The extraction of the monolithic hyperkube binary from its container
image to be used as kubelet was last relevant in Kubernetes 1.16. Since
then, the hyperkube image has been deprecated, the structure of the
image has been changed, and it has ultimately been eliminated in
Kubernetes 1.19.
This change cleans up promenade accordingly.
Reverts the following commits:
* 886007b New CLI option to extract hyperkube
* 32a6c15 hyperkube image in promenade init
* 955deed New source for hyperkube binary definition
Change-Id: Ib62ecdf1af13abe8202a4ba4f86c39b9042ed13f
When pip is upgraded to 20.3, the pip dependency resolver is much more
strict and will no longer install a combination of packages that is mutually
inconsistent[0].
These changes account for the fact that Shipyard imports Armada, Drydock,
Promenade, and Deckhand. Having said that, with pip 20.3, the pip
packages amongst those projects cannot conflict. A follow-up change may
be needed if more conflicts are found.
Change-Id: Ie6effbdae759158e19b0b0adb2bdac0396eab047
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A seperate change would be done to uplift
kubernetes to 1.16.
Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953
- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-priveleged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.
Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
New option --extract-hyperkube to declare the way how hyperkube
will be delivered.
By default this option is disabled which means hyperkube should be
extracted before running promenade container for the first time.
When it's enabled the appropriate env vars should be set for
promenade container to be able to extract hyperkube binary from image.
Change-Id: I2c45100e1e953d859d768ec80f268bd490ce3a81
Now it's possible to use hyperkube Docker image to extract hyperkube binary.
Use case for this feature is kubelet/kubectl delivery in one binary(hyperkube)
which is built into Docker image. Promenade will extract hyperkube from Docker image,
create symlinks for kubelet/kubectl pointed to hyperkube. To do so promenade container
need to be configured to use Docker on the host where this container will be created.
This is happening only for script generation for genesis node. Later when promenade
will be started as a service pod inside ucp cluster it will generate scripts for joining nodes
by using cached hyperkube from /tmp.
Old way to delivery kubelet from tarball is still supported.
Configuration for the new method.
Need to export environment variables to properly configure Docker in Docker.
Docker socket should be provided as a mounted file inside promenade.
Also need to set temporary permissions for this socket during the build scripts stage.
Example:
DOCKER_SOCK="/var/run/docker.sock"
sudo chmod o+rw $DOCKER_SOCK
export DOCKER_HOST="unix:/${DOCKER_SOCK}"
export PROMENADE_TMP="abs_path_tmp_dir_on_host"
export PROMENADE_TMP_LOCAL="tmp_dir_inside_container"
After genesis scripts generation Docker socket permission should be turned back:
sudo chmod o-rw $DOCKER_SOCK
Change-Id: Ida22ea934fc551fec34df162d8147c8b9e630330
Adds functionality to read context marker and end-user
from request headers and log that information where
available, to aid in tracing transactions that span
multiple Airship components.
Change-Id: I31c26b269ef6db9ebf44eb381eb6745ce40fc4ea
This change accomplishes 2 primary things:
1. It generalizes work to enable the EventRateLimit admission plugin.
2. It restructures the anchor so that during an upgrade an "old" anchor
does not try to coordinate the injection of "new" data from
configmaps/secrets.
It also includes these ancillary changes:
* Clean up apiserver argument specification in the chart.
* De-duplicate and realign apiserver arguments in bootstrapping templates.
It has the side effects of:
* Adding a new field, ".apiserver.arguments" to the Genesis config,
which will be the preferred way to configure bootstrapping apiservers
going forward (in lieu of command_prefix).
Change-Id: I33cfe80ee8e29cd79e479a7985e3c098a2288fda
This was removed in Iccf6228ab9e6d621d3047994b3adc192d67273c9 but should
not have been as it has allowed for code format drift.
This also
* Pins the version of yapf to 0.24.0
* Fixes some drift
* Updates formatting to the version of yapf being used
Change-Id: Ie3d9fd6344a29d8ddb76a36d4a31d001a4c8b7c6
- This addresses a bug where Promenade doesn't detect some invalid
configurations during genesis script generation.
- Refactor some validation checks for performance
Change-Id: I8b39caaab04819a935b83eb544979eac333fe409
- Support defaults that evaluate to non-true by making the
conditional look for `None` specifically
Change-Id: Ia912f409e29031a70beb7ec2d5e51b76843de319
- During the genesis or join operation when /etc/hosts and
/etc/resolv.conf are controlled by Promeande, we need to
support including a domain name. This can be configured
by YAML definition or by the join-script API. To support
backward compatability use a default of 'local' when no
domain is specified.
Testing: `./tools/gate.sh resiliency` has passed locally
Change-Id: Ia0d300912d3ec25eb7f1cb9c580eaa40b5b4addb
This provides more robustness in testing and removes a nosec.
Additionally, commit 5a8b1d8 introduced a random failure in the
resiliency gate, due to there being a chance to choose the intentionally
downed node for the join ip.
Change-Id: I77b410b8e51f9d41eca2be4f5f770694140733b4
This patch set removes substitution_sources kwarg from the
Deckhand layering call as it is deprecated [0] because
all concrete documents will simply be used by default as the
substitution source documents.
[0] 1583b78902/deckhand/engine/layering.py (L480)
Change-Id: I934c8d5e7f2fa2a84dcdba592bd515f889337f79
* Detect and re-use existing Certs/Keys
* Negative functional test for join with missing cert
* Positive functional test to generate cert after initial construction
* Extract some promenade test code into tools/g2/lib/promenade.sh
* Add timestamps to tar'd up files
Change-Id: Ib717785fc2c8f6cd1db1970ecdf1f5184ed40e92
This avoids possible issues when the configuration of the bootstrapping
apiserver differs from the chart's configuration. Issues were
specifically seen when overriding the node port range, but this opens up
additional configuration also.
Change-Id: I2a3fc5847e850c8055c099bac50782debbbabbf4
This behavior can be disabled with the `leave_kubectl` query parameter
to the `join-scripts` endpoint.
Change-Id: Ia2d9d11f2e900aed0b69394de6ba30442921d5a0
This PS resolves a recent issue with Deckhand in which missing
substitution sources cause Promenade to fail during genesis,
while using Deckhand to render documents. The fix involves
introducing a new flag called fail_on_missing_sub_src which
if False logs a warning rather than raises an exception
in the event that a substitution source document is missing.
Also adds better exception handling and logging around
Deckhand.
Example error:
Traceback (most recent call last):
File "/usr/local/bin/promenade", line 10, in <module>
sys.exit(promenade())
File "/usr/local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/opt/promenade/promenade/cli.py", line 55, in genereate_certs
debug=debug, streams=config_files, substitute=True, validate=False)
File "/opt/promenade/promenade/config.py", line 49, in from_streams
return cls(documents=documents, **kwargs)
File "/opt/promenade/promenade/config.py", line 29, in __init__
documents = [dict(d) for d in deckhand_eng.render()]
File "/usr/local/lib/python3.6/site-packages/deckhand/engine/layering.py", line 485, in render
self.secrets_substitution.substitute_all(doc))
File "/usr/local/lib/python3.6/site-packages/deckhand/engine/secrets_manager.py", line 182, in substitute_all
document_name=document.name)
Depends-On: https://review.gerrithub.io/#/c/400880/
Change-Id: I4486535d4555ece54eb4d47bfb56472250f97ab4
This PS removes some dead config substitution code from Promenade's
config.py module. This code became dead in the following PS:
https://review.gerrithub.io/#/c/394615/ which migrated over to
Deckhand-based substitution, causing Promenade's former substitution
code to no longer be used anywhere.
Change-Id: Ic96e522557101310db289712068db9528fd040d6
Use the Deckhand engine module directly to manage local configuration
files during CLI usage.
Note: not doing document validation as DH currently requires schemas to
be sourced from the database. Simple schema validation in place.
- Layering/substitution
- Schema validation based on DataSchema documents in payload
- Add deckhand to requirements
A few tooling updates
- concatenate test & schema yaml files into a single file to avoid name
conflicts
- make nginx directory in build-scripts stage
Change-Id: I2d56244f01c58052f14331bc09fd5843d4c95292
* Add ability to fetch design from Deckhand
* Add functional testing for Deckhand design_ref integration
* Update complete example to work with changes to Ceph chart
Change-Id: Ice25a27b340e68a8ab38a23021cd91e032ca537b
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Dechkand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c
* remove old files
* sketch of non-bootkube genesis
* add basic chroot/bootstrap script
* cleanup kubectl/kubelet fetching
* fix cni bin asset path
* add non-pod asset loader
* add example ca
* refactor key gen/distribution
* flannel up on genesis
* refactor some code toward join
* WIP: last commit working on "self-hosted, helm-managed"
* first pass at consolidating config for vanilla deploy
* refactor cli a bit
* use provided cluster ca
* separate genesis and join scripts
* add basic etcd joining
* actually run the proxy everywhere
* update readme
* enable kubelet service
* add pki most places
* use consistent sa keypair
* use quay.io/attcomdev/promenade
* fix typo in n3
* tls everywhere in kubernetes
* tls for etcd
* remove currently unused files
Sergiy Markin