48 Commits

Author SHA1 Message Date
Michal Nasiadka 5c0c27807a Drop k8s_coreos_v1 driver
Change-Id: I64884677cf05c59c64988dfbee9bf22e97a3466b
2024-02-05 07:04:05 +00:00
Trung Nguyen Van 0e964f8f7d Remove duplicated etcd_volume_size param in coreos template
Change-Id: I161b0af3ef7fbf3f81ece9a4a5689ec84d8b715d
2020-08-19 13:37:45 +07:00
Feilong Wang 001b9c6101 Fix label fixed_network_cidr
Now the label `fixed_network_cidr` is not handled correctly, no matter
if the label is set, the default value '10.0.0.0/24' is used for
fixed network anyway. This patch fixes it and renames it as
`fixed_subnet_cidr` to make less confusion. The new behaviour will be:
1. If the label `fixed_subnet_cidr` is set but no fixed subnet passed
   in, then a new subnet will be created with the given CIDR.
2. If a fixed subnet is passed in by user, then label `fixed_subnet_cidr`
   will be overridden with the CIDR from the given subnet.

Task: 39847
Story: 2007712

Change-Id: Id05e36696bf85297a556fcd959ed897fe47b7354
2020-06-11 13:54:59 +12:00
Feilong Wang d342fc0ad9 Update default calico_ipv4pool
The current default Calico IPv4 CIDR 192.168.0.0/16 is too common and
it has brought us some IP conflict troubles on production. This patch is
proposing to replace it with a rare CIDR range.

Task: 39052
Story: 2007426

Change-Id: I13aa0c58bf168bc069edf1d5c0187f89011fffdb
2020-03-16 22:33:10 +00:00
Theodoros Tsioutsias 113fdc44b2 ng-12: Label nodegroup nodes
With this change each node will be labeled with the following:
* --node-labels=magnum.openstack.org/role=${NODEGROUP_ROLE}
* --node-labels=magnum.openstack.org/nodegroup=${NODEGROUP_NAME}

Change-Id: Ic410a059b19a1252cdf6eed786964c5c7b03d01c
2019-10-16 11:53:44 +00:00
Theodoros Tsioutsias 44631afbbf ng-10: Fix cluster template conditions
Removes the role heat param from all templates. Instead and only for
k8s templates adds the master_role and worker_role params. The new
worker_only condition should be true for all roles except for master.
Finally, adds the missing is_cluster_stack param to all templates.

Change-Id: Ie0799373fe492c2e0a0cad903ed6e8c93e6266b5
2019-10-16 11:53:44 +00:00
Spyros Trigazis 2f72fdfbf6 Pass ssh public key as string
* Fedora CoreOS needs the key to be passed as
  a string.
* We can adopt in all drivers so that users in
  the same project can do cluster resize.

story: 2005201
task: 36934

Change-Id: I9a18ce4dcbd74f0dcd23274baed7c8c3d2029d50
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
2019-10-08 07:56:52 +00:00
Theodoros Tsioutsias d4a52719f1 ng-7: Adapt parameter and output mappings
With this change parameter and output mappings can support multiple
stacks.

Change-Id: I45cf765977c7f5a92f28ae12c469b98435763163
2019-09-26 08:45:51 +00:00
Mohammed Naser cd26be16c6 calico: drop calico_cni_tag
This variable was not being used anywhere so it was an extra
parameter that served no purpose.

Change-Id: I7ae84ab6683530d95a8bca51487558b381f9cef2
2019-06-18 16:36:22 -04:00
Spyros Trigazis 8fb27da2fc Update coredns from upstream manifest and to 1.3.1
5fe683c057/kubernetes/coredns.yaml.sed

story: 2003993
task: 30493

Change-Id: I0b0b4f98c20748c37c2d2f498ced222a53b52214
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
2019-04-18 12:38:58 +02:00
huang.xiangdong 3cb6226ff0 Support multi DNS server
Using comma delimited ipv4 address list to specify multi dns server
"8.8.8.8,114.114.114.114".

Task: 29465
Story: 2004994

Change-Id: I031247b0cc2ae417f18b2a5b9b3832e78ed9dafd
2019-04-08 23:08:45 +00:00
Lingxian Kong c47fde0cbe Improve floating IP allocation
- Never allocate floating IP for etcd service.
- Introduce a new label `master_lb_floating_ip_enabled` which controls
  if Magnum allocates floating IP for the master load balancer. This
  label only takes effect when the `master_lb_enabled` is set. The
  default value is the same with `floating_ip_enabled`.
- The `floating_ip_enabled` property now only controls if Magnum
  should allocate the floating IPs for the master and worker nodes.

Change-Id: I0a232406deaf112b0cb9e445735d7b49206c676d
Story: #2005153
Task: #29868
2019-03-20 18:44:45 +13:00
Feilong Wang 4f84c849f6 Add server group for cluster worker nodes
Now Magnum only has one server group for all master and worker nodes
per cluster, which is not very flexible for small cloud scale. For a
3+ master clusters, it's easily meeting the capacity when using hard
anti-affinity policy. This patch is proposing one server group for each
master and worker nodes group to have better flexibility.

story: 2004195

Change-Id: If11ba863a2aa538efe1e3e850084bdd33afd27d2
2019-02-27 09:09:20 +00:00
Jim Bach 8f4643d85c Make providing a keypair optional
A user may not rely on nova-keypairs to access their cluster
such as a preconfigured SSSD.

story: 2004402
task: 28035

Change-Id: I77fbdc174d3dddfd312fb8dac20516314d4c182e
2018-11-21 16:17:46 +00:00
Zuul d9a43d87d0 Merge "Fixing CoreOS driver" 2018-09-04 11:08:33 +00:00
Rick Cano 419a228503 Fixing CoreOS driver
Decoding ca on nodes

Change-Id: I4a30a348c1c0a62cb1a7b429b05878f321db92ed
2018-08-22 12:58:27 -04:00
Farid Da Encarnacao d417395e0a Add etcd_volume_size parameter in coreos template
Without those fixes new cluster fails with message:
ERROR: The Parameter (etcd_volume_size) was not defined in template.

Task: 1722523
Story: 20337

Change-Id: Ie38c9e010b61fafeda51ae8dccba94b6ed743f1d
2018-07-19 15:53:55 +00:00
Lingxian Kong 2cc57c5386 Use Octavia for LoadBalancer type service
In the OpenStack deployment with Octavia service enabled, the octavia
service should be used not only for master nodes high availability, but
also for k8s LoadBalancer type service implementation as well.

Change-Id: Ib61f59507510253794a4780a91e49aa6682c8039
Closes-Bug: #1770133
2018-05-30 15:36:24 +12:00
Spyros Trigazis 30785acd3c Update kubernetes dashboard to v1.8.3
Add the RBAC enabled kubernetes-dashboard with
version v1.8.3.

Related-Bug: #1680900
Change-Id: I68a17d22dda9661c81f40bcc9db06f7456790958
2018-02-23 09:42:44 +13:00
Georgiy Kutsurua 0e95314964 Add missed space in k8s template file
Add missed space in k8s coreos v1 driver's file.

Change-Id: Ib1143ff495f58a443d526e6fad86a1257f6d8471
Closes-Bug: #1749956
Signed-off-by: Georgiy Kutsurua <g.kutsurua@gmail.com>
2018-02-16 17:35:21 +04:00
Feilong Wang be0609ce88 Support soft-anti-affinity policy for nodes
Currently, there is no guarantee to make sure all nodes of one cluster are
created on different compute hosts. So it would be nice if we can create
a server group and set it with anti-affinity policy to get a better HA
for cluster. This patch is proposing to create a server group for master
and minion nodes with soft-anti-affinity policy by default.

Closes-Bug: #1737802

Change-Id: Icc7a73ef55296a58bf00719ca4d1cdcc304fab86
2018-01-24 07:13:48 +13:00
Spyros Trigazis 65dfb2009f Add openstack_ca_file configuration option
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.

Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.

Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2

Add doc in troubleshooting-guide.

Add release notes.

Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
2018-01-17 14:58:56 +00:00
Kirsten G b07b6f34d5 Add verify_ca configuration parameter
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
2017-11-21 10:25:32 -08:00
Mohammed Naser 5153d912b2 Clean-up server names in drivers
The instance type of servers at the moment can become quite long
due to the Heat autogenerated names.  This patch cleans up the names
so that they are shorter yet contain all the info needed to be able
to know where they belong to.

Change-Id: I5bcbe73f08844242d049b8408221da40d22cd3dc
2017-08-13 14:03:55 -04:00
Kevin Lefevre b23700ceb8 [k8s_coreos] use host-gw as flannel default driver
host-gw offers better performance out of the box. Allowed address pairs
are automatically configured by Magnum.

Change-Id: I5fd18b8d6b76f6a5f73b13bc4cfd19e52c33791c
2017-05-24 09:14:21 +02:00
Kevin Lefevre 1260590b4e [k8s_coreos] enable CoreDNS addon
Enable option to specify a custom cluster domain name.
Enable Kubelet integration with DNS.

Change-Id: I76f837c950ab9111d5a43fa522829d5034cd5ee8
2017-05-24 09:14:06 +02:00
Kevin Lefevre c14f7d7c56 [k8s_coreos] update to etcdv3 and kube 1.6
Change-Id: I6314ca1483c85bfe8b4577449d4c2ed553be87d9
2017-05-18 16:15:33 +02:00
yatin 033c9a5775 [k8s_coreos] Add kubernetes dashboard
kubernetes dashboard [1] has a lot of features and is actively
managed.
With this patch kubernetes dashboard is added and enabled in
k8s coreos cluster by default.

The kubernetes dashboard is enabled by default. To disable it, set the
label 'kube_dashboard_enabled' to False

Reference:
[1] https://github.com/kubernetes/dashboard

Implements: blueprint add-kube-dashboard
Change-Id: I9b001ec3c232aea2395df7d83c6ac991cbf5dea3
2017-05-01 14:16:53 +00:00
ArchiFleKs ecfe6ac183 Fix CoreOS multi master with LB cluster creation
Cluster that uses ETCD like swarm and K8s failed with LB and TLS enabled
because ETCD LB protocol is HTTP but SSL termination is on the ETCD
node. ETCD LB protocol should be the same as K8s with TLS enabled

Partial-Bug: #1679724

Change-Id: Ie8c8a7e4609c0e2e63095d4c18af84cc653654e1
2017-04-11 11:10:58 +02:00
ArchiFleKs ff18982505 Fix CoreOS cluster creation and heat notify
Also fix the label issue introduced with
https://review.openstack.org/#/c/426291/

Closes-Bug: #1679663

Change-Id: Ic1ca4ebef96a796f22acb06722f209477b7db934
2017-04-11 11:09:27 +02:00
Jenkins c0c5af6a6a Merge "Prepare Kubelet for multiple container runtime" 2017-03-07 16:10:35 +00:00
ArchiFleKs ac1184fa47 Add admission control to CoreOS Driver
This adds the default set of admission control to CoreOS driver and
enables service accounts that are a requirement for most K8s addons

Change-Id: Id4948973627f4517eba13901e822f22e3fb1212f
Partially-Implements: bp coreos-best-pratice
2017-03-01 11:48:42 +01:00
ArchiFleKs c270539b16 Prepare Kubelet for multiple container runtime
This change introduces default recommended values for Kubelet on CoreOS:
- Usage of CNI (Container Networking Interface) with Flannel
- Update deprecated Kubelet Args (--config)
- Bind mount recommended CoreOS folders in Kubelet

It also introduces a new parameter: CONTAINER_RUNTIME which will allow to
switch between rkt and docker as container runtime. For now only docker
is used.

Partially-Implements: blueprint coreos-best-pratice
Change-Id: I1db1c3c06198b41098472f5c28405c533b91b41e
2017-02-26 18:20:47 +01:00
ArchiFleKs 7117ff28ca Make INSECURE_REGISTRY_URL works for CoreOS
Parent commit allows custom secure HYPERKUBE_IMAGE_REPO (which can also
be a local registry). Here we implement INSECURE_REGISTRY_URL which
allows setting a custom insecure registry for Kubernetes infra components.

It also enables the insecure registry for Docker daemon.

Partially-Implements: blueprint coreos-best-pratice
Partially-Implements: blueprint support-insecure-registry
Change-Id: If00afa2e8a9100546301f9a1f161daed6e3ffc4f
2017-02-16 12:17:42 +01:00
Kevin Lefevre 8b3ebbe8bf Use variables for hyperkube and kube version
Introduce HYPERKUBE_IMAGE_REPO variable which is set to CoreOS
hyperkube by default. Also remove "_coreos.0" from script as it can be a
different build number. This number should be included in the kubernetes
version parameters and not in scripts.

With this, it is possible to use any combination of hyperkube image with
any tags. By default we use the CoreOS one.

Partially-Implements: blueprint support-insecure-registry
Partially-Implements: blueprint coreos-best-pratice
Change-Id: Ie0fbed4b160fa972cfe130c252e87765690e2f5f
2017-02-14 01:48:46 +01:00
Bertrand NOEL 1f3b0500b7 K8S: Allows to specify admission control plugins to enable
If nothing is specified a set of recommended default plugins is used,
which includes the ServiceAccount one.

Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
2017-01-31 11:21:35 +01:00
Bertrand NOEL 2a4ad9aa41 Make Kubernetes pods' health checks configurable
Make Kubernetes' kube-controller-manager and kube-scheduler
health checks configurable as a parameter to the cluster-template
(label).
Set their value higher for all deployments. And set their value
to a high number for tests, for the CI.

Change-Id: I65e2da12487c513419125f0525a4e21bac22210e
Closes-Bug: 1648826
2017-01-26 20:02:52 +00:00
Mathieu Velten 22fb89a6e1 Make private network optional
If a fixed_network and fixed_subnet is specified no private network
is created by the templates and the specified network is
used instead for VMs provisioning, like in the Ironic driver.

Currently missing is the code to handle the use case where you
specify a fixed_network but not a fixed_subnet, this will come
in a following patch.

Partially Implements: blueprint decouple-private-network
Change-Id: I2003eb709b22b905063d846eb71570fc5e033618
2017-01-09 20:14:44 +01:00
Rajiv Kumar 10e85ee6ce Consolidate heat network resources
Currently each driver has the following code
  1) Create a fixed Network.
  2) Create a fixed subnet in the network created at step 1.
  3) Create a router
  4) Attach subnet(created at step2) to router(created at step 3)

A new resource is created for above tasks in network.yaml file.
New resource does the above tasks and output the fixed network ID
and fixed subnet id, which is used by other parts of the heat
template.

Change-Id: Ib347ce5c54c6566300a43e05b277bf80351a2256
Closes-Bug: #1606912
2016-12-09 15:34:06 +01:00
Mathieu Velten 11d7377bf5 Missing lines in lb refactor for CoreOS driver
Related-Bug: 1644454
Change-Id: I1018d99f91e661d3155ea9cb78e954b042f39503
2016-12-09 04:17:24 +00:00
Mathieu Velten ce3c68424a Factorize load balancer code into its own template
Heat types moved to lb.yaml:

Neutron::LBaaS::LoadBalancer
Neutron::LBaaS::Listener
Neutron::LBaaS::Pool
Neutron::LBaaS::HealthMonitor
FloatingIP on LBaaS

Closes-Bug: 1644454
Change-Id: I513b92c205ed97334033ba38ddf1d890ed61ff84
2016-12-06 11:18:27 +01:00
Chetna Khullar 8d6bf7c621 Reduce security groups # for k8s coreos cluster
This patch allows two security groups to be created for k8s coreos
cluster(one for master and one for minion)

Change-Id: Id12cba8fbe060ced017ea0c402aab77325f71b09
Closes-bug: 1642752
2016-11-18 18:19:28 -08:00
yatin 40c1e2de6f [coreos] Allow k8s cluster without floating ip
This patch allows k8s coreos cluster to be created
without Floating IP resources.

Depends-on: I51feb6ccdc0fab91a591568866e6801f2bbb319b
Change-Id: Ifc8b6bde5a9bc3dd8c7e965e0450e2aa0d243263
Partially-Implements: blueprint bay-with-no-floating-ips
Closes-Bug: #1630189
Partial-Bug: #1490334
2016-10-05 14:24:43 +05:30
Hua Wang 77e6c3160f Add Support of LBaaS v2 API
LBaaS v1 api is completely removed by neutron, so it
cannot be used now. Added Support of LBaaS v2 API.
Now all COEs use LBaaS v2.

Co-Authored-By: yatin karel <yatin.karel@nectechnologies.in>
Change-Id: Idbccbe1065857449fc8e158115b7833b68c2da9f
Partially-Implements: blueprint magnum-lbaasv2-support
2016-09-09 10:01:30 +05:30
Jaycen Grant 729c2d0ab4 Rename Bay DB, Object, and internal usage to Cluster
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel.  This patch updates Bay to Cluster in DB and
Object as well as all the usages.  No functionality should be
changed by this patch, just naming and db updates.

Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
2016-09-08 13:01:12 -07:00
Hieu LE 6cb748d780 Align k8s CoreOS with atomic: add proxy config
Adding http_proxy, https_proxy and no_proxy config for
k8s CoreOS template file.

Change-Id: I070d6584f26b40f1f0fb77af7dc096a490b0cc72
Partial-Bug: #1490334
2016-08-16 11:01:15 +07:00
Rajiv Kumar 4b87c57d5b Support HA for k8s coreos bay
The following things have been added to make the CoreOS driver HA
  1) Created two pools for API and etcd.
  2) Added health monitoring for both API and etcd.
  3) Register masters into the pool created at step 1 to
     balance load among them.

Address switcher has been added to
  1) If LBaaS is not enabled(1 master) then master IPs are
     exposed.
  2) If LBaaS is enabled(more than 1 master) then LBaaS IPs
     are exposed.

Co-Author-By: Hongbin Lu <hongbin.lu@huawei.com>

Change-Id: I96391076f17bdb7161455cea7732c0d85cb72fe0
Closes-bug: #1580220
2016-08-08 18:31:45 -05:00
Eli Qiao f081cf18e5 k8s_coreos_driver: cleanup file naming
Since we have separate template files to different driver directory, we
can cleanup -coreos suffix from template.

1. Remove unused shell scripts.
2. Remove kube-examples.yaml and kube-user.yaml which are never used.

Closes-bug: #1606655
Change-Id: I6ac93ad23e7ae30ad1eb9be1c79c2cf36af8db0c
2016-07-27 17:41:44 +08:00