 @@ secrets: oslo_db: admin: keystone-db-admin keystone: keystone-db-user + oslo_messaging: + admin: keystone-rabbitmq-admin + keystone: keystone-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -794,9 +809,12 @@ endpoints: oslo_messaging: namespace: null auth: - keystone: + admin: username: rabbitmq password: password + keystone: + username: keystone + password: password hosts: default: rabbitmq host_fqdn_override: @@ -806,6 +824,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 oslo_cache: namespace: null hosts: @@ -830,11 +850,13 @@ manifests: job_db_drop: false job_domain_manage: true job_fernet_setup: true + job_rabbit_init: true pdb_api: true pod_rally_test: true secret_credential_keys: true secret_db: true secret_fernet_keys: true secret_keystone: true + secret_rabbitmq: true service_ingress_api: true service_api: true diff --git a/magnum/templates/configmap-bin.yaml b/magnum/templates/configmap-bin.yaml index e83fa067f2..7129a3b3d5 100644 --- a/magnum/templates/configmap-bin.yaml +++ b/magnum/templates/configmap-bin.yaml @@ -42,4 +42,6 @@ data: {{ tuple "bin/_magnum-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} magnum-conductor.sh: | {{ tuple "bin/_magnum-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/magnum/templates/job-rabbit-init.yaml b/magnum/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..758778519b --- /dev/null +++ b/magnum/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "magnum" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/magnum/templates/secret-rabbitmq.yaml b/magnum/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..fe335be3f6 --- /dev/null +++ b/magnum/templates/secret-rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "magnum" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/magnum/values.yaml b/magnum/values.yaml index 6f4f06779c..82c608f948 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -36,6 +36,7 @@ images: db_init: docker.io/openstackhelm/heat:newton magnum_db_sync: docker.io/openstackhelm/magnum:newton db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -186,7 +187,10 @@ dependencies: services: - endpoint: internal service: identity - + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal # Names of secrets used by bootstrap and environmental checks secrets: identity: 
@@ -195,6 +199,9 @@ secrets: oslo_db: admin: magnum-db-admin magnum: magnum-db-user + oslo_messaging: + admin: magnum-rabbitmq-admin + magnum: magnum-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -275,9 +282,12 @@ endpoints: default: 11211 oslo_messaging: auth: - magnum: + admin: username: rabbitmq password: password + magnum: + username: magnum + password: password hosts: default: rabbitmq host_fqdn_override: @@ -287,6 +297,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 pod: user: @@ -391,6 +403,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" tests: requests: memory: "128Mi" @@ -411,9 +430,11 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + job_rabbit_init: true pdb_api: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_api: true service_ingress_api: true statefulset_conductor: true diff --git a/mistral/templates/configmap-bin.yaml b/mistral/templates/configmap-bin.yaml index 04a5055b85..825a7aabaf 100644 --- a/mistral/templates/configmap-bin.yaml +++ b/mistral/templates/configmap-bin.yaml @@ -46,4 +46,6 @@ data: {{ tuple "bin/_mistral-event-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} mistral-executor.sh: | {{ tuple "bin/_mistral-executor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/mistral/templates/job-rabbit-init.yaml b/mistral/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..2ff81cdb39 --- /dev/null +++ b/mistral/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "mistral" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/mistral/templates/secret-rabbitmq.yaml b/mistral/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..2108936663 --- /dev/null +++ b/mistral/templates/secret-rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "mistral" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/mistral/values.yaml b/mistral/values.yaml index 34a8a0cdc4..b0dc5741bd 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml @@ -43,6 +43,7 @@ images: db_init: docker.io/openstackhelm/heat:newton mistral_db_sync: docker.io/kolla/ubuntu-source-mistral-api:3.0.3 db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -139,6 +140,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal # Names of secrets used by bootstrap and environmental checks secrets: 
@@ -148,6 +153,9 @@ secrets: oslo_db: admin: mistral-db-admin mistral: mistral-db-user + oslo_messaging: + admin: mistral-rabbitmq-admin + mistral: mistral-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -220,9 +228,12 @@ endpoints: default: 3306 oslo_messaging: auth: - mistral: + admin: username: rabbitmq password: password + mistral: + username: mistral + password: password hosts: default: rabbitmq host_fqdn_override: @@ -232,6 +243,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 oslo_cache: hosts: default: memcached @@ -434,6 +447,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" tests: requests: memory: "128Mi" @@ -455,9 +475,11 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + job_rabbit_init: true pdb_api: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_ingress_api: true service_api: true statefulset_engine: true diff --git a/neutron/templates/configmap-bin.yaml b/neutron/templates/configmap-bin.yaml index cafa223ef4..7e4f922ae1 100644 --- a/neutron/templates/configmap-bin.yaml +++ b/neutron/templates/configmap-bin.yaml @@ -63,4 +63,6 @@ data: {{ tuple "bin/_neutron-openvswitch-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-server.sh: | {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/neutron/templates/job-rabbit-init.yaml b/neutron/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..5e1b7285fb --- /dev/null +++ b/neutron/templates/job-rabbit-init.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "neutron" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/neutron/templates/secret_rabbitmq.yaml b/neutron/templates/secret_rabbitmq.yaml new file mode 100644 index 0000000000..95aa1eb47f --- /dev/null +++ b/neutron/templates/secret_rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "neutron" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index 9523a58114..509a4c200c 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -26,6 +26,7 @@ images: db_init: docker.io/openstackhelm/heat:newton neutron_db_sync: docker.io/openstackhelm/neutron:newton db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -157,6 +158,8 @@ dependencies: service: oslo_db dhcp: daemonset: null + jobs: + - neutron-rabbit-init services: - endpoint: internal service: oslo_messaging 
@@ -178,8 +181,14 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal l3: daemonset: null + jobs: + - neutron-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -188,6 +197,8 @@ dependencies: - endpoint: internal service: compute lb_agent: + jobs: + - neutron-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -195,6 +206,8 @@ dependencies: service: network metadata: daemonset: null + jobs: + - neutron-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -205,6 +218,8 @@ dependencies: - endpoint: public service: compute_metadata ovs_agent: + jobs: + - neutron-rabbit-init daemonset: - openvswitch-vswitchd - openvswitch-db @@ -218,6 +233,7 @@ dependencies: - neutron-db-sync - neutron-ks-user - neutron-ks-endpoints + - neutron-rabbit-init services: - endpoint: internal service: oslo_db @@ -367,6 +383,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" db_sync: requests: memory: "128Mi" @@ -1040,6 +1063,9 @@ secrets: oslo_db: admin: neutron-db-admin neutron: neutron-db-user + oslo_messaging: + admin: neutron-rabbitmq-admin + neutron: neutron-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -1065,8 +1091,11 @@ endpoints: default: 3306 oslo_messaging: auth: + admin: + username: rabbitmq + password: password neutron: - username: rabbitmq + username: neutron password: password hosts: default: rabbitmq @@ -1077,6 +1106,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 oslo_cache: hosts: default: memcached 
@@ -1197,9 +1228,11 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + job_rabbit_init: true pdb_server: true pod_rally_test: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_ingress_server: true service_server: true diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml index b892dc449b..efb24cc67a 100644 --- a/nova/templates/configmap-bin.yaml +++ b/nova/templates/configmap-bin.yaml @@ -79,4 +79,6 @@ data: {{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} cell-setup.sh: | {{ tuple "bin/_cell-setup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/nova/templates/job-rabbit-init.yaml b/nova/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..441d13ddb8 --- /dev/null +++ b/nova/templates/job-rabbit-init.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "nova" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/nova/templates/secret_rabbitmq.yaml b/nova/templates/secret_rabbitmq.yaml new file mode 100644 index 0000000000..623b6779f2 --- /dev/null +++ b/nova/templates/secret_rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "nova" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/nova/values.yaml b/nova/values.yaml index 88fe543f4c..3acc561dfa 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -65,6 +65,7 @@ images: db_drop: docker.io/openstackhelm/heat:newton db_init: docker.io/openstackhelm/heat:newton dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.2.1' + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -199,6 +200,7 @@ dependencies: - nova-db-sync - nova-ks-user - nova-ks-endpoints + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -217,6 +219,7 @@ dependencies: cell_setup: jobs: - nova-db-sync + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging 
@@ -231,6 +234,7 @@ dependencies: - libvirt jobs: - nova-db-sync + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -243,6 +247,7 @@ dependencies: compute_ironic: jobs: - nova-db-sync + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -257,6 +262,7 @@ dependencies: conductor: jobs: - nova-db-sync + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -269,6 +275,7 @@ dependencies: consoleauth: jobs: - nova-db-sync + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -306,6 +313,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal novncproxy: jobs: - nova-db-sync @@ -315,6 +326,7 @@ dependencies: scheduler: jobs: - nova-db-sync + - nova-rabbit-init services: - endpoint: internal service: oslo_messaging @@ -1048,6 +1060,9 @@ secrets: oslo_db_cell0: admin: nova-db-api-admin nova: nova-db-api-user + oslo_messaging: + admin: nova-rabbitmq-admin + nova: nova-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -1107,9 +1122,12 @@ endpoints: default: 3306 oslo_messaging: auth: - nova: + admin: username: rabbitmq password: password + nova: + username: nova + password: password hosts: default: rabbitmq host_fqdn_override: @@ -1119,6 +1137,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 oslo_cache: hosts: default: memcached @@ -1493,6 +1513,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" db_sync: requests: memory: "128Mi" @@ -1563,6 +1590,7 @@ manifests: job_db_init_placement: true job_db_sync: true job_db_drop: false + job_rabbit_init: true job_ks_endpoints: true job_ks_service: true job_ks_user: true 
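Review bot: The `oslo_messaging.auth` defaults in the `@@ -1107,9 +1122,12 @@` hunk now define two accounts, `rabbitmq`/`password` for `admin` and `nova`/`password` for the service user. Going by the commit message, the new job creates the service user from these values, so an install without overrides ends up with a real broker account whose password is `password`. The nearby comment says these are typically overridden, but nothing in the visible templates checks that they were. Either mark them in place, `password: password  # placeholder, override per deployment`, or have the secret template fail the render while the value is still the default. senlin/values.yaml carries the identical defaults.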
@@ -1578,6 +1606,7 @@ manifests: secret_db: true secret_keystone: true secret_keystone_placement: true + secret_rabbitmq: true service_ingress_metadata: true service_ingress_placement: true service_ingress_osapi: true diff --git a/senlin/templates/configmap-bin.yaml b/senlin/templates/configmap-bin.yaml index 2d89780fb3..be92adf09e 100644 --- a/senlin/templates/configmap-bin.yaml +++ b/senlin/templates/configmap-bin.yaml @@ -42,4 +42,6 @@ data: {{ tuple "bin/_senlin-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} senlin-engine.sh: | {{ tuple "bin/_senlin-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + rabbit-init.sh: | +{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/senlin/templates/job-rabbit-init.yaml b/senlin/templates/job-rabbit-init.yaml new file mode 100644 index 0000000000..2c2ff26a87 --- /dev/null +++ b/senlin/templates/job-rabbit-init.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.job_rabbit_init }} +{{- $rmqUserJob := dict "envAll" . "serviceName" "senlin" -}} +{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} +{{- end }} diff --git a/senlin/templates/secret-rabbitmq.yaml b/senlin/templates/secret-rabbitmq.yaml new file mode 100644 index 0000000000..0eb1463255 --- /dev/null +++ b/senlin/templates/secret-rabbitmq.yaml 
@@ -0,0 +1,30 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_rabbitmq }} +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "senlin" }} +{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- end }} +{{- end }} diff --git a/senlin/values.yaml b/senlin/values.yaml index de3b875228..43b69d6780 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -36,6 +36,7 @@ images: db_init: docker.io/openstackhelm/heat:newton senlin_db_sync: docker.io/openstackhelm/senlin:newton db_drop: docker.io/openstackhelm/heat:newton + rabbit_init: docker.io/rabbitmq:3.7-management ks_user: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton @@ -198,6 +199,10 @@ dependencies: services: - endpoint: internal service: identity + rabbit_init: + services: + - service: oslo_messaging + endpoint: internal # Names of secrets used by bootstrap and environmental checks secrets: 
@@ -207,6 +212,9 @@ secrets: oslo_db: admin: senlin-db-admin senlin: senlin-db-user + oslo_messaging: + admin: senlin-rabbitmq-admin + senlin: senlin-rabbitmq-user # typically overriden by environmental # values, but should include all endpoints @@ -287,9 +295,12 @@ endpoints: default: 11211 oslo_messaging: auth: - senlin: + admin: username: rabbitmq password: password + senlin: + username: senlin + password: password hosts: default: rabbitmq host_fqdn_override: @@ -299,6 +310,8 @@ endpoints: port: amqp: default: 5672 + http: + default: 15672 pod: user: @@ -403,6 +416,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + rabbit_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" tests: requests: memory: "128Mi" @@ -423,9 +443,11 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + job_rabbit_init: true pdb_api: true secret_db: true secret_keystone: true + secret_rabbitmq: true service_ingress_api: true service_api: true statefulset_engine: true diff --git a/tools/deployment/armada/generate-passwords.sh b/tools/deployment/armada/generate-passwords.sh index 6107841724..8ec5486790 100755 --- a/tools/deployment/armada/generate-passwords.sh +++ b/tools/deployment/armada/generate-passwords.sh 
@@ -17,13 +17,15 @@ set -xe passwords="DB_ADMIN_PASSWORD ELASTICSEARCH_ADMIN_PASSWORD GRAFANA_DB_PASSWORD GRAFANA_SESSION_DB_PASSWORD \ - GRAFANA_ADMIN_PASSWORD KIBANA_ADMIN_PASSWORD KEYSTONE_RABBITMQ_PASSWORD KEYSTONE_DB_PASSWORD \ - KEYSTONE_ADMIN_PASSWORD SWIFT_USER_PASSWORD GLANCE_RABBITMQ_PASSWORD GLANCE_DB_PASSWORD \ - GLANCE_USER_PASSWORD CINDER_RABBITMQ_PASSWORD CINDER_DB_PASSWORD CINDER_USER_PASSWORD \ - NOVA_RABBITMQ_PASSWORD NOVA_DB_PASSWORD NOVA_USER_PASSWORD NOVA_PLACEMENT_USER_PASSWORD \ - NEUTRON_RABBITMQ_PASSWORD NEUTRON_DB_PASSWORD NEUTRON_USER_PASSWORD HEAT_RABBITMQ_PASSWORD \ + GRAFANA_ADMIN_PASSWORD KIBANA_ADMIN_PASSWORD KEYSTONE_RABBITMQ_ADMIN_PASSWORD KEYSTONE_DB_PASSWORD \ + KEYSTONE_ADMIN_PASSWORD SWIFT_USER_PASSWORD GLANCE_RABBITMQ_ADMIN_PASSWORD GLANCE_DB_PASSWORD \ + GLANCE_USER_PASSWORD CINDER_RABBITMQ_ADMIN_PASSWORD CINDER_DB_PASSWORD CINDER_USER_PASSWORD \ + NOVA_RABBITMQ_ADMIN_PASSWORD NOVA_DB_PASSWORD NOVA_USER_PASSWORD NOVA_PLACEMENT_USER_PASSWORD \ + NEUTRON_RABBITMQ_ADMIN_PASSWORD NEUTRON_DB_PASSWORD NEUTRON_USER_PASSWORD HEAT_RABBITMQ_ADMIN_PASSWORD \ HEAT_DB_PASSWORD HEAT_USER_PASSWORD HEAT_TRUSTEE_PASSWORD HEAT_STACK_PASSWORD \ - BARBICAN_RABBITMQ_PASSWORD BARBICAN_DB_PASSWORD BARBICAN_USER_PASSWORD OPENSTACK_EXPORTER_USER_PASSWORD" + BARBICAN_RABBITMQ_ADMIN_PASSWORD BARBICAN_DB_PASSWORD BARBICAN_USER_PASSWORD OPENSTACK_EXPORTER_USER_PASSWORD \ + KEYSTONE_RABBITMQ_USER_PASSWORD GLANCE_RABBITMQ_USER_PASSWORD CINDER_RABBITMQ_USER_PASSWORD NOVA_RABBITMQ_USER_PASSWORD \ + NEUTRON_RABBITMQ_USER_PASSWORD HEAT_RABBITMQ_USER_PASSWORD BARBICAN_RABBITMQ_USER_PASSWORD" for password in $passwords do diff --git a/tools/deployment/armada/multinode/armada-osh.yaml b/tools/deployment/armada/multinode/armada-osh.yaml index 376f1e4dba..5cde9c4707 100644 --- a/tools/deployment/armada/multinode/armada-osh.yaml +++ b/tools/deployment/armada/multinode/armada-osh.yaml 
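Review bot: `set -xe` is still in effect above this list (it is the hunk's header context), so if the loop body generates and exports each value inline, xtrace will print the seven new `*_RABBITMQ_USER_PASSWORD` secrets into the deployment log along with the rest. The loop body lies outside the hunk, so this needs confirming there; if it does assign inline, put `set +x` before the loop and `set -x` after it. The old `*_RABBITMQ_PASSWORD` names are removed rather than aliased, so any manifest not touched by this patch that still references them would be rendered with an empty value.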
@@ -212,8 +212,8 @@ data: oslo_messaging: auth: user: - username: keystone-rabbitmq - password: ${KEYSTONE_RABBITMQ_PASSWORD} + username: keystone-rabbitmq-admin + password: ${KEYSTONE_RABBITMQ_ADMIN_PASSWORD} hosts: default: keystone-rabbitmq prometheus_rabbitmq_exporter: @@ -295,9 +295,14 @@ data: password: ${KEYSTONE_DB_PASSWORD} oslo_messaging: auth: + admin: + username: keystone-rabbitmq-admin + password: ${KEYSTONE_RABBITMQ_ADMIN_PASSWORD} keystone: - username: keystone-rabbitmq - password: ${KEYSTONE_RABBITMQ_PASSWORD} + username: keystone-rabbitmq-user + password: ${KEYSTONE_RABBITMQ_USER_PASSWORD} + hosts: + default: keystone-rabbitmq labels: api: node_selector_key: openstack-control-plane @@ -444,8 +449,8 @@ data: oslo_messaging: auth: user: - username: glance-rabbitmq - password: ${GLANCE_RABBITMQ_PASSWORD} + username: glance-rabbitmq-admin + password: ${GLANCE_RABBITMQ_ADMIN_PASSWORD} hosts: default: glance-rabbitmq prometheus_rabbitmq_exporter: @@ -527,9 +532,12 @@ data: default: glance-memcached oslo_messaging: auth: + admin: + username: glance-rabbitmq-admin + password: ${GLANCE_RABBITMQ_ADMIN_PASSWORD} glance: - username: glance-rabbitmq - password: ${GLANCE_RABBITMQ_PASSWORD} + username: glance-rabbitmq-user + password: ${GLANCE_RABBITMQ_USER_PASSWORD} hosts: default: glance-rabbitmq labels: @@ -618,8 +626,8 @@ data: oslo_messaging: auth: user: - username: cinder-rabbitmq - password: ${CINDER_RABBITMQ_PASSWORD} + username: cinder-rabbitmq-admin + password: ${CINDER_RABBITMQ_ADMIN_PASSWORD} hosts: default: cinder-rabbitmq prometheus_rabbitmq_exporter: @@ -701,9 +709,12 @@ data: default: cinder-memcached oslo_messaging: auth: + admin: + username: cinder-rabbitmq-admin + password: ${CINDER_RABBITMQ_ADMIN_PASSWORD} cinder: - username: cinder-rabbitmq - password: ${CINDER_RABBITMQ_PASSWORD} + username: cinder-rabbitmq-user + password: ${CINDER_RABBITMQ_USER_PASSWORD} hosts: default: cinder-rabbitmq labels: 
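Review bot: The `admin` entry added under each service chart's `oslo_messaging.auth` repeats the `username`/`password` pair set as `auth.user` in the matching rabbitmq chart (`keystone-rabbitmq-admin` with `${KEYSTONE_RABBITMQ_ADMIN_PASSWORD}` in both the `@@ -212` and `@@ -295` hunks), and nothing in the manifest says the two must stay identical. A comment on the service side, `# admin: must match auth.user of the keystone-rabbitmq chart; used to create the keystone user below`, would make that dependency explicit; the second half of that comment is inferred from the commit message. The same pairing recurs for glance, cinder, nova, neutron, heat and barbican in the later hunks.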
@@ -841,8 +852,8 @@ data: oslo_messaging: auth: user: - username: nova-rabbitmq - password: ${NOVA_RABBITMQ_PASSWORD} + username: nova-rabbitmq-admin + password: ${NOVA_RABBITMQ_ADMIN_PASSWORD} hosts: default: nova-rabbitmq prometheus_rabbitmq_exporter: @@ -953,9 +964,12 @@ data: default: nova-memcached oslo_messaging: auth: + admin: + username: nova-rabbitmq-admin + password: ${NOVA_RABBITMQ_ADMIN_PASSWORD} nova: - username: nova-rabbitmq - password: ${NOVA_RABBITMQ_PASSWORD} + username: nova-rabbitmq-user + password: ${NOVA_RABBITMQ_USER_PASSWORD} hosts: default: nova-rabbitmq labels: @@ -1065,8 +1079,8 @@ data: oslo_messaging: auth: user: - username: neutron-rabbitmq - password: ${NEUTRON_RABBITMQ_PASSWORD} + username: neutron-rabbitmq-admin + password: ${NEUTRON_RABBITMQ_ADMIN_PASSWORD} hosts: default: neutron-rabbitmq prometheus_rabbitmq_exporter: @@ -1146,9 +1160,12 @@ data: default: neutron-memcached oslo_messaging: auth: + admin: + username: neutron-rabbitmq-admin + password: ${NEUTRON_RABBITMQ_ADMIN_PASSWORD} neutron: - username: neutron-rabbitmq - password: ${NEUTRON_RABBITMQ_PASSWORD} + username: neutron-rabbitmq-user + password: ${NEUTRON_RABBITMQ_USER_PASSWORD} hosts: default: neutron-rabbitmq pod: @@ -1260,8 +1277,8 @@ data: oslo_messaging: auth: user: - username: heat-rabbitmq - password: ${HEAT_RABBITMQ_PASSWORD} + username: heat-rabbitmq-admin + password: ${HEAT_RABBITMQ_ADMIN_PASSWORD} hosts: default: heat-rabbitmq prometheus_rabbitmq_exporter: @@ -1343,9 +1360,12 @@ data: default: heat-memcached oslo_messaging: auth: + admin: + username: heat-rabbitmq-admin + password: ${HEAT_RABBITMQ_ADMIN_PASSWORD} heat: - username: heat-rabbitmq - password: ${HEAT_RABBITMQ_PASSWORD} + username: heat-rabbitmq-user + password: ${HEAT_RABBITMQ_USER_PASSWORD} hosts: default: heat-rabbitmq labels: 
@@ -1429,8 +1449,8 @@ data: oslo_messaging: auth: user: - username: barbican-rabbitmq - password: ${BARBICAN_RABBITMQ_PASSWORD} + username: barbican-rabbitmq-admin + password: ${BARBICAN_RABBITMQ_ADMIN_PASSWORD} hosts: default: barbican-rabbitmq prometheus_rabbitmq_exporter: @@ -1508,9 +1528,12 @@ data: default: barbican-memcached oslo_messaging: auth: + admin: + username: barbican-rabbitmq-admin + password: ${BARBICAN_RABBITMQ_ADMIN_PASSWORD} barbican: - username: barbican-rabbitmq - password: ${BARBICAN_RABBITMQ_PASSWORD} + username: barbican-rabbitmq-user + password: ${BARBICAN_RABBITMQ_USER_PASSWORD} hosts: default: barbican-rabbitmq labels: