openstack-helm/nova/templates/daemonset-compute.yaml
Andrii Ostapenko 44d263b2bf Enable templates linting
- braces
- brackets
- colons
- commas
- comments
- hyphens
- indentation
- key-duplicates

with corresponding code changes.

Also disable enforcement for document-(start|end) rules and
disables warnings to increase readability.

* Unrestrict octal values rule since benefits of file modes readability
  exceed possible issues with yaml 1.2 adoption in future k8s versions.
  These issues will be addressed when/if they occur.

Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-11 00:52:51 +00:00

512 lines
22 KiB
YAML

{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "novaComputeLivenessProbeTemplate" }}
exec:
command:
- python
- /tmp/health-probe.py
- --config-file
- /etc/nova/nova.conf
- --service-queue-name
- compute
- --liveness-probe
{{- if .Values.pod.use_fqdn.compute }}
- --use-fqdn
{{- end }}
{{- end }}
{{- define "novaComputeReadinessProbeTemplate" }}
exec:
command:
- python
- /tmp/health-probe.py
- --config-file
- /etc/nova/nova.conf
- --service-queue-name
- compute
{{- if .Values.pod.use_fqdn.compute }}
- --use-fqdn
{{- end }}
{{- end }}
{{- define "nova.compute.daemonset" }}
{{- $daemonset := index . 0 }}
{{- $configMapName := index . 1 }}
{{- $serviceAccountName := index . 2 }}
{{- $envAll := index . 3 }}
{{- with $envAll }}
{{- $mounts_nova_compute := .Values.pod.mounts.nova_compute.nova_compute }}
{{- $mounts_nova_compute_init := .Values.pod.mounts.nova_compute.init_container }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: nova-compute
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
labels:
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute" "init" "nova-compute-init" "nova-compute-vnc-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
{{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }}
hostNetwork: true
hostPID: true
dnsPolicy: ClusterFirstWithHostNet
initContainers:
{{ tuple $envAll "pod_dependency" $mounts_nova_compute_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: nova-compute-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: NOVA_USER_UID
value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
command:
- /tmp/nova-compute-init.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: nova-bin
mountPath: /tmp/nova-compute-init.sh
subPath: nova-compute-init.sh
readOnly: true
- name: varlibnova
mountPath: /var/lib/nova
- name: pod-shared
mountPath: /tmp/pod-shared
{{- if .Values.conf.ceph.enabled }}
- name: ceph-perms
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "ceph_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
- "nova:"
- /etc/ceph
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
{{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/ceph-admin-keyring.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
- name: nova-bin
mountPath: /tmp/ceph-admin-keyring.sh
subPath: ceph-admin-keyring.sh
readOnly: true
{{- if empty .Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
{{ end }}
- name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: CEPH_CINDER_USER
value: "{{ .Values.conf.ceph.cinder.user }}"
{{- if .Values.conf.ceph.cinder.keyring }}
- name: CEPH_CINDER_KEYRING
value: "{{ .Values.conf.ceph.cinder.keyring }}"
{{ end }}
- name: LIBVIRT_CEPH_SECRET_UUID
value: "{{ .Values.conf.ceph.secret_uuid }}"
command:
- /tmp/ceph-keyring.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
- name: nova-bin
mountPath: /tmp/ceph-keyring.sh
subPath: ceph-keyring.sh
- name: ceph-etc
mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf
readOnly: true
{{ end }}
{{- if eq .Values.console.console_kind "novnc"}}
- name: nova-compute-vnc-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_vnc_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-compute-init.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: nova-bin
mountPath: /tmp/nova-console-compute-init.sh
subPath: nova-console-compute-init.sh
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{ end }}
{{- if eq .Values.console.console_kind "spice"}}
- name: nova-compute-spice-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_spice_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-compute-init.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: nova-bin
mountPath: /tmp/nova-console-compute-init.sh
subPath: nova-console-compute-init.sh
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{ end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tungstenfabric-compute-init
image: {{ .Values.images.tags.tf_compute_init }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "tungstenfabric_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
volumeMounts:
- name: tf-plugin-shared
mountPath: /opt/plugin
- name: tf-plugin-bin
mountPath: /opt/plugin/bin
{{- end }}
containers:
- name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env:
{{- if .Values.conf.ceph.enabled }}
- name: CEPH_CINDER_USER
value: "{{ .Values.conf.ceph.cinder.user }}"
{{- if .Values.conf.ceph.cinder.keyring }}
- name: CEPH_CINDER_KEYRING
value: "{{ .Values.conf.ceph.cinder.keyring }}"
{{ end }}
- name: LIBVIRT_CEPH_SECRET_UUID
value: "{{ .Values.conf.ceph.secret_uuid }}"
{{ end }}
- name: RPC_PROBE_TIMEOUT
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
- /tmp/nova-compute.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: nova-bin
mountPath: /tmp/nova-compute.sh
subPath: nova-compute.sh
readOnly: true
- name: nova-bin
mountPath: /tmp/health-probe.py
subPath: health-probe.py
readOnly: true
- name: nova-etc
mountPath: /etc/nova/nova.conf
subPath: nova-compute.conf
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
readOnly: true
{{- end }}
- name: nova-etc
mountPath: /etc/nova/api-paste.ini
subPath: api-paste.ini
readOnly: true
- name: nova-etc
mountPath: /etc/nova/policy.yaml
subPath: policy.yaml
readOnly: true
- name: nova-etc
# NOTE (Portdirect): We mount here to override Kollas
# custom sudoers file when using Kolla images, this
# location will also work fine for other images.
mountPath: /etc/sudoers.d/kolla_nova_sudoers
subPath: nova_sudoers
readOnly: true
- name: nova-etc
mountPath: /etc/nova/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "compute" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
- name: nova-etc
mountPath: {{ $rootwrapFile }}
subPath: {{ base $rootwrapFile }}
readOnly: true
{{- end }}
{{- end }}
- name: nova-etc
mountPath: /root/.ssh/config
subPath: ssh-config
readOnly: true
- name: nova-ssh
mountPath: /root/.ssh/id_rsa
subPath: ssh-key-private
{{- if .Values.conf.ceph.enabled }}
- name: etcceph
mountPath: /etc/ceph
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: Bidirectional
{{- end }}
{{- if and ( empty .Values.conf.ceph.cinder.keyring ) ( empty .Values.conf.ceph.admin_keyring )}}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
{{ end }}
- mountPath: /lib/modules
name: libmodules
readOnly: true
- name: varlibnova
mountPath: /var/lib/nova
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: Bidirectional
{{- end }}
- name: varliblibvirt
mountPath: /var/lib/libvirt
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: Bidirectional
{{- end }}
- name: run
mountPath: /run
- name: cgroup
mountPath: /sys/fs/cgroup
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
- name: machine-id
mountPath: /etc/machine-id
readOnly: true
{{- if .Values.conf.enable_iscsi }}
- name: host-rootfs
mountPath: /mnt/host-rootfs
- name: usrlocalsbin
mountPath: /usr/local/sbin
- name: etciscsi
mountPath: /etc/iscsi
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: Bidirectional
{{- end }}
- name: dev
mountPath: /dev
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: Bidirectional
{{- end }}
- name: nova-bin
mountPath: /usr/local/sbin/iscsiadm
subPath: iscsiadm
{{- end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tf-plugin-shared
mountPath: /opt/plugin
readOnly: true
- name: tf-plugin-bin
mountPath: /usr/sbin
readOnly: true
- name: nova-bin
mountPath: /usr/local/lib/python2.7/site-packages/tf-plugin.pth
subPath: tf-plugin.pth
readOnly: true
- name: nova-bin
mountPath: /var/lib/openstack/lib/python2.7/site-packages/tf-plugin.pth
subPath: tf-plugin.pth
readOnly: true
- name: nova-bin
mountPath: /var/lib/openstack/lib/python3.6/site-packages/tf-plugin.pth
subPath: tf-plugin.pth
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.network.sshd.enabled }}
- name: nova-compute-ssh
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env:
- name: KEY_TYPES
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
- name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }}
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
ports:
- containerPort: {{ .Values.network.ssh.port }}
command:
- /tmp/ssh-start.sh
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: varlibnova
mountPath: /var/lib/nova
- name: varliblibvirt
mountPath: /var/lib/libvirt
- name: nova-ssh
mountPath: /root/.ssh/id_rsa.pub
subPath: ssh-key-public
- name: nova-ssh
mountPath: /root/.ssh/authorized_keys
subPath: ssh-key-public
- name: nova-bin
mountPath: /tmp/ssh-start.sh
subPath: ssh-start.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: nova-bin
configMap:
name: nova-bin
defaultMode: 0555
- name: nova-etc
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: nova-ssh
secret:
secretName: nova-ssh
defaultMode: 0400
{{- if .Values.conf.ceph.enabled }}
- name: etcceph
hostPath:
path: /var/lib/openstack-helm/compute/nova
- name: ceph-etc
configMap:
name: {{ .Values.ceph_client.configmap }}
defaultMode: 0444
{{- if and ( empty .Values.conf.ceph.cinder.keyring ) ( empty .Values.conf.ceph.admin_keyring ) }}
- name: ceph-keyring
secret:
secretName: {{ .Values.ceph_client.user_secret_name }}
{{ end }}
{{ end }}
- name: libmodules
hostPath:
path: /lib/modules
- name: varlibnova
hostPath:
path: /var/lib/nova
- name: varliblibvirt
hostPath:
path: /var/lib/libvirt
- name: run
hostPath:
path: /run
- name: cgroup
hostPath:
path: /sys/fs/cgroup
- name: pod-shared
emptyDir: {}
- name: machine-id
hostPath:
path: /etc/machine-id
{{- if .Values.conf.enable_iscsi }}
- name: host-rootfs
hostPath:
path: /
- name: etciscsi
hostPath:
path: /etc/iscsi
- name: dev
hostPath:
path: /dev
- name: usrlocalsbin
emptyDir: {}
{{- end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tf-plugin-shared
emptyDir: {}
- name: tf-plugin-bin
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}
{{- if .Values.manifests.daemonset_compute }}
{{- $envAll := . }}
{{- $daemonset := "compute" }}
{{- $configMapName := "nova-etc" }}
{{- $serviceAccountName := "nova-compute" }}
{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "compute" -}}
{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "nova.compute.daemonset" | toString | fromYaml }}
{{- $configmap_yaml := "nova.configmap.etc" }}
{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
{{- end }}