diff --git a/devstack/lib/keystone b/devstack/lib/keystone
index 6882bc40..ee551313 100644
--- a/devstack/lib/keystone
+++ b/devstack/lib/keystone
@@ -38,8 +38,8 @@ export -f init_keystone
 function start_keystone {
 # rollout keystone
- kubernetes_rollout_restart deploy/keystone
- kubernetes_rollout_status deploy/keystone
+ kubernetes_rollout_restart daemonset/keystone
+ kubernetes_rollout_status daemonset/keystone
 # Get right service port for testing
 local service_port=$KEYSTONE_SERVICE_PORT
diff --git a/images/keystone/Dockerfile b/images/keystone/Dockerfile
index c7f061c1..6e0b2163 100644
--- a/images/keystone/Dockerfile
+++ b/images/keystone/Dockerfile
@@ -30,3 +30,4 @@ RUN apt update && apt -y install git && \
 EXPOSE 5000
 ENV UWSGI_HTTP_SOCKET=:5000 \
 UWSGI_WSGI_FILE=/usr/local/bin/keystone-wsgi-public
+CMD ["/usr/local/bin/uwsgi","--ini","/etc/uwsgi/uwsgi.ini"]
diff --git a/openstack_operator/keystone.py b/openstack_operator/keystone.py
index 3bc44cfc..aba222c6 100644
--- a/openstack_operator/keystone.py
+++ b/openstack_operator/keystone.py
@@ -72,7 +72,7 @@ def create_or_rotate_fernet_repository(name):
 keys=keys, adopt=True)
-@kopf.timer('apps', 'v1', 'deployments',
+@kopf.timer('apps', 'v1', 'daemonsets',
 when=kopf.all_([filters.managed, _is_keystone_deployment]),
 interval=FERNET_ROTATION_INTERVAL)
 def create_or_rotate_fernet(**_):
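Review bot: The new `CMD` points uwsgi at `/etc/uwsgi/uwsgi.ini`, but nothing in the image build produces that file; it only exists at runtime because the operator mounts the `uwsgi-default` ConfigMap at `/etc/uwsgi`, so the image cannot start on its own and a missing or renamed ConfigMap key fails the container at boot rather than at build. A one-line comment above the CMD would make that coupling explicit: `# uwsgi.ini is not baked in; the operator mounts it from the uwsgi-default ConfigMap at /etc/uwsgi`. The rest of the Dockerfile is outside the hunk.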
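Review bot: The timer now listens on `daemonsets` but still filters with `_is_keystone_deployment`, which is defined outside the hunk; if that predicate checks anything Deployment-specific, no DaemonSet will ever match and `create_or_rotate_fernet` silently never fires, so fernet keys stop rotating with no error surfacing anywhere. Worth confirming the predicate against a DaemonSet object, renaming it to something kind-agnostic (or `_is_keystone_daemonset`) so a future mismatch is visible, and logging each rotation run so an absent rotation is noticeable in the operator logs. The decorated function's body continues outside the hunk.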
@@ -107,22 +107,31 @@ def create_or_resume(name, spec, **_):
 region_name=region_name, username=username) # (TODO)Replace the current admin url
- utils.create_or_update('keystone/deployment.yml.j2',
+ utils.create_or_update('keystone/daemonset.yml.j2',
 name=name, spec=spec, config_hash=config_hash)
 utils.create_or_update('keystone/service.yml.j2', name=name, spec=spec)
- utils.create_or_update('keystone/horizontalpodautoscaler.yml.j2',
- name=name)
 if "ingress" in spec: utils.create_or_update('keystone/ingress.yml.j2', spec=spec)
+ # NOTE(Alex): We should remove this once all deployments are no longer
+ # using Deployment.
+ utils.ensure_absent('keystone/deployment.yml.j2',
+ name=name, spec=spec,
+ config_hash=config_hash)
+
+ # NOTE(Alex): We should remove this once all deployments are no longer
+ # using HPA.
+ utils.create_or_update('keystone/horizontalpodautoscaler.yml.j2',
+ name=name)
+
 def update(spec, **_):
 """Update a keystone
- This function updates the deployment for horizon if there are any
+ This function updates the deployment for keystone if there are any
 changes that happen within it.
 """
 if "ingress" in spec:
diff --git a/openstack_operator/templates/keystone/daemonset.yml.j2 b/openstack_operator/templates/keystone/daemonset.yml.j2
new file mode 100644
index 00000000..9254e3a0
--- /dev/null
+++ b/openstack_operator/templates/keystone/daemonset.yml.j2
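Review bot: The HPA block at the end of the hunk is annotated as something to remove "once all deployments are no longer using HPA", yet it still calls `utils.create_or_update`, so every reconcile keeps (re)creating an autoscaler whose target is presumably the Deployment that the `ensure_absent` call just above deletes; if the intent mirrors the Deployment cleanup it should read `utils.ensure_absent('keystone/horizontalpodautoscaler.yml.j2', name=name)`. Separately, the Deployment is removed on the same reconcile that first creates the DaemonSet, before any DaemonSet pod is known to be ready, so applying this to a live cluster can leave keystone with no serving pods until the DaemonSet rollout completes; gating the `ensure_absent` on observed DaemonSet readiness, or at least documenting the expected outage window in the NOTE, would help. `create_or_resume` starts outside the hunk.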
@@ -0,0 +1,165 @@ +--- +# Copyright 2020 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: keystone + namespace: openstack + labels: + {{ labels("keystone", name) | indent(4) }} +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + {{ labels("keystone", name) | indent(6) }} + template: + metadata: + labels: + {{ labels("keystone", name) | indent(8) }} + annotations: + checksum/config: "{{ config_hash }}" + spec: + initContainers: + - name: db-sync + image: vexxhost/keystone:latest + imagePullPolicy: Always + command: + - keystone-manage + - db_sync + volumeMounts: + - mountPath: /etc/keystone + name: config + - name: bootstrap + image: vexxhost/keystone:latest + imagePullPolicy: Always + env: + - name: OS_BOOTSTRAP_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: keystone-init + - name: OS_BOOTSTRAP_REGION_ID + valueFrom: + secretKeyRef: + key: region_name + name: keystone-init + - name: OS_BOOTSTRAP_ADMIN_URL + valueFrom: + secretKeyRef: + key: auth_url + name: keystone-init + - name: OS_BOOTSTRAP_PUBLIC_URL + valueFrom: + secretKeyRef: + key: auth_url + name: keystone-init + - name: OS_BOOTSTRAP_USERNAME + valueFrom: + secretKeyRef: + key: username + name: keystone-init + - name: OS_BOOTSTRAP_PROJECT_NAME + valueFrom: + secretKeyRef: + key: project_name + name: keystone-init + - name: OS_BOOTSTRAP_SERVICE_NAME + value: 
keystone + - name: OS_BOOTSTRAP_INTERNAL_URL + value: http://keystone.openstack.svc.cluster.local + command: + - keystone-manage + - bootstrap + volumeMounts: + - mountPath: /etc/keystone + name: config + - name: fernet-keys + mountPath: /etc/keystone/fernet-keys + - name: credential-keys + mountPath: /etc/keystone/credential-keys + - name: uwsgi-config + mountPath: /etc/uwsgi + containers: + - name: keystone + image: vexxhost/keystone:latest + imagePullPolicy: Always + env: + {% for v in env %} + - name: "{{ v.name }}" + value: "{{ v.value }}" + {% endfor %} + ports: + - name: keystone + protocol: TCP + containerPort: 5000 + livenessProbe: + httpGet: + path: /v3 + port: keystone + readinessProbe: + httpGet: + path: /v3 + port: keystone + lifecycle: + preStop: + exec: + command: ["/bin/sleep", "5"] + resources: + requests: + cpu: 200m + ephemeral-storage: 500M + memory: 512M + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + volumeMounts: + - mountPath: /etc/keystone/ + name: config + - name: fernet-keys + mountPath: /etc/keystone/fernet-keys + - name: credential-keys + mountPath: /etc/keystone/credential-keys + - name: uwsgi-config + mountPath: /etc/uwsgi + volumes: + - name: config + secret: + secretName: keystone-config + - name: fernet-keys + secret: + secretName: keystone-fernet + - name: credential-keys + secret: + secretName: keystone-credential + - name: uwsgi-config + configMap: + defaultMode: 420 + name: uwsgi-default +{% if 'nodeSelector' in spec %} + nodeSelector: + {{ spec.nodeSelector | to_yaml | indent(8) }} +{% endif %} +{% if 'tolerations' in spec %} + tolerations: + {{ spec.tolerations | to_yaml | indent(8) }} +{% endif %} +{% if 'hostAliases' in spec %} + hostAliases: + {{ spec.hostAliases | to_yaml | indent(8) }} +{% endif %} \ No newline at end of file diff --git a/openstack_operator/templates/operator/uwsgidefaultconfig.yml.j2 b/openstack_operator/templates/operator/uwsgidefaultconfig.yml.j2 index 5fc18eeb..4e5a3c4b 100644 
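Review bot: Both init containers (`db-sync` and `bootstrap`) run inside every pod of the DaemonSet, i.e. once per eligible node and again on every rollout, so `keystone-manage db_sync` executes concurrently against the same database from N nodes with no coordination, and `keystone-manage bootstrap` re-applies the admin credentials from the `keystone-init` secret on every node; under the previous Deployment the replica count bounded that. Racing schema migrations is the concrete risk here, and a single Job (or an operator-driven step) for `db_sync`/`bootstrap` with plain serving pods in the DaemonSet would avoid it. Also, `securityContext` (`runAsUser`/`runAsGroup` 65534) is set only on the `keystone` container; the two init containers, which are the ones holding `OS_BOOTSTRAP_PASSWORD`, fall back to the image's default user, so the same `securityContext: {runAsUser: 65534, runAsGroup: 65534}` belongs on each of them as well. The hunk is split across two lines of SOURCE with its indentation collapsed, so nesting could not be verified from here.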
--- a/openstack_operator/templates/operator/uwsgidefaultconfig.yml.j2
+++ b/openstack_operator/templates/operator/uwsgidefaultconfig.yml.j2
@@ -4,19 +4,19 @@ metadata:
 name: uwsgi-default
 namespace: openstack
 data:
- uwsgi.yaml: |
- uwsgi:
- enable-threads: True
- processes: '%k'
- exit-on-reload: True
- die-on-term: True
- lazy-apps: True
- add-header: 'Connection: close'
- buffer-size: 65535
- thunder-lock: True
- http-auto-chunked: True
- http-raw-body: True
- socket-timeout: 10
- need-app: True
- route-user-agent: '^kube-probe.* donotlog:'
- log-x-forwarded-for: True
+ uwsgi.ini: |-
+ [uwsgi]
+ enable-threads = true
+ workers = %(%k * 1)
+ exit-on-reload = true
+ die-on-term = true
+ lazy-apps = true
+ add-header = 'Connection: close'
+ buffer-size = 65535
+ thunder-lock = true
+ http-auto-chunked = true
+ http-raw-body = true
+ socket-timeout = 10
+ need-app = true
+ route-user-agent = '^kube-probe.* donotlog:'
+ log-x-forwarded-for = true
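Review bot: The single quotes survive the YAML-to-ini move verbatim in `add-header = 'Connection: close'` and `route-user-agent = '^kube-probe.* donotlog:'`; under the old YAML loader they were quoting syntax and were stripped, whereas uwsgi's ini reader, as far as I know, keeps them as part of the value (verify against the uwsgi version in the image). If so, the response header is emitted with literal quotes and the `^kube-probe` regex no longer matches, so every liveness/readiness probe starts landing in the access log and the donotlog intent is lost. Dropping the quotes, `add-header = Connection: close` and `route-user-agent = ^kube-probe.* donotlog:`, reproduces what the YAML form produced. `workers = %(%k * 1)` also replaces the earlier `processes: '%k'` with placeholder arithmetic wrapped around a magic variable; unless that form is known to resolve in this uwsgi version, `workers = %k` is the direct equivalent.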