Merge "Add support for MFA options" into stable/2023.2
diff --git a/charts/barbican/templates/deployment-api.yaml b/charts/barbican/templates/deployment-api.yaml
index 8ae9ea4..1e5cbba 100644
--- a/charts/barbican/templates/deployment-api.yaml
+++ b/charts/barbican/templates/deployment-api.yaml
@@ -47,6 +47,12 @@
{{ dict "envAll" $envAll "podName" "barbican-api" "containerNames" (list "init" "barbican-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "barbican" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ with .Values.pod.priorityClassName.barbican_api }}
+ priorityClassName: {{ . }}
+{{ end }}
+{{ with .Values.pod.runtimeClassName.barbican_api }}
+ runtimeClassName: {{ . }}
+{{ end }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
diff --git a/charts/barbican/templates/pod-test.yaml b/charts/barbican/templates/pod-test.yaml
index f414356..783d328 100644
--- a/charts/barbican/templates/pod-test.yaml
+++ b/charts/barbican/templates/pod-test.yaml
@@ -33,6 +33,12 @@
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
+{{ with .Values.pod.priorityClassName.barbican_tests }}
+ priorityClassName: {{ . }}
+{{ end }}
+{{ with .Values.pod.runtimeClassName.barbican_tests }}
+ runtimeClassName: {{ . }}
+{{ end }}
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
nodeSelector:
diff --git a/charts/barbican/values.yaml b/charts/barbican/values.yaml
index e2e87bf..17aee72 100644
--- a/charts/barbican/values.yaml
+++ b/charts/barbican/values.yaml
@@ -55,6 +55,14 @@
- image_repo_sync
pod:
+ priorityClassName:
+ barbican_api: null
+ barbican_tests: null
+ db_sync: null
+ runtimeClassName:
+ barbican_api: null
+ barbican_tests: null
+ db_sync: null
security_context:
barbican:
pod:
diff --git a/charts/nova/templates/statefulset-compute-ironic.yaml b/charts/nova/templates/statefulset-compute-ironic.yaml
index 377555d..37d3fc5 100644
--- a/charts/nova/templates/statefulset-compute-ironic.yaml
+++ b/charts/nova/templates/statefulset-compute-ironic.yaml
@@ -51,8 +51,6 @@
{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.agent.compute_ironic.node_selector_key }}: {{ .Values.labels.agent.compute_ironic.node_selector_value }}
- securityContext:
- runAsUser: 0
hostPID: true
dnsPolicy: ClusterFirstWithHostNet
initContainers:
diff --git a/charts/patches/barbican/0003-Enable-priority-runtime-ClassName-for-Barbican.patch b/charts/patches/barbican/0003-Enable-priority-runtime-ClassName-for-Barbican.patch
new file mode 100644
index 0000000..a956746
--- /dev/null
+++ b/charts/patches/barbican/0003-Enable-priority-runtime-ClassName-for-Barbican.patch
@@ -0,0 +1,63 @@
+From e7640e5fc0179fabfa063e89f7e7a7612e1c807e Mon Sep 17 00:00:00 2001
+From: Dong Ma <dong.ma@vexxhost.com>
+Date: Mon, 10 Feb 2025 06:32:12 +0000
+Subject: [PATCH] Enable {priority,runtime}ClassName for Barbican
+
+---
+ barbican/templates/deployment-api.yaml | 6 +++
+ barbican/templates/pod-test.yaml | 6 +++
+ barbican/values.yaml | 8 ++++
+
+diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
+index 8ae9ea42..1e5cbbac 100644
+--- a/barbican/templates/deployment-api.yaml
++++ b/barbican/templates/deployment-api.yaml
+@@ -47,6 +47,12 @@ spec:
+ {{ dict "envAll" $envAll "podName" "barbican-api" "containerNames" (list "init" "barbican-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ {{ dict "envAll" $envAll "application" "barbican" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
++{{ with .Values.pod.priorityClassName.barbican_api }}
++ priorityClassName: {{ . }}
++{{ end }}
++{{ with .Values.pod.runtimeClassName.barbican_api }}
++ runtimeClassName: {{ . }}
++{{ end }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+ {{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+diff --git a/barbican/templates/pod-test.yaml b/barbican/templates/pod-test.yaml
+index f4143564..783d328b 100644
+--- a/barbican/templates/pod-test.yaml
++++ b/barbican/templates/pod-test.yaml
+@@ -33,6 +33,12 @@ metadata:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ {{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+ spec:
++{{ with .Values.pod.priorityClassName.barbican_tests }}
++ priorityClassName: {{ . }}
++{{ end }}
++{{ with .Values.pod.runtimeClassName.barbican_tests }}
++ runtimeClassName: {{ . }}
++{{ end }}
+ serviceAccountName: {{ $serviceAccountName }}
+ {{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ nodeSelector:
+diff --git a/barbican/values.yaml b/barbican/values.yaml
+index e2e87bf7..17aee723 100644
+--- a/barbican/values.yaml
++++ b/barbican/values.yaml
+@@ -55,6 +55,14 @@ images:
+ - image_repo_sync
+
+ pod:
++ priorityClassName:
++ barbican_api: null
++ barbican_tests: null
++ db_sync: null
++ runtimeClassName:
++ barbican_api: null
++ barbican_tests: null
++ db_sync: null
+ security_context:
+ barbican:
+ pod:
diff --git a/charts/patches/neutron/0004-nic-name-feature.patch b/charts/patches/neutron/0004-nic-name-feature.patch
new file mode 100644
index 0000000..c2325e7
--- /dev/null
+++ b/charts/patches/neutron/0004-nic-name-feature.patch
@@ -0,0 +1,61 @@
+diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
+index bd0a64a..08833a5 100644
+--- a/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
++++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
+@@ -196,6 +196,12 @@ function process_dpdk_nics {
+ while IFS= read -r nic; do
+ local port_name=$(get_dpdk_config_value ${nic} '.name')
+ local pci_id=$(get_dpdk_config_value ${nic} '.pci_id')
++ local iface=$(get_dpdk_config_value ${nic} '.iface')
++ if [ -n ${iface} ] && [ -z ${pci_id} ]; then
++ local pci_id=$(get_address_by_nicname ${iface})
++ else
++ iface=$(get_name_by_pci_id "${pci_id}")
++ fi
+ local bridge=$(get_dpdk_config_value ${nic} '.bridge')
+ local vf_index=$(get_dpdk_config_value ${nic} '.vf_index')
+
+@@ -203,8 +209,6 @@ function process_dpdk_nics {
+ migrate_ip "${pci_id}" "${bridge}"
+ fi
+
+- iface=$(get_name_by_pci_id "${pci_id}")
+-
+ if [ -n "${iface}" ]; then
+ ip link set ${iface} promisc on
+ if [ -n "${vf_index}" ]; then
+@@ -292,6 +296,12 @@ function process_dpdk_bonds {
+ echo $bond | jq -r -c '.nics[]' > /tmp/nics_array
+ while IFS= read -r nic; do
+ local pci_id=$(get_dpdk_config_value ${nic} '.pci_id')
++ local iface=$(get_dpdk_config_value ${nic} '.iface')
++ if [ -n ${iface} ] && [ -z ${pci_id} ]; then
++ local pci_id=$(get_address_by_nicname ${iface})
++ else
++ iface=$(get_name_by_pci_id "${pci_id}")
++ fi
+ local nic_name=$(get_dpdk_config_value ${nic} '.name')
+ local pmd_rxq_affinity=$(get_dpdk_config_value ${nic} '.pmd_rxq_affinity')
+ local vf_index=$(get_dpdk_config_value ${nic} '.vf_index')
+@@ -302,8 +312,6 @@ function process_dpdk_bonds {
+ ip_migrated=true
+ fi
+
+- iface=$(get_name_by_pci_id "${pci_id}")
+-
+ if [ -n "${iface}" ]; then
+ ip link set ${iface} promisc on
+ if [ -n "${vf_index}" ]; then
+@@ -407,6 +415,12 @@ function get_driver_by_address {
+ fi
+ }
+
++function get_address_by_nicname {
++ if [[ -e /sys/class/net/$1/device ]]; then
++ readlink -f /sys/class/net/$1/device | xargs basename
++ fi
++}
++
+ function init_ovs_dpdk_bridge {
+ bridge=$1
+ ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-br ${bridge} \
diff --git a/charts/patches/nova/0001-Resolve-two-redundant-securityContext-problems.patch b/charts/patches/nova/0001-Resolve-two-redundant-securityContext-problems.patch
new file mode 100644
index 0000000..e76bfde
--- /dev/null
+++ b/charts/patches/nova/0001-Resolve-two-redundant-securityContext-problems.patch
@@ -0,0 +1,25 @@
+From f2940941f44ee41bc631941ea5fc316ac8b8253b Mon Sep 17 00:00:00 2001
+From: Dong Ma <dong.ma@vexxhost.com>
+Date: Tue, 11 Feb 2025 15:19:31 +0000
+Subject: [PATCH] Resolve two redundant securityContext problems
+
+---
+ nova/templates/statefulset-compute-ironic.yaml | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml
+index 377555d6..37d3fc5a 100644
+--- a/nova/templates/statefulset-compute-ironic.yaml
++++ b/nova/templates/statefulset-compute-ironic.yaml
+@@ -51,8 +51,6 @@ spec:
+ {{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.agent.compute_ironic.node_selector_key }}: {{ .Values.labels.agent.compute_ironic.node_selector_value }}
+- securityContext:
+- runAsUser: 0
+ hostPID: true
+ dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+--
+2.34.1
+
diff --git a/releasenotes/notes/adding-nicname-as-an-option-f7e790ea8174e6af.yaml b/releasenotes/notes/adding-nicname-as-an-option-f7e790ea8174e6af.yaml
new file mode 100644
index 0000000..103a6db
--- /dev/null
+++ b/releasenotes/notes/adding-nicname-as-an-option-f7e790ea8174e6af.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ It is now possible to configure DPDK interfaces using the interface names in addition to
+ possibly being able to use the ``pci_id`` to ease deploying in heterogeneous environments.
diff --git a/releasenotes/notes/barbican-priority-runtime-class-b84c8515f03e18c5.yaml b/releasenotes/notes/barbican-priority-runtime-class-b84c8515f03e18c5.yaml
new file mode 100644
index 0000000..4414c45
--- /dev/null
+++ b/releasenotes/notes/barbican-priority-runtime-class-b84c8515f03e18c5.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - The Barbican role now allows users to configure the ``priorityClassName`` and
+ the ``runtimeClassName`` for all of the different components of the service.
diff --git a/releasenotes/notes/fix-two-redundant-securityContext-problems-28bfb724627e8920.yaml b/releasenotes/notes/fix-two-redundant-securityContext-problems-28bfb724627e8920.yaml
new file mode 100644
index 0000000..799899e
--- /dev/null
+++ b/releasenotes/notes/fix-two-redundant-securityContext-problems-28bfb724627e8920.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fix two redundant securityContext problems in
+ statefulset-compute-ironic.yaml template.
diff --git a/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
new file mode 100644
index 0000000..2b52c90
--- /dev/null
+++ b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - The Horizon service now runs as the non-privileged user `horizon` in the
+ container.
+ - The Horizon service ``ALLOWED_HOSTS`` setting is now configured to point
+ to the configured endpoints for the service.
+ - The CORS headers are now configured to only allow requests from the
+ configured endpoints for the service.
diff --git a/roles/barbican/tests/priorityclass_test.yaml b/roles/barbican/tests/priorityclass_test.yaml
new file mode 100644
index 0000000..cebccc4
--- /dev/null
+++ b/roles/barbican/tests/priorityclass_test.yaml
@@ -0,0 +1,48 @@
+suite: priorityclass
+tests:
+ - it: should support not having a priority class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/pod-test.yaml
+ - templates/job-db-sync.yaml
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.priorityClassName
+ - template: templates/pod-test.yaml
+ documentIndex: 1
+ notExists:
+ path: spec.priorityClassName
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.priorityClassName
+
+ - it: should support setting a priority class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/pod-test.yaml
+ - templates/job-db-sync.yaml
+ set:
+ pod:
+ priorityClassName:
+ barbican_api: platform
+ barbican_tests: platform
+ db_sync: platform
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.priorityClassName
+ value: platform
+ - template: templates/pod-test.yaml
+ documentIndex: 1
+ equal:
+ path: spec.priorityClassName
+ value: platform
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.priorityClassName
+ value: platform
diff --git a/roles/barbican/tests/runtimeclass_test.yaml b/roles/barbican/tests/runtimeclass_test.yaml
new file mode 100644
index 0000000..2ee6b08
--- /dev/null
+++ b/roles/barbican/tests/runtimeclass_test.yaml
@@ -0,0 +1,48 @@
+suite: runtimeclass
+tests:
+ - it: should support not having a runtime class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/pod-test.yaml
+ - templates/job-db-sync.yaml
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.runtimeClassName
+ - template: templates/pod-test.yaml
+ documentIndex: 1
+ notExists:
+ path: spec.runtimeClassName
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.runtimeClassName
+
+ - it: should support setting a runtime class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/pod-rally-test.yaml
+ - templates/job-db-sync.yaml
+ set:
+ pod:
+ runtimeClassName:
+ barbican_api: kata-clh
+ barbican_tests: kata-clh
+ db_sync: kata-clh
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.runtimeClassName
+ value: kata-clh
+ - template: templates/pod-test.yaml
+ documentIndex: 1
+ equal:
+ path: spec.runtimeClassName
+ value: kata-clh
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.runtimeClassName
+ value: kata-clh
diff --git a/roles/horizon/vars/main.yml b/roles/horizon/vars/main.yml
index 3e4f541..e0499bb 100644
--- a/roles/horizon/vars/main.yml
+++ b/roles/horizon/vars/main.yml
@@ -17,6 +17,16 @@
images:
tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('horizon') }}"
pod:
+ security_context:
+ horizon:
+ pod:
+ fsGroup: 42424
+ db_sync:
+ pod:
+ fsGroup: 42424
+ tests:
+ pod:
+ fsGroup: 42424
replicas:
server: 3
conf:
@@ -24,6 +34,8 @@
local_settings:
config:
disallow_iframe_embed: "True"
+ allowed_hosts:
+ - "{{ openstack_helm_endpoints_horizon_api_host }}"
secure_proxy_ssl_header: "True"
horizon_images_upload_mode: direct
openstack_enable_password_retrieve: "True"
@@ -55,3 +67,5 @@
_horizon_ingress_annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "5000m"
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/cors-allow-origin: "{{ openstack_helm_endpoints_horizon_api_host }}"
diff --git a/roles/tempest/vars/main.yml b/roles/tempest/vars/main.yml
index 39eb424..068cd87 100644
--- a/roles/tempest/vars/main.yml
+++ b/roles/tempest/vars/main.yml
@@ -33,7 +33,8 @@
endpoint_type: internal
fixed_network_name: public
dashboard:
- dashboard_url: "http://horizon-int.openstack.svc.cluster.local"
+ dashboard_url: "https://{{ openstack_helm_endpoints_horizon_api_host }}"
+ disable_ssl_certificate_validation: "{{ cluster_issuer_type == 'self-signed' }}"
identity:
v3_endpoint_type: internal
image: