Currently master_lb_enabled can be enabled at cluster creation but validation
is only done for cluster_template.
We need to validate in cluster.
Fix testing
task: 41535
story: 2007634
story: 2008487
Change-Id: Icf32de2b803aa160dc3b7993e128deff11d02fcb
1. Update default containerd version to 1.4.3
2. Fix the redirect issue of containerd tarball download
story: 2008451
Change-Id: I05cbd1ec62e9a68c68a1666ff62f20138bf8c731
The default admission controller list of k8s is being updated in
this patch by removing the SecurityContextDeny controller, which
will fix the k8s dashboard and metrics/prometheus creating issue.
Story: 2008426
Change-Id: I2cd53bc9c59a60b90f708b1434381f120ace8c49
This patch aims to fix clusters that uses only private network
and monitoring_enabled.
It was observed that:
- no floating ip, so the kube_master_external_ip is null
- because of that, the value that gets sent to the shell
for KUBE_MASTERS_PRIVATE is actually [null]
- this happens when deploying prometheus-operator
( label monitoring_enable=true )
Those topics above results in a cluster taking around 30
minutes to be completed until monitoring gives up configuring
endpoints.
Change-Id: I0fb4b2604f38bd3a325f82b1364b78ff17792c65
A regression issue introduced by [1], which is causing Cinder CSI pods
failed to start. This patch will fixed it.
[1] https://review.opendev.org/#/c/749101/
Change-Id: If9dd67672becb6def9f97afa7e60b2660cf5b27e
Task: 41097
Story: 2008250
During the reshuffling of bash fragments,
we missed sourcing bashrc which contains the
location of kubeconfig.
Fix addition of /srv/magnum/bin to PATH.
story: 2007591
task: 39938
Change-Id: I238f7e2a1cbcb696a51880fb6ea75ea0a7ce6288
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Seen while validating release, in the heat container agent journal:
```
/var/lib/heat-config/heat-config-script/0c399610-30a6-4728-80f2-702b0630400f:
line 776: --cluster-cidr: command not found
error: expected 'logs [-f] [-p] (POD | TYPE/NAME) [-c CONTAINER]'.
```
Task: 41231
Story: 2008330
Change-Id: I3fdd186b73950b4b3e5790752eaafc47ff7da8f3
This reverts commit 290d60a0aa.
We cannot do the copy in the Ignition stage, it's too early, unfortunately. We may have to fall back to the original way to put the copy in a script.
Change-Id: I5b6d1d3d7acfb640a20ecc7f8e1e954a7d3628e4
A regression issue introduced by [1], which is causing Cinder CSI pods
failed to start. This patch will fixed it.
[1] https://review.opendev.org/#/c/749101/
Task: 41097
Story: 2008250
Change-Id: I0e20bc3eb306af86d22f0ea9f770186bb88eaca5
The pattern of adding a column and then reading a table with it
no longer works in SQLAlchemy 1.3.20. This has been reported
upstream [1].
[1] https://github.com/sqlalchemy/sqlalchemy/issues/5669
Change-Id: I5fd1deeef9cf70794bc61c101e1d7d4379d4b96b
There are two issues with current k8s admission controller list:
1. The default existing list is not consistent when user passes
in extra controller or not
2. The existing list is out of date.
The new list are based on below consideration:
1. Get the default list based on k8s v1.16.x[1] because it's the
supported oldest version.
2. Keep it consistent when user passes in extra controllers or not
3. Keep all the admission controllers we has used in the code
[1] https://v1-16.docs.kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#which-plugins-are-enabled-by-default
Task: 40767
Story: 2008076
Change-Id: Ie5b89b97710d2e2d41c9ce4f3ec30046390acbeb
Magnum cluster deletion is not behaving as expected. While it appears to
delete successfully, _delete_complete routine in
magnum/drivers/heat/driver.py is never called because the status of
nodegroups have not had the chance to sync with Heat before
_check_delete_complete is called. As a result, for example, trustee user
accounts are left orphaned. This PS changes or order of activities so
that _delete_complete is invoked successfully.
Story: 2007965
Task: 40459
Change-Id: Ibadd5b57fe175bb0b100266e2dbcc2e1ea4efcf9
Add file to the reno documentation build to show release notes for
stable/victoria.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/victoria.
Change-Id: I31bf3288bcca9ca840d3809d6a45165f592f6bae
Sem-Ver: feature
From k8s v1.19.x, kube-apiserver binary can't accept any parameter,
and actually we're not using the pass-in KUBE_API_PORT. So it's
safe to drop it.
Change-Id: I12a0bb3441d18c3b68a8db4ab3234e04e5218cd2
Now Magnum is not deploying any service or workload on k8s
worker nodes which need to get credentials from local to talk
to Magnum control plane. So the cloud-config file should be
removed from worker nodes to reduce the attach surface from
a security point of view.
Task: 40791
Story: 2008090
Change-Id: I72e418491cbd19291527bbe4b504d599c740fea9
When using delete_on_termination and the booting of the instance fails
on the first attempt, the second attempt will fail with Heat. The
reason is that with delete_on_termination set to True, Nova will delete
the volume when Heat deletes the ERROR'd instance and it will then
result in the follow-up boot to fail with an error along the line of
unable to find volume, which masks the real failure from the user (which
could potentialy be aquota issue).
With this patch, we no longer set this and instead use the default of
false. This will not mean we will leak volumes because when we delete
the stack, Heat will do all the right things and delete them in order,
making sure the volume disappears eventually.
Change-Id: I362cea7bf57825035d13d234d0181a2b1fca5743
The password contains special characters, so we need to
quote the password string on docker login.
Change-Id: Ie826c78309395765911db01e6d412426e46f176e
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Now k8s cluster owner can do CA cert rotate to re-generate CA of
the cluster, service account keys and the certs of all nodes will
be regenerated as well. Cluster user needs to get a new kubeconfig
to access kubernetes API. This function is only supported by
Fedora CoreOS driver.
To test this patch with python-magnumclient, you need this patch
https://review.opendev.org/#/c/724243/, otherwise, you will see
an error about "not enough values to unpack", though the CA cert
rotate request has been processed by Magnum server side correctly.
Task: 39580
Story: 2005201
Change-Id: I4ae12f928e4f49b99732fba097371692cb35d9ee