Since after v3.5.6 etcd-io switched to a
distroless base image. Etcd anchor pods
are now using etcd-utility and etcd is
running a sidecar for health checks.
Change-Id: I198dca1209097de4d60a53a7568f0c4790679599
This PS updates python modules and code to match Airflow 2.6.2:
- bionic py36 gates were removed
- python code corrected to match new modules versions
- selection of python modules versions was perfoemed based on
airflow-2.6.2 constraints
Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check
Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
Address changes and deprecations in Kubernetes v1.21=>v1.23
controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257
kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim
https: //github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https: //kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https: //github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
Uplifting tiller image to ghcr.io/helm/tiller:v2.17.0 since
v2.16.1 is not available anymore
Update the helm installation script to download and install v2.17.0
Change-Id: I92a7fe096a32377e155a298dc258bc2f4b93a2c1
Update example manifests to use latest bionic based armada and deckhand images to fix the zuul gates.
Change-Id: Ic70b7269a73a3b34608442ee71620358fa8785c2
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.
Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.
Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
This ps makes following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
- Updated all references to k8s images to 1.18.6
- Updated command options and api object and versions based on
k8s 1.18 release notes:
https://kubernetes.io/docs/setup/release/notes/
- Uplifted uwsgi to 2.0.19.1 to align with other airship
components, and to bring in fixes and improvements.
- Added build-essentials and python3-dev packages to pass the zull
gate, which was looking for a c compiler.
Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
This adds a parameter to the genesis schema
to configure the tiller storage [0] type. For backward
compatibility, by default the parameter is not passed
to tiller, thus relying on the upstream default, which
is 'configmap'.
[0]: https://helm.sh/docs/using_helm/#tiller-s-release-information
Change-Id: I045f8b57f695385b1a502a8f13f61a58d400784e
To be able to run with the nobody user, an init container
is used in the haproxy-anchor pod to change the ownership and
permissions of '/host/etc/promenade/haproxy'. Security conext
was included in 'etc/kubernetes/manifests/haproxy.yaml' and
'promenade/schemas/Genesis.yaml' schema was updated to included
run_as_user property for haproxy pod.
Change-Id: Id248face0be43c417284ceb781997634a9c4dd5e
Those components are now publishing `master-ubuntu_xenial` rather
thans `master` tags, so promenade was using out of date versions.
Change-Id: Ic2a2634fe8a4c051984236d04a90e6dd203cdd2b
- Currently the auxiliary etcd instances remove themselves
after a single non-genesis member joins the cluster. This
leaves the cluster susceptible to non-recoverable disruption
until a 3rd member joins. This change makes the auxiliary control
script wait for a configurable number of non-auxiliary members to
join before removing the auxiliary members.
Change-Id: Ib4968b533e8433e3c40a845d086c7078e807c3e2
This version fixes manifest validation [0], so a couple invalid
manifests are fixed in this patchset as well.
[0]: 32d7f1a3fc
Change-Id: I0cbdf21cf016271bef2d8a541687ce3ab28081ce
Adds an optional external_ip parameter to the prom join script API,
and to the Genesis and KubernetesNode schema.
This is used to populate the host's IP address in its /etc/hosts
file if present, according to normal hosts conventions.
If the value is not passed to prom-join or is absent from a
Genesis or KubernetesNode document, then the hosts file defaults
to the current loopback IP for the hostname (business as usual).
Change-Id: I58dc219923b18aaf9c83453b896ce509664d8766
This change updates the following components in the Promenade charts,
docs, and example bootstrap configuration:
Kubernetes 1.10.11 -> 1.11.6
CoreDNS 1.1.2 -> 1.1.3 (per k8s 1.11 recommendations)
Etcd 3.2.14 -> 3.2.18 (per k8s 1.11 recommendations)
Tiller 2.10.0 -> 2.12.1 (per Helm k8s support)
This change has been tested by the Promenade resiliency gate.
Change-Id: Ia70de212dd2d50c6638578b92c750a4d5c791229
This change accomplishes 2 primary things:
1. It generalizes work to enable the EventRateLimit admission plugin.
2. It restructures the anchor so that during an upgrade an "old" anchor
does not try to coordinate the injection of "new" data from
configmaps/secrets.
It also includes these ancillary changes:
* Clean up apiserver argument specification in the chart.
* De-duplicate and realign apiserver arguments in bootstrapping templates.
It has the side effects of:
* Adding a new field, ".apiserver.arguments" to the Genesis config,
which will be the preferred way to configure bootstrapping apiservers
going forward (in lieu of command_prefix).
Change-Id: I33cfe80ee8e29cd79e479a7985e3c098a2288fda
This avoids leaving zombies in cases where the processes don't reap
children.
Also fixes a certificate issue with the resiliency gate.
Change-Id: I8a795557b0d60338c40b360c947b81a20fd48877
Add the EventRateLimit admission controller, to allow operators to
define rate limits for the k8s API server at the server, namespace,
or user account level.
This also
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, incl examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting
This PS adds EventRateLimits to the bootstrap and anchor API
servers; future work will need to add it to the Keystone
Webhook API server.
Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
* Enabled the NodeRestriction Admission Controller.
* Configured the default terminated-pod-gc-threshold in the
controller-manager.
* Disable repair-malformed-updates.
* Disable anonymous-auth in the Kubelet.
* Further restrict permissions for contents of /etc/kubernetes and
/var/lib/etcd.
Change-Id: I112652a5aa7bde054de253234f65755d90ab65ad
This also makes a corresponding update to the Makefile to address a bug
with which $(HELM) is being used that was exposed during local testing.
Change-Id: I08da45c1f232960c58ab482053befed83da6fdd6
Ruslan Aliev