From 51b9a1c84be482031121f1f972a53605174902fc Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Wed, 23 Oct 2024 15:53:10 -0500 Subject: [PATCH 01/10] feat: flavor schema for ironic hw detect We'll want to detect and confirm the hardware in Ironic and match it to hardware flavors we want to offer and expect. This schema defines the data files that the flavors hook for Ironic will consume. Changed cpu_models to cpu_model and added support for pci devices list. --- docs/schema/flavor.schema.json | 1 + .../ironic_understack/flavor_spec.py | 18 +++- .../tests/test_flavor_spec.py | 14 ++-- .../ironic_understack/tests/test_matcher.py | 9 +- schema/README.md | 5 ++ schema/flavor.schema.json | 84 +++++++++++++++++++ 6 files changed, 118 insertions(+), 13 deletions(-) create mode 120000 docs/schema/flavor.schema.json create mode 100644 schema/flavor.schema.json diff --git a/docs/schema/flavor.schema.json b/docs/schema/flavor.schema.json new file mode 120000 index 000000000..28bad20bd --- /dev/null +++ b/docs/schema/flavor.schema.json @@ -0,0 +1 @@ +../../schema/flavor.schema.json \ No newline at end of file diff --git a/python/ironic-understack/ironic_understack/flavor_spec.py b/python/ironic-understack/ironic_understack/flavor_spec.py index 8848f80db..30fcd1262 100644 --- a/python/ironic-understack/ironic_understack/flavor_spec.py +++ b/python/ironic-understack/ironic_understack/flavor_spec.py @@ -6,6 +6,14 @@ from ironic_understack.machine import Machine +@dataclass +class PciSpec: + vendor_id: str + device_id: str + sub_vendor_id: str + sub_device_id: str + + @dataclass class FlavorSpec: name: str @@ -13,8 +21,9 @@ class FlavorSpec: model: str memory_gb: int cpu_cores: int - cpu_models: list[str] + cpu_model: str drives: list[int] + pci: list[PciSpec] @staticmethod def from_yaml(yaml_str: str) -> "FlavorSpec": 
@@ -25,8 +34,9 @@ def from_yaml(yaml_str: str) -> "FlavorSpec": model=data["model"], memory_gb=data["memory_gb"], cpu_cores=data["cpu_cores"], - cpu_models=data["cpu_models"], + cpu_model=data.get("cpu_model", data.get("cpu_models", [""]).pop()), drives=data["drives"], + pci=data.get("pci", []), ) @staticmethod @@ -67,7 +77,7 @@ def score_machine(self, machine: Machine): if ( machine.memory_gb == self.memory_gb and machine.disk_gb in self.drives - and machine.cpu in self.cpu_models + and machine.cpu == self.cpu_model ): return 100 @@ -80,7 +90,7 @@ def score_machine(self, machine: Machine): return 0 # Rule 4: Machine must match the flavor on one of the CPU models exactly - if machine.cpu not in self.cpu_models: + if machine.cpu != self.cpu_model: return 0 # Rule 5 and 6: Rank based on exact matches or excess capacity diff --git a/python/ironic-understack/ironic_understack/tests/test_flavor_spec.py b/python/ironic-understack/ironic_understack/tests/test_flavor_spec.py index 16cdcc8b5..8e06a3bc0 100644 --- a/python/ironic-understack/ironic_understack/tests/test_flavor_spec.py +++ b/python/ironic-understack/ironic_understack/tests/test_flavor_spec.py @@ -14,8 +14,7 @@ def valid_yaml(): model: PowerEdge R7615 memory_gb: 7777 cpu_cores: 245 -cpu_models: - - AMD EPYC 9254 245-Core Processor +cpu_model: AMD EPYC 9254 245-Core Processor drives: - 960 - 960 @@ -50,7 +49,7 @@ def test_from_yaml(valid_yaml): assert spec.model == "PowerEdge R7615" assert spec.memory_gb == 7777 assert spec.cpu_cores == 245 - assert spec.cpu_models == ["AMD EPYC 9254 245-Core Processor"] + assert spec.cpu_model == "AMD EPYC 9254 245-Core Processor" assert spec.drives == [960, 960] @@ -119,8 +118,9 @@ def flavors(): model="Fake Machine", memory_gb=100, cpu_cores=13, - cpu_models=["AMD EPYC 9254 245-Core Processor"], + cpu_model="AMD EPYC 9254 245-Core Processor", drives=[500, 500], + pci=[], ), FlavorSpec( name="medium", 
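Review bot: `pci=data.get("pci", [])` stores the raw YAML mappings in a field the previous hunk declares as `list[PciSpec]`, so nothing ever constructs the new dataclass and any consumer comparing attributes will be handed dicts; convert at load time, e.g. `pci=[PciSpec(**entry) for entry in data.get("pci", [])]`, which also rejects an entry missing one of the four ids with a TypeError instead of carrying it silently. The `cpu_models` fallback on the line above calls `.pop()` on the list held inside `data`, mutating the caller's mapping and raising IndexError on an empty list; PATCH 03 in this series replaces that line with `data["cpu_model"]`, so only the pci conversion stays open. In the fourth hunk the comment `# Rule 4: Machine must match the flavor on one of the CPU models exactly` now describes a single value and should read `# Rule 4: Machine CPU must match the flavor's cpu_model exactly`. None of the visible score_machine hunks consult `self.pci`, so if PCI matching is meant to be scored later a `# TODO: pci devices are loaded but not yet scored` at the field would make that explicit. The opening lines of from_yaml, including how the YAML is parsed, are outside this hunk, so whether the document is validated against schema/flavor.schema.json before these lookups cannot be seen here.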
@@ -128,8 +128,9 @@ def flavors(): model="Fake Machine", memory_gb=200, cpu_cores=15, - cpu_models=["AMD EPYC 9254 245-Core Processor"], + cpu_model="AMD EPYC 9254 245-Core Processor", drives=[1500, 1500], + pci=[], ), FlavorSpec( name="large", @@ -137,8 +138,9 @@ def flavors(): model="Fake Machine", memory_gb=400, cpu_cores=27, - cpu_models=["AMD EPYC 9254 245-Core Processor"], + cpu_model="AMD EPYC 9254 245-Core Processor", drives=[1800, 1800], + pci=[], ), ] diff --git a/python/ironic-understack/ironic_understack/tests/test_matcher.py b/python/ironic-understack/ironic_understack/tests/test_matcher.py index 89dd22f8d..2e4455fc3 100644 --- a/python/ironic-understack/ironic_understack/tests/test_matcher.py +++ b/python/ironic-understack/ironic_understack/tests/test_matcher.py @@ -13,8 +13,9 @@ def sample_flavors(): model="Fake Machine", memory_gb=4, cpu_cores=2, - cpu_models=["x86"], + cpu_model="x86", drives=[20], + pci=[], ), FlavorSpec( name="medium", @@ -22,8 +23,9 @@ def sample_flavors(): model="Fake Machine", memory_gb=8, cpu_cores=4, - cpu_models=["x86"], + cpu_model="x86", drives=[40], + pci=[], ), FlavorSpec( name="large", @@ -31,8 +33,9 @@ def sample_flavors(): model="Fake Machine", memory_gb=16, cpu_cores=8, - cpu_models=["x86"], + cpu_model="x86", drives=[80], + pci=[], ), ] diff --git a/schema/README.md b/schema/README.md index ff56aec9f..ff0139fb2 100644 --- a/schema/README.md +++ b/schema/README.md @@ -5,3 +5,8 @@ ```bash curl -o argo-workflows.json https://raw.githubusercontent.com/argoproj/argo-workflows/master/api/jsonschema/schema.json ``` + +## flavor.schema + +Used to define hardware identification / mapping for Ironic hardware to Nova flavors. +The flavors hook uses these files to set properties automatically on the nodes. diff --git a/schema/flavor.schema.json b/schema/flavor.schema.json new file mode 100644 index 000000000..397b8c94e --- /dev/null +++ b/schema/flavor.schema.json 
@@ -0,0 +1,84 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://rackerlabs.github.io/understack/schema/flavor.schema.json", + "title": "UnderStack Hardware Flavor", + "description": "Server flavor configuration schema", + "type": "object", + "properties": { + "name": { + "description": "Flavor name for specified configuration (ie gp01.s)", + "type": "string" + }, + "manufacturer": { + "description": "Manufacturer of the hardware chassis", + "type": "string" + }, + "model": { + "description": "Model of the hardware chassis", + "type": "string" + }, + "cpu_cores": { + "description": "Total CPU cores.", + "type": "number" + }, + "cpu_model": { + "description": "Processor model", + "type": "string" + }, + "cpu_models": { + "description": "Processor models", + "type": "array", + "items": { + "type": "string", + "description": "Processor model" + }, + "minItems": 1, + "maxItems": 1 + }, + "memory_gb": { + "description": "Total memory in GB", + "type": "number" + }, + "memory_modules": { + "description": "Memory modules", + "type": "array", + "items": { + "type": "number", + "description": "Capacity in GB" + } + }, + "drives": { + "description": "Drives", + "type": "array", + "items": { + "type": "number", + "description": "Capacity in GB" + } + }, + "pci": { + "description": "PCI devices", + "type": "array", + "items": { + "type": "object", + "description": "PCI device", + "properties": { + "vendor_id": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "sub_vendor_id": { + "type": "string" + }, + "sub_device_id": { + "type": "string" + } + }, + "required": ["vendor_id", "device_id", "sub_vendor_id", "sub_device_id"] + + } + } + }, + "required": [ "name", "manufacturer", "model", "cpu_cores", "cpu_models", "memory_gb", "drives" ] +} From ece7bc5e1ee308dfeed40267fc444953d60b9c28 Mon Sep 17 00:00:00 2001 
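Review bot: The object accepts any extra key and any numeric value, so a flavor file with a misspelled property or `cpu_cores: 2.5` validates cleanly while flavor_spec.py expects `int` fields; add `"additionalProperties": false` at the top level and tighten `cpu_cores` and `memory_gb` to `"type": "integer", "minimum": 1` (likewise the items of `drives` and `memory_modules`). The PCI entries are the other gap: `vendor_id`, `device_id`, `sub_vendor_id` and `sub_device_id` are unconstrained strings, and if these are the conventional four-hex-digit PCI ids a `"pattern": "^[0-9a-fA-F]{4}$"` on each would catch `0x`-prefixed or decimal forms before the flavors hook compares them against inventory. `required` lists `cpu_models` whereas the Python loader reads `cpu_model`; PATCH 03 in this series corrects that. `memory_modules` is defined here but has no counterpart field in FlavorSpec, so a description such as `"Memory modules (informational, not yet consumed by the flavors hook)"` would stop it looking like a typo.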
From: Marek Skrobacki Date: Thu, 24 Oct 2024 16:43:23 +0100 Subject: [PATCH 02/10] switch openstack public endpoints to https --- components/glance/aio-values.yaml | 6 ++++++ components/ironic/aio-values.yaml | 6 ++++++ components/keystone/aio-values.yaml | 5 +++++ components/neutron/aio-values.yaml | 7 +++++++ components/nova/aio-values.yaml | 6 ++++++ components/placement/aio-values.yaml | 8 ++++++++ 6 files changed, 38 insertions(+) diff --git a/components/glance/aio-values.yaml b/components/glance/aio-values.yaml index f8d40263c..6cd524d8b 100644 --- a/components/glance/aio-values.yaml +++ b/components/glance/aio-values.yaml @@ -11,6 +11,12 @@ endpoints: name: rabbitmq-server hosts: default: rabbitmq-nodes + image: + port: + api: + public: 443 + scheme: + public: https network: # configure OpenStack Helm to use Undercloud's ingress diff --git a/components/ironic/aio-values.yaml b/components/ironic/aio-values.yaml index 86611fe41..e3b89753f 100644 --- a/components/ironic/aio-values.yaml +++ b/components/ironic/aio-values.yaml @@ -76,6 +76,12 @@ endpoints: name: rabbitmq-server hosts: default: rabbitmq-nodes + baremetal: + port: + api: + public: 443 + scheme: + public: https network: api: diff --git a/components/keystone/aio-values.yaml b/components/keystone/aio-values.yaml index 8c2e2e8d7..c19ee7558 100644 --- a/components/keystone/aio-values.yaml +++ b/components/keystone/aio-values.yaml @@ -312,6 +312,11 @@ endpoints: # which is wired back to keystone-api via the service_ingress_api manifest. just # go direct to the service default: keystone-api + scheme: + public: https + port: + api: + public: 443 manifests: job_credential_cleanup: false diff --git a/components/neutron/aio-values.yaml b/components/neutron/aio-values.yaml index f94b31a7b..2c87b0fa6 100644 --- a/components/neutron/aio-values.yaml +++ b/components/neutron/aio-values.yaml 
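Review bot: Flipping the public scheme to `https` and the port to `443` changes only what the Keystone catalog advertises; nothing in this commit, here or in the ironic, keystone, neutron, nova and placement hunks, provides a certificate or TLS block for the public host, so clients following the catalog reach an ingress that cannot terminate TLS until the issuer configuration lands, which PATCH 09 in this series does. Consider carrying the `host_fqdn_override.public.tls` settings in the same change, or stating the dependency in the commit message, so a partial rollout does not leave the catalog pointing at unreachable endpoints. Style: placement quotes the value as `public: 'https'` while every other component writes `public: https`, and keystone orders `scheme` before `port` where the others do the reverse; aligning the six files keeps them diffable.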
@@ -11,6 +11,13 @@ endpoints: name: rabbitmq-server hosts: default: rabbitmq-nodes + network: + port: + api: + public: 443 + scheme: + public: https + network: # we're using ironic and actual switches diff --git a/components/nova/aio-values.yaml b/components/nova/aio-values.yaml index b41829b7c..ee1e8c9d0 100644 --- a/components/nova/aio-values.yaml +++ b/components/nova/aio-values.yaml @@ -18,6 +18,12 @@ endpoints: name: rabbitmq-server hosts: default: rabbitmq-nodes + compute: + port: + api: + public: 443 + scheme: + public: https network: # we're using ironic and actual switches diff --git a/components/placement/aio-values.yaml b/components/placement/aio-values.yaml index cd8868254..a634bcbfb 100644 --- a/components/placement/aio-values.yaml +++ b/components/placement/aio-values.yaml @@ -55,3 +55,11 @@ annotations: placement_ks_endpoints: argocd.argoproj.io/hook: Sync argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +endpoints: + placement: + scheme: + public: 'https' + port: + api: + public: 443 From a12a662006ed3284f941384a1914eac3cbaf781a Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 24 Oct 2024 10:56:00 -0500 Subject: [PATCH 03/10] feat(schema): switch cpu_models to cpu_model --- .../ironic_understack/flavor_spec.py | 2 +- schema/flavor.schema.json | 12 +----------- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/python/ironic-understack/ironic_understack/flavor_spec.py b/python/ironic-understack/ironic_understack/flavor_spec.py index 30fcd1262..359a16d47 100644 --- a/python/ironic-understack/ironic_understack/flavor_spec.py +++ b/python/ironic-understack/ironic_understack/flavor_spec.py @@ -34,7 +34,7 @@ def from_yaml(yaml_str: str) -> "FlavorSpec": model=data["model"], memory_gb=data["memory_gb"], cpu_cores=data["cpu_cores"], - cpu_model=data.get("cpu_model", data.get("cpu_models", [""]).pop()), + cpu_model=data["cpu_model"], drives=data["drives"], pci=data.get("pci", []), ) 
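Review bot: Dropping the fallback means a flavor file that still carries the old `cpu_models` list now fails inside `from_yaml` with a bare `KeyError: 'cpu_model'`, which gives the operator no hint that the key was renamed; since the schema change in this same commit removes `cpu_models`, a guard before the constructor such as `if "cpu_models" in data: raise ValueError("'cpu_models' was replaced by 'cpu_model'")` would make the migration explicit. The start of from_yaml, including how the YAML is parsed, is outside this hunk, so whether the document is checked against schema/flavor.schema.json first cannot be seen here.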
diff --git a/schema/flavor.schema.json b/schema/flavor.schema.json index 397b8c94e..5db821d51 100644 --- a/schema/flavor.schema.json +++ b/schema/flavor.schema.json @@ -25,16 +25,6 @@ "description": "Processor model", "type": "string" }, - "cpu_models": { - "description": "Processor models", - "type": "array", - "items": { - "type": "string", - "description": "Processor model" - }, - "minItems": 1, - "maxItems": 1 - }, "memory_gb": { "description": "Total memory in GB", "type": "number" @@ -80,5 +70,5 @@ } } }, - "required": [ "name", "manufacturer", "model", "cpu_cores", "cpu_models", "memory_gb", "drives" ] + "required": [ "name", "manufacturer", "model", "cpu_cores", "cpu_model", "memory_gb", "drives" ] } From 24ce069f678c8d7bc36020fb5de2d65646b64197 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:41:55 +0000 Subject: [PATCH 04/10] chore(deps): update actions/setup-python digest to 0b93645 --- .github/workflows/build-ironic-images.yaml | 2 +- .github/workflows/code-test.yaml | 2 +- .github/workflows/mkdocs.yaml | 2 +- .github/workflows/pre-commit.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-ironic-images.yaml b/.github/workflows/build-ironic-images.yaml index a3facf424..110d97ccf 100644 --- a/.github/workflows/build-ironic-images.yaml +++ b/.github/workflows/build-ironic-images.yaml @@ -22,7 +22,7 @@ jobs: working-directory: ironic-images/ipa-debian-bookworm steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 id: setup-python with: python-version: '3.11' diff --git a/.github/workflows/code-test.yaml b/.github/workflows/code-test.yaml index 91abee0da..3af3e2b30 100644 --- a/.github/workflows/code-test.yaml +++ b/.github/workflows/code-test.yaml 
@@ -41,7 +41,7 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - run: pipx install poetry==1.7.1 && poetry self add 'poetry-dynamic-versioning[plugin]' - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 with: python-version-file: python/${{ matrix.project }}/pyproject.toml cache: "poetry" diff --git a/.github/workflows/mkdocs.yaml b/.github/workflows/mkdocs.yaml index c64af70e8..1b6c7d888 100644 --- a/.github/workflows/mkdocs.yaml +++ b/.github/workflows/mkdocs.yaml @@ -34,7 +34,7 @@ jobs: with: files: docs config_file: .markdownlint.yml - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 with: python-version: 3.x cache: pip diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 2bf8e961a..ef7a24768 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 id: setup-python with: python-version: '3.11' From 161e130f158c14d42fa1688beeba7f426f9969ef Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 24 Oct 2024 12:35:05 -0500 Subject: [PATCH 05/10] ci: pin a typos version to not break Avoid getting broken by pinning a version --- .github/workflows/typos.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/typos.yaml b/.github/workflows/typos.yaml index bc361ae4d..4996fdca8 100644 --- a/.github/workflows/typos.yaml +++ b/.github/workflows/typos.yaml 
@@ -15,6 +15,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Typos Spell Checker - uses: crate-ci/typos@master + uses: crate-ci/typos@v1.26.8 with: config: ./.typos.toml From 35e73932a15206207f94e5f9db45306f721e2a5f Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 24 Oct 2024 13:13:14 -0500 Subject: [PATCH 06/10] ci: add more pre-commit checks Check for bad symlinks, check yaml files, and merge conflicts. Fixed bad symlink as well. --- .pre-commit-config.yaml | 6 ++++++ workflows/argo-events/docs/README.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cc2cacb76..63bc8e140 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,11 +8,17 @@ repos: exclude: '^docs/overrides' - id: fix-byte-order-marker - id: mixed-line-ending + - id: check-merge-conflict + - id: check-yaml + args: + - --allow-multiple-documents + exclude: mkdocs.yml - id: check-yaml name: check-yaml-mkdocs # --unsafe is a workaround for the use of !! in mkdocs.yml args: [--unsafe] files: mkdocs.yml + - id: check-symlinks - repo: https://github.com/adrienverge/yamllint rev: v1.33.0 hooks: diff --git a/workflows/argo-events/docs/README.md b/workflows/argo-events/docs/README.md index 14e39e062..bb92d1639 120000 --- a/workflows/argo-events/docs/README.md +++ b/workflows/argo-events/docs/README.md @@ -1 +1 @@ -../../docs/component-understack-workflows.md \ No newline at end of file +../../../docs/component-understack-workflows.md \ No newline at end of file From e9bd499fbda7784efef580b7dd8a2ed8bb66021e Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Thu, 24 Oct 2024 13:17:30 -0500 Subject: [PATCH 07/10] ci: bump versions --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 63bc8e140..80f8269ac 100644 --- a/.pre-commit-config.yaml 
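Review bot: The new `check-yaml` entry uses `exclude: mkdocs.yml`, which pre-commit treats as a regular expression matched anywhere in the path, so it also skips any file whose name merely contains that text and the unescaped dot matches any character; `exclude: ^mkdocs\.yml$` says what is meant, and the `files: mkdocs.yml` on the mkdocs-specific hook below it has the same looseness. A short comment on the new entry, e.g. `# mkdocs.yml is handled by the --unsafe hook below`, would make the reason for two check-yaml entries obvious to the next reader.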
+++ b/.pre-commit-config.yaml @@ -34,16 +34,16 @@ repos: - schema/argo-workflows.json files: "workflows/argo-events/workflowtemplates/.*.(yml|yaml)$" - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.37.0 + rev: v0.42.0 hooks: - id: markdownlint files: '^docs/' - repo: https://github.com/crate-ci/typos - rev: v1.22.8 + rev: v1.26.8 hooks: - id: typos - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.5.4 + rev: v0.7.1 hooks: - id: ruff args: [--fix] From 74bad3aed7043423460fa206fe17609fa666719d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:27:58 +0000 Subject: [PATCH 08/10] chore(deps): pin crate-ci/typos action to 0d9e0c2 --- .github/workflows/typos.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/typos.yaml b/.github/workflows/typos.yaml index 4996fdca8..fff9aa0d1 100644 --- a/.github/workflows/typos.yaml +++ b/.github/workflows/typos.yaml @@ -15,6 +15,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Typos Spell Checker - uses: crate-ci/typos@v1.26.8 + uses: crate-ci/typos@0d9e0c2c1bd7f770f6eb90f87780848ca02fc12c # v1.26.8 with: config: ./.typos.toml From 182b99e9b76c8d46dc2c514680f6189737b30f30 Mon Sep 17 00:00:00 2001 
From: Doug Goldstein Date: Thu, 24 Oct 2024 17:52:29 -0500 Subject: [PATCH 09/10] feat: refactor cert-manager issuer for better default Default all the services to use the 'understack-cluster-issuer' which is documented as the issuer that needs to be provided to create HTTPS entries for everything. This removes the amount of configuration that needs to be done per deployment. --- apps/appsets/components.yaml | 9 ----- components/argo/ingress.yaml | 2 +- components/dex/ingress.yaml | 2 +- components/glance/aio-values.yaml | 13 ++++++++ components/horizon/aio-values.yaml | 16 +++++++++ components/ironic/aio-values.yaml | 9 +++++ components/keystone/aio-values.yaml | 13 ++++++++ components/nautobot/nautobot-values.yaml | 2 +- components/neutron/aio-values.yaml | 13 ++++++++ components/nova/aio-values.yaml | 13 ++++++++ components/openstack-secrets.tpl.yaml | 42 ------------------------ components/placement/aio-values.yaml | 13 ++++++++ scripts/gitops-secrets-gen.sh | 2 +- 13 files changed, 94 insertions(+), 55 deletions(-) diff --git a/apps/appsets/components.yaml b/apps/appsets/components.yaml index af7f5f738..9522d7b92 100644 --- a/apps/appsets/components.yaml +++ b/apps/appsets/components.yaml @@ -50,9 +50,6 @@ spec: - op: replace path: /spec/tls/0/hosts/0 value: dex.{{index .metadata.annotations "dns_zone" }} - - op: replace - path: '/metadata/annotations/cert-manager.io~1cluster-issuer' - value: 'understack-cluster-issuer' - repoURL: '{{index .metadata.annotations "uc_deploy_git_url"}}' targetRevision: '{{index .metadata.annotations "uc_deploy_ref"}}' ref: deploy @@ -85,9 +82,6 @@ spec: releaseName: nautobot valuesObject: ingress: - annotations: - cert-manager.io/cluster-issuer: 'understack-cluster-issuer' - nginx.ingress.kubernetes.io/backend-protocol: HTTPS hostname: 'nautobot.{{index .metadata.annotations "dns_zone" }}' valueFiles: - $understack/components/nautobot/nautobot-values.yaml 
@@ -158,9 +152,6 @@ spec: - op: replace path: /spec/tls/0/hosts/0 value: workflows.{{index .metadata.annotations "dns_zone" }} - - op: replace - path: '/metadata/annotations/cert-manager.io~1cluster-issuer' - value: 'understack-cluster-issuer' - component: argo-events skipComponent: '{{has "argo-events" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}' sources: diff --git a/components/argo/ingress.yaml b/components/argo/ingress.yaml index 2b97b74b7..7a395d1ce 100644 --- a/components/argo/ingress.yaml +++ b/components/argo/ingress.yaml @@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - cert-manager.io/cluster-issuer: selfsigned-cluster-issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer nginx.ingress.kubernetes.io/backend-protocol: HTTPS nginx.ingress.kubernetes.io/force-ssl-redirect: "true" name: argo-workflows diff --git a/components/dex/ingress.yaml b/components/dex/ingress.yaml index 79985e389..082da7aea 100644 --- a/components/dex/ingress.yaml +++ b/components/dex/ingress.yaml @@ -3,7 +3,7 @@ kind: Ingress metadata: name: dex annotations: - cert-manager.io/cluster-issuer: selfsigned-cluster-issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer nginx.ingress.kubernetes.io/backend-protocol: HTTP spec: ingressClassName: nginx diff --git a/components/glance/aio-values.yaml b/components/glance/aio-values.yaml index 6cd524d8b..c5d585267 100644 --- a/components/glance/aio-values.yaml +++ b/components/glance/aio-values.yaml 
@@ -17,12 +17,25 @@ endpoints: public: 443 scheme: public: https + host_fqdn_override: + public: + tls: + secretName: glance-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer network: # configure OpenStack Helm to use Undercloud's ingress # instead of expecting the ingress controller provided # by OpenStack Helm use_external_ingress_controller: true + api: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer # Glance storage backend # we'll switch to radosgw in the future diff --git a/components/horizon/aio-values.yaml b/components/horizon/aio-values.yaml index ac9169927..28a0c3f99 100644 --- a/components/horizon/aio-values.yaml +++ b/components/horizon/aio-values.yaml @@ -14,11 +14,27 @@ conf: allowed_hosts: - '*' +endpoints: + dashboard: + host_fqdn_override: + public: + tls: + secretName: keystone-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer + network: # configure OpenStack Helm to use Undercloud's ingress # instead of expecting the ingress controller provided # by OpenStack Helm use_external_ingress_controller: true + dashboard: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer # (nicholas.kuechler) updating the jobs list to remove the 'horizon-db-init' job. dependencies: diff --git a/components/ironic/aio-values.yaml b/components/ironic/aio-values.yaml index e3b89753f..d8859cef7 100644 --- a/components/ironic/aio-values.yaml +++ b/components/ironic/aio-values.yaml @@ -82,6 +82,13 @@ endpoints: public: 443 scheme: public: https + host_fqdn_override: + public: + tls: + secretName: ironic-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer network: api: 
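Review bot: The horizon dashboard endpoint is given `secretName: keystone-tls-public`, which looks like a copy-paste slip: the block removed from openstack-secrets.tpl.yaml later in this commit used `horizon-tls-public` for the dashboard, and the removed comment there said the name must match the top-level `secrets` key; if the two Ingresses live in the same namespace, two of them requesting the same Secret from cert-manager will produce conflicting Certificate objects and whichever wins serves a certificate for the other host name. Change it to `secretName: horizon-tls-public` and confirm the `secrets` key in the template still names each of the seven `<service>-tls-public` Secrets now spread across the aio-values files. Since the identical `tls`/`issuerRef` block is repeated for glance, ironic, keystone, neutron, nova and placement, a comment above each such as `# secretName must match the 'secrets' key in components/openstack-secrets.tpl.yaml` would preserve the cross-reference the removed comments carried.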
@@ -92,6 +99,8 @@ network: cluster: "nginx-openstack" annotations: nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer external_policy_local: false node_port: enabled: false diff --git a/components/keystone/aio-values.yaml b/components/keystone/aio-values.yaml index c19ee7558..c2c92998b 100644 --- a/components/keystone/aio-values.yaml +++ b/components/keystone/aio-values.yaml @@ -98,6 +98,12 @@ network: # instead of expecting the ingress controller provided # by OpenStack Helm use_external_ingress_controller: true + api: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer dependencies: static: @@ -317,6 +323,13 @@ endpoints: port: api: public: 443 + host_fqdn_override: + public: + tls: + secretName: keystone-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer manifests: job_credential_cleanup: false diff --git a/components/nautobot/nautobot-values.yaml b/components/nautobot/nautobot-values.yaml index 83198e78b..e6763c081 100644 --- a/components/nautobot/nautobot-values.yaml +++ b/components/nautobot/nautobot-values.yaml @@ -66,5 +66,5 @@ ingress: tls: true secretName: "nautobot-ingress-tls" annotations: - cert-manager.io/cluster-issuer: selfsigned-cluster-issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer nginx.ingress.kubernetes.io/backend-protocol: HTTPS diff --git a/components/neutron/aio-values.yaml b/components/neutron/aio-values.yaml index 2c87b0fa6..414c573e4 100644 --- a/components/neutron/aio-values.yaml +++ b/components/neutron/aio-values.yaml @@ -17,6 +17,13 @@ endpoints: public: 443 scheme: public: https + host_fqdn_override: + public: + tls: + secretName: neutron-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer network: 
@@ -28,6 +35,12 @@ network: # instead of expecting the ingress controller provided # by OpenStack Helm use_external_ingress_controller: true + server: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer conf: plugins: diff --git a/components/nova/aio-values.yaml b/components/nova/aio-values.yaml index ee1e8c9d0..5bff4716d 100644 --- a/components/nova/aio-values.yaml +++ b/components/nova/aio-values.yaml @@ -24,6 +24,13 @@ endpoints: public: 443 scheme: public: https + host_fqdn_override: + public: + tls: + secretName: nova-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer network: # we're using ironic and actual switches @@ -34,6 +41,12 @@ network: # instead of expecting the ingress controller provided # by OpenStack Helm use_external_ingress_controller: true + osapi: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer conf: ceph: diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml index e4300412c..c48864121 100644 --- a/components/openstack-secrets.tpl.yaml +++ b/components/openstack-secrets.tpl.yaml @@ -33,12 +33,6 @@ endpoints: host_fqdn_override: public: host: keystone.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: keystone-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # 'oslo_cache' is the memcache layer oslo_cache: @@ -108,12 +102,6 @@ endpoints: host_fqdn_override: public: host: ironic.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: ironic-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # 'image' is the glance service image: 
@@ -121,12 +109,6 @@ endpoints: host_fqdn_override: public: host: glance.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: glance-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # 'network' is the neutron service network: @@ -134,12 +116,6 @@ endpoints: host_fqdn_override: public: host: neutron.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: neutron-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # 'compute' is the nova service compute: @@ -147,12 +123,6 @@ endpoints: host_fqdn_override: public: host: nova.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: nova-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # 'placement' is the nova service placement: @@ -160,12 +130,6 @@ endpoints: host_fqdn_override: public: host: placement.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: placement-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # 'dashboard' is the horizon service dashboard: @@ -173,12 +137,6 @@ endpoints: host_fqdn_override: public: host: horizon.${DNS_ZONE} - tls: - # must match the value in the top level 'secrets' key for the public endpoint - secretName: horizon-tls-public - issuerRef: - name: understack-cluster-issuer - kind: ClusterIssuer # necessary cause the ingress definition in openstack-helm-infra helm-toolkit hardcodes this secrets: diff --git a/components/placement/aio-values.yaml b/components/placement/aio-values.yaml index a634bcbfb..5087ac453 100644 --- a/components/placement/aio-values.yaml +++ b/components/placement/aio-values.yaml 
@@ -6,6 +6,12 @@ network: # instead of expecting the ingress controller provided # by OpenStack Helm use_external_ingress_controller: true + api: + ingress: + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + # set our default issuer + cert-manager.io/cluster-issuer: understack-cluster-issuer # (nicholas.kuechler) updating the jobs list to remove the 'placement-db-init' job. dependencies: @@ -63,3 +69,10 @@ endpoints: port: api: public: 443 + host_fqdn_override: + public: + tls: + secretName: placement-tls-public + issuerRef: + name: understack-cluster-issuer + kind: ClusterIssuer diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh index ccd05ed09..9902ff6c3 100755 --- a/scripts/gitops-secrets-gen.sh +++ b/scripts/gitops-secrets-gen.sh @@ -144,7 +144,7 @@ if [ ! -f "${DEST_DIR}/cert-manager/cluster-issuer.yaml" ]; then apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: ${DEPLOY_NAME}-cluster-issuer + name: understack-cluster-issuer annotations: argocd.argoproj.io/sync-wave: "5" spec: From 1947fe79f3766f889ff61d4d98ba165f37d90873 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 13:02:53 +0000 Subject: [PATCH 10/10] fix(deps): update dependency sushy to v5.3.0 --- python/understack-workflows/poetry.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python/understack-workflows/poetry.lock b/python/understack-workflows/poetry.lock index b39dec026..7c08e29fa 100644 --- a/python/understack-workflows/poetry.lock +++ b/python/understack-workflows/poetry.lock 
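Review bot: Renaming the generated ClusterIssuer to the fixed `understack-cluster-issuer` only takes effect for fresh deployments, because the surrounding `if [ ! -f "${DEST_DIR}/cert-manager/cluster-issuer.yaml" ]` guard (which begins before this hunk) skips regeneration when the file already exists; an existing deploy repo keeps its `${DEPLOY_NAME}-cluster-issuer` while every Ingress annotation and `issuerRef` in this commit now points at a name that does not exist, so cert-manager issues nothing and the https endpoints introduced in PATCH 02 go unserved. Either detect the old name in the existing file and rewrite it, or document the manual rename as a migration step in the commit message. A ClusterIssuer is cluster-scoped, so the fixed name also means two deployments sharing one cluster would contend for the same object, which the previous `${DEPLOY_NAME}` prefix avoided. If one deployment per cluster is the intended constraint, a comment at the resource such as `# assumes a single understack deployment per cluster` would record it.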
@@ -1538,17 +1538,17 @@ pbr = ">=2.0.0,<2.1.0 || >2.1.0" [[package]] name = "sushy" -version = "5.2.0" +version = "5.3.0" description = "Sushy is a small Python library to communicate with Redfish based systems" optional = false python-versions = ">=3.8" files = [ - {file = "sushy-5.2.0-py3-none-any.whl", hash = "sha256:503896341615761d81cd95dd5281ee4c8c02932c5048332d0000d2460209b8a0"}, - {file = "sushy-5.2.0.tar.gz", hash = "sha256:d90a696fef42c522892179138f4ceae347d11676efdbe18fdeda0cf81154c1e4"}, + {file = "sushy-5.3.0-py3-none-any.whl", hash = "sha256:4b02d98cef30c9842e024ca42ca0894af07e5fab5ec95b1f734b3e302aca8339"}, + {file = "sushy-5.3.0.tar.gz", hash = "sha256:8785c4febf227b002750f316e856f31e894448fdbda816658aba201983f37e82"}, ] [package.dependencies] -pbr = ">=2.0.0,<2.1.0 || >2.1.0" +pbr = ">=6.0.0" python-dateutil = ">=2.7.0" requests = ">=2.14.2" stevedore = ">=1.29.0"