Everything is containerized in rkt. If behind proxy, flannel, etcd
and kubelet will failed to rkt fetch images and cluster creation
will failed.
Closes-Bug: #1689618
Change-Id: Ia12deeb659483980d2a20e4cba5d449167b600d0
This change introduces default recommended values for Kubelet on CoreOS:
- Usage of CNI (Container Networking Interface) with Flannel
- Update deprecated Kubelet Args (--config)
- Bind mount recommended CoreOS folders in Kubelet
It also introduces a new parameter: CONTAINER_RUNTIME which will allow to
switch between rkt and docker as container runtime. For now only docker
is used.
Partially-Implements: blueprint coreos-best-pratice
Change-Id: I1db1c3c06198b41098472f5c28405c533b91b41e
myip is defined almost in every fragment. It is unnecessary. We can use
KUBE_NODE_IP that is defined in HEAT. Also, if for some reason
KUBE_NODE_IP is empty, we use the failsafe like in make-cert fragment
where we curl metadata to make sure KUBE_NODE_IP is not empty.
Implements: blueprint coreos-best-pratice
Change-Id: I8597a5afa9b4bc7a5c740738303102e7b60ec63e
Multiple variables names where used in different fragments. This commit
makes KUBE_CERTS_PATH and HOST_CERTS_PATH hardcoded values in heat-params
fragment and use them inside fragments instead of hardcoded value and
different variables names
Implements: blueprint coreos-best-pratice
Change-Id: I8c7856601096672890ab5a1318db0177d582e53d
Instead of sourcing heat-params in script, we can use it as a systemd
unit EnvironmentFile directive and not inline in sh scripts.
Change-Id: I3ebf23dee6785febdc87bc5ce4212c30ef24806e
With this patch following are done:-
- Configure Etcd with TLS support
Configure Following to commuicate with TLS enabled Etcd:-
- Flannel
Etcd also listens at http://127.0.0.1:2379, so on master nodes
etcdctl can communicate without using certificates.
if TLS_DISABLED="True" then TLS is not enabled for etcd.
Change-Id: I7691ca328c4e1bc0738937b62cd813b5ad7df959
Implements: blueprint secure-etcd-cluster-coe
Michal Nasiadka