Commit Graph

62 Commits

Author SHA1 Message Date
SPEARS, DUSTIN (ds443n) 7f15516372 Update k8s to v1.29.2
Change-Id: I8d8d38e62fd13884afb0d0c4d027d81879cbe313
2024-03-07 16:41:50 -05:00
SPEARS, DUSTIN (ds443n) 89d9d907b7 Upgrade kubernetes to v1.29.0
Change-Id: I2d62dac82d6b9d738c3aa71e541e89eddeb5ae87
2024-01-08 13:39:28 -05:00
SPEARS, DUSTIN (ds443n) 903b1363db Update k8s to v1.28.4
Change-Id: I300aa19f78206712b08d246cabbe5043b8abf509
2023-11-30 13:42:20 -05:00
Sergiy Markin 69a74590e7 Airflow stable 2.6.2
This PS updates python modules and code to match Airflow 2.6.2:

- bionic py36 gates  were removed
- python code corrected to match new modules versions
- selection of python modules versions was perfoemed based on
  airflow-2.6.2 constraints

Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
2023-08-29 21:12:11 +00:00
SPEARS, DUSTIN (ds443n) f806f8983a Update k8s to 1.27.4
Change-Id: I782762508f5fa8206751d7b9f719bcea448efe09
2023-07-31 13:55:03 -04:00
SPEARS, DUSTIN (ds443n) 3c68fb2281 Update k8s to 1.27.2
Bump k8s from 1.27.1 to 1.27.2

Change-Id: If171853f06d970a8bcfaa83098e407de9b4bc041
2023-06-02 15:28:33 -04:00
SPEARS, DUSTIN (ds443n) 7a4051c6a3 Revert chart version
reverting chart versions to previous value

Change-Id: Id1d06f81d997d704af1a0bdb3fd0d8c9e8746360
2023-05-17 15:39:24 -04:00
SPEARS, DUSTIN (ds443n) 1717ed84e5 k8s upgrade to 1.27.1
upgrades kubernetes client to v1.27.1
upgrade etcd to v3.5.6

Change-Id: Iaf287353425aa6263a81617890a2ca3c2f2e4281
2023-05-17 10:32:04 -04:00
SPEARS, DUSTIN (ds443n) 70dd0c8599 Remove deprecated controller-manager flag
Additionally update all images from k8s.gcr.io to registry.k8s.io

Change-Id: I0240ee0bf5d23d035126a81318f57b240f5af402
2023-04-18 15:02:30 -04:00
SPEARS, DUSTIN (ds443n) 5f62088d01 Adjusting daemonset anchor readiness check
To avoid pods cycling too quickly by checking if manifest
was created by daemonset and the component on the same host
is ready

Change-Id: I7f9b35e222ef5934fca71f30fdf9941caa60ccd7
2023-04-13 15:35:29 -04:00
SPEARS, DUSTIN (ds443n) 27a8b0d798 k8s upgrade to 1.26.0
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check

Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
2023-03-20 13:16:48 -04:00
Ruslan Aliev c10165c144 K8S upgrade 1.24
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Iaa0c5f57ac621f2b91f525da423db0acd9d8ea99
2022-09-14 19:34:02 -05:00
Ruslan Aliev e207bbe966 k8s upgrade to v1.23.7
Address changes and deprecations in Kubernetes v1.21=>v1.23

controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257

kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim

https: //github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https: //kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https: //github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
2022-06-29 00:21:45 -05:00
Phil Sphicas 0f9818eccc Use bitnami kubectl
Update the anchor pods to use a regularly patched and updated kubectl
image that contains the necessary components (bash, jq, curl, etc.) in
addition to kubectl: https://hub.docker.com/r/bitnami/kubectl

Change-Id: Ia3e75dc334c3c1a88abfec10fb0367447e79a538
2022-04-25 14:28:59 -07:00
francisy 3cac5cbde0 Promenade Enhancement
Update charts in Promenade to Kubernetes version 1.21

Change-Id: Iab6d10b384a8be3a4b4d2357a51b35ab93a797b0
2022-01-10 14:04:15 -05:00
Phil Sphicas 08906262fd Update tolerations and priority classes
* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
    priorityClassName: system-node-critical

Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
2021-10-18 11:33:54 -07:00
Sean Eagan 9d696ca0a4 Use helm 3 in chart build
`helm serve` is removed in helm 3 so this moves
to using local `file://` dependencies [0] instead.

[0]: https://helm.sh/docs/chart_best_practices/dependencies/#repository-urls

Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: Ia45c57e0cccac477f6ff59a254d03d6fcec14bef
2021-09-30 16:57:05 -05:00
Thirunavukkarasu Palani 7692b36fe9 Fix deprecated warning in Promenade controller-manager chart
Deprecated warning:
1. Flag --address has been deprecated, see --bind-address instead.
2. Flag --port has been deprecated, see --secure-port instead.

Change-Id: Ie93e95ab755dd338ac31914d1a50e61e351b907e
2021-07-14 04:15:41 +00:00
Phil Sphicas ae6782b452 Kubernetes: Uplift to v1.20.5
Uplift Kubernetes images and binaries from v1.19.7 to v1.20.5. No config
changes.

Change-Id: If2a8c9169c831a001205e8aa947df7fc00a1e658
2021-05-03 17:21:30 +00:00
Phil Sphicas 5bb58863b6 Uplift Kubernetes to v1.19.7
Change-Id: I2ac28e2383cb9c4d84d09c23c02a087db714803e
2021-02-11 17:23:32 +00:00
Phil Sphicas 5323ca2710 Deploy with standalone kubernetes images
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.

Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
2021-02-11 17:23:32 +00:00
Chris Wedgwood 630e504e3e Update to container image repo k8s.gcr.io
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.

Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
2021-01-11 17:42:31 +00:00
Phil Sphicas 946a28dc76 Use HostToContainer mountPropagation
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.

Affects the following resources:
* haproxy-anchor daemonset
* kubernetes-apiserver-anchor daemonset
* kubernetes-controller-manager-anchor daemonset
* kubernetes-scheduler-anchor daemonset

Change-Id: Ib7fb018c4c1916d00311a73f64f77a99b682d4c8
2021-01-08 01:05:04 +00:00
Chris Wedgwood 8c52be3dde Remove /hyperkube prefix
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.

Change-Id: Ie9281b07e3be0eedbe86be726f907f68461e23b2
2020-09-26 07:53:46 +00:00
Andrii Ostapenko 940253563a
Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: Ifd2d7af1f2dabe9bbccd65551e0223dddff529dc
2020-09-24 19:43:10 -05:00
Mahmoudi, Ahmad (am495p) c302a083a6 Upgrade k8s from v1.17.3 to v1.18.6
This ps makes following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
  - Updated all references to k8s images to 1.18.6
  - Updated command options and api object and versions based on
    k8s 1.18 release notes:
      https://kubernetes.io/docs/setup/release/notes/
  - Uplifted uwsgi to 2.0.19.1 to align with other airship
    components, and to bring in fixes and improvements.
  - Added build-essentials and python3-dev packages to pass the zull
    gate, which was looking for a c compiler.

Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
2020-08-19 15:56:45 +00:00
KHIYANI, RAHUL (rk0850) 880c6503c8 Add security context template for promenade charts
This changes adds security context template at pod level to
set run as user value

This also adds security context template at container level to
set readOnly-fs flag

Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
2020-07-22 05:24:50 +00:00
KHIYANI, RAHUL (rk0850) dfebe8f55f Add apparmor profile to promenade tpl files
Change-Id: I00d5c74e079f72f9837f8502dfa6ca805e2e0e04
2020-07-20 15:23:08 -05:00
Smruti Soumitra Khuntia da7c79f6b9 Upgrade Hyperkube version from 1.16.2 to 1.17.3
Changes to use to Hyperkube v1.17.3 instead  of
v1.16.2

Change-Id: I442694afad7f718dcd4db7fa7bb2c60beec8bdaa
2020-05-22 15:23:37 +00:00
Zuul 88434cbcb7 Merge "Promenade: Add Docker default AppArmor profile to controller_manager anchor" 2020-02-05 00:56:55 +00:00
KHIYANI, RAHUL (rk0850) 41c5bb8e23 Promenade: Add Docker default AppArmor profile to controller_manager anchor
Also added AppArmor to promenade genesis gates in order to test apparmor changes
to promenade charts

Change-Id: Ib393306dabf40ef9817072aaa9824c22e60626dc
2020-02-04 22:52:27 +00:00
Matt McEuen 1d0a4619b4 Add -u to anchor scripts
This adds "set -u" (in addition to the existing -x) to the anchor
scripts. This should fix an issue seen occasionally in the haproxy
chart which is only explainable by the IDENTIFIER variable failing
to get set correctly.

All variables used in the anchor scripts ought to be defined, and
there's no need to rely on blank strings as defaults.

"set -e" was considered for this, but may have unintended side-effects:
-u should be safe and avoid the issue we've seen.

Change-Id: Idbc2f9f77d4754874999d5d83d322a17076c7392
2020-02-03 14:00:12 -06:00
Samuel Pilla b77c6fe637 Upgrade Hyperkube version for k8s 1.16
Upgrade Hyperkube to v1.16.2

Change-Id: I3f17ac007e3704c1f4ae2f79e0c41704074c2010
2019-12-06 18:20:13 +00:00
Matt McEuen fcaacf94a3 Add -e to pre_stop hooks
This adds -e to the pre_stop scripts, so that they fail out if
any of their commands fail.  This is required, since it's the only
way to communicate whether there is an issue during pre_hook
execution.

"The logs for a Hook handler are not exposed in Pod events.
If a handler fails for some reason, it broadcasts an event."
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

As an example, this issue was discovered when "touch /tmp/stop"
was failing silently due to a readOnlyRootFilesystem setting,
resulting in pods that would not successfully Terminate until
the grace period was exhausted.

Change-Id: Ic9a228230d944530e31ed61f4239fd434cbb6187
2019-11-07 17:31:50 -06:00
Phil Sphicas a7c7282ba4 Fix: anchor pre-stop failures
kubernetes-controller-manager-anchor pods get stuck in Terminating state
because the pre-stop script tries to touch /tmp/stop, which is on a read
only root filesystem.

This change mounts an emptyDir at /tmp to resolve the issue.

The same change is applied to apiserver, etcd, and scheduler anchors, to
prevent the issue if readOnlyRootFilesystem is enabled.

Related change for haproxy:
https://review.opendev.org/685711/

Change-Id: I784498e0dc24da91a983716029973919b96a3055
2019-11-04 15:14:27 -08:00
Kumar, Nishant (nk613n) b49805ae82 Chart changes to support k8s v1.16
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A seperate change would be done to uplift
kubernetes to 1.16.

Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953

- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-priveleged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.

Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
2019-10-25 13:59:22 +00:00
Luna Das 7f63537f8a Add facility to configure log levels in kubernetes-components
Change-Id: Ib7c481b71818c6673cd0b9c47d282d4a3f42d307
2019-08-14 13:33:21 +05:30
Kumar, Nishant(nk613n) 75d3a86234 Add release uuid annotation to POD spec
Change-Id: Id4a96de7da9233589b54217e04a346281eaea68c
2019-06-25 14:55:05 +00:00
Kumar, Nishant(nk613n) b80746d07a [FIX] set correct key for Controller manager DS upgrade
This change puts in the correct key for Daemonset upgrades to
be controlled by the configuration done in `values.yaml`.

Change-Id: Ic04597cc46d9ce1aac14823191ccc245ac7f9810
2019-06-05 02:21:38 -04:00
Matt McEuen 46b6437e72 Make static manifest cleanup configurable
By design, the anchor pods clean up after their static pods
(and associated secrets/configs) via a hook when they the anchor
pods are stopped, to make sure that cruft is not left lying around
(or running) when an anchor pod is no longer scheduled to a host.

However, it's been observed that on a host under high load, e.g.
if one or two other control plane hosts are down, then the anchor
pods may be stopped in an unplanned manner.  This results in
service unavailability for the anchored static manifest pods.

This change makes that cleanup behavior configurable (following the
pattern already implemented in the haproxy chart) but leaves it on by
by default.

Change-Id: Iab14510ef8ea5b9e400e0f744231811117029887
2019-06-12 11:16:38 -05:00
RAHUL KHIYANI 34aca639f0 controller_manager: Add pod/container security context
This updates the controller_manager chart to include the pod
security context on the pod template

This also adds the container security context to set
readOnlyRootFilesystem to true

Change-Id: Icee324ef7ddbd230c7c99f4dc284e2866d9acf1a
2019-05-07 22:06:47 +00:00
Sean Eagan 2e2a30515c Use apps/v1 k8s controllers and add labels
Daemonset update strategy defaults to OnDelete in v1beta1, whereas
it defaults to RollingUpdate in v1, which seems prefereable.

This also adds helm-toolkit based labels at the controller level
to match standard usage such as for example by armada as wait labels.

This change has been tested using the promenade resiliency gate.

Change-Id: I9fd1bc4caedc0a6717b779e5333640ca8dc78b7e
2019-04-23 09:24:53 -05:00
Matt McEuen e4cab73d0f Update to Kubernetes 1.11.6
This change updates the following components in the Promenade charts,
docs, and example bootstrap configuration:
  Kubernetes 1.10.11 -> 1.11.6
  CoreDNS 1.1.2 -> 1.1.3 (per k8s 1.11 recommendations)
  Etcd 3.2.14 -> 3.2.18 (per k8s 1.11 recommendations)
  Tiller 2.10.0 -> 2.12.1 (per Helm k8s support)

This change has been tested by the Promenade resiliency gate.

Change-Id: Ia70de212dd2d50c6638578b92c750a4d5c791229
2019-02-05 17:29:59 -06:00
Mark Burnett cdd1a6bd28 Update Kubernetes to 1.10.11
Change-Id: If1479f7a5d0a8ea459eed39172a0bc1f89935e36
2018-12-18 11:32:28 -06:00
Zuul 422d22ff9c Merge "Add release uuid to pods and rc objects (prom)" 2018-11-06 19:18:34 +00:00
Michael Beaver 8b45a36419 Secure host file permissions
* added in missing recursive flag to the chmod command used to remove
extraneous permissions from CURATED_DIRS
* added commands to change permissions for manifests and configurations
that are copied to the host

Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d
2018-10-19 13:50:18 -05:00
Matt McEuen eae60aba15 Add release uuid to pods and rc objects (prom)
This PS adds the ability to attach a release uuid to pods and rc
objects as desired.  This can be used, for example, to force an
artificial manifest change in CICD scenarios, for upgradability
testing purposes.

Change-Id: I8d0ffac306258f940c63799e86e7e26b5c2c5add
2018-10-16 12:43:32 -05:00
Mark Burnett d7c7a47c61 Improve security of default and example configurations
* Enabled the NodeRestriction Admission Controller.
* Configured the default terminated-pod-gc-threshold in the
  controller-manager.
* Disable repair-malformed-updates.
* Disable anonymous-auth in the Kubelet.
* Further restrict permissions for contents of /etc/kubernetes and
  /var/lib/etcd.

Change-Id: I112652a5aa7bde054de253234f65755d90ab65ad
2018-09-26 11:49:15 -05:00
Mark Burnett ea4c9b73e4 Remove unused image references
Change-Id: I152ccc1d8b10bdad89bff1f3cabc471ffd8d0734
2018-07-23 11:17:41 -05:00
hosingh000 131718aef8 Upgrade the version of kubernetes-entrypoint for UCP helm charts
Change-Id: I8196917509373b4753ab0714089fb2c41ec90eeb
2018-07-10 11:51:57 -05:00