Consolidate IRIS and stackhpc branches #160

Open
wants to merge 6 commits into
base: stackhpc/victoria

@jovial jovial commented Jul 14, 2021

The hope is that we can use a common branch for all deployments. I'm hoping that if we use feature flags for new functionality then we won't need to maintain separate branches.

Depends-on: stackhpc/kolla#80

@jovial
Author

jovial commented Jul 14, 2021

Looking at diff, the prometheus change to v2 looks to be a breaking one. I should hide that behind a feature flag.

@jovial jovial changed the title Consolidate IRIS and stackhpc branches WIP: Consolidate IRIS and stackhpc branches Jul 14, 2021
@cityofships
Member

Prometheus v2 support already landed in Victoria branch: 9ed79e8

Not controlled via flag, support for v1 is/should be abandoned?

@jovial
Author

jovial commented Jul 14, 2021

> Prometheus v2 support already landed in Victoria branch: 9ed79e8
>
> Not controlled via flag, support for v1 is/should be abandoned?

Thanks, I'll drop those patches then :)

@jovial
Author

jovial commented Jul 14, 2021

Can also drop the libvirt exporter stuff once we get #156 merged.

@jovial jovial force-pushed the cumulus/victoria branch from 267b7fc to aeb41e9 Compare July 14, 2021 12:50
@jovial
Author

jovial commented Jul 14, 2021

> > Prometheus v2 support already landed in Victoria branch: 9ed79e8
> > Not controlled via flag, support for v1 is/should be abandoned?
>
> Thanks, I'll drop those patches then :)

I've force pushed with the Prometheus patches removed.

dougszumski and others added 6 commits February 1, 2022 10:11

cASO is an OpenStack accounting extractor. For more detail see:
https://github.com/IFCA/caso

By default, cASO is configured to output to Fluentd via TCP. The
accounting information can then be shipped off to ElasticSearch.

(cherry picked from commit d8ab00f)

Add support for deploying the Kolla Prometheus libvirt exporter
image to facilitate gathering metrics from the Nova libvirt service.

Partially-Implements: blueprint libvirt-exporter
(cherry picked from commit edcd41a)
(cherry picked from commit ab84608)

Change-Id: Ife0a9ac6e4f03802543d0812d552c30ddb982b9e
(cherry picked from commit 1422e0e)

This uses the same approach as the mariadb role (and others).

Closes-Bug: : 1928193
Co-Authored-By: John Garbutt <[email protected]>
Change-Id: I79a7a8c80327cfd9ef31d17fe71f450a181a638c
(cherry picked from commit 502152290ac5fc2a09176c52a459b9741273b752)
(cherry picked from commit 9ec49a3)

* Register Swift-compatible endpoints in Keystone
* Load balance across RadosGW API servers using HAProxy

The support is exercised in the cephadm CI jobs, but since RGW is
not currently enabled via cephadm, it is not yet tested.

https://docs.ceph.com/en/latest/radosgw/keystone/

Implements: blueprint ceph-rgw

Change-Id: I891c3ed4ed93512607afe65a42dd99596fd4dbf9
(cherry picked from commit 5b75fefb7d9f50c197f3cd86e18059cb31ca9984)
(cherry picked from commit 31f18de)

This pull request adds support for the OpenID Connect authentication
flow in Keystone and enables both ID and access token authentication
flows. The ID token configuration is designed to allow users to
authenticate via Horizon using an identity federation; whereas the
Access token is used to allow users to authenticate in the OpenStack CLI
using a federated user.

Without this PR, if one wants to configure OpenStack to use identity
federation, he/she needs to do a lot of configurations in the keystone,
Horizon, and register quite a good number of different parameters using
the CLI such as mappings, identity providers, federated protocols, and
so on. Therefore, with this PR, we propose a method for operators to
introduce/present the IdP's metadata to Kolla-ansible, and based on the
presented metadata, Kolla-ansible takes care of all of the
configurations to prepare OpenStack to work in a federated environment.

Implements: blueprint add-openid-support
Co-Authored-By: Jason Anderson <[email protected]>
Change-Id: I0203a3470d7f8f2a54d5e126d947f540d93b8210
(cherry picked from commit f3fbe83)

This gets rid of one of the steps in the authentication flow.

Closes-Bug: 1930055
Change-Id: I4ed4651b55a912f1d9aec7277bae6bb4776f1e0a
(cherry picked from commit 510508e9fa416801af58c1aedcf24e0bf8e88194)

@jovial jovial changed the title WIP: Consolidate IRIS and stackhpc branches Consolidate IRIS and stackhpc branches Feb 1, 2022
@@ -78,6 +78,7 @@ LogLevel info
{% for idp in keystone_identity_providers %}
{% if idp.protocol == 'openid' %}
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/websso>
OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ item.identifier | urlencode }}
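
Review bot: the `OIDCDiscoverURL` line takes the `iss` value from `item.identifier`, but the enclosing loop is `{% for idp in keystone_identity_providers %}` and the neighbouring lines use `idp.name` and `idp.protocol`; nothing in the visible lines defines `item`. As written, the issuer passed to `redirect_uri` is not tied to the provider that this `LocationMatch` block is generated for. Suggest `iss={{ idp.identifier | urlencode }}` so each websso location points discovery at its own identity provider.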

Should be idp.identifier?

+1

@@ -0,0 +1,3 @@
---
dependencies:
- { role: common }

We dropped these role deps in victoria.

####################
caso_install_type: "{{ kolla_install_type }}"
caso_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ caso_install_type }}-caso"
caso_tag: "{{ openstack_release }}"

openstack_tag

---
- name: Configure cASO user
kolla_toolbox:
module_name: "kolla_keystone_user"

We stopped doing it this way in Train. The module was dropped from the kolla-toolbox image. You need to use service-ks-register role now


[keystone_auth]
auth_type = password
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}

keystone_admin_url


- name: Checking free ports for Prometheus libvirt-exporter
wait_for:
host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"

'api' | kolla_address

static_configs:
- targets:
{% for host in groups["prometheus-libvirt-exporter"] %}
- '{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ hostvars[host]['prometheus_libvirt_exporter_port'] }}'

- '{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ hostvars[host]['prometheus_libvirt_exporter_port'] }}'

####################
# HAProxy
####################
prometheus_haproxy_members: "{% for host in groups['prometheus'] %}server {{ hostvars[host]['ansible_hostname'] }} {{ 'api' | kolla_address(host) }}:{{ prometheus_port }} check inter 2000 rise 2 fall 5{% if not loop.first %} backup{% endif %};{% endfor %}"

ansible_facts.hostname

Comment on lines +28 to +31
# List of Ceph RadosGW hostname:port to use as HAProxy backends.
ceph_rgw_hosts: []
ceph_rgw_haproxy_members: "{{ ceph_rgw_hosts | map('regex_replace', '(.*)', 'server \\1 \\1 ' + ceph_rgw_haproxy_healthcheck) | list }}"
ceph_rgw_haproxy_healthcheck: "check inter 2000 rise 2 fall 5"

This ended up a bit different upstream:

# List of Ceph hosts to use as HAProxy backends. Each item should contain
# 'host' and 'port' keys. The 'ip' and 'port' keys are optional. If 'ip' is
# not specified, the 'host' values should be resolvable from the host running
# HAProxy. If the ``port`` is not specified, the default HTTP (80) or HTTPS
# (443) port will be used.
ceph_rgw_hosts: []
ceph_rgw_haproxy_members: >-
  {%- set members = [] -%} 
  {%- for host in ceph_rgw_hosts -%} 
  {%- set port = (":" ~ host.port) if host.port is defined else "" -%}
  {%- set member = "server " ~ host.host ~ " " ~ host.ip | default(host.host) ~ port ~ " " ~ ceph_rgw_haproxy_healthcheck -%}
  {%- set _ = members.append(member) -%}
  {%- endfor -%}
  {{ members }}
ceph_rgw_haproxy_healthcheck: "check inter 2000 rise 2 fall 5"

Should we backport again from the merged patch?
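
The two `ceph_rgw_haproxy_members` forms compared in the comment above, rendered for the same kind of backend; this is an added example, not code from the pull request or from kolla-ansible. It assumes the `regex_replace` filter behaves like Python's `re.sub` with no count limit, uses constructed sample hosts and hypothetical function names, and adds a whitespace check on `host` and `ip` that neither template performs.

```python
import re

# Value of ceph_rgw_haproxy_healthcheck, as shown on the page.
HEALTHCHECK = "check inter 2000 rise 2 fall 5"


def members_regex(hosts, pattern="(.*)"):
    """PR form: each 'hostname:port' string rewritten by regex_replace.

    Assumption: the filter behaves like re.sub with no count limit.
    """
    repl = "server \\1 \\1 " + HEALTHCHECK
    return [re.sub(pattern, repl, h) for h in hosts]


def members_dict(hosts):
    """Upstream form: items with 'host' and optional 'ip' and 'port' keys."""
    out = []
    for h in hosts:
        for key in ("host", "ip"):
            # A server line is whitespace-delimited, so reject values that
            # would add extra tokens or lines to the HAProxy configuration.
            if key in h and re.search(r"\s", str(h[key])):
                raise ValueError(f"whitespace in {key!r}: {h[key]!r}")
        port = f":{h['port']}" if "port" in h else ""
        addr = h.get("ip", h["host"])
        out.append(f"server {h['host']} {addr}{port} {HEALTHCHECK}")
    return out


# Constructed sample backends (not taken from the pull request).
OLD_HOSTS = ["rgw1:8080"]
NEW_HOSTS = [{"host": "rgw1", "ip": "10.0.0.11", "port": 8080}, {"host": "rgw2"}]

if __name__ == "__main__":
    # On Python 3.7+, '(.*)' also matches the empty string at the end of the
    # input, so the replacement is emitted twice; '^(.*)$' matches once.
    print(members_regex(OLD_HOSTS))
    print(members_regex(OLD_HOSTS, "^(.*)$"))
    print(members_dict(NEW_HOSTS))
```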

@@ -78,6 +78,7 @@ LogLevel info
{% for idp in keystone_identity_providers %}
{% if idp.protocol == 'openid' %}
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/websso>
OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ item.identifier | urlencode }}

+1

@jovial jovial mentioned this pull request Mar 30, 2022