Kubernetes bay needs to be fully functional before notifying Heat
to bring the stack to CREATE_COMPLETE. This patch added a systemd
unit that keeps pinging the kube-apiserver and notifies Heat once
it goes through.
Change-Id: Ib4fb22f3040d76d488c6cac6873d64b4d973ebb1
Closes-Bug: #1551824
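The readiness gate the commit describes, as an added example (not Magnum's own systemd unit or script): keep probing the kube-apiserver and send Heat a SUCCESS signal only once a probe passes, or a FAILURE signal when the attempts run out so the stack fails fast instead of sitting in CREATE_IN_PROGRESS with a half-working bay. The probe and notifier are injected callables so the logic runs offline; `wait_until_ready`, `signal_when_ready`, `http_probe` and the `/healthz` URL are assumptions of this example.

```python
"""Poll a readiness probe until it succeeds, then signal Heat.

Added example, not Magnum's code. Function names and the /healthz
endpoint are assumptions; the probe and notifier are injected so the
logic can be exercised without a cluster.
"""
import time
import urllib.request
from typing import Callable


def http_probe(url: str, timeout: float = 5.0) -> Callable[[], bool]:
    """Return a probe that succeeds when `url` answers with HTTP 200."""
    def probe() -> bool:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    return probe


def wait_until_ready(probe: Callable[[], bool],
                     attempts: int = 30,
                     delay: float = 1.0,
                     sleep: Callable[[float], None] = time.sleep) -> bool:
    """Return True as soon as probe() succeeds, False after `attempts` failures.

    Exceptions from the probe (connection refused, timeouts) count as a
    failed attempt rather than aborting the loop, because the apiserver is
    expected to be unreachable for a while right after first boot.
    """
    for attempt in range(1, attempts + 1):
        try:
            if probe():
                return True
        except Exception:
            pass
        if attempt < attempts:
            sleep(delay)
    return False


def signal_when_ready(probe: Callable[[], bool],
                      notify: Callable[[str], None],
                      attempts: int = 30,
                      delay: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> str:
    """Notify Heat with SUCCESS only after the probe passed, FAILURE otherwise.

    `notify` stands in for the wait-condition handle callback (wc_notify);
    it is never called before the apiserver has actually answered.
    """
    status = "SUCCESS" if wait_until_ready(probe, attempts, delay, sleep) else "FAILURE"
    notify(status)
    return status


def make_flaky_probe(failures_before_success: int) -> Callable[[], bool]:
    """Constructed probe for offline runs: raises N times, then returns True."""
    state = {"calls": 0}

    def probe() -> bool:
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise ConnectionError("apiserver not up yet")
        return True

    return probe


if __name__ == "__main__":
    sent = []
    # Constructed run: three refused connections, then the apiserver answers.
    print(signal_when_ready(make_flaky_probe(3), sent.append,
                            attempts=10, delay=0, sleep=lambda _s: None), sent)
```

On a real master the probe would be `http_probe("http://127.0.0.1:8080/healthz")` and `notify` would run the Heat wait-condition callback; the flaky probe only exists so the gate can be demonstrated without a cluster.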
Currently, we use the user's auth token, which expires after a while.
We need to use a trust instead.
Remove user_token at the same time.
Change-Id: Id1d34c59eccd70be24c5b9e00cd921b5a9d59860
Partially-Implements: blueprint use-trust-for-tls-cert-generation
Currently, we use the user's auth token, which expires after a while.
We need to use a trust instead.
Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d
Closes-Bug: #1503863
Partially-Implements: blueprint use-trust-for-tls-cert-generation
Now the kubernetes image is 1.0.6 and is written in so many files.
It is difficult to modify the parameter when we need to change
it.
This patch makes the value a single variable.
Change-Id: Ic476ffc90e4379e5a978c96dcc0f745e8d7fddd8
Allow configuring Flannel with 3 different backends
Magnum deploys k8s/swarm over a dedicated neutron private network,
possibly using flannel. Flannel's `host-gw` backend gives the best
performance in this topology (private layer2): no packet processing
overhead, no reduction to MTU, scales to many hosts as well as the
alternatives. The performance difference is significant, see bug for
performance numbers for the 3 backend options.
Note that part of this change involves relaxing the minion IP spoofing
rules to allow traffic from all dynamically-allocated flannel subnets.
This is morally equivalent to what we were doing previously with
encapsulation - only now neutron is able to see the inner IP header
directly.
This patch repurposes the label "flannel_use_vxlan" when the network
driver is flannel.
1. Rename the label flannel_use_vxlan to flannel_backend
2. Redefine the value of this label from "yes/no"
to "udp/vxlan/host-gw"
For example, to create a bay model with flannel as network driver:
--network-driver flannel --labels flannel_backend=host-gw
Other backend options are udp and vxlan.
Co-Authored-By: Ton Ngo <ton@us.ibm.com>
Partial-Bug: #1518605
Closes-Bug: #1516789
Change-Id: I6d2441664ad1baaca14d0e6ff4bcddbe75bee094
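The label handling and the anti-spoofing relaxation from this commit, as an added example (not Magnum's code): the new `flannel_backend` label is validated against udp/vxlan/host-gw, the legacy yes/no `flannel_use_vxlan` label is translated for compatibility, and for host-gw the port exception is derived as the flannel network CIDR only, with a check that nothing wider than that network is allowed. The Neutron `allowed_address_pairs` mechanism is real; that Magnum attaches it to minion ports, and the parameter name `flannel_network_cidr`, are assumptions of this example.

```python
"""Validate the flannel_backend label and scope the host-gw spoofing exception.

Added example, not Magnum's code. Assumes the labels come in as a dict
(as given with --labels) and that the flannel network CIDR is a template
parameter called flannel_network_cidr (hypothetical name).
"""
import ipaddress

FLANNEL_BACKENDS = ("udp", "vxlan", "host-gw")


def flannel_backend_from_labels(labels: dict) -> str:
    """Return the backend named by `flannel_backend`, defaulting to udp.

    The legacy yes/no `flannel_use_vxlan` label is translated so old bay
    models keep working; an unknown backend raises instead of being passed
    through to flannel's JSON config unchecked.
    """
    if "flannel_backend" in labels:
        backend = labels["flannel_backend"]
    elif "flannel_use_vxlan" in labels:
        backend = "vxlan" if labels["flannel_use_vxlan"].lower() == "yes" else "udp"
    else:
        backend = "udp"
    if backend not in FLANNEL_BACKENDS:
        raise ValueError("flannel_backend must be one of %s, got %r"
                         % (", ".join(FLANNEL_BACKENDS), backend))
    return backend


def allowed_address_pairs(backend: str, flannel_network_cidr: str) -> list:
    """Neutron allowed_address_pairs a minion port needs for this backend.

    udp/vxlan encapsulate pod traffic, so Neutron only ever sees the node's
    own IP and no exception is needed. host-gw forwards pod packets
    unencapsulated, so the port must be allowed to emit the whole flannel
    network (every dynamically-allocated subnet), and nothing wider.
    """
    if backend != "host-gw":
        return []
    net = ipaddress.ip_network(flannel_network_cidr, strict=True)
    return [{"ip_address": str(net)}]


def spoofing_exception_is_scoped(pairs: list, flannel_network_cidr: str) -> bool:
    """True if every allowed address pair lies inside the flannel network.

    Guards against the shortcut of allowing 0.0.0.0/0, which would switch
    anti-spoofing off for the port entirely rather than relax it.
    """
    net = ipaddress.ip_network(flannel_network_cidr)
    return all(ipaddress.ip_network(p["ip_address"]).subnet_of(net) for p in pairs)


if __name__ == "__main__":
    # Constructed inputs: a bay model created with --labels flannel_backend=host-gw
    labels = {"flannel_backend": "host-gw"}
    backend = flannel_backend_from_labels(labels)
    pairs = allowed_address_pairs(backend, "10.100.0.0/16")
    print(backend, pairs, spoofing_exception_is_scoped(pairs, "10.100.0.0/16"))
```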
Make scripts adaptable to different network interface.
Some scripts currently query eth0 directly to get the IP of
the node. This causes the script to fail if the node uses
a different network interface. The change passes in the
IP from Heat so that it is not susceptible to the particular
network interface being used.
This change is necessary to use the stock image from Atomic,
since eth0 is not used in this image.
This patch is broken out from the patch:
https://review.openstack.org/#/c/276232/
so that it can proceed independently.
Co-Authored-By: Corey O'Brien <coreypobrien@gmail.com>
Partially-Implements: blueprint atomic23
Change-Id: If8f972d8dabc8304484dfaff8d4e7f1f8755507b
This patch follows the CoreOS guidance for kubernetes:
https://coreos.com/kubernetes/docs/latest/getting-started.html
CoreOS doesn't support multi-part mime user-data, so we cannot pack
multiple scripts into one (which we did in Atomic). The major work of
this patch is to wrap each cloud-init script with a systemd unit,
which will be executed one-by-one at the first boot.
Note that this patch only enables basic CoreOS support. Advanced
features (i.e. TLS, Cinder volume, HA, external load balancing) are
not included. These features need to be ported from Atomic as
future work.
Partially-Implements: blueprint coreos-k8s-bay
Change-Id: Ib6fe76718ac9b198e0aae57618d3edd98792f15d
All services (except kubelet) in Kubernetes can be run in containers
(http://kubernetes.io/v1.0/docs/user-guide/ui.html)
Partially-Implements: blueprint run-kube-as-container
Change-Id: Idb499e6d5b9c2805b192bc23425238cf8a55e86e
Rename heat-kubernetes to kubernetes, heat-mesos to mesos,
docker-swarm to swarm in templates. We use heat templates and
no other methods, so I think it is unnecessary to add heat before
coe. kubernetes, mesos, swarm are better than
heat-kubernetes, heat-mesos, docker-swarm.
Change-Id: I257b35c1c4ef55d3172095736f550f2c55c8d81f
Closes-Bug: #1514682
This patch adds proxy settings in the following places:
1. etcd needs ETCD_DISCOVERY_PROXY when trying to do discovery
   /etc/etcd/etcd.conf
2. the docker daemon needs a proxy set to allow downloading images
   /etc/systemd/system/docker.service.d/proxy.conf
3. at the OS level, we need to set http_proxy, https_proxy and no_proxy too
   /etc/bashrc
Implements: blueprint discovery-proxy
Co-authored-by: Manjeet Singh Bhatia <manjeet.s.bhatia@intel.com>
Change-Id: I19c92dc9b4fe195037b5ad4ca49b529cf6be4cfb
Currently a security group is created for each kube master and kube
minion. It's very redundant.
This patch moves the security group setting to kubecluster.yaml so it can be shared.
Change-Id: Idb6cdb5c5c6015b29331238f7fbbcd92e1a70d83
Closes-Bug: #1499184
This patch modifies the template to generate certificates and configure TLS
settings for kube-apiserver/kubelet/kube-proxy.
Co-Authored-By: Andrew Melton <andrew.melton@rackspace.com>
Partially-Implements: bp secure-kubernetes
Change-Id: I76b0f91f0c44f9880980e35c6b8856ea48ed3ce1
Kubernetes service provides the LoadBalancer feature
This is supported through an OpenStack plugin in Kubernetes code.
Enabling this feature requires configuring the cluster properly for
Kubernetes to interface with Neutron. Kubernetes backend will then
create the Neutron load balancer pool, members, VIP and monitor,
and manage the pool members as pods are added/removed from the
service.
This patch updates the Fedora Atomic heat templates and scripts for
the following changes:
1. Update command line parameters for Kubernetes services.
2. Pass along OpenStack info and generate the configuration file
for Kubernetes to talk to OpenStack.
3. Adjust the name for minion and private network to match what
Kubernetes expects.
4. Let kubelet register the minion automatically instead of
registering manually.
With this patch, a Kubernetes service containing the attribute
"type: LoadBalancer" will have a load balancer created in Neutron.
The new image fedora-21-atomic-6.qcow2 needs to be used since it
contains required fixes for the kube-controller-manager.
The load balancer support will be disabled by default, the user
needs to log into the master node to enter the password to
enable the feature. See the guide for details.
The templates for CoreOS and Ironic are in following patches.
Partially-Implements: blueprint external-lb
Change-Id: I2c4b854f94fb2dfc99fc460c897f33bf59d260e3
Refactors Heat templates to support multiple container network
implementations through the network_driver parameter. Keeps
Flannel and its associated parameters as-is for backwards
compatibility.
Partially-Implements: blueprint heat-network-refactor
Change-Id: If00adf5db9187b4ade33785bc19becedb4e688a0
With this patch, the k8s template supports more than one master node.
The number of master nodes can be specified through a Heat parameter.
For fault tolerance, the cluster tolerates failure of no more than
half of its size. For example, a cluster with 3 master nodes tolerates
failure of 1 master node. Below is the table:
SIZE  TOLERANCE
  1   0
  3   1
  4   1
  5   2
  6   2
  7   3
  8   3
  9   4
Change-Id: Ic28c13bdcadb39949f9c50be45e09f7627c5d627
Partially-Implements: blueprint make-master-ha
* Configure etcd to use a discovery_url to bootstrap the cluster.
* Users can provide discovery_url for individual bay.
* If discovery_url is not provided, it will be generated at runtime
by using a discovery service.
* Admin can set the endpoint of the discovery service in config file.
Default is the public etcd discovery service.
Change-Id: I9dd3a47f6d50ebadf74c4ee65701183f18c9d629
Partially-Implements: blueprint make-master-ha
The parameters below in kubecluster.yaml and kubeminion.yaml should be
strings instead of booleans.
* flannel_use_vxlan
* kube_allow_priv
This patch fixes it.
Change-Id: I91c17505af9083ddf4828b8e51a045c3474ec88c
Closes-bug: #1478890
In a k8s bay, each minion node communicates with the master node to register
itself. To enable HA mode, we need to have multiple master nodes and
registration needs to be done through load balancers to avoid a single
point of failure.
Change-Id: I828e40b56e9b38d61bc381caf080f0bd42c698b3
Partially-Implements: blueprint make-master-ha
Currently, our python k8sclient uses the IP address of the master node
as the API endpoint. As we are going to have multiple master nodes,
we need to use IP address of the load balancer instead.
Change-Id: I4da0a80f489f634afc154e8b3626b8c12cc50e86
Partially-Implements: blueprint make-master-ha
Recent versions of etcd require one to explicitly set
ETCD_ADVERTISE_CLIENT_URLS when using ETCD_LISTEN_CLIENT_URLS.
See: 89bcc18d24
Change-Id: I948a5c842a6350d2b38834a63c2719287c9203ea
Partially-Implements: blueprint make-master-ha
Closes-Bug: #1477289
Add a load balancer for kube-apiserver and another one for etcd server.
We are going to support multiple master nodes and the introduction of
load balancers is the first step.
Change-Id: I1c4b4e3d801d4f955bfd48c26e36c340cff8da19
Partially-Implements: blueprint make-master-ha
Add a parameter 'minions_to_remove' that lists resources to be
removed on stack update. The value will be passed to removal_policy
of the 'kube_minions' resource group.
Change-Id: I65a9473789742fdf8d05deaa229a6b8e4a9884e3
Partially-Implements: blueprint magnum-smart-bay-scale-down
Includes backport "deafault external_network to "public""
heat-coe-templates: I03c74f2fb47a33820e0bac4947aeaaf096feade3
Includes backport "do not provide default image names"
Image naming is not standard enough for us to provide defaults.
heat-coe-templates: I67345c3ec807b15101c7248853469c860e0abe8d
Includes backport "minor README updates"
heat-coe-templates: I01270324a2ee31c8fe4369047806634dbbf1cb01
Change-Id: Idc3e27db85f8d06be82cc1c07c62384a4ee13c84
heat-coe-templates: I9e575028f5b4177c1f5833b1626ca38bf653768a
Includes backport "correct error introduced in baeaafd"
heat-coe-templates: Ibdc184c8956422215677bccd4115d0c9826e98d9
Includes backport "fixed parameter name mismatch"
heat-coe-templates: I7c1a477d68e4304d98f7ae368be6a727d3e46011
Includes backport "remove required/default comments"
With the move to names instead of UUIDs, we can provide sane
defaults for just about everything other than the ssh key.
heat-coe-templates: Id37465925ef42a88c5c7a74e570dbe50164fa5da
Includes backport "restore some comments"
These comments help provide logical structure to the template.
heat-coe-templates: Ib4bc8193ff281d1c6230665f18bf6652925077f5
Includes backport "like a200304, but for kubeminions.yaml"
Add comments to kubeminions.yaml template
heat-coe-templates: Icbe41359b62032e6e422b4d82a1e0ada6c58d0e4
Change-Id: I18be04861691f7f6cda6542bf637cdeab95c8d16
Also update CoreOS template to match external_network param.
heat-coe-templates: If3f629ecd8c3628818039d7d570874bd483a65f6
Change-Id: I5a381d9b83dfd975d8eff980ada2161a38f8157d
With this change, heat-kubernetes permits you to manually add
minions to a cluster via the stack-update command.
Warning:
This backport does not contain the changes that add atomic-upgrade to
the new node.
heat-coe-templates: I12e963333ae49303f89456eccc7d5d6228675cdc
Change-Id: I03c1143a672307554463d72cf78fa06aaf78e61d
According to Heat documentation, the AWS::CloudFormation::WaitCondition
timeout attribute should be a number but magnum templates use strings:
master_wait_condition:
  type: "AWS::CloudFormation::WaitCondition"
  properties:
    Handle:
      get_resource: master_wait_handle
    Timeout: "6000"
This change replaces string timeouts ("6000") by number timeouts (6000).
Change-Id: I2ad6825899dca551a152c101832c2d38c61a113e
Closes-Bug: #1437234
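A template check for the defect this commit fixes, as an added example (not Magnum's or Heat's code): it walks the `resources` section of a Heat template, reports every AWS::CloudFormation::WaitCondition whose Timeout is a string rather than a number, and produces a corrected copy. The template is a constructed dict mirroring the YAML in the commit message (plus a second, already-correct wait condition), so no YAML parser is required; the function names are assumptions.

```python
"""Find and fix string-typed Timeout values on WaitCondition resources.

Added example, not Magnum's or Heat's code. SAMPLE_TEMPLATE is a
constructed dict that mirrors the YAML quoted in the commit message.
"""
import copy

WAIT_CONDITION = "AWS::CloudFormation::WaitCondition"

# Constructed sample: one wait condition with the buggy string timeout
# and one with a proper numeric timeout.
SAMPLE_TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "resources": {
        "master_wait_handle": {
            "type": "AWS::CloudFormation::WaitConditionHandle",
        },
        "master_wait_condition": {
            "type": WAIT_CONDITION,
            "properties": {
                "Handle": {"get_resource": "master_wait_handle"},
                "Timeout": "6000",
            },
        },
        "minion_wait_condition": {
            "type": WAIT_CONDITION,
            "properties": {
                "Handle": {"get_resource": "minion_wait_handle"},
                "Timeout": 6000,
            },
        },
    },
}


def _is_number(value) -> bool:
    """int or float, but not bool (bool is an int subclass in Python)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def find_string_timeouts(template: dict) -> list:
    """Return (resource_name, value) for each WaitCondition whose Timeout
    is present but not a number."""
    findings = []
    for name, res in template.get("resources", {}).items():
        if res.get("type") != WAIT_CONDITION:
            continue
        timeout = res.get("properties", {}).get("Timeout")
        if timeout is not None and not _is_number(timeout):
            findings.append((name, timeout))
    return findings


def fix_string_timeouts(template: dict) -> dict:
    """Return a deep copy with string timeouts converted to int.

    A value that cannot be parsed as an integer (a non-numeric string or an
    intrinsic function such as {"get_param": ...}) raises rather than being
    guessed at, so the template author has to decide what was meant.
    """
    fixed = copy.deepcopy(template)
    for name, value in find_string_timeouts(template):
        try:
            number = int(value)
        except (TypeError, ValueError):
            raise ValueError("%s: Timeout %r is not a number" % (name, value))
        fixed["resources"][name]["properties"]["Timeout"] = number
    return fixed


if __name__ == "__main__":
    print(find_string_timeouts(SAMPLE_TEMPLATE))
    print(find_string_timeouts(fix_string_timeouts(SAMPLE_TEMPLATE)))
```

To run this against a real template, load it with a YAML parser into a dict and pass the result in; the check itself only depends on the resources mapping.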
Pull request 14 changes the start order of Kubernetes. The master
now starts first, and the minion starts after the master completes.
This prevents flanneld in the minions from timing out and failing to
start the kubernetes services on the minions.
See:
https://github.com/larsks/heat-kubernetes/pull/14/
Change-Id: Ia823fd3593dc7c5d9d9c6327e009b833ad586a5c
Closes-bug: #1434468
Below is the list of commits being pulled
* Merge pull request #12 from takac/master
larsks/heat-kubernetes@90120c9c985052c6546b3421384e56b97a0cba4f
* Add master flavor param to kubecluster
larsks/heat-kubernetes@78fba1527babb19ef01d1fc31d0a8fe0eb0b20bf
* Allow specification docker volume size
larsks/heat-kubernetes@7459b176a8c0013360d654d7361c6c8babe2e636
Change-Id: I215234f223dd898e94612d4ff9ca1e1e148dd8c4
Closes-Bug: 1417642
We are now putting all templates under magnum/templates, so the
original template for k8s should also be moved here.
Change-Id: I44924911705578c1f55fa87df83d0a9a800576b5
Closes-Bug: #1425964
These were the commits pulled from larsks' github repo(s):
ef48d0 configure flannel via systemd unit
4e1b7a Merge pull request #11 from hongbin/replacement_policy
02ea53 Set port replacement_policy to AUTO
b06de8 call daemon-reload before starting services
c265dd fix json syntax problem
88a8bd configure cinder volume for docker storage
7ae6e5 default server_image wasn't useful
809d9b updated requirements in README
6595da integrate wait-for-flanneld into docker.service.yaml
cb51ae use flanneld sysconfig for etcd url
6cf8b9 added note re: vxlan backend issues on centos
18d9c6 make portal_net address range a parameter
343bde added license
efb341 add fix for docker/docker#9468
b235dc use less confusing name for flannel json config
08d873 make vxlan support conditional (+ doc updates)
daee9e permit kube api access via services
747d06 add a "minion" default user
b1c36c refactor config using software config support
0d981d use centos atomic host
538f7a remove get-image.sh
Change-Id: Ibd22a2805328ef76ad3996113b10e82cc1a16a9b
Closes-Bug: 1417642
In the 20150106 IRC meeting, we decided to add two templates to magnum
for creating bays: one for virt and the other for ironic.
larsks/heat-kubernetes is for virt and we can merge it first.
Change-Id: I9db19c006db9c9b725a562f532448d447761542f