From 61011bf158a275271446b5362525516777433454 Mon Sep 17 00:00:00 2001 From: "max.bed4d" Date: Wed, 14 May 2025 08:36:49 +0100 Subject: [PATCH 01/29] Make SMS the default runner environment --- .github/workflows/stackhpc-all-in-one.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index 205a20924..a033621e9 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -7,11 +7,10 @@ name: All in one on: workflow_call: inputs: - runner: - required: false + runner_env: + description: Which cloud to run on? type: string - description: 'Runner name' - default: 'arc-skc-aio-runner' + default: SMS Lab kayobe_image: description: Kayobe container image type: string @@ -87,11 +86,18 @@ on: required: true jobs: + runner-selection: + uses: ./.github/workflows/runner-selector.yml + with: + runner_env: ${{ inputs.runner_env }} # NOTE: Runner needs unzip and nodejs packages. all-in-one: name: All in one if: ${{ inputs.if && !cancelled() }} - runs-on: ${{ inputs.runner }} + environment: ${{ inputs.runner_env }} + runs-on: ${{ needs.runner-selection.outputs.runner_name_aio }} + needs: + - runner-selection permissions: {} env: KAYOBE_ENVIRONMENT: ci-aio From d3628ef25ecd242619c66308b3989f9c1efdcd0f Mon Sep 17 00:00:00 2001 From: "max.bed4d" Date: Wed, 14 May 2025 09:20:43 +0100 Subject: [PATCH 02/29] Add environment variables and secrets --- .github/workflows/stackhpc-all-in-one.yml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index a033621e9..e8b334279 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml 
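Review bot: In the second hunk, `environment: ${{ inputs.runner_env }}` takes a free-form string from the caller, and that string decides which environment's variables and secrets the `all-in-one` job can read. GitHub creates an environment on first reference if it does not exist, so a misspelt value would run with no protection rules and empty values rather than fail. The `runner_env` description could state the constraint, for example `description: Cloud environment to run on; must match an existing GitHub environment (e.g. SMS Lab)`. The runner-selector workflow, which is not shown here, looks like the natural place to reject unknown names. The `all-in-one` job continues outside the hunk.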
@@ -43,14 +43,6 @@ on: description: Flavor for the all-in-one VM type: string default: en1.medium - vm_network: - description: Network for the all-in-one VM - type: string - default: stackhpc-ci - vm_subnet: - description: Subnet for the all-in-one VM - type: string - default: stackhpc-ci OS_CLOUD: description: Name of cloud in clouds.yaml type: string @@ -177,8 +169,8 @@ jobs: aio_vm_name = "${{ env.VM_NAME }}" aio_vm_image = "${{ env.VM_IMAGE }}" aio_vm_flavor = "${{ env.VM_FLAVOR }}" - aio_vm_network = "${{ env.VM_NETWORK }}" - aio_vm_subnet = "${{ env.VM_SUBNET }}" + aio_vm_network = "${{ vars.HOST_IMAGE_BUILD_NETWORK }}" + aio_vm_subnet = "${{ vars.HOST_IMAGE_BUILD_SUBNET }}" aio_vm_volume_size = "${{ env.VM_VOLUME_SIZE }}" aio_vm_tags = ${{ env.VM_TAGS }} EOF @@ -188,8 +180,6 @@ jobs: VM_NAME: "skc-ci-aio-${{ inputs.neutron_plugin }}-${{ github.run_id }}" VM_IMAGE: ${{ steps.image_name.outputs.image_name }} VM_FLAVOR: ${{ inputs.vm_flavor }} - VM_NETWORK: ${{ inputs.vm_network }} - VM_SUBNET: ${{ inputs.vm_subnet }} VM_INTERFACE: ${{ inputs.vm_interface }} VM_VOLUME_SIZE: ${{ inputs.upgrade && '65' || '50' }} VM_TAGS: '["skc-ci-aio", "PR=${{ github.event.number }}"]' @@ -198,7 +188,7 @@ jobs: run: terraform plan working-directory: ${{ github.workspace }}/terraform/aio env: - OS_CLOUD: ${{ inputs.OS_CLOUD }} + OS_CLOUD: ${{ vars.OS_CLOUD }} OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }} OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }} @@ -219,7 +209,7 @@ jobs: exit 1 working-directory: ${{ github.workspace }}/terraform/aio env: - OS_CLOUD: ${{ inputs.OS_CLOUD }} + OS_CLOUD: ${{ vars.OS_CLOUD }} OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }} OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }} 
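Review bot: The `OS_CLOUD` input stays declared in the first hunk's context, while the terraform steps in the hunks at -198 and -219, and the `terraform destroy` step in the following hunk at -523, now read `vars.OS_CLOUD`, so a caller that still passes `OS_CLOUD` is silently ignored. Either remove the input or mark it, e.g. `description: Deprecated and ignored; the cloud name now comes from the environment variable OS_CLOUD`. The heredoc also takes the all-in-one VM's network and subnet from `vars.HOST_IMAGE_BUILD_NETWORK` and `vars.HOST_IMAGE_BUILD_SUBNET`, which expand to empty strings if the selected environment does not define them. A comment above the heredoc listing the variables every environment must define would help. Whether `inputs.OS_CLOUD` is still used elsewhere in the file cannot be seen from these hunks.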
@@ -523,7 +513,7 @@ jobs: run: terraform destroy -auto-approve working-directory: ${{ github.workspace }}/terraform/aio env: - OS_CLOUD: ${{ inputs.OS_CLOUD }} + OS_CLOUD: ${{ vars.OS_CLOUD }} OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }} OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }} if: always() From 90b8f101cf7438065a5abc9e167104d2afa4c621 Mon Sep 17 00:00:00 2001 From: "max.bed4d" Date: Wed, 14 May 2025 09:52:48 +0100 Subject: [PATCH 03/29] Set VM flavour based on env vars --- .github/workflows/stackhpc-all-in-one.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index e8b334279..00f28eadf 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -39,10 +39,6 @@ on: description: Default network interface name type: string default: ens3 - vm_flavor: - description: Flavor for the all-in-one VM - type: string - default: en1.medium OS_CLOUD: description: Name of cloud in clouds.yaml type: string @@ -168,7 +164,7 @@ jobs: aio_vm_interface = "${{ env.VM_INTERFACE }}" aio_vm_name = "${{ env.VM_NAME }}" aio_vm_image = "${{ env.VM_IMAGE }}" - aio_vm_flavor = "${{ env.VM_FLAVOR }}" + aio_vm_flavor = "${{ vars.HOST_IMAGE_BUILD_FLAVOR }}" aio_vm_network = "${{ vars.HOST_IMAGE_BUILD_NETWORK }}" aio_vm_subnet = "${{ vars.HOST_IMAGE_BUILD_SUBNET }}" aio_vm_volume_size = "${{ env.VM_VOLUME_SIZE }}" @@ -179,7 +175,6 @@ jobs: SSH_USERNAME: "${{ inputs.ssh_username }}" VM_NAME: "skc-ci-aio-${{ inputs.neutron_plugin }}-${{ github.run_id }}" VM_IMAGE: ${{ steps.image_name.outputs.image_name }} - VM_FLAVOR: ${{ inputs.vm_flavor }} VM_INTERFACE: ${{ inputs.vm_interface }} VM_VOLUME_SIZE: ${{ inputs.upgrade && '65' || '50' }} VM_TAGS: '["skc-ci-aio", "PR=${{ github.event.number }}"]' From a812b7c756780d1c0126f294eca575d688ac23b7 Mon Sep 17 00:00:00 2001 
From: Seunghun Lee Date: Wed, 14 May 2025 14:30:54 +0100 Subject: [PATCH 04/29] Fix PCI passthrough default templates Even though the variable ``gpu_group_map`` has default value of {} defined at stackhpc-compute.yml, it can be set to anything by users. Therefore, Using dict2items filter with it can cause unexpected templating error. Fixing this by setting {} as a default of ``gpu_group_map`` before using dict2items filter. So even if ``gpu_group_map`` becomes undefined for some reason, it doesn't fail in run time. --- etc/kayobe/ansible/pci-passthrough.yml | 2 +- etc/kayobe/kolla/config/nova/nova-api.conf | 2 +- etc/kayobe/kolla/config/nova/nova-compute.conf | 2 +- .../notes/fix-pci-default-template-8660ab2a7a106376.yaml | 4 ++++ 4 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml diff --git a/etc/kayobe/ansible/pci-passthrough.yml b/etc/kayobe/ansible/pci-passthrough.yml index 59803ccf3..392713c35 100644 --- a/etc/kayobe/ansible/pci-passthrough.yml +++ b/etc/kayobe/ansible/pci-passthrough.yml @@ -11,7 +11,7 @@ vfio_pci_ids: |- {% set gpu_list = [] %} {% set output = [] %} - {% for gpu_group in gpu_group_map | dict2items | default([]) %} + {% for gpu_group in (gpu_group_map | default({})) | dict2items %} {% if gpu_group.key in group_names %} {% set _ = gpu_list.append(gpu_group.value) %} {% endif %} diff --git a/etc/kayobe/kolla/config/nova/nova-api.conf b/etc/kayobe/kolla/config/nova/nova-api.conf index 59e3a6102..ba96a2ddb 100644 --- a/etc/kayobe/kolla/config/nova/nova-api.conf +++ b/etc/kayobe/kolla/config/nova/nova-api.conf 
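Review bot: `default({})` in `(gpu_group_map | default({})) | dict2items` only replaces an undefined variable, so a `null` value (a bare `gpu_group_map:` line) or an empty string still reaches `dict2items` and fails. That is the situation the commit message describes as "set to anything by users". Passing the second argument covers falsy values too: `{% for gpu_group in (gpu_group_map | default({}, true)) | dict2items %}`. The same expression is added in the `nova-api.conf` and `nova-compute.conf` hunks that follow. A non-mapping value such as a list would still raise a templating error, which is probably the desired outcome.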
@@ -1,4 +1,4 @@ [pci] -{% for item in gpu_group_map | dict2items | map(attribute='value') | flatten | unique | list %} +{% for item in (gpu_group_map | default({})) | dict2items | map(attribute='value') | flatten | unique | list %} alias = { "vendor_id":"{{ stackhpc_gpu_data[item].vendor_id }}", "product_id":"{{ stackhpc_gpu_data[item].product_id }}", "device_type":"{{ stackhpc_gpu_data[item].device_type }}", "name":"{{ stackhpc_gpu_data[item].resource_name }}" } {% endfor %} diff --git a/etc/kayobe/kolla/config/nova/nova-compute.conf b/etc/kayobe/kolla/config/nova/nova-compute.conf index 5f8593dde..ed83c7101 100644 --- a/etc/kayobe/kolla/config/nova/nova-compute.conf +++ b/etc/kayobe/kolla/config/nova/nova-compute.conf @@ -1,7 +1,7 @@ [pci] {% raw %} {% set gpu_list = [] %} -{% for gpu_group in gpu_group_map | dict2items | default([]) %} +{% for gpu_group in (gpu_group_map | default({})) | dict2items %} {% if gpu_group.key in group_names %} {% set _ = gpu_list.append(gpu_group.value) %} {% endif %} diff --git a/releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml b/releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml new file mode 100644 index 000000000..affc29fd8 --- /dev/null +++ b/releasenotes/notes/fix-pci-default-template-8660ab2a7a106376.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Fixes possible templating error with PCI passthrough configuration. From 40240f9b0d3cc625a505ae5c10b5088a9afee6dd Mon Sep 17 00:00:00 2001 From: Alex-Welsh <112560678+Alex-Welsh@users.noreply.github.com> Date: Thu, 15 May 2025 08:47:46 +0000 Subject: [PATCH 05/29] Merge pull request #1649 from stackhpc/zed-utils CI: Replace next_nth_usable with FQCN --- .../ci-multinode/inventory/group_vars/all/vxlan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml b/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml index 808c78034..fe92c42a0 100644 
--- a/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml +++ b/etc/kayobe/environments/ci-multinode/inventory/group_vars/all/vxlan.yml @@ -15,4 +15,4 @@ vxlan_vni: # This is a dictionary of interfaces to be created by the stackhpc.vxlan role. vxlan_interfaces: - device: "vxlan{{ vxlan_vni }}" - group: "{{ '239.0.0.0/8' | next_nth_usable(vxlan_vni) }}" + group: "{{ '239.0.0.0/8' | ansible.utils.next_nth_usable(vxlan_vni) }}" From 67961f9d5061dc0c28124b01e3eea009d40ecd9a Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 15 May 2025 16:24:44 +0200 Subject: [PATCH 06/29] CI: Avoid dependency updates in forks This workflow currently runs in any customer repository hosted on GitHub. Restrict this workflow to stackhpc like the other ones. --- .github/workflows/update-dependencies.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index dea909df5..8ae3eb9ca 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -14,6 +14,7 @@ on: jobs: propose_github_release_updates: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' runs-on: ubuntu-22.04 strategy: matrix: From 45d731db86d9e26ded6889e7e37dcc69b2a0aa14 Mon Sep 17 00:00:00 2001 From: "max.bed4d" Date: Fri, 16 May 2025 13:55:29 +0100 Subject: [PATCH 07/29] Var to set upgrade AiOs to Leafcloud --- .github/workflows/stackhpc-all-in-one.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index 00f28eadf..75d191098 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml 
@@ -77,12 +77,12 @@ jobs: runner-selection: uses: ./.github/workflows/runner-selector.yml with: - runner_env: ${{ inputs.runner_env }} + runner_env: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }} # NOTE: Runner needs unzip and nodejs packages. all-in-one: name: All in one if: ${{ inputs.if && !cancelled() }} - environment: ${{ inputs.runner_env }} + environment: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }} runs-on: ${{ needs.runner-selection.outputs.runner_name_aio }} needs: - runner-selection From 64da1b1d47a7a3209678cd797215cc6819d75525 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 19 May 2025 16:09:29 +0100 Subject: [PATCH 08/29] fix: use `rabbitmq` length for `RabbitMQNodeDown` (#1579) The `RabbitMQNodeDown` made the assumption that all deployments involve only three RabbitMQ nodes. However, this is not always the case as we do support deployments with a single node or more than three. Before this would have caused false alerts in deployments with a single RabbitMQ node. Whilst also concealing alerts in deployments with more than three nodes. Co-authored-by: Matt Crees --- etc/kayobe/kolla/config/prometheus/rabbitmq.rules | 2 +- etc/kayobe/stackhpc-monitoring.yml | 3 +++ ...ngth-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml | 8 ++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml diff --git a/etc/kayobe/kolla/config/prometheus/rabbitmq.rules b/etc/kayobe/kolla/config/prometheus/rabbitmq.rules index d72230421..82022d72a 100644 --- a/etc/kayobe/kolla/config/prometheus/rabbitmq.rules +++ b/etc/kayobe/kolla/config/prometheus/rabbitmq.rules 
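Review bot: The expression `inputs.upgrade == true && 'Leafcloud' || inputs.runner_env` is written twice, once for `runner_env` in the `runner-selection` call and once for `environment` on `all-in-one`. If the two copies ever diverge, the job would run on one cloud's runner with another environment's variables and secrets. A comment above each would make the coupling explicit, such as `# Upgrade jobs always run on Leafcloud; keep this expression identical to the other copy in this file`. The override also silently discards the caller's `runner_env` for upgrade jobs, which the input description could mention. Elsewhere in this workflow `inputs.upgrade` is tested by truthiness (`inputs.upgrade && '65' || '50'`), so the strict `== true` only matches if the input is declared as a boolean; its declaration is outside this hunk.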
@@ -6,7 +6,7 @@ groups: - name: rabbitmq.rules rules: - alert: RabbitMQNodeDown - expr: sum(rabbitmq_build_info{instance!=""}) < 3 + expr: sum(rabbitmq_build_info{instance!=""}) < {% endraw %}{{ alertmanager_number_of_rabbitmq_nodes }}{% raw %} for: 30m labels: severity: critical diff --git a/etc/kayobe/stackhpc-monitoring.yml b/etc/kayobe/stackhpc-monitoring.yml index 831486d10..a2a88b503 100644 --- a/etc/kayobe/stackhpc-monitoring.yml +++ b/etc/kayobe/stackhpc-monitoring.yml @@ -26,6 +26,9 @@ alertmanager_packet_drop_threshold: 1 # packets/s averaged over 5 minutes. alertmanager_packet_errors_threshold: 1 +# Number of RabbitMQ nodes in the cluster. +alertmanager_number_of_rabbitmq_nodes: "{{ groups['controllers'] | length }}" + ############################################################################### # Exporter configuration diff --git a/releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml b/releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml new file mode 100644 index 000000000..e7b7b2f9a --- /dev/null +++ b/releasenotes/notes/use-length-for-rabbitmq-node-down-rule-c9e9c6b09f57954d.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Allow for easy customisation of the number of expected `RabbitMQ` + nodes when evaluating the alert `RabbitMQNodeDown`. It is set by + the `alertmanager_number_of_rabbitmq_nodes` which defaults to the + number of `controllers`. This is benefical for deployments that + do not use a standard three node setup. From ffbf780860e0cd8aacde607af5c39a6a870fcce1 Mon Sep 17 00:00:00 2001 From: stackhpc-ci <22933334+stackhpc-ci@users.noreply.github.com> Date: Tue, 20 May 2025 00:14:57 +0000 Subject: [PATCH 09/29] Bump kayobe to stackhpc/16.6.0.5 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index bd1828f53..597523c22 100644 --- a/requirements.txt +++ b/requirements.txt 
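Review bot: In the `rabbitmq.rules` hunk, `sum(rabbitmq_build_info{instance!=""}) < N` yields no sample at all when every node stops reporting. For the single-node deployments this change targets (N = 1), `RabbitMQNodeDown` would therefore not fire when that node is down. An absence clause closes the gap, for example `expr: sum(rabbitmq_build_info{instance!=""}) < {% endraw %}{{ alertmanager_number_of_rabbitmq_nodes }}{% raw %} or absent(rabbitmq_build_info)`, unless a rule outside this hunk already covers missing targets. In `stackhpc-monitoring.yml` the default counts the `controllers` group although the commit title refers to `rabbitmq`. The comment there could read `# Number of RabbitMQ nodes in the cluster. Defaults to the size of the controllers group; override if RabbitMQ runs on other hosts.`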
@@ -1,3 +1,3 @@ -kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/16.6.0.4 +kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/16.6.0.5 ansible-modules-hashivault>=5.2.1 jmespath From 7aee438dd947edbb008335775c843d91117e1757 Mon Sep 17 00:00:00 2001 From: stackhpc-ci <22933334+stackhpc-ci@users.noreply.github.com> Date: Tue, 20 May 2025 00:14:57 +0000 Subject: [PATCH 10/29] Bump kolla-ansible to stackhpc/18.6.0.10 --- etc/kayobe/stackhpc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index 1de67a738..8dc781455 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml @@ -169,7 +169,7 @@ stackhpc_kolla_source_version: stackhpc/18.6.0.9 # Kolla Ansible source repository. stackhpc_kolla_ansible_source_url: "https://github.com/stackhpc/kolla-ansible" -stackhpc_kolla_ansible_source_version: stackhpc/18.6.0.9 +stackhpc_kolla_ansible_source_version: stackhpc/18.6.0.10 ############################################################################### # Container image registry From aeba2effb38fe74950babe57adbbbedb7d7c8841 Mon Sep 17 00:00:00 2001 From: Jake Hutchinson Date: Thu, 22 May 2025 14:47:43 +0100 Subject: [PATCH 11/29] Set check_mode to false for Kayobe/Kolla-Ansible version checks --- etc/kayobe/ansible/check-kayobe-version.yml | 1 + etc/kayobe/ansible/check-kolla-ansible-version.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/kayobe/ansible/check-kayobe-version.yml b/etc/kayobe/ansible/check-kayobe-version.yml index cc00b6aed..b527fc5d8 100644 --- a/etc/kayobe/ansible/check-kayobe-version.yml +++ b/etc/kayobe/ansible/check-kayobe-version.yml @@ -8,6 +8,7 @@ tasks: - name: Check version when: stackhpc_enable_kayobe_check + check_mode: false block: - name: Get package info community.general.pip_package_info: diff --git a/etc/kayobe/ansible/check-kolla-ansible-version.yml b/etc/kayobe/ansible/check-kolla-ansible-version.yml index 183a175dd..e6bfd92fd 100644 
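Review bot: `check_mode: false` on the `Check version` block in `check-kayobe-version.yml` makes every task in the block execute for real during `--check` runs. The block body continues past the end of the hunk, so a reader cannot confirm from here that all of its tasks are read-only. A short comment would record the intent, e.g. `# Run even in check mode: these tasks only read version information and change nothing.` The same applies to the matching hunk in `check-kolla-ansible-version.yml`, whose block starts with an `ansible.builtin.command` task.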
--- a/etc/kayobe/ansible/check-kolla-ansible-version.yml +++ b/etc/kayobe/ansible/check-kolla-ansible-version.yml @@ -6,6 +6,7 @@ tasks: - name: Check version when: stackhpc_enable_kolla_ansible_check + check_mode: false block: - name: Get current Kolla-Ansible tag ansible.builtin.command: From 902e393246b3d653dd761626e9cd0ba6a7c5f0fb Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Thu, 22 May 2025 15:35:14 +0100 Subject: [PATCH 12/29] Bump magnum-capi-helm --- etc/kayobe/kolla-image-tags.yml | 5 +++-- etc/kayobe/kolla.yml | 2 +- releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml | 7 +++++++ 3 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index a4cd593de..96cdb449f 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -29,8 +29,9 @@ kolla_image_tags: rocky-9: 2024.1-rocky-9-20250219T113722 ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 magnum: - rocky-9: 2024.1-rocky-9-20250102T094625 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250102T094625 + rocky-9: 2024.1-rocky-9-20250522T143506 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250522T143506 + ubuntu-noble: 2024.1-ubuntu-noble-20250522T143506 manila: rocky-9: 2024.1-rocky-9-20250219T113722 ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index bd1b5ef3f..5eb6740dc 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -403,7 +403,7 @@ kolla_build_customizations_common: - /additions/* magnum_base_pip_packages_override: - /magnum[osprofiler] - - magnum-capi-helm==1.2.0 + - magnum-capi-helm==1.2.1 neutron_server_packages_append: - python3-libvirt - python3-ethtool diff --git a/releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml b/releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml new file mode 100644 index 000000000..5a4aae413 --- /dev/null 
+++ b/releasenotes/notes/capi-bump-78cd6f89a0eff0d7.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Updated the version of magnum-capi-helm used in Magnum containers. This + resolves an issue stopping non-default node groups from being deleted. See + `#2095539 `__ for more + details. From cc10a8b24ba1e9376d8affd0d1e495cb18be8157 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 26 May 2025 09:56:15 +0200 Subject: [PATCH 13/29] Bump Ceph Reef container image to v18.2.7 --- etc/kayobe/cephadm.yml | 2 +- releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml diff --git a/etc/kayobe/cephadm.yml b/etc/kayobe/cephadm.yml index c9e0990ee..fa633ab47 100644 --- a/etc/kayobe/cephadm.yml +++ b/etc/kayobe/cephadm.yml @@ -12,7 +12,7 @@ cephadm_ceph_release: "{{ 'squid' if os_release == 'noble' else 'reef' }}" cephadm_image: "{{ stackhpc_docker_registry if stackhpc_sync_ceph_images | bool else 'quay.io' }}/ceph/ceph:{{ cephadm_image_tag }}" # Ceph container image tag. -cephadm_image_tag: "{{ 'v19.2.1' if cephadm_ceph_release == 'squid' else 'v18.2.4' }}" +cephadm_image_tag: "{{ 'v19.2.1' if cephadm_ceph_release == 'squid' else 'v18.2.7' }}" # Ceph custom repo workaround for Ubuntu as there are no official ceph repos for Ubuntu Jammy and Noble. cephadm_custom_repos: "{{ ansible_facts['distribution'] == 'Ubuntu' }}" diff --git a/releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml b/releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml new file mode 100644 index 000000000..8f7efe343 --- /dev/null +++ b/releasenotes/notes/ceph-reef-18.2.7-9d8d3ad3a1ea517b.yaml @@ -0,0 +1,4 @@ +--- +upgrade: + - | + Bumps the default Ceph Reef container image to ``v18.2.7``. From 03452e76fadc9654408b0d992c7f214fb9c5f221 Mon Sep 17 00:00:00 2001 
From: Bartosz Bezak Date: Thu, 29 May 2025 09:28:47 +0200 Subject: [PATCH 14/29] bump ovs/ovn in RL9 in caracal multiple bug fixes for ovs [1] and ovn [2] - especially ct_state.dnat handling in OVN [1] https://git.centos.org/rpms/openvswitch/blob/c9s-sig-nfv-openvswitch-3.3/f/SPECS/openvswitch3.3.spec#_1020 [2] https://git.centos.org/rpms/ovn/blob/c9s-sig-nfv-ovn24.03/f/SPECS/ovn24.03.spec#_535 Kolla Toolbox, Manila, Neutron, Nova, and Octavia containers received updates on both Rocky Linux 9 and Ubuntu. Only the Rocky Linux 9 images include the new OVS versions. --- etc/kayobe/kolla-image-tags.yml | 36 +++++++++++-------- etc/kayobe/pulp-repo-versions.yml | 2 +- ...vs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml | 11 ++++++ 3 files changed, 33 insertions(+), 16 deletions(-) create mode 100644 releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index a4cd593de..81676ecb3 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml 
@@ -26,30 +26,36 @@ kolla_image_tags: rocky-9: 2024.1-rocky-9-20250124T081816 ubuntu-jammy: 2024.1-ubuntu-jammy-20250124T081816 kolla_toolbox: - rocky-9: 2024.1-rocky-9-20250219T113722 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 magnum: rocky-9: 2024.1-rocky-9-20250102T094625 ubuntu-jammy: 2024.1-ubuntu-jammy-20250102T094625 manila: - rocky-9: 2024.1-rocky-9-20250219T113722 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 neutron: - rocky-9: 2024.1-rocky-9-20250219T113722 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 nova: - rocky-9: 2024.1-rocky-9-20250219T113722 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 octavia: - rocky-9: 2024.1-rocky-9-20250507T153144 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250507T153144 - ubuntu-noble: 2024.1-ubuntu-noble-20250507T153144 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 openvswitch: - rocky-9: 2024.1-rocky-9-20250219T113722 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 ovn: - rocky-9: 2024.1-rocky-9-20250219T113722 - ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T113722 + rocky-9: 2024.1-rocky-9-20250529T081147 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 + ubuntu-noble: 
2024.1-ubuntu-noble-20250529T081147 prometheus_alertmanager: rocky-9: 2024.1-rocky-9-20250422T103147 ubuntu-jammy: 2024.1-ubuntu-jammy-20250422T103147 diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml index 2c22d0b32..e2636862b 100644 --- a/etc/kayobe/pulp-repo-versions.yml +++ b/etc/kayobe/pulp-repo-versions.yml @@ -2,7 +2,7 @@ # This file is autogenerated by Ansible using the following workflow: # https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-update-kayobe.yml stackhpc_pulp_repo_centos_stream_9_docker_version: 20241210T000909 -stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20250217T103110 +stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20250528T022338 stackhpc_pulp_repo_centos_stream_9_openstack_caracal_version: 20241212T022636 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20231213T031318 stackhpc_pulp_repo_centos_stream_9_storage_ceph_reef_version: 20240923T233036 diff --git a/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml b/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml new file mode 100644 index 000000000..1aac67bd8 --- /dev/null +++ b/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml @@ -0,0 +1,11 @@ +--- +features: + - | + Updated OpenvSwitch to 3.3.4-115 and OVN to 24.03.5-88 for Rocky Linux 9 + in Caracal. For details, see the following changelogs: + * `[OVS changelog](https://git.centos.org/rpms/openvswitch/blob/c9s-sig-nfv-openvswitch-3.3/f/SPECS/openvswitch3.3.spec#_806)`_ + * `[OVN changelog](https://git.centos.org/rpms/ovn/blob/c9s-sig-nfv-ovn24.03/f/SPECS/ovn24.03.spec#_535)`_ + - | + Kolla Toolbox, Manila, Neutron, Nova, and Octavia containers received + updates on both Rocky Linux 9 and Ubuntu. Only the Rocky Linux 9 images + include the new OVS versions. From ed21759bea84a0123b44b0fa757913b73da8b0ea Mon Sep 17 00:00:00 2001 
From: Alex-Welsh Date: Fri, 30 May 2025 09:32:05 +0100 Subject: [PATCH 15/29] Fix release note link format --- .../notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml b/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml index 1aac67bd8..0268db52b 100644 --- a/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml +++ b/releasenotes/notes/bump-ovs-ovn-rocky9-2024.1-eb5a42d9f890d3cd.yaml @@ -3,8 +3,10 @@ features: - | Updated OpenvSwitch to 3.3.4-115 and OVN to 24.03.5-88 for Rocky Linux 9 in Caracal. For details, see the following changelogs: - * `[OVS changelog](https://git.centos.org/rpms/openvswitch/blob/c9s-sig-nfv-openvswitch-3.3/f/SPECS/openvswitch3.3.spec#_806)`_ - * `[OVN changelog](https://git.centos.org/rpms/ovn/blob/c9s-sig-nfv-ovn24.03/f/SPECS/ovn24.03.spec#_535)`_ + + * `OVS changelog `__ + * `OVN changelog `__ + - | Kolla Toolbox, Manila, Neutron, Nova, and Octavia containers received updates on both Rocky Linux 9 and Ubuntu. Only the Rocky Linux 9 images From 700704cdce2751b4a5d42e22f816db1e42f6549f Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Fri, 30 May 2025 15:43:17 +0100 Subject: [PATCH 16/29] fix: do not attempt to install `python3-venv` on non `Ubuntu` systems --- etc/kayobe/ansible/smartmon-tools.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/etc/kayobe/ansible/smartmon-tools.yml b/etc/kayobe/ansible/smartmon-tools.yml index 351ce0325..c6fa35acc 100644 --- a/etc/kayobe/ansible/smartmon-tools.yml +++ b/etc/kayobe/ansible/smartmon-tools.yml @@ -15,10 +15,8 @@ - name: Ensure Python 3, venv, and pip are installed ansible.builtin.package: - name: - - python3 - - python3-venv - - python3-pip + name: > + {{ ['python3', 'python3-pip'] + (['python3-venv'] if ansible_facts['distribution'] == 'Ubuntu' else []) }} state: present become: true 
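Review bot: In the `smartmon-tools.yml` hunk the new `name: >` value is a folded scalar, so the rendered string ends with a newline and only becomes a list through Ansible's string-to-list conversion. `name: >-` strips that newline, or the list can stay plain YAML with `python3-venv` moved to a second task guarded by `when:`. The test `ansible_facts['distribution'] == 'Ubuntu'` also excludes Debian, where `python3-venv` is a separate package as well; `ansible_facts['os_family'] == 'Debian'` would cover both if Debian hosts are in scope. The task name still says "Python 3, venv, and pip" although venv is now conditional.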
From d6a8981737168584280fd381454ef3c6499483e5 Mon Sep 17 00:00:00 2001 From: Piotr Parczewski Date: Wed, 19 Feb 2025 15:49:49 +0100 Subject: [PATCH 17/29] Prometheus: Remove build overrides Co-authored-by: Bartosz Bezak --- etc/kayobe/kolla/kolla-build.conf | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf index 1c2165c8b..95562f5c0 100644 --- a/etc/kayobe/kolla/kolla-build.conf +++ b/etc/kayobe/kolla/kolla-build.conf @@ -16,15 +16,3 @@ build_args = {{ (kolla_build_args | default({})).items() | map('join', ':') | jo type = git location = https://github.com/stackhpc/requirements reference = stackhpc/{{ openstack_release }} - -[prometheus-v2-server] -version = 2.54.1 -sha256 = amd64:31715ef65e8a898d0f97c8c08c03b6b9afe485ac84e1698bcfec90fc6e62924f,arm64:3d9946ca730f2679bbd63e9d40e559a0ba227a638d237e723af1a99bd7098263 - -[prometheus-blackbox-exporter] -version = 0.25.0 -sha256 = amd64:c651ced6405c5e0cd292a400f47ae9b34f431f16c7bb098afbcd38f710144640,arm64:46ec5a54a41dc1ea8a8cecee637e117de4807d3b0976482a16596e82e79ac484 - -[prometheus-memcached-exporter] -version = 0.14.4 -sha256 = amd64:e61b9f15959218a38c49b9ba919fca0a3e36e7edf9c607aabcf1ccbbd3b8cc59,arm64:9a28b57bd217e80acd1cdc86cef97e32058f3b2cce75f79baa13b42a27b7291a From 84ad0cba7a0bb76a908a4bce3ab60b4e60892e89 Mon Sep 17 00:00:00 2001 From: Piotr Parczewski Date: Mon, 3 Feb 2025 10:00:53 +0100 Subject: [PATCH 18/29] Bump up Prometheus image tag --- etc/kayobe/kolla-image-tags.yml | 3 +++ releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index e88e76837..a8f103562 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml 
@@ -57,6 +57,9 @@ kolla_image_tags: rocky-9: 2024.1-rocky-9-20250529T081147 ubuntu-jammy: 2024.1-ubuntu-jammy-20250529T081147 ubuntu-noble: 2024.1-ubuntu-noble-20250529T081147 + prometheus: + rocky-9: 2024.1-rocky-9-20250219T145255 + ubuntu-jammy: 2024.1-ubuntu-jammy-20250219T145255 prometheus_alertmanager: rocky-9: 2024.1-rocky-9-20250422T103147 ubuntu-jammy: 2024.1-ubuntu-jammy-20250422T103147 diff --git a/releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml b/releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml new file mode 100644 index 000000000..db9c0159d --- /dev/null +++ b/releasenotes/notes/update-prometheus-3519aa260d5f24ef.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Updates Prometheus to version 2.55.1. From bb093cab05c80621838b7a05ff4412dfe5a078e8 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 3 Jun 2025 11:17:17 +0100 Subject: [PATCH 19/29] CI: Add upstream-sync workflow We tried adding upstream-sync using stackhpc-release-train [1], but the workflow addition is skipped because our default branch is a StackHPC release branch [2]. Add workflow manually to synchronise releases that still exist upstream. [1] https://github.com/stackhpc/stackhpc-release-train/pull/410 [2] https://github.com/stackhpc/stackhpc-release-train/commit/49c06d14375a90a61af7d4a4cb765111c1e6b7b3 --- .github/workflows/upstream-sync.yml | 34 +++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/upstream-sync.yml diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml new file mode 100644 index 000000000..35eaea448 --- /dev/null +++ b/.github/workflows/upstream-sync.yml 
@@ -0,0 +1,34 @@ +--- +name: Upstream Sync +'on': + schedule: + - cron: "15 8 * * 1" + workflow_dispatch: +permissions: + contents: write + pull-requests: write +jobs: + synchronise-2023-1: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise 2023.1 + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: 2023.1 + synchronise-2024-1: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise 2024.1 + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: 2024.1 + synchronise-2025.1: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise 2025.1 + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: 2025.1 + synchronise-master: + if: github.repository == 'stackhpc/stackhpc-kayobe-config' + name: Synchronise master + uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main + with: + release_series: master From 5ae9d02e77def1eb4357c19a50327d35afa69e5a Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 3 Jun 2025 12:03:33 +0100 Subject: [PATCH 20/29] CI: Fix workflow syntax error --- .github/workflows/upstream-sync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml index 35eaea448..3f6449a3a 100644 --- a/.github/workflows/upstream-sync.yml +++ b/.github/workflows/upstream-sync.yml @@ -20,7 +20,7 @@ jobs: uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main with: release_series: 2024.1 - synchronise-2025.1: + synchronise-2025-1: if: github.repository == 'stackhpc/stackhpc-kayobe-config' name: Synchronise 2025.1 uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main From 712030c83ade8487cb555ad7f79cca871fe45bb5 Mon Sep 17 00:00:00 2001 
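Review bot: All four jobs call `stackhpc/.github/.github/workflows/upstream-sync.yml@main`, a branch ref, while the workflow grants `contents: write` and `pull-requests: write`; whatever lands on that branch next runs on the weekly schedule with write access to this repository. Pinning each `uses:` to a full commit SHA, e.g. `uses: stackhpc/.github/.github/workflows/upstream-sync.yml@<COMMIT_SHA>` (placeholder), makes every update of the called workflow an explicit, reviewable change. The unquoted `release_series` values `2023.1`, `2024.1` and `2025.1` are read as floats by generic YAML parsers; quoting them, e.g. `release_series: '2024.1'`, keeps them strings before they reach the called workflow.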
From: Matt Anson Date: Tue, 3 Jun 2025 12:33:56 +0100 Subject: [PATCH 21/29] Add an option to append content to Ceph configs Adds the ``kolla_ceph_conf_append`` config option to allow the specification of a string to append to all Ceph config files retrieved using the ``cephadm-gather-keys.yml`` playbook. --- etc/kayobe/ansible/cephadm-gather-keys.yml | 1 + etc/kayobe/cephadm.yml | 3 +++ releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml | 6 ++++++ 3 files changed, 10 insertions(+) create mode 100644 releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml diff --git a/etc/kayobe/ansible/cephadm-gather-keys.yml b/etc/kayobe/ansible/cephadm-gather-keys.yml index e4b8da206..1b36f8bdd 100644 --- a/etc/kayobe/ansible/cephadm-gather-keys.yml +++ b/etc/kayobe/ansible/cephadm-gather-keys.yml @@ -68,6 +68,7 @@ # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf. content: | {{ cephadm_ceph_conf.stdout | regex_replace('\t') }} + {{ kolla_ceph_conf_append if kolla_ceph_conf_append is defined }} dest: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_conf_dir[item.0.name] }}/ceph.conf" loop: "{{ query('subelements', kolla_ceph_services | selectattr('required'), 'keys') }}" loop_control: diff --git a/etc/kayobe/cephadm.yml b/etc/kayobe/cephadm.yml index fa633ab47..0da68b8e2 100644 --- a/etc/kayobe/cephadm.yml +++ b/etc/kayobe/cephadm.yml @@ -136,3 +136,6 @@ kolla_ceph_manila_required: "{{ kolla_enable_manila | bool }}" # Whether to generate Ceph configuration for Nova. kolla_ceph_nova_required: "{{ kolla_enable_nova | bool }}" + +# A (multiline) string to append to all Ceph configuration files. +#kolla_ceph_conf_append: diff --git a/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml b/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml new file mode 100644 index 000000000..1d0e534d4 --- /dev/null +++ b/releasenotes/notes/ceph-config-append-1cc6146d3241b63e.yaml 
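Review bot: The appended `kolla_ceph_conf_append` text in cephadm-gather-keys.yml bypasses the `regex_replace('\t')` applied to `cephadm_ceph_conf.stdout` on the line above. Tab-indented content supplied by an operator would therefore reach the ceph.conf that, per the existing comment, Kolla Ansible's merge_configs does not handle with leading tabs. Either filter it the same way, `{{ kolla_ceph_conf_append | regex_replace('\t') if kolla_ceph_conf_append is defined }}`, or state the constraint beside the variable in cephadm.yml, e.g. `# Must not contain tab characters.` The task holding this `content:` block starts and ends outside the hunk.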
@@ -0,0 +1,6 @@ +--- +features: + - | + Add ``kolla_ceph_conf_append`` configuration option to specify a string + to be appended to all ceph.conf files gathered from a ceph cluster using + ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml``. From b2bb217359c288028f87236e68b0c8808cdcea9a Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 4 Jun 2025 07:36:51 +0100 Subject: [PATCH 22/29] CI: Configure upstream repository to use for sync This requires https://github.com/stackhpc/.github/pull/55 to merge. --- .github/workflows/upstream-sync.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml index 3f6449a3a..92e5c1f54 100644 --- a/.github/workflows/upstream-sync.yml +++ b/.github/workflows/upstream-sync.yml @@ -14,21 +14,25 @@ jobs: uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main with: release_series: 2023.1 + upstream: openstack/kayobe-config synchronise-2024-1: if: github.repository == 'stackhpc/stackhpc-kayobe-config' name: Synchronise 2024.1 uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main with: release_series: 2024.1 + upstream: openstack/kayobe-config synchronise-2025-1: if: github.repository == 'stackhpc/stackhpc-kayobe-config' name: Synchronise 2025.1 uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main with: release_series: 2025.1 + upstream: openstack/kayobe-config synchronise-master: if: github.repository == 'stackhpc/stackhpc-kayobe-config' name: Synchronise master uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main with: release_series: master + upstream: openstack/kayobe-config From 47d7ccda88c01823972994ac52dc8db5fd23d2a1 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 5 Jun 2025 12:40:42 +0100 Subject: [PATCH 23/29] docs: fix link to IPA upstream documentation --- doc/source/configuration/ipa.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/source/configuration/ipa.rst b/doc/source/configuration/ipa.rst index c55b91040..5ff239030 100644 --- a/doc/source/configuration/ipa.rst +++ b/doc/source/configuration/ipa.rst @@ -11,7 +11,7 @@ StackHPC provides prebuilt Ironic Python Agent (IPA) images in Release Train through Ark. These images are built in CI using a GitHub workflow and are configured in this -repository. See :kayobe-doc: `Kayobe documentation +repository. See :kayobe-doc:`Kayobe documentation ` for more details on IPA. Release Train IPA images are used by Bifrost and Overcloud Ironic by default in From 88786d6d511c2268f4b3ad7314da11cf4d55291c Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Thu, 5 Jun 2025 11:06:23 +0100 Subject: [PATCH 24/29] feat: add `stack` user for `Pulp` The `stack` user is intended to be used for accessing `Pulp` from the `overcloud` hosts rather than using the `admin` user. --- doc/source/configuration/release-train.rst | 33 +++++++++++++------ etc/kayobe/containers/pulp/post.yml | 12 +++++++ etc/kayobe/pulp.yml | 4 +++ etc/kayobe/stackhpc.yml | 4 +-- ...-stack-user-for-pulp-c96041e82c13aa10.yaml | 6 ++++ 5 files changed, 47 insertions(+), 12 deletions(-) create mode 100644 releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst index 5ed9b50c7..ad489f502 100644 --- a/doc/source/configuration/release-train.rst +++ b/doc/source/configuration/release-train.rst 
@@ -52,16 +52,29 @@ The Pulp container is deployed on the seed by default, but may be disabled by setting ``seed_pulp_container_enabled`` to ``false`` in ``etc/kayobe/seed.yml``. -The URL and credentials of the local Pulp server are configured in -``etc/kayobe/pulp.yml`` via ``pulp_url``, ``pulp_username`` and -``pulp_password``. In most cases, the default values should be sufficient. -An admin password must be generated and set as the value of a -``secrets_pulp_password`` variable, typically in an Ansible Vault encrypted -``etc/kayobe/secrets.yml`` file. This password will be automatically set on -Pulp startup. - -If a proxy is required to access the Internet from the seed, ``pulp_proxy_url`` -may be used. +The URL for the local Pulp server is configured by ``pulp_url`` within +``etc/kayobe/pulp.yml``. + +The Pulp service can be configured with two sets of credentials; one for +administrator operations and another read-only for overcloud hosts +to use. +The administrator credentials can be configured ``pulp_username``, +``pulp_password`` +The basic user account credentials can be configured with ``pulp_stack_username`` +and ``pulp_stack_password``. +Both sets of credentials can be found within ``etc/kayobe/pulp.yml``. + +Both the ``pulp_password`` and ``pulp_stack_password`` are intended to be +configured via their ``secrets_*`` counterparts, i.e. +``secrets_pulp_password`` and ``secrets_pulp_stack_password``. These variables +are expected to be set in an Ansible Vault encrypted +``etc/kayobe/secrets.yml`` file. + +Passwords can be generated using ``OpenSSL`` + +.. code-block:: console + + openssl rand -base64 32 Host images are not synchronised to the local Pulp server, since they should only be pulled to the seed node once. More information on host images can be diff --git a/etc/kayobe/containers/pulp/post.yml b/etc/kayobe/containers/pulp/post.yml index 967c4e37d..7a4e7e595 100644 --- a/etc/kayobe/containers/pulp/post.yml 
+++ b/etc/kayobe/containers/pulp/post.yml @@ -28,6 +28,18 @@ - stackhpc_pulp_sync_for_local_container_build | bool - pulp_settings.changed +- name: Ensure Pulp stack user exists + ansible.builtin.include_role: + name: stackhpc.pulp.pulp_user + vars: + pulp_users: + - username: "{{ pulp_stack_username }}" + password: "{{ pulp_stack_password }}" + is_staff: false + when: + - pulp_stack_username is defined and pulp_stack_username | length > 0 + - pulp_stack_password is defined and pulp_stack_password | length > 0 + - name: Login to docker registry docker_login: registry_url: "{{ kolla_docker_registry or omit }}" diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml index a74a7d555..214e8bc10 100644 --- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml @@ -26,6 +26,10 @@ pulp_enable_tls: false pulp_username: admin pulp_password: "{{ secrets_pulp_password }}" +# Credentials for non-admin user within Pulp. +pulp_stack_username: stack +pulp_stack_password: "{{ secrets_pulp_stack_password | default('') }}" + # Proxy to use when adding remotes. pulp_proxy_url: "{{ omit }}" diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index 8dc781455..2e47b0022 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml @@ -178,8 +178,8 @@ stackhpc_kolla_ansible_source_version: stackhpc/18.6.0.10 stackhpc_docker_registry: "{{ pulp_url | regex_replace('^https?://', '') }}" # Username and password of container registry. -stackhpc_docker_registry_username: "{{ pulp_username }}" -stackhpc_docker_registry_password: "{{ pulp_password }}" +stackhpc_docker_registry_username: "{{ pulp_stack_username if pulp_stack_password is defined and pulp_stack_password | length > 0 else pulp_username }}" +stackhpc_docker_registry_password: "{{ pulp_stack_password if pulp_stack_password is defined and pulp_stack_password | length > 0 else pulp_password }}" ############################################################################### # Feature flags 
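Review bot: Nothing in the new "Ensure Pulp stack user exists" task limits what the `stack` account may do beyond `is_staff: false`, yet release-train.rst in the same commit describes the account as read-only. If that relies on Pulp's default permissions for non-staff users, say so above the task, e.g. `# Non-staff user; read-only access relies on Pulp's default RBAC (confirm push and delete are denied).`; if explicit roles are required they should be assigned here. It is also worth confirming that the `stackhpc.pulp.pulp_user` role does not log `pulp_users`, since the password is passed through task vars.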
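Review bot: In stackhpc.yml both registry credential expressions test only `pulp_stack_password`, whereas post.yml creates the user only when `pulp_stack_username` and `pulp_stack_password` are both non-empty. With the username overridden to an empty string and the secret set, the registry login would use an empty username for an account that was never created. Use the same condition in both places, e.g. `pulp_stack_username | default('') | length > 0 and pulp_stack_password | default('') | length > 0`. Setting the secret presumably switches these credentials as soon as the configuration is rendered, so the upgrade notes should say that the Pulp post-deploy tasks must run before overcloud hosts next pull images.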
diff --git a/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml b/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml new file mode 100644 index 000000000..63b4dae95 --- /dev/null +++ b/releasenotes/notes/add-stack-user-for-pulp-c96041e82c13aa10.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Add support for a basic user for Pulp operations instead of using + the admin user for usage. Can be enabled by setting + `pulp_stack_password`. From 43aa6e114e7ef6a480e62b23fa0ce78b113fd379 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Mon, 9 Jun 2025 09:46:35 +0100 Subject: [PATCH 25/29] Remove old OFED method OFED is no longer pre-installed in our host images. Instead, it should be installed after provisioning. See docs: --- etc/kayobe/ansible/pulp-host-image-download.yml | 5 +---- etc/kayobe/stackhpc-overcloud-host-images.yml | 11 ++--------- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/etc/kayobe/ansible/pulp-host-image-download.yml b/etc/kayobe/ansible/pulp-host-image-download.yml index 52e570b9f..54fd36ae4 100644 --- a/etc/kayobe/ansible/pulp-host-image-download.yml +++ b/etc/kayobe/ansible/pulp-host-image-download.yml @@ -7,10 +7,8 @@ # password in the get_url task of this playbook stackhpc_overcloud_host_image_url_no_auth: "{{ stackhpc_release_pulp_content_url }}/kayobe-images/\ {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\ - {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\ {{ stackhpc_overcloud_host_image_version }}/\ - overcloud-{{ os_distribution }}-{{ os_release }}\ - {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2" + overcloud-{{ os_distribution }}-{{ os_release }}.qcow2" tasks: - name: Print image information ansible.builtin.debug: 
@@ -18,7 +16,6 @@ OS Distribution: {{ os_distribution }} OS Release: {{ os_release }} Image tag: {{ stackhpc_overcloud_host_image_version }} - OFED: {{ stackhpc_overcloud_host_image_is_ofed }} # TODO: Add checksum support - name: Download image artifact diff --git a/etc/kayobe/stackhpc-overcloud-host-images.yml b/etc/kayobe/stackhpc-overcloud-host-images.yml index 48cc04c37..b0594e1e0 100644 --- a/etc/kayobe/stackhpc-overcloud-host-images.yml +++ b/etc/kayobe/stackhpc-overcloud-host-images.yml @@ -5,19 +5,12 @@ # Whether or not to download overcloud host images from Ark stackhpc_download_overcloud_host_images: false -# Whether or not to use images with MLNX_OFED installed (for deployment using -# mellanox/Nvidia NICs). Only available for Ubuntu Jammy and Rocky Linux 9 -# OFED images are currently WIP and this variable is a placeholder -stackhpc_overcloud_host_image_is_ofed: false - # The overcloud host image source, defined by os_distribution, os_release, -# stackhpc_overcloud_host_image_is_ofed, and the current stable version. +# and the current stable version. stackhpc_overcloud_host_image_url: "{{ stackhpc_release_pulp_content_url_with_auth }}/kayobe-images/\ {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\ - {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\ {{ stackhpc_overcloud_host_image_version }}/\ - overcloud-{{ os_distribution }}-{{ os_release }}\ - {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2" + overcloud-{{ os_distribution }}-{{ os_release }}.qcow2" # Overcloud host image version tag selection stackhpc_overcloud_host_image_version: >- From 759761c41aacdc392f9d28d4e9d73a65d80b7465 Mon Sep 17 00:00:00 2001 
From: Jack Hodgkiss Date: Tue, 13 May 2025 22:14:51 +0100 Subject: [PATCH 26/29] feat: add support for `HA` Raft in `OpenBao` --- .../ansible/openbao-deploy-overcloud.yml | 29 ++++++++++++++++++- etc/kayobe/ansible/openbao-deploy-seed.yml | 4 +-- etc/kayobe/ansible/requirements.yml | 4 ++- .../inventory/group_vars/all/openbao.yml | 3 ++ .../add-openbao-raft-ha-e8d78ffe68913512.yaml | 5 ++++ 5 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml diff --git a/etc/kayobe/ansible/openbao-deploy-overcloud.yml b/etc/kayobe/ansible/openbao-deploy-overcloud.yml index 811e9b1f0..8cf36e57e 100644 --- a/etc/kayobe/ansible/openbao-deploy-overcloud.yml +++ b/etc/kayobe/ansible/openbao-deploy-overcloud.yml @@ -21,7 +21,12 @@ gather_facts: true hosts: controllers vars: - openbao_bind_address: "{{ internal_net_name | net_ip }}" + openbao_bind_addr: "{{ internal_net_name | net_ip }}" + # This is the IP address of the first controller and therefore the leader within + # OpenBao. This could be replaced with the VIP address of the internal network if + # HAProxy has been configured to load balance the OpenBao API. + openbao_raft_leaders: + - "{{ internal_net_name | net_ip(inventory_hostname=groups['controllers'][0]) }}" tasks: - name: Set a fact about the virtualenv on the remote system ansible.builtin.set_fact: 
@@ -91,6 +96,28 @@ vault_unseal_keys: "{{ openbao_keys.keys_base64 }}" environment: https_proxy: "" + run_once: true + + # As the first instance is now unsealed the other instances will now need some + # time to connect before we can proceed. + - name: Wait for OpenBao Raft peers to connect + ansible.builtin.wait_for: + timeout: 30 + delegate_to: localhost + + # Raft peers take few seconds before they report an unsealed state therefore + # we must wait. + - name: Unseal OpenBao + ansible.builtin.import_role: + name: stackhpc.hashicorp.vault_unseal + vars: + vault_api_addr: https://{{ internal_net_name | net_ip }}:8200 + vault_unseal_token: "{{ openbao_keys.root_token }}" + vault_unseal_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}" + vault_unseal_keys: "{{ openbao_keys.keys_base64 }}" + vault_unseal_timeout: 10 + environment: + https_proxy: "" - name: Configure PKI any_errors_fatal: true diff --git a/etc/kayobe/ansible/openbao-deploy-seed.yml b/etc/kayobe/ansible/openbao-deploy-seed.yml index 2f276cbf6..42972b35e 100644 --- a/etc/kayobe/ansible/openbao-deploy-seed.yml +++ b/etc/kayobe/ansible/openbao-deploy-seed.yml @@ -4,8 +4,8 @@ gather_facts: true hosts: seed vars: - openbao_bind_address: "{{ ansible_facts['lo'].ipv4.address }}" - openbao_api_addr: "http://{{ openbao_bind_address }}:8200" + openbao_bind_addr: "{{ ansible_facts['lo'].ipv4.address }}" + openbao_api_addr: "http://{{ openbao_bind_addr }}:8200" tasks: - name: Set a fact about the virtualenv on the remote system ansible.builtin.set_fact: diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index a81decfc1..8c3adb542 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml 
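Review bot: `run_once: true` on the first unseal task in openbao-deploy-overcloud.yml executes on the first host of the current batch, which is not guaranteed to be `groups['controllers'][0]`, the host this commit names in `openbao_raft_leaders`. Under `--limit`, or with that host unreachable, a different node is unsealed first and the peers wait on a leader that is still sealed. Tying the task to the leader explicitly, e.g. `when: inventory_hostname == groups['controllers'][0]`, removes the dependence on host ordering. The `ansible.builtin.wait_for` that follows has only `timeout: 30`, so it is a fixed 30-second pause rather than a check that peers have joined; retrying the second unseal until it succeeds would be more reliable than a sleep. The play's earlier tasks lie outside this hunk.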
@@ -9,7 +9,9 @@ collections: - name: stackhpc.pulp version: 0.5.5 - name: stackhpc.hashicorp - version: 2.6.1 + source: https://github.com/stackhpc/ansible-collection-hashicorp + type: git + version: openbao-localhost-fix - name: stackhpc.kayobe_workflows version: 1.1.0 roles: diff --git a/etc/kayobe/inventory/group_vars/all/openbao.yml b/etc/kayobe/inventory/group_vars/all/openbao.yml index 3e084a936..ffd566dc8 100644 --- a/etc/kayobe/inventory/group_vars/all/openbao.yml +++ b/etc/kayobe/inventory/group_vars/all/openbao.yml @@ -77,3 +77,6 @@ seed_openbao_pki_certificate_subject: role: "{{ seed_openbao_pki_role_name }}" extra_params: ip_sans: "{% for host in groups['controllers'] %}{{ internal_net_name | net_ip(host) }}{% if not loop.last %},{% endif %}{% endfor %},{{ kolla_internal_vip_address }}" + +# Enable OpenBao UI +openbao_enable_ui: true diff --git a/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml b/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml new file mode 100644 index 000000000..596a3eada --- /dev/null +++ b/releasenotes/notes/add-openbao-raft-ha-e8d78ffe68913512.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add support for highly available Raft when using OpenBao on + overcloud hosts. From b989ef17b1eadd61ba0e94cfbcd96fa2fc66ba7a Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Sat, 7 Jun 2025 22:09:24 +0100 Subject: [PATCH 27/29] feat: add `openbao_tls_ca` for raft peers --- etc/kayobe/ansible/openbao-deploy-overcloud.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/openbao-deploy-overcloud.yml b/etc/kayobe/ansible/openbao-deploy-overcloud.yml index 8cf36e57e..df3166ce6 100644 --- a/etc/kayobe/ansible/openbao-deploy-overcloud.yml +++ b/etc/kayobe/ansible/openbao-deploy-overcloud.yml 
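Review bot: `version: openbao-localhost-fix` in requirements.yml is a branch name, so the `stackhpc.hashicorp` collection installed from this commit can change without any change to the file, unlike the `2.6.1` release it replaces. That collection handles unseal keys and the root token in these playbooks, so an unpinned source is worth avoiding even briefly. Patch 29 in this series returns to a tagged `2.7.1`; until then a full commit SHA in `version:` would keep installs reproducible, or the two patches could be squashed so that no commit in the history installs from a moving branch.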
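Review bot: `openbao_enable_ui: true` is added to inventory/group_vars/all/openbao.yml, so it applies to every host, and neither the commit message nor the Raft HA release note mentions it. The web UI is additional exposed surface on a secrets service and does not appear to be needed for Raft itself. Defaulting to `openbao_enable_ui: false` and documenting how to turn it on would be the safer choice; if it stays enabled, add a `features:` or `security:` release-note entry so operators know the UI is now reachable.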
@@ -51,7 +51,7 @@ - name: Template out TLS key and cert ansible.builtin.copy: - # Within the OpenBao container these uids & gids map to the vault user + # Within the OpenBao container these uids & gids map to the openbao user src: "{{ kayobe_env_config_path }}/openbao/{{ item }}" dest: /opt/kayobe/openbao/{{ item }} owner: 100 @@ -60,6 +60,7 @@ loop: - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt" - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key" + - "OS-TLS-INT.crt" become: true - name: Apply OpenBao role @@ -76,6 +77,7 @@ openbao_docker_tag: "{{ overcloud_openbao_docker_tag }}" openbao_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt" openbao_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key" + openbao_tls_ca: "OS-TLS-INT.crt" copy_self_signed_ca: true openbao_api_addr: https://{{ internal_net_name | net_ip }}:8200 openbao_write_keys_file: true From 8e0593291d523bb3ccc161af8432a4c5fcb75172 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Sun, 8 Jun 2025 00:18:14 +0100 Subject: [PATCH 28/29] fix: update CA certificate paths in monitoring and tempest configurations --- doc/source/configuration/monitoring.rst | 8 +++++++- .../environments/ci-multinode/stackhpc-monitoring.yml | 2 +- etc/kayobe/environments/ci-multinode/tempest.yml | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/source/configuration/monitoring.rst b/doc/source/configuration/monitoring.rst index 7414a5398..931324e31 100644 --- a/doc/source/configuration/monitoring.rst +++ b/doc/source/configuration/monitoring.rst 
@@ -169,12 +169,18 @@ for the exporter. If you are deploying in a cloud with internal TLS, you may be required to provide a CA certificate for the OpenStack Capacity exporter if your certificate is not signed by a trusted CA. For example, to use a CA certificate -named ``vault.crt`` that is also added to the Kolla containers: +named ``vault.crt`` or ``openbao.crt`` that is also added to the Kolla containers: .. code-block:: yaml stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" +or + +.. code-block:: yaml + + stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt" + Alternatively, to disable certificate verification for the OpenStack Capacity exporter: diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml index 93ce650b4..1d9514553 100644 --- a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml +++ b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml @@ -1,3 +1,3 @@ --- # Path to a CA certificate file to trust in the OpenStack Capacity exporter. -stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" +stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt" diff --git a/etc/kayobe/environments/ci-multinode/tempest.yml b/etc/kayobe/environments/ci-multinode/tempest.yml index 0657946bb..ae2d8f132 100644 --- a/etc/kayobe/environments/ci-multinode/tempest.yml +++ b/etc/kayobe/environments/ci-multinode/tempest.yml @@ -3,4 +3,4 @@ rally_no_sensitive_log: false # Add the Vault CA certificate to the rally container when running tempest. -tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" +tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt" From 7cc19433e85ee3345d236c566818aa645903c5f4 Mon Sep 17 00:00:00 2001 
From: Jack Hodgkiss Date: Mon, 9 Jun 2025 16:20:34 +0100 Subject: [PATCH 29/29] feat: upgrade `stackhpc.hashicorp` => `2.7.1` --- etc/kayobe/ansible/requirements.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 8c3adb542..7c83c00ec 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -9,9 +9,7 @@ collections: - name: stackhpc.pulp version: 0.5.5 - name: stackhpc.hashicorp - source: https://github.com/stackhpc/ansible-collection-hashicorp - type: git - version: openbao-localhost-fix + version: 2.7.1 - name: stackhpc.kayobe_workflows version: 1.1.0 roles: