Commit Graph

1663 Commits (c98e9525c7db34734afb29d1b9fb409a08d16ef7)

Author SHA1 Message Date
Spyros Trigazis c98e9525c7 Add heat_container_agent_tag label
Add heat_container_agent_tag label to allow users to select the
heat-agent tag. Stein default: stein-dev

story: 2003992
task: 26936

Change-Id: I6a8d8dbb2ec7bd4b7d01fa7cd790a8966ea88f73
Signed-off-by: Spyros Trigazis <>
5 years ago
Zuul 53a1840d68 Merge "Use existing templates for cluster-update command" 5 years ago
Spyros Trigazis 3f773f1fd0 Use existing templates for cluster-update command
Cluster update was used for scaling operations only,
but if the heat-templates were changed for any reason
(eg upgrade of the magnum server), the stack update command
was destructive.

This patch uses the existing parameter in the stack update call.

story: 1722573
task: 21583

Change-Id: Id84e5d878b21c908021e631514c2c58b3fe8b8b0
5 years ago
Zuul eebffc8ef1 Merge "Fix unit test failure with python3.6" 5 years ago
Zuul dc5ccba016 Merge "Add prometheus & grafana container image tags" 5 years ago
Zuul d9a43d87d0 Merge "Fixing CoreOS driver" 5 years ago
Zuul b881ecd512 Merge "Add health_status and health_status_reason to cluster" 5 years ago
Sergey Filatov 0cf61dfb74 Add prometheus & grafana container image tags
To upgrade cluster we need to be able to set image tags
so this change adds to labels for corresponding containers

Task: 23314
Story: 2003171

Change-Id: I4cd0270a69fb889c59bdb28966821adb11fd0292
5 years ago
Zuul 7b6415a5bc Merge "[k8s] Add new label `service_cluster_ip_range`" 5 years ago
Chuck Short 72f7e5f72e Fix unit test failure with python3.6
Since python3.6 os.path.join can be either bytes or
a str. So mock os.path.join in order for the unit tests to

Change-Id: I82c793875d888092e5c814727a6c4ad4053e76fb
Signed-off-by: Chuck Short <>
5 years ago
Feilong Wang d80febb384 Add health_status and health_status_reason to cluster
Related blueprint cluster-healing

Change-Id: I78d4d14fb064996de77bdd6a381d2df53a9488b8
5 years ago
Rick Cano 419a228503 Fixing CoreOS driver
Decoding ca on nodes

Change-Id: I4a30a348c1c0a62cb1a7b429b05878f321db92ed
5 years ago
Feilong Wang a26c2225b6 Deprecate send_cluster_metrics
Currently, Magnum is running periodic tasks to collect k8s cluster
metrics to message bus. Unfortunately, it's collecting pods info
only from "default" namespace which makes this function useless.
What's more, even Magnum can get all pods from all namespaces, it
doesn't make much sense to keep this function in Magnum. Because
operators only care about the health of cluster nodes. If they
want to know the status of pods, they can use heapster or other
tools to get that.

Task: 22619
Story: 1775116

Change-Id: I3ca0f2e96fe63870406cc5323f08fa018ac6e8be
5 years ago
Feilong Wang 80fcf76d27 [k8s] Add new label `service_cluster_ip_range`
A new label `service_cluster_ip_range` is added for k8s so that
user can set the service portal ip range to avoid conflicts with
pod ip range.

Task: 22568
Story: 2002725

Change-Id: Ie6e95a953059cc4bd5cf15a44f8666b714defb13
5 years ago
Feilong Wang b9918386b0 Using simple public/private key for k8s service account keys
Due to a change in Go 1.10.3[1], which k8s v1.11.1 is based on, now
magnum is failing to create a working k8s cluster with version 1.11.1.
This patch is removing the extension usage for server auth
for ca cert and using simple public/private keys for k8s service account


Task: 23210
Story: 2003103

Change-Id: Ieba8f55d55db2afda6888d4bc6c2caa87370d13d
5 years ago
Spyros Trigazis 974399a912 k8s_fedora: Add cloud_provider_enabled label
Add 'cloud_provider_enabled' label for the k8s_fedora_atomic
driver. Defaults to true. For specific kubernetes versions if
'cinder' is selected as a 'volume_driver', it is implied that
the cloud provider will be enabled since they are combined.

The motivation for this change is that in environments with
high load to the OpenStack APIs, users might want to disable
the cloud provider.

story: 1775358
task: 1775358

Change-Id: I2920f699654af1f4ba45644ab60a04a3f70918fe
5 years ago
Bharat Kunwar b7bfee5d27 Support disabling floating IPs in swarm mode
We use the same technique that is used for kubernetes clusters, with a
custom heat resource that provides either a floating IP, or
OS::Heat::None when disabled. We also add coverage tests for swarm-mode.

Change-Id: I3b5877bcd89fc2436776f49e479ffadf72c00ea3
Story: 1772433
Task: 21662
Task: 22102
Co-authored-by: Mark Goddard <>
5 years ago
Zuul efe1fabd37 Merge "Sync service account keys for multi masters" 5 years ago
Zuul 1eb1f35a75 Merge "Add option to specify Cgroup driver for Kubelet" 5 years ago
Zuul f0dec728e7 Merge "Allow multimaster lb with no floating ip option" 5 years ago
Jim Bach 393e70f0b0 Allow multimaster lb with no floating ip option
Currently the option of selecting no floating IP will not apply to
a multimaster configuration and loadbalancers will be expected to use
floating IPs. This patch allows the floating IP resources to be
disabled among the load balancers.

Task: 22121
Story: 2002557
Change-Id: I8f96fba8aa41319ac209baedd9d3a927aad0eb91
5 years ago
Feilong Wang 043c57da74 Sync service account keys for multi masters
Multi master deployments for k8s driver use different service account
keys for each api/controller manager server which leads to 401 errors
for service accounts. This patch will create a signed cert and private
key for k8s service account keys explicitly, dedicatedly for the k8s
cluster to avoid the inconsistent keys issue.

Task: 21653
Story: 1766546

Change-Id: I61547405f866d3c5a84da63de66724b55af1066a
5 years ago
Jim Bach 003e27fb96 Added error handling for discoveryurl
This adds an immediate failure response if the etcd discovery service returns
a bad status code. Before Magnum would continue to run and fail to configure
but with vague information of its failure. This would cause Magnum to generally
wait until the entire timeout before failing.

Change-Id: Iebd51e5dc8a3e3c285cb0c2af35c19f6f37ed0a7
Task: 22193
Story: 2002584
5 years ago
Bharat Kunwar ec58c23361 Add option to specify Cgroup driver for Kubelet
This patch allows specification of Cgroup driver for Kubelet service.
The necessity of this patch was realised after upgrading Docker to the
new community edition (17.3+) which defaults to `cgroupfs` Cgroup
driver but on the other hand, Fedora Atomic (version 27) comes with
1.13. Cgroup drivers for Docker need to be identical for the two
services, Docker and Kubelet, need to be able to work together.

Story: 2002533
Task: 22079
Change-Id: Ia4b38a63ede59e18c8edb01e93acbb66f1e0b0e4
5 years ago
Piotr Mrowczynski edee7030e4 Strip signed certificate
Certificate (ca.crt) has to be stripped for some application parsers
as they might require pure base64 representation of
certificate itself, without empty characters
at the beginning nor the end of file

Change-Id: I5f58e19d03abdf040b9a5b5df2f4dd83b4c0e3a9
Closes-Bug: #1775342
5 years ago
Zuul 3d02fd7c99 Merge "Revert "Strip signed certificate"" 5 years ago
Spyros Trigazis d66b4f2291 Revert "Strip signed certificate"
This reverts commit 69ffdae1d0.

Change-Id: Ie5dfdc4019fa9097bfecb96f43a107c08364303b
5 years ago
Zuul 5c8997e363 Merge "Use Octavia for LoadBalancer type service" 5 years ago
Piotr Mrowczynski 69ffdae1d0 Strip signed certificate
Certificate (ca.crt) has to be stripped for some application parsers
as they might require pure base64 representation of
certificate itself, without empty characters
at the beginning nor the end of file

Change-Id: I85457e0e2adcf21003300fafc6e2502f74b1afb5
5 years ago
Lingxian Kong 2cc57c5386 Use Octavia for LoadBalancer type service
In the OpenStack deployment with Octavia service enabled, the octavia
service should be used not only for master nodes high availability, but
also for k8s LoadBalancer type service implementation as well.

Change-Id: Ib61f59507510253794a4780a91e49aa6682c8039
Closes-Bug: #1770133
5 years ago
Kirsten G f6ed7d3a4a Add and improve tests for certificate manager
Updated file to add test_get_cluster_magnum_cert
and fix typos in existing test names.

Change-Id: I24ae1f6c781462e85c92134af784278f78d59e7c
5 years ago
Kirsten G d9e590bdc6 Cache barbican certs for periodic tasks
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.

Closes-Bug: #1659545

Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
5 years ago
yatin dd7ed64690 Update minimum version of docker in unit tests
python docker version in u-c is bumped to 3.1.1 in [1].
Till 2.7.0 if MINIMUM_DOCKER_API_VERSION it just reported
warning but since 3.0.0 it reports Error, see [2]. This
patch bumps the expected version to 1.21 which is same
docker version used in magnum and supported by current
python docker.

[2] df8422d079

Change-Id: Id93c5f70504c7d686dbd1b3d9bdfc1ef657d9287
5 years ago
Zuul 742014d8ea Merge "Corrected some misspellings in magnum" 5 years ago
Spyros Trigazis 30785acd3c Update kubernetes dashboard to v1.8.3
Add the RBAC enabled kubernetes-dashboard with
version v1.8.3.

Related-Bug: #1680900
Change-Id: I68a17d22dda9661c81f40bcc9db06f7456790958
5 years ago
Zuul 095b0146bb Merge "k8s: allow passing extra options to kube daemons" 5 years ago
Zuul 4be27a7c86 Merge "[kubernetes] add ingress controller" 5 years ago
Zuul 7664f490d3 Merge "Run etcd and flanneld in a system container" 5 years ago
Zuul 46d86f1456 Merge "Admin can now delete clusters in any project" 5 years ago
Ricardo Rocha 4efb58b28d k8s: allow passing extra options to kube daemons
Define a set of new labels to pass additional options to the kubernetes
daemons - kubelet_options, kubeapi_options, kubescheduler_options,
kubecontroller_options, kubeproxy_options.

In all cases the default value is "", meaning no extra options are
passed to the daemons.

Change-Id: Idabe33b1365c7530edc53d1a81dee3c857a4ea47
Closes-Bug: #1701223
5 years ago
Ricardo Rocha 0b18989a50 [kubernetes] add ingress controller
Add ingress controller configuration and backend to kubernetes clusters.

A new label 'ingress_controller' defines which backend should serve
ingress, with traefik added as the only option for now.

It is defined as a DaemonSet, with instances on all nodes defined with a
certain role. This role is set as an additional cluster label
'ingress_controller_role', with a default value of 'ingress'.

For now no node is automatically set with this role, with users or operators
having to do this manually after cluster creation.

Change-Id: I5175cf91f37e2988dc3d33042558d994810842f3
Closes-Bug: #1738808
5 years ago
Daniel Abad 6aac36358c Admin can now delete clusters in any project
After merging
it would be interesting for admin users to be able to
delete clusters and cluster templates as well.

Related-Bug: #1740982
Change-Id: I91f909e8814b86fd5f8b555573238b99b47ffd03
5 years ago
Spyros Trigazis d95ba4d1ff Run etcd and flanneld in a system container
In Fedora Atomic 27 etcd and flanneld are removed from the base image.
Install them as system containers.

* update docker-storage configuration
* add etcd and flannel tags as labels

Change-Id: I2103c7c3d50f4b68ddc11abff72bc9e3f22839f3
Closes-Bug: #1735381
5 years ago
Zuul ec08641e90 Merge "Add support for Octavia resources in Heat" 5 years ago
Zuul 69296d4b43 Merge "Add disabled_drivers config option" 5 years ago
Feilong Wang 838b8daf6e Support calico as network driver
Adding calico as Kubernetes network driver to support network
policy of Kubernetes. Network policy is a very important feature
for k8s production use. See more information about k8s network
policy at [1] and [2], as for calico please refer to [3] and [4].


Closes-Bug: #1746379

Change-Id: I135a46cd32a67d73d8e64ac5bbc4debfae6c4568
5 years ago
Feilong Wang 05c7f35d23 Add disabled_drivers config option
The new config option 'disabled_drivers' is designed to address a
typical use case: As cloud provider, I'd like to only provide
some particular drivers, e.g. fedora atomic/k8s and don't expose
any other driver support. With this patch, when a user creates a new
template which is in 'disabled_drivers', a BadRequest error will
be returned.

Closes-Bug: #1746961

Change-Id: Ib4c53ffed78a1847b2da9672e6348c88757ad66e
5 years ago
Lingxian Kong 3c8edd4d88 Add support for Octavia resources in Heat
Octavia is already an official LBaaS solution for OpenStack
( and
will deprecate the neutron-lbaas extension starting from Queens release.

For deployment support Octavia service for load balancing functionality,
Octavia related resources instead of LBaaS should be used in Heat template.

Tested in my DevStack environment.

Change-Id: Icc45e0a126c648fbcba4ebcd1bb258d60957f2d6
Closes-Bug: #1748577
5 years ago
Ricardo Rocha faa9e90402 [k8s] allow enabling kubernetes cert manager api
Add a new label 'cert_manager_api' to kubernetes clusters controlling the
enable/disable of the kubernetes certificate manager api.

The same cluster cert/key pair is used by this api. The heat agent is used
to install the key in the master node(s), as this is required for kubernetes
to later sign new certificate requests.

The master template init order is changed so the heat agent is launched
previous to enabling the services - the controller manager requires the CA key
to be locally available before being launched.

Change-Id: Ibf85147316e3a194d8a3f92cbb4ae9ce8e16c98f
Partial-Bug: #1734318
5 years ago
Zuul 7aa0c0a285 Merge "federation api: api endpoints" 5 years ago