add focal dockerfile
update zuul jobs for focal
update tox for tox4 changes
update all requirements to latest and match deckhand
update cfssl from R1.2 to v1.6.3
fixed local gates for focal
updated examples promenade manifests to run on focal
Change-Id: I2af4043784766d36588c6f738053ad66e7b89a90
The extraction of the monolithic hyperkube binary from its container
image to be used as kubelet was last relevant in Kubernetes 1.16. Since
then, the hyperkube image has been deprecated, the structure of the
image has been changed, and it has ultimately been eliminated in
Kubernetes 1.19.
This change cleans up promenade accordingly.
Reverts the following commits:
* 886007b New CLI option to extract hyperkube
* 32a6c15 hyperkube image in promenade init
* 955deed New source for hyperkube binary definition
Change-Id: Ib62ecdf1af13abe8202a4ba4f86c39b9042ed13f
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.
Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
This patchset makes the following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
- Updated all references to k8s images to 1.18.6
- Updated command options and api object and versions based on
k8s 1.18 release notes:
https://kubernetes.io/docs/setup/release/notes/
- Uplifted uwsgi to 2.0.19.1 to align with other airship
components, and to bring in fixes and improvements.
- Added build-essential and python3-dev packages to pass the zuul
gate, which was looking for a c compiler.
Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
Updated resiliency gate script to consistently pass all gate stages,
using ubuntu bionic image for node deployment.
- Updated developer-onbording.rst with information on how to configure
and run the resiliency gate behind a corporate proxy.
- Updated the gate scripts to use the proxy configuration.
- Updated up.sh to pull the hyperkube image as cache, to speed up and
stabilize the initial kubelet deployment of kubernetes cluster services.
- Updated and added sleeps and retries in some of the gate stages and
scripts to avoid gate failures due to transient environment issues.
- Updated the ubuntu base image for node deployments from xenial to
bionic base image.
- Added code in teardown-nodes stage to manually remove the etcd
members: kubernetes and calico, since they still remain listed as
etcd members on genesis node, even after genesis is torn down.
Change-Id: Ia11d66ab30ac7a07626d4f1d02a6da48155f862d
The current Promenade image is vulnerable to several CVEs:
CVE-2019-3462
CVE-2018-16865
CVE-2018-16864
which Ubuntu 16.04/18.04 addresses.
This patchset makes the following changes:
1. Adds new distro specific dockerfiles for xenial/bionic.
2. Updates gates to be specific about the ubuntu image being
checked.
3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic.
4. Updates build-image.sh docker build for specific dockerfile
specified in config.sh (IMAGE_PROMENADE_DISTRO).
Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398
This adds a lightweight, three-node cluster configuration for the
gate.sh test harness, leveraging the "basic" manifest set.
This is handy for quickly setting up a full cluster for development
or validation purposes.
Change-Id: Ie36e3a5d32776c316d9a0752b53f9755dd8e09f0
Introduced a new name for the field that defines the package whose files
will be used as the runtime for UCP containers.
Prepared a set of yaml files as an example of containerd usage.
Prepared a zuul job to use containerd in a simple deployment.
Change-Id: Ifc82a505d064c4f13efccfd92ffc336a510220bf
New option --extract-hyperkube to declare how hyperkube
will be delivered.
By default this option is disabled, which means hyperkube should be
extracted before running the promenade container for the first time.
When it is enabled, the appropriate env vars should be set for the
promenade container to be able to extract the hyperkube binary from the image.
Change-Id: I2c45100e1e953d859d768ec80f268bd490ce3a81
Now it's possible to use the hyperkube Docker image to extract the hyperkube binary.
The use case for this feature is kubelet/kubectl delivery in one binary (hyperkube)
which is built into a Docker image. Promenade will extract hyperkube from the Docker image
and create symlinks for kubelet/kubectl pointing to hyperkube. To do so, the promenade container
needs to be configured to use Docker on the host where this container will be created.
This happens only for script generation for the genesis node. Later, when promenade
is started as a service pod inside the ucp cluster, it will generate scripts for joining nodes
by using the cached hyperkube from /tmp.
The old way of delivering kubelet from a tarball is still supported.
Configuration for the new method:
Environment variables need to be exported to properly configure Docker in Docker.
The Docker socket should be provided as a mounted file inside promenade.
Temporary permissions also need to be set on this socket during the build scripts stage.
Example:
DOCKER_SOCK="/var/run/docker.sock"
sudo chmod o+rw $DOCKER_SOCK
export DOCKER_HOST="unix://${DOCKER_SOCK}"
export PROMENADE_TMP="abs_path_tmp_dir_on_host"
export PROMENADE_TMP_LOCAL="tmp_dir_inside_container"
After genesis script generation the Docker socket permission should be turned back:
sudo chmod o-rw $DOCKER_SOCK
Change-Id: Ida22ea934fc551fec34df162d8147c8b9e630330
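The commit above grants o+rw on the Docker socket for the duration of genesis script generation and reverts it afterwards by hand. The following wrapper, added here as an example and not part of the Promenade commit, performs the same grant/revert around an arbitrary command but restores the socket's original mode even when the command fails. It assumes a Linux host with GNU stat (the `-c '%a'` format) and takes the socket path and the command as parameters; the socket is whatever file path is passed in, so the test below uses a constructed temporary file rather than a real Docker socket.

```shell
#!/bin/sh
# Added example, not Promenade code: run a command with the Docker socket
# temporarily opened to "other" read/write, then restore the original mode.

# file_mode PATH: print the octal permission bits of PATH (GNU stat assumed).
file_mode() {
    stat -c '%a' "$1"
}

# with_docker_sock_open SOCKET_PATH COMMAND [ARGS...]
# 1. record the socket's current mode
# 2. chmod o+rw and point DOCKER_HOST at the socket
# 3. run COMMAND, capturing its exit status without aborting under set -e
# 4. restore the recorded mode and return COMMAND's status
with_docker_sock_open() {
    sock="$1"; shift
    orig_mode=$(file_mode "$sock")
    chmod o+rw "$sock"
    # unix:// followed by the absolute socket path (three slashes in total)
    export DOCKER_HOST="unix://${sock}"
    rc=0
    "$@" || rc=$?
    chmod "$orig_mode" "$sock"
    return "$rc"
}

# Usage (socket path is an assumption; the command is a placeholder):
#   with_docker_sock_open /var/run/docker.sock ./generate-genesis-scripts.sh
```

Because the restore runs after the command regardless of its exit status, a failed script generation no longer leaves the socket world-writable; the wrapper still propagates the failure so the surrounding gate stage can react to it.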
Daemonset update strategy defaults to OnDelete in v1beta1, whereas
it defaults to RollingUpdate in v1, which seems preferable.
This also adds helm-toolkit based labels at the controller level
to match standard usage such as for example by armada as wait labels.
This change has been tested using the promenade resiliency gate.
Change-Id: I9fd1bc4caedc0a6717b779e5333640ca8dc78b7e
Adds an optional external_ip parameter to the prom join script API,
and to the Genesis and KubernetesNode schema.
This is used to populate the host's IP address in its /etc/hosts
file if present, according to normal hosts conventions.
If the value is not passed to prom-join or is absent from a
Genesis or KubernetesNode document, then the hosts file defaults
to the current loopback IP for the hostname (business as usual).
Change-Id: I58dc219923b18aaf9c83453b896ce509664d8766
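As an added illustration of the hosts-file behaviour described in the commit above (example code, not Promenade's own implementation): the function below maps the node's hostname to external_ip when one is given and otherwise to the loopback address, and applies that mapping to a hosts file by replacing any existing line for the hostname rather than appending a duplicate. The loopback address 127.0.1.1 is the usual Ubuntu convention for a host's own name and is an assumption here; the file path is a parameter so the test runs against a constructed temporary file instead of /etc/hosts.

```shell
#!/bin/sh
# Added example, not Promenade code: choose and apply the /etc/hosts entry
# for a node's hostname, with external_ip optional.

# hosts_address HOSTNAME [EXTERNAL_IP]
# Prints EXTERNAL_IP if given, else the loopback alias for the hostname
# (127.0.1.1 is assumed, matching the Ubuntu convention).
hosts_address() {
    hostname="$1"; external_ip="${2:-}"
    if [ -n "$external_ip" ]; then
        printf '%s\n' "$external_ip"
    else
        printf '%s\n' "127.0.1.1"
    fi
}

# update_hosts_file FILE HOSTNAME [EXTERNAL_IP]
# Removes every non-comment line in FILE whose name fields contain HOSTNAME,
# then appends "ADDRESS HOSTNAME". Other entries are left untouched.
update_hosts_file() {
    file="$1"; hostname="$2"; external_ip="${3:-}"
    addr=$(hosts_address "$hostname" "$external_ip")
    tmp=$(mktemp)
    awk -v h="$hostname" '
        /^[[:space:]]*#/ { print; next }           # keep comments as-is
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0 }
        keep                                        # print lines not naming h
    ' "$file" > "$tmp"
    printf '%s %s\n' "$addr" "$hostname" >> "$tmp"
    mv "$tmp" "$file"
}

# Usage (hostname and address are constructed sample values):
#   update_hosts_file /etc/hosts node1 10.0.0.5   # external_ip supplied
#   update_hosts_file /etc/hosts node1            # falls back to loopback
```

Replacing the existing line matters for re-runs of the join script: without it, a node that is joined, torn down and joined again with a different external_ip would accumulate stale entries, and resolver behaviour would then depend on line order.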
16.04 on 16.04 VMs will crash (illegal instruction in
raid6_avx21_gen_syndrome) on boot if the host has AVX2 and we pass
that through.
The issue seems to be the guest kernel sees presence of AVX2 so raid6
module makes use of it - though it's not enabled (different bits).
Until this is resolved in the host hypervisor (kvm) and/or guest
kernel, mask out AVX2 to prevent crashes in L1/L2 VMs.
Change-Id: I0ca8edb8f62f9f2e96aa5e265bac631c346d0eac
This introduces a new document called `EncryptionPolicy` to configure
this behavior. It currently only supports using symmetric encryption
with `GPG`, but that should be available on all Ubuntu systems (which is
what we currently support) and should also be fairly reliable.
Change-Id: I06d4faa119b736773df0d8cbf0e7a23fd98edcdf
Depends-On: https://review.openstack.org/#/c/602175/
The image used to test kubectl logs in the validation scripts was
hard-coded and is now configurable.
This also makes the power-up-node.sh gate script more robust by making
it wait for the node to be ready.
Change-Id: I531ca8477ac3575dd4249ab5e991881af290fa52
In the resiliency gate:
* Enable the --endpoint-reconciler-type=least option for the apiserver.
* Extract etcd validation into its own stages.
* Test joining a node while one control plane node is down.
Change-Id: Id89b0816e91ab6427c5e2f4833ad4ec4e1e3d133
Depends-On: I2150d40e917567a4072a1565c1b96089f3d6fd2b
* Updates version references
* Increase memory of test VMs due to higher usage with bump
* Move etcd chart scripts from /tmp to /tmp/bin
* Remove certificate signing options for controller manager
* Remove -a from `kubectl get pods`, since that is deprecated in 1.10
* Shorten liveness/readiness probe times for CoreDNS
Change-Id: I16db0370f1c619e16002dd58e29025eb1538691f
* Detect and re-use existing Certs/Keys
* Negative functional test for join with missing cert
* Positive functional test to generate cert after initial construction
* Extract some promenade test code into tools/g2/lib/promenade.sh
* Add timestamps to tar'd up files
Change-Id: Ib717785fc2c8f6cd1db1970ecdf1f5184ed40e92
This adds stability to etcd and enables cleaner waiting by tiller during
deployment of the Kubernetes apiserver and etcd.
* Adds second auxiliary etcd process.
* Enables "sequenced" for remaining ChartGroups.
* Removes unused disks from test VMs.
* Adds readiness and liveness probes for kubernetes components
Change-Id: I6f83bb912f76b0ec35503723b417ba45d69e39c5
This behavior can be disabled with the `leave_kubectl` query parameter
to the `join-scripts` endpoint.
Change-Id: Ia2d9d11f2e900aed0b69394de6ba30442921d5a0
- Remove apt conf for proxy, rely on environment
- Update schema to correctly support no_proxy
- Update build-image stage to support a proxy
Change-Id: Ie07a72ad35fde57596af88f838c8c1836b1e8510
- Replaced the logged token in the test script with a md5sum.
The md5sum can be used for comparison but will not be the token.
Change-Id: I8a8f0751f032413590648ad57fb0b0563b167c78
- During genesis there was a race condition on the genesis node leaving
and other nodes joining.
- Updated etcd anchor to update the config when a host is not healthy.
fixes #54
Change-Id: I0ba2c831c73cc3136ee635e7d0c0efcc8b009858
Adds policy enforcement to validatedesign and adds testing for
validatedesign endpoint. Also fixes error when raising
ValidationException.
Change-Id: Ie48fc49a05f7890866d2dd3480c4d6333ef3a087
This removes the reliance on coredns for APIserver discovery, allowing
a simpler configuration that is compatible with coredns 1.0.x
Change-Id: Ia3b7b5627c16ec47af6b0d6d5e8dee2674e9b1ee