Commit Graph

214 Commits

Author SHA1 Message Date
Ruslan Aliev a58678d5d2 Add configurable ETCD parameters to aux cluster
Bump k8s, calico, etcd, coredns and helm.

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I77373c223c6ea723ee31fe51e6fb4a9e84be03f7
2024-04-18 13:22:17 -05:00
Ruslan Aliev b154334a20 Adjust kubectl get command for armada charts
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Ic830568efb7589b46282ad3fd9293e4358929468
2024-02-08 21:03:58 -06:00
SPEARS, DUSTIN (ds443n) 7ce7301476 Update ETCD to v3.5.11
Since after v3.5.6 etcd-io switched to a
distroless base image. Etcd anchor pods
are now using etcd-utility and etcd is
running a sidecar for health checks.

Change-Id: I198dca1209097de4d60a53a7568f0c4790679599
2024-02-08 10:35:33 -05:00
Ruslan Aliev 910b06e4ba Add complete support for operator-based bootstrap
* operator logs are now streaming to pipeline and to pod
* printing status of armada chart objects
* adjust armada container cmd parameters to support both
  golang and python based images

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I6d8629a48c1b862db937ddc3cd68792220388b19
2024-01-10 10:27:07 -06:00
Ruslan Aliev 2dda3c505c Enable configurable support of armada apply operator mode
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Ie5e582aa7b4a64a4fa3f3fabb8d65ded76e14340
2024-01-05 11:07:12 -06:00
Ruslan Aliev 6d90e785ff Change permissions to 0600 of kubelet.service.
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Id4ec3c301f4e0ed54168389ea23afc5b3043a6ff
2023-12-11 20:02:27 +00:00
Ruslan Aliev 29405cec00 Add configurable support for armada-operator
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I22cf48839ccfd62a6ed293080fd8b90a2f31a5f9
2023-11-20 17:18:15 -06:00
Sergiy Markin 69a74590e7 Airflow stable 2.6.2
This PS updates python modules and code to match Airflow 2.6.2:

- bionic py36 gates were removed
- python code corrected to match new modules versions
- selection of python modules versions was performed based on
  airflow-2.6.2 constraints

Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
2023-08-29 21:12:11 +00:00
Ruslan Aliev 16debd8174 Remove allow-downgrade and dist-upgrades parts from up.sh
These changes were not needed and have negative impact on
the node deployment process.

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I134a2acdf831f1c1e2f475a09b2f1d4a85cf68bf
2023-06-08 18:57:29 -05:00
az7961 b549359b9c Make sure kubernetes starts after containerd
Change-Id: If1627c29b5760bce029fc6e0458900bde2919bde
2023-04-18 11:46:09 -05:00
Wahlstedt, Walter (ww229g) 8ce937a9f7 updates for focal
add focal dockerfile
update zuul jobs for focal
update tox for tox4 changes
update all requirements to latest and match deckhand
update cfssl from R1.2 to v1.6.3
fixed local gates for focal
updated examples promenade manifests to run on focal

Change-Id: I2af4043784766d36588c6f738053ad66e7b89a90
2023-02-27 12:11:07 -05:00
Mosher, Jaymes (jm616v) 7da16b3c0b Fix haproxy.cfg template
Fix small typo in previous patch:
https://review.opendev.org/c/airship/promenade/+/854466

The extra trailing newline was removed when I added the comment.

Change-Id: I45bd68ff09f0e099ca7a0c10eb8e26671bc315bf
2022-08-31 13:58:43 -06:00
Mosher, Jaymes (jm616v) 95a668541c Ensure haproxy.cfg ends with newline
Versions of Haproxy >=2.3 require the config file to end in a newline
or they'll exit with an error.

Change-Id: I9301ea679536b10ee5ad0d87d42c1655e5852616
2022-08-25 12:02:04 -06:00
Ruslan Aliev e207bbe966 k8s upgrade to v1.23.7
Address changes and deprecations in Kubernetes v1.21=>v1.23

controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257

kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
2022-06-29 00:21:45 -05:00
Phil Sphicas 363ceca069 Fix typo in Helm wrapper script
The previous update to the Helm wrapper script [0] was incorrect.

0: https://review.opendev.org/c/airship/promenade/+/833640
Change-Id: I14aa996357af9c7ca81dc68fc9fc06fe9461ce4f
2022-03-21 08:32:39 -07:00
Phil Sphicas 79cb856fab Update Helm wrapper script
Small updates to incorporate shellcheck recommendations.

Change-Id: I450706b404735f07eef8cf605303363030db16b3
2022-03-14 07:54:26 -07:00
Phil Sphicas bc24599267 Use same helm wrapper script for all nodes
The helm wrapper script should be the same for genesis and non-genesis
nodes. The one previously used by join nodes is removed.

Change-Id: I212127f258b9eba4fce776cb690060dc413061ca
2022-02-01 18:18:35 -08:00
Phil Sphicas 08906262fd Update tolerations and priority classes
* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
    priorityClassName: system-node-critical

Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
2021-10-18 11:33:54 -07:00
Phil Sphicas e43b6f0128 Remove log-test pod if validation succeeds
The validation function validate_kubectl_logs, which may be executed as
part of genesis or cluster join, creates a log-test pod and checks that
the 'kubectl logs' output is correct.

These completed pods don't really need to live in the cluster beyond the
initial deployment.

This change deletes the log-test pod if the validation is successful.

Change-Id: I6ae9c55f960ea70335d1fd79380c7119dc11a5e2
2021-10-18 10:03:12 -07:00
Sean Eagan 53d0ecb7f9 Remove Tiller
Depends-On: https://review.opendev.org/c/airship/armada/+/812047
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: Ic1eddda3639d629a94bb39f93bf48da54445469f
2021-10-06 13:16:34 +00:00
Sean Eagan 1017536b9f Move to helm 3 CLI in cluster
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I3c385547d30796aecb67aaa6482da34765052c47
2021-10-01 12:23:12 -05:00
Phil Sphicas bc14e9bbb9 Ensure /etc/etcd and /var/log/kubernetes exist
Create additional directories on the host, ensuring that they exist with
the appropriate permissions:
- /etc/etcd
- /var/log/kubernetes

Change-Id: I0b7bed19b849037cfcc812453731460563270278
2021-08-14 21:11:58 +00:00
Thirunavukkarasu Palani 5f964eced5 Kubelet warning fix
Warning: For remote container runtime,
--pod-infra-container-image is ignored in kubelet,
which should be set in that remote runtime instead

Change-Id: Iec2df4873857c0d74a267810ef215f246102c2f4
2021-07-27 18:58:46 +00:00
Thirunavukkarasu Palani 7692b36fe9 Fix deprecated warning in Promenade controller-manager chart
Deprecated warning:
1. Flag --address has been deprecated, see --bind-address instead.
2. Flag --port has been deprecated, see --secure-port instead.

Change-Id: Ie93e95ab755dd338ac31914d1a50e61e351b907e
2021-07-14 04:15:41 +00:00
ubuntu 183b977754 Fix deprecated warning in Promenade apiserver chart
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
   Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
   and will be removed in v1.24.

Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
2021-06-29 16:14:17 +00:00
Phil Sphicas 9533be32a1 Add required apiserver serviceaccount flags
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file

This change ensures that the flags are set, and that the required keys
are in the right places.

Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
2021-04-30 22:45:43 +00:00
Phil Sphicas fd9f3d6cec Stop using kube-apiserver insecure-port
The tiller container in the armada bootstrap pod relies on the insecure
port that kube-apiserver once listened on by default. The kube-apiserver
ability to serve on an insecure port, deprecated since v1.10, has been
removed in v1.20. [0]

This change updates the armada bootstrap pod to use the secure port
instead.

0: https://github.com/kubernetes/kubernetes/pull/95856

Change-Id: I6a37fa4e7f97c7aaa3cd0f61b56214483a7dc217
2021-04-21 21:52:29 +00:00
Phil Sphicas e2324e7db8 Remove remaining hyperkube references
This change eliminates all remaining references to hyperkube, as it is
no longer supported.

Change-Id: Id0a4c142b1dc76561f7d2c18fb76edfc5a60267a
2021-02-11 17:23:32 +00:00
Phil Sphicas d603386d49 Remove additional /hyperkube reference
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.

Related earlier change: https://review.opendev.org/#/c/754487/

Change-Id: I23918669bae4d9b7d41140b2c26d3176c45665ee
2020-09-29 23:27:27 +00:00
Mahmoudi, Ahmad (am495p) c302a083a6 Upgrade k8s from v1.17.3 to v1.18.6
This ps makes following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
  - Updated all references to k8s images to 1.18.6
  - Updated command options and api object and versions based on
    k8s 1.18 release notes:
      https://kubernetes.io/docs/setup/release/notes/
  - Uplifted uwsgi to 2.0.19.1 to align with other airship
    components, and to bring in fixes and improvements.
  - Added build-essentials and python3-dev packages to pass the zuul
    gate, which was looking for a c compiler.

Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
2020-08-19 15:56:45 +00:00
Ahmad Mahmoudi 9f42b502f7 Updated resiliency gate
Updated resiliency gate script to consistently pass all gate stages,
using ubuntu bionic image for node deployment.

- Updated developer-onbording.rst with information on how to configure
  and run the resiliency gate behind corporate proxy.
- Updated the gate scripts to use the proxy configuration.
- Updated up.sh to pull the hyperkube image as cache, to speed up and
  stabilize the initial kubelet deployment of kubernetes cluster services.
- Updated and added sleeps and retries in some of gate stages and
  scripts to avoid gate failures due to transient environment issues.
- Updated the ubuntu base image for node deployments from xenial to
  bionic base image.
- Added code in treadown-nodes stage to manually remove the etcd
  members: kubernetes and calico, since they still remain listed as
  etcd members on genesis node, even after genesis is torn down.

Change-Id: Ia11d66ab30ac7a07626d4f1d02a6da48155f862d
2020-07-21 22:45:23 +00:00
John Lawrence 64fdac754a Enable NTP protocol access
Allow the Prometheus node exporter to access the NTP
metrics.

Change-Id: I623a84effc61cf496b5c524ddb2fabed8066a89a
2020-04-27 16:57:47 +00:00
Chris Wedgwood 81a941a055 add the ability to mask systemd units
Change-Id: I4f2a1ed3f5b2d4491784bef9b6e4c9b2f3896396
2020-02-03 14:28:05 -06:00
Chris Wedgwood 6db4c70e9e [genesis] avoid restarting kubelet in cleanup
The cleanup process runs concurrently with pods that are actively
using kubernetes endpoints.  In kubelet restart the endpoints are
often recreated breaking networking.

For now avoid the final restart.

Change-Id: I852721caa853315c6550e253cd3813ae49f00a4a
2020-01-30 18:22:11 -06:00
Chris Wedgwood b65930f205 Prevent creation of kubernetes service endpoint by bootstrap apiserver
If the kubernetes apiserver (in the bootstrap Armada pod) runs with the
reconciler enabled, the kubernetes endpoint can be created with an
invalid port which will not be corrected later.

Change-Id: I6d5fb86c6c4ffded9f42bda6e2ffbf2fbc13806f
2020-01-28 14:02:28 -06:00
Anderson, Craig (ca846m) 704e818eda Fix systemd-resolved race conditions
1. systemd-resolved should be removed/disabled before the symlink is
2. `domain` is redundant with the FQDN and replaced by `search`
3. correct resolv.conf EOL formatting issue

Change-Id: If7f8037c0623d9b1eb43171f09e492985a66b351
2020-01-25 10:15:04 -08:00
Zuul 59d6ac7636 Merge "Remove kubelet restart from join.sh"
2020-01-14 16:37:03 +00:00
Matt McEuen 153882b153 Remove kubelet restart from join.sh
The kubelet restart at the end of the join script appears
to be unnecessary, since the only action taken by the script
between that and the previous kubelet start is node labelling
(which doesn't require a kubelet restart).

In addition, the timing of this restart may be triggering
a kubernetes state synchronization bug, where a pod's status
isn't updated to reflect the readiness of all of its containers.

Change-Id: I480d1b345e5ddcce0cac961ff9c2b76526c5b76f
2020-01-14 08:32:09 -06:00
Yasin, Siraj (SY495P) ff0a7ccabb [apt-retry] - Added logic to retry apt update
When there is failure to fetch any of the apt urls, it skips and
continues. Due to which apt install fails in next step.
So added retry if apt fetch fails before proceeding to apt install.

Change-Id: I658024481b1be98d280cb1c9c4c2fb733a0d5697
2020-01-09 16:17:45 +00:00
Phil Sphicas 1a1c69c064 Fix: genesis.sh and join.sh rendering fix
Fixes a rendering issue with the previous HostSystem schema change when
common packages are omitted.

https://review.opendev.org/#/c/699162/

Change-Id: I629c652be1575351c8b33b141467f2839badc112
2019-12-18 08:39:23 -08:00
Phil Sphicas 04ddbcd2a4 promenade/HostSystem/v1 schema cleanup
When the genesis and join package source definitions were split, the
.common, .genesis, and .join subkeys were inserted directly under
.properties.packages (instead of .properties.packages.properties),
causing anything under packages to erroneously pass.

This change implements the intended validation, allowing packages to be
defined either under .packages.common, or .packages.genesis and
.packages.join. The expectation is that the genesis node will end up
with the union of what is defined under genesis and common. Required
packages (a runtime and socat) need to be defined in at least one of
those locations. Similarly, join nodes will have the union of join
packages and common packages.

Change-Id: I4a658eef6efbba53ba04b2d8b4ea4711ca0b1ab0
2019-12-16 20:36:10 -08:00
Ahmad Mahmoudi f5ad002690 Ubuntu 18.04, configure chrony
Added ntp server configuration to be used by chrony as the recommended
ntp service for ubuntu 18.04.
Since chrony is not installed by default in ubuntu 18.04, also added
chrony apt package to be installed on airship nodes.

Change-Id: If1437a79cf89806043f62e2eac49c3b4b5eae2cd
2019-12-11 15:02:24 -06:00
Ahmad Mahmoudi d5afa2030c Disable systemd-resolved
- Disable systemd-resolved service to test using static
  /etc/resolv.conf instead.
- Updated up.sh to install socat package only if it is
  defined for the specific role.

Change-Id: Ibbc874aec2585a32694e7b843f4c790d38bbb3dd
2019-12-04 02:54:12 -06:00
Doug Aaser 7e7d334794 Update coredns and etcd in containerd gate
This patchset updates coredns, calico, and etcd in the containerd gate
to bring it up to date with the promenade genesis gate.
It also adds the ability to set a proxy in the containerd daemon

Change-Id: I581b27206512a4b6d8ec3a3d4212946ca3265308
2019-12-02 16:53:49 +00:00
Egorov, Stanislav 66cb4d2367 containerd support
Introduced new name for the field to define package that has files
which will be used as runtime for UCP containers.

Prepared set of yaml files as an example of containerd usage.

Prepared zuul job to use containerd in simple deployment.

Change-Id: Ifc82a505d064c4f13efccfd92ffc336a510220bf
2019-11-20 16:31:30 -08:00
Sean Eagan 0b0edfd599 Dynamic kubelet config support
This adds support for dynamic kubelet config [0]. An
actual implementation of dynamically updating the kubelet
config will be added at a later time to take advantage of this.

[0]: https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/

Change-Id: I2c136cb5b69c9c51086d7c8d8fd6608008998323
2019-11-01 14:14:42 -05:00
Doug Aaser fd1ff8444d Migrate config to KubeletConfiguration
This patchset changes the way that kubelet receives its configuration
parameters so that we can enable [dynamic kubelet configuration][1] down
the line. Starting in Kubernetes v1.11 the configuration of some
parameters has been moved from command line arguments to a static
[configuration file][2].

[1] https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
[2] https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/

Change-Id: Id406ae81fcf44ed0319513e5befc37fd4cff30e5
2019-10-30 18:22:20 +00:00
Kumar, Nishant (nk613n) b49805ae82 Chart changes to support k8s v1.16
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A separate change would be done to uplift
kubernetes to 1.16.

Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953

- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-privileged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.

Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
2019-10-25 13:59:22 +00:00
Scott Hussey b037267203 (promenade) Support genesis on 18.04
- Cleanup the genesis.sh template to support Ubuntu Bionic

Change-Id: I33d4731bbadfc3ec54b43606184a40d7597e9831
2019-10-01 03:28:28 -05:00
Sean Eagan e5c65f8cd9 Add configuration for tiller storage
This adds a parameter to the genesis schema
to configure the tiller storage [0] type. For backward
compatibility, by default the parameter is not passed
to tiller, thus relying on the upstream default, which
is 'configmap'.

[0]: https://helm.sh/docs/using_helm/#tiller-s-release-information

Change-Id: I045f8b57f695385b1a502a8f13f61a58d400784e
2019-09-23 14:43:45 -05:00