According to the documentation the first argument to log is either a
domain or a '.' (dot). The current setting of 'log stdout' appears to
blackhole query logs. The default output of log is stdout so the
argument would not be necessary.
Removing `stdout` allows coredns to send query logs to stdout.
Reference: https://coredns.io/plugins/log/
Change-Id: I7837015c37eb58ba43ff42cc8b647c717fa1c650
In order to properly support EndpointSlices, enhance ClusterRole.
story: 2009874
task: 44582
Signed-off-by: Daniel Meyerholt <dxm523@gmail.com>
Change-Id: Ib9d81e8d215bb50cb0d80b954949012cbbf45a5c
Starting from CoreDNS 1.7.0 the upstream option is not valid anymore
and CoreDNS does not start when it is set. It has been effectively a
noop since 1.5.2.
Task: 42765
Story: 2009030
Change-Id: I4e8029a4cd5e89d7173758fa1dc2e718895fdbe7
* in 1.20 8080 is not supported anymore
** use only 6443
** change all probes for health to use kubectl and 6443
* configure the signing key in API
story: 2008524
task: 41731
Change-Id: Ibaf1840214016d2dd6ac15e2137eb3cd3d767889
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Without this, heat container agents using kubectl version
1.18.x (e.g. ussuri-dev) fail because they do not have the correct
KUBECONFIG in the environment.
Task: 39938
Story: 2007591
Change-Id: Ifc212478ae09c658adeb6ba4c8e8afc8943e3977
The default version of coreDNS now is upgraded to 1.6.6 and
the coreDNS pod can be scheduled to master nodes.
Task: 39209
Story: 2007256
Change-Id: Icc4aa1f61f3b3937e5d9cc35dbe01c63c18ba3cd
Add an ARCH parameter to handle arch specific things, mostly are the
docker image repo names.
Because not all the docker images magnum used support multi-arch
manifest[1] like kubernetes-dashboard, it will need to specific the
arch name in the docker image repo name.
[1]
https://kubernetes.io/docs/concepts/containers/images/#building-multi-architecture-images-with-manifests
Change-Id: Iccb3a030aefd2d4e55a455d1a0401cbc4eb7fd14
Task: 37884
Story: 2007026
The proportional autoscaler was not taken from
the real gcr.io/google_containers but but from
docker.io/googlecontainer.
story: 2003993
task: 30492
Change-Id: I2b6fa6f6c839d86b935feb9e1fa9f044d1835b34
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
- Start workers as soon as the master VM is created, rather than
waiting all the services ready.
- Move all the SoftwareDeployment outside of kubemaster stack.
- Tweak the scripts in SoftwareDeployment so that they can be combined
into a single script.
Story: 2004573
Task: 28347
Change-Id: Ie48861253615c8f60b34a2c1e9ad6b91d3ae685e
Co-Authored-By: Lingxian Kong <anlin.kong@gmail.com>
Currently, Magnum is using k8s API /version to check the API
availibility which is not a good way because /version only
reflects if the basic k8s api is working on not. And it will
return response even the etcd service is down. This patch fixes
it by using /healthz to replace /version.
Task: 22566
Story: 1775759
Change-Id: I45a1bd48a22842a251dafa6c349f0022fd319e3f
When creating a multi-master cluster, all master nodes will attempt to
create kubernetes resources in the cluster at this same time, like
coredns, the dashboard, calico etc. This race conditon shouldn't be
a problem when doing declarative calls instead of imperative (kubectl
apply instead of create). However, due to [1], kubectl fails to apply
the changes and the deployemnt scripts fail causing cluster to creation
to fail in the case of Heat SoftwareDeployments. This patch passes the
ResourceGroup index of every master so that resource creation will be
attempted only from the first master node.
[1] https://github.com/kubernetes/kubernetes/issues/44165
Task: 21673
Story: 1775759
Change-Id: I83f78022481aeef945334c37ac6c812bba9791fd
After adding the autoscaler for coredns, the limit
for user_data was reached again. Make coredns
config a SoftwareDeployment.
Change-Id: I0a9852e9293842e859947acf0c4b6da20394436a
Closes-Bug: #1757554
DNS service is a very critical service in k8s world, though it's not
a part of k8s itself. So it would be nice to have it replicate more
than 1 and on differents nodes to have high availbility. Otherwise,
services running on k8s cluster will be broken if the node contains
DNS pod down. Another sample is, when user would like to do a cluster
upgrade, services will be borken when the node containers DNS pod
being replaced. You can find lots of discussion about this, please
refer [1],[2] and [3].
[1] https://github.com/kubernetes/kubeadm/issues/128
[2] https://github.com/kubernetes/kubernetes/issues/40063
[3] https://github.com/kubernetes/kops/issues/2693
Closes-Bug: #1757554
Change-Id: Ic64569d4bdcf367955398d5badef70e7afe33bbb
Due to a few several small connected patches for the
fedora atomic driver, this patch includes 4 smaller patches.
Patch 1:
k8s: Do not start kubelet and kube-proxy on master
Patch [1], misses the removal of kubelet and kube-proxy from
enable-services-master.sh and therefore they are started if they
exist in the image or the script will fail.
https://review.openstack.org/#/c/533593/
Closes-Bug: #1726482
Patch 2:
k8s: Set require-kubeconfig when needed
From kubernetes 1.8 [1] --require-kubeconfig is deprecated and
in kubernetes 1.9 it is removed.
Add --require-kubeconfig only for k8s <= 1.8.
[1] https://github.com/kubernetes/kubernetes/issues/36745
Closes-Bug: #1718926https://review.openstack.org/#/c/534309/
Patch 3:
k8s_fedora: Add RBAC configuration
* Make certificates and kubeconfigs compatible
with NodeAuthorizer [1].
* Add CoreDNS roles and rolebindings.
* Create the system:kube-apiserver-to-kubelet ClusterRole.
* Bind the system:kube-apiserver-to-kubelet ClusterRole to
the kubernetes user.
* remove creation of kube-system namespaces, it is created
by default
* update client cert generation in the conductor with
kubernetes' requirements
* Add --insecure-bind-address=127.0.0.1 to work on
multi-master too. The controller manager on each
node needs to contact the apiserver (on the same node)
on 127.0.0.1:8080
[1] https://kubernetes.io/docs/admin/authorization/node/
Closes-Bug: #1742420
Depends-On: If43c3d0a0d83c42ff1fceffe4bcc333b31dbdaab
https://review.openstack.org/#/c/527103/
Patch 4:
k8s_fedora: Update coredns config to pass e2e
To pass the e2e conformance tests, coredns needs to
be configured with POD-MODE verified. Otherwise, pods
won't be resolvable [1].
[1] https://github.com/coredns/coredns/tree/master/plugin/kuberneteshttps://review.openstack.org/#/c/528566/
Closes-Bug: #1738633
Change-Id: Ibd5245ca0f5a11e1d67a2514cebb2ffe8aa5e7de
Add a label to prefix all container image use by magnum:
* kubernetes components
* coredns
* node-exporter
* kubernetes-dashboard
Using this label all containers will be pulled from the specified
registry and group in the registry.
TODO:
* grafana
* prometheus
Closes-Bug: #1712810
Change-Id: Iefe02f5ebc97787ee80431e0f16f73ae8444bdc0
Enable internal cluster DNS by deploying CoreDNS in the kube-system
namespace. It covers dns queries for both the cluster and external,
acting as a proxy with a cache layer in front.
Version of CoreDNS hard-coded to 007, image taken from dockerhub.
Related-Bug: #1692449
Change-Id: I0a9703b531fe872416dcd79fa7d4d27c1ea61586