Implement requested feedback in PR#91

- Split out osapi and metadata api to remove unnecessary security privileges

- Prune dependencies

- Fix static imagePullPolicies

- Remove extraneous start.sh imported accidentally from keystone chart
Alan Meadows 2017-01-09 07:49:44 -08:00
parent 8afa729ffb
commit 88a85ae7d5
13 changed files with 136 additions and 60 deletions


@ -0,0 +1,21 @@
#!/bin/sh
#
# start nova-api-osapi service
#
# this helper script ensures our osapi service does not try to call iptables which requires privileged or NET_ADMIN privileges
# by stubbing in a fake iptables scripts
echo <<EOF>/tmp/iptables
#!/bin/sh
# nova-api-metadata trys to run some iptables commands
# This enables the api-only container to run without NET_ADMIN privileges
true
EOF
# make it executable and copy it over whatever iptables may be underneath in this image
chmod +x /tmp/iptables
cp -p /tmp/iptables /sbin/iptables
cp -p /tmp/iptables /sbin/iptables-restore
cp -p /tmp/iptables /sbin/iptables-save
exec nova-api--config-file /etc/nova/nova.conf
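Review bot: The line `echo <<EOF>/tmp/iptables` never writes the heredoc: echo ignores stdin, so /tmp/iptables ends up holding a single empty line instead of the `#!/bin/sh` / `true` stub, and the `cp -p` lines then install that empty file over /sbin/iptables, iptables-restore and iptables-save. Use `cat <<EOF >/tmp/iptables` so the body actually lands in the file. The last line `exec nova-api--config-file /etc/nova/nova.conf` is also missing the space before the option, so the exec fails with command not found; it should read `exec nova-api --config-file /etc/nova/nova.conf`. Since the whole point of the script is that this container can run without NET_ADMIN, a `set -e` after the shebang would make a failed copy abort the start instead of silently leaving the real iptables in place.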


@ -1,12 +0,0 @@
#!/bin/bash
set -ex
# link our keystone wsgi to apaches running config
ln -s /configmaps/wsgi-keystone.conf /etc/apache2/sites-enabled/wsgi-keystone.conf
# Loading Apache2 ENV variables
source /etc/apache2/envvars
rm -rf /var/run/apache2/*
APACHE_DIR="apache2"
apache2 -DFOREGROUND


@ -7,8 +7,8 @@ data:
{{ tuple "bin/_db-sync.sh.tpl" . | include "template" | indent 4 }} {{ tuple "bin/_db-sync.sh.tpl" . | include "template" | indent 4 }}
init.sh: | init.sh: |
{{ tuple "bin/_init.sh.tpl" . | include "template" | indent 4 }} {{ tuple "bin/_init.sh.tpl" . | include "template" | indent 4 }}
start.sh: | start-osapi.sh: |
{{ tuple "bin/_start.sh.tpl" . | include "template" | indent 4 }} {{ tuple "bin/_start-osapi.sh.tpl" . | include "template" | indent 4 }}
post.sh: | post.sh: |
{{ tuple "bin/_post.sh.tpl" . | include "template" | indent 4 }} {{ tuple "bin/_post.sh.tpl" . | include "template" | indent 4 }}
libvirt.sh: | libvirt.sh: |


@ -59,15 +59,6 @@ spec:
- nova-compute - nova-compute
- --config-file - --config-file
- /etc/nova/nova.conf - /etc/nova/nova.conf
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts: volumeMounts:
- name: novaconf - name: novaconf
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf


@ -46,17 +46,16 @@ spec:
image: {{ .Values.image.api }} image: {{ .Values.image.api }}
# https://bugs.launchpad.net/kolla-mesos/+bug/1546007 # https://bugs.launchpad.net/kolla-mesos/+bug/1546007
securityContext: securityContext:
privileged: true capabilities:
add:
- NET_ADMIN
command: command:
- nova-api - nova-api-metadata --config-file=/etc/nova/nova.conf
- --config-file
- /etc/nova/nova.conf
ports: ports:
- containerPort: {{ .Values.network.port.api }}
- containerPort: {{ .Values.network.port.metadata }} - containerPort: {{ .Values.network.port.metadata }}
readinessProbe: readinessProbe:
tcpSocket: tcpSocket:
port: {{ .Values.network.port.api }} port: {{ .Values.network.port.osapi }}
volumeMounts: volumeMounts:
- name: novaconf - name: novaconf
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
@ -67,4 +66,4 @@ spec:
name: nova-etc name: nova-etc
items: items:
- key: nova.conf - key: nova.conf
path: nova.conf path: nova.conf
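Review bot: The new `command` entry `- nova-api-metadata --config-file=/etc/nova/nova.conf` in the first hunk is one exec argv element, and Kubernetes `command` is not run through a shell, so the kubelet looks for a binary whose name contains the embedded space and the container never starts; split it into `- nova-api-metadata` and `- --config-file=/etc/nova/nova.conf`. In the same hunk the readiness probe now checks `.Values.network.port.osapi`, but after the split this container only listens on and exposes the metadata port, so the pod would never become Ready; it should be `port: {{ .Values.network.port.metadata }}`. Replacing `privileged: true` with `capabilities.add: [NET_ADMIN]` is the right direction. The Deployment name and any pod-level securityContext are outside the hunk, so I could not confirm whether the resource is still named for the old combined `nova-api` role.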


@ -0,0 +1,75 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nova-osapi
spec:
replicas: {{ .Values.control_replicas }}
template:
metadata:
labels:
app: nova-osapi
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "init",
"image": "{{ .Values.image.entrypoint }}",
"imagePullPolicy": "{{ .Values.image.pull_policy }}",
"env": [
{
"name": "NAMESPACE",
"value": "{{ .Release.Namespace }}"
},
{
"name": "INTERFACE_NAME",
"value": "eth0"
},
{
"name": "DEPENDENCY_SERVICE",
"value": "{{ include "joinListWithColon" .Values.dependencies.api.service }}"
},
{
"name": "DEPENDENCY_JOBS",
"value": "{{ include "joinListWithColon" .Values.dependencies.api.jobs }}"
},
{
"name": "COMMAND",
"value": "echo done"
}
]
}
]'
spec:
nodeSelector:
{{ .Values.labels.control_node_selector_key }}: {{ .Values.labels.control_node_selector_value }}
containers:
- name: nova-osapi
image: {{ .Values.image.api }}
command:
- bash
- /tmp/start-osapi.sh
ports:
- containerPort: {{ .Values.network.port.osapi }}
readinessProbe:
tcpSocket:
port: {{ .Values.network.port.osapi }}
volumeMounts:
- name: novaconf
mountPath: /etc/nova/nova.conf
subPath: nova.conf
volumeMounts:
- name: startsh
mountPath: /tmp/start-osapi.sh
subPath: start-osapi.sh
volumes:
- name: novaconf
configMap:
name: nova-etc
items:
- key: nova.conf
path: nova.conf
- name: startsh
configMap:
name: nova-bin
items:
- key: start-osapi.sh
path: start-osapi.sh
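Review bot: The nova-osapi container declares `volumeMounts:` twice, once for `novaconf` and once for `startsh`; a duplicate mapping key is invalid YAML and most loaders keep only the last one, so the nova.conf mount is dropped and the container starts without its config. Delete the second `volumeMounts:` line so `- name: startsh` becomes the second entry of the first list. The container also has no `imagePullPolicy`, while the rest of this commit moves every other container to `imagePullPolicy: {{ .Values.image.pull_policy }}`; add the same line after `image:` for consistency. Because the start script has to overwrite files under /sbin, this container cannot use a read-only root filesystem or a non-root user as written; a one-line comment above `command:` recording that dependency would stop a later hardening pass from breaking the startup path unknowingly.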


@ -9,7 +9,7 @@ force_config_drive = {{ .Values.nova.default.force_config_drive }}
state_path = /var/lib/nova state_path = /var/lib/nova
osapi_compute_listen = {{ .Values.network.ip_address }} osapi_compute_listen = {{ .Values.network.ip_address }}
osapi_compute_listen_port = {{ .Values.network.port.api }} osapi_compute_listen_port = {{ .Values.network.port.osapi }}
osapi_compute_workers = {{ .Values.nova.default.osapi_workers }} osapi_compute_workers = {{ .Values.nova.default.osapi_workers }}
workers = {{ .Values.nova.default.osapi_workers }} workers = {{ .Values.nova.default.osapi_workers }}


@ -10,7 +10,7 @@ spec:
{ {
"name": "init", "name": "init",
"image": "{{ .Values.image.entrypoint }}", "image": "{{ .Values.image.entrypoint }}",
"imagePullPolicy": "{{ .Values.image.pull_policy }}", "imagePullPolicy": "{{ .Values.image.pull_policy }}",
"env": [ "env": [
{ {
"name": "NAMESPACE", "name": "NAMESPACE",
@ -36,7 +36,7 @@ spec:
containers: containers:
- name: nova-db-sync - name: nova-db-sync
image: {{ .Values.image.db_sync }} image: {{ .Values.image.db_sync }}
imagePullPolicy: Always imagePullPolicy: {{ .Values.image.pull_policy }}
command: command:
- bash - bash
- /tmp/db-sync.sh - /tmp/db-sync.sh


@ -36,7 +36,7 @@ spec:
containers: containers:
- name: nova-init - name: nova-init
image: {{ .Values.image.init }} image: {{ .Values.image.init }}
imagePullPolicy: Always imagePullPolicy: {{ .Values.image.pull_policy }}
command: command:
- bash - bash
- /tmp/init.sh - /tmp/init.sh


@ -36,7 +36,7 @@ spec:
containers: containers:
- name: nova-post - name: nova-post
image: {{ .Values.image.post }} image: {{ .Values.image.post }}
imagePullPolicy: Always imagePullPolicy: {{ .Values.image.pull_policy }}
command: command:
- bash - bash
- /tmp/post.sh - /tmp/post.sh


@ -1,11 +1,9 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: nova-api name: nova-metadata
spec: spec:
ports: ports:
- name: nova-api
port: {{ .Values.network.port.api }}
- name: nova-metadata - name: nova-metadata
port: {{ .Values.network.port.metadata }} port: {{ .Values.network.port.metadata }}
selector: selector:
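Review bot: Renaming this Service from `nova-api` to `nova-metadata` changes the DNS name the metadata endpoint is reached by, and the `nova-api` name is reused in this same commit for the new osapi Service, so any consumer that still resolves `nova-api` for metadata traffic is silently routed to the compute API instead of failing loudly. The commit message should state which consumers were checked; the neutron chart's metadata host settings are the obvious candidates, but that is not verifiable from this page. The `selector:` block is outside the hunk, so I could not confirm it still matches the metadata Deployment's pod labels.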


@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
# alanmeadows(TODO): refactor to nova-osapi
# which requires updating other charts
# dependencies
name: nova-api
spec:
ports:
- name: nova-osapi
port: {{ .Values.network.port.osapi }}
selector:
app: nova-osapi


@ -13,16 +13,16 @@ control_replicas: 1
compute_replicas: 1 compute_replicas: 1
image: image:
init: quay.io/stackanetes/stackanetes-kolla-toolbox:barcelona init: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
db_sync: quay.io/stackanetes/stackanetes-nova-api:barcelona db_sync: quay.io/stackanetes/stackanetes-nova-api:newton
api: quay.io/stackanetes/stackanetes-nova-api:barcelona api: quay.io/stackanetes/stackanetes-nova-api:newton
conductor: quay.io/stackanetes/stackanetes-nova-conductor:barcelona conductor: quay.io/stackanetes/stackanetes-nova-conductor:newton
scheduler: quay.io/stackanetes/stackanetes-nova-scheduler:barcelona scheduler: quay.io/stackanetes/stackanetes-nova-scheduler:newton
novncproxy: quay.io/stackanetes/stackanetes-nova-novncproxy:barcelona novncproxy: quay.io/stackanetes/stackanetes-nova-novncproxy:newton
consoleauth: quay.io/stackanetes/stackanetes-nova-consoleauth:barcelona consoleauth: quay.io/stackanetes/stackanetes-nova-consoleauth:newton
compute: quay.io/stackanetes/stackanetes-nova-compute:barcelona compute: quay.io/stackanetes/stackanetes-nova-compute:newton
libvirt: quay.io/stackanetes/stackanetes-nova-libvirt:barcelona libvirt: quay.io/stackanetes/stackanetes-nova-libvirt:newton
post: quay.io/stackanetes/stackanetes-kolla-toolbox:barcelona post: quay.io/stackanetes/stackanetes-kolla-toolbox:newton
entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0 entrypoint: quay.io/stackanetes/kubernetes-entrypoint:v0.1.0
pull_policy: "IfNotPresent" pull_policy: "IfNotPresent"
@ -40,7 +40,7 @@ network:
other_domains: "" other_domains: ""
port: port:
api: 8774 osapi: 8774
metadata: 8775 metadata: 8775
novncproxy: 6080 novncproxy: 6080
@ -51,7 +51,6 @@ nova:
metadata_workers: 8 metadata_workers: 8
conductor_workers: 8 conductor_workers: 8
force_config_drive: True force_config_drive: True
drain_timeout: 60
database: database:
address: "mariadb" address: "mariadb"
@ -103,7 +102,6 @@ memcached:
dependencies: dependencies:
api: api:
jobs: jobs:
- mariadb-seed
- keystone-db-sync - keystone-db-sync
- nova-init - nova-init
- nova-db-sync - nova-db-sync
@ -121,6 +119,7 @@ dependencies:
- nova-init - nova-init
- keystone-init - keystone-init
- mariadb-seed - mariadb-seed
- keystone-db-sync
service: service:
- mariadb - mariadb
post: post:
@ -130,7 +129,7 @@ dependencies:
- mariadb-seed - mariadb-seed
service: service:
- mariadb - mariadb
- nova-api - keystone-api
init: init:
jobs: jobs:
- mariadb-seed - mariadb-seed
@ -138,9 +137,7 @@ dependencies:
- mariadb - mariadb
compute: compute:
jobs: jobs:
- nova-init
- nova-post - nova-post
- nova-db-sync
service: service:
- keystone-api - keystone-api
- nova-api - nova-api
@ -164,17 +161,11 @@ dependencies:
- mariadb - mariadb
scheduler: scheduler:
jobs: jobs:
- mariadb-seed
- keystone-db-sync
- nova-init
- nova-db-sync - nova-db-sync
service: service:
- mariadb - mariadb
conductor: conductor:
jobs: jobs:
- mariadb-seed
- keystone-db-sync
- nova-init
- nova-db-sync - nova-db-sync
service: service:
- mariadb - mariadb
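Review bot: Every image tag in the first hunk moves from `barcelona` to `newton`, yet the commit message does not mention an image change, so it should be called out as its own item. `newton` is a mutable tag, and combined with `pull_policy: "IfNotPresent"` a node that already cached a `newton` image keeps running it after the tag is re-pushed, so the chart cannot say which build is actually deployed; pinning by digest (`image@sha256:<digest-placeholder>`) or an immutable per-release tag would make that verifiable. The dependency pruning in the later hunks relies on transitive ordering, for example `scheduler.jobs` and `conductor.jobs` now keep only `nova-db-sync`, which is sound only as long as the db-sync job's own `jobs` list (presumably the hunk that adds `keystone-db-sync` next to `nova-init` and `mariadb-seed`) keeps those entries; a short comment above `dependencies:` stating that rule would prevent a later edit from reintroducing a startup race.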