Since after v3.5.6 etcd-io switched to a
distroless base image. Etcd anchor pods
are now using etcd-utility and etcd is
running a sidecar for health checks.
Change-Id: I198dca1209097de4d60a53a7568f0c4790679599
This PS adds a possibility to limit (to throttle) the number of
simultaneously uploaded backups while keeping the logic on the client
side using flag files on remote side.
Change-Id: I753faab8f3d934346d54e38bfc94cec3a8f79385
This PS adds staggered backups possibility by adding anti-affinity rules
to backups cronjobs that can be followed across several namespaces to
decrease load on remote backup destination server making sure that at
every moment in time there is only one backup upload is in progress.
Change-Id: I320c6ce6370b45c602114189819a4225e479f680
This PS updates python modules and code to match Airflow 2.6.2:
- bionic py36 gates were removed
- python code corrected to match new modules versions
- selection of python modules versions was perfoemed based on
airflow-2.6.2 constraints
Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
To avoid pods cycling too quickly by checking if manifest
was created by daemonset and the component on the same host
is ready
Change-Id: I7f9b35e222ef5934fca71f30fdf9941caa60ccd7
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check
Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
add focal dockerfile
update zuul jobs for focal
update tox for tox4 changes
update all requirements to latest and match deckhand
update cfssl from R1.2 to v1.6.3
fixed local gates for focal
updated examples promenade manifests to run on focal
Change-Id: I2af4043784766d36588c6f738053ad66e7b89a90
Updating etcd chart with added backup validation function empty implementation(subject for future realization). This has to be done because helm-toolkit chart in openstack-helm-infra is now calling that function verify_databases_backup_archives() as part of backup_databases() function implementation:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/853027
Changed apiVersion of etcd cronjob from batch/v1beta to batch/v1 and fixed securityContext for etcd_backup.
Also bumping up HTK version to 0.2.48 from a commit id obtained from merge of https://review.opendev.org/c/openstack/openstack-helm-infra/+/853027 and set proper commit id in this file: tools/helm_tk.sh
Change-Id: Ie047dd0e6a2aae6483ace89cad22d6720890cdfc
Address changes and deprecations in Kubernetes v1.21=>v1.23
controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257
kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim
https: //github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https: //kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https: //github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
Update the anchor pods to use a regularly patched and updated kubectl
image that contains the necessary components (bash, jq, curl, etc.) in
addition to kubectl: https://hub.docker.com/r/bitnami/kubectl
Change-Id: Ia3e75dc334c3c1a88abfec10fb0367447e79a538
Removing set -x from within the dump_databases_to_directory function.
The set -x from within the function is causing all the code that
follows the function call to have debug tracing on. This in turns
causing multiple identical logs for the same event. Looking at this
function, there should be enough logging to aid debugging.
Reference ps: https://review.opendev.org/c/openstack/openstack-helm-infra/+/830533
(commit 2fc1ce4a142e605a9fc6c90dceabbf7c4bfb81e3)
Change-Id: Id442972bbcca983afab7c4f3c29f3686e9e0b481
Pick up the helm-toolkit DB backup enhancement in etcd
to add capability to retry uploading backup to remote server.
Change-Id: If6ea347a4c2c55f14f35d95681aaf482d0a6103c
1) Uplift helm-toolkit to include db-backup-restore error log string
prefixes for the generation of alert
https://review.opendev.org/c/openstack/openstack-helm-infra/+/823867
2) Error log string prefixes are added to etcd backup-restore as well
Change-Id: Iad51a3e55567d0861140a97c17a1b7d859e13938
Update applicable charts to use non-deprecated APIs [0], specifically
addressing the following resource types:
* ClusterRole
* ClusterRoleBinding
* Role
* Rolebinding
The APIs being migrated to are available in v1.19 or earlier. As of this
change, v1.19 is the oldest supported Kubernetes version, slated for EOL
on 2021-10-28. [1]
0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
1: https://kubernetes.io/releases/
Change-Id: I134b201d9ae01a8d74e34ee14f3bfe3b960cb5aa
* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
priorityClassName: system-node-critical
Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
To avoid cycling the pods in the anchor daemonset too quickly, only
consider a kubernetes-apiserver-anchor pod ready if:
- it created the static manifest kubernetes-apiserver.yaml
- the kubernetes-apiserver pod on the same host is ready
Change-Id: I53dd1c044332946eeb965f07ae828910f00b04c6
This change corrects two rendering issues in the kube-apiserver anchor
script. The details and impact are mentioned below.
1. The kube-apiserver anchor script fails to clean up some files from
the host, because the path is incomplete. For example, the cleanup()
function of the script includes:
rm -f "/host/acconfig.yaml"
instead of
rm -f "/host/etc/kubernetes/apiserver/acconfig.yaml"
2. A recent change to allow fileless command options [0] caused some
extraneous lines to end up in the script. For example, the rendered
script includes:
snapshot_files() {
cp "/tmp/etc/" "${SNAPSHOT_DIR}/etc/kubernetes/apiserver/"
}
compare_copy_files() {
SRC="${SNAPSHOT_DIR}/etc/kubernetes/apiserver/"
DEST="/host/etc/kubernetes/apiserver/"
if [ ! -e "${DEST}" ] || ! cmp -s "${SRC}" "${DEST}"; then
mkdir -p $(dirname "${DEST}")
cp "${SRC}" "${DEST}"
chmod go-rwx "${DEST}"
fi
}
cleanup() {
rm -f "/host/"
}
Since the 'cp' and 'rm' commands don't include '-r', this is actually
non-impacting, other than some log messages.
0: https://review.opendev.org/c/airship/promenade/+/788092
Change-Id: Id0a47727d56268d13ebb4718b8578d94272c2181
Deprecated warning:
1. Flag --address has been deprecated, see --bind-address instead.
2. Flag --port has been deprecated, see --secure-port instead.
Change-Id: Ie93e95ab755dd338ac31914d1a50e61e351b907e
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
and will be removed in v1.24.
Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
Flags in kube-proxy other than --config, --write-config-to,
and --cleanup are deprecated.
Added configmap to remove deprecated warning
Change-Id: I325e3a459b1079c6d1902bf06a43e00021231716
Add a hash of the dynamic-config configmap to the annotations of the apiserver-webhook pod metadata, so that a chart upgrade will trigger a pod restart if the configmap contents change
Change-Id: I9c01b71b128e2bc6a5a07e5aa7ba826a4ffa237e
The Corefile in values.yaml has been unchanged since before CoreDNS
version 1.1.3, but the specified image version is 1.6.4.
This change aligns the Corefile with the CoreDNS version, as generated
by the Corefile migration tool [0]:
corefile-tool migrate --from 1.1.3 --to 1.6.4
0: https://github.com/coredns/corefile-migration/tree/master/corefile-tool
Change-Id: I8912737bf219e43e1b8e477109a76d38085014f2
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file
This change ensures that the flags are set, and that the required keys
are in the right places.
Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408