Commit Graph

25 Commits

Author SHA1 Message Date
Ruslan Aliev 910b06e4ba Add complete support for operator-based bootstrap
* operator logs are now streaming to the pipeline and to the pod
* printing status of armada chart objects
* adjust armada container cmd parameters to support both
  golang and python based images

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I6d8629a48c1b862db937ddc3cd68792220388b19
2024-01-10 10:27:07 -06:00
Ruslan Aliev 2dda3c505c Enable configurable support of armada apply operator mode
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Ie5e582aa7b4a64a4fa3f3fabb8d65ded76e14340
2024-01-05 11:07:12 -06:00
Ruslan Aliev 29405cec00 Add configurable support for armada-operator
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I22cf48839ccfd62a6ed293080fd8b90a2f31a5f9
2023-11-20 17:18:15 -06:00
Sean Eagan 53d0ecb7f9 Remove Tiller
Depends-On: https://review.opendev.org/c/airship/armada/+/812047
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: Ic1eddda3639d629a94bb39f93bf48da54445469f
2021-10-06 13:16:34 +00:00
ubuntu 183b977754 Fix deprecation warning in Promenade apiserver chart
Removed PersistentVolumeLabel from apiserver to fix the warnings below.
Deprecation warnings:
1. PersistentVolumeLabel admission controller is deprecated.
   Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
   and will be removed in v1.24.

Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
2021-06-29 16:14:17 +00:00
Phil Sphicas fd9f3d6cec Stop using kube-apiserver insecure-port
The tiller container in the armada bootstrap pod relies on the insecure
port that kube-apiserver once listened on by default. The kube-apiserver
ability to serve on an insecure port, deprecated since v1.10, has been
removed in v1.20. [0]

This change updates the armada bootstrap pod to use the secure port
instead.

0: https://github.com/kubernetes/kubernetes/pull/95856

Change-Id: I6a37fa4e7f97c7aaa3cd0f61b56214483a7dc217
2021-04-21 21:52:29 +00:00
Chris Wedgwood b65930f205 Prevent creation of kubernetes service endpoint by bootstrap apiserver
If the kubernetes apiserver (in the bootstrap Armada pod) runs with the
reconciler enabled, the kubernetes endpoint can be created with an
invalid port which will not be corrected later.

Change-Id: I6d5fb86c6c4ffded9f42bda6e2ffbf2fbc13806f
2020-01-28 14:02:28 -06:00
Sean Eagan e5c65f8cd9 Add configuration for tiller storage
This adds a parameter to the genesis schema
to configure the tiller storage [0] type. For backward
compatibility, by default the parameter is not passed
to tiller, thus relying on the upstream default, which
is 'configmap'.

[0]: https://helm.sh/docs/using_helm/#tiller-s-release-information

Change-Id: I045f8b57f695385b1a502a8f13f61a58d400784e
2019-09-23 14:43:45 -05:00
Sean Eagan 4168418719 Armada metric output for genesis
This change has passed the Promenade resiliency gate.

Armada recently added support for generating metric output [0] [1].
This adds support for capturing this output during genesis Armada runs
and storing it in a configurable path on the genesis node, so that it
can later be consumed, for example, by the node exporter textfile
collector [2]. The number of Armada attempts to collect metrics for
is also configurable.

[0]: https://airship-armada.readthedocs.io/en/latest/operations/metrics.html#exporting
[1]: https://review.opendev.org/#/c/668980/
[2]: https://github.com/prometheus/node_exporter#textfile-collector

Change-Id: Ifd5b9d351204541595b1aadf1f06b16ab54308b0
2019-09-11 11:43:26 -05:00
Sean Eagan 7517d3161c Fix potential port conflict
This change has been tested by the promenade resiliency gate.

This adds configuration for which ports to use for the tiller container
in the bootstrap-armada pod, and changes the defaults to be outside of
`net.ipv4.ip_local_port_range`, since the apiserver container in this pod
dynamically selects ports in that range to connect to etcd, which can
cause conflicts. See [0] for an example.

By default, since we're no longer using the standard tiller ports, this
does mean that we cannot connect to this tiller instance (before it's
replaced by the chart-based instance) via the helm CLI until it supports
overriding the tiller port to connect to; however, this should be
relatively soon [1].

[0]: https://github.com/helm/helm/issues/4886
[1]: https://github.com/helm/helm/pull/5590

Change-Id: Ief11411f079db27489e6974c028f6b7a16bb67bf
2019-08-05 15:52:39 -05:00
Egorov, Stanislav (se6518) 955deeda41 New source for hyperkube binary definition
Now it's possible to use the hyperkube Docker image to extract the hyperkube binary.
The use case for this feature is kubelet/kubectl delivery in one binary (hyperkube)
which is built into a Docker image. Promenade will extract hyperkube from the Docker image
and create symlinks for kubelet/kubectl pointing to hyperkube. To do so, the promenade container
needs to be configured to use Docker on the host where this container will be created.
This happens only for script generation for the genesis node. Later, when promenade
is started as a service pod inside the ucp cluster, it will generate scripts for joining nodes
by using the cached hyperkube from /tmp.

The old way of delivering kubelet from a tarball is still supported.

Configuration for the new method:

Environment variables need to be exported to properly configure Docker in Docker.
The Docker socket should be provided as a mounted file inside promenade.
Temporary permissions also need to be set for this socket during the build scripts stage.

Example:
DOCKER_SOCK="/var/run/docker.sock"
sudo chmod o+rw $DOCKER_SOCK
export DOCKER_HOST="unix:/${DOCKER_SOCK}"
export PROMENADE_TMP="abs_path_tmp_dir_on_host"
export PROMENADE_TMP_LOCAL="tmp_dir_inside_container"

After genesis script generation, the Docker socket permissions should be turned back:
sudo chmod o-rw $DOCKER_SOCK

Change-Id: Ida22ea934fc551fec34df162d8147c8b9e630330
2019-06-06 10:30:29 -07:00
Scott Hussey 885a32a0c7 (bootstrap) Turn down tiller verbosity
- The pod running tiller during bootstrap had verbosity 99
  making the tiller logs almost unusable. Turn this down.

Change-Id: I6a93d7948e7db96ee95894d685a410aa0b82500a
2019-01-23 15:42:55 -06:00
Mark Burnett 04da7585ff Refactor API server
This change accomplishes 2 primary things:
1. It generalizes work to enable the EventRateLimit admission plugin.
2. It restructures the anchor so that during an upgrade an "old" anchor
   does not try to coordinate the injection of "new" data from
   configmaps/secrets.

It also includes these ancillary changes:
* Clean up apiserver argument specification in the chart.
* De-duplicate and realign apiserver arguments in bootstrapping templates.

It has the side effects of:
* Adding a new field, ".apiserver.arguments" to the Genesis config,
  which will be the preferred way to configure bootstrapping apiservers
  going forward (in lieu of command_prefix).

Change-Id: I33cfe80ee8e29cd79e479a7985e3c098a2288fda
2019-01-10 16:31:50 -06:00
Michael Beaver cc4eb17aa5 Change static pod template to run as root user
Change-Id: Ie04a52bec37633ebbd2b1f9e252740575cc80de1
2018-12-15 12:03:21 -06:00
Matt McEuen 178193be84 Add EventRateLimit admission controller
Add the EventRateLimit admission controller, to allow operators to
define rate limits for the k8s API server at the server, namespace,
or user account level.

This also
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, including examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting

This PS adds EventRateLimits to the bootstrap and anchor API
servers; future work will need to add it to the Keystone
Webhook API server.

Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
2018-10-27 15:35:43 -05:00
anthony.lin 6e81ed7b40 Update Labels - Application/Component
1) Kubernetes Template (Bootstrap)
2) Other charts within Promenade Repo

Change-Id: I872802112587bdff84d3630a5b2542dc4b3f77f8
2018-05-30 22:56:15 +08:00
Aaron Sheffield 6fa106fe2a Disable anonymous-auth
- Turn off anonymous-auth.
- Reworked haproxy helm test and updated test images.
- Reworked kubernetes-apiserver readiness and liveness tests.

Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
2018-05-08 14:57:24 -05:00
Mark Burnett 8bbb84af97 Add a second auxiliary etcd server for bootstrap
This adds stability to etcd and enables cleaner waiting by tiller during
deployment of the Kubernetes apiserver and etcd.

* Adds second auxiliary etcd process.
* Enables "sequenced" for remaining ChartGroups.
* Removes unused disks from test VMs.
* Add readiness and liveness probes for kubernetes components

Change-Id: I6f83bb912f76b0ec35503723b417ba45d69e39c5
2018-04-27 13:31:39 -05:00
Mark Burnett 4f975a8cd8 Allow configuration of bootstrap API server
This avoids possible issues when the configuration of the bootstrapping
apiserver differs from the chart's configuration. Issues were
specifically seen when overriding the node port range, but this opens up
additional configuration also.

Change-Id: I2a3fc5847e850c8055c099bac50782debbbabbf4
2018-04-27 14:37:57 +00:00
Aaron Sheffield 2885218d35 Add Helm test for HAProxy
- Added a helm test to test HAProxy's health via kubernetes healthz endpoint.

Change-Id: I0ffba39d4e4245fad69c27f0fcafdcb58fdc9067
2018-04-19 12:16:27 -04:00
Mark Burnett 8c468b359b Add ability to specify target-manifest for Armada
Change-Id: Ica00512062fb19ae395544c254de517fe0161e12
2018-02-16 12:20:40 -05:00
Mark Burnett 39c6e9c92f Make bootstrap armada target its own apiserver
This helps avoid an exception when armada deploys the apiserver chart.

Change-Id: Iba3acc917a4a115a1c4f62c81c8c906b41958d7e
2018-01-04 09:11:54 -05:00
Mark Burnett 13641c9fb9 Fix: add proxy environment to armada pod
Change-Id: Ib5813da2e6e174cb7c3764269817b687d6adaf34
2017-12-20 09:51:20 -06:00
Anthony Lin 4a41bab364 Update bootstrap-armada.yaml
Use apiserver instead of proxy server

Change-Id: Ia9eb6e59b13055f46412fd84508733ee72fc4cf6
2017-12-05 15:42:53 +00:00
Mark Burnett 51df4ce078 Avoid insecure apiserver port for tiller
This allows us to replace the apiserver process during genesis with the
chart-managed version that is likely to only listen on a secure port.

* Bundle armada + tiller + insecure apiserver into a static pod
* Report armada logs via host filesystem

NOTE: This is using an additional apiserver sidecar rather than a
`kubectl proxy` sidecar with a serviceaccount, because it's running as a
static pod.

Change-Id: I39c638020c0ad36db8d3b10c4ecb959a6642ad0e
2017-12-01 14:46:32 -06:00