From 4d3ec058d849f67c3246a092929cd37dd367b08b Mon Sep 17 00:00:00 2001 From: "Anselme, Schubert (sa246v)" Date: Mon, 3 Apr 2023 09:54:18 -0400 Subject: [PATCH] Upgrade MAAS to 3.5 This PS upgrades MAAS to version 3.5 (jammy) 
Signed-off-by: Anselme, Schubert (sa246v) Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952 --- .gitignore | 3 +- .zuul.yaml | 112 ++++---- Makefile | 11 +- charts/maas/Chart.yaml | 4 +- charts/maas/requirements.lock | 6 + charts/maas/requirements.yaml | 1 + charts/maas/templates/bin/_db-sync.sh.tpl | 5 +- charts/maas/templates/bin/_enable-tls.sh.tpl | 19 ++ .../templates/bin/_export-secret-key.sh.tpl | 75 ++++++ .../bin/_import-boot-resources.sh.tpl | 248 +++++++++--------- .../maas/templates/bin/_import-ca-cert.sh.tpl | 23 ++ charts/maas/templates/bin/_maas-test.sh.tpl | 91 ++++--- .../templates/certificate-maas-ingress.yaml | 32 +++ charts/maas/templates/certificate-maas.yaml | 35 +++ charts/maas/templates/configmap-bin.yaml | 9 + .../templates/deployment-ingress-errors.yaml | 2 +- charts/maas/templates/ingress-region.yaml | 45 ++++ charts/maas/templates/job-enable-tls.yaml | 79 ++++++ charts/maas/templates/job-import.yaml | 23 ++ ...ecret-region.yaml => secret-maas-tls.yaml} | 14 +- .../templates/service-ingress-headless.yaml | 4 + charts/maas/templates/service-region.yaml | 20 ++ charts/maas/templates/statefulset-rack.yaml | 24 +- charts/maas/templates/statefulset-region.yaml | 87 +++++- .../maas/templates/tests/test-maas-init.yaml | 20 +- charts/maas/values.yaml | 86 +++--- .../3.5_ipmi_error.patch | 27 ++ .../3.5_nic_filter.patch | 13 + .../3.5_redfish_retries.patch | 12 + .../3.5_secure_headers.patch | 12 + .../3.5_transfer_trusted_only.patch | 9 + images/maas-rack-controller-jammy/Dockerfile | 93 +++++++ images/maas-rack-controller-jammy/README.md | 1 + .../scripts/journalctl-to-tty.service | 13 + .../scripts/maas-http-watcher.path | 5 + .../scripts/maas-http-watcher.service | 9 + .../scripts/override.chrony.conf | 3 + .../scripts/register-rack-controller.service | 12 + .../3.5_configure_ipmi_user.patch | 70 +++++ .../3.5_kernel_package.patch | 31 +++ .../3.5_partitiontable_does_not_exist.patch | 13 + .../3.5_proxy_acl.patch | 10 + 
.../3.5_regex_tags.patch | 24 ++ .../3.5_route.patch | 17 ++ .../3.5_secure_headers.patch | 12 + .../3.5_transfer_trusted_only.patch | 9 + .../maas-region-controller-jammy/Dockerfile | 93 +++++++ images/maas-region-controller-jammy/README.md | 1 + .../journalctl-to-tty.service | 13 + .../override.chrony.conf | 3 + images/sstream-cache-jammy/Dockerfile | 49 ++++ images/sstream-cache/Dockerfile | 31 +-- tools/gate/playbooks/docker-image-build.yaml | 27 +- 53 files changed, 1381 insertions(+), 309 deletions(-) create mode 100644 charts/maas/requirements.lock create mode 100644 charts/maas/templates/bin/_enable-tls.sh.tpl create mode 100644 charts/maas/templates/bin/_export-secret-key.sh.tpl create mode 100644 charts/maas/templates/bin/_import-ca-cert.sh.tpl create mode 100644 charts/maas/templates/certificate-maas-ingress.yaml create mode 100644 charts/maas/templates/certificate-maas.yaml create mode 100644 charts/maas/templates/job-enable-tls.yaml rename charts/maas/templates/{secret-region.yaml => secret-maas-tls.yaml} (59%) create mode 100644 images/maas-rack-controller-jammy/3.5_ipmi_error.patch create mode 100644 images/maas-rack-controller-jammy/3.5_nic_filter.patch create mode 100644 images/maas-rack-controller-jammy/3.5_redfish_retries.patch create mode 100644 images/maas-rack-controller-jammy/3.5_secure_headers.patch create mode 100644 images/maas-rack-controller-jammy/3.5_transfer_trusted_only.patch create mode 100644 images/maas-rack-controller-jammy/Dockerfile create mode 100644 images/maas-rack-controller-jammy/README.md create mode 100644 images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service create mode 100644 images/maas-rack-controller-jammy/scripts/maas-http-watcher.path create mode 100644 images/maas-rack-controller-jammy/scripts/maas-http-watcher.service create mode 100644 images/maas-rack-controller-jammy/scripts/override.chrony.conf create mode 100644 images/maas-rack-controller-jammy/scripts/register-rack-controller.service create 
mode 100644 images/maas-region-controller-jammy/3.5_configure_ipmi_user.patch create mode 100644 images/maas-region-controller-jammy/3.5_kernel_package.patch create mode 100644 images/maas-region-controller-jammy/3.5_partitiontable_does_not_exist.patch create mode 100644 images/maas-region-controller-jammy/3.5_proxy_acl.patch create mode 100644 images/maas-region-controller-jammy/3.5_regex_tags.patch create mode 100644 images/maas-region-controller-jammy/3.5_route.patch create mode 100644 images/maas-region-controller-jammy/3.5_secure_headers.patch create mode 100644 images/maas-region-controller-jammy/3.5_transfer_trusted_only.patch create mode 100644 images/maas-region-controller-jammy/Dockerfile create mode 100644 images/maas-region-controller-jammy/README.md create mode 100644 images/maas-region-controller-jammy/journalctl-to-tty.service create mode 100644 images/maas-region-controller-jammy/override.chrony.conf create mode 100644 images/sstream-cache-jammy/Dockerfile diff --git a/.gitignore b/.gitignore index 170bae3..0674734 100644 --- a/.gitignore +++ b/.gitignore @@ -7,4 +7,5 @@ build/ .vscode/ -charts/deps \ No newline at end of file +charts/deps/ +!charts/deps/.gitkeep diff --git a/.zuul.yaml b/.zuul.yaml index 0f5e21a..309824d 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -16,13 +16,13 @@ - airship-maas-lint-ws - airship-maas-chart-build-gate - airship-maas-chart-build-latest-htk - - airship-maas-docker-build-gate-bionic + - airship-maas-docker-build-gate - airship-maas-lint-yaml gate: jobs: - airship-maas-lint-ws - airship-maas-chart-build-gate - - airship-maas-docker-build-gate-bionic + - airship-maas-docker-build-gate - airship-maas-lint-yaml post: jobs: 
@@ -47,14 +47,14 @@ Lints all files for trailing whitespace run: tools/gate/playbooks/zuul-linter.yaml timeout: 300 - nodeset: airship-maas-single-node + nodeset: airship-maas-single-node-jammy - job: name: airship-maas-chart-build-gate description: Build charts using pinned Helm toolkit. run: tools/gate/playbooks/helm-linter.yaml timeout: 600 - nodeset: airship-maas-single-node + nodeset: airship-maas-single-node-jammy vars: HTK_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad @@ -64,17 +64,17 @@ voting: false run: tools/gate/playbooks/helm-linter.yaml timeout: 600 - nodeset: airship-maas-single-node + nodeset: airship-maas-single-node-jammy vars: HTK_COMMIT: master - job: - name: airship-maas-docker-build-gate-bionic - timeout: 1800 + name: airship-maas-docker-build-gate + timeout: 3600 run: tools/gate/playbooks/docker-image-build.yaml - nodeset: airship-maas-single-node + nodeset: airship-maas-single-node-jammy files: - - '^images/.*' + - "^images/.*" vars: publish: false tags: @@ -88,17 +88,17 @@ run: tools/gate/playbooks/lint-yaml.yaml nodeset: airship-maas-single-node irrelevant-files: - - '^charts/maas/templates/.*' + - "^charts/maas/templates/.*" - job: name: airship-maas-docker-publish - timeout: 1800 + timeout: 3600 run: tools/gate/playbooks/docker-image-build.yaml - nodeset: airship-maas-single-node + nodeset: airship-maas-single-node-jammy secrets: - airship_maas_quay_creds irrelevant-files: - - '^images/.*' + - "^images/.*" vars: publish: true tags: 
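Review bot: The `airship-maas-lint-yaml` job in the third hunk keeps `nodeset: airship-maas-single-node` as a context line while every other job in this file moves to `airship-maas-single-node-jammy`; if that is deliberate (the linter not needing the jammy image), a one-line comment above it saying so would stop the next reader from "fixing" it, otherwise it should be `nodeset: airship-maas-single-node-jammy` like the rest. The quoting change from `'^images/.*'` to `"^images/.*"` is cosmetic, since the pattern contains no escape sequences either way.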
@@ -142,53 +142,53 @@ git_mirror_repository: airshipit/maas secrets: - name: git_mirror_credentials - secret: maas-airshipit-github-secret + secret: maas-airshipit-github-secret-2023-03-23 pass-to-parent: true - secret: - name: maas-airshipit-github-secret + name: maas-airshipit-github-secret-2023-03-23 data: user: git host: github.com - host_key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + host_key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= ssh_key: !encrypted/pkcs1-oaep - - WjZJqgndvx9apoPz8nA1sJ324cYE7JyGQYjzYevbJO95t/oqcuI3lKl7MJ7CVnbYXcuVO - f9gy1hqnF1dpi2vB/eO3xevj95pU61XPyR5HcJiI25CyVv1R0lEf6m160nTkliYOIpPR6 - jVqU6ciE2fpTiQ6wPBQHBnguTJsNRulBsjnbpzzvKG3L0Li1RV+j2tP7JyCzsrwbbXCe3 - 27bwQD1ZnhOH6oDA1LDpqVLhcFbTW/A1UnCn5gRt3Z0I+Av49yw3fN3e1RP9p5wOiLXGm - 022lzm59SnEc3jWlmMaySzBs4KyUABI7Xc7uENl+erYbe8Hb52rPPvbwPYRnSymh2V4h/ - SVqwbDOQ1p1ogS1mHk03HPFDMgsdoOG6LtvgLBEgWDFE04Qw350dVypL+MzsgZwVIQq21 - sVpfMHJF4A9GqYjHZLJSngVJVKf3sYFnvYEP6L3DUiDa3jvLRpo/lAnr1UNdV4VOZHqah - ZCZuJ0OELi4lakHbh4LSEc4n+a0yev8Z1azH5pkpgZhLrAjaWnhgZiyfHifWCvTyRG27P - s6Xph5P0E2sRwIfdK2wnVSA5RDSvdh00z72Bh72k726lQHulFs1TsTtwYo+cpdQNM87Xh 
- uW+99Z0ntzLO53EsyiQRy9c8PYXX8FrK+KGPrhJ/dztPcB68njY2v/ypTB7YOs= - - icA8YhdGSbPCzGGmRpm4LsUIQzSXaFCapcsG9gNf7KVUfkcWApVaK9b3fylw8e50lQ5Cx - 5OAGOElXvAMW7NijsPD3c5TztB/rIunsOGhN/k9+x5c8fNoWBSXlwtf28pJ1iAEIoyozZ - FN9esz/XbFUke7tM73Fg7DJaS8FUeA4SNr4O+Y8hM74hYxUPidkuR8r+yKNcp9hLM6czT - jx7WmPO5+1ZFvPva2qKzOc27SEPPSkl0t6MIg9wPTQCUcxiQj38ZapDQInV4ozTJVRW0W - YuHaSnGIUhudfuHVvnA9A3VgVpgz+Jgpv92KjD/kKA6JQdIA4K9G/05qGrf9k45fFUe0b - h+Wnuta8h50BzZ8n8tLHQxf+B7e30JLbK962ywUpnc9LryfnWrV5CPneREz8tfs9iq3i6 - m7jyl3xi9PtZ/qBqHX3oP2vim+GWSvOT209S9XxDZWMzhRsO2NuySgepwYYipOYQgwoq4 - ViqzYYCGrGpUDGWzu0GtYw3HGSBle1izmiPNh+CpUUPPUnZ6v3dNsxOYiqy1DaHFxiNdy - xttyZFUzVxrIGY7Ju+R1bxMs3HHUtxZcPVpEuCukq3ucCfsM9s6+lKBhUhELNO4NIULM9 - kEFVn/kjqAlQoPFuI2brHwJ0ELJE+djKf8a/d72HngF5hUzMNeZ/H4P9RZlq2E= - - GrHLGoP4HZyVFx0FUxSE1yv6PYWsAQuGJfzkG86dr60TzAT64tTaf23ZhI+lGwfJQZkMd - LdzpAPdDMCAxCLiB5HUylo2dIzLKPtNgMmK/KNpVdX1ehWHlm+f0r70LJ7Ft2lSGZfNbh - Dkp1JBhFc+p6b0pxz3OZaGKD/uy/sAAVyx6pkwO2Lyxx3LAprA2syWUj9/OWkCFGZpQ4R - aLBy5IBBXMvaCaQC4OrSzSLlKErXNq+guj9z5pa7ct4xNs5ZRK77Fp/o3Ch3WP7XwaFbT - /jX8yDQEzOyV/ZufH2kdmum8oV9iLbjS410jOEqvBmJ8oU5TKztz3wreo6gHnb/Ipmqbe - iGVOHSp+VYM2CsJ1WNxYiAxfgjiXDeGdFw2HsdZRA5x2WSKmTuJE8PWLMjn9I3qQzTJSb - 16Rb1l/NptL2VrfLitDykhIIlrvKWUf3t1fJ4SLMeqpn4pee4Z+WFTiNutc0rzdOJIl5I - 9MsiGf+stSTd+SOl327geM9ay7Jnxa/orjVrHff3EfCJkWPGqTBno7asNz18xfQARmym0 - OJVPsVSvwXgWNPlbb9kcmvX6NwAPsUdqylgBbl9BWlTklhWUzrT5fFxlrmbVA6fe/9isR - Ye7KnKzbTZJoKSRWmCHIsm48tBLxWgTt95md7phMwqsPQD3YY12xkszRn92KfM= - - Br6y0uCDii7X5kvCulc/kuYwm6ysaOfu3r7iWxshcPw2Up+WdltWRIa+dBcR9pDm/FNwa - iWPVyrL7qvavLgRQT7M0GdECFo6Y6D19Qvt2WPSpcD5MwphZdrAU8ENKlBtm8MhMnWA9T - XWBLBH0BSFRU2GpGk+7zC4cUnKo3uV3fc7AtXW7W076kGoWy01z4EtgL5P+s7SLPMKCyA - CH969Hnz1zDn8BebTaM45gc6fPX5f1o0haPF22XDOb+/I3CiAfH9fA0HYWzZqForvLV5J - 6LZ8kxDWzmvxnEFiggT3Zc/jNi74bQ0YVrI5RoplNbvqiSpuszl4HpWBogr9ybkIbU1BT - fVX2l09NN4v5eWxfQGjdQpuuxSUN1pY2aCIcluxjELkZ0ACqqHVL6swaATxWIe1xZwPLb - 
3qn21OV4RqAf1BFPttYsLIH3+bX0A6302LcYZcHtmse+B2rQAu2c4XsSL1H8ClRji/4Wm - LFXQPCLteeVlb3feYffA3Vzjn0pnltRb6QulKNtaWp0viG1w88+aiJvyKP4MGJrzOnEQk - iFGqB42WTLr2N6vzw5SIVpk3CvqlVIfvSUet8NikwH96NXMNzW5vwkGdzxoop2A44MIoW - mZq8KcKOaK+KH3mr7XeipxaHt74P8EhnQuOtXrcCbTEkByWdzm55UM7aPQNeoc= + - Ctq8uiBKJa7YVWphZu4y/M7cajpPKKIx9kc0xM8fIfkUBWG++JXFjvqVMn1wolfBCbfw5 + fSqNyEazE+Vr8Gk/9iwpgD13b7O+ar7CfY/HmkjeqRQYqGDEsBzCKEksK4zjzzRBufqpC + DpulFkPSR9RoiQKuIv2C3n3afJkXgWPosdF9akluHRK5gzm7ayWkvoWEVQDkG1JaIrg6F + R/v12ADusA1RKYqbRyHR5RVV9CJqu4RImvZvXBGau6H+0zZQLCATnUZH8vEjiu/GVFlcz + Z7Zy6pGSFsxxlSqibcPwYR/CwQBOc+WDQQZ0zD1LfI+64K4t17VcxEtL0S/x07PKfKKmr + hYDQLR6Zg7uSzoloW27r3hUP1PcHjdGRF4u21EToT+7BVb2yPBfNS+W2i+NX1VQrWTGqP + lvmCz0A7bEn7PmHvPhtUwoSX2ZW0nqXdpTiDLpn1/Q+VpkCdMEMT42VeuuYTVvbxAtEaU + 195LHICPH/6r6o4C57/3ouLcuTKAQr7u2Wnn/7MyPVBtFRnOtjX1t/Hil42QVaHFtbjun + ov/GEnKqdPH1S/2XfPlgIVwgjI4k2LRWRm0F2HLrXiSfZrjofCbLFuBZKK23zHaUFrI8P + QyyyET/Sdo8qpOFEpfzdFD0fH8NqU7mt5Ka/F1d2uYJmhCbRX1kpcSXqo+RFgA= + - OxJZdG9DkL9I9ecTx56HAF05I3GbGbXUUF2yDeA26uXUHJRFp8y/llfGyt2G6gUlZ6apM + ti7oC4tnsxdTt83vRx2O/p+SF7PYoQuYf+6d2+6CFBB58g4bV6JfncVyRyIAWtHRDMWFo + kY9YYc1pFPQZ6m+mdi7SMsjLHWZwos/Xh+tBpyUyKdKC7aoNUZiAWDYAUPnIjQamB+QXm + 8tzfbvhqz33DcFlrBiR0SC8XkOlm88gPtxVftJEiugyQPRfDvjG3Q6Zo4gRAsTfslQQAF + gjENyXoSGUcvQREh237vLBdqLskke6qpeVb2769omaSdh/Fh0d1f6pjw2BCfMfcNz8GYe + 1HIATlj1PFFPCnI+BVzH/mr81PdWx5k31sMgI85vcucDBw7XQiBpCiJUzy4ZRrDyFupNt + oEajwkexnYSJAVD87brH4N76uRUCqBHMbaXZubZlXupkzDQov1R8UOcYv5zf0UQri+Bq7 + dyEbVZXxleyWlW62GDu1rsFdwmKdcGLoBLdzmI8ZVHXp82DT926o8dLBDpGRahbAu0M7c + A7i0VbtSmrXifD8tkMo9s9vJ82gl6VL4UUSimAfKEzpnMZxdoFEWlbivOOhAjsRBjk5wR + JvusSAVfpTRWXcD9rtFlwO6G9njsbTt+rWVpT+uKOxB+c2eceTJXwGyHo9vVdU= + - k83gdcIAOl0ga4oFzSFMq5KdrafmnRLbfRwaCdc0GfrKxT6MusVIY1axFnOjyKxhzANhA + d0UzuOTedDxmBsKvddX4Ridkj9dpbaP6csqz/4rce1p0cgoD7opr9td1UU95HcYBO61Qm + 7914nWPDNludEn09+YEsMsiylSx6fBx7hkAAg+fC4TQQDJf+SA47pyZN7RRqtpJ7MLy6h + 
UViKVYfEep3zlJn1coBylrQ0atT59kNYxYLzvPmUnYVTibibmR2Kqg91c6wm4bfwcFOgL + eKdP02RRWhQSCPCEeOJ5aDqKfgBrUKXYQ3ZellHaBOn9BHrKnJMD4pEpffQLkv+YJM7xq + SfHArdJ7wnvn3NXxktWZN6qvDO0sgLMCyKGj4Q0+DA5cleY1aaQ5n3IH4VbtacqkO8TJi + iSUlhzHolYuTfijWDIQ3NbjO4i47XXn9LEvpeGjB2ridMflb9s1q/v3b9XC8h+8Dz3XsH + RM2248CPaWGSrQvJ90pr88sWb0e1VHWIxkTvSiu90iZeUn0OYnyyAPThZDkGqt6VCUsGF + EK+lnxoE9v9kNN7eCwLAQtUqLoTGj+c+OtNtC65lyVQXQWd+ca7rQ6XMlIlzOU8X/Z4no + bw/EWFCYGJxkZp4KWH/zurvpvWEvknxVWnH7HTEMRxQvstczuOcensZn6WLBk4= + - VUITbduRP6LvFR0Fwiam0+2V68F3mIpGSYjRCzcSpIHjecng6n+FiHKM5CG1pPQV3uOOp + bL7uRCx6cSHG8gfrjR3PD8xf1VR/K5redHosWOSXUz7+dSPhObQA/VaTi92BUMKu3rdjJ + rJhiEOPSVl+QxsJzWt+6pGHuOyLOGkOBycwjBRTG1plUA8thgoTIl2srDKP3728YjvfBq + MCK6JhwelPKLCWEeVYCeyLoF2eqEqqxSfbFiDdtqnXAF4fNUsHuVMHF9Cz+NGJ1o/EgS2 + tio1Om3VEbgViPtdhNCyU9NZMEtO+5KpNoiV1rIA7Na+I5K1clztt3ax94muKJqjj+04f + Q4J2h1zR+1Lok43mEest+wjVRsfyTXf8jMHOJ9QF10Z+26UwDUKSgRP+jm+Lx8QUMKyi7 + R+1g0gyQqvxgUqIt35TeRu3tgX+50TQBKX0RFIatUuiCG1FuKB6q2VmjjA5L8M+gEZwO4 + fm17RWjM2EbRdFuNmPymrHSvc3gWTUe25nPbKDpovPhU0K1493QZgYLUqmlvh7RRw4eHa + GHLQTPtXMpsrl+c3A/2hpXcUvYHhmxvlFLla7p0mgmD2uNB5wRDqU88p/ub0z0jHCLO5Q + +izMoqA6r8FuVMjccHc8DEwZcsuQ3jvZk1XCxY3mAkPHiAoyxvQtxfNeRuBZw0= diff --git a/Makefile b/Makefile index a475d3f..7d7e633 100644 --- a/Makefile +++ b/Makefile @@ -15,13 +15,10 @@ DOCKER_REGISTRY ?= quay.io REGION_SUFFIX ?= maas-region IMG_COMMON_DIR ?= images -REGION_IMG_DIR ?= images/maas-region-controller RACK_SUFFIX ?= maas-rack -RACK_IMG_DIR ?= images/maas-rack-controller CACHE_SUFFIX ?= maas-cache -CACHE_IMG_DIR ?= images/sstream-cache IMAGE_PREFIX ?= airshipit -IMAGE_TAG ?= untagged +IMAGE_TAG ?= latest PROXY ?= http://proxy.foo.com:8000 NO_PROXY ?= localhost,127.0.0.1,.svc.cluster.local USE_PROXY ?= false 
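Review bot: The new `host_key` line replaces the github.com RSA key with no record of where the replacement was obtained; a host key copied from a live `ssh-keyscan` re-trusts whoever answered at that moment, so the value should be checked against the provider's published key fingerprints and that check noted in a comment above the line, e.g. `# github.com RSA host key, cross-checked against GitHub's published SSH key fingerprints on 2023-03-23`. Rotating the key material together with the secret name (the `-2023-03-23` suffix) is a good pattern, because a stale consumer fails on the missing old name instead of silently using the old key; the same comment could state that the date suffix is the rotation marker so the next rotation follows the convention.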
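Review bot: `IMAGE_TAG ?= latest` makes the rolling `latest` tag the default for every local build, so an ad-hoc run with `PUSH_IMAGE=true` overwrites the published tag with whatever commit happens to be checked out, whereas the old `untagged` default could not collide with a release tag. The next hunk already computes `COMMIT ?= $(shell git rev-parse HEAD)`, so `IMAGE_TAG ?= $(COMMIT)` keeps images traceable by default and lets the publish job apply `latest` explicitly. The following hunk has the related issue in `UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy`: a mutable base tag with no digest means rebuilding the same commit can pull a different base, so pin it with an `@sha256:<digest-from-registry>` suffix (placeholder) or document why it must float.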
@@ -29,12 +26,12 @@ PUSH_IMAGE ?= false # use this variable for image labels added in internal build process LABEL ?= org.airshipit.build=community COMMIT ?= $(shell git rev-parse HEAD) -IMAGE_NAME := maas-rack-controller maas-region-controller sstream-cache +IMAGE_NAME := maas-rack-controller-jammy maas-region-controller-jammy sstream-cache-jammy BUILD_DIR := $(shell mktemp -d) HELM := $(BUILD_DIR)/helm SSTREAM_IMAGE := "https://images.maas.io/ephemeral-v3/stable/" -SSTREAM_RELEASE := "bionic" -UBUNTU_BASE_IMAGE ?= ubuntu:18.04 +SSTREAM_RELEASE := "jammy" +UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy USE_CACHED_IMG ?= false DOCKER_EXTRA_ARGS ?= diff --git a/charts/maas/Chart.yaml b/charts/maas/Chart.yaml index 35e2830..e112abf 100755 --- a/charts/maas/Chart.yaml +++ b/charts/maas/Chart.yaml @@ -12,10 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- apiVersion: v1 description: Chart to run Canonical MaaS name: maas -version: 0.1.5 +version: 0.1.6 +appVersion: 3.5.3 home: https://docs.ubuntu.com/maas sources: - https://git.launchpad.net/maas diff --git a/charts/maas/requirements.lock b/charts/maas/requirements.lock new file mode 100644 index 0000000..b4b974b --- /dev/null +++ b/charts/maas/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: helm-toolkit + repository: file://../deps/helm-toolkit + version: 2024.2.0 +digest: sha256:68a561f57ba60b9f040679cd768b0abb8d5b48175f0da0977d168d31667e8635 +generated: "2025-03-18T21:30:44.577523-04:00" diff --git a/charts/maas/requirements.yaml b/charts/maas/requirements.yaml index f0eabff..0272bd5 100644 --- a/charts/maas/requirements.yaml +++ b/charts/maas/requirements.yaml @@ -12,6 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- dependencies: - name: helm-toolkit repository: file://../deps/helm-toolkit 
diff --git a/charts/maas/templates/bin/_db-sync.sh.tpl b/charts/maas/templates/bin/_db-sync.sh.tpl index b511c05..aaf30d5 100644 --- a/charts/maas/templates/bin/_db-sync.sh.tpl +++ b/charts/maas/templates/bin/_db-sync.sh.tpl @@ -16,7 +16,8 @@ set -ex -rm -f /var/run/rsyslogd.pid -service rsyslog restart +# error: rsyslog: Unrecognized service +rm -f /var/run/rsyslogd.pid || true +service rsyslog restart || true maas-region dbupgrade diff --git a/charts/maas/templates/bin/_enable-tls.sh.tpl b/charts/maas/templates/bin/_enable-tls.sh.tpl new file mode 100644 index 0000000..37b2766 --- /dev/null +++ b/charts/maas/templates/bin/_enable-tls.sh.tpl @@ -0,0 +1,19 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +maas config-tls enable --yes --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt diff --git a/charts/maas/templates/bin/_export-secret-key.sh.tpl b/charts/maas/templates/bin/_export-secret-key.sh.tpl new file mode 100644 index 0000000..b620aea --- /dev/null +++ b/charts/maas/templates/bin/_export-secret-key.sh.tpl 
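Review bot: `rm -f /var/run/rsyslogd.pid || true` is a no-op change, since `rm -f` already exits 0 for a missing file; the `|| true` only matters on `service rsyslog restart`, where it also hides a genuine restart failure behind the "Unrecognized service" case the comment describes. If rsyslog is not shipped in the jammy image, drop both lines; otherwise gate the restart on the service being present, e.g. `if [ -x /usr/sbin/rsyslogd ]; then service rsyslog restart; fi` (path to be confirmed against the image), so a real failure still stops the job under `set -e`.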
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+function clear_secret {
+ wget \
+ --server-response \
+ --ca-certificate=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ --header='Content-Type: application/json' \
+ --header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ --method=DELETE \
+ https://kubernetes.default.svc.cluster.local/api/v1/namespaces/${MAAS_REGION_SECRET_NAMESPACE}/secrets/${MAAS_REGION_SECRET}
+}
+
+function post_secret {
+ wget \
+ --server-response \
+ --ca-certificate=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ --header='Content-Type: application/json' \
+ --header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ --method=POST \
+ --body-file=/tmp/secret.json \
+ https://kubernetes.default.svc.cluster.local/api/v1/namespaces/${MAAS_REGION_SECRET_NAMESPACE}/secrets \
+ 2>&1
+}
+
+SECRET=$(cat /var/lib/maas/secret)
+
+if [ "x$SECRET" != "x" ]; then
+ ENCODED_SECRET=$(echo -n $SECRET | base64 -w 0)
+ cat < /tmp/secret.json
+{
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "type": "Opaque",
+ "metadata": {
+ "name": "${MAAS_REGION_SECRET}"
+ },
+ "data": {
+ "REGION_SECRET": "$ENCODED_SECRET"
+ }
+}
+EOS
+ while true; do
+ export result=$(post_secret)
+ if [ ! -z "$(echo "$result" | grep -i '201 Created')" ]; then
+ echo 'Secret created'
+ break
+ elif [ !
-z "$(echo "$result" | grep -i '409 Conflict')" ]; then
+ echo 'Secret exists, clearing before trying again'
+ clear_secret
+ else
+ echo 'Secret creation failed'
+ echo $result
+ fi
+ sleep 15
+ done
+else
+ echo "Failed to get key from maas."
+ exit 1
+fi
diff --git a/charts/maas/templates/bin/_import-boot-resources.sh.tpl b/charts/maas/templates/bin/_import-boot-resources.sh.tpl
index 7ca5999..99972be 100644
--- a/charts/maas/templates/bin/_import-boot-resources.sh.tpl
+++ b/charts/maas/templates/bin/_import-boot-resources.sh.tpl
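Review bot: `set -ex` at the top traces every expanded command to the job log, so `SECRET=$(cat /var/lib/maas/secret)`, `echo -n $SECRET`, and both `wget` calls with their `Authorization: Bearer <token>` header write the region secret and the pod's service-account token into pod logs, which are usually far more widely readable than the Secret object being created. Use `set -e` here, or `set +x` before the secret is read, and quote the value (`printf '%s' "$SECRET" | base64 -w 0`) so word splitting cannot alter it. The `while true` loop has no retry cap: any API error other than 409 prints `Secret creation failed` every 15 s forever and the job never reaches a terminal state, so count attempts and `exit 1` after a bound. As rendered here the heredoc reads `cat < /tmp/secret.json`, which would read the file rather than write it; if that is not an artifact of how the patch is displayed it must be `cat <<EOS > /tmp/secret.json` to match the `EOS` terminator.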
@@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900} RETRY_TIMER=${RETRY_TIMER:-30} function timer { - retry_wait=$1 - shift + retry_wait=$1 + shift - while [[ ${JOB_TIMEOUT} -gt 0 ]] - do - "$@" - rc=$? - if [ $rc -eq 0 ] - then - return $rc - else - JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait)) - sleep $retry_wait - fi - done + while [[ ${JOB_TIMEOUT} -gt 0 ]]; do + "$@" + rc=$? + if [ $rc -eq 0 ]; then + return $rc + else + JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait)) + sleep $retry_wait + fi + done - return 124 + return 124 } function import_resources { - check_for_download - rc=$? + check_for_download + rc=$? - if [ $rc -ne 0 ] - then - echo "Starting image import try ${import_tries}..." - maas ${ADMIN_USERNAME} boot-resources import - sleep 30 - check_for_download - rc=$? - fi + if [ $rc -ne 0 ]; then + echo "Starting image import try ${import_tries}..." + maas ${ADMIN_USERNAME} boot-resources import + sleep 30 + check_for_download + rc=$? + fi - return $rc + return $rc } function start_import { - timer "$RETRY_TIMER" import_resources + timer "$RETRY_TIMER" import_resources } function check_for_download { - if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; - then - echo -e '\nBoot resources currently importing\n' - return 1 - else - synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO) - if [[ $synced_imgs -gt 0 ]] - then - echo 'Boot resources have completed importing' - return 0 - else - echo 'Import failed!' 
- return 1 - fi - fi + if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then + echo -e '\nBoot resources currently importing\n' + return 1 + else + synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO) + if [[ $synced_imgs -gt 0 ]]; then + echo 'Boot resources have completed importing' + return 0 + else + echo 'Import failed!' + return 1 + fi + fi } function check_then_set_single { - option="$1" - value="$2" + option="$1" + value="$2" - cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') - desired_val=$(echo ${value} | tr -d '"') + cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') + desired_val=$(echo ${value} | tr -d '"') - if [[ $cur_val != $desired_val ]] - then - echo "Setting MAAS option ${option} to ${desired_val}" - maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} - return $? - else - echo "MAAS option ${option} already set to ${cur_val}" - return 0 - fi + if [[ $cur_val != $desired_val ]]; then + echo "Setting MAAS option ${option} to ${desired_val}" + maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} + return $? 
+ else + echo "MAAS option ${option} already set to ${cur_val}" + return 0 + fi } function check_then_set { - option=$1 - value=$2 + option=$1 + value=$2 - timer "$RETRY_TIMER" check_then_set_single "$option" "$value" + timer "$RETRY_TIMER" check_then_set_single "$option" "$value" } # Get rack controllers reporting a healthy rackd function get_active_rack_controllers { - maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' + maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' } function check_for_rack_sync_single { - sync_list="" + sync_list="" - rack_list=$(get_active_rack_controllers) - for rack_id in ${rack_list} - do - selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") - synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') - if [[ $synced_ctlr == "true" && ! 
-z ${selected_imgs} ]] - then - sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) - else - maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} - fi - if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]] - then - return 0 - fi - done + rack_list=$(get_active_rack_controllers) + for rack_id in ${rack_list}; do + selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") + synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') + if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then + sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) + else + maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} + fi + if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then + return 0 + fi + done - return 1 + return 1 } function check_for_rack_sync { - timer "$RETRY_TIMER" check_for_rack_sync_single + timer "$RETRY_TIMER" check_for_rack_sync_single } function configure_proxy { - check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} - check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} - check_then_set http_proxy ${MAAS_PROXY_SERVER} - check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} + check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} + check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} + check_then_set http_proxy ${MAAS_PROXY_SERVER} + check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} } function configure_ntp { - check_then_set ntp_servers ${MAAS_NTP_SERVERS} - check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} + check_then_set ntp_servers ${MAAS_NTP_SERVERS} + check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} } function configure_dns { - 
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} - check_then_set upstream_dns ${MAAS_DNS_SERVERS} + check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} + check_then_set upstream_dns ${MAAS_DNS_SERVERS} } function configure_syslog { - check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} + check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} } function configure_images { - check_for_rack_sync + check_for_rack_sync - if [[ $? -eq 124 ]] - then - echo "Timed out waiting for rack controller sync." - return 1 - fi + if [[ $? -eq 124 ]]; then + echo "Timed out waiting for rack controller sync." + return 1 + fi - check_then_set default_osystem ${MAAS_DEFAULT_OS} - check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} - check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} - check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} + check_then_set default_osystem ${MAAS_DEFAULT_OS} + check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} + check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} + check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} } function configure_boot_sources { - if [[ $USE_IMAGE_CACHE == 'true' ]] - then - maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ - fi + if [[ $USE_IMAGE_CACHE == 'true' ]]; then + maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ + fi - selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" + selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" - if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}" - then - # Need to start an import to get the availability data - maas "$ADMIN_USERNAME" boot-resources import - if ! 
maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ - release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then - return 1 - fi - fi + if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then + # Need to start an import to get the availability data + maas "$ADMIN_USERNAME" boot-resources import + if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ + release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then + return 1 + fi + fi } function create_extra_commissioning_script { @@ -215,21 +203,26 @@ EOF } function configure_extra_settings { -{{- range $k, $v := .Values.conf.maas.extra_settings }} - check_then_set {{$k}} {{$v}} -{{- else }} - : No additional MAAS config -{{- end }} + {{- range $k, $v := .Values.conf.maas.extra_settings }} + check_then_set {{$k}} {{$v}} + {{- else }} + : No additional MAAS config + {{- end }} } function maas_login { - KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) - if [ -z "$KEY" ] - then - return 1 - fi - maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY - return $? + KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) + if [ -z "$KEY" ]; then + return 1 + fi + {{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + maas login --insecure ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- else if .Values.conf.maas.tls.enabled }} + maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- else }} + maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- end }} + return $? } timer "$RETRY_TIMER" maas_login @@ -245,10 +238,9 @@ create_extra_commissioning_script timer "$RETRY_TIMER" configure_boot_sources start_import -if [[ $? -eq 0 ]] -then - configure_images +if [[ $? -eq 0 ]]; then + configure_images else - echo "Image import FAILED!" - exit 1 + echo "Image import FAILED!" + exit 1 fi 
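Review bot: The `--cacerts` branch added to `maas_login` points at `/usr/local/share/ca-certificates/maas-ca.crt`, but the only place on this page that installs a CA file (`_import-ca-cert.sh.tpl`) writes `/usr/local/share/ca-certificates/ca.crt`; unless the import job mounts the CA separately under the `maas-ca.crt` name, the TLS-enabled, non-insecure login will fail verification, so a comment above that branch recording which volume provides the file would make the dependency checkable. The `--insecure` branch disables server certificate verification for the admin API session entirely; since `conf.maas.tls.insecure` is a values switch, its entry in values.yaml should say it is for test or development deployments only, so it is not left on in production. The first hunk of this file is a re-indentation plus two safe rewrites (`! -z` to `-n`, single-quoted jq filter), which look behaviour-preserving.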
diff --git a/charts/maas/templates/bin/_import-ca-cert.sh.tpl b/charts/maas/templates/bin/_import-ca-cert.sh.tpl
new file mode 100644
index 0000000..ade0552
--- /dev/null
+++ b/charts/maas/templates/bin/_import-ca-cert.sh.tpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+sleep 15
+
+# Import MaaS CA Certificate
+cp -f /etc/maas/certificates/ca.crt /usr/local/share/ca-certificates/ca.crt
+update-ca-certificates
diff --git a/charts/maas/templates/bin/_maas-test.sh.tpl b/charts/maas/templates/bin/_maas-test.sh.tpl
index 4a36e81..ae78ae3 100644
--- a/charts/maas/templates/bin/_maas-test.sh.tpl
+++ b/charts/maas/templates/bin/_maas-test.sh.tpl
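Review bot: The bare `sleep 15` before the copy is an unexplained timing dependency; presumably it waits for `/etc/maas/certificates/ca.crt` to appear from a mount or a sibling container, but nothing records that, and a fixed delay is both too long on a fast node and not long enough on a slow one. A bounded wait on the file itself, with a clear failure message, documents the intent and fails loudly instead of letting `cp -f` abort under `set -e` with only the `set -x` trace to explain it. Installing the CA into the system trust store is otherwise fine; just note that anything elsewhere that reads the CA by path (for example a `maas login --cacerts` argument) has to agree on the installed filename.
```bash
# … unchanged: license header and set -ex …

# Wait (bounded) for the CA certificate to be present instead of sleeping blindly.
CA_SRC=/etc/maas/certificates/ca.crt
for _ in $(seq 1 30); do
  [ -s "$CA_SRC" ] && break
  sleep 1
done
[ -s "$CA_SRC" ] || { echo "CA certificate not found at $CA_SRC" >&2; exit 1; }

# Import MaaS CA Certificate
cp -f "$CA_SRC" /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
```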
@@ -18,78 +18,75 @@ set -ex function check_boot_images { - if maas local boot-resources is-importing | grep -q 'true'; - then - echo -e '\nBoot resources currently importing\n' - return 1 - else - synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) - if [[ $synced_imgs -gt 0 ]] - then - echo 'Boot resources have completed importing' - return 0 - else - return 1 - fi - fi + if maas local boot-resources is-importing | grep -q 'true'; then + echo -e '\nBoot resources currently importing\n' + return 1 + else + synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) + if [[ $synced_imgs -gt 0 ]]; then + echo 'Boot resources have completed importing' + return 0 + else + return 1 + fi + fi } function check_rack_controllers { - rack_cnt=$(maas local rack-controllers read | grep -c hostname) - if [[ $rack_cnt -gt 0 ]] - then - echo "Found $rack_cnt rack controllers." - return 0 - else - return 1 - fi + rack_cnt=$(maas local rack-controllers read | grep -c hostname) + if [[ $rack_cnt -gt 0 ]]; then + echo "Found $rack_cnt rack controllers." + return 0 + else + return 1 + fi } function check_admin_api { - if maas local version read; - then - echo 'Admin API is responding' - return 0 - else - return 1 - fi + if maas local version read; then + echo 'Admin API is responding' + return 0 + else + return 1 + fi } function establish_session { - maas login local ${MAAS_URL} ${MAAS_API_KEY} - return $? + maas login local ${MAAS_URL} ${MAAS_API_KEY} + return $? } +# Import CA Certificate +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} +update-ca-certificates +{{- end }} + establish_session -if [[ $? -ne 0 ]] -then - echo "MAAS API login FAILED!" - exit 1 +if [[ $? -ne 0 ]]; then + echo "MAAS API login FAILED!" + exit 1 fi check_boot_images -if [[ $? -eq 1 ]] -then - echo "Image import test FAILED!" - exit 1 +if [[ $? 
-eq 1 ]]; then + echo "Image import test FAILED!" + exit 1 fi check_rack_controllers -if [[ $? -eq 1 ]] -then - echo "Rack controller query FAILED!" - exit 1 +if [[ $? -eq 1 ]]; then + echo "Rack controller query FAILED!" + exit 1 fi check_admin_api -if [[ $? -eq 1 ]] -then - echo "Admin API response FAILED!" - exit 1 +if [[ $? -eq 1 ]]; then + echo "Admin API response FAILED!" + exit 1 fi echo "MAAS Validation SUCCESS!" diff --git a/charts/maas/templates/certificate-maas-ingress.yaml b/charts/maas/templates/certificate-maas-ingress.yaml new file mode 100644 index 0000000..a2b44d9 --- /dev/null +++ b/charts/maas/templates/certificate-maas-ingress.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }} +{{- $envAll := . }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.secrets.maas_ingress_cert }} +spec: + secretName: {{ .Values.secrets.maas_ingress_cert }} + commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + issuerRef: + kind: {{ .Values.cert_manager.issuer.kind }} + name: {{ .Values.cert_manager.issuer.name }} + dnsNames: + - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{ end }} 
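Review bot: The `update-ca-certificates` call before establish_session is gated on `tls.insecure`, and the test pod's ca-cert volume is gated on the same flag, so with `tls.enabled: true` and `insecure: false` nothing installs the private CA and `maas login` against an https MAAS_URL issued by the chart's `ca-issuer` fails verification. The condition should be `{{- if .Values.conf.maas.tls.enabled }}` (with the volume gated the same way); `insecure` should only decide whether verification is disabled, never whether the CA is trusted. The comment `# Import CA Certificate` describes a mount that happens elsewhere — `# Refresh the system trust store so the mounted MAAS CA is honoured` is what this line does. With `set -ex` at the top of this script, the `maas login local ${MAAS_URL} ${MAAS_API_KEY}` line also writes the API key to the test log; wrap it in `set +x`/`set -x`.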
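Review bot: The ingress Certificate is gated on `.Values.cert_manager.create` in addition to `tls.enabled`, `tls.create` and `cert_manager.enabled`, while certificate-maas.yaml in the same patch omits `cert_manager.create`; with the values default `create: false` an operator who enables cert-manager gets the internal certificate but no ingress certificate. If that asymmetry is intended, say so in the template, e.g. `{{/* The public ingress cert is only issued when cert_manager.create is set; the internal cert is issued whenever cert-manager is enabled */}}`; otherwise align the two conditions. `$envAll` is assigned but never used here.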
diff --git a/charts/maas/templates/certificate-maas.yaml b/charts/maas/templates/certificate-maas.yaml
new file mode 100644
index 0000000..ebf9a0f
--- /dev/null
+++ b/charts/maas/templates/certificate-maas.yaml
@@ -0,0 +1,35 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.secrets.maas_cert }}
+spec:
+ secretName: {{ .Values.secrets.maas_cert }}
+ commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ issuerRef:
+ kind: {{ .Values.cert_manager.issuer.kind }}
+ name: {{ .Values.cert_manager.issuer.name }}
+ dnsNames:
+ - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
+ - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
+ - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
+{{ end }}
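Review bot: Several templates in this patch mount this Certificate's secret with `items: - key: ca.crt`, but cert-manager only writes `ca.crt` for issuers that know their own CA (CA, Vault, Venafi); with an ACME ClusterIssuer the key is absent and the kubelet refuses to start the pod because a projected item is missing. Either document next to `cert_manager.issuer` that it must be a CA-type issuer, or mark those mounts `optional: true` and source the trust anchor separately. Consider also `privateKey: rotationPolicy: Always` so renewals do not reuse the same key, and `usages: [server auth]` since this certificate is only used as a server certificate in the visible templates. `$envAll` is assigned but unused.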
diff --git a/charts/maas/templates/configmap-bin.yaml b/charts/maas/templates/configmap-bin.yaml index 43d7bd7..a06521c 100644 --- a/charts/maas/templates/configmap-bin.yaml +++ b/charts/maas/templates/configmap-bin.yaml @@ -23,6 +23,9 @@ metadata: data: db-init.sh: |+ {{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }} + + #set maasdb owner to maas + pgsql_superuser_cmd "ALTER DATABASE $USER_DB_NAME OWNER to $USER_DB_USER;" db-sync.sh: |+ {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} bootstrap-admin-user.sh: | @@ -35,6 +38,8 @@ data: {{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} export-api-key.sh: | {{ tuple "bin/_export-api-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + export-secret-key.sh: | +{{ tuple "bin/_export-secret-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} register-rack-controller.sh: | {{ tuple "bin/_register-rack-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} maas-test.sh: | @@ -49,3 +54,7 @@ data: {{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} start-syslog.sh: | {{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- if .Values.conf.maas.tls.enabled }} + enable-tls.sh: | +{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml index 0bd3d83..689ee68 100644 --- a/charts/maas/templates/deployment-ingress-errors.yaml +++ b/charts/maas/templates/deployment-ingress-errors.yaml 
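Review bot: The `ALTER DATABASE $USER_DB_NAME OWNER to $USER_DB_USER;` line appended to db-init.sh interpolates shell variables into SQL as bare identifiers, so a database or role name that is not a plain lowercase identifier (hyphen, uppercase, reserved word) either breaks the statement or targets a different object. Quote them: `pgsql_superuser_cmd "ALTER DATABASE \"$USER_DB_NAME\" OWNER TO \"$USER_DB_USER\";"`. Ownership also grants DROP DATABASE, so a one-line comment on why MAAS 3.5 needs full ownership rather than schema grants would help the next reader judge the privilege level; `pgsql_superuser_cmd` and the two variables are presumably provided by the helm-toolkit snippet included just above.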
@@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.rack_statefulset }} +{{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }} {{- $envAll := . }} {{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}} {{- $serviceAccountName := "maas-ingress-errors" }} diff --git a/charts/maas/templates/ingress-region.yaml b/charts/maas/templates/ingress-region.yaml index d32a907..57ef220 100644 --- a/charts/maas/templates/ingress-region.yaml +++ b/charts/maas/templates/ingress-region.yaml @@ -20,8 +20,16 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: maas-region-api + annotations: +{{ toYaml .Values.network.region_api.ingress.annotations | indent 4 }} spec: ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }} +{{- if .Values.conf.maas.tls.enabled }} + tls: + - secretName: maas-region-api-tls + hosts: + - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{ end }} rules: - host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} http: 
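Review bot: `secretName: maas-region-api-tls` in the new `tls:` stanza is hard-coded and happens to equal the default of `secrets.maas_cert`, i.e. the internal certificate whose SANs are the in-cluster service names; the Certificate in certificate-maas-ingress.yaml writes to `secrets.maas_ingress_cert` (`maas-region-api-ingress-tls`), which nothing in this patch references, so clients of the public FQDN will see a hostname mismatch. Use `secretName: {{ .Values.secrets.maas_ingress_cert }}`. As written, an operator overriding either secret name has no effect on the Ingress.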
@@ -55,6 +63,43 @@ spec: name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} port: name: region-api +{{- else if (and .Values.conf.maas.ingress_disable_gui .Values.conf.maas.tls.enabled) }} + - path: /MAAS/api + pathType: Prefix + backend: + service: + name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + port: + name: region-api-tls + - path: /MAAS/images-stream + pathType: Prefix + backend: + service: + name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + port: + name: region-api-tls + - path: /MAAS/metadata + pathType: Prefix + backend: + service: + name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + port: + name: region-api-tls + - path: /MAAS/rpc + pathType: Prefix + backend: + service: + name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + port: + name: region-api-tls +{{- else if .Values.conf.maas.tls.enabled }} + - path: / + pathType: Prefix + backend: + service: + name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + port: + name: region-api-tls {{- else }} - path: / pathType: Prefix diff --git a/charts/maas/templates/job-enable-tls.yaml b/charts/maas/templates/job-enable-tls.yaml new file mode 100644 index 0000000..8644baf --- /dev/null +++ b/charts/maas/templates/job-enable-tls.yaml 
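Review bot: The new TLS branches route to the `region-api-tls` port, so the ingress controller must be told to speak TLS to the upstream; with ingress-nginx that is the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation, and nginx does not verify the upstream certificate by default, so the ingress-to-region hop is encrypted but unauthenticated unless `proxy-ssl-verify: "on"` and `proxy-ssl-secret` are set too. Since annotations come from `network.region_api.ingress.annotations` (not shown in this chunk), please document that requirement next to that value or default it in values.yaml. The `ingress_disable_gui` branch also publishes `/MAAS/rpc`; if that mirrors the existing non-TLS branch and rack-to-region RPC is meant to traverse the ingress, a comment saying so would stop the next reviewer from removing it.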
@@ -0,0 +1,79 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.conf.maas.tls.enabled }} +{{- $envAll := . }} +{{- $serviceAccountName := "maas-enable-tls" }} +{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: maas-enable-tls + labels: +{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +spec: + template: + metadata: + labels: +{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }} + initContainers: +{{ tuple $envAll "enable_tls" list | include 
"helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: maas-enable-tls + image: {{ .Values.images.tags.enable_tls }} + imagePullPolicy: {{ .Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/enable-tls.sh + volumeMounts: + - name: maas-bin + mountPath: /tmp/enable-tls.sh + subPath: enable-tls.sh + readOnly: true + - name: maas-etc + mountPath: /etc/maas/regiond.conf + subPath: regiond.conf + readOnly: true + - name: maas-tls + mountPath: /etc/maas/ssl + readOnly: true + volumes: + - name: maas-bin + configMap: + name: maas-bin + defaultMode: 0555 + - name: maas-etc + configMap: + name: maas-etc + defaultMode: 0444 + - name: maas-tls + secret: + secretName: {{ .Values.secrets.maas_cert }} + defaultMode: 0444 +{{ end }} diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml index 4ec7d75..6f745e2 100644 --- a/charts/maas/templates/job-import.yaml +++ b/charts/maas/templates/job-import.yaml @@ -46,6 +46,15 @@ spec: - name: region-import-resources image: {{ .Values.images.tags.maas_region }} imagePullPolicy: {{ .Values.images.pull_policy }} +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - sleep 15; update-ca-certificates +{{- end }} env: - name: USE_IMAGE_CACHE value: {{ .Values.conf.cache.enabled | quote }} 
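Review bot: The `maas-tls` secret volume carrying `tls.key` is mounted with `defaultMode: 0444`, which makes the private key world-readable inside the job container; use `defaultMode: 0400` (or `0440` plus an `fsGroup` if the `enable_tls` security context runs non-root). The Job also sets no `backoffLimit`, so a persistently failing enable-tls.sh retries indefinitely under `restartPolicy: OnFailure`. The `pod.security_context.enable_tls` and `pod.resources.jobs.enable_tls` keys the template references are not visible in this patch's values.yaml hunks — confirm they exist, since helm-toolkit renders nothing or errors for missing keys.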
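Review bot: Installing the CA from a `postStart` hook with `sleep 15; update-ca-certificates` is a race: postStart runs concurrently with the container command, so import-boot-resources.sh can start making TLS connections before the trust store is updated, and 15 s is an arbitrary guess. Since the job already runs a shell script, call `update-ca-certificates` at the top of import-boot-resources.sh under the same template condition, or in an init container, and drop the hook. The hook is also gated on `tls.insecure`, the mode in which the script passes `--insecure` and verifies nothing, so the trust-store update has no observable effect there.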
@@ -100,6 +109,12 @@ spec: - /tmp/import-boot-resources.sh {{ dict "envAll" $envAll "component" "import-resources" "container" "region-import-resources" "type" "readiness" "probeTemplate" (include "jobreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} volumeMounts: +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/ca.crt + subPath: ca.crt + readOnly: true +{{- end }} - name: maas-bin mountPath: /tmp/import-boot-resources.sh subPath: import-boot-resources.sh @@ -125,3 +140,11 @@ spec: configMap: name: maas-etc defaultMode: 0444 +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: ca.crt +{{ end }} diff --git a/charts/maas/templates/secret-region.yaml b/charts/maas/templates/secret-maas-tls.yaml similarity index 59% rename from charts/maas/templates/secret-region.yaml rename to charts/maas/templates/secret-maas-tls.yaml index 3ad2223..f7038c1 100644 --- a/charts/maas/templates/secret-region.yaml +++ b/charts/maas/templates/secret-maas-tls.yaml @@ -1,5 +1,5 @@ {{/* -Copyright 2017 The Openstack-Helm Authors. +Copyright 2017 AT&T Intellectual Property. All other rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
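Review bot: The `ca-cert` volume and its mount are conditioned on `tls.insecure`, so the MAAS CA is only projected into the pod in the mode where verification is switched off, and never when `tls.enabled` is true with `insecure: false` — the mode that actually needs it. Change both conditions to `{{- if .Values.conf.maas.tls.enabled }}`. The same inverted gate is repeated in the rack, region and test templates of this patch, so fix them together. The secret-region.yaml rename hunk below is a copyright-line change only.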
@@ -14,14 +14,16 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }} {{- $envAll := . }} -{{- $secretName := index $envAll.Values.secrets.maas_region "name" }} --- apiVersion: v1 kind: Secret metadata: - name: {{ $secretName }} -type: Opaque + name: {{ .Values.secrets.certificate }} +type: kubernetes/tls data: - REGION_SECRET: |- -{{ $envAll.Values.secrets.maas_region.value | b64enc | indent 4 }} + ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }} + tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }} + tls.key: {{ .Values.conf.maas.tls.key | b64enc }} +{{ end }} diff --git a/charts/maas/templates/service-ingress-headless.yaml b/charts/maas/templates/service-ingress-headless.yaml index 912ceb1..d32840b 100644 --- a/charts/maas/templates/service-ingress-headless.yaml +++ b/charts/maas/templates/service-ingress-headless.yaml @@ -24,6 +24,10 @@ spec: ports: - name: http port: 80 +{{- if .Values.conf.maas.tls.enabled }} + - name: https + port: 443 +{{- end }} selector: {{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} ... diff --git a/charts/maas/templates/service-region.yaml b/charts/maas/templates/service-region.yaml index 72cc542..23449a4 100644 --- a/charts/maas/templates/service-region.yaml +++ b/charts/maas/templates/service-region.yaml 
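Review bot: `name: {{ .Values.secrets.certificate }}` references a value this patch never defines — values.yaml adds `secrets.maas_cert` and `secrets.maas_ingress_cert` — so with cert-manager disabled and `tls.create: true` the Secret renders with an empty name and the release fails, while every consumer mounts `secrets.maas_cert`. `type: kubernetes/tls` is also not a valid Secret type; the TLS type is `kubernetes.io/tls`. Proposed: `name: {{ .Values.secrets.maas_cert }}` and `type: kubernetes.io/tls`, and `(not .Values.cert_manager.enabled)` reads better than `(eq .Values.cert_manager.enabled false)`. Since `tls.key` now flows through values, add a comment that it must come from an encrypted values source and never be committed.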
@@ -28,6 +28,14 @@ spec: {{ if .Values.network.region_api.node_port.enabled }} nodePort: {{ tuple "maas_region" "nodeport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{ end }} +{{- if .Values.conf.maas.tls.enabled }} + - name: region-api-tls + port: {{ tuple "maas_region" "secure" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + targetPort: {{ tuple "maas_region" "podporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.network.region_api.node_port.enabled }} + nodePort: {{ tuple "maas_region" "nodeporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ end }} +{{- end }} - name: region-proxy port: {{ tuple "maas_region" "internal" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} targetPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} @@ -41,6 +49,18 @@ spec: - name: region-syslog port: 514 targetPort: {{ tuple "maas_region" "podport" "region_syslog" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: temporal-server + port: 5271 + targetPort: 5271 + - name: temporal-matching + port: 5272 + targetPort: 5272 + - name: temporal-history + port: 5273 + targetPort: 5273 + - name: temporal-worker + port: 5274 + targetPort: 5274 selector: {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ if or .Values.network.region_proxy.node_port.enabled .Values.network.region_api.node_port.enabled }} diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml index 1913b30..4dc7e1b 100644 --- a/charts/maas/templates/statefulset-rack.yaml +++ b/charts/maas/templates/statefulset-rack.yaml 
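Review bot: Ports 5271–5274 (`temporal-server`, `temporal-matching`, `temporal-history`, `temporal-worker`) are added to the region Service without explanation; they appear to be MAAS 3.5's embedded Temporal workflow engine, an internal region-to-region interface rather than something other workloads should reach. If `network.region_api.node_port.enabled` or `region_proxy.node_port.enabled` switches this Service to `type: NodePort` (the trailing conditional suggests it does), Kubernetes auto-allocates a node port for every listed port, exposing Temporal on every node. Consider a separate ClusterIP or headless Service for these ports, a NetworkPolicy limiting them to region pods, and a comment such as `# Temporal workflow-engine ports (MAAS 3.5); region-internal only`.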
@@ -71,6 +71,15 @@ spec: image: {{ .Values.images.tags.maas_rack }} imagePullPolicy: {{ .Values.images.pull_policy }} tty: true +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - sleep 15; update-ca-certificates +{{- end }} {{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: MAAS_ENDPOINT @@ -97,7 +106,6 @@ spec: {{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }} - mountPath: /sys/fs/cgroup name: host-sys-fs-cgroup - readOnly: true {{- end }} - mountPath: /run name: pod-run @@ -113,6 +121,12 @@ spec: mountPath: /usr/sbin/ntpd subPath: ntpd.sh readOnly: true +{{- end }} +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/ca.crt + subPath: ca.crt + readOnly: true {{- end }} - name: maas-bin mountPath: /tmp/start.sh @@ -185,6 +199,14 @@ spec: configMap: name: maas-etc defaultMode: 0444 +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: ca.crt +{{ end }} {{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }} volumeClaimTemplates: - metadata: diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml index 092ef6d..6c07a9a 100644 --- a/charts/maas/templates/statefulset-region.yaml +++ b/charts/maas/templates/statefulset-region.yaml 
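Review bot: Dropping `readOnly: true` from the `/sys/fs/cgroup` host mount gives the rack container — which values.yaml runs as root with `SYS_ADMIN` — write access to the host cgroup hierarchy, a well-known container-escape primitive (release_agent-style), and neither the commit message nor a comment says why. If the jammy image now runs systemd in the container and needs it, say so on the mount and compensate by scoping the writable mount to the pod's own cgroup subtree or giving systemd a private cgroup namespace. At minimum add `# writable: in-container systemd on jammy manages its own cgroups — TODO confirm and scope` so the privilege increase is visibly deliberate.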
@@ -17,9 +17,53 @@ {{- $serviceAccountName := "maas-region" }} {{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }} {{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }} - {{ tuple $envAll "region_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}-export + namespace: {{ $envAll.Release.Namespace }} +rules: + - apiGroups: + - "" + - extensions + - batch + - apps + verbs: + - get + - list + resources: + - services + - endpoints + - jobs + - pods + - apiGroups: + - "" + verbs: + - get + - create + - update + - delete + resources: + - secrets +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}-export + namespace: {{ $envAll.Release.Namespace }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}-export +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- apiVersion: apps/v1 kind: StatefulSet metadata: 
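Review bot: The new Role grants the `maas-region` ServiceAccount `get/create/update/delete` on every Secret in the namespace — including the admin API key, database credentials and TLS private keys the chart itself creates — while the only consumer visible in this patch is export-secret-key.sh writing `MAAS_REGION_SECRET`. Split the rule so `create` stays unscoped (resourceNames cannot restrict creates) but `get`/`update` are limited to that one secret, and drop `delete` unless the script actually removes it (its body is outside this chunk). The `extensions` API group is obsolete for jobs, pods and services and can go.
```yaml
rules:
  # … unchanged: get/list rule for services, endpoints, jobs, pods …
  - apiGroups: [""]
    verbs: [create]
    resources: [secrets]
  - apiGroups: [""]
    verbs: [get, update]
    resources: [secrets]
    resourceNames:
      - {{ .Values.secrets.maas_region.name }}
```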
@@ -94,12 +138,29 @@ spec: image: {{ .Values.images.tags.maas_region }} imagePullPolicy: {{ .Values.images.pull_policy }} tty: true - + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - sleep 15; update-ca-certificates; /tmp/export-secret-key.sh {{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "region" "container" "maas_region" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: + - name: MAAS_REGION_SECRET_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MAAS_REGION_SECRET + value: {{ .Values.secrets.maas_region.name }} ports: - name: region-api containerPort: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- if .Values.conf.maas.tls.enabled }} + - name: region-api-tls + containerPort: {{ tuple "maas_region" "podporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} - name: region-proxy containerPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} readinessProbe: @@ -111,7 +172,6 @@ spec: {{- if not .Values.conf.maas.cgroups.disable_cgroups_region }} - mountPath: /sys/fs/cgroup name: host-sys-fs-cgroup - readOnly: true {{- end }} - mountPath: /run name: pod-run @@ -119,9 +179,15 @@ spec: name: pod-run-lock - mountPath: /tmp name: pod-tmp - - name: maas-region-secret - mountPath: /var/lib/maas/secret - subPath: REGION_SECRET +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/ca.crt + subPath: ca.crt + readOnly: true +{{- end }} + - name: maas-bin + mountPath: /tmp/export-secret-key.sh + subPath: export-secret-key.sh readOnly: true - name: maas-etc mountPath: /etc/bind/named.conf.options 
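Review bot: The region container's `postStart` hook (`sleep 15; update-ca-certificates; /tmp/export-secret-key.sh`) runs concurrently with regiond's own startup, so the fixed 15 s sleep is the only thing between the export and a secret regiond may not have generated yet, and because a failing postStart kills the container a slow first boot becomes a crash loop. Have export-secret-key.sh wait on the artefact it reads (e.g. `until [ -s /var/lib/maas/secret ]; do sleep 2; done`, assuming that is the path — the script is not in this chunk) rather than a timer, and make the export idempotent so restarts do not churn the Secret. The removal of the `maas-region-secret` mount in the third hunk is consistent with this: the secret is now generated in-pod and exported instead of injected.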
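Review bot: `readOnly: true` is removed from the region container's `/sys/fs/cgroup` host mount with no explanation; values.yaml runs this container as root with `SYS_ADMIN` and `SYS_PTRACE`, so a writable host cgroup tree is effectively host-root reach (release_agent escapes need exactly this). If the jammy image's systemd requires it, document it on the mount (`# writable for in-container systemd; see <issue>`) and prefer a private cgroup namespace or a subtree-scoped mount over the whole hierarchy.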
@@ -200,9 +266,14 @@ spec: configMap: name: maas-bin defaultMode: 0555 - - name: maas-region-secret +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert secret: - secretName: {{ .Values.secrets.maas_region.name }} + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: ca.crt +{{ end }} {{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }} {{- if .Values.manifests.maas_syslog }} volumeClaimTemplates: diff --git a/charts/maas/templates/tests/test-maas-init.yaml b/charts/maas/templates/tests/test-maas-init.yaml index 790c7c7..e591872 100644 --- a/charts/maas/templates/tests/test-maas-init.yaml +++ b/charts/maas/templates/tests/test-maas-init.yaml @@ -38,7 +38,11 @@ spec: - name: maas-api-test env: - name: 'MAAS_URL' - value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- if empty .Values.conf.maas.url.maas_url }} + value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- else }} + value: {{ .Values.conf.maas.url.maas_url }} +{{- end }} - name: 'MAAS_API_KEY' valueFrom: secretKeyRef: @@ -50,6 +54,12 @@ spec: {{ dict "envAll" $envAll "application" "api_test" "container" "maas_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }} command: ["/tmp/maas-test.sh"] volumeMounts: +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/ca.crt + subPath: ca.crt + readOnly: true +{{- end }} - name: maas-bin mountPath: /tmp/maas-test.sh subPath: maas-test.sh 
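Review bot: `value: {{ .Values.conf.maas.url.maas_url }}` for MAAS_URL is emitted unquoted while the sibling branch pipes through `| quote`; a URL containing `: ` or a leading YAML indicator breaks the rendered manifest, so use `value: {{ .Values.conf.maas.url.maas_url | quote }}`. Pointing the test at the public endpoint is a good end-to-end check of the ingress TLS path, but `conf.maas.url.maas_url` is not added in this patch's values.yaml hunks — confirm it exists with a sane default, otherwise `empty` always takes the first branch.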
@@ -59,5 +69,13 @@ spec: configMap: name: maas-bin defaultMode: 0555 +{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: ca.crt +{{ end }} ... {{- end }} diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml index 23faed9..a9bde0c 100644 --- a/charts/maas/values.yaml +++ b/charts/maas/values.yaml @@ -17,6 +17,7 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +--- dependencies: static: maas_ingress: {} @@ -29,6 +30,7 @@ dependencies: endpoint: monitor jobs: - maas-export-api-key + - maas-export-secret-key region_controller: jobs: - maas-db-sync @@ -74,6 +76,12 @@ dependencies: endpoint: internal - service: maas_ingress endpoint: monitor + enable_tls: + jobs: + - maas-bootstrap-admin-user + services: + - service: maas_region + endpoint: internal network_policy: maas: 
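Review bot: The rack controller's dependency list gains a job named `maas-export-secret-key`, but no `job-export-secret-key.yaml` template appears in this patch's file list — the secret export is done from the region StatefulSet's postStart hook. Unless such a job already exists in the chart, the kubernetes-entrypoint init container will wait for it forever and the rack StatefulSet never starts. Either add the job, or replace the entry with a dependency on the `maas_region` internal endpoint and let register-rack-controller.sh poll for the Secret.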
@@ -96,18 +104,19 @@ manifests: images: tags: - db_init: docker.io/postgres:9.5 + db_init: docker.io/library/postgres:14.5 db_sync: quay.io/airshipit/maas-region-controller:latest maas_rack: quay.io/airshipit/maas-rack-controller:latest maas_region: quay.io/airshipit/maas-region-controller:latest bootstrap: quay.io/airshipit/maas-region-controller:latest export_api_key: quay.io/airshipit/maas-region-controller:latest maas_cache: quay.io/airshipit/sstream-cache:latest - dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 + dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1 ingress_vip: docker.io/busybox:latest error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0 maas_syslog: quay.io/airshipit/maas-region-controller:latest + enable_tls: quay.io/airshipit/maas-region-controller:latest pull_policy: IfNotPresent local_registry: # TODO(portdirect): this chart does not yet support local image cacheing @@ -119,7 +128,7 @@ jobs: import_boot_resources: try_limit: 1 retry_timer: 10 - #default timeout: 15 minutes + # default timeout: 15 minutes timeout: 900 labels: @@ -222,12 +231,12 @@ conf: logfile: nodeboot.log logrotate: # How many rotated logs to keep - rotate: '30' + rotate: "30" # Size threshold when a log should rotate - size: '100M' + size: "100M" # levels (emerg,alert,crit,error,warning,notice,info,debug) # use 'info' as default when overwritting the default - log_level: 'info' + log_level: "info" maas: override: append: @@ -262,9 +271,9 @@ conf: # An external proxy server to use proxy_server: null images: - default_os: 'ubuntu' - default_image: 'bionic' - default_kernel: 'ga-18.04' + default_os: "ubuntu" + default_image: "focal" + default_kernel: "ga-20.04" credentials: secret: namespace: maas 
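Review bot: `dep_check` moves from the pinned `kubernetes-entrypoint:v0.3.1` to the floating `latest-ubuntu_focal` tag, and the new `enable_tls` image is `maas-region-controller:latest`; unpinned tags make rebuilds non-reproducible and let an upstream push change what runs in every pod without a chart change. `db_init: docker.io/library/postgres:14.5` in the same hunk is the right pattern. Pin the new tags to a version (ideally a digest, `image@sha256:…`), or add a comment that `latest` is a CI convenience expected to be overridden in production values.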
@@ -292,8 +301,15 @@ conf: # enlist_commissioning: if true, directly go into commissioning during enlistment enlist_commissioning: false # system user for console login/recovery in early phases of deployment - system_user: 'root' - system_passwd: 'password' + system_user: "root" + system_passwd: "password" + tls: + enabled: false + create: false + insecure: false # set to true to allow self-signed certs + ca: "" + cert: "" + key: "" drivers: null #### If you populates drivers, it will replace the 3rd party driver #### info that comes with MaaS. see structure below if it is needed @@ -339,8 +355,9 @@ secrets: admin: maas-admin maas_region: name: maas-region-secret - value: 3858f62230ac3c915f300c664312c63f ssh_key: ssh-private-key + maas_cert: maas-region-api-tls + maas_ingress_cert: maas-region-api-ingress-tls pod: mandatory_access_control: @@ -389,19 +406,19 @@ pod: readOnlyRootFilesystem: false capabilities: add: - - 'NET_ADMIN' - - 'SYS_MODULE' + - "NET_ADMIN" + - "SYS_MODULE" runAsUser: 0 maas_ingress_vip: readOnlyRootFilesystem: false capabilities: add: - - 'NET_ADMIN' + - "NET_ADMIN" maas_ingress: readOnlyRootFilesystem: false capabilities: add: - - 'NET_BIND_SERVICE' + - "NET_BIND_SERVICE" ingress_errors: pod: runAsUser: 65534 @@ -455,12 +472,12 @@ pod: readOnlyRootFilesystem: false capabilities: add: - - 'DAC_READ_SEARCH' - - 'NET_ADMIN' - - 'SYS_ADMIN' - - 'SYS_PTRACE' - - 'SYS_RESOURCE' - - 'SYS_TIME' + - "DAC_READ_SEARCH" + - "NET_ADMIN" + - "SYS_ADMIN" + - "SYS_PTRACE" + - "SYS_RESOURCE" + - "SYS_TIME" region: pod: runAsUser: 0 @@ -471,12 +488,12 @@ pod: readOnlyRootFilesystem: false capabilities: add: - - 'SYS_ADMIN' - - 'NET_ADMIN' - - 'SYS_PTRACE' - - 'SYS_TIME' - - 'SYS_RESOURCE' - - 'DAC_READ_SEARCH' + - "SYS_ADMIN" + - "NET_ADMIN" + - "SYS_PTRACE" + - "SYS_TIME" + - "SYS_RESOURCE" + - "DAC_READ_SEARCH" api_test: pod: runAsUser: 0 @@ -659,7 +676,6 @@ endpoints: syslog: public: 514 podport: 514 - maas_db: auth: admin: 
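Review bot: The comment on `tls.insecure` — `# set to true to allow self-signed certs` — understates the flag: every template in this patch turns it into `maas login --insecure`, which disables certificate verification entirely (any certificate, including an attacker's, is accepted), while the chart simultaneously mounts the CA so the self-signed case could be handled by trusting it. Reword to `# set to true to disable TLS certificate verification (MITM-able); to trust a private CA leave this false and supply tls.ca` and gate the CA mounts on `tls.enabled` instead. Removing the hard-coded `maas_region.value` in the next hunk is a real improvement — that shared secret was identical for every deployment of the chart.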
@@ -690,12 +706,15 @@ endpoints: path: default: /MAAS scheme: - default: 'http' + default: "http" port: region_api: default: 80 + secure: 443 nodeport: 31900 + nodeporttls: 31901 podport: 5240 + podporttls: 5443 public: 80 region_proxy: default: 8000 @@ -722,3 +741,10 @@ endpoints: default: http host_fqdn_override: default: null + +cert_manager: + enabled: false + create: false + issuer: + kind: ClusterIssuer + name: ca-issuer diff --git a/images/maas-rack-controller-jammy/3.5_ipmi_error.patch b/images/maas-rack-controller-jammy/3.5_ipmi_error.patch new file mode 100644 index 0000000..bcfafe3 --- /dev/null +++ b/images/maas-rack-controller-jammy/3.5_ipmi_error.patch @@ -0,0 +1,27 @@ +diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py +index 752ae66..e8f1632 100644 +--- a/src/provisioningserver/drivers/power/ipmi.py ++++ b/src/provisioningserver/drivers/power/ipmi.py +@@ -155,6 +155,13 @@ IPMI_ERRORS = { + ), + "exception": PowerConnError, + }, ++ "BMC error": { ++ "message": ( ++ "Device not responding correctly while performing power action." ++ " MAAS performed several retries. Please wait and try again." ++ ), ++ "exception": PowerConnError, ++ }, + "could not find inband device": { + "message": ( + "An inband device could not be found." +@@ -321,7 +328,7 @@ class IPMIPowerDriver(PowerDriver): + ), + ] + ip_extractor = make_ip_extractor("power_address") +- wait_time = (4, 8, 16, 32) ++ wait_time = (4, 4, 8, 8, 16, 16, 32, 32) + + def detect_missing_packages(self): + if not shell.has_command_available("ipmipower"): diff --git a/images/maas-rack-controller-jammy/3.5_nic_filter.patch b/images/maas-rack-controller-jammy/3.5_nic_filter.patch new file mode 100644 index 0000000..ba4da85 --- /dev/null +++ b/images/maas-rack-controller-jammy/3.5_nic_filter.patch 
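Review bot: `endpoints.maas_region.scheme.default` stays `"http"` even though the same hunk adds `secure`, `nodeporttls` and `podporttls` ports, and `keystone_endpoint_uri_lookup` builds MAAS_URL for the test pod (and presumably MAAS_ENDPOINT for the rack) from this scheme; with `tls.enabled` and the ingress redirecting http to https, clients are either bounced or talk plaintext on 80. Document that `scheme.default` must be set to `https` together with `tls.enabled`, or derive it in the templates with `{{ ternary "https" "http" .Values.conf.maas.tls.enabled }}`. The `cert_manager` block defaults `issuer.name` to `ca-issuer`; a comment that this must be a CA-type issuer (so the secret carries `ca.crt`) would prevent a confusing pod-start failure.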
@@ -0,0 +1,13 @@ +diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py +index 6124f68..fb1fa0b 100644 +--- a/src/provisioningserver/utils/network.py ++++ b/src/provisioningserver/utils/network.py +@@ -1187,6 +1187,8 @@ def get_all_interfaces_definition( + # interfaces for guests. By themselves, they're not useful for MAAS to + # manage. + "tunnel", ++ # Always exclude non-specific ethernet interfaces. ++ "ethernet", + ] + if not running_in_container(): + # When not running in a container, we should be able to identify diff --git a/images/maas-rack-controller-jammy/3.5_redfish_retries.patch b/images/maas-rack-controller-jammy/3.5_redfish_retries.patch new file mode 100644 index 0000000..040a0e8 --- /dev/null +++ b/images/maas-rack-controller-jammy/3.5_redfish_retries.patch @@ -0,0 +1,12 @@ +diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py +index e46d930..dbe17a3 100644 +--- a/src/provisioningserver/drivers/power/redfish.py ++++ b/src/provisioningserver/drivers/power/redfish.py +@@ -175,6 +175,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): + make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE), + ] + ip_extractor = make_ip_extractor("power_address") ++ wait_time = (4, 8, 16, 32) + + def detect_missing_packages(self): + # no required packages diff --git a/images/maas-rack-controller-jammy/3.5_secure_headers.patch b/images/maas-rack-controller-jammy/3.5_secure_headers.patch new file mode 100644 index 0000000..ca66adf --- /dev/null +++ b/images/maas-rack-controller-jammy/3.5_secure_headers.patch 
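Review bot: The added `"ethernet"` entry excludes every interface MAAS classifies as plain ethernet from discovery on the rack controller, which is broader than the "Calico interfaces are ignored" motivation given in the Dockerfile, and the in-patch comment does not say why. If the intent is really all ethernet interfaces in the container, state it: `# Exclude plain ethernet interfaces (e.g. Calico veths): the rack controller must not manage them.`; if only Calico is meant, a name-based filter would be the narrower change. The enclosing `get_all_interfaces_definition` continues outside the hunk.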
@@ -0,0 +1,12 @@ +diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py +index d30156b..3a04ecb 100644 +--- a/src/twisted/web/server.py ++++ b/src/twisted/web/server.py +@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized): + self.site = self.channel.site + + # set various default headers +- self.setHeader(b"server", version) + self.setHeader(b"date", http.datetimeToString()) + + # Resource Identification diff --git a/images/maas-rack-controller-jammy/3.5_transfer_trusted_only.patch b/images/maas-rack-controller-jammy/3.5_transfer_trusted_only.patch new file mode 100644 index 0000000..faa6dcf --- /dev/null +++ b/images/maas-rack-controller-jammy/3.5_transfer_trusted_only.patch @@ -0,0 +1,9 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index d76fcfa9a..0cca0fe8d 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -18,3 +18,4 @@ allow-recursion { trusted; }; + {{if not upstream_allow_query_cache}} + allow-query-cache { trusted; }; + {{endif}} ++allow-transfer { trusted; }; diff --git a/images/maas-rack-controller-jammy/Dockerfile b/images/maas-rack-controller-jammy/Dockerfile new file mode 100644 index 0000000..a7dc487 --- /dev/null +++ b/images/maas-rack-controller-jammy/Dockerfile 
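Review bot: This patch is committed twice, byte-identical (same `index d30156b..3a04ecb`), here and under images/maas-region-controller-jammy/, as is 3.5_transfer_trusted_only.patch; keeping a single copy that both image builds COPY would stop the pair from drifting, if the build context allows it. It also edits the distro Twisted under dist-packages, so the `Server` header disappears from every Twisted HTTP listener in the container, not only the MAAS API; that scope is worth stating in the Dockerfile comment at the COPY line, which is currently the only patch without an explanation.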
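Review bot: `allow-transfer { trusted; };` lands next to `allow-recursion`/`allow-query-cache`, i.e. presumably inside the global `options` block judging from the template name, so it is a default for all zones and any `zone` statement carrying its own `allow-transfer` still overrides it. The Dockerfile comment "restrict access to zone transfers" should say it is a default rather than a hard restriction, unless it has been confirmed that MAAS-generated zone stanzas do not set `allow-transfer` themselves; I cannot tell from this patch.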
@@ -0,0 +1,93 @@ +ARG FROM=quay.io/airshipit/ubuntu:jammy +FROM ${FROM} + +LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' +LABEL org.opencontainers.image.url='https://airshipit.org' +LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas' +LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas' +LABEL org.opencontainers.image.vendor='The Airship Authors' +LABEL org.opencontainers.image.licenses='Apache-2.0' + +ARG HTTP_PROXY +ARG HTTPS_PROXY +ARG NO_PROXY +ARG http_proxy +ARG https_proxy +ARG no_proxy + +ENV DEBIAN_FRONTEND noninteractive +ENV container docker + +ENV MAAS_VERSION 1:3.5.4-16349-g.4dbbed5f4-0ubuntu1~22.04.1 + +RUN apt-get -qq update \ + && apt-get install -y \ + avahi-daemon \ + isc-dhcp-server \ + jq \ + libvirt-clients \ + libvirt-daemon-system\ + patch \ + software-properties-common \ + sudo \ + systemd \ + ca-certificates \ +# Don't start any optional services except for the few we need. 
+# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd) + && find /etc/systemd/system \ + /lib/systemd/system \ + -path '*.wants/*' \ + -not -name '*journald*' \ + -not -name '*systemd-tmpfiles*' \ + -not -name '*systemd-user-sessions*' \ + -exec rm \{} \; \ + && systemctl set-default multi-user.target \ +# Install maas from the ppa + && add-apt-repository -yu ppa:maas/3.5 \ + && apt-get install -y \ + maas-rack-controller=$MAAS_VERSION \ + && rm -rf /var/lib/apt/lists/* + +# Preserve the directory structure, permissions, and contents of /var/lib/maas +RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas + +# register ourselves with the region controller +COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service +RUN systemctl enable register-rack-controller.service + +# Patch so that Calico interfaces are ignored +COPY 3.5_nic_filter.patch /tmp/3.5_nic_filter.patch +COPY 3.5_secure_headers.patch /tmp/3.5_secure_headers.patch +# Patch so maas knows that "BMC error" is retriable +COPY 3.5_ipmi_error.patch /tmp/3.5_ipmi_error.patch +# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC +COPY 3.5_redfish_retries.patch /tmp/3.5_redfish_retries.patch +# Patch to restrict access to zone transfers +COPY 3.5_transfer_trusted_only.patch /tmp/3.5_transfer_trusted_only.patch + +RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.5_nic_filter.patch +RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.5_secure_headers.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.5_ipmi_error.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.5_redfish_retries.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < 
/tmp/3.5_transfer_trusted_only.patch + +# echo journalctl logs to the container's stdout +COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service +RUN systemctl enable journalctl-to-tty.service + +# quiet sudo for the maas user +RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log + +# avoid triggering bind9 high cpu utilization bug +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns + +# fix chronyd.pid permission +COPY scripts/override.chrony.conf /etc/systemd/system/chrony.service.d/override.conf + +# fix httpproxy.sock permission +COPY scripts/maas-http-watcher.service /etc/systemd/system/maas-http-watcher.service +COPY scripts/maas-http-watcher.path /etc/systemd/system/maas-http-watcher.path +RUN systemctl enable maas-http-watcher.service + +# initalize systemd +CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] diff --git a/images/maas-rack-controller-jammy/README.md b/images/maas-rack-controller-jammy/README.md new file mode 100644 index 0000000..0a11659 --- /dev/null +++ b/images/maas-rack-controller-jammy/README.md @@ -0,0 +1 @@ +[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller diff --git a/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service new file mode 100644 index 0000000..2725055 --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service @@ -0,0 +1,13 @@ +[Unit] +Description=Journald console log streamer +Requires=systemd-journald.service +After=systemd-journald.service + +[Service] +Restart=always +RestartSec=0 +ExecStart=/bin/journalctl -f +StandardOutput=tty + +[Install] +WantedBy=basic.target 
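Review bot: The comment `# Patch so that Calico interfaces are ignored` sits above two COPY lines, and the second, `3.5_secure_headers.patch`, is unrelated and is the only patch left unexplained; add `# Patch to drop the Twisted Server response header (suppresses version disclosure)` above it. The `/tmp/3.5_*.patch` files also stay in the final image; a trailing `RUN rm -f /tmp/3.5_*.patch` after the last patch step keeps the layer tidy, and `tar -cvzf` could lose the `v` to keep build logs readable. Both points apply equally to images/maas-region-controller-jammy/Dockerfile, which also spells `# initalize systemd`.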
diff --git a/images/maas-rack-controller-jammy/scripts/maas-http-watcher.path b/images/maas-rack-controller-jammy/scripts/maas-http-watcher.path new file mode 100644 index 0000000..7a6b60f --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/maas-http-watcher.path @@ -0,0 +1,5 @@ +[Path] +PathModified=/var/run/maas/httpproxy.sock + +[Install] +WantedBy=multi-user.target diff --git a/images/maas-rack-controller-jammy/scripts/maas-http-watcher.service b/images/maas-rack-controller-jammy/scripts/maas-http-watcher.service new file mode 100644 index 0000000..89ccd4b --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/maas-http-watcher.service @@ -0,0 +1,9 @@ +[Unit] +Description=MAAS HTTP server and reverse proxy server +After=network.target + +[Service] +ExecStart=bash -c 'until (stat -f /var/run/maas/httpproxy.sock); do sleep 60; done; chmod o+rw /var/run/maas/httpproxy.sock' + +[Install] +WantedBy=multi-user.target diff --git a/images/maas-rack-controller-jammy/scripts/override.chrony.conf b/images/maas-rack-controller-jammy/scripts/override.chrony.conf new file mode 100644 index 0000000..6f3cd41 --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/override.chrony.conf @@ -0,0 +1,3 @@ +[Service] +ExecStartPre=-mkdir -p /var/log/chrony +ExecStartPre=-chown root /var/run/chrony diff --git a/images/maas-rack-controller-jammy/scripts/register-rack-controller.service b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service new file mode 100644 index 0000000..fb439d3 --- /dev/null +++ b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service @@ -0,0 +1,12 @@ +[Unit] +Description=Register with MaaS Region Controller +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH +ExecStart=/usr/local/bin/register-rack-controller.sh + +[Install] +WantedBy=multi-user.target 
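Review bot: `chmod o+rw /var/run/maas/httpproxy.sock` makes the proxy socket writable by every uid in the container, which is wider than the "fix httpproxy.sock permission" comment suggests; if one service user needs it, `chgrp <group>` plus `chmod g+rw` is the least-privilege form, and the unit's Description should name that consumer. The wait loop also uses `stat -f`, which prints filesystem statistics to stdout on every iteration; `until [ -S /var/run/maas/httpproxy.sock ]; do sleep 60; done` is the quiet existence check for a socket. Which process opens the socket is not visible here, so whether a group suffices needs confirming.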
diff --git a/images/maas-region-controller-jammy/3.5_configure_ipmi_user.patch b/images/maas-region-controller-jammy/3.5_configure_ipmi_user.patch new file mode 100644 index 0000000..136b928 --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_configure_ipmi_user.patch 
@@ -0,0 +1,70 @@ +diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py +index 9d032ee..b01a12a 100755 +--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py ++++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py +@@ -129,17 +129,27 @@ class BMCConfig(metaclass=ABCMeta): + """Returns boolean value of whether the BMC was detected.""" + + def add_bmc_user(self): +- """Add the specified BMC user and (re)set its password. +- +- Should set the username and password, even if it hasn't been +- changed. +- """ +- # MAAS is the default user and will always be passed to the script. +- if self.username not in (None, "maas"): +- print( +- "WARNING: Unable to set a specific username or password on %s!" +- % self +- ) ++ """Create/configure an IPMI user, but with several tries""" ++ attempt = 1 ++ max_attempts = 5 ++ backoff_amount = 30 ++ exceptions_caught = [] ++ while attempt <= max_attempts: ++ print("INFO: Attempt to add IPMI BMC user - %s" % attempt) ++ try: ++ self._add_bmc_user() ++ except Exception as e: ++ exceptions_caught.append(e) ++ if (attempt + 1) > max_attempts: ++ # This is our last attempt, exiting ++ print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr) ++ sys.exit(1) ++ ++ if self.password is None: ++ time.sleep(attempt * backoff_amount) ++ else: ++ return ++ attempt += 1 + + def configure(self): + """Configure the BMC for use.""" +@@ -188,7 +198,7 @@ class IPMIBase(BMCConfig): + first_unused = section_name + return first_unused + +- def add_bmc_user(self): ++ def _add_bmc_user(self): + if not self.username: + self.username = "maas" + user_number = self._pick_user_number(self.username) +@@ -212,7 +222,7 @@ class IPMIBase(BMCConfig): + if self._bmc_config[user_number].get(key) != value: + self._bmc_set(user_number, key, value) + except Exception: +- pass ++ raise + else: + 
self.password = password + # Not all user settings are available on all BMC keys, its +@@ -227,8 +237,6 @@ class IPMIBase(BMCConfig): + "Yes", + ) + return +- print("ERROR: Unable to add BMC user!", file=sys.stderr) +- sys.exit(1) + + def _bmc_get_config(self, section=None): + """Fetch and cache all BMC settings.""" diff --git a/images/maas-region-controller-jammy/3.5_kernel_package.patch b/images/maas-region-controller-jammy/3.5_kernel_package.patch new file mode 100644 index 0000000..a3b095b --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_kernel_package.patch @@ -0,0 +1,31 @@ +diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py +index 72a7c86..4559326 100644 +--- a/src/maasserver/preseed.py ++++ b/src/maasserver/preseed.py +@@ -254,7 +254,26 @@ def compose_curtin_kernel_preseed(node): + if node.get_osystem() == "custom": + return [] + ++ # previous logic to retrieve kpackage parameter + kpackage = BootResource.objects.get_kpackage_for_node(node) ++ ++ # determine if this node has kernel parameters applied by drydock ++ # and override kpackage if we discover the right properties ++ kernel_opt_tag = "%s_kp" % (node.hostname) ++ if kernel_opt_tag in node.tag_names(): ++ ++ # the tag exists, retrieve it ++ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts ++ ++ # parse the string and find our package param value ++ # e.g. kernel_package=linux-image-4.15.0-34-generic ++ kparams = kernel_opts.split() ++ kdict = dict( ++ kparam.split("=", 1) for kparam in kparams if "=" in kparam ++ ) ++ if "kernel_package" in kdict: ++ kpackage = kdict["kernel_package"] ++ + if kpackage: + kernel_config = {"kernel": {"package": kpackage, "mapping": {}}} + return [yaml.safe_dump(kernel_config)] diff --git a/images/maas-region-controller-jammy/3.5_partitiontable_does_not_exist.patch b/images/maas-region-controller-jammy/3.5_partitiontable_does_not_exist.patch new file mode 100644 index 0000000..8346799 --- /dev/null 
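Review bot: The retry loop calls `time.sleep`, but the patch adds no `import time` to bmc_config.py and `time` appears in none of the context lines; if the module does not already import it, the first retry raises NameError instead of backing off, so the import should be added or verified against the file. The `if self.password is None: ... else: return` after the `except` also reports success when `_add_bmc_user` raised but `self.password` had been set by an earlier attempt, so a partially configured user counts as done; tracking success with a flag set only when `_add_bmc_user` returns normally would make the condition explicit. The enclosing class continues outside the hunk.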
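Review bot: `kernel_opts.split()` assumes the tag's `kernel_opts` is a string, and nothing in the hunk rules out `None` for a tag created without kernel options, in which case preseed generation for the node aborts with AttributeError; guard it with `kparams = (kernel_opts or "").split()`. A comment should also state that `kdict["kernel_package"]` is taken verbatim from operator-managed tag data and flows straight into the curtin kernel config, since the tag name `<hostname>_kp` is the only selector. `compose_curtin_kernel_preseed` continues outside the hunk.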
+++ b/images/maas-region-controller-jammy/3.5_partitiontable_does_not_exist.patch @@ -0,0 +1,13 @@ +diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py +index 4302d8d..f0e51c8 100644 +--- a/src/maasserver/api/partitions.py ++++ b/src/maasserver/api/partitions.py +@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler): + device = BlockDevice.objects.get_block_device_or_404( + system_id, device_id, request.user, NodePermission.view + ) +- partition_table = device.partitiontable_set.get() ++ partition_table = device.get_partitiontable() + if partition_table is None: + return [] + else: diff --git a/images/maas-region-controller-jammy/3.5_proxy_acl.patch b/images/maas-region-controller-jammy/3.5_proxy_acl.patch new file mode 100644 index 0000000..0de535e --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_proxy_acl.patch @@ -0,0 +1,10 @@ +18,24c18 +< http_access allow maas_proxy_manager localhost +< http_access deny maas_proxy_manager +< http_access deny !Safe_ports +< http_access deny CONNECT !SSL_ports +< http_access allow localnet +< http_access allow localhost +< http_access deny all +--- +> http_access allow all diff --git a/images/maas-region-controller-jammy/3.5_regex_tags.patch b/images/maas-region-controller-jammy/3.5_regex_tags.patch new file mode 100644 index 0000000..fd96f95 --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_regex_tags.patch 
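Review bot: Replacing the whole block with `http_access allow all` removes not only the `localnet`/`localhost` source restriction that the Dockerfile comment targets but also `deny !Safe_ports` and `deny CONNECT !SSL_ports`, so the MAAS proxy will CONNECT to any port for any client that reaches it. If source ACLs are what break behind the ingress, keep the port rules and change only the tail: `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports`, `http_access allow all`, and limit who reaches the proxy at the network layer. The `maas_proxy_manager` rules are dropped as well; the Dockerfile comment should say so.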
@@ -0,0 +1,24 @@ +diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py +index 2cbaa9d..bb83b4b 100644 +--- a/src/maasserver/models/ownerdata.py ++++ b/src/maasserver/models/ownerdata.py +@@ -17,7 +17,7 @@ from django.db.models import ( + + from maasserver.models.cleansave import CleanSave + +-DATA_KEY_RE = re.compile(r"[\w.-]+$") ++#DATA_KEY_RE = re.compile(r"[\w.-]+$") + + + class OwnerDataManager(Manager): +@@ -32,8 +32,8 @@ class OwnerDataManager(Manager): + if value is None: + to_remove.add(key) + else: +- if not DATA_KEY_RE.match(key): +- raise ValueError("Invalid character in key name") ++ # if not DATA_KEY_RE.match(key): ++ # raise ValueError("Invalid character in key name") + + self.update_or_create( + node=node, key=key, defaults={"value": value} diff --git a/images/maas-region-controller-jammy/3.5_route.patch b/images/maas-region-controller-jammy/3.5_route.patch new file mode 100644 index 0000000..676204c --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_route.patch @@ -0,0 +1,17 @@ +diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py +index 1203e6b..5475b18 100644 +--- a/src/maasserver/preseed_network.py ++++ b/src/maasserver/preseed_network.py +@@ -307,7 +307,11 @@ class InterfaceConfiguration: + + def _get_matching_routes(self, source): + """Return all route objects matching `source`.""" +- return {route for route in self.routes if route.source == source} ++ return { ++ route ++ for route in self.routes ++ if str(route.source.cidr) == str(source.cidr) ++ } + + def _generate_addresses(self): + """Generate the various addresses needed for this interface.""" diff --git a/images/maas-region-controller-jammy/3.5_secure_headers.patch b/images/maas-region-controller-jammy/3.5_secure_headers.patch new file mode 100644 index 0000000..ca66adf --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_secure_headers.patch 
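Review bot: Commenting out `DATA_KEY_RE` removes owner-data key validation entirely rather than widening it, so whitespace, control characters or an empty string are now accepted as keys; since the stated goal is to allow `/`, extending the pattern is the safer change: `DATA_KEY_RE = re.compile(r"[\w./-]+$")` with the original `if not DATA_KEY_RE.match(key): raise ValueError("Invalid character in key name")` left in place. Leaving the regex and the check as comments also leaves dead code in the patched module. The enclosing method continues outside the hunk.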
@@ -0,0 +1,12 @@ +diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py +index d30156b..3a04ecb 100644 +--- a/src/twisted/web/server.py ++++ b/src/twisted/web/server.py +@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized): + self.site = self.channel.site + + # set various default headers +- self.setHeader(b"server", version) + self.setHeader(b"date", http.datetimeToString()) + + # Resource Identification diff --git a/images/maas-region-controller-jammy/3.5_transfer_trusted_only.patch b/images/maas-region-controller-jammy/3.5_transfer_trusted_only.patch new file mode 100644 index 0000000..faa6dcf --- /dev/null +++ b/images/maas-region-controller-jammy/3.5_transfer_trusted_only.patch @@ -0,0 +1,9 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index d76fcfa9a..0cca0fe8d 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -18,3 +18,4 @@ allow-recursion { trusted; }; + {{if not upstream_allow_query_cache}} + allow-query-cache { trusted; }; + {{endif}} ++allow-transfer { trusted; }; diff --git a/images/maas-region-controller-jammy/Dockerfile b/images/maas-region-controller-jammy/Dockerfile new file mode 100644 index 0000000..683cf76 --- /dev/null +++ b/images/maas-region-controller-jammy/Dockerfile 
@@ -0,0 +1,93 @@ +ARG FROM=quay.io/airshipit/ubuntu:jammy +FROM ${FROM} + +LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' +LABEL org.opencontainers.image.url='https://airshipit.org' +LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas' +LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas' +LABEL org.opencontainers.image.vendor='The Airship Authors' +LABEL org.opencontainers.image.licenses='Apache-2.0' + +ARG HTTP_PROXY +ARG HTTPS_PROXY +ARG NO_PROXY +ARG http_proxy +ARG https_proxy +ARG no_proxy + +ENV DEBIAN_FRONTEND noninteractive +ENV container docker + +ENV MAAS_VERSION 1:3.5.4-16349-g.4dbbed5f4-0ubuntu1~22.04.1 + +RUN apt-get -qq update \ + && apt-get install -y \ + avahi-daemon \ + jq \ + patch \ + software-properties-common \ + sudo \ + systemd \ + cron \ + ca-certificates \ + bind9-dnsutils \ +# Don't start any optional services except for the few we need. 
+# (specifically, don't start avahi-daemon) + && find /etc/systemd/system \ + /lib/systemd/system \ + -path '*.wants/*' \ + -not -name '*journald*' \ + -not -name '*systemd-tmpfiles*' \ + -not -name '*systemd-user-sessions*' \ + -exec rm \{} \; \ + && systemctl set-default multi-user.target \ +# Install maas from the ppa + && add-apt-repository -yu ppa:maas/3.5 \ + && apt-get install -y \ + maas-region-api=$MAAS_VERSION \ + # tcpdump is required by /usr/lib/maas/beacon-monitor + tcpdump \ + && rm -rf /var/lib/apt/lists/* + +# Preserve the directory structure, permissions, and contents of /var/lib/maas +RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas + +# MAAS workarounds +COPY 3.5_route.patch /tmp/3.5_route.patch +COPY 3.5_kernel_package.patch /tmp/3.5_kernel_package.patch +# sh8121att: allow all requests via the proxy to allow it to work +# behind ingress +COPY 3.5_proxy_acl.patch /tmp/3.5_proxy_acl.patch +# Patch to add retrying to MaaS BMC user setup, and improve exception handling +COPY 3.5_configure_ipmi_user.patch /tmp/3.5_configure_ipmi_user.patch +COPY 3.5_secure_headers.patch /tmp/3.5_secure_headers.patch +COPY 3.5_partitiontable_does_not_exist.patch /tmp/3.5_partitiontable_does_not_exist.patch +# Allow tags with '/' symbols +COPY 3.5_regex_tags.patch /tmp/3.5_regex_tags.patch +# Patch to restrict access to zone transfers +COPY 3.5_transfer_trusted_only.patch /tmp/3.5_transfer_trusted_only.patch + +RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.5_route.patch +RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.5_kernel_package.patch +RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.5_configure_ipmi_user.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.5_proxy_acl.patch +RUN cd 
/usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.5_secure_headers.patch +RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.5_partitiontable_does_not_exist.patch +RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.5_regex_tags.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.5_transfer_trusted_only.patch + +# echo journalctl logs to the container's stdout +COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service +RUN systemctl enable journalctl-to-tty.service + +# quiet sudo for the maas user +RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log + +# avoid triggering bind9 high cpu utilization bug +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns + +# fix chronyd.pid permission +COPY override.chrony.conf /etc/systemd/system/chrony.service.d/override.conf + +# initalize systemd +CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] diff --git a/images/maas-region-controller-jammy/README.md b/images/maas-region-controller-jammy/README.md new file mode 100644 index 0000000..cd33b83 --- /dev/null +++ b/images/maas-region-controller-jammy/README.md @@ -0,0 +1 @@ +[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller diff --git a/images/maas-region-controller-jammy/journalctl-to-tty.service b/images/maas-region-controller-jammy/journalctl-to-tty.service new file mode 100644 index 0000000..2725055 --- /dev/null +++ b/images/maas-region-controller-jammy/journalctl-to-tty.service 
@@ -0,0 +1,13 @@ +[Unit] +Description=Journald console log streamer +Requires=systemd-journald.service +After=systemd-journald.service + +[Service] +Restart=always +RestartSec=0 +ExecStart=/bin/journalctl -f +StandardOutput=tty + +[Install] +WantedBy=basic.target diff --git a/images/maas-region-controller-jammy/override.chrony.conf b/images/maas-region-controller-jammy/override.chrony.conf new file mode 100644 index 0000000..6f3cd41 --- /dev/null +++ b/images/maas-region-controller-jammy/override.chrony.conf @@ -0,0 +1,3 @@ +[Service] +ExecStartPre=-mkdir -p /var/log/chrony +ExecStartPre=-chown root /var/run/chrony diff --git a/images/sstream-cache-jammy/Dockerfile b/images/sstream-cache-jammy/Dockerfile new file mode 100644 index 0000000..b96da10 --- /dev/null +++ b/images/sstream-cache-jammy/Dockerfile 
@@ -0,0 +1,49 @@ +ARG FROM=quay.io/airshipit/ubuntu:jammy +FROM ${FROM} + +LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' +LABEL org.opencontainers.image.url='https://airshipit.org' +LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas' +LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas' +LABEL org.opencontainers.image.vendor='The Airship Authors' +LABEL org.opencontainers.image.licenses='Apache-2.0' + +ARG HTTP_PROXY +ARG HTTPS_PROXY +ARG NO_PROXY +ARG http_proxy +ARG https_proxy +ARG no_proxy + +ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/ +ARG SSTREAM_RELEASE=jammy + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get -qq update && \ + apt-get install -y --no-install-recommends \ + apache2 \ + file \ + gpgv \ + python3-certifi \ + simplestreams \ + ubuntu-cloudimage-keyring + +RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \ + /var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress + +RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \ + /var/www/html/maas/images/ephemeral-v3/daily 'os~(grub*|pxelinux)' --max=1 --progress + +RUN sh -c 'echo "" > /etc/apache2/ports.conf' + +ENV APACHE_RUN_USER=www-data +ENV APACHE_RUN_GROUP=www-data +ENV APACHE_PID_FILE=/var/run/apache2.pid +ENV APACHE_RUN_DIR=/var/run/ +ENV APACHE_LOCK_DIR=/var/lock +ENV APACHE_LOG_DIR=/var/log/ +ENV LANG=C + +ENTRYPOINT ["/usr/sbin/apache2"] +CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"] diff --git a/images/sstream-cache/Dockerfile b/images/sstream-cache/Dockerfile index 1ff4fd0..b270972 100644 --- a/images/sstream-cache/Dockerfile +++ b/images/sstream-cache/Dockerfile 
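Review bot: The `apt-get install` layer never removes `/var/lib/apt/lists/*`, unlike the rack and region Dockerfiles in this change, so the package index is baked into the image; append `&& rm -rf /var/lib/apt/lists/*` to that RUN. The same applies to the rewritten install step in images/sstream-cache/Dockerfile. The two `sstream-mirror` calls pass the cloudimage keyring, so the mirrored streams are signature-checked; a one-line comment saying so would make that intent visible to the next maintainer.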
@@ -1,4 +1,4 @@ -ARG FROM=ubuntu:18.04 +ARG FROM=public.ecr.aws/docker/library/ubuntu:bionic FROM ${FROM} LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' @@ -18,15 +18,16 @@ ARG no_proxy ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/ ARG SSTREAM_RELEASE=bionic -ENV DEBIAN_FRONTEND noninteractive +ENV DEBIAN_FRONTEND=noninteractive RUN apt-get -qq update && \ - apt install -y simplestreams \ - apache2 \ - gpgv \ - ubuntu-cloudimage-keyring \ - python-certifi --no-install-recommends \ - file + apt-get install -y --no-install-recommends \ + apache2 \ + file \ + gpgv \ + python3-certifi \ + simplestreams \ + ubuntu-cloudimage-keyring RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \ /var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress @@ -36,13 +37,13 @@ RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg $ RUN sh -c 'echo "" > /etc/apache2/ports.conf' -ENV APACHE_RUN_USER www-data -ENV APACHE_RUN_GROUP www-data -ENV APACHE_PID_FILE /var/run/apache2.pid -ENV APACHE_RUN_DIR /var/run/ -ENV APACHE_LOCK_DIR /var/lock -ENV APACHE_LOG_DIR /var/log/ -ENV LANG C +ENV APACHE_RUN_USER=www-data +ENV APACHE_RUN_GROUP=www-data +ENV APACHE_PID_FILE=/var/run/apache2.pid +ENV APACHE_RUN_DIR=/var/run/ +ENV APACHE_LOCK_DIR=/var/lock +ENV APACHE_LOG_DIR=/var/log/ +ENV LANG=C ENTRYPOINT ["/usr/sbin/apache2"] CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"] diff --git a/tools/gate/playbooks/docker-image-build.yaml b/tools/gate/playbooks/docker-image-build.yaml index 87b696e..4e5d394 100644 --- a/tools/gate/playbooks/docker-image-build.yaml +++ b/tools/gate/playbooks/docker-image-build.yaml 
@@ -13,6 +13,12 @@ # limitations under the License. - hosts: primary + roles: + - bindep + - ensure-docker + - ensure-python + - ensure-pip + tasks: - include_vars: vars.yaml @@ -40,9 +46,19 @@ debug: var: image_tags - - name: docker install - include_role: - name: ensure-docker + - name: Install Docker python module for ansible docker login + block: + - pip: + name: docker + executable: pip3 + become: True + + - name: Install tox python module for ansible docker login + block: + - pip: + name: tox + executable: pip3 + become: True - name: Make images when: not publish @@ -65,9 +81,10 @@ - name: Publish images block: - docker_login: - username: "{{ airship_maas_quay_creds.username }}" - password: "{{ airship_maas_quay_creds.password }}" + username: "{{ airship_armada_quay_creds.username }}" + password: "{{ airship_armada_quay_creds.password }}" registry_url: "https://quay.io/api/v1/" + api_version: "1.43" - make: chdir: "{{ zuul.project.src_dir }}"
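Review bot: Both new pip tasks install unpinned packages (`docker`, `tox`) from PyPI as root (`become: True`) on every gate run, so the build toolchain floats with whatever is current; pin them with `version: "<pinned version>"` under each `pip:` entry (placeholder) or a constraints file. `become: True` should be `become: true` to match the file's lowercase booleans (yamllint truthy). The second task's name, `Install tox python module for ansible docker login`, is a copy-paste of the first and tox plays no part in docker login; rename it, e.g. `Install tox python module for the image build`. The single-task `block:` wrappers add nothing and can be flattened.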