When magnum is using x509keypair as backend
the db query fails to apply the tenant filters
due to the missing context.
Pass the context to the cert_manager.
story: 2006897
task: 37533
Change-Id: Ifdedac420fe4384013704865fa05ea6f1c15feb5
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Now Magnum is using podman and systemd to manage the etcd service
and start heat-container-agent. In cases where the nodes pull images
from docker.io or another mirror registry with high latency, the etcd
or heat container agent service takes a long time to start, which is
causing a timeout when bootstrapping k8s cluster for fedora atomic/coreos
drivers. This patch fixes it by adding TimeoutStartSec for the systemd
services.
Task: 37452
Story: 2006459
Change-Id: I89855983f45544f202fc94ede396d1b0c44d286e
Remove hard coded reference to train-dev which ends up pulling multiple
images down and use HEAT_CONTAINER_AGENT_TAG instead.
Also add missing CONTAINER_INFRA_PREFIX.
Story: 2006459
Task: 37566
Change-Id: Ic8d0e3ba125ef6ce7fde68c086ccbdb4730ac4a6
The flag has been removed in Kubernetes version 1.16.x for which users
should use Podman but to continue to use Fedora Atomic without
use_podman=true which means using Docker 1.13.x, ServiceAccount tokens
cannot be propagated without using the --containerized flag when
use_podman=false.
This flag should not have been removed in
I3efd4e55e885b95721f13279b44dc1246e2fd2e4.
Story: 2006846
Task: 37434
Change-Id: I5ccef63de928ff01d10dc4cc500d0e1583eb0378
Now Magnum is using podman and systemd to manage the k8s components.
In cases where the nodes pull images from docker.io or another
mirror registry with high latency, some of the components may take a long
time to start, which is causing a timeout when bootstrapping k8s
cluster for fedora atomic/coreos drivers. This patch fixes it by
adding TimeoutStartSec for the systemd services.
Task: 37251
Story: 2006459
Change-Id: I709bac620e4ceec1858672076eb0aef997704b62
Change the validation of the script execution to run only when
CERT_MANAGER_API == true as per default definition.
dropping: if RUN != "false"
Change-Id: I73aad3a3455fa3ebf9b360c40aa6ac003a44ac8a
In the fedora coreos driver we should take the heat-agent
image from the parameters provided in the templates.
Change-Id: I48081b57192738b00fe14317d2488e658020a0ea
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Docker volume size as well as volume env files should be fetched
based on the nodegroup and not the cluster.
story: 2006701
task: 37008
Change-Id: Ia9e7f4612f36f4e57626b2e931b84898523e9ccb
Choose whether system containers etcd, kubernetes and the heat-agent will be
installed with podman or atomic. This label is relevant for k8s_fedora drivers.
k8s_fedora_atomic_v1 defaults to use_podman=false, meaning atomic will be used
pulling containers from docker.io/openstackmagnum. use_podman=true is accepted
as well, which will pull containers by k8s.gcr.io.
k8s_fedora_coreos_v1 defaults and accepts only use_podman=true.
Fix upgrade for k8s_fedora_coreos_v1 and magnum-cordon systemd unit.
Task: 37242
Story: 2005201
Change-Id: I0d5e4e059cd4f0458746df7c09d2fd47c389c6a0
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
With this change, the nodegroup api controller raises an exception
if the user tries to create a nodegroup in a cluster that does not
have an api_address yet. If the nodegroup is created without the
cluster's API address as an input then the new nodes will not be
able to join the cluster.
Change-Id: If3b168d7f756a055b80d38a4f80cedc97f1b47e8
story: 2006716
task: 37087
When we start or restart the heat-agent, we run
configure_container_agent.sh which writes a few scripts. Make sure that
the scripts do not exist before writing to avoid overwriting any values
created on runtime.
When the heat-agent starts, /etc/os-collect-config.conf includes only
the reference to the os-refresh-config command. After the agent
bootstrap, this file contains the credentials to check for software
deployments in the [heat] section. Before this patch, when the agent
restarted /etc/os-collect-config.conf was cleared resulting the agent to
stop working. I have the survive restarts, skipping only
os-collect-config.conf should be enough, but it is better to not touch
files on just service restart.
Additionally, fix file permissions for /etc/os-collect-config.conf.
Change heat-container-agent tag to ussuri-dev.
Change-Id: I3efd4e55e885b95721f13279b44dc1246e2fd2e4
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Along with the kubernetes version upgrade support we just released, we're
adding the support to upgrade the operating system of the k8s cluster
(including master and worker nodes). It's an inplace upgrade leveraging the
atomic/ostree upgrade capability.
Story: 2002210
Task: 33607
Change-Id: If6b9c054bbf5395c30e2803314e5695a531c22bc
Without this patch, it is impossible to create a cluster without
defining a fixed_network or a fixed_subnet that already exists since we
get a Fixed{Network,Subnet}NotFound error, and Heat is unable to create
these for us.
Story: 2002652
Task: 37201
Change-Id: I0e26682b0b6093b215393eb4ce8e94eae8e5e8f7
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
Adds support for upgrading nodegroups. All non-default nodegroups
are allowed to be upgraded using the CT set in the cluster. The
only label that gets upgraded for now is kube_tag. All other labels
in the new cluster_template are ignored.
Change-Id: Icade1a70f160d5ec1c0e6f06ee642e29fe9b02ff
With this change each node will be labeled with the following:
* --node-labels=magnum.openstack.org/role=${NODEGROUP_ROLE}
* --node-labels=magnum.openstack.org/nodegroup=${NODEGROUP_NAME}
Change-Id: Ic410a059b19a1252cdf6eed786964c5c7b03d01c
Removes the role heat param from all templates. Instead and only for
k8s templates adds the master_role and worker_role params. The new
worker_only condition should be true for all roles except for master.
Finally, adds the missing is_cluster_stack param to all templates.
Change-Id: Ie0799373fe492c2e0a0cad903ed6e8c93e6266b5
Add fedora coreos driver. To deploy clusters with fedora coreos, operators
or users need to add os_distro=fedora-coreos to the image. The scripts
to deploy kubernetes on top are the same with fedora atomic. Note that
this driver has selinux enabled.
The startup of the heat-container-agent uses a workaround to copy the
SoftwareDeployment credentials to /var/lib/cloud/data/cfn-init-data.
The fedora coreos driver requires heat train to support ignition.
Task: 29968
Story: 2005201
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Change-Id: Iffcaa68d385b1b829b577ebce2df465073dfb5a1
Add Dockerfile and CI config for building cluster autoscaler
container images specifically for magnum.
The autoscaler is built with the build tag "magnum" so that
only the magnum provider is included in the binary. This cuts
the size of the image in half compared to building with all
cloud providers.
The container-build job in .zuul.yaml has to have its timeout
increased, as the build time was already close to the timeout.
Change-Id: Iecbae5866278afe1687a4533b71af60fce537a4a
This change addresses an issue with state aggregation where default
ngs were in a failed state and it was ignored. e.g. default ngs were
in UPDATE_FAILED, a non-default ng in UPDATE_COMPLETE and the cluster
reported UPDATE_COMPLETE.
Change-Id: I317c896f0f161427fada677393df5fd2435e7bbd
story: 2006713
task: 37084
Since OpenStack Cloud Controller Manager only accepts fixed_subnet uuid,
convert fixed_subnet name to uuid when a cluster is created.
Without this patch, there is a chance OCCM fails to start in some cases
when fixed_subnet is rendered as name.
Story: 2002652
Task: 28816
Change-Id: Ie70bc00f5617ef94c39c9faea7d39617ee01b07b
* Changing the reference to 'Atomic' in the k8s_coreos_v1 driver
to 'Container Linux'
* Changing a misspelled 'mater' to 'master'
in swarm_fedora_atomic_v1/templates/swarmmaster.yaml description
* Changing a misspelled 'mater' to 'master' in
swarm_fedora_atomic_v1/templates/swarmmaster.yaml description
Change-Id: I69a31d2b91fed48f07f649fa876e208e268fb339
Using the atomic cli to install kubelet breaks mount
propagation of secrets, configmaps and so on. Using podman
in a systemd unit works.
Additionally, with this change all atomic commands are dropped,
containers are pulled from gcr.io (official kubernetes containers).
Finally, after this patch only by starting the heat-agent with
ignition, we can use fedora coreos as a drop-in replacement.
* Drop del of docker0
This command to remove docker0 is carried from
earlier versions of docker. This is not an issue
anymore.
story: 2006459
task: 36871
Change-Id: I2ed8e02f5295e48d371ac9e1aff2ad5d30d0c2bd
Signed-off-by: Spyros Trigazis <spyridon.trigazi@cern.ch>
* Fedora CoreOS needs the key to be passed as
a string.
* We can adopt in all drivers so that users in
the same project can do cluster resize.
story: 2005201
task: 36934
Change-Id: I9a18ce4dcbd74f0dcd23274baed7c8c3d2029d50
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>