diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index caa702e09..e5b0a0ca5 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -7,11 +7,10 @@ name: All in one on: workflow_call: inputs: - runner: - required: false + runner_env: + description: Which cloud to run on? type: string - description: 'Runner name' - default: 'arc-skc-aio-runner' + default: SMS Lab kayobe_image: description: Kayobe container image type: string @@ -40,18 +39,6 @@ on: description: Default network interface name type: string default: ens3 - vm_flavor: - description: Flavor for the all-in-one VM - type: string - default: en1.medium - vm_network: - description: Network for the all-in-one VM - type: string - default: stackhpc-ci - vm_subnet: - description: Subnet for the all-in-one VM - type: string - default: stackhpc-ci OS_CLOUD: description: Name of cloud in clouds.yaml type: string @@ -87,11 +74,18 @@ on: required: true jobs: + runner-selection: + uses: ./.github/workflows/runner-selector.yml + with: + runner_env: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }} # NOTE: Runner needs unzip and nodejs packages. all-in-one: name: All in one if: ${{ inputs.if && !cancelled() }} - runs-on: ${{ inputs.runner }} + environment: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }} + runs-on: ${{ needs.runner-selection.outputs.runner_name_aio }} + needs: + - runner-selection permissions: {} env: KAYOBE_ENVIRONMENT: ci-aio 
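Review bot: The `environment:` added to the `all-in-one` job is selected from the caller-supplied `runner_env` input, and nothing in this hunk limits that value to the environments that are actually configured. As far as I know, GitHub creates a referenced environment that does not exist, so a mistyped name would run the job with empty `vars.*` and none of the intended environment's secrets or protection rules instead of failing early. The job's `secrets.*` references will presumably also resolve against the selected environment, so each environment needs its own OpenStack application credential; that is worth confirming against the callers. The expression `inputs.upgrade == true && 'Leafcloud' || inputs.runner_env` is written twice (under `runner-selection` and under `environment:`) and must be kept in sync by hand, so a comment such as `# Upgrade jobs are pinned to Leafcloud; keep in sync with runner-selection` would help. The job body continues outside the hunk.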
@@ -170,9 +164,9 @@ jobs: aio_vm_interface = "${{ env.VM_INTERFACE }}" aio_vm_name = "${{ env.VM_NAME }}" aio_vm_image = "${{ env.VM_IMAGE }}" - aio_vm_flavor = "${{ env.VM_FLAVOR }}" - aio_vm_network = "${{ env.VM_NETWORK }}" - aio_vm_subnet = "${{ env.VM_SUBNET }}" + aio_vm_flavor = "${{ vars.HOST_IMAGE_BUILD_FLAVOR }}" + aio_vm_network = "${{ vars.HOST_IMAGE_BUILD_NETWORK }}" + aio_vm_subnet = "${{ vars.HOST_IMAGE_BUILD_SUBNET }}" aio_vm_volume_size = "${{ env.VM_VOLUME_SIZE }}" aio_vm_tags = ${{ env.VM_TAGS }} EOF @@ -181,9 +175,6 @@ jobs: SSH_USERNAME: "${{ inputs.ssh_username }}" VM_NAME: "skc-ci-aio-${{ inputs.neutron_plugin }}-${{ github.run_id }}" VM_IMAGE: ${{ steps.image_name.outputs.image_name }} - VM_FLAVOR: ${{ inputs.vm_flavor }} - VM_NETWORK: ${{ inputs.vm_network }} - VM_SUBNET: ${{ inputs.vm_subnet }} VM_INTERFACE: ${{ inputs.vm_interface }} VM_VOLUME_SIZE: ${{ inputs.upgrade && '65' || '50' }} VM_TAGS: '["skc-ci-aio", "PR=${{ github.event.number }}"]' @@ -192,7 +183,7 @@ jobs: run: terraform plan working-directory: ${{ github.workspace }}/terraform/aio env: - OS_CLOUD: ${{ inputs.OS_CLOUD }} + OS_CLOUD: ${{ vars.OS_CLOUD }} OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }} OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }} @@ -213,7 +204,7 @@ jobs: exit 1 working-directory: ${{ github.workspace }}/terraform/aio env: - OS_CLOUD: ${{ inputs.OS_CLOUD }} + OS_CLOUD: ${{ vars.OS_CLOUD }} OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }} OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }} @@ -471,7 +462,7 @@ jobs: run: terraform destroy -auto-approve working-directory: ${{ github.workspace }}/terraform/aio env: - OS_CLOUD: ${{ inputs.OS_CLOUD }} + OS_CLOUD: ${{ vars.OS_CLOUD }} OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }} OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }} if: always() 
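Review bot: The three `vars.HOST_IMAGE_BUILD_*` references written into the tfvars heredoc expand to an empty string when the selected environment does not define them, so Terraform would receive `aio_vm_flavor = ""` and fail later with a less obvious error. A short guard at the start of the step that exits with a message naming the missing variable would make a misconfigured environment fail fast. The names also suggest these variables were created for host image builds, so a comment like `# AIO VMs reuse the host image build flavor/network/subnet of the environment` would record that the reuse is intentional. The step starts outside the hunk.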
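Review bot: `OS_CLOUD` is now read from `vars.OS_CLOUD` in this step and in the hunks at -213 and -471, but the `OS_CLOUD` workflow input is still declared (it is visible as context in the second hunk of this file), so a caller that passes it is silently ignored. Either remove the input or change its description to something like `Deprecated: the cloud name is taken from the environment variable OS_CLOUD`. If the selected environment does not define `OS_CLOUD`, the value is empty and the OpenStack provider will fall back to whatever else is configured, which is hard to diagnose from the Terraform output.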
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index dea909df5..8ae3eb9ca 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -14,6 +14,7 @@ on: jobs: propose_github_release_updates: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' runs-on: ubuntu-22.04 strategy: matrix: diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml new file mode 100644 index 000000000..92e5c1f54 --- /dev/null +++ b/.github/workflows/upstream-sync.yml @@ -0,0 +1,38 @@ +--- +name: Upstream Sync +'on': + schedule: + - cron: "15 8 * * 1" + workflow_dispatch: +permissions: + contents: write + pull-requests: write +jobs: + synchronise-2023-1: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise 2023.1 + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: 2023.1 + upstream: openstack/kayobe-config + synchronise-2024-1: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise 2024.1 + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: 2024.1 + upstream: openstack/kayobe-config + synchronise-2025-1: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise 2025.1 + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: 2025.1 + upstream: openstack/kayobe-config + synchronise-master: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise master + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: master + upstream: openstack/kayobe-config diff --git a/doc/source/configuration/ipa.rst b/doc/source/configuration/ipa.rst index 846e6daa0..2892937b1 100644 --- a/doc/source/configuration/ipa.rst +++ b/doc/source/configuration/ipa.rst 
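Review bot: All four jobs in the new `upstream-sync.yml` call `stackhpc/.github/.github/workflows/upstream-sync.yml@main`, a mutable branch reference, while the workflow grants `contents: write` and `pull-requests: write`. Whatever is on `main` of that repository at run time executes with write access to this one; pinning to a full commit SHA (`upstream-sync.yml@<commit-sha>`, placeholder) with a trailing comment naming the branch keeps the executed code reviewable, even though the called repository is in the same organisation. Separately, `release_series: 2023.1` and its siblings are unquoted scalars that YAML reads as floats; writing `release_series: "2023.1"` keeps them strings.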
@@ -11,7 +11,7 @@ StackHPC provides prebuilt Ironic Python Agent (IPA) images in Release Train through Ark. These images are built in CI using a GitHub workflow and are configured in this -repository. See :kayobe-doc: `Kayobe documentation +repository. See :kayobe-doc:`Kayobe documentation ` for more details on IPA. Release Train IPA images are used by Bifrost and Overcloud Ironic by default in diff --git a/doc/source/configuration/monitoring.rst b/doc/source/configuration/monitoring.rst index 7414a5398..931324e31 100644 --- a/doc/source/configuration/monitoring.rst +++ b/doc/source/configuration/monitoring.rst @@ -169,12 +169,18 @@ for the exporter. If you are deploying in a cloud with internal TLS, you may be required to provide a CA certificate for the OpenStack Capacity exporter if your certificate is not signed by a trusted CA. For example, to use a CA certificate -named ``vault.crt`` that is also added to the Kolla containers: +named ``vault.crt`` or ``openbao.crt`` that is also added to the Kolla containers: .. code-block:: yaml stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" +or + +.. code-block:: yaml + + stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt" + Alternatively, to disable certificate verification for the OpenStack Capacity exporter: diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst index 0afbfb9e5..3d65a933f 100644 --- a/doc/source/configuration/release-train.rst +++ b/doc/source/configuration/release-train.rst 
@@ -52,16 +52,29 @@ The Pulp container is deployed on the seed by default, but may be disabled by setting ``seed_pulp_container_enabled`` to ``false`` in ``etc/kayobe/seed.yml``. -The URL and credentials of the local Pulp server are configured in -``etc/kayobe/pulp.yml`` via ``pulp_url``, ``pulp_username`` and -``pulp_password``. In most cases, the default values should be sufficient. -An admin password must be generated and set as the value of a -``secrets_pulp_password`` variable, typically in an Ansible Vault encrypted -``etc/kayobe/secrets.yml`` file. This password will be automatically set on -Pulp startup. - -If a proxy is required to access the Internet from the seed, ``pulp_proxy_url`` -may be used. +The URL for the local Pulp server is configured by ``pulp_url`` within +``etc/kayobe/pulp.yml``. + +The Pulp service can be configured with two sets of credentials; one for +administrator operations and another read-only for overcloud hosts +to use. +The administrator credentials can be configured ``pulp_username``, +``pulp_password`` +The basic user account credentials can be configured with ``pulp_stack_username`` +and ``pulp_stack_password``. +Both sets of credentials can be found within ``etc/kayobe/pulp.yml``. + +Both the ``pulp_password`` and ``pulp_stack_password`` are intended to be +configured via their ``secrets_*`` counterparts, i.e. +``secrets_pulp_password`` and ``secrets_pulp_stack_password``. These variables +are expected to be set in an Ansible Vault encrypted +``etc/kayobe/secrets.yml`` file. + +Passwords can be generated using ``OpenSSL`` + +.. code-block:: console + + openssl rand -base64 32 Host images are not synchronised to the local Pulp server, since they should only be pulled to the seed node once. More information on host images can be diff --git a/etc/kayobe/ansible/cephadm-gather-keys.yml b/etc/kayobe/ansible/cephadm-gather-keys.yml index e4b8da206..1b36f8bdd 100644 --- a/etc/kayobe/ansible/cephadm-gather-keys.yml 
+++ b/etc/kayobe/ansible/cephadm-gather-keys.yml @@ -68,6 +68,7 @@ # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf. content: | {{ cephadm_ceph_conf.stdout | regex_replace('\t') }} + {{ kolla_ceph_conf_append if kolla_ceph_conf_append is defined }} dest: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_conf_dir[item.0.name] }}/ceph.conf" loop: "{{ query('subelements', kolla_ceph_services | selectattr('required'), 'keys') }}" loop_control: diff --git a/etc/kayobe/ansible/check-kayobe-version.yml b/etc/kayobe/ansible/check-kayobe-version.yml index cc00b6aed..b527fc5d8 100644 --- a/etc/kayobe/ansible/check-kayobe-version.yml +++ b/etc/kayobe/ansible/check-kayobe-version.yml @@ -8,6 +8,7 @@ tasks: - name: Check version when: stackhpc_enable_kayobe_check + check_mode: false block: - name: Get package info community.general.pip_package_info: diff --git a/etc/kayobe/ansible/check-kolla-ansible-version.yml b/etc/kayobe/ansible/check-kolla-ansible-version.yml index 183a175dd..e6bfd92fd 100644 --- a/etc/kayobe/ansible/check-kolla-ansible-version.yml +++ b/etc/kayobe/ansible/check-kolla-ansible-version.yml @@ -6,6 +6,7 @@ tasks: - name: Check version when: stackhpc_enable_kolla_ansible_check + check_mode: false block: - name: Get current Kolla-Ansible tag ansible.builtin.command: diff --git a/etc/kayobe/ansible/openbao-deploy-overcloud.yml b/etc/kayobe/ansible/openbao-deploy-overcloud.yml index 811e9b1f0..df3166ce6 100644 --- a/etc/kayobe/ansible/openbao-deploy-overcloud.yml +++ b/etc/kayobe/ansible/openbao-deploy-overcloud.yml 
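Review bot: The added line `{{ kolla_ceph_conf_append if kolla_ceph_conf_append is defined }}` is an inline `if` with no `else`, which evaluates to an undefined value in the default case where the variable is left commented out in `cephadm.yml`. Whether that renders as an empty line or raises an undefined-variable error depends on how the templating layer treats undefined values, so it is worth confirming on a run without the variable set. `{{ kolla_ceph_conf_append | default('') }}` states the intent explicitly and does not depend on that behaviour. The task starts and ends outside the hunk.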
@@ -21,7 +21,12 @@ gather_facts: true hosts: controllers vars: - openbao_bind_address: "{{ internal_net_name | net_ip }}" + openbao_bind_addr: "{{ internal_net_name | net_ip }}" + # This is the IP address of the first controller and therefore the leader within + # OpenBao. This could be replaced with the VIP address of the internal network if + # HAProxy has been configured to load balance the OpenBao API. + openbao_raft_leaders: + - "{{ internal_net_name | net_ip(inventory_hostname=groups['controllers'][0]) }}" tasks: - name: Set a fact about the virtualenv on the remote system ansible.builtin.set_fact: @@ -46,7 +51,7 @@ - name: Template out TLS key and cert ansible.builtin.copy: - # Within the OpenBao container these uids & gids map to the vault user + # Within the OpenBao container these uids & gids map to the openbao user src: "{{ kayobe_env_config_path }}/openbao/{{ item }}" dest: /opt/kayobe/openbao/{{ item }} owner: 100 @@ -55,6 +60,7 @@ loop: - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt" - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key" + - "OS-TLS-INT.crt" become: true - name: Apply OpenBao role @@ -71,6 +77,7 @@ openbao_docker_tag: "{{ overcloud_openbao_docker_tag }}" openbao_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt" openbao_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key" + openbao_tls_ca: "OS-TLS-INT.crt" copy_self_signed_ca: true openbao_api_addr: https://{{ internal_net_name | net_ip }}:8200 openbao_write_keys_file: true 
@@ -91,6 +98,28 @@ vault_unseal_keys: "{{ openbao_keys.keys_base64 }}" environment: https_proxy: "" + run_once: true + + # As the first instance is now unsealed the other instances will now need some + # time to connect before we can proceed. + - name: Wait for OpenBao Raft peers to connect + ansible.builtin.wait_for: + timeout: 30 + delegate_to: localhost + + # Raft peers take few seconds before they report an unsealed state therefore + # we must wait. + - name: Unseal OpenBao + ansible.builtin.import_role: + name: stackhpc.hashicorp.vault_unseal + vars: + vault_api_addr: https://{{ internal_net_name | net_ip }}:8200 + vault_unseal_token: "{{ openbao_keys.root_token }}" + vault_unseal_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}" + vault_unseal_keys: "{{ openbao_keys.keys_base64 }}" + vault_unseal_timeout: 10 + environment: + https_proxy: "" - name: Configure PKI any_errors_fatal: true diff --git a/etc/kayobe/ansible/openbao-deploy-seed.yml b/etc/kayobe/ansible/openbao-deploy-seed.yml index 2f276cbf6..42972b35e 100644 --- a/etc/kayobe/ansible/openbao-deploy-seed.yml +++ b/etc/kayobe/ansible/openbao-deploy-seed.yml @@ -4,8 +4,8 @@ gather_facts: true hosts: seed vars: - openbao_bind_address: "{{ ansible_facts['lo'].ipv4.address }}" - openbao_api_addr: "http://{{ openbao_bind_address }}:8200" + openbao_bind_addr: "{{ ansible_facts['lo'].ipv4.address }}" + openbao_api_addr: "http://{{ openbao_bind_addr }}:8200" tasks: - name: Set a fact about the virtualenv on the remote system ansible.builtin.set_fact: diff --git a/etc/kayobe/ansible/pci-passthrough.yml b/etc/kayobe/ansible/pci-passthrough.yml index 59803ccf3..392713c35 100644 --- a/etc/kayobe/ansible/pci-passthrough.yml +++ b/etc/kayobe/ansible/pci-passthrough.yml 
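Review bot: The `Wait for OpenBao Raft peers to connect` task is a fixed 30-second sleep, since `wait_for` with only `timeout` checks nothing, so it is either wasted time or too short on a slow environment. Making the delay tunable, for example `timeout: "{{ openbao_raft_join_wait | default(30) }}"` (a new variable name I am proposing), or raising `vault_unseal_timeout` on the second unseal and dropping the sleep, would be more robust. Both unseal tasks also pass `openbao_keys.root_token` and the unseal keys as role variables; whether those can appear in verbose output depends on the `vault_unseal` role, which is not visible here, so it is worth confirming it sets `no_log`.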
@@ -11,7 +11,7 @@ vfio_pci_ids: |- {% set gpu_list = [] %} {% set output = [] %} - {% for gpu_group in gpu_group_map | dict2items | default([]) %} + {% for gpu_group in (gpu_group_map | default({})) | dict2items %} {% if gpu_group.key in group_names %} {% set _ = gpu_list.append(gpu_group.value) %} {% endif %} diff --git a/etc/kayobe/ansible/pulp-host-image-download.yml b/etc/kayobe/ansible/pulp-host-image-download.yml index 52e570b9f..54fd36ae4 100644 --- a/etc/kayobe/ansible/pulp-host-image-download.yml +++ b/etc/kayobe/ansible/pulp-host-image-download.yml @@ -7,10 +7,8 @@ # password in the get_url task of this playbook stackhpc_overcloud_host_image_url_no_auth: "{{ stackhpc_release_pulp_content_url }}/kayobe-images/\ {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\ - {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\ {{ stackhpc_overcloud_host_image_version }}/\ - overcloud-{{ os_distribution }}-{{ os_release }}\ - {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2" + overcloud-{{ os_distribution }}-{{ os_release }}.qcow2" tasks: - name: Print image information ansible.builtin.debug: @@ -18,7 +16,6 @@ OS Distribution: {{ os_distribution }} OS Release: {{ os_release }} Image tag: {{ stackhpc_overcloud_host_image_version }} - OFED: {{ stackhpc_overcloud_host_image_is_ofed }} # TODO: Add checksum support - name: Download image artifact diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index a81decfc1..7c83c00ec 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -9,7 +9,7 @@ collections: - name: stackhpc.pulp version: 0.5.5 - name: stackhpc.hashicorp - version: 2.6.1 + version: 2.7.1 - name: stackhpc.kayobe_workflows version: 1.1.0 roles: diff --git a/etc/kayobe/ansible/smartmon-tools.yml b/etc/kayobe/ansible/smartmon-tools.yml index 351ce0325..c6fa35acc 100644 --- a/etc/kayobe/ansible/smartmon-tools.yml 
+++ b/etc/kayobe/ansible/smartmon-tools.yml @@ -15,10 +15,8 @@ - name: Ensure Python 3, venv, and pip are installed ansible.builtin.package: - name: - - python3 - - python3-venv - - python3-pip + name: > + {{ ['python3', 'python3-pip'] + (['python3-venv'] if ansible_facts['distribution'] == 'Ubuntu' else []) }} state: present become: true diff --git a/etc/kayobe/cephadm.yml b/etc/kayobe/cephadm.yml index 751cc77f2..64c087081 100644 --- a/etc/kayobe/cephadm.yml +++ b/etc/kayobe/cephadm.yml @@ -133,3 +133,6 @@ kolla_ceph_manila_required: "{{ kolla_enable_manila | bool }}" # Whether to generate Ceph configuration for Nova. kolla_ceph_nova_required: "{{ kolla_enable_nova | bool }}" + +# A (multiline) string to append to all Ceph configuration files. +#kolla_ceph_conf_append: diff --git a/etc/kayobe/containers/pulp/post.yml b/etc/kayobe/containers/pulp/post.yml index 967c4e37d..7a4e7e595 100644 --- a/etc/kayobe/containers/pulp/post.yml +++ b/etc/kayobe/containers/pulp/post.yml @@ -28,6 +28,18 @@ - stackhpc_pulp_sync_for_local_container_build | bool - pulp_settings.changed +- name: Ensure Pulp stack user exists + ansible.builtin.include_role: + name: stackhpc.pulp.pulp_user + vars: + pulp_users: + - username: "{{ pulp_stack_username }}" + password: "{{ pulp_stack_password }}" + is_staff: false + when: + - pulp_stack_username is defined and pulp_stack_username | length > 0 + - pulp_stack_password is defined and pulp_stack_password | length > 0 + - name: Login to docker registry docker_login: registry_url: "{{ kolla_docker_registry or omit }}" diff --git a/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml b/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml index 808c78034..fe92c42a0 100644 --- a/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml +++ b/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml 
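Review bot: The package list is now built in a folded scalar, `name: >`, which keeps a trailing newline after the templated list; `name: >-` strips it and avoids relying on the templating layer to ignore it when converting the string back to a list. The condition `ansible_facts['distribution'] == 'Ubuntu'` also drops `python3-venv` on any other Debian-family host; if those are in scope, `ansible_facts['os_family'] == 'Debian'` would cover them.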
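Review bot: In `containers/pulp/post.yml` the new `Ensure Pulp stack user exists` task creates the account with only `is_staff: false`, while the documentation changed in this same diff describes it as read-only. Nothing in the hunk assigns or restricts Pulp roles, so what the user can actually do depends on Pulp's default RBAC and on the `stackhpc.pulp.pulp_user` role; it is worth verifying that the account cannot push or delete content before relying on it for least privilege. The task also passes `pulp_stack_password` as a plain role variable, so confirm the role marks its tasks `no_log`. A comment above the task such as `# Non-admin account used by overcloud hosts to pull from Pulp` would document the intent.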
@@ -15,4 +15,4 @@ vxlan_vni: # This is a dictionary of interfaces to be created by the stackhpc.vxlan role. vxlan_interfaces: - device: "vxlan{{ vxlan_vni }}" - group: "{{ '239.0.0.0/8' | next_nth_usable(vxlan_vni) }}" + group: "{{ '239.0.0.0/8' | ansible.utils.next_nth_usable(vxlan_vni) }}" diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml index 93ce650b4..1d9514553 100644 --- a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml +++ b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml @@ -1,3 +1,3 @@ --- # Path to a CA certificate file to trust in the OpenStack Capacity exporter. -stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" +stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt" diff --git a/etc/kayobe/environments/ci-multinode/tempest.yml b/etc/kayobe/environments/ci-multinode/tempest.yml index 0657946bb..ae2d8f132 100644 --- a/etc/kayobe/environments/ci-multinode/tempest.yml +++ b/etc/kayobe/environments/ci-multinode/tempest.yml @@ -3,4 +3,4 @@ rally_no_sensitive_log: false # Add the Vault CA certificate to the rally container when running tempest. -tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" +tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt" diff --git a/etc/kayobe/inventory/group_vars/all/openbao.yml b/etc/kayobe/inventory/group_vars/all/openbao.yml index 172cc3cfc..445e8bfba 100644 --- a/etc/kayobe/inventory/group_vars/all/openbao.yml +++ b/etc/kayobe/inventory/group_vars/all/openbao.yml 
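Review bot: In `ci-multinode/tempest.yml` the comment above `tempest_cacert` still says "Add the Vault CA certificate" although the path now points at `openbao.crt`. I would update it to `# Add the OpenBao CA certificate to the rally container when running tempest.` so the comment and the trusted CA file agree.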
@@ -78,3 +78,6 @@ seed_openbao_pki_certificate_subject: role: "{{ seed_openbao_pki_role_name }}" extra_params: ip_sans: "{% for host in groups['controllers'] %}{{ internal_net_name | net_ip(host) }}{% if not loop.last %},{% endif %}{% endfor %},{{ kolla_internal_vip_address }}" + +# Enable OpenBao UI +openbao_enable_ui: true diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 4e92495b8..682093d1c 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -351,7 +351,7 @@ kolla_build_customizations_common: - /additions/* magnum_base_pip_packages_override: - /magnum[osprofiler] - - magnum-capi-helm==1.2.0 + - magnum-capi-helm==1.2.1 neutron_server_packages_append: - python3-libvirt - python3-ethtool diff --git a/etc/kayobe/kolla/config/nova/nova-api.conf b/etc/kayobe/kolla/config/nova/nova-api.conf index 59e3a6102..ba96a2ddb 100644 --- a/etc/kayobe/kolla/config/nova/nova-api.conf +++ b/etc/kayobe/kolla/config/nova/nova-api.conf @@ -1,4 +1,4 @@ [pci] -{% for item in gpu_group_map | dict2items | map(attribute='value') | flatten | unique | list %} +{% for item in (gpu_group_map | default({})) | dict2items | map(attribute='value') | flatten | unique | list %} alias = { "vendor_id":"{{ stackhpc_gpu_data[item].vendor_id }}", "product_id":"{{ stackhpc_gpu_data[item].product_id }}", "device_type":"{{ stackhpc_gpu_data[item].device_type }}", "name":"{{ stackhpc_gpu_data[item].resource_name }}" } {% endfor %} diff --git a/etc/kayobe/kolla/config/nova/nova-compute.conf b/etc/kayobe/kolla/config/nova/nova-compute.conf index 5f8593dde..ed83c7101 100644 --- a/etc/kayobe/kolla/config/nova/nova-compute.conf +++ b/etc/kayobe/kolla/config/nova/nova-compute.conf @@ -1,7 +1,7 @@ [pci] {% raw %} {% set gpu_list = [] %} -{% for gpu_group in gpu_group_map | dict2items | default([]) %} +{% for gpu_group in (gpu_group_map | default({})) | dict2items %} {% if gpu_group.key in group_names %} {% set _ = gpu_list.append(gpu_group.value) %} {% endif %} 
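Review bot: `openbao_enable_ui: true` is set in `group_vars/all`, so the OpenBao web UI becomes enabled by default for every deployment that uses these playbooks, including the overcloud instances that listen on the internal network address. That widens the exposed surface of the secrets store for sites that only use the API. Consider defaulting to `false`, or expanding the comment to something like `# Enable the OpenBao web UI. Set to false if only API access is required.` so operators know it is optional.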
diff --git a/etc/kayobe/kolla/config/prometheus/rabbitmq.rules b/etc/kayobe/kolla/config/prometheus/rabbitmq.rules index d72230421..82022d72a 100644 --- a/etc/kayobe/kolla/config/prometheus/rabbitmq.rules +++ b/etc/kayobe/kolla/config/prometheus/rabbitmq.rules @@ -6,7 +6,7 @@ groups: - name: rabbitmq.rules rules: - alert: RabbitMQNodeDown - expr: sum(rabbitmq_build_info{instance!=""}) < 3 + expr: sum(rabbitmq_build_info{instance!=""}) < {% endraw %}{{ alertmanager_number_of_rabbitmq_nodes }}{% raw %} for: 30m labels: severity: critical diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml index 12feb9fc1..601117be4 100644 --- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml @@ -26,6 +26,10 @@ pulp_enable_tls: false pulp_username: admin pulp_password: "{{ secrets_pulp_password }}" +# Credentials for non-admin user within Pulp. +pulp_stack_username: stack +pulp_stack_password: "{{ secrets_pulp_stack_password | default('') }}" + # Proxy to use when adding remotes. pulp_proxy_url: "{{ omit }}" diff --git a/etc/kayobe/stackhpc-monitoring.yml b/etc/kayobe/stackhpc-monitoring.yml index 831486d10..a2a88b503 100644 --- a/etc/kayobe/stackhpc-monitoring.yml +++ b/etc/kayobe/stackhpc-monitoring.yml @@ -26,6 +26,9 @@ alertmanager_packet_drop_threshold: 1 # packets/s averaged over 5 minutes. alertmanager_packet_errors_threshold: 1 +# Number of RabbitMQ nodes in the cluster. +alertmanager_number_of_rabbitmq_nodes: "{{ groups['controllers'] | length }}" + ############################################################################### # Exporter configuration diff --git a/etc/kayobe/stackhpc-overcloud-host-images.yml b/etc/kayobe/stackhpc-overcloud-host-images.yml index 9e4546fc2..c009f8e8f 100644 --- a/etc/kayobe/stackhpc-overcloud-host-images.yml +++ b/etc/kayobe/stackhpc-overcloud-host-images.yml 
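Review bot: The default `alertmanager_number_of_rabbitmq_nodes: "{{ groups['controllers'] | length }}"` in `stackhpc-monitoring.yml` assumes RabbitMQ runs on every controller and nowhere else, which is not established by anything visible here. If the `controllers` group is empty or RabbitMQ is placed on other hosts, the rendered `RabbitMQNodeDown` threshold is wrong and the alert either never fires or fires permanently. I would extend the comment to `# Number of RabbitMQ nodes expected in the cluster. Override if RabbitMQ does not run on all controllers.`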
@@ -5,19 +5,12 @@ # Whether or not to download overcloud host images from Ark stackhpc_download_overcloud_host_images: false -# Whether or not to use images with MLNX_OFED installed (for deployment using -# mellanox/Nvidia NICs). Only available for Ubuntu Noble and Rocky Linux 9 -# OFED images are currently WIP and this variable is a placeholder -stackhpc_overcloud_host_image_is_ofed: false - # The overcloud host image source, defined by os_distribution, os_release, -# stackhpc_overcloud_host_image_is_ofed, and the current stable version. +# and the current stable version. stackhpc_overcloud_host_image_url: "{{ stackhpc_release_pulp_content_url_with_auth }}/kayobe-images/\ {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\ - {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\ {{ stackhpc_overcloud_host_image_version }}/\ - overcloud-{{ os_distribution }}-{{ os_release }}\ - {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2" + overcloud-{{ os_distribution }}-{{ os_release }}.qcow2" # Overcloud host image version tag selection stackhpc_overcloud_host_image_version: >- diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index ac8f1acb2..83b822624 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml 
@@ -154,8 +154,8 @@ stackhpc_kolla_ansible_source_version: stackhpc/20.0.0.3 stackhpc_docker_registry: "{{ pulp_url | regex_replace('^https?://', '') }}" # Username and password of container registry. -stackhpc_docker_registry_username: "{{ pulp_username }}" -stackhpc_docker_registry_password: "{{ pulp_password }}" +stackhpc_docker_registry_username: "{{ pulp_stack_username if pulp_stack_password is defined and pulp_stack_password | length > 0 else pulp_username }}" +stackhpc_docker_registry_password: "{{ pulp_stack_password if pulp_stack_password is defined and pulp_stack_password | length > 0 else pulp_password }}" ############################################################################### # Feature flags diff --git a/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml b/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml new file mode 100644 index 000000000..596a3eada --- /dev/null +++ b/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add support for highly available Raft when using OpenBao on + overcloud hosts. diff --git a/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml b/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml new file mode 100644 index 000000000..63b4dae95 --- /dev/null +++ b/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Add support for a basic user for Pulp operations instead of using + the admin user for usage. Can be enabled by setting + `pulp_stack_password`. diff --git a/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml b/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml new file mode 100644 index 000000000..0268db52b --- /dev/null +++ b/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml 
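Review bot: Both registry credential lines switch to the stack account when `pulp_stack_password` is non-empty, but neither checks `pulp_stack_username`, whereas the user-creation task added in `containers/pulp/post.yml` requires both to be set. If the username is overridden to an empty value, hosts would attempt a registry login with an empty username and the stack password, against an account that was never created. Using the same two-part condition in both places keeps them consistent, for example by adding `and pulp_stack_username | default('') | length > 0` to each expression. A one-line comment such as `# Falls back to the admin account when no stack password is set` would also make the fallback visible to operators.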
@@ -0,0 +1,13 @@ +--- +features: + - | + Updated OpenvSwitch to 3.3.4-115 and OVN to 24.03.5-88 for Rocky Linux 9 + in Caracal. For details, see the following changelogs: + + * `OVS changelog `__ + * `OVN changelog `__ + + - | + Kolla Toolbox, Manila, Neutron, Nova, and Octavia containers received + updates on both Rocky Linux 9 and Ubuntu. Only the Rocky Linux 9 images + include the new OVS versions. diff --git a/releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml b/releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml new file mode 100644 index 000000000..5a4aae413 --- /dev/null +++ b/releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Updated the version of magnum-capi-helm used in Magnum containers. This + resolves an issue stopping non-default node groups from being deleted. See + `#2095539 `__ for more + details. diff --git a/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml b/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml new file mode 100644 index 000000000..1d0e534d4 --- /dev/null +++ b/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Add ``kolla_ceph_conf_append`` configuration option to specify a string + to be appended to all ceph.conf files gathered from a ceph cluster using + ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml``. diff --git a/releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml b/releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml new file mode 100644 index 000000000..8f7efe343 --- /dev/null +++ b/releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml @@ -0,0 +1,4 @@ +--- +upgrade: + - | + Bumps the default Ceph Reef container image to ``v18.2.7``. diff --git a/releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml b/releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml new file mode 100644 index 000000000..affc29fd8 --- /dev/null 
+++ b/releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Fixes possible templating error with PCI passthrough configuration. diff --git a/releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml b/releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml new file mode 100644 index 000000000..db9c0159d --- /dev/null +++ b/releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Updates Prometheus to version 2.55.1. diff --git a/releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml b/releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml new file mode 100644 index 000000000..e7b7b2f9a --- /dev/null +++ b/releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Allow for easy customisation of the number of expected `RabbitMQ` + nodes when evaluating the alert `RabbitMQNodeDown`. It is set by + the `alertmanager_number_of_rabbitmq_nodes` which defaults to the + number of `controllers`. This is benefical for deployments that + do not use a standard three node setup.