Merge remote-tracking branch 'upstream/master' into inject-datastore-encryption-key

Author: valentintorikian

.circleci/config.yml

@@ -3,11 +3,11 @@ version: 2.1
 # Add additional CircleCI Orbs dependencies
 orbs:
   # https://circleci.com/orbs/registry/orb/circleci/kubernetes
-  kubernetes: circleci/kubernetes@0.10.1
+  kubernetes: circleci/kubernetes@0.11.0
   # Pins Helm to v2.x
   # TODO: Consider upgrading Helm to v3.0 (https://github.com/StackStorm/stackstorm-ha/issues/98)
   # https://circleci.com/orbs/registry/orb/circleci/helm
-  helm: circleci/[email protected].0
+  helm: circleci/[email protected].3
   # https://circleci.com/orbs/registry/orb/ccpgames/minikube
   minikube: ccpgames/[email protected]
 
@@ -17,7 +17,7 @@ jobs:
     working_directory: ~/stackstorm-ha
     docker:
       # Pin Helm to v2.x, see https://github.com/StackStorm/stackstorm-ha/issues/98
-      - image: lachlanevenson/k8s-helm:v2.16.1
+      - image: lachlanevenson/k8s-helm:v2.16.7
     steps:
       - checkout
       - run:
@@ -78,10 +78,17 @@ jobs:
       - kubernetes/install
       - minikube/minikube-install:
           # https://github.com/kubernetes/minikube/releases
-          version: v1.5.2
+          version: v1.10.1
+      - run:
+          name: Install dependencies
+          command: |
+            sudo apt update || true
+            # K8s 1.18 requires conntrack
+            # See: https://github.com/kubernetes/minikube/issues/7179
+            sudo apt install -y conntrack
       - run:
           name: Create new K8s cluster
-          command: sudo -E minikube start --vm-driver=none --cpus $(nproc) --memory 4096
+          command: sudo -E minikube start --vm-driver=none
           environment:
             CHANGE_MINIKUBE_NONE_USER: true
       - helm/install-helm-on-cluster

CHANGELOG.md

@@ -3,6 +3,25 @@
 ## In Development
 * Allow injection of datastore key in cluster (#115) (by @AngryDeveloper)
 
+## v0.30.0
+* Pin st2 version to `v3.3dev` as a new latest development version (#129)
+* Migrate from `py2` `Ubuntu Xenial` to `py3` `Ubuntu Bionic` as a base StackStorm OS (StackStorm/st2-dockerfiles#16, #129)
+* Switch from MongoDB `3.4` to `4.0` for the mongodb-ha Helm chart (#129)
+* Update `etcd-operator` 3rd party chart from `0.10.0` to latest `0.10.3` (#129)
+* Update `rabbitmq-ha` 3rd party chart from `1.36.4` to `1.44.1` (#129)
+* Update `mongodb-replicaset` 3rd party chart from `3.9.6` to `3.14.0` (#129)
+* Update CI infrastructure env, run tests on updated Helm `v2.16.7`, latest minikube `v1.10.1` and K8s `1.18` (#129)
+
+## v0.28.0
+* Added support for custom image repository (#131) (by @ytjohn)
+
+## v0.27.0
+* Added support to toggle etcd-operator as a coordination backend (#127) (by @rrahman-nv)
+
+## v0.26.0
+* Added custom annotations to sensorcontainer and actionrunner Pods (#123) (by @stefangusa)
+* Improve Helm values recommendations to configure 3rd party chart dependencies `rabbitmq-ha` and `mongodb-ha` in prod (#125) (by @stefangusa)
+
 ## v0.25.0
 * Change ingress name from `<release name>-ingress` to `<release name>-st2web-ingress`, useful when using `stackstorm-ha` as a requirement for another chart. (#112) (by @erenatas)
 * Fix st2web ingress which should have been defined as an Integer instead of a String (#111) (by @erenatas)

Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 # Update StackStorm version here to rely on other Docker images tags
-appVersion: 3.2dev
+appVersion: 3.3dev
 name: stackstorm-ha
-version: 0.25.0
+version: 0.30.0
 description: StackStorm K8s Helm Chart, optimized for running StackStorm in HA environment.
 home: https://stackstorm.com/#product
 icon: https://avatars1.githubusercontent.com/u/4969009

requirements.yaml

@@ -1,10 +1,10 @@
 dependencies:
   - name: rabbitmq-ha
-    version: 1.36.4
+    version: 1.44.1
     repository: https://kubernetes-charts.storage.googleapis.com/
     condition: rabbitmq-ha.enabled
   - name: mongodb-replicaset
-    version: 3.9.6
+    version: 3.14.0
     repository: https://kubernetes-charts.storage.googleapis.com/
     alias: mongodb-ha
     condition: mongodb-ha.enabled
@@ -13,5 +13,7 @@ dependencies:
     repository: https://kubernetes-charts.storage.googleapis.com/
     condition: external-dns.enabled
   - name: etcd-operator
-    version: 0.10.0
+    version: 0.10.3
     repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: etcd-operator.enabled
+

templates/_helpers.tpl

@@ -23,6 +23,8 @@ community
 {{- define "imageRepository" -}}
 {{- if required "Missing context '.Values.enterprise.enabled'!" .Values.enterprise.enabled -}}
 docker.stackstorm.com
+{{- else if .Values.image.repository -}}
+{{ .Values.image.repository }}
 {{- else -}}
 stackstorm
 {{- end -}}

templates/configmaps_st2-conf.yaml

@@ -20,8 +20,10 @@ data:
   st2.docker.conf: |
     [auth]
     api_url = http://{{ .Release.Name }}-st2api{{ template "enterpriseSuffix" . }}:9101/
+    {{- if index .Values "etcd-operator" "enabled" }}
     [coordination]
     url = etcd://{{ index .Values "etcd-operator" "etcdCluster" "name" }}-client:2379
+    {{- end }}
     {{- if index .Values "rabbitmq-ha" "enabled" }}
     [messaging]
     url = amqp://{{ required "rabbitmq-ha.rabbitmqUsername is required!" (index .Values "rabbitmq-ha" "rabbitmqUsername") }}:{{ required "rabbitmq-ha.rabbitmqPassword is required!" (index .Values "rabbitmq-ha" "rabbitmqPassword") }}@{{ .Release.Name }}-rabbitmq-ha-discovery:5672

templates/deployments.yaml

@@ -880,7 +880,9 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") $ | sha256sum }}
         checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") $ | sha256sum }}
         {{- if $.Values.secrets.st2.datastore_crypto_key }}
-        checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+        checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") & | sha256sum }}
+        {{- if .annotations }}
+{{ toYaml .annotations | indent 8 }}
         {{- end }}
     spec:
       imagePullSecrets:
@@ -1042,6 +1044,8 @@ spec:
         checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
         {{- if $.Values.secrets.st2.datastore_crypto_key }}
         checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+        {{- if .Values.st2actionrunner.annotations }}
+{{ toYaml .Values.st2actionrunner.annotations | indent 8 }}
         {{- end }}
     spec:
       {{- if .Values.st2actionrunner.hostAliases }}

tests/st2tests.sh

@@ -7,9 +7,9 @@ load "${BATS_HELPERS_DIR}/bats-file/load.bash"
 @test 'st2 version deployed and python env are as expected' {
   run st2 --version
   assert_success
-  # st2 3.1dev (7079635), on Python 2.7.12
+  # st2 3.3dev (9ea417346), on Python 3.6.9
   assert_line --partial "st2 ${ST2_VERSION}"
-  assert_line --partial 'on Python 2.7.12'
+  assert_line --partial 'on Python 3.6.9'
 }
 
 @test 'ST2_AUTH_URL service endpoint is accessible and working' {

values.yaml

@@ -7,6 +7,12 @@
 image:
   # Image pull policy. Change to "IfNotPresent" when switching to stable images
   pullPolicy: Always
+  # st2 image repository. Set this to override the default ("stackstorm") or enterprise
+  # docker image repository ("docker.stackstorm.com"). Applies to all st2 containers except
+  # st2chatops and st2packs (which have their own override). This also does not impact 
+  # dependencies such as mongo or redis, which have their own helm chart settings.
+  repository: ""
+
 
 ##
 ## StackStorm Enterprise settings (Optional)
@@ -108,6 +114,7 @@ st2:
       - name:
         livenessProbe: {}
         readinessProbe: {}
+        annotations: {}
         # TODO: Find out recommended/default resources for this specific service (#5)
         resources: {}
         # Additional advanced settings to control pod/deployment placement
@@ -344,6 +351,7 @@ st2actionrunner:
   replicas: 5
   # TODO: Find out recommended/default resources for this specific service (#5)
   resources: {}
+  annotations: {}
   # Additional advanced settings to control pod/deployment placement
   nodeSelector: {}
   tolerations: []
@@ -421,15 +429,16 @@ mongodb-ha:
   # Specify your external [database] connection parameters under st2.config
   enabled: true
   image:
-    # StackStorm currently supports maximum MongoDB v3.4
-    tag: 3.4
+    # StackStorm currently supports maximum MongoDB v4.0
+    tag: "4.0"
   auth:
     enabled: true
     # NB! It's highly recommended to change ALL defaults!
     adminUser: "admin"
     adminPassword: "XeL5Rxwj7F0Wt43tFZVTN7H8Sg5XDHmK"
     # Minimal key length is 6 symbols
     key: "82PItDpqroti5RngOA7UqbHH7c6bFUwy"
+  resources: {}
 
 ##
 ## RabbitMQ HA configuration (3rd party chart dependency)
@@ -444,6 +453,12 @@ rabbitmq-ha:
   rabbitmqUsername: admin
   # TODO: Use default random 24 character password, but need to fetch this string for use by downstream services
   rabbitmqPassword: 9jS+w1u07NbHtZke1m+jW4Cj
+  # RabbitMQ Memory high watermark. See: http://www.rabbitmq.com/memory.html
+  # Default values might not be enough for StackStorm deployment to work properly. We recommend to adjust these settings for you needs as well as enable Pod memory limits via "resources".
+  #rabbitmqMemoryHighWatermark: 512MB
+  #rabbitmqMemoryHighWatermarkType: absolute
+  # Up to 255 character string, should be fixed so that re-deploying the chart does not fail (see: https://github.com/helm/charts/issues/12371)
+  #rabbitmqErlangCookie: 8MrqQdCQ6AQ8U3MacSubHE5RqkSfvNaRHzvxuFcG
   persistentVolume:
     enabled: true
   # RabbitMQ application vhost, should match with 'ha' Queue Mirroring definition policy
@@ -452,6 +467,10 @@ rabbitmq-ha:
     # Enable Queue Mirroring between nodes
     # See https://www.rabbitmq.com/ha.html
     policies: '{"vhost":"/","name":"ha","pattern":"", "definition":{"ha-mode":"all","ha-sync-mode":"automatic","ha-sync-batch-size":10}}'
+  # We recommend to set the memory limit for RabbitMQ-HA Pods in production deployments.
+  # Make sure to also change the rabbitmqMemoryHighWatermark following the formula:
+  # rabbitmqMemoryHighWatermark = 0.4 * resources.limits.memory
+  resources: {}
 
 ##
 ## Etcd HA configuration (3rd party chart dependency)
@@ -461,6 +480,9 @@ rabbitmq-ha:
 ##
 etcd-operator:
   # we don't need backup & restore etcd for short-lived coordination operations
+  # Change to `false` to disable in-cluster ectd deployment.
+  # Specify your external [coordination] connection parameters under st2.config
+  enabled: true
   deployments:
     backupOperator: false
     restoreOperator: false