@larryrensing working this issue.

We should set sane values for rolling dates in each chart (where relevant), ensuring that values such as maxSurge, and others are controllable by the operator.

http://kubernetes.io/docs/admin/disruptions/

This ensures that operators can safely drain nodes without having to understand all the complexity underneath.

Services that would require this and likely require "minAvailable:" would be:

• ceph monitors (2 for quorum)
• ceph osds (would think 2 but could be 1 since our default pool maintains 3 copies - this is understandably a simplification of more advanced configurations users may place on top such as pools with only 1 or 2 copies which would contradict this for now)
• mariadb (2 for quorum)
• All OpenStack API services: (1)
• DHCP and L3 services: (1)

Create a container that can then be used in a Kubernetes/Jenkins workflow. The goal should be:

• Use the existing Jenkins Helm chart to deploy a complete Jenkins system that can be used for building out Kolla containers.
• Add entrypoint logic (again, using Kolla-build --include-footer flags).
• Should be developer initiated into the CI pipeline.
• Make it useable for anyone (create sensible ENV's).

In the common chart we have a function called: joinListWithColon

• https://github.com/att-comdev/openstack-helm/blob/master/common/templates/_funcs.tpl#L1

This should be joinListWithComma

Many mount points including / are read-only on RPM-OSTREE Linux distros like Atomic, as a result, the default development values do not work: as there is no /data directory.

We should either update the documentation to tell users how to change this value, or update it to one that is acceptable for both minikube and Atomic Linux e.g: /var/lib/localkube.

• https://github.com/att-comdev/openstack-helm/blob/master/mariadb/values.yaml#L22

@DTadrzak @PiotrProkop we started to document things a little better for outside collaborators (others have expressed interest too). there's now a project under this repo that will help keep things sane.

@Ciello89 is working this issue.

This would be very helpful when k8s would move init containers out of annotations.

we need to do a db 'restart/db sync' in order to update maas tables when going from one version to another. it would be nice to automate this process going forward.

In order to get rid of Daemonsets We should use a Deployments which use NodeAffinity/PodAffinity/PodAnti-Affinity.

Thanks to this approach we would be able to use only two kinds of labels (openstack-control-plane, openstack-compute-node), we don't need to take care about ovs label. It makes cluster administrating easier.

What's more It's first step to support drain command(#36) in OpenStack-helm solution.

Regarding to dynamic changes in cluster configuration. We can set replicas: 1000 so that Operators don't need to take care about increasing the amount every time, when a new server is discovered. What's more if we add PodAnti-Affinity to deployment annotations we are sure that only 1 instance per node is deployed.

i would like to look at policies that could restrict access from all services having direct access to the API (wherever possible/within reason). perhaps a PoC with something like https://github.com/aporeto-inc/trireme could be used, or possibly calico/romana?

@alanmeadows working this issue.

Once the initial 0.1.0 release is cut I think it would be good idea to formally define a structure for use within values.yaml, this will make the orchestration of multiple services much easier to manage and provide a source of truth for both new contributors and services to use as a reference source.

In particular, I think this should cover (as a starting point):

• Image Tags & Pull Policy
• Resouces:
  • Replicas
  • RAM/CPU allocation
• Service/Networking
  • Ports
  • K8s Service name/type
  • Ingress
  • Namespacing
• Keystone
  • Admin Creds
  • Service Creds
• Database
  • URI
  • Admin Creds
  • User Creds
• Service specific config (a generic structure layout)

Commit 6f124d5 added NodeSelectors to several jobs across several components, using the value ".Vales.labels.node_selector_key". However, some components (neutron, nova) have more granular node selection, e.g. ".Values.labels.server.node_selector_key", and this is causing make to fail with errors like the following for me:

==> Linting neutron
[ERROR] templates/job-db-sync.yaml: unable to parse YAML
error converting YAML to JSON: yaml: line 9: did not find expected key
[ERROR] templates/job-init.yaml: unable to parse YAML
error converting YAML to JSON: yaml: line 9: did not find expected key
[ERROR] templates/job-post.yaml: unable to parse YAML
error converting YAML to JSON: yaml: line 9: did not find expected key

We need to define contribution guidelines, create issue templates and automatically label based on key words, etc.

Foundational Elements for Openstack (charts):

• MaaS (Bare Metal Provisioning)
• • Ensure ceph storage is persistent #15
• • Persistant Volumes for MaaS #23
• Ceph (Persistent Storage)
• • Initial commit of ceph helm chart #1
• • aic-helm normalization #14
• • Ensure ceph storage is persistent #15
• • Update readme to fix secret generation ordering #33
• • Allow more control over ceph chart #39
• • Create a globals or master.yaml override harness for all independent charts #42
• MariaDB (Database)
• • Adding MariaDB #3
• • Add missing init_containers for keystone and MariaDB #8
• • Refactor MariaDB now that rbd PVCs can be leveraged #9
• • General Cleanup #11
• • Refactor keystone with new subdirectory template layout #19
• • Refactor MariaDB to match keystone template layout #40
• • Convert Helm chart to 2.1.0 format and Kubernetes 1.5 StatefulSets #51
• RabbitMQ
• • Basic version of rabbitmq #6
• • Fixing labels in rabbitmq #7
• • General Cleanup #11
• • aic-helm normalization #14
• Memcached
• • Adding Memcached #5
• • General Cleanup #11
• • Refactor Memcached #85

Primary Openstack Services (charts):

• Keystone (Persistent Storage)
• • Adding keystone #4
• • Add missing init_containers for keystone and MariaDB #8
• • General Cleanup #11
• • Keystone fix #12
• • Refactor keystone with new subdirectory template layout #19
• • Refactor mariadb to match keystone template layout #40
• • Refactor glance to match keystone template layout #41
• • Create a globals or master.yaml override harness for all independent charts #42
• Glance (Database)
• • Adding support for glance service #17
• • Refactor keystone with new subdirectory template layout #19
• • Refactor glance #118
• Nova
• Neutron
• Heat
• Cinder
• Horizon

CI Workflow(s):

• Build/Push custom container images from Jenkins
• • Build Docker Container-Kolla-Build Containers via Jenkins workflow as a Kubernetes Pod #20

In this release, we are able to demonstrate the following:

• Demonstrate Helm-Driven Resource Quotas
• Demonstrate a single service upgrade (Keystone)
• Demonstrate Legacy KVM Instance: Legacy KVM artifact running as a container
• Demonstrate Resiliency Aspects
• • Disconnect Control Plane Host
• • Re-Provision Control Plane from Scratch

We want to document the use of Registries, components, trends, Jenkins pipelines, etc for general user consumption. A good example of this is Openstack Ansible project.

each of the openstack-helm charts need to have configurable resource quotas: i.e. chart/templates//deployment.yaml & chart/values.yaml

for more information: http://kubernetes.io/docs/admin/resourcequota/

https://github.com/kubernetes/helm/blob/master/docs/chart_repository.md#share-your-charts-with-others

this would remove the need to clone and install things locally.

See https://github.com/aweber/rabbitmq-autocluster

We should investigate leveraging the DNS backend, since this should be supported natively with a kubernetes service, as opposed to using etcd.

For a working example, see https://github.com/openstack/fuel-ccp-rabbitmq - however this example uses etcd and would prefer to validate the DNS approach works.

https://github.com/asobti/kube-monkey

The goal here is to allow you to run:

"./tool.py master.yaml"

Where master.yaml contains:

ceph:
...
keystone:
...

This will generate:

/tmp/xk92012/ceph.yaml
/tmp/xk92012/keystone.yaml
/tmp/xk92012/horizon.yaml

You can then install charts:

helm install --values=/tmp/xk92012/horizon.yaml ./horizon-0.1.0.tgz

This is a requirement because a raw native master.yaml does not support an upper level namespace of "chartname", requiring it to be all in the same namespace if used across various charts.

This tool will be required until Helm issue #1520 is resolved or they introduce plugins that support this. Either will work.

The stackanetes-entrypoint image consistently leveraged runs into issues with DAEMONSET dependencies, and has trouble with config file dependencies. These should be documented in this issue subsequently but I do not have readily available access to tracebacks at the moment.

We either need to:

1. Investigate whether since its creation there is a now "standard" init container for dependency checking that is being widely used

2. If we continue to use it, ensure we are including it in our CI/CD pipelines we will develop and be creating issues to have the issues we encountered resolved in the upstream repository: https://github.com/stackanetes/kubernetes-entrypoint

Today, in some charts, jobs may land on tenant compute infrastructure or other unintended kubernetes infrastructure. Node placement needs to be consistent for all resources including jobs.

An example job lacking nodeSelector labels below:

https://github.com/att-comdev/openstack-helm/blob/master/neutron/templates/job-db-sync.yaml

@alanmeadows is working to standardize on StatefulSets, and MariaDB is impacted with this work.

i would like to see these charts end up in kubernetes/helm upstream. in order to make this happen they need to incubate, and i would like to get eyes on them. we should talk about the low hanging fruit, and critical items (Ceph, MaaS), and work towards getting them incubated for easier consumption.

@alanmeadows we should determine a good development path for 2017. minikube supports all of the versions that we need now, however the issue will be with persistent volumes.

$ minikube get-k8s-versions
The following Kubernetes versions are available:
	- v1.5.1
	- v1.4.5
	- v1.4.3
        . . .
        . . .
        . . .

Some interesting considerations:

• Updating Kubernetes for Minikube
• Persistant Volumes in Minikube (See "private registries" and ingress add-on also)

I think it would be helpful for us to unblock development with an upstream, development-friendly too, and ditch Halcyon Vagrant option for development at some point, because it's just going to get hard to maintain, and will be resource intensive for developers. If our manifests are created in a way where a single daemonset is enough for consensus, than this may be a better path forward (long term). If we need changes, we can always just throw them at minikube directly.

we need some basic linting and CI gating for our repository. this will make the community more confident in the changes they are submitting, and help assist reviewers before merging code into our repository as well.

Template names are global, even when used in sub-charts. As a result, it is very easy for collision to occur, with non-deterministic outcomes - which could (and has in my development work) result in effects ranging from failed services to potential security risks.

Due to this, I propose that template names, and macros, should always be scoped to the name of the chart they come from, this would require refactoring, but will I feel make the future development of charts much simpler, and more manageable.

As a result things like:

{{- define "env_ks_user_create_openrc_tpl" }}

should be written as:

{{- define "common.env_ks_user_create_openrc_tpl" }}

(from: https://github.com/att-comdev/openstack-helm/blob/master/common/templates/snippets/_ks_env_user_create_openrc.tpl#L1)

PoC to demonstration draining a Kubernetes node, upgrade foundational elements (i.e. Docker, host kernel, etc), and bring back into the cluster. This is to identify a useful, and documented path for users as part of our PoC. This ends up going into Documentation after exploration.

@andrecolin working this issue.

We may be able to handle secretes like this in the near future: https://github.com/andrewstuart/helm/blob/5d58b7792c4b0b56ec8eee49cfcc79980e9b0ed3/docs/chart_template_guide/accessing_files.md#secrets

The ceph monitors require reliable IP addressing, they should be converted to a statefulset.

Convert the template layout to match the new keystone template layout, which is more readable and supports testing of injected scripts as they are not wrapped in nested YAML.

@alanmeadows i'm a bit torn on this idea, because it will require some work, but I think during the 0.2.0 release we should rename the bootstrap chart to something that is a bit more clearer for new users (even thought it's lightly documented). so we can either make the documentation more clear, rename, or both. thoughts?

We need to ensure that every chart consistently leverages the init-container approach.

An example of where we are doing it correctly:

https://github.com/att-comdev/openstack-helm/blob/master/keystone/templates/deployment.yaml#L11-L40

An example of something that needs conversion:

https://github.com/att-comdev/openstack-helm/blob/master/neutron/templates/deployment-server.yaml#L14-L34

@andrecolin is looking into this PoC requirement.

Create a neutron helm chart, leveraging the standard reference deployment (non-contrail).

Create the helm chart for the koala-build container.

Convert the template layout to match the new keystone template layout, which is more readable and supports testing of injected scripts as they are not wrapped in nested YAML.

test

Hi,

I can't edit the /etc/resolv.conf file within the container following the instructions:

[root@kub1 ~]# kubectl exec kube-controller-manager-kub1.localdomain -it -n kube-system -- /bin/bash
exec: "/bin/bash": stat /bin/bash: no such file or directory
error: error stream protocol error: invalid exit code value "-1"

however

[root@kub1 ~]# kubectl exec kube-controller-manager-kub1.localdomain -it -n kube-system -- echo $0
-bash

Any idea?

thank you