* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
priorityClassName: system-node-critical
Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
To avoid cycling the pods in the anchor daemonset too quickly, only
consider a kubernetes-apiserver-anchor pod ready if:
- it created the static manifest kubernetes-apiserver.yaml
- the kubernetes-apiserver pod on the same host is ready
Change-Id: I53dd1c044332946eeb965f07ae828910f00b04c6
The apiserver anchor pods already have an annotation to detect changes
in the apiserver-bin configmap, but not for apiserver-etc.
This change adds the hash annotation, so that the daemonset pods will
cycle if a chart upgrade should result in a config change to the
apiserver static pod.
Change-Id: If3aa1b77ea9a737705b8be5e4938b183e310e265
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.
Affects the following resources:
* haproxy-anchor daemonset
* kubernetes-apiserver-anchor daemonset
* kubernetes-controller-manager-anchor daemonset
* kubernetes-scheduler-anchor daemonset
Change-Id: Ib7fb018c4c1916d00311a73f64f77a99b682d4c8
This PS ensures there is a newline present between the cert and its
key when concatenating them together.
Change-Id: I72319c1a415d683f19ff8f96060eb39bbec34b75
Signed-off-by: Pete Birley <pete@port.direct>
kubernetes-controller-manager-anchor pods get stuck in Terminating state
because the pre-stop script tries to touch /tmp/stop, which is on a read
only root filesystem.
This change mounts an emptyDir at /tmp to resolve the issue.
The same change is applied to apiserver, etcd, and scheduler anchors, to
prevent the issue if readOnlyRootFilesystem is enabled.
Related change for haproxy:
https://review.opendev.org/685711/
Change-Id: I784498e0dc24da91a983716029973919b96a3055
This updates the apiserver chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to false
Change-Id: I76d80c4cbf40d1e3e518a3d2969c86f4d5c8c3f4
- Support key rotation for the etcd encryption key in the
apiserver chart
- Remove configmap annotations from the apiserver anchor pods
as the pod is built to pickup changes in configmap contents
without restart.
- Also update the apiserver anchor DaemonSet to apps/v1 and
make required updates to support that update.
Change-Id: I2d18996bbe04bada9da2bce01a502550d3681c97
Daemonset update strategy defaults to OnDelete in v1beta1, whereas
it defaults to RollingUpdate in v1, which seems prefereable.
This also adds helm-toolkit based labels at the controller level
to match standard usage such as for example by armada as wait labels.
This change has been tested using the promenade resiliency gate.
Change-Id: I9fd1bc4caedc0a6717b779e5333640ca8dc78b7e
Fixes the destination for the file created during the liveness probe for
the apiserver anchor pod so that it exists in the desired location for
the subsequent check.
Change-Id: I29966ee47524f73b018cc6ea85854a42a406dfc3
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. This can be used, for example, to force an
artificial manifest change in CICD scenarios, for upgradability
testing purposes.
Change-Id: I8d0ffac306258f940c63799e86e7e26b5c2c5add
- Turn off anonymous-auth.
- Reworked haproxy helm test and updated test images.
- Reworked kubernetes-apiserver readiness and liveness tests.
Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
This adds stability to etcd and enables cleaner waiting by tiller during
deployment of the Kubernetes apiserver and etcd.
* Adds second auxiliary etcd process.
* Enables "sequenced" for remaining ChartGroups.
* Removes unused disks from test VMs.
* Add readiness and liveness probes for kubernetes components
Change-Id: I6f83bb912f76b0ec35503723b417ba45d69e39c5
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Dechkand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c