Commit Graph

50 Commits

Author SHA1 Message Date
SPEARS, DUSTIN (ds443n) 7f15516372 Update k8s to v1.29.2
Change-Id: I8d8d38e62fd13884afb0d0c4d027d81879cbe313
2024-03-07 16:41:50 -05:00
SPEARS, DUSTIN (ds443n) 89d9d907b7 Upgrade kubernetes to v1.29.0
Change-Id: I2d62dac82d6b9d738c3aa71e541e89eddeb5ae87
2024-01-08 13:39:28 -05:00
SPEARS, DUSTIN (ds443n) 903b1363db Update k8s to v1.28.4
Change-Id: I300aa19f78206712b08d246cabbe5043b8abf509
2023-11-30 13:42:20 -05:00
SPEARS, DUSTIN (ds443n) f806f8983a Update k8s to 1.27.4
Change-Id: I782762508f5fa8206751d7b9f719bcea448efe09
2023-07-31 13:55:03 -04:00
SPEARS, DUSTIN (ds443n) 3c68fb2281 Update k8s to 1.27.2
Bump k8s from 1.27.1 to 1.27.2

Change-Id: If171853f06d970a8bcfaa83098e407de9b4bc041
2023-06-02 15:28:33 -04:00
SPEARS, DUSTIN (ds443n) 7a4051c6a3 Revert chart version
reverting chart versions to previous value

Change-Id: Id1d06f81d997d704af1a0bdb3fd0d8c9e8746360
2023-05-17 15:39:24 -04:00
SPEARS, DUSTIN (ds443n) 1717ed84e5 k8s upgrade to 1.27.1
upgrades kubernetes client to v1.27.1
upgrade etcd to v3.5.6

Change-Id: Iaf287353425aa6263a81617890a2ca3c2f2e4281
2023-05-17 10:32:04 -04:00
SPEARS, DUSTIN (ds443n) 70dd0c8599 Remove deprecated controller-manager flag
Additionally update all images from k8s.gcr.io to registry.k8s.io

Change-Id: I0240ee0bf5d23d035126a81318f57b240f5af402
2023-04-18 15:02:30 -04:00
SPEARS, DUSTIN (ds443n) 27a8b0d798 k8s upgrade to 1.26.0
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check

Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
2023-03-20 13:16:48 -04:00
Ruslan Aliev c10165c144 K8S upgrade 1.24
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Iaa0c5f57ac621f2b91f525da423db0acd9d8ea99
2022-09-14 19:34:02 -05:00
Ruslan Aliev e207bbe966 k8s upgrade to v1.23.7
Address changes and deprecations in Kubernetes v1.21=>v1.23

controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257

kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
2022-06-29 00:21:45 -05:00
francisy 3cac5cbde0 Promenade Enhancement
Update charts in Promenade to Kubernetes version 1.21

Change-Id: Iab6d10b384a8be3a4b4d2357a51b35ab93a797b0
2022-01-10 14:04:15 -05:00
Sean Eagan 9d696ca0a4 Use helm 3 in chart build
`helm serve` is removed in helm 3 so this moves
to using local `file://` dependencies [0] instead.

[0]: https://helm.sh/docs/chart_best_practices/dependencies/#repository-urls

Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: Ia45c57e0cccac477f6ff59a254d03d6fcec14bef
2021-09-30 16:57:05 -05:00
Sean Eagan ccadbc05b8 Fix chart yaml indentation issue
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I884785942ded0f355b9256263cc23b2e01f35bab
2021-09-30 16:53:26 -05:00
ubuntu 183b977754 Fix deprecated warning in Promenade apiserver chart
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
   Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
   and will be removed in v1.24.

Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
2021-06-29 16:14:17 +00:00
francisy cb1398496d Add hash annotation to apiserver-webhook deployment
Add a hash of the dynamic-config configmap to the annotations of the apiserver-webhook pod metadata, so that a chart upgrade will trigger a pod restart if the configmap contents change

Change-Id: I9c01b71b128e2bc6a5a07e5aa7ba826a4ffa237e
2021-06-10 17:53:22 -04:00
Zuul 0e8fad3fbc Merge "Add "labels" to apiserver-webhook deployment" 2021-05-14 19:27:49 +00:00
Phil Sphicas ae6782b452 Kubernetes: Uplift to v1.20.5
Uplift Kubernetes images and binaries from v1.19.7 to v1.20.5. No config
changes.

Change-Id: If2a8c9169c831a001205e8aa947df7fc00a1e658
2021-05-03 17:21:30 +00:00
Phil Sphicas 9533be32a1 Add required apiserver serviceaccount flags
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file

This change ensures that the flags are set, and that the required keys
are in the right places.

Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
2021-04-30 22:45:43 +00:00
DeJaeger, Darren (dd118r) 774f85248d Add "labels" to apiserver-webhook deployment
Defines a "labels" variable and adds it to the deployment itself. In
addition, reuses said labels variable to replace other parts of the
deployment in which this was repeated. This will clean up the chart
a bit and enable Armada itself to properly wait for certain percentages
of the deployment replicas to be ready prior to proceeding. Prior to
this change, there wasn't a way to select the apiserver-webhook
deployment via labels.

Change-Id: If1ddb4feb8cde414e76a412431222f8f608f3b18
2021-04-30 18:09:46 -04:00
Phil Sphicas 300a399aff apiserver(-webhook): Allow fileless kube-apiserver command_options
The kube-apiserver command line is constructed from a command_prefix
array, and in the case of the apiserver chart, an arguments array, both
defined in values.yaml. If an option needs to be added to the command
line, the entire array needs to be redefined in a values.yaml override,
which is sometimes inconvenient.

There is an existing interface in the apiserver and apiserver-webhook
charts to allow kube-apiserver arguments to be appended, but only when
they are associated with a config file that is dynamically included in a
configmap. The typical usage is similar to:

    conf:
      ignored_key_name:
        file: filename.yaml
        content: ...
        command_options:
          - --some-file=/etc/kubernetes/apiserver/filename.yaml

This change removes the requirement to include a file in the configmap,
allowing arbitrary command options to be appended. For example, in the
apiserver chart, this is now possible:

    conf:
      ignored_key_name:
        command_options:
          - --service-account-issuer=apiserver

Change-Id: I86283ecedd701c0f061da7b706d6ed54498f27a3
2021-04-28 05:18:16 +00:00
Phil Sphicas c6b62ff414 apiserver(-webhook): Allow volume overrides
The existing apiserver chart supports volume overrides for the anchor
daemonset, but not for the apiserver static pod itself. The feature to
allow volume overrides in the apiserver-webhook chart was never fully
implemented.

This change allows volume overrides via values.yaml for both charts,
and provides a more complete audit example that includes mounting the
audit log destination as a host path volume.

Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
2021-04-21 21:52:29 +00:00
Phil Sphicas 5bb58863b6 Uplift Kubernetes to v1.19.7
Change-Id: I2ac28e2383cb9c4d84d09c23c02a087db714803e
2021-02-11 17:23:32 +00:00
Phil Sphicas 5323ca2710 Deploy with standalone kubernetes images
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.

Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
2021-02-11 17:23:32 +00:00
Chris Wedgwood 630e504e3e Update to container image repo k8s.gcr.io
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.

Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
2021-01-11 17:42:31 +00:00
Phil Sphicas de9f8415d7 kube-apiserver: disable http2
There are several kubernetes bugs [0,1,2] involving connection problems
that seem related to the Go net/http2 library, where the stream state
and connection state can get out of sync. This can manifest as a kubelet
issue, where the node status gets stuck in a NotReady state, but can
also happen elsewhere.

In newer versions of the Go libraries some issues are fixed [3,4], but
the fixes are not present in k8s 1.18.

This change disables http2 in kube-apiserver and webhook-apiserver. This
should be sufficient to avoid the majority of the issues, as disabling
on one side of the connection is enough, and apiserver is generally
either the client or the server.

0: https://github.com/kubernetes/kubernetes/issues/87615
1: https://github.com/kubernetes/kubernetes/issues/80313
2: https://github.com/kubernetes/client-go/issues/374
3: https://github.com/golang/go/issues/40423
4: https://github.com/golang/go/issues/40201

Change-Id: Id693a7201acffccbc4b3db8f4e4b96290fd50288
2020-10-23 21:28:51 +00:00
Chris Wedgwood 8c52be3dde Remove /hyperkube prefix
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.

Change-Id: Ie9281b07e3be0eedbe86be726f907f68461e23b2
2020-09-26 07:53:46 +00:00
Andrii Ostapenko 940253563a Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: Ifd2d7af1f2dabe9bbccd65551e0223dddff529dc
2020-09-24 19:43:10 -05:00
Mahmoudi, Ahmad (am495p) c302a083a6 Upgrade k8s from v1.17.3 to v1.18.6
This PS makes the following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
  - Updated all references to k8s images to 1.18.6
  - Updated command options and api object and versions based on
    k8s 1.18 release notes:
      https://kubernetes.io/docs/setup/release/notes/
  - Uplifted uwsgi to 2.0.19.1 to align with other airship
    components, and to bring in fixes and improvements.
  - Added build-essentials and python3-dev packages to pass the Zuul
    gate, which was looking for a C compiler.

Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
2020-08-19 15:56:45 +00:00
KHIYANI, RAHUL (rk0850) fbaa07a66c Implement helm-toolkit snippet to apiserver and webhook pods/containers
This updates the promenade chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem

Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
2020-07-02 14:52:19 +00:00
Smruti Soumitra Khuntia da7c79f6b9 Upgrade Hyperkube version from 1.16.2 to 1.17.3
Changes to use Hyperkube v1.17.3 instead of
v1.16.2

Change-Id: I442694afad7f718dcd4db7fa7bb2c60beec8bdaa
2020-05-22 15:23:37 +00:00
KHIYANI, RAHUL (rk0850) 8463e61eb7 apiserver-webhook: Add Apparmor runtime default to apiserver-webhook
Change-Id: Ib2376030a2e694c2b359a4bbffdc0bd968ec6310
2020-04-20 21:53:53 +00:00
KHIYANI, RAHUL (rk0850) 1deee87b93 apiserver-webhook: Add container security context
This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: If61b6f9189a36f069efa80ef1a31b35328a92f1a
2020-02-17 15:06:14 +00:00
Samuel Pilla b77c6fe637 Upgrade Hyperkube version for k8s 1.16
Upgrade Hyperkube to v1.16.2

Change-Id: I3f17ac007e3704c1f4ae2f79e0c41704074c2010
2019-12-06 18:20:13 +00:00
Evgeny L 0ed774a7cf Allow to configure service network policy for apiserver-webhook
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.

* Network policies are disabled by default.
* When enabled default policies allow all ingress and
  egress traffic (i.e. policy set to {}), this may be
  changed in future patch-sets.

Change-Id: I3c6457f4abc9accf39cd9320208899200a43f828
2019-11-08 00:03:43 +00:00
Phil Sphicas eacecb7918 Fix: apiserver-webhook chart apiVersion (typo)
The apiserver-webhook chart specifies an invalid apiVersion: vn. This
change corrects the apiVersion to v1.

It is not clear what (if anything) currently validates the apiVersion,
but this will likely become more relevant with Helm 3.

Change-Id: I0868f1da2e5610d2ca7212a414841205392e5f1f
2019-11-05 19:39:54 -08:00
Kumar, Nishant (nk613n) b49805ae82 Chart changes to support k8s v1.16
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A separate change would be done to uplift
kubernetes to 1.16.

Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953

- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-privileged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.

Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
2019-10-25 13:59:22 +00:00
Zuul bffa2b0cfd Merge "(fix) add node selector to apiserver-webhook" 2019-09-06 20:40:40 +00:00
Scott Hussey ecfd773506 (charts) Webhook dynamic config
- support a similar dynamic config pattern in the apiserver-webhook
  chart as the base apiserver chart

- Update the example values.yaml in apiserver to fully reflect
  configuration of the aggregation API

Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
2019-08-17 13:12:37 -05:00
Crank, Daniel (dc6350) 5c92a11b8a Fixes/updates for webhook-apiserver
a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.

b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.

c. Adding an apt-get clean to Dockerfile as this seems to be
needed to get image building working properly.

This patchset has passed the Promenade resiliency gate.

Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
2019-08-20 09:07:24 -05:00
Luna Das 7f63537f8a Add facility to configure log levels in kubernetes-components
Change-Id: Ib7c481b71818c6673cd0b9c47d282d4a3f42d307
2019-08-14 13:33:21 +05:30
Zuul b417f422e9 Merge "Run apiserver-webhook containers with the 'nobody' user" 2019-07-16 21:58:45 +00:00
Hussey, Scott (sh8121) ca4fb44b97 (fix) add node selector to apiserver-webhook
- Add a nodeSelector stanza to the apiserver-webhook pod
  template
- Add the release_uuid pattern

Change-Id: I2754dffb2931a965335ee0961013e5edd9feee6d
2019-06-21 16:13:33 -05:00
anthony.bellino 90d9601f62 Add pod anti-affinity to apiserver-webhook
This PS adds pod anti-affinity to apiserver-webhook pods,
so that the scheduler can constrain pods against labels on other pods
running on the node. The default soft rule is in place so that if the
scheduler can’t satisfy the requirement, the pod will still
be scheduled.

Change-Id: I8c118410b822d4fed44693b8a0308c8eff103978
2019-05-29 22:11:48 +00:00
BARTRA, RICK 6fcdde451b Run apiserver-webhook containers with the 'nobody' user
The apiserver-webhook containers should run with a non-root user when
possible

Change-Id: Ia56794e4f39423cbb642c3aa518649abc2a51d5c
2019-04-30 20:47:46 +00:00
Matt McEuen e4cab73d0f Update to Kubernetes 1.11.6
This change updates the following components in the Promenade charts,
docs, and example bootstrap configuration:
  Kubernetes 1.10.11 -> 1.11.6
  CoreDNS 1.1.2 -> 1.1.3 (per k8s 1.11 recommendations)
  Etcd 3.2.14 -> 3.2.18 (per k8s 1.11 recommendations)
  Tiller 2.10.0 -> 2.12.1 (per Helm k8s support)

This change has been tested by the Promenade resiliency gate.

Change-Id: Ia70de212dd2d50c6638578b92c750a4d5c791229
2019-02-05 17:29:59 -06:00
Zuul 3efe546ab6 Merge "Update Kubernetes to 1.10.11" 2018-12-18 18:05:40 +00:00
Mark Burnett cdd1a6bd28 Update Kubernetes to 1.10.11
Change-Id: If1479f7a5d0a8ea459eed39172a0bc1f89935e36
2018-12-18 11:32:28 -06:00
Scott Hussey 0e813a04b9 Extend webhook-enabled apiserver chart
- Updates to the webhook-enabled apiserver chart to properly
  support certificate trust and allow for fragmented CAs for
  better security.

Change-Id: I56dee9d1ca4e0807d89ce6b0f3ab3fb5d4ea8c67
2018-12-10 18:09:25 +00:00
Gupta, Sangeet (sg774j) ae95ed400e APISERVER for webhook
This commit creates apiserver pods with kubernetes keystone webhook
as a side for. The sole purpose of these pods is authentication and
authorization.

Change-Id: I74472576d7dc0da6ac66d7e0a8e1db5fad156952
2018-09-18 15:04:32 -05:00