Upgrade MAAS to 3.5

This PS upgrades maas to version 3.5 (jammy)

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952
Anselme, Schubert (sa246v)
2023-04-03 09:54:18 -04:00
committed by Sergiy Markin
parent b7062cd81a
commit 4d3ec058d8
53 changed files with 1381 additions and 309 deletions

.gitignore vendored

@@ -7,4 +7,5 @@ build/
.vscode/ .vscode/
charts/deps charts/deps/
!charts/deps/.gitkeep


@@ -16,13 +16,13 @@
- airship-maas-lint-ws - airship-maas-lint-ws
- airship-maas-chart-build-gate - airship-maas-chart-build-gate
- airship-maas-chart-build-latest-htk - airship-maas-chart-build-latest-htk
- airship-maas-docker-build-gate-bionic - airship-maas-docker-build-gate
- airship-maas-lint-yaml - airship-maas-lint-yaml
gate: gate:
jobs: jobs:
- airship-maas-lint-ws - airship-maas-lint-ws
- airship-maas-chart-build-gate - airship-maas-chart-build-gate
- airship-maas-docker-build-gate-bionic - airship-maas-docker-build-gate
- airship-maas-lint-yaml - airship-maas-lint-yaml
post: post:
jobs: jobs:
@@ -47,14 +47,14 @@
Lints all files for trailing whitespace Lints all files for trailing whitespace
run: tools/gate/playbooks/zuul-linter.yaml run: tools/gate/playbooks/zuul-linter.yaml
timeout: 300 timeout: 300
nodeset: airship-maas-single-node nodeset: airship-maas-single-node-jammy
- job: - job:
name: airship-maas-chart-build-gate name: airship-maas-chart-build-gate
description: Build charts using pinned Helm toolkit. description: Build charts using pinned Helm toolkit.
run: tools/gate/playbooks/helm-linter.yaml run: tools/gate/playbooks/helm-linter.yaml
timeout: 600 timeout: 600
nodeset: airship-maas-single-node nodeset: airship-maas-single-node-jammy
vars: vars:
HTK_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad HTK_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad
@@ -64,17 +64,17 @@
voting: false voting: false
run: tools/gate/playbooks/helm-linter.yaml run: tools/gate/playbooks/helm-linter.yaml
timeout: 600 timeout: 600
nodeset: airship-maas-single-node nodeset: airship-maas-single-node-jammy
vars: vars:
HTK_COMMIT: master HTK_COMMIT: master
- job: - job:
name: airship-maas-docker-build-gate-bionic name: airship-maas-docker-build-gate
timeout: 1800 timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-maas-single-node nodeset: airship-maas-single-node-jammy
files: files:
- '^images/.*' - "^images/.*"
vars: vars:
publish: false publish: false
tags: tags:
@@ -88,17 +88,17 @@
run: tools/gate/playbooks/lint-yaml.yaml run: tools/gate/playbooks/lint-yaml.yaml
nodeset: airship-maas-single-node nodeset: airship-maas-single-node
irrelevant-files: irrelevant-files:
- '^charts/maas/templates/.*' - "^charts/maas/templates/.*"
- job: - job:
name: airship-maas-docker-publish name: airship-maas-docker-publish
timeout: 1800 timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-maas-single-node nodeset: airship-maas-single-node-jammy
secrets: secrets:
- airship_maas_quay_creds - airship_maas_quay_creds
irrelevant-files: irrelevant-files:
- '^images/.*' - "^images/.*"
vars: vars:
publish: true publish: true
tags: tags:
@@ -142,53 +142,53 @@
git_mirror_repository: airshipit/maas git_mirror_repository: airshipit/maas
secrets: secrets:
- name: git_mirror_credentials - name: git_mirror_credentials
secret: maas-airshipit-github-secret secret: maas-airshipit-github-secret-2023-03-23
pass-to-parent: true pass-to-parent: true
- secret: - secret:
name: maas-airshipit-github-secret name: maas-airshipit-github-secret-2023-03-23
data: data:
user: git user: git
host: github.com host: github.com
host_key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== host_key: github.com ssh-rsa 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
ssh_key: !encrypted/pkcs1-oaep ssh_key: !encrypted/pkcs1-oaep
- WjZJqgndvx9apoPz8nA1sJ324cYE7JyGQYjzYevbJO95t/oqcuI3lKl7MJ7CVnbYXcuVO - Ctq8uiBKJa7YVWphZu4y/M7cajpPKKIx9kc0xM8fIfkUBWG++JXFjvqVMn1wolfBCbfw5
f9gy1hqnF1dpi2vB/eO3xevj95pU61XPyR5HcJiI25CyVv1R0lEf6m160nTkliYOIpPR6 fSqNyEazE+Vr8Gk/9iwpgD13b7O+ar7CfY/HmkjeqRQYqGDEsBzCKEksK4zjzzRBufqpC
jVqU6ciE2fpTiQ6wPBQHBnguTJsNRulBsjnbpzzvKG3L0Li1RV+j2tP7JyCzsrwbbXCe3 DpulFkPSR9RoiQKuIv2C3n3afJkXgWPosdF9akluHRK5gzm7ayWkvoWEVQDkG1JaIrg6F
27bwQD1ZnhOH6oDA1LDpqVLhcFbTW/A1UnCn5gRt3Z0I+Av49yw3fN3e1RP9p5wOiLXGm R/v12ADusA1RKYqbRyHR5RVV9CJqu4RImvZvXBGau6H+0zZQLCATnUZH8vEjiu/GVFlcz
022lzm59SnEc3jWlmMaySzBs4KyUABI7Xc7uENl+erYbe8Hb52rPPvbwPYRnSymh2V4h/ Z7Zy6pGSFsxxlSqibcPwYR/CwQBOc+WDQQZ0zD1LfI+64K4t17VcxEtL0S/x07PKfKKmr
SVqwbDOQ1p1ogS1mHk03HPFDMgsdoOG6LtvgLBEgWDFE04Qw350dVypL+MzsgZwVIQq21 hYDQLR6Zg7uSzoloW27r3hUP1PcHjdGRF4u21EToT+7BVb2yPBfNS+W2i+NX1VQrWTGqP
sVpfMHJF4A9GqYjHZLJSngVJVKf3sYFnvYEP6L3DUiDa3jvLRpo/lAnr1UNdV4VOZHqah lvmCz0A7bEn7PmHvPhtUwoSX2ZW0nqXdpTiDLpn1/Q+VpkCdMEMT42VeuuYTVvbxAtEaU
ZCZuJ0OELi4lakHbh4LSEc4n+a0yev8Z1azH5pkpgZhLrAjaWnhgZiyfHifWCvTyRG27P 195LHICPH/6r6o4C57/3ouLcuTKAQr7u2Wnn/7MyPVBtFRnOtjX1t/Hil42QVaHFtbjun
s6Xph5P0E2sRwIfdK2wnVSA5RDSvdh00z72Bh72k726lQHulFs1TsTtwYo+cpdQNM87Xh ov/GEnKqdPH1S/2XfPlgIVwgjI4k2LRWRm0F2HLrXiSfZrjofCbLFuBZKK23zHaUFrI8P
uW+99Z0ntzLO53EsyiQRy9c8PYXX8FrK+KGPrhJ/dztPcB68njY2v/ypTB7YOs= QyyyET/Sdo8qpOFEpfzdFD0fH8NqU7mt5Ka/F1d2uYJmhCbRX1kpcSXqo+RFgA=
- icA8YhdGSbPCzGGmRpm4LsUIQzSXaFCapcsG9gNf7KVUfkcWApVaK9b3fylw8e50lQ5Cx - OxJZdG9DkL9I9ecTx56HAF05I3GbGbXUUF2yDeA26uXUHJRFp8y/llfGyt2G6gUlZ6apM
5OAGOElXvAMW7NijsPD3c5TztB/rIunsOGhN/k9+x5c8fNoWBSXlwtf28pJ1iAEIoyozZ ti7oC4tnsxdTt83vRx2O/p+SF7PYoQuYf+6d2+6CFBB58g4bV6JfncVyRyIAWtHRDMWFo
FN9esz/XbFUke7tM73Fg7DJaS8FUeA4SNr4O+Y8hM74hYxUPidkuR8r+yKNcp9hLM6czT kY9YYc1pFPQZ6m+mdi7SMsjLHWZwos/Xh+tBpyUyKdKC7aoNUZiAWDYAUPnIjQamB+QXm
jx7WmPO5+1ZFvPva2qKzOc27SEPPSkl0t6MIg9wPTQCUcxiQj38ZapDQInV4ozTJVRW0W 8tzfbvhqz33DcFlrBiR0SC8XkOlm88gPtxVftJEiugyQPRfDvjG3Q6Zo4gRAsTfslQQAF
YuHaSnGIUhudfuHVvnA9A3VgVpgz+Jgpv92KjD/kKA6JQdIA4K9G/05qGrf9k45fFUe0b gjENyXoSGUcvQREh237vLBdqLskke6qpeVb2769omaSdh/Fh0d1f6pjw2BCfMfcNz8GYe
h+Wnuta8h50BzZ8n8tLHQxf+B7e30JLbK962ywUpnc9LryfnWrV5CPneREz8tfs9iq3i6 1HIATlj1PFFPCnI+BVzH/mr81PdWx5k31sMgI85vcucDBw7XQiBpCiJUzy4ZRrDyFupNt
m7jyl3xi9PtZ/qBqHX3oP2vim+GWSvOT209S9XxDZWMzhRsO2NuySgepwYYipOYQgwoq4 oEajwkexnYSJAVD87brH4N76uRUCqBHMbaXZubZlXupkzDQov1R8UOcYv5zf0UQri+Bq7
ViqzYYCGrGpUDGWzu0GtYw3HGSBle1izmiPNh+CpUUPPUnZ6v3dNsxOYiqy1DaHFxiNdy dyEbVZXxleyWlW62GDu1rsFdwmKdcGLoBLdzmI8ZVHXp82DT926o8dLBDpGRahbAu0M7c
xttyZFUzVxrIGY7Ju+R1bxMs3HHUtxZcPVpEuCukq3ucCfsM9s6+lKBhUhELNO4NIULM9 A7i0VbtSmrXifD8tkMo9s9vJ82gl6VL4UUSimAfKEzpnMZxdoFEWlbivOOhAjsRBjk5wR
kEFVn/kjqAlQoPFuI2brHwJ0ELJE+djKf8a/d72HngF5hUzMNeZ/H4P9RZlq2E= JvusSAVfpTRWXcD9rtFlwO6G9njsbTt+rWVpT+uKOxB+c2eceTJXwGyHo9vVdU=
- GrHLGoP4HZyVFx0FUxSE1yv6PYWsAQuGJfzkG86dr60TzAT64tTaf23ZhI+lGwfJQZkMd - k83gdcIAOl0ga4oFzSFMq5KdrafmnRLbfRwaCdc0GfrKxT6MusVIY1axFnOjyKxhzANhA
LdzpAPdDMCAxCLiB5HUylo2dIzLKPtNgMmK/KNpVdX1ehWHlm+f0r70LJ7Ft2lSGZfNbh d0UzuOTedDxmBsKvddX4Ridkj9dpbaP6csqz/4rce1p0cgoD7opr9td1UU95HcYBO61Qm
Dkp1JBhFc+p6b0pxz3OZaGKD/uy/sAAVyx6pkwO2Lyxx3LAprA2syWUj9/OWkCFGZpQ4R 7914nWPDNludEn09+YEsMsiylSx6fBx7hkAAg+fC4TQQDJf+SA47pyZN7RRqtpJ7MLy6h
aLBy5IBBXMvaCaQC4OrSzSLlKErXNq+guj9z5pa7ct4xNs5ZRK77Fp/o3Ch3WP7XwaFbT UViKVYfEep3zlJn1coBylrQ0atT59kNYxYLzvPmUnYVTibibmR2Kqg91c6wm4bfwcFOgL
/jX8yDQEzOyV/ZufH2kdmum8oV9iLbjS410jOEqvBmJ8oU5TKztz3wreo6gHnb/Ipmqbe eKdP02RRWhQSCPCEeOJ5aDqKfgBrUKXYQ3ZellHaBOn9BHrKnJMD4pEpffQLkv+YJM7xq
iGVOHSp+VYM2CsJ1WNxYiAxfgjiXDeGdFw2HsdZRA5x2WSKmTuJE8PWLMjn9I3qQzTJSb SfHArdJ7wnvn3NXxktWZN6qvDO0sgLMCyKGj4Q0+DA5cleY1aaQ5n3IH4VbtacqkO8TJi
16Rb1l/NptL2VrfLitDykhIIlrvKWUf3t1fJ4SLMeqpn4pee4Z+WFTiNutc0rzdOJIl5I iSUlhzHolYuTfijWDIQ3NbjO4i47XXn9LEvpeGjB2ridMflb9s1q/v3b9XC8h+8Dz3XsH
9MsiGf+stSTd+SOl327geM9ay7Jnxa/orjVrHff3EfCJkWPGqTBno7asNz18xfQARmym0 RM2248CPaWGSrQvJ90pr88sWb0e1VHWIxkTvSiu90iZeUn0OYnyyAPThZDkGqt6VCUsGF
OJVPsVSvwXgWNPlbb9kcmvX6NwAPsUdqylgBbl9BWlTklhWUzrT5fFxlrmbVA6fe/9isR EK+lnxoE9v9kNN7eCwLAQtUqLoTGj+c+OtNtC65lyVQXQWd+ca7rQ6XMlIlzOU8X/Z4no
Ye7KnKzbTZJoKSRWmCHIsm48tBLxWgTt95md7phMwqsPQD3YY12xkszRn92KfM= bw/EWFCYGJxkZp4KWH/zurvpvWEvknxVWnH7HTEMRxQvstczuOcensZn6WLBk4=
- Br6y0uCDii7X5kvCulc/kuYwm6ysaOfu3r7iWxshcPw2Up+WdltWRIa+dBcR9pDm/FNwa - VUITbduRP6LvFR0Fwiam0+2V68F3mIpGSYjRCzcSpIHjecng6n+FiHKM5CG1pPQV3uOOp
iWPVyrL7qvavLgRQT7M0GdECFo6Y6D19Qvt2WPSpcD5MwphZdrAU8ENKlBtm8MhMnWA9T bL7uRCx6cSHG8gfrjR3PD8xf1VR/K5redHosWOSXUz7+dSPhObQA/VaTi92BUMKu3rdjJ
XWBLBH0BSFRU2GpGk+7zC4cUnKo3uV3fc7AtXW7W076kGoWy01z4EtgL5P+s7SLPMKCyA rJhiEOPSVl+QxsJzWt+6pGHuOyLOGkOBycwjBRTG1plUA8thgoTIl2srDKP3728YjvfBq
CH969Hnz1zDn8BebTaM45gc6fPX5f1o0haPF22XDOb+/I3CiAfH9fA0HYWzZqForvLV5J MCK6JhwelPKLCWEeVYCeyLoF2eqEqqxSfbFiDdtqnXAF4fNUsHuVMHF9Cz+NGJ1o/EgS2
6LZ8kxDWzmvxnEFiggT3Zc/jNi74bQ0YVrI5RoplNbvqiSpuszl4HpWBogr9ybkIbU1BT tio1Om3VEbgViPtdhNCyU9NZMEtO+5KpNoiV1rIA7Na+I5K1clztt3ax94muKJqjj+04f
fVX2l09NN4v5eWxfQGjdQpuuxSUN1pY2aCIcluxjELkZ0ACqqHVL6swaATxWIe1xZwPLb Q4J2h1zR+1Lok43mEest+wjVRsfyTXf8jMHOJ9QF10Z+26UwDUKSgRP+jm+Lx8QUMKyi7
3qn21OV4RqAf1BFPttYsLIH3+bX0A6302LcYZcHtmse+B2rQAu2c4XsSL1H8ClRji/4Wm R+1g0gyQqvxgUqIt35TeRu3tgX+50TQBKX0RFIatUuiCG1FuKB6q2VmjjA5L8M+gEZwO4
LFXQPCLteeVlb3feYffA3Vzjn0pnltRb6QulKNtaWp0viG1w88+aiJvyKP4MGJrzOnEQk fm17RWjM2EbRdFuNmPymrHSvc3gWTUe25nPbKDpovPhU0K1493QZgYLUqmlvh7RRw4eHa
iFGqB42WTLr2N6vzw5SIVpk3CvqlVIfvSUet8NikwH96NXMNzW5vwkGdzxoop2A44MIoW GHLQTPtXMpsrl+c3A/2hpXcUvYHhmxvlFLla7p0mgmD2uNB5wRDqU88p/ub0z0jHCLO5Q
mZq8KcKOaK+KH3mr7XeipxaHt74P8EhnQuOtXrcCbTEkByWdzm55UM7aPQNeoc= +izMoqA6r8FuVMjccHc8DEwZcsuQ3jvZk1XCxY3mAkPHiAoyxvQtxfNeRuBZw0=
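Review bot: The lint-yaml job in the fourth hunk is the only one left on `nodeset: airship-maas-single-node`, while the lint-ws, chart-build, docker-build and docker-publish jobs all move to `airship-maas-single-node-jammy`; if that is not deliberate, change it to `nodeset: airship-maas-single-node-jammy` so the whole pipeline exercises one image. The rotated secret name is referenced consistently in both the job and the `- secret:` definition, and the doubled timeouts are applied to both docker jobs. The `'^images/.*'` to `"^images/.*"` quote change is cosmetic only.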


@@ -15,13 +15,10 @@
DOCKER_REGISTRY ?= quay.io DOCKER_REGISTRY ?= quay.io
REGION_SUFFIX ?= maas-region REGION_SUFFIX ?= maas-region
IMG_COMMON_DIR ?= images IMG_COMMON_DIR ?= images
REGION_IMG_DIR ?= images/maas-region-controller
RACK_SUFFIX ?= maas-rack RACK_SUFFIX ?= maas-rack
RACK_IMG_DIR ?= images/maas-rack-controller
CACHE_SUFFIX ?= maas-cache CACHE_SUFFIX ?= maas-cache
CACHE_IMG_DIR ?= images/sstream-cache
IMAGE_PREFIX ?= airshipit IMAGE_PREFIX ?= airshipit
IMAGE_TAG ?= untagged IMAGE_TAG ?= latest
PROXY ?= http://proxy.foo.com:8000 PROXY ?= http://proxy.foo.com:8000
NO_PROXY ?= localhost,127.0.0.1,.svc.cluster.local NO_PROXY ?= localhost,127.0.0.1,.svc.cluster.local
USE_PROXY ?= false USE_PROXY ?= false
@@ -29,12 +26,12 @@ PUSH_IMAGE ?= false
# use this variable for image labels added in internal build process # use this variable for image labels added in internal build process
LABEL ?= org.airshipit.build=community LABEL ?= org.airshipit.build=community
COMMIT ?= $(shell git rev-parse HEAD) COMMIT ?= $(shell git rev-parse HEAD)
IMAGE_NAME := maas-rack-controller maas-region-controller sstream-cache IMAGE_NAME := maas-rack-controller-jammy maas-region-controller-jammy sstream-cache-jammy
BUILD_DIR := $(shell mktemp -d) BUILD_DIR := $(shell mktemp -d)
HELM := $(BUILD_DIR)/helm HELM := $(BUILD_DIR)/helm
SSTREAM_IMAGE := "https://images.maas.io/ephemeral-v3/stable/" SSTREAM_IMAGE := "https://images.maas.io/ephemeral-v3/stable/"
SSTREAM_RELEASE := "bionic" SSTREAM_RELEASE := "jammy"
UBUNTU_BASE_IMAGE ?= ubuntu:18.04 UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy
USE_CACHED_IMG ?= false USE_CACHED_IMG ?= false
DOCKER_EXTRA_ARGS ?= DOCKER_EXTRA_ARGS ?=
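Review bot: `IMAGE_TAG ?= latest` and `UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy` both default to mutable tags, so a build is not reproducible and, when PUSH_IMAGE is enabled, a local build can overwrite the published `latest` images. Consider keeping a non-publishing default such as the previous `untagged`, or deriving it from the `COMMIT` variable already in this hunk, and stating in a comment that `latest` is only meant for the gate. Pinning the base image by digest (a `quay.io/airshipit/ubuntu@sha256:<digest-from-registry>` reference, placeholder to be filled in) would make the Ubuntu layer verifiable as well.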


@@ -12,10 +12,12 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
---
apiVersion: v1 apiVersion: v1
description: Chart to run Canonical MaaS description: Chart to run Canonical MaaS
name: maas name: maas
version: 0.1.5 version: 0.1.6
appVersion: 3.5.3
home: https://docs.ubuntu.com/maas home: https://docs.ubuntu.com/maas
sources: sources:
- https://git.launchpad.net/maas - https://git.launchpad.net/maas


@@ -0,0 +1,6 @@
dependencies:
- name: helm-toolkit
repository: file://../deps/helm-toolkit
version: 2024.2.0
digest: sha256:68a561f57ba60b9f040679cd768b0abb8d5b48175f0da0977d168d31667e8635
generated: "2025-03-18T21:30:44.577523-04:00"


@@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
---
dependencies: dependencies:
- name: helm-toolkit - name: helm-toolkit
repository: file://../deps/helm-toolkit repository: file://../deps/helm-toolkit


@@ -16,7 +16,8 @@
set -ex set -ex
rm -f /var/run/rsyslogd.pid # error: rsyslog: Unrecognized service
service rsyslog restart rm -f /var/run/rsyslogd.pid || true
service rsyslog restart || true
maas-region dbupgrade maas-region dbupgrade
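Review bot: `service rsyslog restart || true` swallows every failure, not only the "Unrecognized service" case the new comment describes, and `rm -f ... || true` is redundant because `rm -f` already exits 0 for a missing file. A narrower guard keeps `set -ex` meaningful: `if command -v rsyslogd >/dev/null 2>&1; then rm -f /var/run/rsyslogd.pid; service rsyslog restart; fi`. The enclosing script starts outside the hunk, so I cannot tell whether rsyslog is still expected in the jammy image at all; if it is not, removing both lines is cleaner than masking them.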


@@ -0,0 +1,19 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
maas config-tls enable --yes --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt
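Review bot: The new script has no comment describing what it expects to find, so a reader has to infer from the single command that a key, certificate and CA are mounted under `/etc/maas/ssl`; a line such as `# Enable TLS on the MAAS region API using the key/cert/CA mounted under /etc/maas/ssl (--yes makes the command non-interactive)` above it would document the contract. The header also carries the 2017 Openstack-Helm copyright copied from older files even though this file is new in this change; probably worth the project's current header instead.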


@@ -0,0 +1,75 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
function clear_secret {
wget \
--server-response \
--ca-certificate=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--header='Content-Type: application/json' \
--header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
--method=DELETE \
https://kubernetes.default.svc.cluster.local/api/v1/namespaces/${MAAS_REGION_SECRET_NAMESPACE}/secrets/${MAAS_REGION_SECRET}
}
function post_secret {
wget \
--server-response \
--ca-certificate=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--header='Content-Type: application/json' \
--header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
--method=POST \
--body-file=/tmp/secret.json \
https://kubernetes.default.svc.cluster.local/api/v1/namespaces/${MAAS_REGION_SECRET_NAMESPACE}/secrets \
2>&1
}
SECRET=$(cat /var/lib/maas/secret)
if [ "x$SECRET" != "x" ]; then
ENCODED_SECRET=$(echo -n $SECRET | base64 -w 0)
cat <<EOS > /tmp/secret.json
{
"apiVersion": "v1",
"kind": "Secret",
"type": "Opaque",
"metadata": {
"name": "${MAAS_REGION_SECRET}"
},
"data": {
"REGION_SECRET": "$ENCODED_SECRET"
}
}
EOS
while true; do
export result=$(post_secret)
if [ ! -z "$(echo "$result" | grep -i '201 Created')" ]; then
echo 'Secret created'
break
elif [ ! -z "$(echo "$result" | grep -i '409 Conflict')" ]; then
echo 'Secret exists, clearing before trying again'
clear_secret
else
echo 'Secret creation failed'
echo $result
fi
sleep 15
done
else
echo "Failed to get key from maas."
exit 1
fi
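Review bot: `set -ex` at the top of this new script traces every expanded command to the container log, which exposes the region secret in `echo -n $SECRET | base64 -w 0` and the service-account token in the `Authorization: Bearer $(cat ...)` header of both wget calls; `echo $result` then prints the full response headers as well. Use `set -e` alone, or bracket the sensitive commands with `set +x` / `set -x`, and quote the variables (`echo -n "$SECRET"`, `echo "$result"`). The retry loop also has no upper bound, so a persistent failure keeps cycling every 15 s forever; a retry counter that exits non-zero, or relying on the Job's deadline if this runs as a Job, would surface the failure instead of hiding it.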


@@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900}
RETRY_TIMER=${RETRY_TIMER:-30} RETRY_TIMER=${RETRY_TIMER:-30}
function timer { function timer {
retry_wait=$1 retry_wait=$1
shift shift
while [[ ${JOB_TIMEOUT} -gt 0 ]] while [[ ${JOB_TIMEOUT} -gt 0 ]]; do
do "$@"
"$@" rc=$?
rc=$? if [ $rc -eq 0 ]; then
if [ $rc -eq 0 ] return $rc
then else
return $rc JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait))
else sleep $retry_wait
JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait)) fi
sleep $retry_wait done
fi
done
return 124 return 124
} }
function import_resources { function import_resources {
check_for_download check_for_download
rc=$? rc=$?
if [ $rc -ne 0 ] if [ $rc -ne 0 ]; then
then echo "Starting image import try ${import_tries}..."
echo "Starting image import try ${import_tries}..." maas ${ADMIN_USERNAME} boot-resources import
maas ${ADMIN_USERNAME} boot-resources import sleep 30
sleep 30 check_for_download
check_for_download rc=$?
rc=$? fi
fi
return $rc return $rc
} }
function start_import { function start_import {
timer "$RETRY_TIMER" import_resources timer "$RETRY_TIMER" import_resources
} }
function check_for_download { function check_for_download {
if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then
then echo -e '\nBoot resources currently importing\n'
echo -e '\nBoot resources currently importing\n' return 1
return 1 else
else synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO)
synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO) if [[ $synced_imgs -gt 0 ]]; then
if [[ $synced_imgs -gt 0 ]] echo 'Boot resources have completed importing'
then return 0
echo 'Boot resources have completed importing' else
return 0 echo 'Import failed!'
else return 1
echo 'Import failed!' fi
return 1 fi
fi
fi
} }
function check_then_set_single { function check_then_set_single {
option="$1" option="$1"
value="$2" value="$2"
cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
desired_val=$(echo ${value} | tr -d '"') desired_val=$(echo ${value} | tr -d '"')
if [[ $cur_val != $desired_val ]] if [[ $cur_val != $desired_val ]]; then
then echo "Setting MAAS option ${option} to ${desired_val}"
echo "Setting MAAS option ${option} to ${desired_val}" maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} return $?
return $? else
else echo "MAAS option ${option} already set to ${cur_val}"
echo "MAAS option ${option} already set to ${cur_val}" return 0
return 0 fi
fi
} }
function check_then_set { function check_then_set {
option=$1 option=$1
value=$2 value=$2
timer "$RETRY_TIMER" check_then_set_single "$option" "$value" timer "$RETRY_TIMER" check_then_set_single "$option" "$value"
} }
# Get rack controllers reporting a healthy rackd # Get rack controllers reporting a healthy rackd
function get_active_rack_controllers { function get_active_rack_controllers {
maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id'
} }
function check_for_rack_sync_single { function check_for_rack_sync_single {
sync_list="" sync_list=""
rack_list=$(get_active_rack_controllers) rack_list=$(get_active_rack_controllers)
for rack_id in ${rack_list} for rack_id in ${rack_list}; do
do selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then
if [[ $synced_ctlr == "true" && ! -z ${selected_imgs} ]] sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
then else
sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
else fi
maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then
fi return 0
if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]] fi
then done
return 0
fi
done
return 1 return 1
} }
function check_for_rack_sync { function check_for_rack_sync {
timer "$RETRY_TIMER" check_for_rack_sync_single timer "$RETRY_TIMER" check_for_rack_sync_single
} }
function configure_proxy { function configure_proxy {
check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED}
check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED}
check_then_set http_proxy ${MAAS_PROXY_SERVER} check_then_set http_proxy ${MAAS_PROXY_SERVER}
check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT}
} }
function configure_ntp { function configure_ntp {
check_then_set ntp_servers ${MAAS_NTP_SERVERS} check_then_set ntp_servers ${MAAS_NTP_SERVERS}
check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY}
} }
function configure_dns { function configure_dns {
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED}
check_then_set upstream_dns ${MAAS_DNS_SERVERS} check_then_set upstream_dns ${MAAS_DNS_SERVERS}
} }
function configure_syslog { function configure_syslog {
check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG}
} }
function configure_images { function configure_images {
check_for_rack_sync check_for_rack_sync
if [[ $? -eq 124 ]] if [[ $? -eq 124 ]]; then
then echo "Timed out waiting for rack controller sync."
echo "Timed out waiting for rack controller sync." return 1
return 1 fi
fi
check_then_set default_osystem ${MAAS_DEFAULT_OS} check_then_set default_osystem ${MAAS_DEFAULT_OS}
check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL}
} }
function configure_boot_sources { function configure_boot_sources {
if [[ $USE_IMAGE_CACHE == 'true' ]] if [[ $USE_IMAGE_CACHE == 'true' ]]; then
then maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ fi
fi
selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}" if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then
then # Need to start an import to get the availability data
# Need to start an import to get the availability data maas "$ADMIN_USERNAME" boot-resources import
maas "$ADMIN_USERNAME" boot-resources import if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then
release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then return 1
return 1 fi
fi fi
fi
} }
function create_extra_commissioning_script { function create_extra_commissioning_script {
@@ -215,21 +203,26 @@ EOF
} }
function configure_extra_settings { function configure_extra_settings {
{{- range $k, $v := .Values.conf.maas.extra_settings }} {{- range $k, $v := .Values.conf.maas.extra_settings }}
check_then_set {{$k}} {{$v}} check_then_set {{$k}} {{$v}}
{{- else }} {{- else }}
: No additional MAAS config : No additional MAAS config
{{- end }} {{- end }}
} }
function maas_login { function maas_login {
KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
if [ -z "$KEY" ] if [ -z "$KEY" ]; then
then return 1
return 1 fi
fi {{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY maas login --insecure ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
return $? {{- else if .Values.conf.maas.tls.enabled }}
maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- else }}
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- end }}
return $?
} }
timer "$RETRY_TIMER" maas_login timer "$RETRY_TIMER" maas_login
@@ -245,10 +238,9 @@ create_extra_commissioning_script
timer "$RETRY_TIMER" configure_boot_sources timer "$RETRY_TIMER" configure_boot_sources
start_import start_import
if [[ $? -eq 0 ]] if [[ $? -eq 0 ]]; then
then configure_images
configure_images
else else
echo "Image import FAILED!" echo "Image import FAILED!"
exit 1 exit 1
fi fi
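Review bot: The new TLS branch of `maas_login` points `--cacerts` at `/usr/local/share/ca-certificates/maas-ca.crt`, while the CA-import script added elsewhere in this change copies the chart CA to `/usr/local/share/ca-certificates/ca.crt`; unless this container receives the file under a different name, the verifying path would fail and only the `--insecure` branch, which disables certificate verification, would work. Worth confirming the mount and using one file name in both scripts. The API key is also expanded unquoted in all three `maas login` lines; `"$KEY"` is safer under `set -e`. The script's top, including its `set` options, is outside the hunk.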


@@ -0,0 +1,23 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
sleep 15
# Import MaaS CA Certificate
cp -f /etc/maas/certificates/ca.crt /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
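Review bot: The `sleep 15` has no comment saying what it waits for, and `cp -f` under `set -e` aborts the container when `/etc/maas/certificates/ca.crt` is not mounted, so the script is only safe if it is rendered solely for TLS-enabled deployments. A guard such as `if [ -f /etc/maas/certificates/ca.crt ]; then cp -f ...; update-ca-certificates; fi` plus a comment like `# wait for the certificate volume to be populated before importing the CA`, if that is what the delay is for, would make the intent explicit. The same header-copyright remark as for the other new scripts applies here.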


@@ -18,78 +18,75 @@
set -ex set -ex
function check_boot_images { function check_boot_images {
if maas local boot-resources is-importing | grep -q 'true'; if maas local boot-resources is-importing | grep -q 'true'; then
then echo -e '\nBoot resources currently importing\n'
echo -e '\nBoot resources currently importing\n' return 1
return 1 else
else synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) if [[ $synced_imgs -gt 0 ]]; then
if [[ $synced_imgs -gt 0 ]] echo 'Boot resources have completed importing'
then return 0
echo 'Boot resources have completed importing' else
return 0 return 1
else fi
return 1 fi
fi
fi
} }
function check_rack_controllers { function check_rack_controllers {
rack_cnt=$(maas local rack-controllers read | grep -c hostname) rack_cnt=$(maas local rack-controllers read | grep -c hostname)
if [[ $rack_cnt -gt 0 ]] if [[ $rack_cnt -gt 0 ]]; then
then echo "Found $rack_cnt rack controllers."
echo "Found $rack_cnt rack controllers." return 0
return 0 else
else return 1
return 1 fi
fi
} }
function check_admin_api { function check_admin_api {
if maas local version read; if maas local version read; then
then echo 'Admin API is responding'
echo 'Admin API is responding' return 0
return 0 else
else return 1
return 1 fi
fi
} }
function establish_session { function establish_session {
maas login local ${MAAS_URL} ${MAAS_API_KEY} maas login local ${MAAS_URL} ${MAAS_API_KEY}
return $? return $?
} }
# Import CA Certificate
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
update-ca-certificates
{{- end }}
establish_session establish_session
if [[ $? -ne 0 ]] if [[ $? -ne 0 ]]; then
then echo "MAAS API login FAILED!"
echo "MAAS API login FAILED!" exit 1
exit 1
fi fi
check_boot_images check_boot_images
if [[ $? -eq 1 ]] if [[ $? -eq 1 ]]; then
then echo "Image import test FAILED!"
echo "Image import test FAILED!" exit 1
exit 1
fi fi
check_rack_controllers check_rack_controllers
if [[ $? -eq 1 ]] if [[ $? -eq 1 ]]; then
then echo "Rack controller query FAILED!"
echo "Rack controller query FAILED!" exit 1
exit 1
fi fi
check_admin_api check_admin_api
if [[ $? -eq 1 ]] if [[ $? -eq 1 ]]; then
then echo "Admin API response FAILED!"
echo "Admin API response FAILED!" exit 1
exit 1
fi fi
echo "MAAS Validation SUCCESS!" echo "MAAS Validation SUCCESS!"
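Review bot: The new `# Import CA Certificate` block runs `update-ca-certificates` only when `tls.insecure` is true, which looks inverted: the insecure setting is the one that skips verification, while the verifying case is the one that needs the CA installed, so `{{- if (and .Values.conf.maas.tls.enabled (not .Values.conf.maas.tls.insecure)) }}` is probably what was meant. Nothing in this hunk copies a certificate into `/usr/local/share/ca-certificates/` first, so the call is a no-op unless a mount places the file there. `establish_session` also still runs `maas login local ${MAAS_URL} ${MAAS_API_KEY}` without the `--cacerts`/`--insecure` handling the configure script gained in this change, so with TLS enabled the login may fail before any check runs.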


@@ -0,0 +1,32 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_ingress_cert }}
spec:
secretName: {{ .Values.secrets.maas_ingress_cert }}
commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
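Review bot: `{{- $envAll := . }}` is declared but never referenced in this template, and the same unused assignment appears in the internal certificate template that follows; either drop it or use it in place of `.` in the `tuple` calls. The closing `{{ end }}` lacks the whitespace trim used on the opening `{{- if`, so rendering leaves a stray blank line; `{{- end }}` matches the configmap template in this change. Both remarks apply to the second certificate template as well.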


@@ -0,0 +1,35 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_cert }}
spec:
secretName: {{ .Values.secrets.maas_cert }}
commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
{{ end }}


@@ -23,6 +23,9 @@ metadata:
data: data:
db-init.sh: |+ db-init.sh: |+
{{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }} {{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
#set maasdb owner to maas
pgsql_superuser_cmd "ALTER DATABASE $USER_DB_NAME OWNER to $USER_DB_USER;"
db-sync.sh: |+ db-sync.sh: |+
{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bootstrap-admin-user.sh: | bootstrap-admin-user.sh: |
@@ -35,6 +38,8 @@ data:
{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
export-api-key.sh: | export-api-key.sh: |
{{ tuple "bin/_export-api-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_export-api-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
export-secret-key.sh: |
{{ tuple "bin/_export-secret-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
register-rack-controller.sh: | register-rack-controller.sh: |
{{ tuple "bin/_register-rack-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_register-rack-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
maas-test.sh: | maas-test.sh: |
@@ -49,3 +54,7 @@ data:
{{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
start-syslog.sh: | start-syslog.sh: |
{{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.conf.maas.tls.enabled }}
enable-tls.sh: |
{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
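Review bot: The `ALTER DATABASE ... OWNER` line added after the `pg_db_init` include relies on `$USER_DB_NAME`, `$USER_DB_USER` and `pgsql_superuser_cmd` being defined by the helm-toolkit script it follows, and nothing in this file says so; a comment such as `# USER_DB_NAME, USER_DB_USER and pgsql_superuser_cmd come from helm-toolkit.scripts.pg_db_init above; hand the database to the service user (presumably the toolkit creates it owned by the superuser)` would record both the dependency and the reason. The identifiers are interpolated into the SQL unquoted, so a database or role name containing SQL-significant characters breaks the statement (they come from chart values rather than external input, so this is robustness, not injection). The new comment also lacks the `# ` spacing used elsewhere in the chart.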


@@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- if .Values.manifests.rack_statefulset }} {{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}} {{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
{{- $serviceAccountName := "maas-ingress-errors" }} {{- $serviceAccountName := "maas-ingress-errors" }}


@@ -20,8 +20,16 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: maas-region-api name: maas-region-api
annotations:
{{ toYaml .Values.network.region_api.ingress.annotations | indent 4 }}
spec: spec:
ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }} ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }}
{{- if .Values.conf.maas.tls.enabled }}
tls:
- secretName: maas-region-api-tls
hosts:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
rules: rules:
- host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} - host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
http: http:
@@ -55,6 +63,43 @@ spec:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port: port:
name: region-api name: region-api
{{- else if (and .Values.conf.maas.ingress_disable_gui .Values.conf.maas.tls.enabled) }}
- path: /MAAS/api
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
- path: /MAAS/images-stream
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
- path: /MAAS/metadata
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
- path: /MAAS/rpc
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
{{- else if .Values.conf.maas.tls.enabled }}
- path: /
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
{{- else }} {{- else }}
- path: / - path: /
pathType: Prefix pathType: Prefix
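Review bot: The TLS block hard-codes `secretName: maas-region-api-tls`, which is the default of `secrets.maas_cert` (the internal, short-name certificate) rather than `secrets.maas_ingress_cert`, so the public-FQDN Ingress would serve the internal certificate and overriding either value would not reach the Ingress; use `- secretName: {{ .Values.secrets.maas_ingress_cert }}`. The new `annotations` line renders `toYaml` of `.Values.network.region_api.ingress.annotations`, which does not appear in the values hunks shown — if it is undefined the key renders as `null`, and if it is meant to carry the controller's backend-protocol annotation that the `region-api-tls` backends below depend on, a comment should say so. The four path stanzas in the `ingress_disable_gui` branch differ only in `path` and could be a `range` over a list.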


@@ -0,0 +1,79 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.conf.maas.tls.enabled }}
{{- $envAll := . }}
{{- $serviceAccountName := "maas-enable-tls" }}
{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: maas-enable-tls
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
initContainers:
{{ tuple $envAll "enable_tls" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: maas-enable-tls
image: {{ .Values.images.tags.enable_tls }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/enable-tls.sh
volumeMounts:
- name: maas-bin
mountPath: /tmp/enable-tls.sh
subPath: enable-tls.sh
readOnly: true
- name: maas-etc
mountPath: /etc/maas/regiond.conf
subPath: regiond.conf
readOnly: true
- name: maas-tls
mountPath: /etc/maas/ssl
readOnly: true
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
- name: maas-etc
configMap:
name: maas-etc
defaultMode: 0444
- name: maas-tls
secret:
secretName: {{ .Values.secrets.maas_cert }}
defaultMode: 0444
{{ end }}
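Review bot: The `maas-tls` volume mounts the whole certificate secret, private key included, with `defaultMode: 0444`, so the key is readable by every uid inside the container; `0440` (or `0400` when the job's security context runs the process as the file owner) is the least-privilege choice and the pod security context snippet already controls the fsGroup. This Job runs once per release, so if `enable-tls.sh` copies the certificate into MAAS, a certificate that cert-manager later renews in the secret is not re-applied until the next `helm upgrade`; a comment on the Job stating that limitation (or a hook annotation that re-runs it on upgrade) would make the renewal story explicit. The `maas-etc` mount of `regiond.conf` is also read-only and presumably only needed for the API URL — a comment saying which value the script reads from it would help.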


@@ -46,6 +46,15 @@ spec:
- name: region-import-resources - name: region-import-resources
image: {{ .Values.images.tags.maas_region }} image: {{ .Values.images.tags.maas_region }}
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- sleep 15; update-ca-certificates
{{- end }}
env: env:
- name: USE_IMAGE_CACHE - name: USE_IMAGE_CACHE
value: {{ .Values.conf.cache.enabled | quote }} value: {{ .Values.conf.cache.enabled | quote }}
@@ -100,6 +109,12 @@ spec:
- /tmp/import-boot-resources.sh - /tmp/import-boot-resources.sh
{{ dict "envAll" $envAll "component" "import-resources" "container" "region-import-resources" "type" "readiness" "probeTemplate" (include "jobreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "import-resources" "container" "region-import-resources" "type" "readiness" "probeTemplate" (include "jobreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
volumeMounts: volumeMounts:
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin - name: maas-bin
mountPath: /tmp/import-boot-resources.sh mountPath: /tmp/import-boot-resources.sh
subPath: import-boot-resources.sh subPath: import-boot-resources.sh
@@ -125,3 +140,11 @@ spec:
configMap: configMap:
name: maas-etc name: maas-etc
defaultMode: 0444 defaultMode: 0444
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
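Review bot: The postStart hook `sleep 15; update-ca-certificates` races the container's own entrypoint — Kubernetes runs postStart concurrently with the main process, so whether the CA is trusted before the first TLS connection depends on the 15-second guess; running `update-ca-certificates` at the top of the mounted `/tmp/import-boot-resources.sh` before any MAAS call removes the race. The same pattern is added to the rack statefulset's container and to the region statefulset, where the hook additionally chains `/tmp/export-secret-key.sh` unconditionally. The `ca-cert` volume selects only the `ca.crt` item from `secrets.maas_cert`; when `tls.create` is false and the operator supplies that secret without a `ca.crt` key, the pod fails to start unless the volume is marked `optional: true`, which is worth a comment next to the volume.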


@@ -1,5 +1,5 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@@ -14,14 +14,16 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $secretName := index $envAll.Values.secrets.maas_region "name" }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ $secretName }} name: {{ .Values.secrets.certificate }}
type: Opaque type: kubernetes/tls
data: data:
REGION_SECRET: |- ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }}
{{ $envAll.Values.secrets.maas_region.value | b64enc | indent 4 }} tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }}
tls.key: {{ .Values.conf.maas.tls.key | b64enc }}
{{ end }}
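Review bot: `type: kubernetes/tls` is not the built-in Kubernetes TLS secret type; the type that ingress controllers and cert-manager recognise (and that validates `tls.crt`/`tls.key` presence) is `kubernetes.io/tls`, so this should read `type: kubernetes.io/tls`. The Secret is named from `.Values.secrets.certificate`, but every consumer in this change references `secrets.maas_cert` or `secrets.maas_ingress_cert` and `certificate` is not in the values hunks shown — if it is undefined the name renders empty and the manifest is rejected, so it likely should be `name: {{ .Values.secrets.maas_cert }}`. Since `ca`, `cert` and `key` are taken from plain values strings, a private key ends up in a values override file; a comment pointing operators at `create: false` with a pre-provisioned secret would be worth adding.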


@@ -24,6 +24,10 @@ spec:
ports: ports:
- name: http - name: http
port: 80 port: 80
{{- if .Values.conf.maas.tls.enabled }}
- name: https
port: 443
{{- end }}
selector: selector:
{{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
... ...


@@ -28,6 +28,14 @@ spec:
{{ if .Values.network.region_api.node_port.enabled }} {{ if .Values.network.region_api.node_port.enabled }}
nodePort: {{ tuple "maas_region" "nodeport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} nodePort: {{ tuple "maas_region" "nodeport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ end }} {{ end }}
{{- if .Values.conf.maas.tls.enabled }}
- name: region-api-tls
port: {{ tuple "maas_region" "secure" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
targetPort: {{ tuple "maas_region" "podporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.region_api.node_port.enabled }}
nodePort: {{ tuple "maas_region" "nodeporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ end }}
{{- end }}
- name: region-proxy - name: region-proxy
port: {{ tuple "maas_region" "internal" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "maas_region" "internal" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
targetPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} targetPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@@ -41,6 +49,18 @@ spec:
- name: region-syslog - name: region-syslog
port: 514 port: 514
targetPort: {{ tuple "maas_region" "podport" "region_syslog" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} targetPort: {{ tuple "maas_region" "podport" "region_syslog" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: temporal-server
port: 5271
targetPort: 5271
- name: temporal-matching
port: 5272
targetPort: 5272
- name: temporal-history
port: 5273
targetPort: 5273
- name: temporal-worker
port: 5274
targetPort: 5274
selector: selector:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{ if or .Values.network.region_proxy.node_port.enabled .Values.network.region_api.node_port.enabled }} {{ if or .Values.network.region_proxy.node_port.enabled .Values.network.region_api.node_port.enabled }}
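Review bot: The four temporal ports 5271-5274 are hard-coded in the Service instead of being declared under the `maas_region` endpoint like every other port here, so they bypass `endpoint_port_lookup` and cannot be overridden. More importantly, if the conditional at the end of the hunk switches the Service to `type: NodePort` (only the opening `if` is visible), Kubernetes allocates a node port for every port that lacks an explicit `nodePort`, which would expose the temporal RPC ports on every node; if they only need in-cluster reachability, a separate ClusterIP Service for them is safer, and otherwise a comment should state that node exposure is intended.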


@@ -71,6 +71,15 @@ spec:
image: {{ .Values.images.tags.maas_rack }} image: {{ .Values.images.tags.maas_rack }}
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true tty: true
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- sleep 15; update-ca-certificates
{{- end }}
{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
- name: MAAS_ENDPOINT - name: MAAS_ENDPOINT
@@ -97,7 +106,6 @@ spec:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }} {{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }}
- mountPath: /sys/fs/cgroup - mountPath: /sys/fs/cgroup
name: host-sys-fs-cgroup name: host-sys-fs-cgroup
readOnly: true
{{- end }} {{- end }}
- mountPath: /run - mountPath: /run
name: pod-run name: pod-run
@@ -113,6 +121,12 @@ spec:
mountPath: /usr/sbin/ntpd mountPath: /usr/sbin/ntpd
subPath: ntpd.sh subPath: ntpd.sh
readOnly: true readOnly: true
{{- end }}
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }} {{- end }}
- name: maas-bin - name: maas-bin
mountPath: /tmp/start.sh mountPath: /tmp/start.sh
@@ -185,6 +199,14 @@ spec:
configMap: configMap:
name: maas-etc name: maas-etc
defaultMode: 0444 defaultMode: 0444
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
{{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }} {{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }}
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
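Review bot: Dropping `readOnly: true` from the host `/sys/fs/cgroup` mount gives the rack container write access to the host's cgroup hierarchy, on top of the capabilities the values hunks already grant, and nothing in the change records why this became necessary (presumably systemd inside the jammy image needs a writable cgroup tree). A comment at the mount, e.g. `# writable: systemd in the jammy image must manage its own cgroup subtree`, plus a note in values that `disable_cgroups_rack` is the switch to turn the mount off, would keep the widened privilege reviewable. The same `readOnly: true` removal is made on the region statefulset's `/sys/fs/cgroup` mount.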


@@ -17,9 +17,53 @@
{{- $serviceAccountName := "maas-region" }} {{- $serviceAccountName := "maas-region" }}
{{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }} {{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
{{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }} {{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
{{ tuple $envAll "region_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "region_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}-export
namespace: {{ $envAll.Release.Namespace }}
rules:
- apiGroups:
- ""
- extensions
- batch
- apps
verbs:
- get
- list
resources:
- services
- endpoints
- jobs
- pods
- apiGroups:
- ""
verbs:
- get
- create
- update
- delete
resources:
- secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}-export
namespace: {{ $envAll.Release.Namespace }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}-export
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
@@ -94,12 +138,29 @@ spec:
image: {{ .Values.images.tags.maas_region }} image: {{ .Values.images.tags.maas_region }}
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true tty: true
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- sleep 15; update-ca-certificates; /tmp/export-secret-key.sh
{{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "region" "container" "maas_region" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "region" "container" "maas_region" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: MAAS_REGION_SECRET_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MAAS_REGION_SECRET
value: {{ .Values.secrets.maas_region.name }}
ports: ports:
- name: region-api - name: region-api
containerPort: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.conf.maas.tls.enabled }}
- name: region-api-tls
containerPort: {{ tuple "maas_region" "podporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
- name: region-proxy - name: region-proxy
containerPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe: readinessProbe:
@@ -111,7 +172,6 @@ spec:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_region }} {{- if not .Values.conf.maas.cgroups.disable_cgroups_region }}
- mountPath: /sys/fs/cgroup - mountPath: /sys/fs/cgroup
name: host-sys-fs-cgroup name: host-sys-fs-cgroup
readOnly: true
{{- end }} {{- end }}
- mountPath: /run - mountPath: /run
name: pod-run name: pod-run
@@ -119,9 +179,15 @@ spec:
name: pod-run-lock name: pod-run-lock
- mountPath: /tmp - mountPath: /tmp
name: pod-tmp name: pod-tmp
- name: maas-region-secret {{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
mountPath: /var/lib/maas/secret - name: ca-cert
subPath: REGION_SECRET mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin
mountPath: /tmp/export-secret-key.sh
subPath: export-secret-key.sh
readOnly: true readOnly: true
- name: maas-etc - name: maas-etc
mountPath: /etc/bind/named.conf.options mountPath: /etc/bind/named.conf.options
@@ -200,9 +266,14 @@ spec:
configMap: configMap:
name: maas-bin name: maas-bin
defaultMode: 0555 defaultMode: 0555
- name: maas-region-secret {{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret: secret:
secretName: {{ .Values.secrets.maas_region.name }} secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
{{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }} {{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }}
{{- if .Values.manifests.maas_syslog }} {{- if .Values.manifests.maas_syslog }}
volumeClaimTemplates: volumeClaimTemplates:
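Review bot: The new `-export` Role grants `get`, `update` and `delete` on every Secret in the namespace, although the pod only needs to manage the single secret named by `MAAS_REGION_SECRET` (`secrets.maas_region.name`, assuming that is what `export-secret-key.sh` writes); scope the read/write verbs with `resourceNames` and leave only `create`, which cannot be name-scoped, unrestricted. The first rule's `get`/`list` over services, endpoints, jobs and pods looks like the dependency-check permissions that `kubernetes_pod_rbac_serviceaccount` already provides — if so it can be dropped. Separately, the `env:` key added before `ports:` should be checked against the rest of this container (which continues outside the hunk) so the rendered container does not end up with two `env:` keys.
```yaml
rules:
  # … unchanged: services/endpoints/jobs/pods rule, if still needed …
  - apiGroups:
      - ""
    verbs:
      - create
    resources:
      - secrets
  - apiGroups:
      - ""
    verbs:
      - get
      - update
      - delete
    resources:
      - secrets
    resourceNames:
      - {{ .Values.secrets.maas_region.name }}
```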


@@ -38,7 +38,11 @@ spec:
- name: maas-api-test - name: maas-api-test
env: env:
- name: 'MAAS_URL' - name: 'MAAS_URL'
value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} {{- if empty .Values.conf.maas.url.maas_url }}
value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- else }}
value: {{ .Values.conf.maas.url.maas_url }}
{{- end }}
- name: 'MAAS_API_KEY' - name: 'MAAS_API_KEY'
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@@ -50,6 +54,12 @@ spec:
{{ dict "envAll" $envAll "application" "api_test" "container" "maas_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "api_test" "container" "maas_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
command: ["/tmp/maas-test.sh"] command: ["/tmp/maas-test.sh"]
volumeMounts: volumeMounts:
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin - name: maas-bin
mountPath: /tmp/maas-test.sh mountPath: /tmp/maas-test.sh
subPath: maas-test.sh subPath: maas-test.sh
@@ -59,5 +69,13 @@ spec:
configMap: configMap:
name: maas-bin name: maas-bin
defaultMode: 0555 defaultMode: 0555
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
... ...
{{- end }} {{- end }}
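Review bot: In the `else` branch `value: {{ .Values.conf.maas.url.maas_url }}` is rendered unquoted while the sibling branch pipes through `| quote`; a URL is a plain string, and a value containing ` #` or starting with a YAML indicator would mis-parse, so use `value: {{ .Values.conf.maas.url.maas_url | quote }}`. `conf.maas.url.maas_url` does not appear in the values hunks shown; `empty` on a missing key is true so the public endpoint is used, but declaring it in values with a comment would make the override discoverable. Switching the default from the internal to the public endpoint also changes which URL the test exercises and deserves a comment here.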


@@ -17,6 +17,7 @@
# This is a YAML-formatted file. # This is a YAML-formatted file.
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
---
dependencies: dependencies:
static: static:
maas_ingress: {} maas_ingress: {}
@@ -29,6 +30,7 @@ dependencies:
endpoint: monitor endpoint: monitor
jobs: jobs:
- maas-export-api-key - maas-export-api-key
- maas-export-secret-key
region_controller: region_controller:
jobs: jobs:
- maas-db-sync - maas-db-sync
@@ -74,6 +76,12 @@ dependencies:
endpoint: internal endpoint: internal
- service: maas_ingress - service: maas_ingress
endpoint: monitor endpoint: monitor
enable_tls:
jobs:
- maas-bootstrap-admin-user
services:
- service: maas_region
endpoint: internal
network_policy: network_policy:
maas: maas:
@@ -96,18 +104,19 @@ manifests:
images: images:
tags: tags:
db_init: docker.io/postgres:9.5 db_init: docker.io/library/postgres:14.5
db_sync: quay.io/airshipit/maas-region-controller:latest db_sync: quay.io/airshipit/maas-region-controller:latest
maas_rack: quay.io/airshipit/maas-rack-controller:latest maas_rack: quay.io/airshipit/maas-rack-controller:latest
maas_region: quay.io/airshipit/maas-region-controller:latest maas_region: quay.io/airshipit/maas-region-controller:latest
bootstrap: quay.io/airshipit/maas-region-controller:latest bootstrap: quay.io/airshipit/maas-region-controller:latest
export_api_key: quay.io/airshipit/maas-region-controller:latest export_api_key: quay.io/airshipit/maas-region-controller:latest
maas_cache: quay.io/airshipit/sstream-cache:latest maas_cache: quay.io/airshipit/sstream-cache:latest
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1 ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
ingress_vip: docker.io/busybox:latest ingress_vip: docker.io/busybox:latest
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0 error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
maas_syslog: quay.io/airshipit/maas-region-controller:latest maas_syslog: quay.io/airshipit/maas-region-controller:latest
enable_tls: quay.io/airshipit/maas-region-controller:latest
pull_policy: IfNotPresent pull_policy: IfNotPresent
local_registry: local_registry:
# TODO(portdirect): this chart does not yet support local image cacheing # TODO(portdirect): this chart does not yet support local image cacheing
@@ -119,7 +128,7 @@ jobs:
import_boot_resources: import_boot_resources:
try_limit: 1 try_limit: 1
retry_timer: 10 retry_timer: 10
#default timeout: 15 minutes # default timeout: 15 minutes
timeout: 900 timeout: 900
labels: labels:
@@ -222,12 +231,12 @@ conf:
logfile: nodeboot.log logfile: nodeboot.log
logrotate: logrotate:
# How many rotated logs to keep # How many rotated logs to keep
rotate: '30' rotate: "30"
# Size threshold when a log should rotate # Size threshold when a log should rotate
size: '100M' size: "100M"
# levels (emerg,alert,crit,error,warning,notice,info,debug) # levels (emerg,alert,crit,error,warning,notice,info,debug)
# use 'info' as default when overwritting the default # use 'info' as default when overwritting the default
log_level: 'info' log_level: "info"
maas: maas:
override: override:
append: append:
@@ -262,9 +271,9 @@ conf:
# An external proxy server to use # An external proxy server to use
proxy_server: null proxy_server: null
images: images:
default_os: 'ubuntu' default_os: "ubuntu"
default_image: 'bionic' default_image: "focal"
default_kernel: 'ga-18.04' default_kernel: "ga-20.04"
credentials: credentials:
secret: secret:
namespace: maas namespace: maas
@@ -292,8 +301,15 @@ conf:
# enlist_commissioning: if true, directly go into commissioning during enlistment # enlist_commissioning: if true, directly go into commissioning during enlistment
enlist_commissioning: false enlist_commissioning: false
# system user for console login/recovery in early phases of deployment # system user for console login/recovery in early phases of deployment
system_user: 'root' system_user: "root"
system_passwd: 'password' system_passwd: "password"
tls:
enabled: false
create: false
insecure: false # set to true to allow self-signed certs
ca: ""
cert: ""
key: ""
drivers: null drivers: null
#### If you populates drivers, it will replace the 3rd party driver #### If you populates drivers, it will replace the 3rd party driver
#### info that comes with MaaS. see structure below if it is needed #### info that comes with MaaS. see structure below if it is needed
@@ -339,8 +355,9 @@ secrets:
admin: maas-admin admin: maas-admin
maas_region: maas_region:
name: maas-region-secret name: maas-region-secret
value: 3858f62230ac3c915f300c664312c63f
ssh_key: ssh-private-key ssh_key: ssh-private-key
maas_cert: maas-region-api-tls
maas_ingress_cert: maas-region-api-ingress-tls
pod: pod:
mandatory_access_control: mandatory_access_control:
@@ -389,19 +406,19 @@ pod:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
capabilities: capabilities:
add: add:
- 'NET_ADMIN' - "NET_ADMIN"
- 'SYS_MODULE' - "SYS_MODULE"
runAsUser: 0 runAsUser: 0
maas_ingress_vip: maas_ingress_vip:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
capabilities: capabilities:
add: add:
- 'NET_ADMIN' - "NET_ADMIN"
maas_ingress: maas_ingress:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
capabilities: capabilities:
add: add:
- 'NET_BIND_SERVICE' - "NET_BIND_SERVICE"
ingress_errors: ingress_errors:
pod: pod:
runAsUser: 65534 runAsUser: 65534
@@ -455,12 +472,12 @@ pod:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
capabilities: capabilities:
add: add:
- 'DAC_READ_SEARCH' - "DAC_READ_SEARCH"
- 'NET_ADMIN' - "NET_ADMIN"
- 'SYS_ADMIN' - "SYS_ADMIN"
- 'SYS_PTRACE' - "SYS_PTRACE"
- 'SYS_RESOURCE' - "SYS_RESOURCE"
- 'SYS_TIME' - "SYS_TIME"
region: region:
pod: pod:
runAsUser: 0 runAsUser: 0
@@ -471,12 +488,12 @@ pod:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
capabilities: capabilities:
add: add:
- 'SYS_ADMIN' - "SYS_ADMIN"
- 'NET_ADMIN' - "NET_ADMIN"
- 'SYS_PTRACE' - "SYS_PTRACE"
- 'SYS_TIME' - "SYS_TIME"
- 'SYS_RESOURCE' - "SYS_RESOURCE"
- 'DAC_READ_SEARCH' - "DAC_READ_SEARCH"
api_test: api_test:
pod: pod:
runAsUser: 0 runAsUser: 0
@@ -659,7 +676,6 @@ endpoints:
syslog: syslog:
public: 514 public: 514
podport: 514 podport: 514
maas_db: maas_db:
auth: auth:
admin: admin:
@@ -690,12 +706,15 @@ endpoints:
path: path:
default: /MAAS default: /MAAS
scheme: scheme:
default: 'http' default: "http"
port: port:
region_api: region_api:
default: 80 default: 80
secure: 443
nodeport: 31900 nodeport: 31900
nodeporttls: 31901
podport: 5240 podport: 5240
podporttls: 5443
public: 80 public: 80
region_proxy: region_proxy:
default: 8000 default: 8000
@@ -722,3 +741,10 @@ endpoints:
default: http default: http
host_fqdn_override: host_fqdn_override:
default: null default: null
cert_manager:
enabled: false
create: false
issuer:
kind: ClusterIssuer
name: ca-issuer
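Review bot: The comment `insecure: false # set to true to allow self-signed certs` misdescribes the flag: in the templates it mounts `ca.crt` from `secrets.maas_cert` and runs `update-ca-certificates`, i.e. it trusts the chart's CA rather than disabling verification, so reword it to something like `# when true, mount ca.crt from secrets.maas_cert and add it to the system trust store (needed for a private CA)` so nobody reads it as "skip certificate checks". `ca`, `cert` and `key` default to empty strings and are base64-encoded verbatim into the Secret when `tls.create` is true, silently producing an unusable TLS secret; a comment that all three are required, or that `create: false` with an externally managed secret is the alternative, would help. `cert_manager.create` does not appear to be read by any template in this change (the Certificate templates key off `conf.maas.tls.create` and `cert_manager.enabled`); if it is unused, drop it or document what it is for.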


@@ -0,0 +1,27 @@
diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
index 752ae66..e8f1632 100644
--- a/src/provisioningserver/drivers/power/ipmi.py
+++ b/src/provisioningserver/drivers/power/ipmi.py
@@ -155,6 +155,13 @@ IPMI_ERRORS = {
),
"exception": PowerConnError,
},
+ "BMC error": {
+ "message": (
+ "Device not responding correctly while performing power action."
+ " MAAS performed several retries. Please wait and try again."
+ ),
+ "exception": PowerConnError,
+ },
"could not find inband device": {
"message": (
"An inband device could not be found."
@@ -321,7 +328,7 @@ class IPMIPowerDriver(PowerDriver):
),
]
ip_extractor = make_ip_extractor("power_address")
- wait_time = (4, 8, 16, 32)
+ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
def detect_missing_packages(self):
if not shell.has_command_available("ipmipower"):


@@ -0,0 +1,13 @@
diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
index 6124f68..fb1fa0b 100644
--- a/src/provisioningserver/utils/network.py
+++ b/src/provisioningserver/utils/network.py
@@ -1187,6 +1187,8 @@ def get_all_interfaces_definition(
# interfaces for guests. By themselves, they're not useful for MAAS to
# manage.
"tunnel",
+ # Always exclude non-specific ethernet interfaces.
+ "ethernet",
]
if not running_in_container():
# When not running in a container, we should be able to identify


@@ -0,0 +1,12 @@
diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
index e46d930..dbe17a3 100644
--- a/src/provisioningserver/drivers/power/redfish.py
+++ b/src/provisioningserver/drivers/power/redfish.py
@@ -175,6 +175,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
]
ip_extractor = make_ip_extractor("power_address")
+ wait_time = (4, 8, 16, 32)
def detect_missing_packages(self):
# no required packages


@@ -0,0 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index d30156b..3a04ecb 100644
--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b"server", version)
self.setHeader(b"date", http.datetimeToString())
# Resource Identification
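Review bot: This patch edits the distro-wide `twisted/web/server.py` rather than MAAS code (the Dockerfiles apply it under `/usr/lib/python3/dist-packages/twisted/web`), so the `server` response header disappears for every Twisted HTTP listener in the image, not only the MAAS ones, and nothing in the patch says so. A header line before `diff --git`, e.g. `Drop the Server response header so Twisted does not advertise its version on MAAS HTTP endpoints; patches the distro python3-twisted package, not MAAS.`, would make that scope explicit. The same patch is added a second time further down for the region image; the pinned `index d30156b..3a04ecb` means a python3-twisted update will make `patch` fail the build loudly, which is the safe outcome but worth stating in the same header. The enclosing `Request` method continues outside the hunk.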


@@ -0,0 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..0cca0fe8d 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
{{if not upstream_allow_query_cache}}
allow-query-cache { trusted; };
{{endif}}
+allow-transfer { trusted; };


@@ -0,0 +1,93 @@
ARG FROM=quay.io/airshipit/ubuntu:jammy
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 1:3.5.4-16349-g.4dbbed5f4-0ubuntu1~22.04.1
RUN apt-get -qq update \
&& apt-get install -y \
avahi-daemon \
isc-dhcp-server \
jq \
libvirt-clients \
libvirt-daemon-system\
patch \
software-properties-common \
sudo \
systemd \
ca-certificates \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.5 \
&& apt-get install -y \
maas-rack-controller=$MAAS_VERSION \
&& rm -rf /var/lib/apt/lists/*
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# register ourselves with the region controller
COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service
RUN systemctl enable register-rack-controller.service
# Patch so that Calico interfaces are ignored
COPY 3.5_nic_filter.patch /tmp/3.5_nic_filter.patch
COPY 3.5_secure_headers.patch /tmp/3.5_secure_headers.patch
# Patch so maas knows that "BMC error" is retriable
COPY 3.5_ipmi_error.patch /tmp/3.5_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 3.5_redfish_retries.patch /tmp/3.5_redfish_retries.patch
# Patch to restrict access to zone transfers
COPY 3.5_transfer_trusted_only.patch /tmp/3.5_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.5_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.5_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.5_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.5_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.5_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# fix chronyd.pid permission
COPY scripts/override.chrony.conf /etc/systemd/system/chrony.service.d/override.conf
# fix httpproxy.sock permission
COPY scripts/maas-http-watcher.service /etc/systemd/system/maas-http-watcher.service
COPY scripts/maas-http-watcher.path /etc/systemd/system/maas-http-watcher.path
RUN systemctl enable maas-http-watcher.service
# initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
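Review bot: `RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log` writes a sudoers drop-in without validating it; a syntax error in any file under `sudoers.d` makes sudo refuse to run at all, and that would only surface at container runtime. Appending `&& visudo -cf /etc/sudoers.d/99-maas-no-log` to that RUN fails the build instead. The `!syslog` option also switches off sudo's own audit record for the maas user, so the comment above it should state that this is the accepted trade-off, e.g. `# quiet sudo for the maas user: no PAM session noise and no sudo syslog entries (no sudo audit trail for maas)`. The same line appears in the region Dockerfile below. Separately, `ENV DEBIAN_FRONTEND noninteractive`, `ENV container docker` and `ENV MAAS_VERSION ...` use the legacy whitespace form while the sstream Dockerfile in this change uses `ENV key=value`; the `=` form is the documented one and keeps the images consistent.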


@@ -0,0 +1 @@
[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller


@@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target


@@ -0,0 +1,5 @@
[Path]
PathModified=/var/run/maas/httpproxy.sock
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,9 @@
[Unit]
Description=MAAS HTTP server and reverse proxy server
After=network.target
[Service]
ExecStart=bash -c 'until (stat -f /var/run/maas/httpproxy.sock); do sleep 60; done; chmod o+rw /var/run/maas/httpproxy.sock'
[Install]
WantedBy=multi-user.target
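Review bot: `chmod o+rw /var/run/maas/httpproxy.sock` makes the MAAS HTTP proxy socket writable by every local user, which is broader than the Dockerfile's `# fix httpproxy.sock permission` suggests; if the peer that needs the socket is a known process, granting access through the socket's group (`chgrp <peer-group>` then `chmod g+rw`) keeps the `other` bits closed — the intended peer is not visible in this change, so confirm who has to connect before narrowing it. `stat -f` reports filesystem status rather than file status; it happens to fail on a missing path, but `until test -S /var/run/maas/httpproxy.sock; do sleep 60; done` states the intent (wait for the socket to exist) directly. Since the companion `.path` unit watches the same path with `PathModified=`, this service will presumably be started again on later changes to the socket; `Type=oneshot` would make that one-shot behaviour explicit.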


@@ -0,0 +1,3 @@
[Service]
ExecStartPre=-mkdir -p /var/log/chrony
ExecStartPre=-chown root /var/run/chrony


@@ -0,0 +1,12 @@
[Unit]
Description=Register with MaaS Region Controller
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH
ExecStart=/usr/local/bin/register-rack-controller.sh
[Install]
WantedBy=multi-user.target
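Review bot: `PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH` forwards the region secret and the API key from PID 1's environment into the service, so anything that can read the manager environment or the service process's environment sees them. systemd on jammy supports `LoadCredential=` and `SetCredential=`, which deliver values to the service as files under `$CREDENTIALS_DIRECTORY` with restricted permissions; moving `MAAS_REGION_SECRET` and `MAAS_API_KEY` there would keep them out of the environment, provided `register-rack-controller.sh` (not part of this change) is adapted to read them from that directory. `MAAS_ENDPOINT` and `HOST_MOUNT_PATH` are not sensitive and can stay in `PassEnvironment`.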


@@ -0,0 +1,70 @@
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
index 9d032ee..b01a12a 100755
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
@@ -129,17 +129,27 @@ class BMCConfig(metaclass=ABCMeta):
"""Returns boolean value of whether the BMC was detected."""
def add_bmc_user(self):
- """Add the specified BMC user and (re)set its password.
-
- Should set the username and password, even if it hasn't been
- changed.
- """
- # MAAS is the default user and will always be passed to the script.
- if self.username not in (None, "maas"):
- print(
- "WARNING: Unable to set a specific username or password on %s!"
- % self
- )
+ """Create/configure an IPMI user, but with several tries"""
+ attempt = 1
+ max_attempts = 5
+ backoff_amount = 30
+ exceptions_caught = []
+ while attempt <= max_attempts:
+ print("INFO: Attempt to add IPMI BMC user - %s" % attempt)
+ try:
+ self._add_bmc_user()
+ except Exception as e:
+ exceptions_caught.append(e)
+ if (attempt + 1) > max_attempts:
+ # This is our last attempt, exiting
+ print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)
+ sys.exit(1)
+
+ if self.password is None:
+ time.sleep(attempt * backoff_amount)
+ else:
+ return
+ attempt += 1
def configure(self):
"""Configure the BMC for use."""
@@ -188,7 +198,7 @@ class IPMIBase(BMCConfig):
first_unused = section_name
return first_unused
- def add_bmc_user(self):
+ def _add_bmc_user(self):
if not self.username:
self.username = "maas"
user_number = self._pick_user_number(self.username)
@@ -212,7 +222,7 @@ class IPMIBase(BMCConfig):
if self._bmc_config[user_number].get(key) != value:
self._bmc_set(user_number, key, value)
except Exception:
- pass
+ raise
else:
self.password = password
# Not all user settings are available on all BMC keys, its
@@ -227,8 +237,6 @@ class IPMIBase(BMCConfig):
"Yes",
)
return
- print("ERROR: Unable to add BMC user!", file=sys.stderr)
- sys.exit(1)
def _bmc_get_config(self, section=None):
"""Fetch and cache all BMC settings."""
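Review bot: After the new `while attempt <= max_attempts:` loop, an attempt in which `_add_bmc_user()` returns without raising but without setting `self.password` is retried, yet once the fifth such attempt completes the loop simply ends and `add_bmc_user` returns normally — the `ERROR: Unable to add BMC user!` exit only exists on the exception path, and the unconditional exit at the end of `_add_bmc_user` is removed in the last hunk. Adding `print("ERROR: Unable to add BMC user!", file=sys.stderr)` and `sys.exit(1)` after the loop restores the failure signal for that case. `print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)` writes the collected exception objects into the commissioning output; if the failures raised by `_bmc_set` carry the command line including the candidate password (not visible here), that would log the password, so check what those exceptions contain before shipping. Both `BMCConfig` and `IPMIBase` continue outside these hunks.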


@@ -0,0 +1,31 @@
diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
index 72a7c86..4559326 100644
--- a/src/maasserver/preseed.py
+++ b/src/maasserver/preseed.py
@@ -254,7 +254,26 @@ def compose_curtin_kernel_preseed(node):
if node.get_osystem() == "custom":
return []
+ # previous logic to retrieve kpackage parameter
kpackage = BootResource.objects.get_kpackage_for_node(node)
+
+ # determine if this node has kernel parameters applied by drydock
+ # and override kpackage if we discover the right properties
+ kernel_opt_tag = "%s_kp" % (node.hostname)
+ if kernel_opt_tag in node.tag_names():
+
+ # the tag exists, retrieve it
+ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts
+
+ # parse the string and find our package param value
+ # e.g. kernel_package=linux-image-4.15.0-34-generic
+ kparams = kernel_opts.split()
+ kdict = dict(
+ kparam.split("=", 1) for kparam in kparams if "=" in kparam
+ )
+ if "kernel_package" in kdict:
+ kpackage = kdict["kernel_package"]
+
if kpackage:
kernel_config = {"kernel": {"package": kpackage, "mapping": {}}}
return [yaml.safe_dump(kernel_config)]
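Review bot: `kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts` is followed by `kernel_opts.split()`, which raises `AttributeError` if the tag exists with no kernel options set; if `Tag.kernel_opts` is nullable (it appears to be optional), `kparams = (kernel_opts or "").split()` keeps preseed generation from failing on such a tag. The override also copies `kernel_package` verbatim into the curtin preseed; since tags are operator-controlled that is acceptable, but a comment such as `# kernel_package from the tag is trusted as entered by the operator; no further validation` would save the next reader from looking for one. `compose_curtin_kernel_preseed` starts before the hunk.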


@@ -0,0 +1,13 @@
diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
index 4302d8d..f0e51c8 100644
--- a/src/maasserver/api/partitions.py
+++ b/src/maasserver/api/partitions.py
@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):
device = BlockDevice.objects.get_block_device_or_404(
system_id, device_id, request.user, NodePermission.view
)
- partition_table = device.partitiontable_set.get()
+ partition_table = device.get_partitiontable()
if partition_table is None:
return []
else:


@@ -0,0 +1,10 @@
18,24c18
< http_access allow maas_proxy_manager localhost
< http_access deny maas_proxy_manager
< http_access deny !Safe_ports
< http_access deny CONNECT !SSL_ports
< http_access allow localnet
< http_access allow localhost
< http_access deny all
---
> http_access allow all
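Review bot: Replacing the seven `http_access` rules with `http_access allow all` makes the MAAS squid instance an open proxy for anything that can reach it: besides admitting non-local sources, it drops `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports` and the `http_access deny maas_proxy_manager` guard on the cache-manager interface, none of which the stated goal (`allow all requests via the proxy to allow it to work behind ingress` in the region Dockerfile) requires. Keeping the existing `http_access allow maas_proxy_manager localhost`, `http_access deny maas_proxy_manager`, `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` lines ahead of a final `http_access allow all` still serves ingress-forwarded clients while blocking CONNECT to arbitrary ports and remote access to the cache manager; a source ACL for the ingress range would be tighter still. The patch has no header text, so the Dockerfile comment that applies it should at least name the rules that are removed.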


@@ -0,0 +1,24 @@
diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
index 2cbaa9d..bb83b4b 100644
--- a/src/maasserver/models/ownerdata.py
+++ b/src/maasserver/models/ownerdata.py
@@ -17,7 +17,7 @@ from django.db.models import (
from maasserver.models.cleansave import CleanSave
-DATA_KEY_RE = re.compile(r"[\w.-]+$")
+#DATA_KEY_RE = re.compile(r"[\w.-]+$")
class OwnerDataManager(Manager):
@@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
if value is None:
to_remove.add(key)
else:
- if not DATA_KEY_RE.match(key):
- raise ValueError("Invalid character in key name")
+ # if not DATA_KEY_RE.match(key):
+ # raise ValueError("Invalid character in key name")
self.update_or_create(
node=node, key=key, defaults={"value": value}
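Review bot: Commenting out `DATA_KEY_RE` and the `if not DATA_KEY_RE.match(key)` check removes every constraint on owner-data key names — whitespace, control characters and anything else now pass — when the stated goal (`Allow tags with '/' symbols` in the region Dockerfile) only needs `/` admitted. Widening the pattern does that without dropping validation: `DATA_KEY_RE = re.compile(r"[\w./-]+$")` with the original `match` check left in place. Leaving the old lines as `#` comments also ships dead code in the patched module, and if the regex really is removed the `re` import in `ownerdata.py` (outside the hunk) likely becomes unused. `OwnerDataManager` continues outside the second hunk.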


@@ -0,0 +1,17 @@
diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
index 1203e6b..5475b18 100644
--- a/src/maasserver/preseed_network.py
+++ b/src/maasserver/preseed_network.py
@@ -307,7 +307,11 @@ class InterfaceConfiguration:
def _get_matching_routes(self, source):
"""Return all route objects matching `source`."""
- return {route for route in self.routes if route.source == source}
+ return {
+ route
+ for route in self.routes
+ if str(route.source.cidr) == str(source.cidr)
+ }
def _generate_addresses(self):
"""Generate the various addresses needed for this interface."""


@@ -0,0 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index d30156b..3a04ecb 100644
--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b"server", version)
self.setHeader(b"date", http.datetimeToString())
# Resource Identification


@@ -0,0 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..0cca0fe8d 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
{{if not upstream_allow_query_cache}}
allow-query-cache { trusted; };
{{endif}}
+allow-transfer { trusted; };


@@ -0,0 +1,93 @@
ARG FROM=quay.io/airshipit/ubuntu:jammy
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 1:3.5.4-16349-g.4dbbed5f4-0ubuntu1~22.04.1
RUN apt-get -qq update \
&& apt-get install -y \
avahi-daemon \
jq \
patch \
software-properties-common \
sudo \
systemd \
cron \
ca-certificates \
bind9-dnsutils \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.5 \
&& apt-get install -y \
maas-region-api=$MAAS_VERSION \
# tcpdump is required by /usr/lib/maas/beacon-monitor
tcpdump \
&& rm -rf /var/lib/apt/lists/*
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# MAAS workarounds
COPY 3.5_route.patch /tmp/3.5_route.patch
COPY 3.5_kernel_package.patch /tmp/3.5_kernel_package.patch
# sh8121att: allow all requests via the proxy to allow it to work
# behind ingress
COPY 3.5_proxy_acl.patch /tmp/3.5_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling
COPY 3.5_configure_ipmi_user.patch /tmp/3.5_configure_ipmi_user.patch
COPY 3.5_secure_headers.patch /tmp/3.5_secure_headers.patch
COPY 3.5_partitiontable_does_not_exist.patch /tmp/3.5_partitiontable_does_not_exist.patch
# Allow tags with '/' symbols
COPY 3.5_regex_tags.patch /tmp/3.5_regex_tags.patch
# Patch to restrict access to zone transfers
COPY 3.5_transfer_trusted_only.patch /tmp/3.5_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.5_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.5_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.5_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.5_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.5_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.5_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.5_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.5_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# fix chronyd.pid permission
COPY override.chrony.conf /etc/systemd/system/chrony.service.d/override.conf
# initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
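Review bot: `# Allow tags with '/' symbols` above `COPY 3.5_regex_tags.patch` does not describe the patch, which edits `maasserver/models/ownerdata.py` and disables the key-name check for node owner data rather than anything about tags; `# Relax the owner-data key-name validation so keys may contain '/' (3.5_regex_tags.patch, maasserver/models/ownerdata.py)` matches what `RUN ... patch ownerdata.py` actually applies. Likewise the `# sh8121att: allow all requests via the proxy ...` comment should say that the patch replaces squid's deny rules (safe ports, CONNECT, cache manager) with `allow all`, so the trade-off is visible from the Dockerfile alone. `COPY 3.5_secure_headers.patch` and `COPY 3.5_partitiontable_does_not_exist.patch` are the only patches without a comment; one line each, as the others have, keeps the list uniform. The sudoers and legacy `ENV` remarks made on the rack Dockerfile apply to the same lines here.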


@@ -0,0 +1 @@
[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller


@@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target


@@ -0,0 +1,3 @@
[Service]
ExecStartPre=-mkdir -p /var/log/chrony
ExecStartPre=-chown root /var/run/chrony


@@ -0,0 +1,49 @@
ARG FROM=quay.io/airshipit/ubuntu:jammy
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/
ARG SSTREAM_RELEASE=jammy
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -qq update && \
apt-get install -y --no-install-recommends \
apache2 \
file \
gpgv \
python3-certifi \
simplestreams \
ubuntu-cloudimage-keyring
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'os~(grub*|pxelinux)' --max=1 --progress
RUN sh -c 'echo "" > /etc/apache2/ports.conf'
ENV APACHE_RUN_USER=www-data
ENV APACHE_RUN_GROUP=www-data
ENV APACHE_PID_FILE=/var/run/apache2.pid
ENV APACHE_RUN_DIR=/var/run/
ENV APACHE_LOCK_DIR=/var/lock
ENV APACHE_LOG_DIR=/var/log/
ENV LANG=C
ENTRYPOINT ["/usr/sbin/apache2"]
CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"]
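Review bot: This Dockerfile and the bionic one that follows differ only in the `FROM` default and `SSTREAM_RELEASE`, and both already expose those as build args (`ARG FROM=...`, `ARG SSTREAM_RELEASE=jammy`), so a single Dockerfile built twice with `--build-arg` would avoid the two copies drifting — the bionic copy is being realigned to this one in the same change, which is what such drift looks like. If they stay separate, a first-line comment such as `# Keep in sync with the bionic sstream Dockerfile: only FROM and SSTREAM_RELEASE differ` records the relationship for the next upgrade.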


@@ -1,4 +1,4 @@
ARG FROM=ubuntu:18.04 ARG FROM=public.ecr.aws/docker/library/ubuntu:bionic
FROM ${FROM} FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
@@ -18,15 +18,16 @@ ARG no_proxy
ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/ ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/
ARG SSTREAM_RELEASE=bionic ARG SSTREAM_RELEASE=bionic
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -qq update && \ RUN apt-get -qq update && \
apt install -y simplestreams \ apt-get install -y --no-install-recommends \
apache2 \ apache2 \
gpgv \ file \
ubuntu-cloudimage-keyring \ gpgv \
python-certifi --no-install-recommends \ python3-certifi \
file simplestreams \
ubuntu-cloudimage-keyring
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \ RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress /var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress
@@ -36,13 +37,13 @@ RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg $
RUN sh -c 'echo "" > /etc/apache2/ports.conf' RUN sh -c 'echo "" > /etc/apache2/ports.conf'
ENV APACHE_RUN_USER www-data ENV APACHE_RUN_USER=www-data
ENV APACHE_RUN_GROUP www-data ENV APACHE_RUN_GROUP=www-data
ENV APACHE_PID_FILE /var/run/apache2.pid ENV APACHE_PID_FILE=/var/run/apache2.pid
ENV APACHE_RUN_DIR /var/run/ ENV APACHE_RUN_DIR=/var/run/
ENV APACHE_LOCK_DIR /var/lock ENV APACHE_LOCK_DIR=/var/lock
ENV APACHE_LOG_DIR /var/log/ ENV APACHE_LOG_DIR=/var/log/
ENV LANG C ENV LANG=C
ENTRYPOINT ["/usr/sbin/apache2"] ENTRYPOINT ["/usr/sbin/apache2"]
CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"] CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"]


@@ -13,6 +13,12 @@
# limitations under the License. # limitations under the License.
- hosts: primary - hosts: primary
roles:
- bindep
- ensure-docker
- ensure-python
- ensure-pip
tasks: tasks:
- include_vars: vars.yaml - include_vars: vars.yaml
@@ -40,9 +46,19 @@
debug: debug:
var: image_tags var: image_tags
- name: docker install - name: Install Docker python module for ansible docker login
include_role: block:
name: ensure-docker - pip:
name: docker
executable: pip3
become: True
- name: Install tox python module for ansible docker login
block:
- pip:
name: tox
executable: pip3
become: True
- name: Make images - name: Make images
when: not publish when: not publish
@@ -65,9 +81,10 @@
- name: Publish images - name: Publish images
block: block:
- docker_login: - docker_login:
username: "{{ airship_maas_quay_creds.username }}" username: "{{ airship_armada_quay_creds.username }}"
password: "{{ airship_maas_quay_creds.password }}" password: "{{ airship_armada_quay_creds.password }}"
registry_url: "https://quay.io/api/v1/" registry_url: "https://quay.io/api/v1/"
api_version: "1.43"
- make: - make:
chdir: "{{ zuul.project.src_dir }}" chdir: "{{ zuul.project.src_dir }}"