Merge "Use daemonset instead of hpa+deployment for keystone"

devstack/lib/keystone

@@ -38,8 +38,8 @@ export -f init_keystone
 function start_keystone {
 
 	# rollout keystone
-	kubernetes_rollout_restart deploy/keystone
+	kubernetes_rollout_restart daemonset/keystone
-	kubernetes_rollout_status deploy/keystone
+	kubernetes_rollout_status daemonset/keystone
 
 	# Get right service port for testing
 	local service_port=$KEYSTONE_SERVICE_PORT

images/keystone/Dockerfile

@@ -30,3 +30,4 @@ RUN apt update && apt -y install git && \
 EXPOSE 5000
 ENV UWSGI_HTTP_SOCKET=:5000 \
     UWSGI_WSGI_FILE=/usr/local/bin/keystone-wsgi-public
+CMD ["/usr/local/bin/uwsgi","--ini","/etc/uwsgi/uwsgi.ini"]

openstack_operator/keystone.py

@@ -72,7 +72,7 @@ def create_or_rotate_fernet_repository(name):
                            keys=keys, adopt=True)
 
 
-@kopf.timer('apps', 'v1', 'deployments',
+@kopf.timer('apps', 'v1', 'daemonsets',
             when=kopf.all_([filters.managed, _is_keystone_deployment]),
             interval=FERNET_ROTATION_INTERVAL)
 def create_or_rotate_fernet(**_):
@@ -107,22 +107,31 @@ def create_or_resume(name, spec, **_):
                            region_name=region_name,
                            username=username)
     # (TODO)Replace the current admin url
-    utils.create_or_update('keystone/deployment.yml.j2',
+    utils.create_or_update('keystone/daemonset.yml.j2',
                            name=name, spec=spec,
                            config_hash=config_hash)
     utils.create_or_update('keystone/service.yml.j2',
                            name=name, spec=spec)
-    utils.create_or_update('keystone/horizontalpodautoscaler.yml.j2',
-                           name=name)
     if "ingress" in spec:
         utils.create_or_update('keystone/ingress.yml.j2',
                                spec=spec)
 
+    # NOTE(Alex): We should remove this once all deployments are no longer
+    #               using Deployment.
+    utils.ensure_absent('keystone/deployment.yml.j2',
+                        name=name, spec=spec,
+                        config_hash=config_hash)
+
+    # NOTE(Alex): We should remove this once all deployments are no longer
+    #               using HPA.
+    utils.create_or_update('keystone/horizontalpodautoscaler.yml.j2',
+                           name=name)
+
 
 def update(spec, **_):
     """Update a keystone
 
-    This function updates the deployment for horizon if there are any
+    This function updates the deployment for keystone if there are any
     changes that happen within it.
     """
     if "ingress" in spec:

openstack_operator/templates/keystone/daemonset.yml.j2

@@ -0,0 +1,165 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: keystone
+  namespace: openstack
+  labels:
+    {{ labels("keystone", name) | indent(4) }}
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{ labels("keystone", name) | indent(6) }}
+  template:
+    metadata:
+      labels:
+        {{ labels("keystone", name) | indent(8) }}
+      annotations:
+        checksum/config: "{{ config_hash }}"
+    spec:
+      initContainers:
+      - name: db-sync
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        command:
+        - keystone-manage
+        - db_sync
+        volumeMounts:
+        - mountPath: /etc/keystone
+          name: config
+      - name: bootstrap
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        env:
+        - name: OS_BOOTSTRAP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: keystone-init
+        - name: OS_BOOTSTRAP_REGION_ID
+          valueFrom:
+            secretKeyRef:
+              key: region_name
+              name: keystone-init
+        - name: OS_BOOTSTRAP_ADMIN_URL
+          valueFrom:
+            secretKeyRef:
+              key: auth_url
+              name: keystone-init
+        - name: OS_BOOTSTRAP_PUBLIC_URL
+          valueFrom:
+            secretKeyRef:
+              key: auth_url
+              name: keystone-init
+        - name: OS_BOOTSTRAP_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: keystone-init
+        - name: OS_BOOTSTRAP_PROJECT_NAME
+          valueFrom:
+            secretKeyRef:
+              key: project_name
+              name: keystone-init
+        - name: OS_BOOTSTRAP_SERVICE_NAME
+          value: keystone
+        - name: OS_BOOTSTRAP_INTERNAL_URL
+          value: http://keystone.openstack.svc.cluster.local
+        command:
+        - keystone-manage
+        - bootstrap
+        volumeMounts:
+        - mountPath: /etc/keystone
+          name: config
+        - name: fernet-keys
+          mountPath: /etc/keystone/fernet-keys
+        - name: credential-keys
+          mountPath: /etc/keystone/credential-keys
+        - name: uwsgi-config
+          mountPath: /etc/uwsgi
+      containers:
+      - name: keystone
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        env:
+        {% for v in env %}
+        - name: "{{ v.name }}"
+          value: "{{ v.value }}"
+        {% endfor %}
+        ports:
+        - name: keystone
+          protocol: TCP
+          containerPort: 5000
+        livenessProbe:
+          httpGet:
+            path: /v3
+            port: keystone
+        readinessProbe:
+          httpGet:
+            path: /v3
+            port: keystone
+        lifecycle:
+          preStop:
+            exec:
+              command: ["/bin/sleep", "5"]
+        resources:
+          requests:
+            cpu: 200m
+            ephemeral-storage: 500M
+            memory: 512M
+        securityContext:
+          runAsUser: 65534
+          runAsGroup: 65534
+        volumeMounts:
+        - mountPath: /etc/keystone/
+          name: config
+        - name: fernet-keys
+          mountPath: /etc/keystone/fernet-keys
+        - name: credential-keys
+          mountPath: /etc/keystone/credential-keys
+        - name: uwsgi-config
+          mountPath: /etc/uwsgi
+      volumes:
+      - name: config
+        secret:
+          secretName: keystone-config
+      - name: fernet-keys
+        secret:
+          secretName: keystone-fernet
+      - name: credential-keys
+        secret:
+          secretName: keystone-credential
+      - name: uwsgi-config
+        configMap:
+          defaultMode: 420
+          name: uwsgi-default
+{% if 'nodeSelector' in spec %}
+      nodeSelector:
+        {{ spec.nodeSelector | to_yaml | indent(8) }}
+{% endif %}
+{% if 'tolerations' in spec %}
+      tolerations:
+        {{ spec.tolerations | to_yaml | indent(8) }}
+{% endif %}
+{% if 'hostAliases' in spec %}
+      hostAliases:
+        {{ spec.hostAliases | to_yaml | indent(8) }}
+{% endif %}