The current Promenade image is vulnerable to several CVEs:
CVE-2019-3462
CVE-2018-16865
CVE-2018-16864
which Ubuntu 16.04/18.04 addresses.
This patchset makes the following changes:
1. Adds new distro specific dockerfiles for xenial/bionic.
2. Updates gates to be specific about the ubuntu image being
checked.
3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic.
4. Updates build-image.sh docker build for specific dockerfile
specified in config.sh (IMAGE_PROMENADE_DISTRO).
Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398
This is an uplift of CoreDNS to version 1.6.2.
The upstream CoreDNS image has no tools inside like wget/dig and can't
be used as is, because the pod probes will fail. The CoreDNS pod has
liveness/readiness probes which are just a shell script that runs
wget/dig to determine that CoreDNS is functional. So we decided
to add the tools for the probes to the Promenade image and do some refactoring.
New health-check endpoints run in a side-car:
/externalhealth - does the same check as the previous shell script,
/selfcheck - checks the health of the side-car itself.
The main container should be pointed at the check endpoint provided by
the side-car container.
Change-Id: Ib7fcf309b6cc34a86eeeec6e2109988cfa862955
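The side-car pattern described in the message above, written out as an added example. This is not Promenade's own side-car code: it is an illustration of the two endpoints, with /externalhealth sending a real A query to the DNS server under test (the job the old wget/dig script did) and /selfcheck reporting only on the side-car process. The CoreDNS address, the probe name, the listen port and the function names are assumptions; the resolver is injected into the handler logic so the decision path can be exercised offline.

```python
"""Added example of a CoreDNS probe side-car (not Promenade's own code).

/externalhealth: resolve a well-known name through CoreDNS and report
                 200 only if a valid, non-error DNS answer comes back.
/selfcheck:      report that the side-car itself is alive.
Addresses, names and ports below are assumptions for illustration.
"""
import json
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

COREDNS_ADDR = ("127.0.0.1", 53)                   # assumed: CoreDNS in same pod
PROBE_NAME = "kubernetes.default.svc.cluster.local"  # assumed name to look up
LISTEN_PORT = 8080                                 # assumed side-car port


def build_query(name, txn_id):
    """Build a minimal DNS A query (RD set, one question, IN class)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def response_ok(resp, txn_id):
    """True if resp is a DNS response to txn_id with RCODE 0 (NOERROR)."""
    if len(resp) < 12:
        return False
    rid, flags = struct.unpack("!HH", resp[:4])
    is_response = bool(flags & 0x8000)   # QR bit
    rcode = flags & 0x000F
    return rid == txn_id and is_response and rcode == 0


def resolve_via(name, server=COREDNS_ADDR, timeout=2.0):
    """Send one UDP query to CoreDNS; True only on a matching NOERROR answer."""
    txn_id = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txn_id), server)
        data, _ = sock.recvfrom(512)
    return response_ok(data, txn_id)


def external_health(resolver):
    """Status and body for /externalhealth. Any resolver failure is a 503,
    so a hung or crashed CoreDNS shows up as a failed probe, not a 500."""
    try:
        ok = resolver(PROBE_NAME)
    except Exception as exc:   # timeouts, socket errors, malformed replies
        return 503, {"status": "fail", "reason": type(exc).__name__}
    if ok:
        return 200, {"status": "ok"}
    return 503, {"status": "fail", "reason": "no valid answer"}


def self_check():
    """Status and body for /selfcheck: only says the side-car can serve HTTP."""
    return 200, {"status": "ok"}


class ProbeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/externalhealth":
            status, body = external_health(resolve_via)
        elif self.path == "/selfcheck":
            status, body = self_check()
        else:
            status, body = 404, {"status": "unknown path"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), ProbeHandler).serve_forever()
```

With this in place the CoreDNS container's liveness/readiness probes become `httpGet` probes against the side-car's port and `/externalhealth`, while the side-car's own probes point at `/selfcheck`; keeping the two apart means a broken side-car restarts the side-car, not CoreDNS. Note that an NXDOMAIN reply is treated as a failure here, so the probe name must be one the cluster DNS can always answer.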
This change has passed the Promenade resiliency gate.
- Use `master` versions of armada/tiller charts.
- Use consistent and updated HTK version in tests/examples.
- Fixes the resiliency gate, which broke due to missed HTK
version updates [0].
- Updates for "opendev" rebranding.
[0]: https://review.opendev.org/#/c/659863/
Change-Id: Ic145cde908a383b5130b2b0294d48708fcb1823f
Readthedocs failed to render Promenade exceptions with error:
> WARNING: autodoc: failed to import exception 'xxx' from module
> 'promenade'; the following exception was raised: No module
> named 'falcon'
Trying to add Promenade requirements to the installed requirements list,
so that Readthedocs has all modules, including those needed for the
Promenade itself.
Unify docs building by utilizing Zuul docs-on-readthedocs template job.
Cosmetic readability changes:
1. combined all Makefile .PHONY targets into one
2. merged multiple LABEL instructions in Dockerfile into one
Change-Id: I731ee3426a631fa765f13ba7091dcb4b9ebd0353
a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.
b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.
c. Adding an apt-get clean to the Dockerfile, as this seems to be
needed to get image building working properly.
This patchset has passed the Promenade resiliency gate.
Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
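The encryption setting referred to in item (a) above is the API server's EncryptionConfiguration. The fragment below is an added example, not Promenade's chart values: it shows the shape of a file that both kubernetes-apiserver and webhook-apiserver would have to load, via `--encryption-provider-config`, with byte-identical key material, since a second API server without the same keys cannot decrypt Secret objects written by the first. The file path and key name are assumptions.

```yaml
# Added example (not Promenade's own configuration). Mounted into both
# API server containers and referenced with
#   --encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml
# (path is an assumption).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider is used for writes; all listed providers are tried
      # for reads. Keep the real cipher first, so new objects are encrypted.
      - aescbc:
          keys:
            - name: key1
              # 32 random bytes, base64-encoded. Must be the SAME value on
              # kubernetes-apiserver and webhook-apiserver, or the latter
              # fails to read Secrets with a decryption error.
              secret: "<base64 of 32 random bytes, identical on both apiservers>"
      # identity last: lets the server still read objects written before
      # encryption was enabled. Putting it first would disable encryption.
      - identity: {}
```

Two checks worth making after rollout: read a Secret through the webhook API server to confirm it decrypts, and `etcdctl get` the same key to confirm the stored value starts with `k8s:enc:aescbc:v1:key1:` rather than plaintext.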
Updated promenade packaging scripts to use pbr.
This was done to make sure all required packages
for the promenade package library are pulled, when another
module does git pull to use the promenade package library.
Change-Id: I820ac6513c42456d52f92dab72dba2a34d8b437b
1) Use OCI Image Specs for labels instead of custom 'commit-id=xxxxx'
or legacy "Label Schema"
2) Fix missing git commit id labels on images (.revision)
3) Add human-readable title (.title) of the image, URL (.url), and
a few other properties (annotations) according to the latest Specs
4) Unify docker-image-build.yaml playbook with other Airship-*
components
Change-Id: I89afed3bf6a1f9fa92391d605bb6b3c871e58126
1. The first goal is to let the user customize the base image of the component
by passing FROM=myimage during the build process. This would let any
project leveraging Airship ensure that the base image is matching the
security requirements for that project and still use the same Dockerfile.
This will also ease the control of the /etc/apt/source.list
and thereby the result of apt-get update/upgrade procedure.
2. The above goal is achievable by using docker-ce feature such as:
ARG FROM="defaultbaseimage:xx"
FROM ${FROM}
For this reason, the installation of docker.io in the Zuul gating is being
replaced by docker-ce.
3. Third goal is to bring consistency with the other components leveraging
Helm such as the openstack-helm and potentially use bindep the same way
the LOCI images are to ensure
4. The new syntax in the Dockerfile is still commented out until the associated
image builders have been updated to use docker-ce, as they have been for the LOCI
images.
Change-Id: Ie5ae836221dc3cb9bdafc6e5e6670f914d3d1bb4
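The two Dockerfile mechanisms discussed in the two messages above, the OCI image-spec labels (`.revision`, `.title`, `.url`) and the `ARG FROM` / `FROM ${FROM}` override, as one added example. This is not Promenade's Dockerfile: the default base image, the build-arg names, the label values and the repository URLs are assumptions chosen for illustration.

```dockerfile
# Added example, not Promenade's own Dockerfile. Base image, ARG names,
# URLs and label values are illustrative assumptions.
#
# Build with the defaults, or override the base image and metadata:
#   docker build \
#     --build-arg FROM=myregistry.example/ubuntu@sha256:<digest> \
#     --build-arg VCS_REF="$(git rev-parse HEAD)" \
#     --build-arg BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
#     --build-arg VERSION="$(git describe --tags --always)" \
#     -t promenade:local .
#
# ARG before FROM needs Docker 17.05+ (docker-ce), which is why the
# gate switched away from the distro docker.io package.
ARG FROM=ubuntu:18.04
FROM ${FROM}

# An ARG declared before FROM is only visible to FROM itself. Anything
# used after FROM must be declared again in the stage.
ARG FROM
ARG VCS_REF
ARG BUILD_DATE
ARG VERSION

# OCI image-spec annotations in a single LABEL instruction (one layer,
# one place to audit). .revision is what was missing before this change.
LABEL org.opencontainers.image.title="promenade" \
      org.opencontainers.image.description="Airship Promenade" \
      org.opencontainers.image.url="https://opendev.org/airship/promenade" \
      org.opencontainers.image.source="https://opendev.org/airship/promenade" \
      org.opencontainers.image.revision="${VCS_REF}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.base.name="${FROM}"

# apt-get clean plus removing the lists keeps the package index out of
# the image, so the image reflects only what was installed from it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
```

Pass `FROM` as an image digest rather than a tag when the base image must match a project's security baseline; a tag can be re-pointed after review, a digest cannot. The recorded labels can be read back with `docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.revision" }}' promenade:local`, which is the check a gate should run to confirm the commit id actually landed in the image.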
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Deckhand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c
- Tiller and helm to 2.5.0
- Kubernetes to 1.6.8
Tiller 2.5 adds a verbosity flag which we are using, so the older
version not having this flag is causing test failures.
Kubernetes 1.6.4 seems to not be assigning IPs to static pods, therefore
they don't properly get added to services (in particular, this affects
the calico-etcd service).
Change-Id: I9d8a55dc2b5d248eb6bd3c820fe33f0f827bc83d
* remove old files
* sketch of non-bootkube genesis
* add basic chroot/bootstrap script
* cleanup kubectl/kubelet fetching
* fix cni bin asset path
* add non-pod asset loader
* add example ca
* refactor key gen/distribution
* flannel up on genesis
* refactor some code toward join
* WIP: last commit working on "self-hosted, helm-managed"
* first pass at consolidating config for vanilla deploy
* refactor cli a bit
* use provided cluster ca
* separate genesis and join scripts
* add basic etcd joining
* actually run the proxy everywhere
* update readme
* enable kubelet service
* add pki most places
* use consistent sa keypair
* use quay.io/attcomdev/promenade
* fix typo in n3
* tls everywhere in kubernetes
* tls for etcd
* remove currently unused files