This PS updates python modules and code to match Airflow 2.6.2:
- bionic py36 gates were removed
- python code corrected to match new modules versions
- selection of python modules versions was perfoemed based on
airflow-2.6.2 constraints
Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check
Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
Address changes and deprecations in Kubernetes v1.21=>v1.23
controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257
kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim
https: //github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https: //kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https: //github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
Update the anchor pods to use a regularly patched and updated kubectl
image that contains the necessary components (bash, jq, curl, etc.) in
addition to kubectl: https://hub.docker.com/r/bitnami/kubectl
Change-Id: Ia3e75dc334c3c1a88abfec10fb0367447e79a538
Update applicable charts to use non-deprecated APIs [0], specifically
addressing the following resource types:
* ClusterRole
* ClusterRoleBinding
* Role
* Rolebinding
The APIs being migrated to are available in v1.19 or earlier. As of this
change, v1.19 is the oldest supported Kubernetes version, slated for EOL
on 2021-10-28. [1]
0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
1: https://kubernetes.io/releases/
Change-Id: I134b201d9ae01a8d74e34ee14f3bfe3b960cb5aa
* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
priorityClassName: system-node-critical
Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
To avoid cycling the pods in the anchor daemonset too quickly, only
consider a kubernetes-apiserver-anchor pod ready if:
- it created the static manifest kubernetes-apiserver.yaml
- the kubernetes-apiserver pod on the same host is ready
Change-Id: I53dd1c044332946eeb965f07ae828910f00b04c6
This change corrects two rendering issues in the kube-apiserver anchor
script. The details and impact are mentioned below.
1. The kube-apiserver anchor script fails to clean up some files from
the host, because the path is incomplete. For example, the cleanup()
function of the script includes:
rm -f "/host/acconfig.yaml"
instead of
rm -f "/host/etc/kubernetes/apiserver/acconfig.yaml"
2. A recent change to allow fileless command options [0] caused some
extraneous lines to end up in the script. For example, the rendered
script includes:
snapshot_files() {
cp "/tmp/etc/" "${SNAPSHOT_DIR}/etc/kubernetes/apiserver/"
}
compare_copy_files() {
SRC="${SNAPSHOT_DIR}/etc/kubernetes/apiserver/"
DEST="/host/etc/kubernetes/apiserver/"
if [ ! -e "${DEST}" ] || ! cmp -s "${SRC}" "${DEST}"; then
mkdir -p $(dirname "${DEST}")
cp "${SRC}" "${DEST}"
chmod go-rwx "${DEST}"
fi
}
cleanup() {
rm -f "/host/"
}
Since the 'cp' and 'rm' commands don't include '-r', this is actually
non-impacting, other than some log messages.
0: https://review.opendev.org/c/airship/promenade/+/788092
Change-Id: Id0a47727d56268d13ebb4718b8578d94272c2181
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
and will be removed in v1.24.
Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file
This change ensures that the flags are set, and that the required keys
are in the right places.
Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
The kube-apiserver command line is constructed from a command_prefix
array, and in the case of the apiserver chart, an arguments array, both
defined in values.yaml. If an option needs to be added to the command
line, the entire array needs to be redefined in a values.yaml override,
which is sometimes inconvenient.
There is an existing interface in the apiserver and apiserver-webhook
charts to allow kube-apiserver arguments to be appended, but only when
they are associated with a config file that is dynamically included in a
configmap. The typical usage is similar to:
conf:
ignored_key_name:
file: filename.yaml
content: ...
command_options:
- --some-file=/etc/kubernetes/apiserver/filename.yaml
This change removes the requirement to include a file in the configmap,
allowing arbitrary command options to be appended. For example, in the
apiserver chart, this is now possible:
conf:
ignored_key_name:
command_options:
- --service-account-issuer=apiserver
Change-Id: I86283ecedd701c0f061da7b706d6ed54498f27a3
The existing apiserver chart supports volume overrides for the anchor
daemonset, but not for the apiserver static pod itself. The feature to
allow volume overrides in the apiserver-webhook chart was never fully
implemented.
This changes allows volume overrides via values.yaml for both charts,
and provides a more complete audit example that includes mounting the
audit log destination as a host path volume.
Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
The apiserver anchor pods already have an annotation to detect changes
in the apiserver-bin configmap, but not for apiserver-etc.
This change adds the hash annotation, so that the daemonset pods will
cycle if a chart upgrade should result in a config change to the
apiserver static pod.
Change-Id: If3aa1b77ea9a737705b8be5e4938b183e310e265
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.
Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.
Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.
Affects the following resources:
* haproxy-anchor daemonset
* kubernetes-apiserver-anchor daemonset
* kubernetes-controller-manager-anchor daemonset
* kubernetes-scheduler-anchor daemonset
Change-Id: Ib7fb018c4c1916d00311a73f64f77a99b682d4c8
There are several kubernetes bugs [0,1,2] involving connection problems
that seem related to the Go net/http2 library, where the stream state
and connection state can get out of sync. This can manifest as a kubelet
issue, where the node status gets stuck in a NotReady state, but can
also happen elsewhere.
In newer versions of the Go libraries some issues are fixed [3,4], but
the fixes are not present in k8s 1.18.
This change disables http2 in kube-apiserver and webhook-apiserver. This
should be sufficient to avoid the majority of the issues, as disabling
on one side of the connection is enough, and apiserver is generally
either the client or the server.
0: https://github.com/kubernetes/kubernetes/issues/87615
1: https://github.com/kubernetes/kubernetes/issues/80313
2: https://github.com/kubernetes/client-go/issues/374
3: https://github.com/golang/go/issues/40423
4: https://github.com/golang/go/issues/40201
Change-Id: Id693a7201acffccbc4b3db8f4e4b96290fd50288
The existing exec probes for apiserver rely on things that do not exist
in the official kubernetes release images (bash, socat).
This change modifies the apiserver to use HTTP probes of the recommended
liveness and readiness endpoints.[0]
Also sets `--anonymous-auth=true` (the default setting), as kubelet is
unable to provide a client certificate when performing the health check.
RBAC rules apply, but unauthenticated users will be able to access the
following endpoints:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:public-info-viewer
rules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
- /version
- /version/
verbs:
- get
0: https://v1-18.docs.kubernetes.io/docs/reference/using-api/health-checks/
Change-Id: I06d739c844fe85ec6cbf47d3bb69a39cd008ddd8
Uses the standard helm-toolkit macros for liveness and readiness probes,
allowing them to be enabled or disabled, and params to be overridden.
Change-Id: Ie9aef97f56f2205ada24f17e7cafabc5943ae097
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.
Change-Id: Ie9281b07e3be0eedbe86be726f907f68461e23b2
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: Ifd2d7af1f2dabe9bbccd65551e0223dddff529dc
This ps makes following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
- Updated all references to k8s images to 1.18.6
- Updated command options and api object and versions based on
k8s 1.18 release notes:
https://kubernetes.io/docs/setup/release/notes/
- Uplifted uwsgi to 2.0.19.1 to align with other airship
components, and to bring in fixes and improvements.
- Added build-essentials and python3-dev packages to pass the zull
gate, which was looking for a c compiler.
Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
This changes adds security context template at pod level to
set run as user value
This also adds security context template at container level to
set readOnly-fs flag
Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
This updates the promenade chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem
Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
This adds "set -u" (in addition to the existing -x) to the anchor
scripts. This should fix an issue seen occasionally in the haproxy
chart which is only explainable by the IDENTIFIER variable failing
to get set correctly.
All variables used in the anchor scripts ought to be defined, and
there's no need to rely on blank strings as defaults.
"set -e" was considered for this, but may have unintended side-effects:
-u should be safe and avoid the issue we've seen.
Change-Id: Idbc2f9f77d4754874999d5d83d322a17076c7392
This PS ensures there is a newline present between the cert and its
key when concatenating them together.
Change-Id: I72319c1a415d683f19ff8f96060eb39bbec34b75
Signed-off-by: Pete Birley <pete@port.direct>
This adds -e to the pre_stop scripts, so that they fail out if
any of their commands fail. This is required, since it's the only
way to communicate whether there is an issue during pre_hook
execution.
"The logs for a Hook handler are not exposed in Pod events.
If a handler fails for some reason, it broadcasts an event."
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
As an example, this issue was discovered when "touch /tmp/stop"
was failing silently due to a readOnlyRootFilesystem setting,
resulting in pods that would not successfully Terminate until
the grace period was exhausted.
Change-Id: Ic9a228230d944530e31ed61f4239fd434cbb6187