Use daemonset instead of hpa+deployment for keystone

- remove hpa - use daemonset - ensure absent of older deployments - remove resource limit Change-Id: I581182af2a5a67dfe112c7b10abc65247b77276b
2020-07-07 17:09:00 +03:00 · 2020-07-07 17:09:00 +03:00 · 720e8dcf58
commit 720e8dcf58
parent d0928ca4df
5 changed files with 198 additions and 23 deletions
--- a/devstack/lib/keystone
+++ b/devstack/lib/keystone
@ -38,8 +38,8 @@ export -f init_keystone
 function start_keystone {

 	# rollout keystone
-	kubernetes_rollout_restart deploy/keystone
-	kubernetes_rollout_status deploy/keystone
+	kubernetes_rollout_restart daemonset/keystone
+	kubernetes_rollout_status daemonset/keystone

 	# Get right service port for testing
 	local service_port=$KEYSTONE_SERVICE_PORT
--- a/images/keystone/Dockerfile
+++ b/images/keystone/Dockerfile
@ -30,3 +30,4 @@ RUN apt update && apt -y install git && \
 EXPOSE 5000
 ENV UWSGI_HTTP_SOCKET=:5000 \
    UWSGI_WSGI_FILE=/usr/local/bin/keystone-wsgi-public
+CMD ["/usr/local/bin/uwsgi","--ini","/etc/uwsgi/uwsgi.ini"]
--- a/openstack_operator/keystone.py
+++ b/openstack_operator/keystone.py
@ -72,7 +72,7 @@ def create_or_rotate_fernet_repository(name):
                           keys=keys, adopt=True)


-@kopf.timer('apps', 'v1', 'deployments',
+@kopf.timer('apps', 'v1', 'daemonsets',
            when=kopf.all_([filters.managed, _is_keystone_deployment]),
            interval=FERNET_ROTATION_INTERVAL)
 def create_or_rotate_fernet(**_):
@ -107,22 +107,31 @@ def create_or_resume(name, spec, **_):
                           region_name=region_name,
                           username=username)
    # (TODO)Replace the current admin url
-    utils.create_or_update('keystone/deployment.yml.j2',
+    utils.create_or_update('keystone/daemonset.yml.j2',
                           name=name, spec=spec,
                           config_hash=config_hash)
    utils.create_or_update('keystone/service.yml.j2',
                           name=name, spec=spec)
-    utils.create_or_update('keystone/horizontalpodautoscaler.yml.j2',
-                           name=name)
    if "ingress" in spec:
        utils.create_or_update('keystone/ingress.yml.j2',
                               spec=spec)

+    # NOTE(Alex): We should remove this once all deployments are no longer
+    #               using Deployment.
+    utils.ensure_absent('keystone/deployment.yml.j2',
+                        name=name, spec=spec,
+                        config_hash=config_hash)
+
+    # NOTE(Alex): We should remove this once all deployments are no longer
+    #               using HPA.
+    utils.create_or_update('keystone/horizontalpodautoscaler.yml.j2',
+                           name=name)
+

 def update(spec, **_):
    """Update a keystone

-    This function updates the deployment for horizon if there are any
+    This function updates the deployment for keystone if there are any
    changes that happen within it.
    """
    if "ingress" in spec:
--- a/openstack_operator/templates/keystone/daemonset.yml.j2
+++ b/openstack_operator/templates/keystone/daemonset.yml.j2
@ -0,0 +1,165 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: keystone
+  namespace: openstack
+  labels:
+    {{ labels("keystone", name) | indent(4) }}
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{ labels("keystone", name) | indent(6) }}
+  template:
+    metadata:
+      labels:
+        {{ labels("keystone", name) | indent(8) }}
+      annotations:
+        checksum/config: "{{ config_hash }}"
+    spec:
+      initContainers:
+      - name: db-sync
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        command:
+        - keystone-manage
+        - db_sync
+        volumeMounts:
+        - mountPath: /etc/keystone
+          name: config
+      - name: bootstrap
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        env:
+        - name: OS_BOOTSTRAP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: keystone-init
+        - name: OS_BOOTSTRAP_REGION_ID
+          valueFrom:
+            secretKeyRef:
+              key: region_name
+              name: keystone-init
+        - name: OS_BOOTSTRAP_ADMIN_URL
+          valueFrom:
+            secretKeyRef:
+              key: auth_url
+              name: keystone-init
+        - name: OS_BOOTSTRAP_PUBLIC_URL
+          valueFrom:
+            secretKeyRef:
+              key: auth_url
+              name: keystone-init
+        - name: OS_BOOTSTRAP_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: keystone-init
+        - name: OS_BOOTSTRAP_PROJECT_NAME
+          valueFrom:
+            secretKeyRef:
+              key: project_name
+              name: keystone-init
+        - name: OS_BOOTSTRAP_SERVICE_NAME
+          value: keystone
+        - name: OS_BOOTSTRAP_INTERNAL_URL
+          value: http://keystone.openstack.svc.cluster.local
+        command:
+        - keystone-manage
+        - bootstrap
+        volumeMounts:
+        - mountPath: /etc/keystone
+          name: config
+        - name: fernet-keys
+          mountPath: /etc/keystone/fernet-keys
+        - name: credential-keys
+          mountPath: /etc/keystone/credential-keys
+        - name: uwsgi-config
+          mountPath: /etc/uwsgi
+      containers:
+      - name: keystone
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        env:
+        {% for v in env %}
+        - name: "{{ v.name }}"
+          value: "{{ v.value }}"
+        {% endfor %}
+        ports:
+        - name: keystone
+          protocol: TCP
+          containerPort: 5000
+        livenessProbe:
+          httpGet:
+            path: /v3
+            port: keystone
+        readinessProbe:
+          httpGet:
+            path: /v3
+            port: keystone
+        lifecycle:
+          preStop:
+            exec:
+              command: ["/bin/sleep", "5"]
+        resources:
+          requests:
+            cpu: 200m
+            ephemeral-storage: 500M
+            memory: 512M
+        securityContext:
+          runAsUser: 65534
+          runAsGroup: 65534
+        volumeMounts:
+        - mountPath: /etc/keystone/
+          name: config
+        - name: fernet-keys
+          mountPath: /etc/keystone/fernet-keys
+        - name: credential-keys
+          mountPath: /etc/keystone/credential-keys
+        - name: uwsgi-config
+          mountPath: /etc/uwsgi
+      volumes:
+      - name: config
+        secret:
+          secretName: keystone-config
+      - name: fernet-keys
+        secret:
+          secretName: keystone-fernet
+      - name: credential-keys
+        secret:
+          secretName: keystone-credential
+      - name: uwsgi-config
+        configMap:
+          defaultMode: 420
+          name: uwsgi-default
+{% if 'nodeSelector' in spec %}
+      nodeSelector:
+        {{ spec.nodeSelector | to_yaml | indent(8) }}
+{% endif %}
+{% if 'tolerations' in spec %}
+      tolerations:
+        {{ spec.tolerations | to_yaml | indent(8) }}
+{% endif %}
+{% if 'hostAliases' in spec %}
+      hostAliases:
+        {{ spec.hostAliases | to_yaml | indent(8) }}
+{% endif %}
--- a/openstack_operator/templates/operator/uwsgidefaultconfig.yml.j2
+++ b/openstack_operator/templates/operator/uwsgidefaultconfig.yml.j2
@ -4,19 +4,19 @@ metadata:
  name: uwsgi-default
  namespace: openstack
 data:
-  uwsgi.yaml: |
-    uwsgi:
-      enable-threads: True
-      processes: '%k'
-      exit-on-reload: True
-      die-on-term: True
-      lazy-apps: True
-      add-header: 'Connection: close'
-      buffer-size: 65535
-      thunder-lock: True
-      http-auto-chunked: True
-      http-raw-body: True
-      socket-timeout: 10
-      need-app: True
-      route-user-agent: '^kube-probe.* donotlog:'
-      log-x-forwarded-for: True
+  uwsgi.ini: |-
+    [uwsgi]
+    enable-threads = true
+    workers = %(%k * 1)
+    exit-on-reload = true
+    die-on-term = true
+    lazy-apps = true
+    add-header = 'Connection: close'
+    buffer-size = 65535
+    thunder-lock = true
+    http-auto-chunked = true
+    http-raw-body = true
+    socket-timeout = 10
+    need-app = true
+    route-user-agent = '^kube-probe.* donotlog:'
+    log-x-forwarded-for = true