This fix propose two parts:
* introduce timeout (60s) to requests calls
* remove `file` scheme support for requests calls.
Change-Id: Ide2c2915ba5d6ff03933160b74f7206492276968
Adding the master_lb_enabled option when creating a cluster,
which will benefit both the cloud provider side and the end
user side. For cloud prodiver, they don't have to maintain
separate cluster templates with or w/o master_lb_enabled enabled.
For end user, they can easily use one single template to create
different clusters with different configs.
Task: 39680
Story: 2007634
Change-Id: I0b586f05168ece84fd340ef7493a56688191053d
When the cloud is behind a proxy, podman needs to access the dockerhub
via proxy to pull the image, so the proxy settings need to be exported
to etcd systemd file as well. We're setting the heat-params as
environment file for k8s components already.
Besides, because CIDR of fixed subnet vary for different clusters,
so the subnet CIDR should be added into NO_PROXY list. Otherwise,
it will affect the communication between etcd members and also the
communication between k8s components.
Task: 39990
Story: 2007768
Change-Id: I4dba79e04abe38b9806e847348d3dd77ef96bee5
Now the label `fixed_network_cidr` is not handled correctly, no matter
if the label is set, the default value '10.0.0.0/24' is used for
fixed network anyway. This patch fixes it and renamed it as
`fixed_subnet_cidr` to make less confusion. The new behaviour will be:
1. If the label `fixed_subnet_cidr` is set but no fixed subnet passed
in, then a new subnet will be created with the given CIDR.
2. If a fixed subnet is passed in by user, then label `fixed_subnet_cidr`
will be override with the CIDR from the given subnet.
Task: 39847
Story: 2007712
Change-Id: Id05e36696bf85297a556fcd959ed897fe47b7354
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.
Change-Id: Ib3ca91e93db260e081c43d236d5d6fae5a2adfd7
When resizing a NG we should strictly send the
desired node_count and the nodes_to_remove.
Otherwise the stack update operation may replace/rebuild
nodes or other resources.
This was the functionality with:
Id84e5d878b21c908021e631514c2c58b3fe8b8b0
But it was reverted with:
I725413e77f5a7bdb48131e8a10e5dc884b5e066a
Story: 2005266
task: 39860
Change-Id: Ib31b6801e0e2d954c31ac91e77ae9d3ef1afebd2
Signed-off-by: Spyros Trigazis <strigazi@gmail.com>
A new label named `master_lb_allowed_cidrs` is added to control
the IP range which can access the k8s api and etcd load balancers.
It's a good security enhancement.
Task: 39188
Story: 2007414
Change-Id: I157a3b01d169e550e79b94316803fde8ddf77b03
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.
Change-Id: I6245a207ec65df0ef11a798b4cffe3157abccb73
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Co-Authored-By: Spyros Trigazis <spyridon.trigazis@cern.ch>
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Remove hacking and friends from lower-constraints, those are not needed
for co-installing.
Change-Id: I926efaef501f190e78da9cab40c1e94203277258
A new config option `post_install_manifest_url` is added to support
installing cloud provider/vendor specific manifest after booted
the k8s cluster. It's an URL pointing to the manifest file. For
example, cloud admin can set their specific storageclass into
this file, then it will be automatically setup after created
the cluster.
Task: 35798
Story: 2006209
Change-Id: Ib5a2c5cd7970085db941f189613e175f622aea3f
Only query Cinder API for volume type if volume size is greater than 0.
This is to make sure that Magnum does not have a hard dependency on
Cinder and works without the Cinder API enlisted as an endpoint.
This regression was introduced in https://review.opendev.org/#/c/621734/
where boot from volume support was introduced. See
https://storyboard.openstack.org/#!/story/2005386#comment-147555 for
more details of the error.
Story: 2005386
Task: 37565
Change-Id: I1bdec0c11a18bea9143fb4792a0a2e4ba5dc1fcf
With this change each node will be labeled with the following:
* --node-labels=magnum.openstack.org/role=${NODEGROUP_ROLE}
* --node-labels=magnum.openstack.org/nodegroup=${NODEGROUP_NAME}
Change-Id: Ic410a059b19a1252cdf6eed786964c5c7b03d01c
Removes the role heat param from all templates. Instead and only for
k8s templates adds the master_role and worker_role params. The new
worker_only condition should be true for all roles except for master.
Finally, adds the missing is_cluster_stack param to all templates.
Change-Id: Ie0799373fe492c2e0a0cad903ed6e8c93e6266b5
Since OpenStack Cloud Controller Manager only accepts fixed_subnet uuid,
convert fixed_subnet name to uuid when a cluster is created.
Without this patch, there is a chance OCCM fails to start in come cases
when fixed_subnet is rendered as name.
Story: 2002652
Task: 28816
Change-Id: Ie70bc00f5617ef94c39c9faea7d39617ee01b07b
* Fedora CoreOS need the key to be passed as
a string.
* We can adopt in all drivers so that users in
the same project can do cluster resize.
story: 2005201
task: 36934
Change-Id: I9a18ce4dcbd74f0dcd23274baed7c8c3d2029d50
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
This adds the support for creating and deleting worker nodegroups
using different stack per nodegroup. In order to be backwards
compatible, default nodegroups will remain in one stack.
Having this in mind cluster status is now calculated aggregating the
statuses of the underlying stacks.
Change-Id: I97839ab8495ed5d860785dff1f6e3cc59b6a9ff7
The derived cloud_provider_enabled is placed inside extra_params so that
openstack-cloud-controller-manager gets applied correctly. This required
change was unfortulately missed in https://review.opendev.org/681922.
Additionally improve the docs related to cloud_provider_enabled label.
Story: 2006531
Task: 36740
Change-Id: I4a89d25b467edd2c4be608c37055706e4e62d78b
Support boot from volume for Kubernetes all nodes (master and worker)
so that user can create a big size root volume, which could be more
flexible than using docker_volume_size. And user can specify the
volume type so that user can leverage high performance storage, e.g.
NVMe etc.
And a new label etcd_volme_type is added as well so that user can
set volume type for etcd volume.
If the boot_volume_type or etcd_volume_type are not passed by labels,
Magnum will try to read them from config option
default_boot_volume_type and default_etcd_volume_type. A random
volume type from Cinder will be used if those options are not set.
Task: 30374
Story: 2005386
Co-Authorized-By: Feilong Wang<flwang@catalyst.net.nz>
Change-Id: I39dd456bfa285bf06dd948d11c86867fc03d5afb
Sometimes, the fixed_network value gets rendered as UUID. However OCCM's
internal-network-name requires the network name, it does not support
UUID. This patch introduces a new parameter called fixed_network_name
which converts fixed_network UUID to name if it is UUID-like.
Story: 2005333
Task: 36313
Change-Id: I3453bc0dbea285687d39c9782685cb1f2a3ecd39
When using a public cluster template, user still need the capability
to reuse their existing network/subnet, and they also need to be
able to turn of/off the floatingip to overwrite the setting in the
public template. This patch supports that by adding those three
items as parameters when creating cluster.
Story: 2006208
Task: 35797
Change-Id: I11579ff6b83d133c71c2cbf49ee4b20996dfb918
With the new config option `keystone_auth_default_policy`, cloud admin
can set a default keystone auth policy for k8s cluster when the
keystone auth is enabled. As a result, user can use their current
keystone user to access k8s cluster as long as they're assigned
correct roles, and they will get the pre-defined permissions
set by the cloud provider.
The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth which is getting more useful now. For example,
in v1 it doesn't support a policy for user to access resources from
all namespaces but kube-system, but v2 can do that.
NOTE: Now we're using openstackmagnum dockerhub repo until CPO
team fixing their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
Rolling ugprade is an important feature for a managed k8s service,
at this stage, two user cases will be covered:
1. Upgrade base operating system
2. Upgrade k8s version
Known limitation: When doing operating system upgrade, there is no
chance to call kubectl drain to evict pods on that node.
Task: 30185
Story: 2002210
Change-Id: Ibbed59bc135969174a20e5243ff8464908801a23
This reverts commit e8d0ee1b14.
This commit is reverted for two reasons:
* It is undesirable that the end user can inject proxy config into
the magnum-conductor service via the cluster template.
* The proxy settings for the magnum-conductor service may not be
the same as those which are required in the cluster template for
the end user VM.
Systemd, docker and podman all include native mechanisms for setting
environment variables for proecesses, and this should be used by the
cloud operator / deployment tooling to configure the required proxy
settings for the magnum-conductor service.
In particular this patch makes it impossible for the cloud operator
to specify their own http_proxy via the environment, the user supplied
cluster template setting will always be used.
Change-Id: I33da19ad6764bedcf15f2a08381063e2471f8991
Using Node Problem Detector, Draino and AutoScaler to support
auto healing for K8s cluster, user can use a new label
"auto_healing_enabled' to turn on/off it.
Meanwhile, a new label "auto_scaling_enabled" is also introduced
to enable the capability to let the k8s cluster auto scale based
its workload.
Task: 28923
Story: 2004782
Change-Id: I25af2a72a7a960205929374d2300bd83d4d20960
This commit removes the fields node_addresses, master_addresses,
node_count and master_count from the cluster object since this info
will be stored in the nodegroups. At the same time, provides the way
to adapt existing clusters to the new schema.
story: 2005266
Change-Id: Iaf2cef3cc50b956c9b6d7bae13dbb716ae54eaf7
The existing drivers are adapted to get node_count and master_count
information from the cluster's nodegroups. At the same time the
output mappings were updated to reflect the changes in the stack to
the nodegroups.
story: 2005266
Change-Id: I725413e77f5a7bdb48131e8a10e5dc884b5e066a
- Never allocate floating IP for etcd service.
- Introduce a new label `master_lb_floating_ip_enabled` which controls
if Magnum allocates floating IP for the master load balancer. This
label only takes effect when the `master_lb_enabled` is set. The
default value is the same with `floating_ip_enabled`.
- The `floating_ip_enabled` property now only controls if Magnum
should allocate the floating IPs for the master and worker nodes.
Change-Id: I0a232406deaf112b0cb9e445735d7b49206c676d
Story: #2005153
Task: #29868
- Add "octavia" as one of the "ingress_controller" options.
- Add label "octavia_ingress_controller_tag".
- Use external network ID in the heat templates.
Story: 2004838
Change-Id: I7d889a054cd5feb2eeef523b20607a6c7630d777
Now cloud-provider-openstack of Kubernetes has a webhook to support
Keystone authorization and authentication. With this feature, user
can use a new label 'keystone-auth-enabled' to enable the keystone
authN and authZ.
DocImpact
Task: 21637
Story: 1755770
Change-Id: I3d21ad8f55c0d7308a302f62db9e9af147a604f8
HTTP(S) proxy can be specified when creating the template.
https://docs.openstack.org/magnum/latest/admin/magnum-proxy.html
However, it is not being utilized when talking to a public etcd discovery
service, which result in failed cluster creation. We need to be able to
use HTTP(S) proxy when services are running behind a firewall.
Change-Id: I13d86b0dc7c232a51149107f0412219388d8c2cd
story: 2004664
Cluster update was used for scaling operations only,
but if the heat-temaplates where changed for any reason
(eg upgrade of the magnum server), the stack update command
was destructive.
This patch uses the existing parameter in the stack update call.
story: 1722573
task: 21583
Change-Id: Id84e5d878b21c908021e631514c2c58b3fe8b8b0
A new label `service_cluster_ip_range` is added for k8s so that
user can set the service portal ip range to avoid conflicts with
pod ip range.
Task: 22568
Story: 2002725
Change-Id: Ie6e95a953059cc4bd5cf15a44f8666b714defb13
Due to a change in Go 1.10.3[1], which k8s v1.11.1 is based on, now
magnum is failing to create a working k8s cluster with version 1.11.1.
This patch is changing removing the extention usage for server auth
for ca cert and using simple public/private keys for k8s service account
keys.
[1] https://go.googlesource.com/go/+/09fa131c99da0ef9f78c9f4f6cd955237ccc01cd
Task: 23210
Story: 2003103
Change-Id: Ieba8f55d55db2afda6888d4bc6c2caa87370d13d
Multi master deployments for k8s driver use different service account
keys for each api/controller manager server which leads to 401 errors
for service accounts. This patch will create a signed cert and private
key for k8s service account keys explicitly, dedicatedly for the k8s
cluster to avoid the inconsistent keys issue.
Task: 21653
Story: 1766546
Change-Id: I61547405f866d3c5a84da63de66724b55af1066a
This adds an immediate failure response if the etcd discovery service returns
a bad status code. Before Magnum would continue to run and fail to configure
but with vague information of its failure. This would cause Magnum to generally
wait until the entire timeout before failing.
Change-Id: Iebd51e5dc8a3e3c285cb0c2af35c19f6f37ed0a7
Task: 22193
Story: 2002584