This commit uses the existing policy-in-code module to move all
default policies for quotas into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I2fbd7577545ed08dee10064d321e8c6941324b5d

This commit uses the existing policy-in-code module to move all
default policies for cluster templates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I9a8176ea20e3c925441473d1d84db3a73edca7a5

This commit uses the existing policy-in-code module to move all
default policies for clusters into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.
Change-Id: I36e69fe930505c2777f4376be1f6ddf17016998f
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

This commit uses the existing policy-in-code module to move all
default policies for baymodels into code. This commit also adds
helpful documentation about each API those policies protect, which
will be generated in sample policy files.
Change-Id: Ia4409ff712d0e64985d9565e11671b33c8ac9ddf
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

This commit uses the existing policy-in-code module to move all
default policies for bays into code. This commit also adds helpful
documentation about each API those policies protect, which will be
generated in sample policy files.
Change-Id: I4221ed56146ed952781f5f38bc4344d8a0d07881
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

This change prepares the magnum project to start implementing
policies in code. Subsequent patches will register more magnum
policies in code and remove the corresponding entry from the
policy file maintained in source.
This is part of a community effort to provide better user
experience for those having to maintain RBAC policy. More
information on this effort can be found below:
https://governance.openstack.org/tc/goals/queens/policy-in-code.html
Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Add master_flavor_id as an option during cluster create. If not given,
the default is taken from the cluster template.
Add master_flavor_id in the Cluster object and use that instead
of the one from ClusterTemplate.
Update both magnum and magnum cli documentation to reflect the above changes.
Partial-Bug: #1699247
Change-Id: Id1d973167b381538121583a0a9691304b39e98de

Add a label to prefix all container images used by magnum:
* kubernetes components
* coredns
* node-exporter
* kubernetes-dashboard
Using this label all containers will be pulled from the specified
registry and group in the registry.
TODO:
* grafana
* prometheus
Closes-Bug: #1712810
Change-Id: Iefe02f5ebc97787ee80431e0f16f73ae8444bdc0

The periodic jobs are currently getting registered per each worker
which means that in cases with a large number of workers, the APIs
for services such as Heat and Keystone will be hit very hard.
This patch resolves this issue by registering the jobs only to the
main process, ensuring that they run once per instance (or group
of workers).
Closes-Bug: #1702349
Change-Id: If9e13effc14fd35e646d02bb4f568e79786aa958

When writing the node-exporter manifest, make sure that
the directory exists.
Change-Id: I41be5c09890bd2c9a063d4942f03305ff690ec4b
Closes-Bug: #1716697

Newer versions have moved from iso8601.iso8601.Utc() to
just iso8601.UTC, causing tests to fail under py35.
Change-Id: I59c771b6803866282912c2067ff5ed25bba13626
Closes-bug: #1715486

1. It will fail to create a cluster if there is Chinese in the tenant name
2. TENANT_NAME is unnecessary after changing to trustee
This patch is for k8s_fedora_atomic and k8s_fedora_ironic
Change-Id: Ie072f183110ae95861fb3694a913a3a4526549fb
Close-Bug: #1711308

At the moment, no_proxy variable is evaluated separately for docker
daemon and for swarm-manager container running in docker. Evaluated
value for swarm-manager is not getting into cloud-init script, because
$NODE_PROXY token is getting replaced by Heat str_replace function.
This commit is intended to unify NO_PROXY evaluation and also fix the
issue with swarm-manager.
Related-Bug: #1647815
Related-Bug: #1632698
Related-Bug: #1660562
Change-Id: I336024265008b6cae308bf7b614476b71b81fa01

Separate the tag from which to pull from the kubernetes version.
With the current state the tag and the version happen to be the
same. But, it is not decided yet in the fedoraproject how the
images are going to be tagged. Finally, operators might want to try
their own container images with custom tags.
Depends-On: Icddb8ed1598f2ba1f782622f86fb6083953c3b3f
Implements: blueprint run-kube-as-container
Change-Id: I4c4bc055d7df5e65aede93464bff51e6d5971504

Following up of https://review.openstack.org/#/c/487943
Depends-On: I9a7d00cddb456b885b6de28cfb3d33d2e16cc348
Implements: blueprint run-kube-as-container
Change-Id: Icddb8ed1598f2ba1f782622f86fb6083953c3b3f

Following up of https://review.openstack.org/#/c/487357
Depends-On: I22918c0b06ca34d96ee68ac43fabcd5c0b281950
Implements: blueprint run-kube-as-container
Change-Id: I9a7d00cddb456b885b6de28cfb3d33d2e16cc348

Use system containers based on fedora rawhide from
projectatomic [1]. Until the fedoraproject has updated
the tags properly, we mirror our containers in [2].
System containers are meant to be drop in replacements
of the fedora kubernetes binaries.
Update k8s to 1.7.4 to match the version in the containers.
[1] https://github.com/projectatomic/atomic-system-containers
[2] https://hub.docker.com/r/openstackmagnum/
Implements: blueprint run-kube-as-container
Change-Id: I22918c0b06ca34d96ee68ac43fabcd5c0b281950

Add labels as an option during cluster create. If not given,
the default is taken from the cluster template.
Add labels in the Cluster object and use that instead
of the one from ClusterTemplate.
Update both magnum and magnum cli documentation to reflect the above changes.
Partial-Bug: #1697651
Implements: blueprint flatten-attributes
Change-Id: I8990c78433dcbbca5bc4aa121678b02636346802

For systems such as Fedora Atomic, the CA bundle files which are
contained in /etc/ssl/certs are symbolic links to /etc/pki. When
configuring the controller manager to use an SSL endpoint, it will
raise an error as it is unable to authenticate the SSL endpoint.
This patch removes the host mount at /etc/ssl/certs. The Hyperkube
images already ship a collection of CAs which are likely good for
all needs.
Closes-Bug: #1708452
Change-Id: Ife2b60d1968482a8c3ab9b44abbe401c6230881c

When creating a kubernetes cluster on baremetal & fedora, if the cluster
template does not have a docker_volume_type defined, the following error
is seen:
InvalidParameterValue: ERROR: The Parameter (docker_volume_type) was not
provided.
Cinder isn't mandatory, and neither is the docker_volume_type cluster
template parameter, so it shouldn't need to be set.
This change adds a default value of an empty string for the option
[cinder]default_docker_volume_type, which allows the cluster to be
created.
Change-Id: I4416e2826e4a14a11b93d55d342e4de9b3dc12d7
Closes-Bug: #1702075

* Swarm-mode is the fastest cluster to deploy since it doesn't
require pulling anything from outside.
* Add the output nodes for swarm-mode too.
* Disable copy logs (I think a better practice is to copy logs
on demand).
* Don't run test_create_list_sign_delete_clusters, because it is
very unstable on the CI.
Partially-Implements: blueprint swarm-mode-support
2nd commit message:
Update to Fedora Atomic 26
This patch moves the current master to test against Fedora Atomic 26,
in addition, it switches to downloading from Fedora mirrors.
2nd-Change-Id: I9a97c0eb78b2c9d10e8be1501babb19e73ee70c1
3rd commit message:
Set default iptables FORWARD policy to ACCEPT
With the release of Docker 1.13 which is available in Fedora
Atomic 26, it no longer sets the policy of the FORWARD chain
to ACCEPT[1]. Therefore, CNI networking such as Flannel will
cease to work.
This patch sets the policy to ACCEPT so that traffic can work
once again for deployments which are based on Docker versions
which are newer than 1.13.
[1]: https://github.com/moby/moby/pull/28257
3rd-Change-Id: I1457602748619f38f87542fc01a2996ee80e58b7
Closes-Bug: #1708454
Co-Authored-By: Mohammed Naser <mnaser@vexxhost.com>
Change-Id: I86d4dcc94fff622be4ee2acc8dd60ed81bc5d433

Method set_latent is deprecated in favor of method set_defaults in
e9c3a23e845d8c53b266a3b2e4ca7fb0a5a0425a. We need to remove the usage of
method set_latent. We just use these config options in tests, it works
well for unit tests without them, so it's safe to remove them.
Change-Id: I582c787395d6eef559d7914bea815440cc09c0e2
Closes-Bug: #1707151

We have enabled multiple workers of magnum-conductor, which
results in multiple processes saving the same DB entry concurrently.
This patch logs a warning message instead of raising an exception.
Change-Id: I548d50bed5d80e96042f88039e880075e1bffc53
Close-Bug: #1711324

https://review.openstack.org/#/c/439906/ fixed it only for
tls-based clusters, we need kubectl exec/log to work with
tls-disabled clusters as well.
Change-Id: Iae2d4bc9af7fc55ab0ce2db97c6b7cf61479a2ff
Closes-Bug: #1668337

The instance type of servers at the moment can become quite long
due to the Heat autogenerated names. This patch cleans up the names
so that they are shorter yet contain all the info needed to be able
to know where they belong to.
Change-Id: I5bcbe73f08844242d049b8408221da40d22cd3dc