From 6915e6225fd1dd121bccb3142a257a67536ed947 Mon Sep 17 00:00:00 2001 From: sunil mehra Date: Wed, 3 Sep 2025 14:24:53 +0530 Subject: [PATCH] feature: Add Zaqar Chart This change adds zaqar chart to OpenStack-Helm. Change-Id: Id2be3df9f389da9cbeb8ba5f0fce943f9f69f2b2 Co-Authored-By: Vladimir Kozhukalov Signed-off-by: sunil mehra 
Signed-off-by: Vladimir Kozhukalov --- doc/source/chart/openstack_charts.rst | 1 + doc/source/install/openstack.rst | 19 +- releasenotes/config.yaml | 1 + .../notes/zaqar-e43f9b2ace992d92.yaml | 15 + tools/deployment/component/redis/redis.sh | 30 + tools/deployment/component/zaqar/zaqar.sh | 33 + .../component/zaqar/zaqar_smoke_test.sh | 29 + .../zaqar/2025.1-ubuntu_jammy.yaml | 12 + .../zaqar/2025.1-ubuntu_noble.yaml | 12 + zaqar/Chart.yaml | 36 + zaqar/templates/bin/_bootstrap.sh.tpl | 18 + zaqar/templates/bin/_db-sync.sh.tpl | 22 + zaqar/templates/bin/_zaqar-test.sh.tpl | 47 ++ zaqar/templates/bin/_zaqar_api.sh.tpl | 29 + zaqar/templates/configmap-bin.yaml | 44 ++ zaqar/templates/configmap-etc.yaml | 56 ++ zaqar/templates/deployment-api.yaml | 151 ++++ zaqar/templates/ingress-api.yaml | 26 + zaqar/templates/job-bootstrap.yaml | 21 + zaqar/templates/job-db-drop.yaml | 24 + zaqar/templates/job-db-init.yaml | 33 + zaqar/templates/job-db-sync.yaml | 32 + zaqar/templates/job-image-repo-sync.yaml | 25 + zaqar/templates/job-ks-endpoints.yaml | 32 + zaqar/templates/job-ks-service.yaml | 32 + zaqar/templates/job-ks-user.yaml | 32 + zaqar/templates/network_policy.yaml | 16 + zaqar/templates/pdb-api.yaml | 33 + zaqar/templates/pod-rally-test.yaml | 106 +++ zaqar/templates/pod-test.yaml | 74 ++ zaqar/templates/secret-db.yaml | 35 + zaqar/templates/secret-ingress-tls.yaml | 17 + zaqar/templates/secret-keystone.yaml | 30 + zaqar/templates/secret-ks-etc.yaml | 27 + zaqar/templates/secret-registry.yaml | 17 + zaqar/templates/service-api.yaml | 37 + zaqar/templates/service-ingress-api.yaml | 18 + zaqar/values.yaml | 671 ++++++++++++++++++ zuul.d/2025.1.yaml | 11 + zuul.d/base.yaml | 21 + zuul.d/project.yaml | 1 + 41 files changed, 1924 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/zaqar-e43f9b2ace992d92.yaml create mode 100755 tools/deployment/component/redis/redis.sh create mode 100755 tools/deployment/component/zaqar/zaqar.sh create mode 100755 
tools/deployment/component/zaqar/zaqar_smoke_test.sh create mode 100644 values_overrides/zaqar/2025.1-ubuntu_jammy.yaml create mode 100644 values_overrides/zaqar/2025.1-ubuntu_noble.yaml create mode 100644 zaqar/Chart.yaml create mode 100644 zaqar/templates/bin/_bootstrap.sh.tpl create mode 100644 zaqar/templates/bin/_db-sync.sh.tpl create mode 100644 zaqar/templates/bin/_zaqar-test.sh.tpl create mode 100644 zaqar/templates/bin/_zaqar_api.sh.tpl create mode 100644 zaqar/templates/configmap-bin.yaml create mode 100644 zaqar/templates/configmap-etc.yaml create mode 100644 zaqar/templates/deployment-api.yaml create mode 100644 zaqar/templates/ingress-api.yaml create mode 100644 zaqar/templates/job-bootstrap.yaml create mode 100644 zaqar/templates/job-db-drop.yaml create mode 100644 zaqar/templates/job-db-init.yaml create mode 100644 zaqar/templates/job-db-sync.yaml create mode 100644 zaqar/templates/job-image-repo-sync.yaml create mode 100644 zaqar/templates/job-ks-endpoints.yaml create mode 100644 zaqar/templates/job-ks-service.yaml create mode 100644 zaqar/templates/job-ks-user.yaml create mode 100644 zaqar/templates/network_policy.yaml create mode 100644 zaqar/templates/pdb-api.yaml create mode 100644 zaqar/templates/pod-rally-test.yaml create mode 100644 zaqar/templates/pod-test.yaml create mode 100644 zaqar/templates/secret-db.yaml create mode 100644 zaqar/templates/secret-ingress-tls.yaml create mode 100644 zaqar/templates/secret-keystone.yaml create mode 100644 zaqar/templates/secret-ks-etc.yaml create mode 100644 zaqar/templates/secret-registry.yaml create mode 100644 zaqar/templates/service-api.yaml create mode 100644 zaqar/templates/service-ingress-api.yaml create mode 100644 zaqar/values.yaml diff --git a/doc/source/chart/openstack_charts.rst b/doc/source/chart/openstack_charts.rst index 35c4d12d11..80d6fe5a5a 100644 --- a/doc/source/chart/openstack_charts.rst +++ b/doc/source/chart/openstack_charts.rst 
@@ -33,3 +33,4 @@ OpenStack charts options tacker tempest watcher + zaqar diff --git a/doc/source/install/openstack.rst b/doc/source/install/openstack.rst index da50a3bdc1..068ec5c486 100644 --- a/doc/source/install/openstack.rst +++ b/doc/source/install/openstack.rst @@ -472,8 +472,8 @@ To deploy the Blazar service run the following: .. code-block:: bash helm upgrade --install blazar openstack-helm/blazar \ - --namespace=openstack - $(helm osh get-values-overrides -p ${OVERRIDES_DIR} -c blazar ${FEATURES}) + --namespace=openstack \ + $(helm osh get-values-overrides -p ${OVERRIDES_DIR} -c blazar ${FEATURES}) helm osh wait-for-pods openstack @@ -495,4 +495,19 @@ To deploy the OpenStack Freezer, use the following: --namespace=openstack \ $(helm osh get-values-overrides -p ${OVERRIDES_DIR} -c freezer ${FEATURES}) +Zaqar +~~~~~ + +Zaqar is the messaging service for OpenStack. It provides a multi-tenant, RESTful and +WebSocket-based message queue service that allows applications and services to communicate +asynchronously. + +To deploy the Zaqar service use the following: + +.. code-block:: bash + + helm upgrade --install zaqar openstack-helm/zaqar \ + --namespace=openstack \ + $(helm osh get-values-overrides -p ${OVERRIDES_DIR} -c zaqar ${FEATURES}) + helm osh wait-for-pods openstack diff --git a/releasenotes/config.yaml b/releasenotes/config.yaml index d7cc3f1efe..fe8c805f78 100644 --- a/releasenotes/config.yaml +++ b/releasenotes/config.yaml @@ -87,6 +87,7 @@ sections: - [api, API Changes] - [security, Security Issues] - [fixes, Bug Fixes] + - [zaqar, zaqar Chart] template: | --- # To create a new release note related to a specific chart: diff --git a/releasenotes/notes/zaqar-e43f9b2ace992d92.yaml b/releasenotes/notes/zaqar-e43f9b2ace992d92.yaml new file mode 100644 index 0000000000..78c568e53d --- /dev/null +++ b/releasenotes/notes/zaqar-e43f9b2ace992d92.yaml 
@@ -0,0 +1,15 @@
+---
+zaqar:
+ - |
+ Added initial support for OpenStack Zaqar messaging service deployment
+ in Kubernetes environments through Helm charts. This enables users to
+ deploy and manage Zaqar services alongside other OpenStack components.
+
+features:
+ - |
+ Introduced Zaqar Helm chart with support for:
+ - Zaqar API service deployment and configuration
+ - Support for HTTP-based RESTful API and WebSocket messaging
+ - Integration with existing OpenStack identity services (Keystone)
+ - Support for custom Zaqar configuration through values.yaml
+...
diff --git a/tools/deployment/component/redis/redis.sh b/tools/deployment/component/redis/redis.sh
new file mode 100755
index 0000000000..0dcf8f98e2
--- /dev/null
+++ b/tools/deployment/component/redis/redis.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+# NOTE: Define variables
+: ${OSH_HELM_REPO:="../openstack-helm"}
+: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
+: ${OSH_EXTRA_HELM_ARGS_ZAQAR:="$(helm osh get-values-overrides ${DOWNLOAD_OVERRIDES:-} -p ${OSH_VALUES_OVERRIDES_PATH} -c redis ${FEATURES})"}
+
+helm upgrade --install redis ${OSH_HELM_REPO}/redis \
+ --namespace openstack \
+ --create-namespace \
+ --timeout 600s \
+ ${OSH_EXTRA_HELM_ARGS:=} \
+ ${OSH_EXTRA_HELM_ARGS_ZAQAR}
+
+# NOTE: Wait for pods to be ready
+helm osh wait-for-pods openstack
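Review bot: tools/deployment/component/redis/redis.sh stores the redis chart's overrides in `OSH_EXTRA_HELM_ARGS_ZAQAR`, the same variable name that tools/deployment/component/zaqar/zaqar.sh in this patch uses for the zaqar chart. Both scripts assign it with `: ${VAR:=...}`, so a value already present in the environment wins, and an exported zaqar override set would be handed to `helm upgrade --install redis` unchanged. Renaming it to `OSH_EXTRA_HELM_ARGS_REDIS` in the assignment and in the helm call keeps the values of the two deployments separate.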
diff --git a/tools/deployment/component/zaqar/zaqar.sh b/tools/deployment/component/zaqar/zaqar.sh
new file mode 100755
index 0000000000..4066cae9d4
--- /dev/null
+++ b/tools/deployment/component/zaqar/zaqar.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+# NOTE: Define variables
+: ${OSH_HELM_REPO:="../openstack-helm"}
+: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
+: ${OSH_EXTRA_HELM_ARGS_ZAQAR:="$(helm osh get-values-overrides ${DOWNLOAD_OVERRIDES:-} -p ${OSH_VALUES_OVERRIDES_PATH} -c zaqar ${FEATURES})"}
+
+# NOTE: Deploy Zaqar
+echo "Deploying OpenStack Zaqar"
+
+helm upgrade --install zaqar ${OSH_HELM_REPO}/zaqar \
+ --namespace openstack \
+ --create-namespace \
+ --timeout 600s \
+ ${OSH_EXTRA_HELM_ARGS:=} \
+ ${OSH_EXTRA_HELM_ARGS_ZAQAR}
+
+# NOTE: Wait for pods to be ready
+helm osh wait-for-pods openstack
+
+echo "OpenStack Zaqar deployment complete."
diff --git a/tools/deployment/component/zaqar/zaqar_smoke_test.sh b/tools/deployment/component/zaqar/zaqar_smoke_test.sh
new file mode 100755
index 0000000000..7eecb7fa2f
--- /dev/null
+++ b/tools/deployment/component/zaqar/zaqar_smoke_test.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -ex
+
+export OS_CLOUD=openstack_helm
+
+OS_PROJECT_ID=$(openstack project show admin -c id -f value)
+QUEUE_NAME="test"
+CLIENT_ID=$(uuidgen)
+
+openstack --os-project-id $OS_PROJECT_ID messaging queue list
+
+openstack --os-project-id $OS_PROJECT_ID messaging queue create $QUEUE_NAME
+
+openstack --os-project-id $OS_PROJECT_ID messaging message post $QUEUE_NAME '{"body": "hello world 1"}' --client-id $CLIENT_ID
+openstack --os-project-id $OS_PROJECT_ID messaging message post $QUEUE_NAME '{"body": "hello world 2"}' --client-id $CLIENT_ID
+
+openstack --os-project-id $OS_PROJECT_ID messaging message list $QUEUE_NAME --client-id $CLIENT_ID --echo
diff --git a/values_overrides/zaqar/2025.1-ubuntu_jammy.yaml b/values_overrides/zaqar/2025.1-ubuntu_jammy.yaml
new file mode 100644
index 0000000000..3a357b7cd3
--- /dev/null
+++ b/values_overrides/zaqar/2025.1-ubuntu_jammy.yaml
@@ -0,0 +1,12 @@
+---
+images:
+ tags:
+ bootstrap: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+ db_init: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+ db_drop: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+ ks_user: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+ ks_service: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+ ks_endpoints: quay.io/airshipit/heat:2025.1-ubuntu_jammy
+ zaqar_api: quay.io/airshipit/zaqar:2025.1-ubuntu_jammy
+ zaqar_db_sync: quay.io/airshipit/zaqar:2025.1-ubuntu_jammy
+...
diff --git a/values_overrides/zaqar/2025.1-ubuntu_noble.yaml b/values_overrides/zaqar/2025.1-ubuntu_noble.yaml
new file mode 100644
index 0000000000..ff846d7c2c
--- /dev/null
+++ b/values_overrides/zaqar/2025.1-ubuntu_noble.yaml
@@ -0,0 +1,12 @@
+---
+images:
+ tags:
+ bootstrap: quay.io/airshipit/heat:2025.1-ubuntu_noble
+ db_init: quay.io/airshipit/heat:2025.1-ubuntu_noble
+ db_drop: quay.io/airshipit/heat:2025.1-ubuntu_noble
+ ks_user: quay.io/airshipit/heat:2025.1-ubuntu_noble
+ ks_service: quay.io/airshipit/heat:2025.1-ubuntu_noble
+ ks_endpoints: quay.io/airshipit/heat:2025.1-ubuntu_noble
+ zaqar_api: quay.io/airshipit/zaqar:2025.1-ubuntu_noble
+ zaqar_db_sync: quay.io/airshipit/zaqar:2025.1-ubuntu_noble
+...
diff --git a/zaqar/Chart.yaml b/zaqar/Chart.yaml
new file mode 100644
index 0000000000..17d0c8d8cc
--- /dev/null
+++ b/zaqar/Chart.yaml
@@ -0,0 +1,36 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v2
+appVersion: v1.0.0
+description: OpenStack Messaging Service (Zaqar)
+name: zaqar
+type: application
+version: 2025.1.0
+home: https://docs.openstack.org/zaqar/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Zaqar/OpenStack_Project_Zaqar_vertical.png
+sources:
+ - https://opendev.org/openstack/zaqar
+keywords:
+ - openstack
+ - messaging
+ - queue
+ - helm
+maintainers:
+ - name: OpenStack-Helm Team
+ email: openstack-helm@lists.openstack.org
+dependencies:
+ - name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: ">= 0.1.0"
+...
diff --git a/zaqar/templates/bin/_bootstrap.sh.tpl b/zaqar/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000000..6452d0a073
--- /dev/null
+++ b/zaqar/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/zaqar/templates/bin/_db-sync.sh.tpl b/zaqar/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000000..23782ed363
--- /dev/null
+++ b/zaqar/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+set -ex
+
+zaqar-sql-db-manage \
+ --config-file /etc/zaqar/zaqar.conf \
+ upgrade head
diff --git a/zaqar/templates/bin/_zaqar-test.sh.tpl b/zaqar/templates/bin/_zaqar-test.sh.tpl
new file mode 100644
index 0000000000..846f4b5478
--- /dev/null
+++ b/zaqar/templates/bin/_zaqar-test.sh.tpl
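Review bot: zaqar/templates/bin/_bootstrap.sh.tpl has no comment saying that `.Values.bootstrap.script` is rendered verbatim and run under `set -ex`, so every command in the operator-supplied script is traced into the job log with its expanded arguments. If a bootstrap script ever passes a password or token on a command line, it will be readable by anyone with access to the pod logs. A template comment above the last line would make that contract visible, for example `{{/* bootstrap.script is executed as-is with xtrace on; keep secrets out of command arguments */}}`. Values that can set `bootstrap.script` should be treated as able to run code in the bootstrap job.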
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+echo "Test: list queues"
+openstack queue list
+
+QUEUE_NAME="test-queue-$(uuidgen | cut -d'-' -f1)"
+
+echo "Test: create queue"
+openstack queue create ${QUEUE_NAME}
+
+echo "Test: post messages"
+openstack message post ${QUEUE_NAME} --message '{"body":"Hello World 1"}'
+openstack message post ${QUEUE_NAME} --message '{"body":"Hello World 2"}'
+
+echo "Test: list messages"
+openstack message list ${QUEUE_NAME}
+
+echo "Test: get a single message"
+MESSAGE_ID=$(openstack message list ${QUEUE_NAME} -f value -c id | head -1)
+openstack message get ${QUEUE_NAME} ${MESSAGE_ID}
+
+echo "Test: claim messages"
+CLAIM_ID=$(openstack claim create ${QUEUE_NAME} --ttl 30 --grace 30 -f value -c id)
+openstack claim get ${QUEUE_NAME} ${CLAIM_ID}
+
+echo "Test: delete messages"
+openstack message delete ${QUEUE_NAME} ${MESSAGE_ID}
+
+echo "Test: delete queue"
+openstack queue delete ${QUEUE_NAME}
+
+exit 0
diff --git a/zaqar/templates/bin/_zaqar_api.sh.tpl b/zaqar/templates/bin/_zaqar_api.sh.tpl
new file mode 100644
index 0000000000..c56dbd052d
--- /dev/null
+++ b/zaqar/templates/bin/_zaqar_api.sh.tpl
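Review bot: zaqar/templates/bin/_zaqar-test.sh.tpl calls `openstack queue ...`, `openstack message ...` and `openstack claim ...`, while tools/deployment/component/zaqar/zaqar_smoke_test.sh in this same patch uses the `openstack messaging queue ...` and `openstack messaging message ...` forms with `--client-id`. The two scripts cannot both match the client shipped in the test image unless it accepts both spellings, so confirm which command set is available and use it in both places. Separately, `set -ex` stops at the first failing command, so any failure after `queue create` leaves the `test-queue-*` queue and its messages behind; registering the queue deletion in a `trap ... EXIT` right after creation would cover that path.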
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec zaqar-server \
+ --config-file /etc/zaqar/zaqar.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/zaqar/templates/configmap-bin.yaml b/zaqar/templates/configmap-bin.yaml
new file mode 100644
index 0000000000..cf2f83d986
--- /dev/null
+++ b/zaqar/templates/configmap-bin.yaml
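Review bot: The last line of zaqar/templates/bin/_zaqar_api.sh.tpl runs `$COMMAND` unquoted, so whatever arguments the container is started with are word-split and executed, not only the `start` and `stop` functions defined above it. The Deployment in this patch passes only `start` and `stop`, so the script can enforce that set explicitly: `COMMAND="${1:-start}"` followed by `case "$COMMAND" in start|stop) "$COMMAND" ;; *) echo "unknown command: $COMMAND" >&2; exit 1 ;; esac`. That also removes the dependence on word splitting of `"${@:-start}"`.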
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zaqar-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ zaqar-api.sh: |
+{{ tuple "bin/_zaqar_api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+{{- end }}
diff --git a/zaqar/templates/configmap-etc.yaml b/zaqar/templates/configmap-etc.yaml
new file mode 100644
index 0000000000..751de80476
--- /dev/null
+++ b/zaqar/templates/configmap-etc.yaml
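Review bot: The `data:` map in zaqar/templates/configmap-bin.yaml has no `bootstrap.sh` or `zaqar-test.sh` key, although this patch adds `bin/_bootstrap.sh.tpl` and `bin/_zaqar-test.sh.tpl` together with job-bootstrap.yaml and pod-test.yaml. If the bootstrap job and the test pod mount those scripts from `zaqar-bin` (their rendered specs are not visible here, so confirm), enabling either will fail because the key is missing, and the two templates are otherwise dead files. Entries in the same form as `db-sync.sh` would wire them in, e.g. `bootstrap.sh: |` followed by `{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}`, guarded by `.Values.bootstrap.enabled`.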
@@ -0,0 +1,56 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_etc }} +{{- $envAll := . }} + +{{- if empty .Values.conf.zaqar.keystone_authtoken.identity_uri -}} +{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.zaqar.keystone_authtoken "identity_uri" -}} +{{- end -}} +{{- if empty .Values.conf.zaqar.keystone_authtoken.memcached_servers -}} +{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.zaqar.keystone_authtoken "memcached_servers" -}} +{{- end -}} +{{- if empty .Values.conf.zaqar.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.zaqar.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} + +{{- if empty (index .Values.conf.zaqar "drivers:management_store:sqlalchemy").uri -}} +{{- $_ := tuple "oslo_db" "internal" "zaqar" "mysql" . 
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set (index .Values.conf.zaqar "drivers:management_store:sqlalchemy") "uri" -}} +{{- end -}} + +{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}} +{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }} +{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }} +{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}} +{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}} +{{- end -}} + +{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}} +{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}} +{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}} +{{- end -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: zaqar-etc +type: Opaque +data: + rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }} + zaqar.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.zaqar | b64enc }} + logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }} + api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.api_paste | b64enc }} + policy.yaml: {{ toYaml .Values.conf.policy | b64enc }} +{{- end }} diff --git a/zaqar/templates/deployment-api.yaml b/zaqar/templates/deployment-api.yaml new file mode 100644 index 0000000000..dc012ff1a8 --- /dev/null +++ b/zaqar/templates/deployment-api.yaml 
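Review bot: In zaqar/templates/configmap-etc.yaml, when neither `conf.zaqar.keystone_authtoken.memcache_secret_key` nor `endpoints.oslo_cache.auth.memcache_secret_key` is set, the template falls back to `randAlphaNum 64`, which yields a different value on every render. Each `helm upgrade` therefore rewrites the `zaqar-etc` Secret, and because deployment-api.yaml annotates the pod with `configmap-etc-hash`, it presumably restarts the API pods even when nothing else changed. A template comment next to that block would document it, for example `{{/* randAlphaNum changes on every render; set endpoints.oslo_cache.auth.memcache_secret_key to keep the key stable across upgrades */}}`. It is also worth confirming in values.yaml (not visible in this part of the patch) that a memcache security strategy is configured, since the key is otherwise unused.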
@@ -0,0 +1,151 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "zaqarApiLivenessProbeTemplate" }} +tcpSocket: + port: {{ tuple "messaging" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} + +{{- define "zaqarApiReadinessProbeTemplate" }} +tcpSocket: + port: {{ tuple "messaging" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} + +{{- if .Values.manifests.deployment_api }} +{{- $envAll := . }} + +{{- $mounts_zaqar_api := .Values.pod.mounts.zaqar_api.zaqar_api }} +{{- $mounts_zaqar_api_init := .Values.pod.mounts.zaqar_api.init_container }} + +{{- $serviceAccountName := "zaqar-api" }} +{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: zaqar-api + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.api }} + selector: + matchLabels: +{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + 
annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ tuple "zaqar_api" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }} +{{ dict "envAll" $envAll "podName" "zaqar-api" "containerNames" (list "zaqar-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} + spec: +{{ tuple "zaqar_api" . | include "helm-toolkit.snippets.kubernetes_pod_priority_class" | indent 6 }} +{{ tuple "zaqar_api" . | include "helm-toolkit.snippets.kubernetes_pod_runtime_class" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} +{{ dict "envAll" $envAll "application" "zaqar" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: +{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }} +{{ if $envAll.Values.pod.tolerations.zaqar.enabled }} +{{ tuple $envAll "zaqar" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }} + initContainers: +{{ tuple $envAll "api" $mounts_zaqar_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: zaqar-api +{{ tuple $envAll "zaqar_api" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "zaqar" "container" "zaqar_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} 
+{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/zaqar/certs/ca.crt" +{{- end }} + command: + - /tmp/zaqar-api.sh + - start + lifecycle: + preStop: + exec: + command: + - /tmp/zaqar-api.sh + - stop + ports: + - name: z-api + containerPort: {{ tuple "messaging" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{ dict "envAll" $envAll "component" "api" "container" "default" "type" "liveness" "probeTemplate" (include "zaqarApiLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} +{{ dict "envAll" $envAll "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "zaqarApiReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-etc-zaqar + mountPath: /etc/zaqar + - name: zaqar-bin + mountPath: /tmp/zaqar-api.sh + subPath: zaqar-api.sh + readOnly: true + - name: zaqar-etc + mountPath: /etc/zaqar/zaqar.conf + subPath: zaqar.conf + readOnly: true + - name: zaqar-etc-snippets + mountPath: /etc/zaqar/zaqar.conf.d/ + readOnly: true + {{- if .Values.conf.zaqar.DEFAULT.log_config_append }} + - name: zaqar-etc + mountPath: {{ .Values.conf.zaqar.DEFAULT.log_config_append }} + subPath: {{ base .Values.conf.zaqar.DEFAULT.log_config_append }} + readOnly: true + {{- end }} + - name: zaqar-etc + mountPath: /etc/zaqar/api-paste.ini + subPath: api-paste.ini + readOnly: true + - name: zaqar-etc + mountPath: /etc/zaqar/policy.yaml + subPath: policy.yaml + readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" 
.Values.secrets.tls.messaging.api.internal "path" "/etc/zaqar/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{ if $mounts_zaqar_api.volumeMounts }}{{ toYaml $mounts_zaqar_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: pod-etc-zaqar + emptyDir: {} + - name: zaqar-bin + configMap: + name: zaqar-bin + defaultMode: 0555 + - name: zaqar-etc + secret: + secretName: zaqar-etc + defaultMode: 0444 + - name: zaqar-etc-snippets + projected: + sources: + - secret: + name: zaqar-ks-etc +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.messaging.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{ if $mounts_zaqar_api.volumes }}{{ toYaml $mounts_zaqar_api.volumes | indent 8 }}{{ end }} +{{- end }} diff --git a/zaqar/templates/ingress-api.yaml b/zaqar/templates/ingress-api.yaml new file mode 100644 index 0000000000..5fb593da8d --- /dev/null +++ b/zaqar/templates/ingress-api.yaml 
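Review bot: In zaqar/templates/deployment-api.yaml the `zaqar-etc` Secret volume is declared with `defaultMode: 0444`, so zaqar.conf, which configmap-etc.yaml fills with the authenticated database URI and `memcache_secret_key`, is readable by every user inside the container. If the pod security context from values.yaml (not visible in this part of the patch) sets a dedicated user and an fsGroup, `defaultMode: 0440` would limit reads to that group; confirm the zaqar process can still read the file before changing it. The `zaqar-etc-snippets` projected volume sets no mode of its own, so state explicitly which mode the `zaqar-ks-etc` secret should be mounted with.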
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "api" "backendServiceType" "messaging" "backendPort" "z-api" -}}
+{{- $secretName := index $envAll.Values.secrets.tls.messaging.api ($envAll.Values.network.api.ingress.classes.namespace | replace "-" "_") -}}
+{{- if $envAll.Values.tls.identity -}}
+{{- $_ := set $ingressOpts "certIssuer" $envAll.Values.endpoints.identity.auth.zaqar.tls.ca -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.secrets.tls.messaging.api $envAll.Values.network.api.ingress.classes.namespace -}}
+{{- $_ := set $ingressOpts "tlsSecret" $secretName -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/zaqar/templates/job-bootstrap.yaml b/zaqar/templates/job-bootstrap.yaml
new file mode 100644
index 0000000000..635659ac2c
--- /dev/null
+++ b/zaqar/templates/job-bootstrap.yaml
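Review bot: In zaqar/templates/ingress-api.yaml, `$secretName` is looked up with the ingress class name passed through `replace "-" "_"`, but the `hasKey` guard further down tests the unmodified `$envAll.Values.network.api.ingress.classes.namespace`. For a class name that contains a hyphen the guard checks a different key than the lookup, so `tlsSecret` is not set even when the underscore key exists under `secrets.tls.messaging.api`, and the ingress would presumably be rendered without that TLS secret. Computing the key once, e.g. `{{- $tlsKey := $envAll.Values.network.api.ingress.classes.namespace | replace "-" "_" -}}`, and using `$tlsKey` in both the `index` and the `hasKey` call keeps them consistent.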
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "zaqar" "keystoneUser" .Values.bootstrap.ks_user -}}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/zaqar/templates/job-db-drop.yaml b/zaqar/templates/job-db-drop.yaml
new file mode 100644
index 0000000000..c351b86b63
--- /dev/null
+++ b/zaqar/templates/job-db-drop.yaml
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "zaqar" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/zaqar/templates/job-db-init.yaml b/zaqar/templates/job-db-init.yaml
new file mode 100644
index 0000000000..6d261ec7da
--- /dev/null
+++ b/zaqar/templates/job-db-init.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" "/etc/zaqar/zaqar.conf" "logConfigFile" "/etc/zaqar/logging.conf" "configDbSection" "drivers:management_store:sqlalchemy" "configDbKey" "uri" -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" "zaqar" "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/zaqar/templates/job-db-sync.yaml b/zaqar/templates/job-db-sync.yaml
new file mode 100644
index 0000000000..90d67199a4
--- /dev/null
+++ b/zaqar/templates/job-db-sync.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "zaqar" "podVolMounts" .Values.pod.mounts.zaqar_db_sync.zaqar_db_sync.valumeMounts "podVols" .Values.pod.mounts.zaqar_db_sync.zaqar_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/zaqar/templates/job-image-repo-sync.yaml b/zaqar/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000000..42e6dd3845
--- /dev/null
+++ b/zaqar/templates/job-image-repo-sync.yaml
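Review bot: In zaqar/templates/job-db-sync.yaml `podVolMounts` reads `.Values.pod.mounts.zaqar_db_sync.zaqar_db_sync.valumeMounts`, which looks like a typo for `volumeMounts`. As written the lookup yields nothing, so operator-supplied mounts for the db-sync job (for example a CA bundle or certificate mount) are silently dropped while the matching `podVols` are still passed. The initial `dict` also sets `"jobAnnotations"` unconditionally, which makes the later `if .Values.helm3_hook` block a no-op and applies the hook annotations even when `helm3_hook` is false, unlike job-db-init.yaml, which only sets them inside that guard. Suggested: change the key to `.volumeMounts` and drop the `"jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml)` pair from the `dict` call.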
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "zaqar" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/zaqar/templates/job-ks-endpoints.yaml b/zaqar/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000000..487f9c7df0
--- /dev/null
+++ b/zaqar/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksEndpointsJob := dict "envAll" . "serviceName" "zaqar" "serviceTypes" ( tuple "messaging" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.messaging.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $ksEndpointsJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksEndpointsJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/zaqar/templates/job-ks-service.yaml b/zaqar/templates/job-ks-service.yaml
new file mode 100644
index 0000000000..4b338c35a3
--- /dev/null
+++ b/zaqar/templates/job-ks-service.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "zaqar" "serviceTypes" ( tuple "messaging" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.messaging.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/zaqar/templates/job-ks-user.yaml b/zaqar/templates/job-ks-user.yaml
new file mode 100644
index 0000000000..40360b48f7
--- /dev/null
+++ b/zaqar/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "zaqar" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.messaging.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.zaqar.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/zaqar/templates/network_policy.yaml b/zaqar/templates/network_policy.yaml
new file mode 100644
index 0000000000..586268e7e4
--- /dev/null
+++ b/zaqar/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "zaqar" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/zaqar/templates/pdb-api.yaml b/zaqar/templates/pdb-api.yaml
new file mode 100644
index 0000000000..d6c4b527ab
--- /dev/null
+++ b/zaqar/templates/pdb-api.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: zaqar-api
+ labels:
+{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+{{- if .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+{{- else }}
+ maxUnavailable: {{ .Values.pod.lifecycle.disruption_budget.api.max_unavailable | default 1 }}
+{{- end }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/zaqar/templates/pod-rally-test.yaml b/zaqar/templates/pod-rally-test.yaml
new file mode 100644
index 0000000000..9de385339c
--- /dev/null
+++ b/zaqar/templates/pod-rally-test.yaml
@@ -0,0 +1,106 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.pod_test }} +{{- $envAll := . }} +{{- $dependencies := .Values.dependencies.static.tests }} + +{{- $mounts_zaqar_tests := .Values.pod.mounts.zaqar_tests.zaqar_tests }} +{{- $mounts_zaqar_tests_init := .Values.pod.mounts.zaqar_tests.init_container }} + +{{- $serviceAccountName := print .Release.Name "-test" }} +{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-test" + labels: +{{ tuple $envAll "zaqar" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + "helm.sh/hook": test-success + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{ dict "envAll" $envAll "podName" "zaqar-test" "containerNames" (list "init" "zaqar-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }} +spec: +{{ tuple "zaqar_tests" . | include "helm-toolkit.snippets.kubernetes_pod_priority_class" | indent 2 }} +{{ tuple "zaqar_tests" . 
| include "helm-toolkit.snippets.kubernetes_pod_runtime_class" | indent 2 }} + serviceAccountName: {{ $serviceAccountName }} +{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} +{{ if $envAll.Values.pod.tolerations.zaqar.enabled }} +{{ tuple $envAll "zaqar" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} +{{ end }} + restartPolicy: Never + initContainers: +{{ tuple $envAll "tests" $mounts_zaqar_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }} + - name: zaqar-test-ks-user +{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + command: + - /tmp/ks-user.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: zaqar-bin + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +{{- end }} + - name: SERVICE_OS_SERVICE_NAME + value: "test" +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }} +{{- end }} + - name: SERVICE_OS_ROLE + value: {{ .Values.endpoints.identity.auth.test.role | quote }} + containers: + - name: zaqar-test +{{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }} +{{ dict "envAll" $envAll "application" "test" "container" "zaqar_test" | 
include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }} + env: +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +{{- end }} + command: + - /tmp/rally-test.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: zaqar-etc + mountPath: /etc/rally/rally_tests.yaml + subPath: rally_tests.yaml + readOnly: true + - name: zaqar-bin + mountPath: /tmp/rally-test.sh + subPath: rally-test.sh + readOnly: true +{{ if $mounts_zaqar_tests.volumeMounts }}{{ toYaml $mounts_zaqar_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: zaqar-etc + secret: + secretName: zaqar-etc + defaultMode: 0444 + - name: zaqar-bin + configMap: + name: zaqar-bin + defaultMode: 0555 +{{ if $mounts_zaqar_tests.volumes }}{{ toYaml $mounts_zaqar_tests.volumes | indent 4 }}{{ end }} +{{- end }} diff --git a/zaqar/templates/pod-test.yaml b/zaqar/templates/pod-test.yaml new file mode 100644 index 0000000000..905ceb805a --- /dev/null +++ b/zaqar/templates/pod-test.yaml 
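Review bot: zaqar/templates/pod-rally-test.yaml is gated on `.Values.manifests.pod_test` and names its Pod and service account `{{ .Release.Name }}-test`, exactly as zaqar/templates/pod-test.yaml does, so enabling `pod_test` renders two Pods with the same name. It needs its own switch and name, e.g. `{{- if .Values.manifests.pod_rally_test }}`, though the `manifests` block of values.yaml is outside this view, so that key would have to be confirmed or added. The `zaqar-test-ks-user` init container also passes `.Values.secrets.tls.network.server.internal` to `tls_volume_mount`, while the `secrets.tls` block added in values.yaml defines only `messaging.api.*`. That lookup would therefore fail on a missing key at render time, and no matching TLS volume is declared under `volumes:`. Using `.Values.secrets.tls.messaging.api.internal` and adding the corresponding `helm-toolkit.snippets.tls_volume` entry would match the other templates in this chart.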
@@ -0,0 +1,74 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.pod_test }} +{{- $envAll := . }} +{{- $dependencies := .Values.dependencies.static.tests }} + +{{- $mounts_zaqar_tests := .Values.pod.mounts.zaqar_tests.zaqar_tests }} +{{- $mounts_zaqar_tests_init := .Values.pod.mounts.zaqar_tests.init_container }} + +{{- $serviceAccountName := print .Release.Name "-test" }} +{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-test" + labels: +{{ tuple $envAll "zaqar" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + "helm.sh/hook": test-success + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +{{ dict "envAll" $envAll "podName" "zaqar-test" "containerNames" (list "init" "zaqar-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }} +spec: +{{ tuple "zaqar_tests" . | include "helm-toolkit.snippets.kubernetes_pod_priority_class" | indent 2 }} +{{ tuple "zaqar_tests" . 
| include "helm-toolkit.snippets.kubernetes_pod_runtime_class" | indent 2 }} + serviceAccountName: {{ $serviceAccountName }} +{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} +{{ if $envAll.Values.pod.tolerations.zaqar.enabled }} +{{ tuple $envAll "zaqar" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} +{{ end }} + restartPolicy: Never + initContainers: +{{ tuple $envAll "tests" $mounts_zaqar_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }} + containers: + - name: zaqar-test +{{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }} +{{ dict "envAll" $envAll "application" "test" "container" "zaqar_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }} + env: +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +{{- end }} + command: + - /tmp/zaqar-test.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: zaqar-bin + mountPath: /tmp/zaqar-test.sh + subPath: zaqar-test.sh + readOnly: true +{{ if $mounts_zaqar_tests.volumeMounts }}{{ toYaml $mounts_zaqar_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: zaqar-bin + configMap: + name: zaqar-bin + defaultMode: 0555 +{{ if $mounts_zaqar_tests.volumes }}{{ toYaml $mounts_zaqar_tests.volumes | indent 4 }}{{ end }} +{{- end }} diff --git a/zaqar/templates/secret-db.yaml b/zaqar/templates/secret-db.yaml new file mode 100644 index 0000000000..5c2ae8d333 --- /dev/null +++ b/zaqar/templates/secret-db.yaml 
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "zaqar" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ annotations:
+{{ tuple "oslo_db" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/zaqar/templates/secret-ingress-tls.yaml b/zaqar/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000000..2734800207
--- /dev/null
+++ b/zaqar/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "messaging" ) }}
+{{- end }}
diff --git a/zaqar/templates/secret-keystone.yaml b/zaqar/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..d827222b7b
--- /dev/null
+++ b/zaqar/templates/secret-keystone.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ annotations:
+{{ tuple "identity" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/zaqar/templates/secret-ks-etc.yaml b/zaqar/templates/secret-ks-etc.yaml
new file mode 100644
index 0000000000..4ed272e082
--- /dev/null
+++ b/zaqar/templates/secret-ks-etc.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ks_etc }}
+{{- $envAll := . -}}
+{{/* The endpoints.identity.auth sections with the oslo config sections they get rendered to */}}
+{{- $ksUsers := dict
+ "zaqar" "keystone_authtoken"
+-}}
+{{ dict
+ "envAll" $envAll
+ "serviceName" "zaqar"
+ "serviceUserSections" $ksUsers
+ | include "helm-toolkit.manifests.secret_ks_etc"
+}}
+{{- end }}
diff --git a/zaqar/templates/secret-registry.yaml b/zaqar/templates/secret-registry.yaml
new file mode 100644
index 0000000000..da979b3223
--- /dev/null
+++ b/zaqar/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/zaqar/templates/service-api.yaml b/zaqar/templates/service-api.yaml
new file mode 100644
index 0000000000..919be8f19e
--- /dev/null
+++ b/zaqar/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "messaging" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: z-api
+ port: {{ tuple "messaging" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{- if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{- end }}
+ selector:
+{{ tuple $envAll "zaqar" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{- if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{- if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/zaqar/templates/service-ingress-api.yaml b/zaqar/templates/service-ingress-api.yaml
new file mode 100644
index 0000000000..343a63f4b6
--- /dev/null
+++ b/zaqar/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "messaging" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/zaqar/values.yaml b/zaqar/values.yaml
new file mode 100644
index 0000000000..6776208ef2
--- /dev/null
+++ b/zaqar/values.yaml
@@ -0,0 +1,671 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +labels: + api: + node_selector_key: openstack-control-plane + node_selector_value: enabled + job: + node_selector_key: openstack-control-plane + node_selector_value: enabled + test: + node_selector_key: openstack-control-plane + node_selector_value: enabled + +release_group: null + +images: + tags: + test: docker.io/xrally/xrally-openstack:2.0.0 + bootstrap: quay.io/airshipit/heat:2025.1-ubuntu_jammy + db_init: quay.io/airshipit/heat:2025.1-ubuntu_jammy + db_drop: quay.io/airshipit/heat:2025.1-ubuntu_jammy + ks_user: quay.io/airshipit/heat:2025.1-ubuntu_jammy + ks_service: quay.io/airshipit/heat:2025.1-ubuntu_jammy + ks_endpoints: quay.io/airshipit/heat:2025.1-ubuntu_jammy + zaqar_db_sync: quay.io/airshipit/zaqar:2025.1-ubuntu_jammy + zaqar_api: quay.io/airshipit/zaqar:2025.1-ubuntu_jammy + dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy + image_repo_sync: docker.io/docker:17.07.0 + pull_policy: "IfNotPresent" + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + +network: + api: + ingress: + public: true + classes: + namespace: "nginx" + cluster: "nginx-cluster" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + external_policy_local: false + node_port: + enabled: false + port: 30780 + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - zaqar-image-repo-sync + services: + - endpoint: node + service: 
local_image_registry + static: + api: + jobs: + - zaqar-db-sync + - zaqar-ks-user + - zaqar-ks-endpoints + services: + - endpoint: internal + service: oslo_cache + - endpoint: internal + service: oslo_db + - endpoint: internal + service: identity + bootstrap: + services: + - endpoint: internal + service: identity + - endpoint: internal + service: messaging + db_init: + services: + - endpoint: internal + service: oslo_db + db_drop: + services: + - endpoint: internal + service: oslo_db + db_sync: + jobs: + - zaqar-db-init + services: + - endpoint: internal + service: oslo_db + ks_endpoints: + jobs: + - zaqar-ks-service + services: + - endpoint: internal + service: identity + ks_service: + services: + - endpoint: internal + service: identity + ks_user: + services: + - endpoint: internal + service: identity + +secrets: + identity: + admin: zaqar-keystone-admin + zaqar: zaqar-keystone-user + service: zaqar-keystone-service + test: zaqar-keystone-test + oslo_db: + admin: zaqar-db-admin + zaqar: zaqar-db-user + tls: + messaging: + api: + admin: zaqar-tls-admin + public: zaqar-tls-public + internal: zaqar-tls-internal + nginx: zaqar-tls-nginx + nginx_cluster: zaqar-tls-nginx-cluster + +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + identity: + name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + zaqar: + role: admin,service + region_name: RegionOne + username: zaqar + password: password + project_name: service + user_domain_name: service + project_domain_name: service + test: + role: admin + region_name: RegionOne + username: zaqar-test + password: password + project_name: test + user_domain_name: service + 
project_domain_name: service + hosts: + default: keystone + internal: keystone-api + host_fqdn_override: + default: null + path: + default: /v3 + scheme: + default: http + port: + api: + default: 80 + internal: 5000 + messaging: + name: zaqar + hosts: + default: zaqar-api + public: zaqar + host_fqdn_override: + default: null + path: + default: / + scheme: + default: "http" + service: "http" + port: + api: + default: 8888 + public: 80 + service: 8888 + oslo_db: + auth: + admin: + username: root + password: password + secret: + tls: + internal: mariadb-tls-direct + zaqar: + username: zaqar + password: password + hosts: + default: mariadb + host_fqdn_override: + default: null + path: /zaqar + scheme: mysql+pymysql + port: + mysql: + default: 3306 + oslo_cache: + auth: + memcache_secret_key: null + hosts: + default: memcached + host_fqdn_override: + default: null + port: + memcache: + default: 11211 + fluentd: + namespace: null + name: fluentd + hosts: + default: fluentd-logging + host_fqdn_override: + default: null + path: + default: null + scheme: "http" + port: + service: + default: 24224 + metrics: + default: 24220 + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 + +pod: + probes: + rpc_timeout: 60 + rpc_retries: 2 + api: + default: + liveness: + enabled: true + params: + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + readiness: + enabled: true + params: + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + security_context: + zaqar: + pod: + runAsUser: 42424 + container: + zaqar_api: + runAsUser: 0 + test: + pod: + runAsUser: 42424 + container: + zaqar_test_ks_user: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + zaqar_test: + runAsUser: 65500 + 
readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + affinity: + anti: + type: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname + weight: + default: 10 + tolerations: + zaqar: + enabled: false + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + mounts: + zaqar_api: + init_container: null + zaqar_api: + volumeMounts: + volumes: + zaqar_bootstrap: + init_container: null + zaqar_bootstrap: + volumeMounts: + volumes: + zaqar_db_sync: + zaqar_db_sync: + volumeMounts: + volumes: + zaqar_tests: + init_container: null + zaqar_tests: + volumeMounts: + volumes: + replicas: + api: 1 + lifecycle: + upgrades: + deployments: + revision_history: 3 + pod_replacement_strategy: RollingUpdate + rolling_update: + max_unavailable: 1 + max_surge: 3 + disruption_budget: + api: + min_available: 0 + termination_grace_period: + api: + timeout: 30 + resources: + enabled: false + api: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + jobs: + bootstrap: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + db_init: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + db_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + db_drop: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + ks_endpoints: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + ks_service: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + ks_user: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + tests: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + image_repo_sync: + requests: 
+ memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + +jobs: + bootstrap: + backoffLimit: 5 + activeDeadlineSeconds: 600 + db_init: + backoffLimit: 5 + activeDeadlineSeconds: 600 + db_drop: + backoffLimit: 5 + activeDeadlineSeconds: 600 + db_sync: + backoffLimit: 5 + activeDeadlineSeconds: 600 + ks_endpoints: + backoffLimit: 5 + activeDeadlineSeconds: 600 + ks_service: + backoffLimit: 5 + activeDeadlineSeconds: 600 + ks_user: + backoffLimit: 5 + activeDeadlineSeconds: 600 + tests: + backoffLimit: 5 + activeDeadlineSeconds: 600 + image_repo_sync: + backoffLimit: 5 + activeDeadlineSeconds: 600 + +conf: + zaqar: + DEFAULT: + log_config_append: /etc/zaqar/logging.conf + drivers: + transport: wsgi + message_store: redis + management_store: sqlalchemy + keystone_authtoken: + service_token_roles: service + service_token_roles_required: true + auth_type: password + auth_version: v3 + memcache_security_strategy: ENCRYPT + service_type: reservation + cache: + backend: dogpile.cache.memory + drivers:management_store:sqlalchemy: + uri: + drivers:message_store:redis: + uri: redis://redis:6379 + drivers:transport:wsgi: + bind: 0.0.0.0 + port: 8888 + signed_url: + secret_key: SOMELONGSECRETKEY + logging: + loggers: + keys: + - root + - zaqar + handlers: + keys: + - stdout + - stderr + - "null" + formatters: + keys: + - context + - default + logger_root: + level: WARNING + handlers: "null" + logger_zaqar: + level: INFO + handlers: + - stdout + qualname: zaqar + logger_amqp: + level: WARNING + handlers: stderr + qualname: amqp + logger_amqplib: + level: WARNING + handlers: stderr + qualname: amqplib + logger_eventletwsgi: + level: WARNING + handlers: stderr + qualname: eventlet.wsgi.server + logger_sqlalchemy: + level: WARNING + handlers: stderr + qualname: sqlalchemy + logger_boto: + level: WARNING + handlers: stderr + qualname: boto + handler_null: + class: logging.NullHandler + formatter: default + args: () + handler_stdout: + class: StreamHandler + args: 
(sys.stdout,) + formatter: context + handler_stderr: + class: StreamHandler + args: (sys.stderr,) + formatter: context + formatter_context: + class: oslo_log.formatters.ContextFormatter + datefmt: "%Y-%m-%d %H:%M:%S" + formatter_default: + format: "%(message)s" + datefmt: "%Y-%m-%d %H:%M:%S" + api_paste: + composite:messaging: + use: "egg:Paste#urlmap" + "/": zaqarversions + "/v1": zaqarapi_v1 + composite:zaqarapi_v1: + use: "call:zaqar.transport.wsgi:pipeline_factory" + noauth: "request_id faultwrap sizelimit noauth zaqarapi_v1" + keystone: "request_id faultwrap sizelimit authtoken keystonecontext zaqarapi_v1" + app:zaqarversions: + paste.app_factory: "zaqar.api.versions:Versions.factory" + app:zaqarapi_v1: + paste.app_factory: "zaqar.api.v1.app:make_app" + filter:request_id: + paste.filter_factory: "oslo_middleware:RequestId.factory" + filter:faultwrap: + paste.filter_factory: "zaqar.api.middleware:FaultWrapper.factory" + filter:noauth: + paste.filter_factory: "zaqar.api.middleware:NoAuthMiddleware.factory" + filter:sizelimit: + paste.filter_factory: "oslo_middleware:RequestBodySizeLimiter.factory" + filter:authtoken: + paste.filter_factory: "keystonemiddleware.auth_token:filter_factory" + filter:keystonecontext: + paste.filter_factory: "zaqar.api.middleware:KeystoneContextMiddleware.factory" + policy: {} + rally_tests: + run_tempest: false + clean_up: "" + tests: + Zaqar.queues: + - args: + queue_name: "test-queue" + messages: + - "message1" + - "message2" + - "message3" + ttl: 3600 + runner: + type: "constant" + times: 10 + concurrency: 3 + sla: + failure_rate: + max: 0 + Zaqar.publish: + - args: + queue_name: "publish-queue" + messages: + - "hello" + - "world" + runner: + type: "constant" + times: 15 + concurrency: 4 + sla: + failure_rate: + max: 0 + Zaqar.consume: + - args: + queue_name: "publish-queue" + max_messages: 5 + runner: + type: "constant" + times: 10 + concurrency: 2 + sla: + failure_rate: + max: 0 + +bootstrap: + enabled: false + ks_user: zaqar + 
script: | + openstack token issue + + # create a test queue in Zaqar + openstack queue create test-queue || echo "Queue already exists" + +# NOTE(helm_hook): helm_hook might break for helm2 binary. +# set helm3_hook: false when using the helm2 binary. +helm3_hook: true + +manifests: + certificates: false + configmap_bin: true + configmap_etc: true + deployment_api: true + ingress_api: true + job_bootstrap: true + job_db_init: true + job_db_drop: false + job_db_sync: true + job_image_repo_sync: true + job_ks_endpoints: true + job_ks_service: true + job_ks_user: true + pdb_api: true + pod_rally_test: true + secret_db: true + secret_keystone: true + secret_ks_etc: true + service_api: true + service_ingress_api: true + +network_policy: + zaqar: + ingress: + - {} + egress: + - {} + +tls: + identity: false + oslo_db: false + messaging: + api: + public: false +... diff --git a/zuul.d/2025.1.yaml b/zuul.d/2025.1.yaml index 54ac3abcff..d358bde988 100644 --- a/zuul.d/2025.1.yaml +++ b/zuul.d/2025.1.yaml @@ -118,4 +118,15 @@ openstack_release: "2025.1" container_distro_name: ubuntu container_distro_version: jammy + +- job: + name: openstack-helm-zaqar-2025-1-ubuntu_jammy + parent: openstack-helm-zaqar + nodeset: openstack-helm-3nodes-ubuntu_jammy + timeout: 10800 + vars: + osh_params: + openstack_release: "2025.1" + container_distro_name: ubuntu + container_distro_version: jammy ... diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml index 87083604f3..7b0f2133cf 100644 --- a/zuul.d/base.yaml +++ b/zuul.d/base.yaml 
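Review bot: In zaqar/values.yaml, `conf.zaqar.signed_url.secret_key` ships with the literal default `SOMELONGSECRETKEY`, so every deployment that does not override it signs pre-signed URLs with a key that is published in the chart. I would default it to empty, `secret_key: null  # required: per-deployment random value used to sign pre-signed URLs`, and have the template either fail on an empty value or generate one, unless configmap-etc.yaml (outside this hunk) already replaces it. In the same hunk, `pod.security_context.zaqar.container.zaqar_api` sets `runAsUser: 0` with neither `allowPrivilegeEscalation: false` nor `readOnlyRootFilesystem: true`, both of which the test containers just below it do set; if the API process does not need root, it should match them. `keystone_authtoken.service_type: reservation` also looks carried over from another chart, since the endpoints in this file are keyed `messaging`.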
@@ -604,4 +604,25 @@ - ./tools/deployment/component/keystone/keystone.sh - ./tools/deployment/component/freezer/freezer.sh - ./tools/deployment/component/freezer/freezer_smoke_test.sh + +- job: + name: openstack-helm-zaqar + parent: openstack-helm-deploy + timeout: 10800 + files: + - zaqar/.* + abstract: true + vars: + gate_scripts: + - ./tools/deployment/common/prepare-bashrc.sh + - ./tools/deployment/common/prepare-k8s.sh + - ./tools/deployment/common/prepare-charts.sh + - ./tools/deployment/common/setup-client.sh + - export VOLUME_HELM_ARGS="--set volume.enabled=false"; ./tools/deployment/component/common/rabbitmq.sh + - ./tools/deployment/db/mariadb.sh + - ./tools/deployment/component/common/memcached.sh + - ./tools/deployment/component/keystone/keystone.sh + - ./tools/deployment/component/redis/redis.sh + - ./tools/deployment/component/zaqar/zaqar.sh + - ./tools/deployment/component/zaqar/zaqar_smoke_test.sh ... diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 1fb4a5e752..1f0dc1219b 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -43,6 +43,7 @@ - openstack-helm-blazar-2025-1-ubuntu_jammy # 3 nodes; run only if blazar changed - openstack-helm-cloudkitty-2025-1-ubuntu_jammy # 3 nodes; run only if cloudkitty changed - openstack-helm-freezer-2025-1-ubuntu_jammy # 3 nodes; run only if freezer changed + - openstack-helm-zaqar-2025-1-ubuntu_jammy # 3 nodes; run only if zaqar changed # 2025.1 Ubuntu Noble - openstack-helm-cinder-2025-1-ubuntu_noble # 5 nodes rook - openstack-helm-compute-kit-2025-1-ubuntu_noble # 1 node + 3 nodes