Commit Graph

26 Commits

Author SHA1 Message Date
Ruslan Aliev 6d90e785ff Change permissions to 0600 of kubelet.service.
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Id4ec3c301f4e0ed54168389ea23afc5b3043a6ff
2023-12-11 20:02:27 +00:00
Ruslan Aliev 16debd8174 Remove allow-downgrade and dist-upgrades parts from up.sh
These changes were not needed and have negative impact on
the node deployment process.

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I134a2acdf831f1c1e2f475a09b2f1d4a85cf68bf
2023-06-08 18:57:29 -05:00
Wahlstedt, Walter (ww229g) 8ce937a9f7 updates for focal
add focal dockerfile
update zuul jobs for focal
update tox for tox4 changes
update all requirements to latest and match deckhand
update cfssl from R1.2 to v1.6.3
fixed local gates for focal
updated examples promenade manifests to run on focal

Change-Id: I2af4043784766d36588c6f738053ad66e7b89a90
2023-02-27 12:11:07 -05:00
Phil Sphicas bc14e9bbb9 Ensure /etc/etcd and /var/log/kubernetes exist
Create additional directories on the host, ensuring that they exist with
the appropriate permissions:
- /etc/etcd
- /var/log/kubernetes

Change-Id: I0b7bed19b849037cfcc812453731460563270278
2021-08-14 21:11:58 +00:00
Phil Sphicas e2324e7db8 Remove remaining hyperkube references
This change eliminates all remaining references to hyperkube, as it is
no longer supported.

Change-Id: Id0a4c142b1dc76561f7d2c18fb76edfc5a60267a
2021-02-11 17:23:32 +00:00
Ahmad Mahmoudi 9f42b502f7 Updated resiliency gate
Updated resiliency gate script to consistently pass all gate stages,
using ubuntu bionic image for node deployment.

- Updated developer-onbording.rst with information on how to configure
  and run the resiliency gate behind corporate proxy.
- Updated the gate scripts to use the proxy configuration.
- Updated up.sh to pull the hyperkube image as cache, to speed up and
  stabilize the initial kubelet deployment of kubernetes cluster services.
- Updated and added sleeps and retries in some of gate stages and
  scripts to avoid gate failures due to transient environment issues.
- Updated the ubuntu base image for node deployments from xenial to
  bionic base image.
- Added code in treadown-nodes stage to manually remove the etcd
  members: kubernetes and calico, since they still remain listed as
  etcd members on genesis node, even after genesis is torn down.

Change-Id: Ia11d66ab30ac7a07626d4f1d02a6da48155f862d
2020-07-21 22:45:23 +00:00
Chris Wedgwood 81a941a055 add the ability to mask systemd units
Change-Id: I4f2a1ed3f5b2d4491784bef9b6e4c9b2f3896396
2020-02-03 14:28:05 -06:00
Anderson, Craig (ca846m) 704e818eda Fix systemd-resolved race conditions
1. systemd-resolved should be removed/disabled before the symlink is
2. `domain` is redundant with the FQDN and replaced by `search`
3. correct resolv.conf EOL formatting issue

Change-Id: If7f8037c0623d9b1eb43171f09e492985a66b351
2020-01-25 10:15:04 -08:00
Yasin, Siraj (SY495P) ff0a7ccabb [apt-retry] - Added logic to retry apt update
When there is a failure to fetch any of the apt urls, it skips and
continues, due to which apt install fails in the next step.
So added retry if apt fetch fails before proceeding to apt install.

Change-Id: I658024481b1be98d280cb1c9c4c2fb733a0d5697
2020-01-09 16:17:45 +00:00
Phil Sphicas 1a1c69c064 Fix: genesis.sh and join.sh rendering fix
Fixes a rendering issue with the previous HostSystem schema change when
common packages are omitted.

https://review.opendev.org/#/c/699162/

Change-Id: I629c652be1575351c8b33b141467f2839badc112
2019-12-18 08:39:23 -08:00
Phil Sphicas 04ddbcd2a4 promenade/HostSystem/v1 schema cleanup
When the genesis and join package source definitions were split, the
.common, .genesis, and .join subkeys were inserted directly under
.properties.packages instead of .properties.packages.properties,
causing anything under packages to erroneously pass.

This change implements the intended validation, allowing packages to be
defined either under .packages.common, or .packages.genesis and
.packages.join. The expectation is that the genesis node will end up
with the union of what is defined under genesis and common. Required
packages (a runtime and socat) need to be defined in at least one of
those locations. Similarly, join nodes will have the union of join
packages and common packages.

Change-Id: I4a658eef6efbba53ba04b2d8b4ea4711ca0b1ab0
2019-12-16 20:36:10 -08:00
Ahmad Mahmoudi d5afa2030c Disable systemd-resolved
- Disable systemd-resolved service to test using static
  /etc/resolv.conf instead.
- Updated up.sh to install socat package only if it is
  defined for the specific role.

Change-Id: Ibbc874aec2585a32694e7b843f4c790d38bbb3dd
2019-12-04 02:54:12 -06:00
Egorov, Stanislav 66cb4d2367 containerd support
Introduced new name for the field to define package that has files
which will be used as runtime for UCP containers.

Prepared set of yaml files as an example of containerd usage.

Prepared zuul job to use containerd in simple deployment.

Change-Id: Ifc82a505d064c4f13efccfd92ffc336a510220bf
2019-11-20 16:31:30 -08:00
Scott Hussey b037267203 (promenade) Support genesis on 18.04
- Cleanup the genesis.sh template to support Ubuntu Bionic

Change-Id: I33d4731bbadfc3ec54b43606184a40d7597e9831
2019-10-01 03:28:28 -05:00
Scott Hussey 2770351e43 Configurable genesis package install timeout
- Allow the timeout for package install during genesis.sh
  to be configurable via env var.

- Group apt update/apt install into a single timeout block
  and increase the default from 20m to 30m

Change-Id: Ic0f55e43e0ac714a6b46579b93995bc02af1df8b
2019-08-25 16:07:11 -05:00
Alexander Noskov 1a85f548fd Add shell autocompletion for kubectl
Change-Id: I14af0930cec24f9d2e826a6946b29c0891a2c4c3
2019-08-07 14:55:54 -05:00
Drew Walters 8748348b96 templates: separate genesis and join sources
Currently, the package, repository, and key lists are used by up.sh for
genesis and join. This is not desirable when using an in-cluster
mirroring service, as the service address may change after it has been
deployed.

This commit separates the sources for genesis and join to circumvent the
aforementioned pain point. A 'common' entry in the
'promenade/HostSystem/v1' document can be used if a common source for
genesis and join is desired.

Co-authored-by: Rick Bartra <rb560u@att.com>
Change-Id: Ieb2513da0cff587297cfcbf5629d908696349621
2019-05-24 17:32:55 -04:00
Scott Hussey c13fc33d85 Support systemd unit management during node join
- Support systemctl enable/start/stop/disable commands during join.sh
  or genesis.sh

Change-Id: I28046afbc55fc1d1af4575778f614f928f0e91c9
2018-12-14 15:06:38 -06:00
Michael Beaver 8b45a36419 Secure host file permissions
* added in missing recursive flag to the chmod command used to remove
extraneous permissions from CURATED_DIRS
* added commands to change permissions for manifests and configurations
that are copied to the host

Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d
2018-10-19 13:50:18 -05:00
Mark Burnett d7c7a47c61 Improve security of default and example configurations
* Enabled the NodeRestriction Admission Controller.
* Configured the default terminated-pod-gc-threshold in the
  controller-manager.
* Disable repair-malformed-updates.
* Disable anonymous-auth in the Kubelet.
* Further restrict permissions for contents of /etc/kubernetes and
  /var/lib/etcd.

Change-Id: I112652a5aa7bde054de253234f65755d90ab65ad
2018-09-26 11:49:15 -05:00
Mark Burnett 8bc8c7c028 Implement encryption for genesis/join scripts
This introduces a new document called `EncryptionPolicy` to configure
this behavior.  It currently only supports using symmetric encryption
with `GPG`, but that should be available on all Ubuntu systems (which is
what we currently support) and should also be fairly reliable.

Change-Id: I06d4faa119b736773df0d8cbf0e7a23fd98edcdf
Depends-On: https://review.openstack.org/#/c/602175/
2018-09-14 11:32:12 -05:00
Mark Burnett 5746d849d2 Change permissions on /etc/kubernetes
Change-Id: I3233555fba8dd00608e44bfe76ce64c4ddcde4a6
2018-04-13 13:05:28 -05:00
Mark Burnett 8bb62520a3 Avoid apt race condition
This race can arise when cloud-init is still running when the join runs.

Change-Id: I01b22132081e20050dc7b74556f74f82576e8c1e
2017-11-20 11:08:09 -06:00
Mark Burnett 8de837bfbd Retry APT commands during genesis/join
This avoids issues when, e.g. cloud-init is still installing packages
when the join script executes.

Change-Id: Iba637426480b140013c5ff441b978677f15b6709
2017-11-16 14:25:45 -05:00
Mark Burnett 95643147c5 Migrate to self hosted using charts
This change includes several interconnected features:

* Migration to Deckhand-based configuration.  This is integrated here,
  because new configuration data were needed, so it would have been
  wasted effort to either implement it in the old format or to update
  the old configuration data to Deckhand format.
* Failing faster with stronger validation.  Migration to Deckhand
  configuration was a good opportunity to add schema validation, which
  is a requirement in the near term anyway.  Additionally, rendering
  all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
  different commands.  Combined with Deckhand substitution, this creates
  a much clearer distinction between Promenade configuration and
  deployable secrets.
* Migration of components to charts.  This is a key step that will
  enable support for dynamic node management.  Additionally, this paves
  the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive.  Many of the templates
  require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.

Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c
2017-10-17 13:29:46 -05:00
Mark Burnett 4757f2f762 render "join" script into config map 2017-07-03 14:33:37 -05:00