Without this, heat container agents using kubectl version
1.18.x (e.g. ussuri-dev) fail because they do not have the correct
KUBECONFIG in the environment.
Task: 39938
Story: 2007591
Change-Id: Ifc212478ae09c658adeb6ba4c8e8afc8943e3977
Now the label `fixed_network_cidr` is not handled correctly: no matter
whether the label is set, the default value '10.0.0.0/24' is used for
the fixed network anyway. This patch fixes it and renames it to
`fixed_subnet_cidr` to reduce confusion. The new behaviour will be:
1. If the label `fixed_subnet_cidr` is set but no fixed subnet passed
in, then a new subnet will be created with the given CIDR.
2. If a fixed subnet is passed in by the user, then the label `fixed_subnet_cidr`
will be overridden with the CIDR from the given subnet.
Task: 39847
Story: 2007712
Change-Id: Id05e36696bf85297a556fcd959ed897fe47b7354
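The two rules above, written out as an added example (not Magnum's own code): the Neutron lookup is replaced by a constructed in-memory table, and the label dictionary, subnet id and function names are assumptions made for this illustration.

```python
import ipaddress

DEFAULT_FIXED_SUBNET_CIDR = "10.0.0.0/24"  # default named in the commit message

# Constructed stand-in for a Neutron subnet lookup (hypothetical ids/CIDRs).
FAKE_SUBNETS = {
    "subnet-existing": "192.168.50.0/24",
}


def lookup_subnet_cidr(subnet_id):
    """Hypothetical replacement for asking Neutron for a subnet's CIDR."""
    try:
        return FAKE_SUBNETS[subnet_id]
    except KeyError:
        raise ValueError("unknown fixed subnet: %s" % subnet_id)


def resolve_fixed_subnet_cidr(labels, fixed_subnet=None):
    """Return (cidr, create_new_subnet) following the two rules above.

    Rule 2: a subnet passed in wins, and the label is overridden with its CIDR.
    Rule 1: otherwise the label's CIDR (or the default) is used for a new subnet.
    """
    if fixed_subnet:
        cidr = lookup_subnet_cidr(fixed_subnet)
        labels["fixed_subnet_cidr"] = cidr  # rule 2: override the label
        return cidr, False

    cidr = labels.get("fixed_subnet_cidr") or DEFAULT_FIXED_SUBNET_CIDR
    # strict=True rejects host bits in the prefix, so a typo in the label
    # fails here instead of producing an unexpected subnet.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("fixed_subnet_cidr must be an IPv4 CIDR, got %s" % cidr)
    return str(net), True  # rule 1: create a subnet with this CIDR
```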
Eventlet used by many openstack packages depends on greenlet which does
not have a pip release supported by Python 3.9 (default Python version
on Fedora 33). Therefore, pin Fedora to version 32 until a new greenlet
release is cut which includes the required fix [0].
Also update default heat_container_agent_tag to victoria-dev.
[0] https://github.com/python-greenlet/greenlet/pull/161
Change-Id: Ice75ae880925cd15c096eb6d1cdabf7f802bccde
Story: 2007264
Task: 39941
- Refactor helm installer to use a single meta chart install job
and config which use the Helm v3 client.
- Use upstream helm client binary instead of using helm-client container
maintained by us. To verify checksum, helm_client_sha256 label is
introduced for helm_client_tag (or alternatively for URL specified
using new helm_client_url label).
- Default helm_client_tag=v3.2.1.
- Default tiller_tag=v2.16.7, tiller_enabled=false.
Story: 2007514
Task: 39295
Change-Id: I9b9633c81afb08b91576a9a4d3c5a0c445e0cee4
- Deprecate in-tree Cinder volume driver for removal in X cycle in
favour of out-of-tree Cinder CSI plugin for Kubernetes.
- Set cinder_csi_enabled to True by default from V cycle.
- Add unit test for in-tree Cinder deprecation.
- Add missing unit tests for the recent docker_storage_driver deprecation.
Change-Id: I6f033049b5ff18c19866637efc8cf964272097f5
Story: 2007048
Task: 37873
A new label named `master_lb_allowed_cidrs` is added to control
the IP range which can access the k8s api and etcd load balancers.
It's a good security enhancement.
Task: 39188
Story: 2007414
Change-Id: I157a3b01d169e550e79b94316803fde8ddf77b03
* remove user since it is controlled in the chart
and changed from 33 to 101
* use the latest chart v1.36.3 from stable
* use latest 0.32.0 controller image
story: 2006945
task: 39747
Change-Id: I6df49929cb8890f534afde185d56b7b6d70c691e
Signed-off-by: Spyros Trigazis <strigazi@gmail.com>
In commit I1a75f1bf12747508a3497293650d3cc668202de6 the worker node
was missed when adding docker storage support. And the current systemd
unit is not really working. So this patch fixes it by removing the
hardcoded /dev/vdb and using xfs instead of ext4 (the same way as
for Fedora Atomic) to make it simpler and more solid.
Task: 39331
Story: 2005201
Change-Id: I4c465664eb19f1992df95750dd7b2d99688c6cae
Heapster has been deprecated for a while and the new k8s dashboard
2.0.0 version supports metrics-server now. So it's time to upgrade
the default k8s dashboard to v2.0.0.
Task: 39101
Story: 2007256
Change-Id: I02f8cb77b472142f42ecc59a339555e60f5f38d0
In Icc4aa1f61f3b3937e5d9cc35dbe01c63c18ba3cd, we only opened tcp port 53
but services running on workers are unable to talk to CoreDNS service
running on master nodes when using Calico v3.13.1 without also opening
udp port 53. This patch addresses this issue.
Task: 39347
Story: 2007256
Change-Id: Ied4196e6f1ddcb131492b48fb57ff0ba9063bbf4
For backwards compatibility support calico
v3.3.6 as well. The control flow is managed
in the heat templates.
Story: 2007256
task: 39280
Change-Id: Id61dbdaf09cde35fdd532e3fff216934c1ef4dff
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
The tags on quay.io/coreos/etcd follow the same format as
https://github.com/etcd-io/etcd/releases compared to k8s.gcr.io which
modifies the canonical version tag by dropping the "v" prefix.
Story: 2007475
Task: 39184
Change-Id: If44eb55a68c13f8e1706242c099578ed1f264d62
The default version of coreDNS now is upgraded to 1.6.6 and
the coreDNS pod can be scheduled to master nodes.
Task: 39209
Story: 2007256
Change-Id: Icc4aa1f61f3b3937e5d9cc35dbe01c63c18ba3cd
At present, when a fixed_network is not specified, it is given the name
"private" by default. When multiple clusters are created, we end up in a
situation with multiple networks all with the same name.
This PS intends to make it easier to see where the resources belong
by using the cluster name.
Story: 2007460
Task: 39139
Change-Id: I7f8028b716f9a9eced17d85ca2e46e2b1e34875f
The current default Calico IPv4 CIDR 192.168.0.0/16 is too common and
it has brought us some IP conflict troubles in production. This patch
proposes to replace it with a rare CIDR range.
Task: 39052
Story: 2007426
Change-Id: I13aa0c58bf168bc069edf1d5c0187f89011fffdb
A new config option `post_install_manifest_url` is added to support
installing a cloud provider/vendor specific manifest after the k8s
cluster has booted. It's a URL pointing to the manifest file. For
example, a cloud admin can set their specific storageclass in
this file, and it will be automatically set up after the cluster
is created.
Task: 35798
Story: 2006209
Change-Id: Ib5a2c5cd7970085db941f189613e175f622aea3f
Add support for out of tree Cinder CSI. This is installed when the
cinder_csi_enabled=true label is added. This will allow us to eventually
deprecate in-tree Cinder.
story: 2007048
task: 37868
Change-Id: I8305b9f8c9c37518ec39198693adb6f18542bf2e
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
IPIP Mode to use for the IPv4 POOL created at start up
allowed_values: ["Always", "CrossSubnet", "Never", "Off"]
default: "Off"
Change-Id: Ib834a1f86a6db408047cc8f86fc7744d16d83904
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Given we're using a public container registry as the default registry,
it would be nice to have verification of the image's digest.
Kubernetes already supports that, so users can just use a format like
@sha256:xxx for those addons' tags. This patch introduces the support
for hyperkube based on podman and the fedora coreos driver.
Task: 37776
Story: 2007001
Change-Id: I970c1b91254d2a375192420a9169f3a629c56ce7
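An added example (not code from Magnum or this patch) of what accepting the `@sha256:xxx` form means for a defender: a reference built from CONTAINER_INFRA_PREFIX, an image name and a tag is either pinned by content (digest) or mutable (plain tag), and a cluster's addon tags can be audited for which ones are not pinned. The prefix, image names, tag values and function names are constructed for this illustration.

```python
import re

# "@sha256:<64 hex>" is the digest form the commit message refers to; a plain tag
# is anything else (validated loosely against the OCI tag grammar).
_DIGEST_RE = re.compile(r"^@sha256:[0-9a-f]{64}$")
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def image_reference(prefix, name, tag):
    """Build a pullable reference from a registry prefix, image name and tag.

    A digest tag yields name@sha256:<digest> (content-addressed, immutable);
    a plain tag yields name:tag (the registry decides what that resolves to).
    Malformed input raises ValueError instead of producing a pull string.
    """
    base = prefix.rstrip("/") + "/" + name if prefix else name
    if tag.startswith("@"):
        if not _DIGEST_RE.match(tag):
            raise ValueError("malformed digest tag: %r" % tag)
        return base + tag
    if not _TAG_RE.match(tag):
        raise ValueError("malformed tag: %r" % tag)
    return base + ":" + tag


def is_digest_pinned(reference):
    """True when the reference is pinned by sha256 digest rather than a tag."""
    return "@sha256:" in reference and _DIGEST_RE.match(
        reference[reference.index("@"):]) is not None


def unpinned_addons(labels):
    """Given Magnum-style '<addon>_tag' labels, list addons not pinned by digest.

    Useful as a pre-flight check before trusting a public registry default.
    """
    return sorted(
        key[:-len("_tag")]
        for key, value in labels.items()
        if key.endswith("_tag") and not _DIGEST_RE.match(value)
    )
```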
Replace heapster for metrics-server as cluster default.
This requires the following labels as default:
tiller_enabled=true
heapster_enabled=false
metrics_server_enabled=true
depends-on: Idc315937a82317b76349bbe8466d900d00194953
depends-on: Icd7f380d87672c00257e34df385d81e1c3e36ddf
Story: 2004816
Task: 28979
Change-Id: I52970244c8977dc5d1a67e7ad7329897b496a0cb
Signed-off-by: Diogo Guerra <dy090.guerra@gmail.com>
Magnum allows using CONTAINER_INFRA_PREFIX to specify a local
repository from which we can pull container images. This repository
defaults to the upstream one that is specified in the metrics helm
chart.
* This patch allows for the usage of CONTAINER_INFRA_PREFIX to
correctly configure the pull of the metric-server container image
from the specified repo.
* Add label metrics_server_chart_tag to allow user to specify
stable/metrics-server chart tag to use
* Add label metrics_server_enabled to allow enable/disable of
component (defaults: true)
Story: 2004816
Task: 37390
Change-Id: Idc315937a82317b76349bbe8466d900d00194953
Signed-off-by: Diogo Guerra <dy090.guerra@gmail.com>
Also bump up cloud_provider_tag to v1.15.0.
This is the common supported version in Fedora Atomic (now EOL) when
`use_podman=true` label is not supplied.
Task: 37817
Story: 2005380
Change-Id: I4afaf159eaf2d2ff75bd3abec4137257e0daa8f2
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
This will install the prometheus-adapter stable
helm chart. Requires monitoring_enabled=true.
The chart version can be configured using
prometheus_adapter_chart_tag and an option is
available to overwrite the default configuration
rules for a user defined ConfigMap referenced
by using prometheus_adapter_configmap label.
story: 2006765
task: 37278
Change-Id: I5b86f4455f88c8dbeac6e56942e1ca55f1d1726c
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Reverts the change in https://review.opendev.org/#/c/643225/22 (line 9).
This allows users to deploy clusters with all released versions of
cloud-provider-openstack. The openstackmagnum repo only has v1.14.0.
Also updates the docs with the default value for the Train/Ussuri release.
Updates the default tag to v1.15.0 for Ussuri.
Story: 2006967
Change-Id: Icf6f9f3c02d6b211c4dc3c1d654c8d8573443e0f
Additionally, bumping up the Chart version to 1.24.7, without which the
ingress controller fails to deploy on 1.16.x.
Additionally, bump up nginx_ingress_controller_tag version to 0.26.1.
This is to ensure that we are running an up to date nginx ingress
controller with fixes for known CVEs.
Story: 2006853
Task: 37444
Change-Id: Ibf045a06d19b02095e19d9a21d14a91a39a3751c
Choose whether system containers etcd, kubernetes and the heat-agent will be
installed with podman or atomic. This label is relevant for k8s_fedora drivers.
k8s_fedora_atomic_v1 defaults to use_podman=false, meaning atomic will be used,
pulling containers from docker.io/openstackmagnum. use_podman=true is accepted
as well, which will pull containers from k8s.gcr.io.
k8s_fedora_coreos_v1 defaults to and accepts only use_podman=true.
Fix upgrade for k8s_fedora_coreos_v1 and magnum-cordon systemd unit.
Task: 37242
Story: 2005201
Change-Id: I0d5e4e059cd4f0458746df7c09d2fd47c389c6a0
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
When we start or restart the heat-agent, we run
configure_container_agent.sh which writes a few scripts. Make sure that
the scripts do not exist before writing to avoid overwriting any values
created at runtime.
When the heat-agent starts, /etc/os-collect-config.conf includes only
the reference to the os-refresh-config command. After the agent
bootstrap, this file contains the credentials to check for software
deployments in the [heat] section. Before this patch, when the agent
restarted, /etc/os-collect-config.conf was cleared, resulting in the agent
stopping work. To survive restarts, skipping only
os-collect-config.conf should be enough, but it is better to not touch
files on just a service restart.
Additionally, fix file permissions for /etc/os-collect-config.conf.
Change heat-container-agent tag to ussuri-dev.
Change-Id: I3efd4e55e885b95721f13279b44dc1246e2fd2e4
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
With this change each node will be labeled with the following:
* --node-labels=magnum.openstack.org/role=${NODEGROUP_ROLE}
* --node-labels=magnum.openstack.org/nodegroup=${NODEGROUP_NAME}
Change-Id: Ic410a059b19a1252cdf6eed786964c5c7b03d01c
Removes the role heat param from all templates. Instead and only for
k8s templates adds the master_role and worker_role params. The new
worker_only condition should be true for all roles except for master.
Finally, adds the missing is_cluster_stack param to all templates.
Change-Id: Ie0799373fe492c2e0a0cad903ed6e8c93e6266b5
Add fedora coreos driver. To deploy clusters with fedora coreos operators
or users need to add os_distro=fedora-coreos to the image. The scripts
to deploy kubernetes on top are the same with fedora atomic. Note that
this driver has selinux enabled.
The startup of the heat-container-agent uses a workaround to copy the
SoftwareDeployment credentials to /var/lib/cloud/data/cfn-init-data.
The fedora coreos driver requires heat train to support ignition.
Task: 29968
Story: 2005201
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Change-Id: Iffcaa68d385b1b829b577ebce2df465073dfb5a1
Using the atomic cli to install kubelet breaks mount
propagation of secrets, configmaps and so on. Using podman
in a systemd unit works.
Additionally, with this change all atomic commands are dropped,
containers are pulled from gcr.io (official kubernetes containers).
Finally, after this patch only by starting the heat-agent with
ignition, we can use fedora coreos as a drop-in replacement.
* Drop del of docker0
This command to remove docker0 is carried from
earlier versions of docker. This is not an issue
anymore.
story: 2006459
task: 36871
Change-Id: I2ed8e02f5295e48d371ac9e1aff2ad5d30d0c2bd
Signed-off-by: Spyros Trigazis <spyridon.trigazi@cern.ch>
* Fedora CoreOS need the key to be passed as
a string.
* We can adopt in all drivers so that users in
the same project can do cluster resize.
story: 2005201
task: 36934
Change-Id: I9a18ce4dcbd74f0dcd23274baed7c8c3d2029d50
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
This adds the support for creating and deleting worker nodegroups
using different stack per nodegroup. In order to be backwards
compatible, default nodegroups will remain in one stack.
Having this in mind cluster status is now calculated aggregating the
statuses of the underlying stacks.
Change-Id: I97839ab8495ed5d860785dff1f6e3cc59b6a9ff7
The derived cloud_provider_enabled is placed inside extra_params so that
openstack-cloud-controller-manager gets applied correctly. This required
change was unfortunately missed in https://review.opendev.org/681922.
Additionally improve the docs related to cloud_provider_enabled label.
Story: 2006531
Task: 36740
Change-Id: I4a89d25b467edd2c4be608c37055706e4e62d78b
Support boot from volume for all Kubernetes nodes (master and worker)
so that users can create a big root volume, which could be more
flexible than using docker_volume_size. And users can specify the
volume type so that they can leverage high performance storage, e.g.
NVMe etc.
And a new label etcd_volume_type is added as well so that users can
set the volume type for the etcd volume.
If the boot_volume_type or etcd_volume_type are not passed by labels,
Magnum will try to read them from config option
default_boot_volume_type and default_etcd_volume_type. A random
volume type from Cinder will be used if those options are not set.
Task: 30374
Story: 2005386
Co-Authored-By: Feilong Wang <flwang@catalyst.net.nz>
Change-Id: I39dd456bfa285bf06dd948d11c86867fc03d5afb
For moving to 1.15.x and beyond we need to have PSP for privileged pods.
flannel, calico and node-problem-detector need it.
PSP
story: 2006515
task: 36513
Allow-priv
story: 2006252
task: 35867
Change-Id: I306a249afb275fdbd71354ed75043ffc4d466304
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>