Cluster update was used for scaling operations only,
but if the heat-templates were changed for any reason
(e.g. upgrade of the magnum server), the stack update command
was destructive.
This patch uses the existing parameter in the stack update call.
story: 1722573
task: 21583
Change-Id: Id84e5d878b21c908021e631514c2c58b3fe8b8b0
To upgrade a cluster we need to be able to set image tags
so this change adds to labels for corresponding containers
Task: 23314
Story: 2003171
Change-Id: I4cd0270a69fb889c59bdb28966821adb11fd0292
Since python3.6, os.path.join can be either bytes or
a str, so mock os.path.join in order for the unit tests to
pass.
Change-Id: I82c793875d888092e5c814727a6c4ad4053e76fb
Signed-off-by: Chuck Short <chucks@redhat.com>
Currently, Magnum is running periodic tasks to collect k8s cluster
metrics to message bus. Unfortunately, it's collecting pods info
only from "default" namespace which makes this function useless.
What's more, even if Magnum can get all pods from all namespaces, it
doesn't make much sense to keep this function in Magnum, because
operators only care about the health of cluster nodes. If they
want to know the status of pods, they can use heapster or other
tools to get that.
Task: 22619
Story: 1775116
Change-Id: I3ca0f2e96fe63870406cc5323f08fa018ac6e8be
A new label `service_cluster_ip_range` is added for k8s so that
the user can set the service portal ip range to avoid conflicts with
pod ip range.
Task: 22568
Story: 2002725
Change-Id: Ie6e95a953059cc4bd5cf15a44f8666b714defb13
Due to a change in Go 1.10.3[1], which k8s v1.11.1 is based on, now
magnum is failing to create a working k8s cluster with version 1.11.1.
This patch is removing the extension usage for server auth
for ca cert and using simple public/private keys for k8s service account
keys.
[1] https://go.googlesource.com/go/+/09fa131c99da0ef9f78c9f4f6cd955237ccc01cd
Task: 23210
Story: 2003103
Change-Id: Ieba8f55d55db2afda6888d4bc6c2caa87370d13d
Add 'cloud_provider_enabled' label for the k8s_fedora_atomic
driver. Defaults to true. For specific kubernetes versions if
'cinder' is selected as a 'volume_driver', it is implied that
the cloud provider will be enabled since they are combined.
The motivation for this change is that in environments with
high load to the OpenStack APIs, users might want to disable
the cloud provider.
story: 1775358
task: 1775358
Change-Id: I2920f699654af1f4ba45644ab60a04a3f70918fe
We use the same technique that is used for kubernetes clusters, with a
custom heat resource that provides either a floating IP, or
OS::Heat::None when disabled. We also add coverage tests for swarm-mode.
Change-Id: I3b5877bcd89fc2436776f49e479ffadf72c00ea3
Story: 1772433
Task: 21662
Task: 22102
Co-authored-by: Mark Goddard <mark@stackhpc.com>
Currently the option of selecting no floating IP will not apply to
a multimaster configuration and loadbalancers will be expected to use
floating IPs. This patch allows the floating IP resources to be
disabled among the load balancers.
Task: 22121
Story: 2002557
Change-Id: I8f96fba8aa41319ac209baedd9d3a927aad0eb91
Multi master deployments for k8s driver use different service account
keys for each api/controller manager server which leads to 401 errors
for service accounts. This patch will create a signed cert and private
key for k8s service account keys explicitly, dedicatedly for the k8s
cluster to avoid the inconsistent keys issue.
Task: 21653
Story: 1766546
Change-Id: I61547405f866d3c5a84da63de66724b55af1066a
This adds an immediate failure response if the etcd discovery service returns
a bad status code. Before, Magnum would continue to run and fail to configure
but with vague information of its failure. This would cause Magnum to generally
wait until the entire timeout before failing.
Change-Id: Iebd51e5dc8a3e3c285cb0c2af35c19f6f37ed0a7
Task: 22193
Story: 2002584
This patch allows specification of Cgroup driver for Kubelet service.
The necessity of this patch was realised after upgrading Docker to the
new community edition (17.3+) which defaults to `cgroupfs` Cgroup
driver but on the other hand, Fedora Atomic (version 27) comes with
1.13. Cgroup drivers for Docker need to be identical for the two
services, Docker and Kubelet, to be able to work together.
Story: 2002533
Task: 22079
Change-Id: Ia4b38a63ede59e18c8edb01e93acbb66f1e0b0e4
Certificate (ca.crt) has to be stripped for some application parsers
as they might require pure base64 representation of
certificate itself, without empty characters
at the beginning nor the end of file
Change-Id: I5f58e19d03abdf040b9a5b5df2f4dd83b4c0e3a9
Closes-Bug: #1775342
Certificate (ca.crt) has to be stripped for some application parsers
as they might require pure base64 representation of
certificate itself, without empty characters
at the beginning nor the end of file
Change-Id: I85457e0e2adcf21003300fafc6e2502f74b1afb5
In the OpenStack deployment with Octavia service enabled, the octavia
service should be used not only for master nodes high availability, but
also for k8s LoadBalancer type service implementation as well.
Change-Id: Ib61f59507510253794a4780a91e49aa6682c8039
Closes-Bug: #1770133
Updated file test_cert_manager.py to add test_get_cluster_magnum_cert
and fix typos in existing test names.
Change-Id: I24ae1f6c781462e85c92134af784278f78d59e7c
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.
Closes-Bug: #1659545
Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
python docker version in u-c is bumped to 3.1.1 in [1].
Till 2.7.0 if MINIMUM_DOCKER_API_VERSION it just reported
warning but since 3.0.0 it reports Error, see [2]. This
patch bumps the expected version to 1.21 which is same
docker version used in magnum and supported by current
python docker.
[1] https://review.openstack.org/#/c/551428/
[2] df8422d079
Change-Id: Id93c5f70504c7d686dbd1b3d9bdfc1ef657d9287
Define a set of new labels to pass additional options to the kubernetes
daemons - kubelet_options, kubeapi_options, kubescheduler_options,
kubecontroller_options, kubeproxy_options.
In all cases the default value is "", meaning no extra options are
passed to the daemons.
Change-Id: Idabe33b1365c7530edc53d1a81dee3c857a4ea47
Closes-Bug: #1701223
Add ingress controller configuration and backend to kubernetes clusters.
A new label 'ingress_controller' defines which backend should serve
ingress, with traefik added as the only option for now.
It is defined as a DaemonSet, with instances on all nodes defined with a
certain role. This role is set as an additional cluster label
'ingress_controller_role', with a default value of 'ingress'.
For now no node is automatically set with this role, with users or operators
having to do this manually after cluster creation.
Change-Id: I5175cf91f37e2988dc3d33042558d994810842f3
Closes-Bug: #1738808
After merging https://review.openstack.org/#/c/531066/
it would be interesting for admin users to be able to
delete clusters and cluster templates as well.
Related-Bug: #1740982
Change-Id: I91f909e8814b86fd5f8b555573238b99b47ffd03
In Fedora Atomic 27 etcd and flanneld are removed from the base image.
Install them as system containers.
* update docker-storage configuration
* add etcd and flannel tags as labels
Change-Id: I2103c7c3d50f4b68ddc11abff72bc9e3f22839f3
Closes-Bug: #1735381
The new config option 'disabled_drivers' is designed to address a
typical use case: As a cloud provider, I'd like to only provide
some particular drivers, e.g. fedora atomic/k8s and don't expose
any other driver support. With this patch, when a user creates a new
template which is in 'disabled_drivers', a BadRequest error will
be returned.
Closes-Bug: #1746961
Change-Id: Ib4c53ffed78a1847b2da9672e6348c88757ad66e
Octavia is already an official LBaaS solution for OpenStack
(https://governance.openstack.org/tc/reference/projects/octavia.html) and
will deprecate the neutron-lbaas extension starting from Queens release.
For deployment support Octavia service for load balancing functionality,
Octavia related resources instead of LBaaS should be used in Heat template.
Tested in my DevStack environment.
Change-Id: Icc45e0a126c648fbcba4ebcd1bb258d60957f2d6
Closes-Bug: #1748577
Add a new label 'cert_manager_api' to kubernetes clusters controlling the
enable/disable of the kubernetes certificate manager api.
The same cluster cert/key pair is used by this api. The heat agent is used
to install the key in the master node(s), as this is required for kubernetes
to later sign new certificate requests.
The master template init order is changed so the heat agent is launched
previous to enabling the services - the controller manager requires the CA key
to be locally available before being launched.
Change-Id: Ibf85147316e3a194d8a3f92cbb4ae9ce8e16c98f
Partial-Bug: #1734318