Commit Graph

18 Commits

Author SHA1 Message Date
Michal Nasiadka 5c0c27807a Drop k8s_coreos_v1 driver
Change-Id: I64884677cf05c59c64988dfbee9bf22e97a3466b
2024-02-05 07:04:05 +00:00
Rick Cano 419a228503 Fixing CoreOS driver
Decoding ca on nodes

Change-Id: I4a30a348c1c0a62cb1a7b429b05878f321db92ed
2018-08-22 12:58:27 -04:00
Lingxian Kong 2cc57c5386 Use Octavia for LoadBalancer type service
In the OpenStack deployment with Octavia service enabled, the octavia
service should be used not only for master nodes high availability, but
also for k8s LoadBalancer type service implementation as well.

Change-Id: Ib61f59507510253794a4780a91e49aa6682c8039
Closes-Bug: #1770133
2018-05-30 15:36:24 +12:00
Kirsten G b07b6f34d5 Add verify_ca configuration parameter
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
2017-11-21 10:25:32 -08:00
Kevin Lefevre 1260590b4e [k8s_coreos] enable CoreDNS addon
Enable option to specify a custom cluster domain name.
Enable Kubelet integration with DNS.

Change-Id: I76f837c950ab9111d5a43fa522829d5034cd5ee8
2017-05-24 09:14:06 +02:00
yatin 033c9a5775 [k8s_coreos] Add kubernetes dashboard
kubernetes dashboard [1] has a lot of features and is actively
managed.
With this patch kubernetes dashboard is added and enabled in
k8s coreos cluster by default.

The kubernetes dashboard is enabled by default. To disable it, set the
label 'kube_dashboard_enabled' to False

Reference:
[1] https://github.com/kubernetes/dashboard

Implements: blueprint add-kube-dashboard
Change-Id: I9b001ec3c232aea2395df7d83c6ac991cbf5dea3
2017-05-01 14:16:53 +00:00
ArchiFleKs ecfe6ac183 Fix CoreOS multi master with LB cluster creation
Clusters that use ETCD, like swarm and K8s, failed with LB and TLS enabled
because the ETCD LB protocol is HTTP but SSL termination is on the ETCD
node. The ETCD LB protocol should be the same as K8s with TLS enabled.

Partial-Bug: #1679724

Change-Id: Ie8c8a7e4609c0e2e63095d4c18af84cc653654e1
2017-04-11 11:10:58 +02:00
Jenkins c0c5af6a6a Merge "Prepare Kubelet for multiple container runtime" 2017-03-07 16:10:35 +00:00
ArchiFleKs ac1184fa47 Add admission control to CoreOS Driver
This adds the default set of admission control to the CoreOS driver and
enables service accounts, which are a requirement for most K8s addons

Change-Id: Id4948973627f4517eba13901e822f22e3fb1212f
Partially-Implements: bp coreos-best-pratice
2017-03-01 11:48:42 +01:00
ArchiFleKs c270539b16 Prepare Kubelet for multiple container runtime
This change introduces default recommended values for Kubelet on CoreOS:
- Usage of CNI (Container Networking Interface) with Flannel
- Update deprecated Kubelet Args (--config)
- Bind mount recommended CoreOS folders in Kubelet

It also introduces a new parameter: CONTAINER_RUNTIME, which will allow
switching between rkt and docker as container runtime. For now only docker
is used.

Partially-Implements: blueprint coreos-best-pratice
Change-Id: I1db1c3c06198b41098472f5c28405c533b91b41e
2017-02-26 18:20:47 +01:00
Jenkins ed173776ca Merge "Fix CVE-2016-7404" 2017-02-22 20:58:44 +00:00
Kevin Lefevre 8b3ebbe8bf Use variables for hyperkube and kube version
Introduce HYPERKUBE_IMAGE_REPO variable which is set to CoreOS
hyperkube by default. Also remove "_coreos.0" from script as it can be a
different build number. This number should be included in the kubernetes
version parameters and not in scripts.

With this, it is possible to use any combination of hyperkube image with
any tags. By default we use the CoreOS one.

Partially-Implements: blueprint support-insecure-registry
Partially-Implements: blueprint coreos-best-pratice
Change-Id: Ie0fbed4b160fa972cfe130c252e87765690e2f5f
2017-02-14 01:48:46 +01:00
Johannes Grassler e93d82e8b3 Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
  default) is introduced. It needs to be explicitly enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
2017-02-09 16:44:27 +01:00
Kevin Lefevre fb0aa7d3e1 Improve consistency for SSL PATH across template
Multiple variable names were used in different fragments. This commit
makes KUBE_CERTS_PATH and HOST_CERTS_PATH hardcoded values in heat-params
fragment and uses them inside fragments instead of hardcoded values and
different variable names

Implements: blueprint coreos-best-pratice
Change-Id: I8c7856601096672890ab5a1318db0177d582e53d
2017-02-09 13:33:28 +01:00
Bertrand NOEL 2a4ad9aa41 Make Kubernetes pods' health checks configurable
Make Kubernetes' kube-controller-manager and kube-scheduler
health checks configurable as a parameter to the cluster-template
(label).
Set their value higher for all deployments. And set their value
to a high number for tests, for the CI.

Change-Id: I65e2da12487c513419125f0525a4e21bac22210e
Closes-Bug: 1648826
2017-01-26 20:02:52 +00:00
yatin 03e7aee236 [k8s_coreos] Enable TLS in Etcd cluster
With this patch the following are done:
- Configure Etcd with TLS support

Configure the following to communicate with TLS-enabled Etcd:
- Flannel

Etcd also listens at http://127.0.0.1:2379, so on master nodes
etcdctl can communicate without using certificates.

If TLS_DISABLED="True" then TLS is not enabled for etcd.

Change-Id: I7691ca328c4e1bc0738937b62cd813b5ad7df959
Implements: blueprint secure-etcd-cluster-coe
2016-12-26 14:00:37 +05:30
Jaycen Grant 729c2d0ab4 Rename Bay DB, Object, and internal usage to Cluster
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel.  This patch updates Bay to Cluster in DB and
Object as well as all the usages.  No functionality should be
changed by this patch, just naming and db updates.

Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
2016-09-08 13:01:12 -07:00
murali allada f09f314da4 k8s coreos bay driver
This patch moves k8s-coreos specific templates and
template_definition class to the new drivers folder.

It also deletes the /magnum/templates folder
as everything has been moved to the drivers directory.

Change-Id: I6b2ca49e4d7d5fcfb96d0abc373d6476fd907358
Paritially-Implements: blueprint bay-drivers
2016-07-11 12:35:06 -05:00