For backwards compatibility support calico
v3.3.6 as well. The control flow is managed
in the heat templates.
Story: 2007256
task: 39280
Change-Id: Id61dbdaf09cde35fdd532e3fff216934c1ef4dff
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
The tags on quay.io/coreos/etcd follow the same format as
https://github.com/etcd-io/etcd/releases compared to k8s.gcr.io which
modifies the canonical version tag by dropping the "v" prefix.
Story: 2007475
Task: 39184
Change-Id: If44eb55a68c13f8e1706242c099578ed1f264d62
Improve the taint of master node kubelet to get the conformance
test passed and update the OCCM and Helm/Tiller tolerations accordingly.
Task: 39223
Story: 2007256
Change-Id: Ief452e05ddf13a1d1ee77641311c3ae7abbe90f2
The default version of coreDNS now is upgraded to 1.6.6 and
the coreDNS pod can be scheduled to master nodes.
Task: 39209
Story: 2007256
Change-Id: Icc4aa1f61f3b3937e5d9cc35dbe01c63c18ba3cd
Kubelet fails to handle SELinux labelling of Cinder PV without
presenting the rootfs to Kubelet and as a result, an unprivileged
container lacks the ability to access the path.
With this patch, Kubelet handles the correct labelling automatically
when a Cinder PV is attached to a pod.
The default behaviour using system containers in Fedora Atomic is to
mount rootfs [1] but we did not implement the same behaviour in Fedora
CoreOS which was a mistake as this was a missing piece of code.
[1] https://github.com/openstack/magnum/blob/master/dockerfiles/kubernetes-kubelet/config.json.template#L335
Story: 2007413
Task: 39129
Change-Id: Id59c604928244bf49773b7519fa756d5b2814b69
Set the max-size for container/pod logs to 10m
and max of 5 rotated files. The values relay
the default of kubernetes when it is using
a remote container runtime [0] (container-log-max-files
and container-log-max-size). These defaults cover the
case of containerd.
[0] https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
story: 2007402
task: 39031
Change-Id: Ie3106b40b4d1c6866761c507122047e88e513651
Signed-off-by: Spyros Trigazis <strigazi@gmail.com>
The upstream docs [0] were missing a parameter
for the calico-node ClusterRole.
Without it we get:
2020-02-21 11:41:35.762 [ERROR][8]
...
User "system:serviceaccount:kube-system:calico-node"
cannot patch resource "nodes/status" in API group ""
at the cluster scope
[0] https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
Needs to be backported to train.
story: 2005318
task: 39041
Change-Id: Ib7d3068ee53c08fea32a69c997b6de6477a17f0a
Signed-off-by: Spyros Trigazis <strigazi@gmail.com>
By default podman containers can write unlimited bytes
of log and eventually fill up the disk nodes.
Set the max size per container to 50MB.
story: 2007402
task: 39003
Change-Id: I405e331eb1f9f987d3fbc301a09ab25bcb96926d
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
A new config option `post_install_manifest_url` is added to support
installing a cloud provider/vendor specific manifest after booting
the k8s cluster. It's a URL pointing to the manifest file. For
example, a cloud admin can set their specific storageclass in
this file, then it will be automatically set up after creating
the cluster.
Task: 35798
Story: 2006209
Change-Id: Ib5a2c5cd7970085db941f189613e175f622aea3f
Add an ARCH parameter to handle arch specific things, mostly the
docker image repo names.
Because not all the docker images magnum uses support multi-arch
manifests [1], like kubernetes-dashboard, it will need to specify the
arch name in the docker image repo name.
[1] https://kubernetes.io/docs/concepts/containers/images/#building-multi-architecture-images-with-manifests
Change-Id: Iccb3a030aefd2d4e55a455d1a0401cbc4eb7fd14
Task: 37884
Story: 2007026
A regression was introduced by I970c1b91254d2a375192420a9169f3a629c56ce7
which means that deployments where use_podman is unspecified or false
fail because `podman image inspect` is not scoped by this check.
Story: 2007001
Task: 38844
Change-Id: I6a08312693caf8a52174a1ff199d205d54076ee9
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
Add support for out of tree Cinder CSI. This is installed when the
cinder_csi_enabled=true label is added. This will allow us to eventually
deprecate in-tree Cinder.
story: 2007048
task: 37868
Change-Id: I8305b9f8c9c37518ec39198693adb6f18542bf2e
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
At present, metrics-server pod keeps doing a CrashLoopBack because host
name does not resolve when a cloud does not operate a DNS.
Task: 38642
Story: 2007265
Change-Id: Ia47a9282f56f30569b190ec2585b38c459086b63
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
At present, when heat-container-agent is executing SoftwareDeployment
scripts, the output of this is not visible to the cluster administrator
until the execution is complete. This is an unhelpful behaviour, as it
is far more useful to see what is happening in real time. This change
logs output to files under /var/log/heat-config/heat-config-script/.
Also removes duplication of prefix for heat-container-agent container.
Story: 2007264
Task: 38632
Change-Id: I5504c00efce89105d403722d583bb75f7bdea714
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
In coreos we have selinux in enforcing.
When the systemd unit does not have
user and group, and the service type is
not simple.
story: 2007210
task: 38609
Change-Id: Ia36a51e62b3dab97faf3ce58a218441bd93e77e9
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Adding the volume mount for /etc/machine-id so that the kubelet
bootstrapped by podman can access the correct instance ID. Without
this, autoscaler will fail to delete empty node. This issue is
reported on autoscaler repo[1].
[1] https://github.com/kubernetes/autoscaler/issues/2819
Task: 38743
Story: 2007286
Change-Id: I2852f4b255e782bb65b13571502194ee9f455ae3
To display the node OS-IMAGE in k8s properly
we need to mount /usr/lib/os-release,
/etc/os-release is just a symlink.
story: 2006459
task: 38505
Change-Id: I0c850126c7299cb7a4fe201efee311d76bc14ce6
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
When calling systemctl from the heat-agent we need
to do it over ssh.
story: 2007210
task: 38377
Change-Id: I1f917d276501a174448dbdfe447d69294e7090c4
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
monitoring-influxdb and monitoring-grafana were
missing the selector.
1.16+ needs it.
story: 2006459
task: 38376
Change-Id: Iab5205cc84bad30890db7fad380fb02f6ba23786
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
The prometheus/grafana script needs to download a grafana json
file by curl which doesn't work since the proxy issue. This patch
fixes it.
Task: 38167
Story: 2007005
Change-Id: I51ba108e23524eecc04bbbd47a5b50b8d4a529f9
IPIP Mode to use for the IPv4 POOL created at start up
allowed_values: ["Always", "CrossSubnet", "Never", "Off"]
default: "Off"
Change-Id: Ib834a1f86a6db408047cc8f86fc7744d16d83904
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Given we're using a public container registry as the default registry,
it would be nice to have verification of the image's digest.
Kubernetes already supports that so user can just use format like
@sha256:xxx for those addons' tags. This patch introduces the support
for hyperkube based on podman and fedora coreos driver.
Task: 37776
Story: 2007001
Change-Id: I970c1b91254d2a375192420a9169f3a629c56ce7
Due to the big changes recently to support k8s rolling upgrade, a
regression issue was introduced which broke the proxy function
for image downloading. This patch fixes it for both fedora atomic
driver and fedora coreos driver.
Task: 37784
Story: 2007005
Change-Id: I11113d69629e1a97a58e5270f67c7404292b45c3