A user may not rely on nova-keypairs to access their cluster
such as a preconfigured SSSD.
story: 2004402
task: 28035
Change-Id: I77fbdc174d3dddfd312fb8dac20516314d4c182e
Without those fixes new cluster fails with message:
ERROR: The Parameter (etcd_volume_size) was not defined in template.
Task: 1722523
Story: 20337
Change-Id: Ie38c9e010b61fafeda51ae8dccba94b6ed743f1d
In the OpenStack deployment with Octavia service enabled, the octavia
service should be used not only for master nodes high availability, but
also for k8s LoadBalancer type service implementation as well.
Change-Id: Ib61f59507510253794a4780a91e49aa6682c8039
Closes-Bug: #1770133
Currently, there is no guarantee to make sure all nodes of one cluster are
created on different compute hosts. So it would be nice if we can create
a server group and set it with anti-affinity policy to get a better HA
for cluster. This patch is proposing to create a server group for master
and minion nodes with soft-anti-affinity policy by default.
Closes-Bug: #1737802
Change-Id: Icc7a73ef55296a58bf00719ca4d1cdcc304fab86
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.
Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.
Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2
Add doc in troubleshooting-guide.
Add release notes.
Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.
Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>
Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
Everything is containerized in rkt. If behind proxy, flannel, etcd
and kubelet will failed to rkt fetch images and cluster creation
will failed.
Closes-Bug: #1689618
Change-Id: Ia12deeb659483980d2a20e4cba5d449167b600d0
The instance type of servers at the moment can become quite long
due to the Heat autogenerated names. This patch cleans up the names
so that they are shorter yet contain all the info needed to be able
to know where they belong to.
Change-Id: I5bcbe73f08844242d049b8408221da40d22cd3dc
host-gw offer better performances out of the box. Allowed address pair
are automatically configured by Magnum.
Change-Id: I5fd18b8d6b76f6a5f73b13bc4cfd19e52c33791c
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in mose deployment.
A new variable in trust section: trustee_keystone_interface which
default to public is introduced.
Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
kubernetes dashboard [1] has lot of features and is actively
managed.
With this patch kubernetes dashboard is added and enabled in
k8s coreos cluster by default.
The kubernetes dashboard is enabled by default. To disable it, set the
label 'kube_dashboard_enabled' to False
Reference:
[1] https://github.com/kubernetes/dashboard
Implements: blueprint add-kube-dashboard
Change-Id: I9b001ec3c232aea2395df7d83c6ac991cbf5dea3
Cluster that uses ETCD like swarm and K8s failed with LB and TLS enable
because ETCD LB protocol is HTTP but SSL termination in on the ETCD
node. ETCD LB protocol should be the same as K8s with TLS enable
Partial-Bug: #1679724
Change-Id: Ie8c8a7e4609c0e2e63095d4c18af84cc653654e1
The cluster-cidr fix asymetric routing in specific
use case. Adding dbus removes iptables error message for kube-proxy and
adding ${HOST_CERT_PATH} is just common practice.
Change-Id: I8912091ebcb5c1ef940f43e5195a849f8fa6370e
Partially-Implements: bp coreos-best-pratice
This adds the default set of admission control to CoreOS driver and
enable service account that are a requirement for most K8s addons
Change-Id: Id4948973627f4517eba13901e822f22e3fb1212f
Partially-Implements: bp coreos-best-pratice
This change introduces default recommended values for Kubelet on CoreOS:
- Usage of CNI (Container Networking Interface) with Flannel
- Update deprecated Kubelet Args (--config)
- Bind mount recommended CoreOS folders in Kubelet
It also introduces a new parameter: CONTAINER_RUNTIME which will allow to
switch between rkt and docker as container runtime. For now only docker
is used.
Partially-Implements: blueprint coreos-best-pratice
Change-Id: I1db1c3c06198b41098472f5c28405c533b91b41e
By default, API service with service account is accessible from inside
the cluster at the address 10.254.0.1. This IP should be added to SANS
when generating the certs.
Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
Parent commit allow custom secure HYPERKUBE_IMAGE_REPO (which can also
be a local registry). Here we implement INSECURE_REGISTRY_URL which
allow settings custom insecure registry for Kubernetes infra components.
It also enable the insecure registry for Docker daemon.
Partially-Implements: blueprint coreos-best-pratice
Partially-Implements: blueprint support-insecure-registry
Change-Id: If00afa2e8a9100546301f9a1f161daed6e3ffc4f
Introduce HYPERKUBE_IMAGE_REPO variable which is set to CoreOS
hyperkube by default. Also remove "_coreos.0" from script as it can be a
different build number. This number should be included in the kubernetes
version parameters and not in scripts.
With this, it is possible to use any combination of hyperkube image with
any tags. by default we use the CoreOS one.
Partially-Implements: blueprint support-insecure-registry
Partially-Implements: blueprint coreos-best-pratice
Change-Id: Ie0fbed4b160fa972cfe130c252e87765690e2f5f
myip is defined almost in every fragment. It is unnecessary. We can use
KUBE_NODE_IP that is defined in HEAT. Also, if for some reason
KUBE_NODE_IP is empty, we use the failsafe like in make-cert fragment
where we curl metadata to make sure KUBE_NODE_IP is not empty.
Implements: blueprint coreos-best-pratice
Change-Id: I8597a5afa9b4bc7a5c740738303102e7b60ec63e
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitely enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
Since commit 220675d42a heat-params are
used by systemd and are unnecessary.
Implements: blueprint coreos-best-pratice
Change-Id: Iaf88219db2d3aaa452ff07a146acb3fbef323eb1
Multiple variables names where used in different fragments. This commit
makes KUBE_CERTS_PATH and HOST_CERTS_PATH hardcoded values in heat-params
fragment and use them inside fragments instead of hardcoded value and
different variables names
Implements: blueprint coreos-best-pratice
Change-Id: I8c7856601096672890ab5a1318db0177d582e53d
Instead of sourcing heat-params in script, we can use it as a systemd
unit EnvironmentFile directive and not inline in sh scripts.
Change-Id: I3ebf23dee6785febdc87bc5ce4212c30ef24806e
If nothing is specified a set of recommended default plugins is used,
which includes the ServiceAccount one.
Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
Otherwise, the magnum certificates API will return a 406 Not
Acceptable error.
Change-Id: I0d59bf71b62bdd4204cd32d26ef3f2fc30f8f180
Closes-Bug: #1659423
Jim Bach