Set resource requests for system pods to
guarantee at least some amount of resources.
This prevents them from being starved of
CPU/memory when running alongside resource
intensive workloads in the cluster and
gives them a higher quality of service class.
metrics-server:
100m/200Mi recommended for up to 100 node clusters.
https://github.com/kubernetes-sigs/metrics-server#scaling
openstack-cloud-controller-manager:
200m CPU taken from example manifests.
kubernetes-dashboard:
100m/100Mi taken from helm chart defaults.
heapster:
100m/128Mi taken from helm chart defaults.
influxdb:
100m/256Mi taken from influx helm chart defaults.
grafana (for influxdb):
100m/200Mi same as monitoring grafana.
ingress-traefik:
100m/50Mi taken from helm chart defaults.
cluster-autoscaler:
100m/300Mi taken from helm chart defaults.
csi-cinder-nodeplugin:
25m CPU on both containers to ensure
Burstable QoS class.
csi-cinder-controllerplugin:
20m CPU on all containers to ensure
Burstable QoS class.
tiller-deploy:
25m CPU to ensure it can always handle
the readiness probe.
octavia-ingress-controller:
50m CPU, just a guess really.
Story: 2008825
Task: 42290
Change-Id: Ifcd764c00d7046744ba63609078cc6c5d02fdc1c
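
The QoS reasoning in the commit message above (a CPU request alone is enough to move a pod from BestEffort to Burstable), as an added example that is not part of the Magnum change. The function names `parse_quantity` and `qos_class` are hypothetical, the sample pods are constructed, and the classifier is a simplified model of the Kubernetes rules that does not special-case zero-valued quantities.

```python
from decimal import Decimal

# Kubernetes quantity suffixes needed for CPU and memory values.
_SUFFIXES = {
    "m": Decimal("0.001"),
    "k": Decimal(1000), "M": Decimal(1000) ** 2, "G": Decimal(1000) ** 3,
    "Ki": Decimal(1024), "Mi": Decimal(1024) ** 2, "Gi": Decimal(1024) ** 3,
}


def parse_quantity(value):
    """Convert a quantity such as '25m', '0.1' or '200Mi' to a Decimal."""
    text = str(value)
    # Try two-letter suffixes first so '200Mi' is not read as '200M' + 'i'.
    for suffix in sorted(_SUFFIXES, key=len, reverse=True):
        if text.endswith(suffix):
            return Decimal(text[: -len(suffix)]) * _SUFFIXES[suffix]
    return Decimal(text)


def qos_class(containers):
    """Classify a pod from its containers' `resources` dicts.

    BestEffort: no container sets a cpu/memory request or limit.
    Guaranteed: every container has cpu and memory limits, with requests
                equal to them (a missing request defaults to the limit).
    Burstable:  everything else.
    """
    any_set = False
    guaranteed = True
    for resources in containers:
        requests = resources.get("requests", {})
        limits = resources.get("limits", {})
        for name in ("cpu", "memory"):
            if name in requests or name in limits:
                any_set = True
            limit = limits.get(name)
            request = requests.get(name, limit)
            if limit is None or parse_quantity(request) != parse_quantity(limit):
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


if __name__ == "__main__":
    # Constructed sample: two containers, 25m CPU request each, no limits.
    print(qos_class([{"requests": {"cpu": "25m"}}, {"requests": {"cpu": "25m"}}]))
```
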
* Traefik version updated from v1.7.19 to v1.7.28
* Force secure connections to use TLSv1.2 or greater
Change-Id: I65561358113952e3f60dc488b35ee8fa8f8da740
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
* in 1.20 8080 is not supported anymore
** use only 6443
** change all probes for health to use kubectl and 6443
* configure the signing key in API
story: 2008524
task: 41731
Change-Id: Ibaf1840214016d2dd6ac15e2137eb3cd3d767889
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Use kubectl from the heat agent to apply the
traefik deployment. Current behaviour was to
create a systemd unit to send the manifests
to the API.
This way we will have only one way for applying
manifests to the API.
This change is triggered to address the kubectl
change [0] that is not using 127.0.0.1:8080 as
the default kubernetes API.
[0] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#kubectl
story: 2005286
task: 39522
Change-Id: I8982bd4ec2ab69f35938970d604c16ac5e62e1fa
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
In coreos we have selinux in enforcing.
When the systemd unit does not have
user and group, and the service type is
not simple.
story: 2007210
task: 38609
Change-Id: Ia36a51e62b3dab97faf3ce58a218441bd93e77e9
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
When calling systemctl from the heat-agent we need
to do it over ssh.
story: 2007210
task: 38377
Change-Id: I1f917d276501a174448dbdfe447d69294e7090c4
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
The current magnum traefik deployment will always pull latest traefik
container image. With the new launch of traefik v2
(https://blog.containo.us/back-to-traefik-2-0-2f9aa17be305) this will
have an impact on how the ingress is described in k8s.
This patch:
* Sets the traefik version to default tag v1.7.9, stable release
prior to v2.
* Adds a new label <traefik_ingress_controller_tag> to enable users
to specify a traefik release other than the default.
Task: 30143
Task: 30146
Story: 2005286
Change-Id: I031a594f7b6014d88df055664afcf51b1cd2cd94
Signed-off-by: Diogo Guerra <dy090.guerra@gmail.com>
Explicitly set the supported cipher suite for Ingress TLS using Traefik,
following Mozilla intermediate minus DES3:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
Move the Traefik configuration to a ConfigMap for more flexibility than
provided by command line arguments.
Change-Id: I5a5a95385c4143cce21c60073ae168336c4b2f27
Story: 2005326
Task: 30254
- Start workers as soon as the master VM is created, rather than
waiting for all the services to be ready.
- Move all the SoftwareDeployment outside of kubemaster stack.
- Tweak the scripts in SoftwareDeployment so that they can be combined
into a single script.
Story: 2004573
Task: 28347
Change-Id: Ie48861253615c8f60b34a2c1e9ad6b91d3ae685e
Co-Authored-By: Lingxian Kong <anlin.kong@gmail.com>
Currently, Magnum is using k8s API /version to check the API
availability, which is not a good way because /version only
reflects whether the basic k8s api is working or not. And it will
return a response even if the etcd service is down. This patch fixes
it by using /healthz to replace /version.
Task: 22566
Story: 1775759
Change-Id: I45a1bd48a22842a251dafa6c349f0022fd319e3f
Scripts are the core of Magnum for COE deployment. To be more
clear and consistent, two changes are proposed in this patch:
1. Rename network related scripts to xxx-flannel-xxx given they
are all for flannel and now we have the calico driver.
2. Add .sh to some scripts to be consistent with the others.
Change-Id: I97f3e53b4b43648a4896193fb4ce469dbf42c611