Due to CVE-2022-4886 the default pathType for an ingress should be
either "Exact" or "Prefix". This allows for more strict path validation by
the admission controller.
Change-Id: I1089bd5c893685fe3b2bcd6868da2f2b761e144f
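Added example, not code from the MAAS chart or from ingress-nginx: a small lint over a parsed Ingress manifest that reports every path which either skips the stricter validation (pathType ImplementationSpecific, or pathType absent, which older API versions default to ImplementationSpecific) or would be rejected by it. PLAIN_PATH is an assumption that approximates the controller's stricter check on Exact/Prefix paths; it is not the controller's own pattern. The sample manifest is constructed for the example.

```python
import re

SAFE_PATH_TYPES = {"Exact", "Prefix"}
# Assumption: a simplified stand-in for the strict path check on Exact/Prefix
# paths. Anything outside plain path characters (regex metacharacters,
# ';', '=', spaces, ...) is flagged.
PLAIN_PATH = re.compile(r"^/[A-Za-z0-9._\-/]*$")


def ingress_path_findings(ingress):
    """Return (host, path, message) tuples for every path in one Ingress
    dict (the parsed manifest) that either bypasses strict validation or
    would be rejected by it."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            # A missing pathType is treated the way extensions/v1beta1 did.
            path_type = entry.get("pathType", "ImplementationSpecific")
            if path_type not in SAFE_PATH_TYPES:
                findings.append((host, path,
                                 f"pathType {path_type}: path is handed to nginx "
                                 "without strict validation; use Exact or Prefix"))
            elif not PLAIN_PATH.match(path):
                findings.append((host, path,
                                 f"pathType {path_type}: path contains characters "
                                 "that strict validation rejects"))
    return findings


# Constructed sample (not the chart's rendered object): one clean Prefix path,
# one regex-style ImplementationSpecific path, one malformed Prefix path.
_BACKEND = {"service": {"name": "maas-region", "port": {"number": 80}}}
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "maas-region-api"},
    "spec": {"rules": [{
        "host": "maas.example.invalid",
        "http": {"paths": [
            {"path": "/MAAS", "pathType": "Prefix", "backend": _BACKEND},
            {"path": "/api(/|$)(.*)", "pathType": "ImplementationSpecific",
             "backend": _BACKEND},
            {"path": "/health;uid=0", "pathType": "Prefix", "backend": _BACKEND},
        ]},
    }]},
}

if __name__ == "__main__":
    for host, path, msg in ingress_path_findings(SAMPLE_INGRESS):
        print(f"{host}{path}: {msg}")
```

Run it over `kubectl get ingress -A -o json` output (one dict per item) to find the objects that still rely on ImplementationSpecific matching before flipping the chart default.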
* Allow any recursion and cache queries for named svc
* Bump maas v3 to the actual version
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.
This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.
Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad
Adding said label, that's already defined, to the deployments themselves.
This will enable Armada to properly wait for certain percentages of the
deployment replicas to be ready prior to proceeding. Prior to this change,
there wasn't a way to select these deployments via labels.
Change-Id: I4d8e479eb40e4395a4e3b79bbc9df651aa4e12e7
Sometimes the ephemeral environment needs additional cloud-init data.
This change allows user-data sections to be added to the default files
in /etc/maas/preseeds: enlist, commissioning, and curtin.
For example, to resolve issues with 'apt-get update' failures during
enlistment, something like this may be necessary:
conf:
  cloudconfig:
    override: true
    sections:
      bootcmd:
        - "rm -fr /var/lib/apt/lists"
Change-Id: I817006a799003ace3f35d02507489720b0f9079b
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.
Affects the following resources:
* maas-ingress deployment
Change-Id: I8f8239dc868e30d0203cb994b0eb6a615f40d87b
This updates the maas chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag
Change-Id: I1eba6ab3a7c27ddcb3e8ddc8e743b91dc5e521c3
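Added example, not chart code, covering the two pod-template changes above (HostToContainer mountPropagation on host mounts that include /var/lib/kubelet, and the pod/container security contexts with readOnlyRootFilesystem): a lint over a parsed pod spec that reports containers missing either setting. Which host paths count as "including /var/lib/kubelet" (the directory itself, anything under it, or an ancestor such as /var/lib) is this example's interpretation. The sample pod spec is constructed.

```python
import posixpath

KUBELET_ROOT = "/var/lib/kubelet"


def _touches_kubelet(host_path):
    """True if host_path is /var/lib/kubelet, a directory under it, or an
    ancestor that contains it (such as /var/lib or /)."""
    p = posixpath.normpath(host_path)
    if p == KUBELET_ROOT or p.startswith(KUBELET_ROOT + "/"):
        return True
    return KUBELET_ROOT.startswith(p.rstrip("/") + "/")


def pod_template_findings(pod_spec):
    """Return (container, message) tuples for one pod spec dict."""
    findings = []
    if "securityContext" not in pod_spec:
        findings.append(("<pod>", "no pod-level securityContext"))
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod_spec.get("volumes", []) if "hostPath" in v}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c["name"]
        if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
            findings.append((name, "readOnlyRootFilesystem is not true"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None or not _touches_kubelet(path):
                continue  # not a hostPath volume, or unrelated to the kubelet dir
            if m.get("mountPropagation") != "HostToContainer":
                findings.append((name, f"hostPath {path} mounted at {m['mountPath']} "
                                       "without mountPropagation: HostToContainer"))
    return findings


# Constructed sample pod spec (not the chart's rendered template): the first
# container is configured as the commits describe, the second is not.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsUser": 33, "runAsNonRoot": True},
    "volumes": [
        {"name": "kubelet-dir", "hostPath": {"path": "/var/lib/kubelet"}},
        {"name": "etc-maas", "hostPath": {"path": "/etc/maas"}},
    ],
    "containers": [
        {"name": "maas-ingress",
         "securityContext": {"readOnlyRootFilesystem": True},
         "volumeMounts": [
             {"name": "kubelet-dir", "mountPath": "/var/lib/kubelet",
              "mountPropagation": "HostToContainer"},
             {"name": "etc-maas", "mountPath": "/etc/maas", "readOnly": True},
         ]},
        {"name": "maas-ingress-vip",
         "volumeMounts": [
             {"name": "kubelet-dir", "mountPath": "/host/kubelet"},
         ]},
    ],
}

if __name__ == "__main__":
    for container, msg in pod_template_findings(SAMPLE_POD_SPEC):
        print(f"{container}: {msg}")
```

Feed it the `spec.template.spec` of each rendered Deployment or StatefulSet (for example from `helm template`) so a regression in either setting is caught before the chart is applied.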
This change allows extra late_commands to be added to the curtin
userdata, which are executed before the node is rebooted at the end of
the deployment. This can be useful to install packages or perform other
customization.
One sample use-case is the installation of specific kernel module
packages that match the target kernel image, in cases where the
ephemeral environment uses a different kernel version.
Change-Id: I80084c544f6a7dafd6aa84c8041cf86bdc3b9f4b
The existing drivers.yaml rendered by the MAAS chart is missing the
top-level 'drivers' key, so it doesn't actually work. This change fixes
the rendering of the file, and adds a comment in values.yaml about where
to look for additional information about where and how the file is used:
https://github.com/maas/maas/blob/2.3.5/src/maasserver/third_party_drivers.py
Change-Id: I940c8a57d3e404a101de5c1ea92f8a467319dbaa
MAAS uses MBR for boot disks smaller than 2 TiB. This change provides an
option to force the use of GPT, regardless of boot disk size. The chart
value is: conf.maas.force_gpt=true.
The 2 TiB "threshold" for when GPT is required is simply lowered to 0:
https://github.com/maas/maas/blob/2.3/src/maasserver/models/partitiontable.py#L51-L53
This change could be accomplished with a patch to the maas-region image
directly, but then it would not be configurable, and it may not be
useful for all users. Using sed in the startup script seems like a fair
solution.
Change-Id: I87d3f4b9c97048cdef383cbd15c5a16ac219066b
Using `exit 0` in the ntpd stub causes some unwanted log warnings:
maas.service_monitor[151]: [warn] Service 'ntp' is on but not in the
expected state of 'running', its current state is 'exited'.
This change allows the stub to respond appropriately to 'systemctl
status ntpd' and 'systemctl restart ntpd' and keeps MAAS happier.
Change-Id: I41b95051ce595fb9001f4104a1abb48b66a657c4
By default, curtin creates a swap file of up to 8GB. When swap is later
disabled, there is still a /swap.img file left hanging around that needs
to be cleaned up.
This change sets the size to 0 to disable the creation of the swap file
in the first place.
https://curtin.readthedocs.io/en/latest/topics/config.html#swap
Change-Id: I9e1e5f67007ae3c49617525e989b27e123b69d53
A recent change[0] to allow customization of the log level inadvertently
resulted in most messages being logged twice - once if they matched the
severity constraint, and again for all non-local messages, which for the
intended use case is all of them.
This change corrects the rsyslog.conf to drop local messages, and log
the remainder at the configured severity level. It also removes the
"$RepeatedMsgReduction on" parameter, which may have partially masked
the issue, and whose use is not advised.[1]
Change-Id: Ib15f82d9e1c7cef7d6085d6a215354b064aa09bb
0: e22afb6e95
1: https://www.rsyslog.com/doc/v8-stable/configuration/action/rsconf1_repeatedmsgreduction.html
Provide a knob to adjust some less-common MAAS configuration settings.
Changes the default values as follows: disables network discovery, sets
the active subnet mapping interval to 0 (from 10800 seconds), marks the
intro as completed, and disables Google analytics.
Refer to `maas $PROFILE maas set-config -h` for the list of available
configuration items.
Change-Id: I46d348ef5777e22ebeb7a062e5f6061d9ad61a1c
With the existing readiness probe mechanism, if log rotation occurs
then it may lead the maas rack pod to show a false not-ready. Instead, save
the success message of rack registration to a file and then use it in
the readiness probe.
Change-Id: I569b99186d398db44a10824dc3fe8c745b13a4ac
Provide the ability to overwrite the default logging level.
Use 'info' as the default with log_level attribute.
Change-Id: I4bfd82a568c1eaad7de891bd103b3f8ff032e589
Uplifts the ingress-nginx-controller image to 0.26.1, including the
required chart modifications for RBAC, new options for stream and
profiler ports, and a change in the default status port from 18080
to 10246.
Change-Id: Ia0b33a739ea180de45b7e3920968d12ea651a573
When the MAAS syslog pod starts, it polls continuously until the log
file exists, generating a message every 10 seconds. However, rsyslogd
won't create the file until it receives the first message, which could
take a while.
This change will create an empty file if none exists prior to starting
the rsyslogd service.
Previous comments indicate some concerns about a race condition, and it
is possible that there are some circumstances when the file may go away
and come back, so the polling loop is left in place.
Change-Id: Ic56faf718038c5d17ab9353399a94ec74e91f8d0
This change fixes a few issues with the MAAS chart:
1. Removes extraneous serviceName from maas-ingress-errors Deployment
2. Adds missing serviceName to maas-syslog StatefulSet
3. Moves maas-region-api Ingress object back under extensions/v1beta1
Similar to: https://review.opendev.org/691701/
Change-Id: I83156c0e255ad17bbac024daba293490980414ee
'apps/v1beta1' apiVersion for Deployment has been deprecated.
'extensions/v1beta1' apiVersion for Ingress resource has been deprecated.
This PS aligns towards the effort in moving to k8s 1.16.
Reference: https://v1-14.docs.kubernetes.io/docs/setup/release/notes/#deprecations
Change-Id: Ied31e4e136fb9bf0343d609cf75bd1b7028d6f66
- The import script would skip creating a new boot source
  selection for a non-default distro in some cases due
  to a non-recommended if construct. Change to the recommended
  'if ! grep -q' pattern
Change-Id: I59e6732598f74fc34a6986dbdfe4200d8cd9ea9f
Updating deployment-ingress-errors chart so ingress-errors deploys.
The chart was previously checking for rack_deployment which is now
rack_statefulset.
Change-Id: I79750804ca7bb62a7fcf9c91b80a435d9af332aa
- Addition of a NodeSelector into the MAAS API helm test pod spec,
to assist it getting placed onto the correct set of nodes.
Change-Id: I31ca107a20f358760b77cadeef1a7f01bd8eb885
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled default policies allow all ingress and
egress traffic (i.e. policy set to {}), this may be
changed in future patch-sets.
Change-Id: I288ad9ad82d4820d70cccd26b73d3c1a44862f9e
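Added example, not chart code: a decoder for what a NetworkPolicy actually does to the pods it selects. The "{}" policy the commit enables by default is the allow-all case below; an empty or missing rule list for a direction that is listed in policyTypes is the opposite, deny-all, and the two are easy to confuse when reading values.yaml. The edge-case handling when policyTypes is omitted (Egress counted as present whenever the spec carries an egress key) is this example's assumption about the API default. The sample policies are constructed, not the chart's rendered objects.

```python
def _rule_is_open(rule, peer_key):
    """A rule with no peers and no ports matches all traffic."""
    return not rule.get(peer_key) and not rule.get("ports")


def policy_effect(policy):
    """Return {"Ingress": effect, "Egress": effect}, where effect is one of
    "allow-all", "deny-all", "restricted" or "unaffected" (direction not
    governed by this policy)."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    if types is None:
        # Assumption about the API default: Ingress always, Egress only when
        # the spec has an egress key.
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    effect = {}
    for direction, peer_key in (("Ingress", "from"), ("Egress", "to")):
        if direction not in types:
            effect[direction] = "unaffected"
            continue
        rules = spec.get(direction.lower()) or []
        if not rules:
            effect[direction] = "deny-all"
        elif any(_rule_is_open(r, peer_key) for r in rules):
            effect[direction] = "allow-all"
        else:
            effect[direction] = "restricted"
    return effect


def default_deny(name, namespace):
    """A policy that isolates every pod in the namespace in both directions;
    narrower allow policies are then layered on top of it."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


# Constructed samples. ALLOW_ALL is the shape of a policy whose rules are {}.
ALLOW_ALL = {"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                      "ingress": [{}], "egress": [{}]}}
RACK_ONLY = {"spec": {
    "podSelector": {"matchLabels": {"application": "maas", "component": "region"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"component": "rack"}}}],
                 "ports": [{"port": 5240, "protocol": "TCP"}]}]}}

if __name__ == "__main__":
    for label, pol in (("allow-all", ALLOW_ALL), ("rack-only", RACK_ONLY),
                       ("default-deny", default_deny("deny-all", "maas"))):
        print(label, policy_effect(pol))
```

When enabling the chart's policies, apply the output of default_deny first and then add the region/rack and ingress allow rules; leaving the {} defaults in place changes nothing about what can reach the MAAS pods.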
Run the maas-ingress and maas-ingress-vip containers with the
'www-data' (33) user.
Run the maas-ingress-errors container with the error-page image [0],
from [1], which already runs as the nobody user.
[0] Dockerfile.404-server-with-metrics
[1] https://github.com/kubernetes/ingress-gce
Change-Id: Idf3791a958017d512bb3f5015b59452e2831b1b3