The default value of cgroup-driver for kubelet is cgroupfs.
But the new version of docker's cgroup value is systemd.
It needs the cgroup-driver parameter for kubelet to
ensure a successful installation.
Change-Id: I03a4289b8bc6d63c33085fa3ddd99341cb2de388
Closes-Bug: #1776591
This patch ensures the kuryr-kubernetes service is started after
creating the l7 router, as this was only ensured for the
containerized deployments
Closes-Bug: #1777469
Change-Id: Ia634db2dd7c58b2010483795684e8f776a4f1ee4
This is the second patch of the Ingress Controller capability.
In order for the K8S Ingress and OpenShift Route resources to work,
the cluster must have an Ingress Controller running.
This patch extends LBaaS driver to support L7 load balancing and
verifies, retrieves and stores the L7 router LB (pre-created by admin or
Devstack) details.
The OCP-route and K8S-endpoint handlers (implemented in next patch) will
query the ingress controller for the L7 router details.
Partially Implements: blueprint openshift-router-support
Change-Id: Id55169f6c9c1c607b2aa54c92711dfbd04a9e39d
This is the first patch of the Ingress Controller capability.
In order for the K8S Ingress and OpenShift Route resources to work,
the cluster must have an Ingress Controller running.
The Kuryr's Ingress Controller implementation will be based on
Octavia L7 load balancing.
This patch adds support for the creation of an external Load Balancer
in Devstack deployment, the follow-up Ingress Controller patches will
configure the L7 rules in that LB to perform the actual L7 routing.
Partially Implements: blueprint openshift-router-support
Change-Id: I9c18bd1d2d0f2127a1a924efe7976a38b6f7cc51
This commit implements initial version of high availability support in
kuryr-controller - Active/Passive mode. In this mode only one instance
of controller is processing the resources while other ones are in
standby mode. If current leader dies, one of standbys is taking the
leader role and starts processing resources.
Please note that as leader election is based on Kubernetes mechanisms,
this is only supported when kuryr-controller is run as Pod on Kubernetes
cluster.
Implements: bp high-availability
Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
It adds an experimental gate to check the namespace subnet driver
functionality
Depends-On: Iafc08ede300aecf1dc52135c6e51b89875e729d6
Change-Id: I79f47a7b915f310b728a50322ee0cbaa0f23c5b1
According to the documentation, we should reserve the latter half of the
service subnet cidr so that we don't let octavia vrrp allocate IPs that
can be used by Kubernetes/OpenShift own service IPAM
Closes-Bug: #1763278
Change-Id: Ib4d176ba92cb42cdd6f8105e15843c7e967175cf
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
neutron CLI is deprecated and will be removed in the future.
Use openstack CLI instead.
Change-Id: I188793a910419f37f58c64d8e179e36327c10e23
Closes-Bug: #1774577
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
When doing a sequence of stack-unstack with DevStack configured to
deploy OpenShift it will leave over the data directory of OpenShift.
When stacking again openshift-node will reuse old configuration even if
$DATA_DIR is removed by the user. This causes it to use old certificates
and be unable to connect to the cluster.
This commit fixes it by cleaning up the directories we use:
* Placing all the configs in the $DATA_DIR. Before this commit
openshift-node data landed in $DEST/openshift.
* Moving OpenShift binaries directory from $DEST/openshift to
$DATA_DIR/openshift/bin.
* Making sure $DATA_DIR/openshift is purged on unstacking.
Change-Id: Ia3bbf868b1a77c9afa22bebd779ec5dc646958ce
Closes-Bug: 1759242
The current LB member creation expects that an OVS bind occurred, but
for the Nested environment the Overcloud does not OVS bind.
This commit fixes the issue by checking whether a configuration option
is enabled to OVS bind and, if so, uses the IP address of the port created;
otherwise it will use HOST_IP.
Change-Id: Id851ea0a0eebe141ba3f97466faa6d98856d5229
Closes-Bug: #1762894
The use case where Kuryr is deployed containerized and the cloud platform
is OpenShift is broken at the moment. This commit adds a gate testing
that use case to the experimental queue.
This patch sits on top of 3 fixes that fix the use case.
Change-Id: I8ef488c1197c69f3a0ed8c2522ef8ff226bf8c8a
Without this patch, SDNs that apply SG to the ovs internal ports
would get blocked by the fact that the traffic from the API LB to the
member is not allowed. This can be easily reproduced by setting the
ml2/ovs firewall driver to openvswitch instead of hybrid.
Change-Id: I0fdb09e705328c4da4fc302dc80f9aa2a2730aad
Closes-bug: #1765082
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
This changes _ACTIVATION_TIMEOUT of LBaaS driver from constant to
configurable value in order to make it flexible to production
environment.
This commit also increases the timeout value in DevStack plugin to make
sure Octavia has time to run Amphorae in the gate.
Co-Authored-By: Michał Dulko <mdulko@redhat.com>
Change-Id: I895d3e5af71ccc7219be422b9ca9e9f8833bad8f
Related-Bug: 1753653
Signed-off-by: Eunsoo Park <esevan.park@gmail.com>
In containerized OpenShift deployments we're not attaching `privileged`
SCC to `kuryr-controller` SA created by DevStack plugin. This causes
kuryr-controller Deployment and kuryr-cni DaemonSet to fail as
`kuryr-controller` SA lacks permissions to run privileged containers.
This commit solves that by using `oadm` to attach the SCC to SA.
Change-Id: I2c827cd986a17e08c94558c852b4a225cfe057a6
Closes-Bug: 1759287
When Octavia stopped needing the neutron-lbaasv2 devstack plugin we tried it
out with success, but we still kept using the plugin so that our devstack
plugin could target releases older than pike.
Unfortunately during this time the proxy became unnecessary and not well
maintained, and due to our gates still using it, when we tried queens
with the supported proxy-less Octavia we realized that it fails.
This patch addresses it by making the existing neutronclient usage point
to the load-balancer endpoint when the proxy is not in place.
Change-Id: Iafd74f23bdf336a4d78ba4759f702cf989c8bc30
Closes-Bug: #1763045
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
This commit changes the way kuryr-cni is executed in containerized
deployments. Now it'll use `docker exec` command to execute kuryr-cni
inside the CNI container. This should make it easier to be consumed by
deployers.
To be able to do such changes I needed to stop mounting host's /etc
directory. I believe this was unnecessary and was blocking curl from
working in isolation from host OS.
Closes-Bug: 1757531
Change-Id: I373d65536a43eab98f0fc708936b97637f82eaff
In the gate K8s API was inaccessible through the LB we create for it.
This means that we could only connect to the API directly through
HOST_IP.
This commit fixes the issue by adding required iptables rule that allows
traffic to the LB and fixes up the member IP added to the LB.
Change-Id: Icd53ec45a479d54015d0506fb5e8bb9896d0a9df
Related-Bug: 555040
Our containerized gates started failing recently. Turns out some default
configuration was changed and `tls-proxy` service was added. This option
makes all OpenStack endpoints use HTTPS. This includes creation of a
DevStack CA certificates bundle that then will be configured to be
verified when connecting to OpenStack APIs. This works well with
non-containerized deployment as the bundle is available locally in
/opt/stack/data and our `[neutron]` section sets `cafile` option to
point there.
Things are different in containerized deployment use case as we need a
way to pass those certificates into the container. Effectively - we had
no CA certificates support for containerized deployments either in
DevStack or production.
This commit adds that support by including new Kuryr Kubernetes resource
definition - `kuryr-certificates` Secret. It is supposed to hold CA
certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet
definition was modified to mount the certificate into /etc/ssl/certs.
Changes also include implementing support for that in DevStack plugin
(placing the certificate in the secret and setting the `[neutron]cafile`
config option to point to that certificate).
Closes-Bug: 1758061
Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8
OpenShift container probes in baremetal deployments are also necessary
as well as enabling routing to the service network for the OpenShift API
to be reachable by host networking pods.
Closes-Bug: 1757993
Change-Id: I73ab7d4ad660cb109ad3469c9a0ea0de35be8179
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
It's tested on baremetal with lbaasv2.
1) neutron-vif is used for KURYR_POD_VIF_DRIVER.
2) port_pool_enabled in tempest.conf is updated to True
Partially-Implements: blueprint enhance-upstream-gates
Depends-On: I0921cf8a416f79745fb96bb67636eac6ed47a537
Change-Id: I1cb916d527db8d49669a807e66769fbb7c55e8e4
This commit implements what was discussed on the PTG, i.e. deprecation
of running Kuryr-Kubernetes without kuryr-daemon services. This commit
includes changes in configuration defaults, sample local.conf files,
documentation, gates and a release note explaining the change.
Change-Id: I152c81797cb83237af4917a4487cb1f1918270aa
Stable Kubernetes 1.9 was released recently, this commit updates
DevStack default value to point to it.
Change-Id: Iaa6f7badefa9d2f52403484daa73436cde9725a0
The CNI daemon should always be run in its own cgroup. That typically
can take two forms:
- Running inside a container
- Running as a systemd service
This patch changes the way the memory usage is tracked so that both
of the cgroup memberships listed above are supported.
Thanks to using cgroups for tracking the memory usage, we will finally
take into account the CNI daemon children memory usage.
Change-Id: I0ef48742653d5c17ea0cc787ae3a997d5d315c5a
Closes-Bug: 1752939
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
This commit does necessary changes in DevStack plugin to support
OpenShift in 3.7.1 version and switches URL to that version.
Change-Id: I18d7c97090570811d509b9574d747ea526695b6c
This patch adds readiness and liveness to CNI. It checks presence
of NET_ADMIN capabilities, IPDB in working order, connection to
Kubernetes API, quantity of CNI add failures, health of CNI
components and existence of memory leaks.
Implements: blueprint cni-daemon-readiness-liveness
Change-Id: I9a4b871d196dbadfed687df93bb3cad97c957bfb
In plugin.sh, wait_for has a default timeout. This change allows the
default to be overridden with an optional argument.
Change-Id: I5ec2a0d346fb8cec5a458bb06f0e0437c9da9789
Avoid long wait for tasks that should end quickly.
The timeout default is 5 minutes (300 seconds), but may be configured in
local.conf by defining KURYR_WAIT_TIMEOUT to any other value (seconds)
Change-Id: I86b2a436085452ef74104750db29c14b9092b7ae
It is common for Neutron deployment's policy to forbid GETs to the
public subnet, only allowing GETs for the public net. Since the only
required field of those two for creating a FIP is the public net, let's
change public net to be the only required config option and have the
subnet stick around as optional.
Change-Id: I31c3c51ad2dc12f8f560cbab01c86d04aabb754e
Closes-Bug: 1749921
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
This commit changes the way we produce kuryr-cni Docker image. Previously we've
distributed the kuryr-driver as pyinstaller binary that contained Python 3
interpreter and all the dependencies. This binary was called from CNI. That
approach had some disadvantages, the major being complicated build procedure
and having to see false-positive BrokenPipeError tracebacks in kubelet
logs.
This commit implements distributing kuryr-driver as a virtualenv with
kuryr-kubernetes and all the dependencies installed. That virtualenv is then
copied onto the host system and CNI can easily activate it and run kuryr-cni
binary. This should solve issues caused by pyinstaller.
Closes-Bug: 1747058
Change-Id: I65b01ba27cbe39b66f0a972d12f3abc166934e62
In case a node is only set to run the kubelet, there's not going to be a
running hyperkube container and the hyperkube extraction will fail. It's
better not to assume and just have a cheap container run made purposely
for extraction.
Change-Id: Iaa543825e89ae4acd2d4527f6eb4324b97874313
Closes-Bug: 1742757
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
Currently the CNI daemon is not coded to wait for the VIF to become active
before returning the IP to the CNI. This commit fixes that by adding waiting
to the ADD part of the code.
Change-Id: I2a4c3f3534c54ee7da886c28f73b3dda236b9c93
Closes-Bug: 1739014
This patch checks the health of k8s, Keystone and Neutron
by using a server that combines all the verifications. It also checks
if ports are loaded into the pools when required.
Partially Implements: blueprint controller-readiness-liveness-probes
Change-Id: I09121a61d23fb64b326dae3947d5d24b1329cde3