openstack
/
magnum
Code Issues Proposed changes

Merge "Removing Tiller support"

This commit is contained in:
Zuul 2024-03-04 20:52:16 +00:00 committed by Gerrit Code Review
parent 38a0f41c94 e3aaa89376
commit 52f479c8ec
10 changed files with 57 additions and 379 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
doc/source/user/index.rst
View File

@ -399,13 +399,6 @@ the table are linked to more details elsewhere in the user guide.
+---------------------------------------+--------------------+---------------+
| `k8s_keystone_auth_tag`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `tiller_enabled`_ | - true | false |
| | - false | |
+---------------------------------------+--------------------+---------------+
| `tiller_tag`_ | see below | "" |
+---------------------------------------+--------------------+---------------+
| `tiller_namespace`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `helm_client_url`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
| `helm_client_sha256`_ | see below | see below |
@ -1404,22 +1397,6 @@ _`k8s_keystone_auth_tag`
Train default: v1.14.0
Ussuri default: v1.18.0
_`tiller_enabled`
If set to true, tiller will be deployed in the kube-system namespace.
Ussuri default: false
Train default: false
_`tiller_tag`
This label allows users to override the default container tag for Tiller.
For additional tags, `refer to Tiller page
<https://github.com/helm/helm/tags>`_ and look for tags<v3.0.0.
Train default: v2.12.3
Ussuri default: v2.16.7
_`tiller_namespace`
The namespace in which Tiller and Helm v2 chart install jobs are installed.
Default: magnum-tiller
_`helm_client_url`
URL of the helm client binary.
Default: ''
@ -1431,8 +1408,7 @@ _`helm_client_sha256`
_`helm_client_tag`
This label allows users to override the default container tag for Helm
client. For additional tags, `refer to Helm client page
<https://github.com/helm/helm/tags>`_. You must use identical tiller_tag if
you wish to use Tiller (for helm_client_tag<v3.0.0).
<https://github.com/helm/helm/tags>`_.
Ussuri default: v3.2.1
_`master_lb_floating_ip_enabled`
@ -1683,8 +1659,6 @@ _`ingress_controller`
Controller is configured. For more details about octavia-ingress-controller
please refer to `cloud-provider-openstack document
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/octavia-ingress-controller/using-octavia-ingress-controller.md>`_
To use 'nginx' ingress controller, tiller_enabled must be true when using
helm_client_tag<v3.0.0.
_`ingress_controller_role`
This label defines the role nodes should have to run an instance of the

4
doc/source/user/monitoring.rst
View File

@ -28,16 +28,12 @@ The installation of these services is controlled with the following labels:
_`metrics_server_enabled`
metrics_server_enabled is used to enable disable the installation of
the metrics server.
To use this service tiller_enabled must be true when using
helm_client_tag<v3.0.0.
Train default: true
Stein default: true
_`monitoring_enabled`
Enable installation of cluster monitoring solution provided by the
stable/prometheus-operator helm chart.
To use this service tiller_enabled must be true when using
helm_client_tag<v3.0.0.
Default: false
_`prometheus_adapter_enabled`

237
magnum/drivers/common/templates/kubernetes/fragments/enable-helm-tiller.sh
View File

@ -1,237 +0,0 @@
. /etc/sysconfig/heat-params
step="enable-helm-tiller"
printf "Starting to run ${step}\n"
if [ "$(echo ${TILLER_ENABLED} | tr '[:upper:]' '[:lower:]')" == "true" ]; then
CERTS_DIR="/etc/kubernetes/helm/certs/"
mkdir -p "${CERTS_DIR}"
# Private CA key
openssl genrsa -out "${CERTS_DIR}/ca.key.pem" 4096
# CA public cert
openssl req -key "${CERTS_DIR}/ca.key.pem" -new -x509 -days 7300 -sha256 -out "${CERTS_DIR}/ca.cert.pem" -extensions v3_ca -subj "/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum/CN=tiller"
# Private tiller-server key
openssl genrsa -out "${CERTS_DIR}/tiller.key.pem" 4096
# Private helm-client key
openssl genrsa -out "${CERTS_DIR}/helm.key.pem" 4096
# Request for tiller-server cert
openssl req -key "${CERTS_DIR}/tiller.key.pem" -new -sha256 -out "${CERTS_DIR}/tiller.csr.pem" -subj "/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum/CN=tiller-server"
# Request for helm-client cert
openssl req -key "${CERTS_DIR}/helm.key.pem" -new -sha256 -out "${CERTS_DIR}/helm.csr.pem" -subj "/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum/CN=helm-client"
# Sign tiller-server cert
openssl x509 -req -CA "${CERTS_DIR}/ca.cert.pem" -CAkey "${CERTS_DIR}/ca.key.pem" -CAcreateserial -in "${CERTS_DIR}/tiller.csr.pem" -out "${CERTS_DIR}/tiller.cert.pem" -days 365
# Sign helm-client cert
openssl x509 -req -CA "${CERTS_DIR}/ca.cert.pem" -CAkey "${CERTS_DIR}/ca.key.pem" -CAcreateserial -in "${CERTS_DIR}/helm.csr.pem" -out "${CERTS_DIR}/helm.cert.pem" -days 365
_tiller_prefix=${CONTAINER_INFRA_PREFIX:-gcr.io/kubernetes-helm/}
TILLER_RBAC=/srv/magnum/kubernetes/manifests/tiller-rbac.yaml
TILLER_DEPLOYER=/srv/magnum/kubernetes/manifests/deploy-tiller.yaml
TILLER_IMAGE="${_tiller_prefix}tiller:${TILLER_TAG}"
[ -f ${TILLER_RBAC} ] || {
echo "Writing File: $TILLER_RBAC"
mkdir -p $(dirname ${TILLER_RBAC})
cat << EOF > ${TILLER_RBAC}
---
apiVersion: v1
kind: Namespace
metadata:
name: ${TILLER_NAMESPACE}
---
# Tiller service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: ${TILLER_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: ${TILLER_NAMESPACE}
EOF
}
[ -f ${TILLER_DEPLOYER} ] || {
echo "Writing File: $TILLER_DEPLOYER"
mkdir -p $(dirname ${TILLER_DEPLOYER})
cat << EOF > ${TILLER_DEPLOYER}
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller
name: tiller-deploy
namespace: ${TILLER_NAMESPACE}
spec:
replicas: 1
strategy: {}
selector:
matchLabels:
app: helm
name: tiller
template:
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller
spec:
automountServiceAccountToken: true
containers:
- env:
- name: TILLER_NAMESPACE
value: ${TILLER_NAMESPACE}
- name: TILLER_HISTORY_MAX
value: "0"
- name: TILLER_TLS_VERIFY
value: "1"
- name: TILLER_TLS_ENABLE
value: "1"
- name: TILLER_TLS_CERTS
value: /etc/certs
image: ${TILLER_IMAGE}
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /liveness
port: 44135
initialDelaySeconds: 1
timeoutSeconds: 1
name: tiller
ports:
- containerPort: 44134
name: tiller
- containerPort: 44135
name: http
readinessProbe:
httpGet:
path: /readiness
port: 44135
initialDelaySeconds: 1
timeoutSeconds: 1
resources:
requests:
cpu: 25m
volumeMounts:
- mountPath: /etc/certs
name: tiller-certs
readOnly: true
serviceAccountName: tiller
tolerations:
# Make sure the pod can be scheduled on master kubelet.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
# run only on master nodes
nodeSelector:
node-role.kubernetes.io/master: ""
volumes:
- name: tiller-certs
secret:
secretName: tiller-secret
status: {}
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller
name: tiller-deploy
namespace: ${TILLER_NAMESPACE}
spec:
ports:
- name: tiller
port: 44134
targetPort: tiller
selector:
app: helm
name: tiller
type: ClusterIP
status:
loadBalancer: {}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller
name: tiller-secret
namespace: ${TILLER_NAMESPACE}
data:
ca.crt: $(cat "${CERTS_DIR}/ca.cert.pem" | base64 --wrap=0)
tls.crt: $(cat "${CERTS_DIR}/tiller.cert.pem" | base64 --wrap=0)
tls.key: $(cat "${CERTS_DIR}/tiller.key.pem" | base64 --wrap=0)
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller-ca-key
name: tiller-ca-key
namespace: ${TILLER_NAMESPACE}
data:
ca.key.pem: $(cat "${CERTS_DIR}/ca.key.pem" | base64 --wrap=0)
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
creationTimestamp: null
labels:
app: helm
name: helm-client
name: helm-client-secret
namespace: ${TILLER_NAMESPACE}
data:
ca.pem: $(cat "${CERTS_DIR}/ca.cert.pem" | base64 --wrap=0)
cert.pem: $(cat "${CERTS_DIR}/helm.cert.pem" | base64 --wrap=0)
key.pem: $(cat "${CERTS_DIR}/helm.key.pem" | base64 --wrap=0)
EOF
}
until [ "ok" = "$(kubectl get --raw='/healthz')" ]
do
echo "Waiting for Kubernetes API..."
sleep 5
done
kubectl apply -f ${TILLER_RBAC}
kubectl apply -f ${TILLER_DEPLOYER}
fi
printf "Finished running ${step}\n"

101
magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh
View File

@ -24,68 +24,63 @@ until [ "ok" = "$(kubectl get --raw='/healthz')" ]; do
sleep 5
done
if [[ "$(echo ${TILLER_ENABLED} | tr '[:upper:]' '[:lower:]')" != "true" && "${HELM_CLIENT_TAG}" == v2.* ]]; then
echo "Use --labels tiller_enabled=True for helm_client_tag<v3.0.0 to allow for tiller dependent resources to be installed."
else
if [ -z "${HELM_CLIENT_URL}" ] ; then
HELM_CLIENT_URL="https://get.helm.sh/helm-$HELM_CLIENT_TAG-linux-amd64.tar.gz"
fi
i=0
until curl -o /srv/magnum/helm-client.tar.gz "${HELM_CLIENT_URL}"; do
i=$((i + 1))
[ $i -lt 5 ] || break;
sleep 5
if [ -z "${HELM_CLIENT_URL}" ] ; then
HELM_CLIENT_URL="https://get.helm.sh/helm-$HELM_CLIENT_TAG-linux-amd64.tar.gz"
fi
i=0
until curl -o /srv/magnum/helm-client.tar.gz "${HELM_CLIENT_URL}"; do
i=$((i + 1))
[ $i -lt 5 ] || break;
sleep 5
done
if ! echo "${HELM_CLIENT_SHA256} /srv/magnum/helm-client.tar.gz" | sha256sum -c - ; then
echo "ERROR helm-client.tar.gz computed checksum did NOT match, exiting."
exit 1
fi
source /etc/bashrc
$ssh_cmd tar xzvf /srv/magnum/helm-client.tar.gz linux-amd64/helm -O > /srv/magnum/bin/helm
$ssh_cmd chmod +x /srv/magnum/bin/helm
helm_install_cmd="helm upgrade --install magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
helm_history_cmd="helm history magnum --namespace kube-system"
if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then
CERTS_DIR="/etc/kubernetes/helm/certs"
export HELM_HOME="/srv/magnum/kubernetes/helm/home"
export HELM_TLS_ENABLE="true"
mkdir -p "${HELM_HOME}"
ln -s ${CERTS_DIR}/helm.cert.pem ${HELM_HOME}/cert.pem
ln -s ${CERTS_DIR}/helm.key.pem ${HELM_HOME}/key.pem
ln -s ${CERTS_DIR}/ca.cert.pem ${HELM_HOME}/ca.pem
# HACK - Force wait because of bug https://github.com/helm/helm/issues/5170
until helm init --client-only --wait; do
sleep 5s
done
helm_install_cmd="helm upgrade --install --name magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
helm_history_cmd="helm history magnum"
fi
if ! echo "${HELM_CLIENT_SHA256} /srv/magnum/helm-client.tar.gz" | sha256sum -c - ; then
echo "ERROR helm-client.tar.gz computed checksum did NOT match, exiting."
exit 1
fi
source /etc/bashrc
$ssh_cmd tar xzvf /srv/magnum/helm-client.tar.gz linux-amd64/helm -O > /srv/magnum/bin/helm
$ssh_cmd chmod +x /srv/magnum/bin/helm
helm_install_cmd="helm upgrade --install magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
helm_history_cmd="helm history magnum --namespace kube-system"
if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then
CERTS_DIR="/etc/kubernetes/helm/certs"
export HELM_HOME="/srv/magnum/kubernetes/helm/home"
export HELM_TLS_ENABLE="true"
export TILLER_NAMESPACE
mkdir -p "${HELM_HOME}"
ln -s ${CERTS_DIR}/helm.cert.pem ${HELM_HOME}/cert.pem
ln -s ${CERTS_DIR}/helm.key.pem ${HELM_HOME}/key.pem
ln -s ${CERTS_DIR}/ca.cert.pem ${HELM_HOME}/ca.pem
# HACK - Force wait because of bug https://github.com/helm/helm/issues/5170
until helm init --client-only --wait; do
sleep 5s
done
helm_install_cmd="helm upgrade --install --name magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
helm_history_cmd="helm history magnum"
fi
HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum"
if [[ -d "${HELM_CHART_DIR}" ]]; then
pushd ${HELM_CHART_DIR}
cat << EOF > Chart.yaml
HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum"
if [[ -d "${HELM_CHART_DIR}" ]]; then
pushd ${HELM_CHART_DIR}
cat << EOF > Chart.yaml
apiVersion: v1
name: magnum
version: 1.0.0
appVersion: v1.0.0
description: Magnum Helm Charts
EOF
sed -i '1i\dependencies:' requirements.yaml
sed -i '1i\dependencies:' requirements.yaml
i=0
until ($helm_history_cmd | grep magnum | grep deployed) || (helm dep update && $helm_install_cmd); do
i=$((i + 1))
[ $i -lt 60 ] || break;
sleep 5
done
popd
fi
i=0
until ($helm_history_cmd | grep magnum | grep deployed) || (helm dep update && $helm_install_cmd); do
i=$((i + 1))
[ $i -lt 60 ] || break;
sleep 5
done
popd
fi
echo "END: ${step}"

3
magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
View File

@ -124,9 +124,6 @@ KEYSTONE_AUTH_ENABLED="$KEYSTONE_AUTH_ENABLED"
K8S_KEYSTONE_AUTH_TAG="$K8S_KEYSTONE_AUTH_TAG"
PROJECT_ID="$PROJECT_ID"
EXTERNAL_NETWORK_ID="$EXTERNAL_NETWORK_ID"
TILLER_ENABLED="$TILLER_ENABLED"
TILLER_TAG="$TILLER_TAG"
TILLER_NAMESPACE="$TILLER_NAMESPACE"
HELM_CLIENT_URL="$HELM_CLIENT_URL"
HELM_CLIENT_SHA256="$HELM_CLIENT_SHA256"
HELM_CLIENT_TAG="$HELM_CLIENT_TAG"

3
magnum/drivers/heat/k8s_fedora_template_def.py
View File

@ -111,9 +111,6 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'prometheus_adapter_chart_tag',
'prometheus_adapter_configmap',
'selinux_mode',
'tiller_enabled',
'tiller_tag',
'tiller_namespace',
'helm_client_url', 'helm_client_sha256',
'helm_client_tag',
'traefik_ingress_controller_tag',

19
magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
View File

@ -789,21 +789,6 @@ parameters:
description: >
project id of current project
tiller_enabled:
type: boolean
description: Choose whether to install tiller or not.
default: false
tiller_tag:
type: string
description: tag of tiller container
default: "v2.16.7"
tiller_namespace:
type: string
description: namespace where tiller will be installed.
default: "magnum-tiller"
helm_client_url:
type: string
description: url of helm client tarball
@ -1364,9 +1349,6 @@ resources:
prometheus_adapter_chart_tag: {get_param: prometheus_adapter_chart_tag}
prometheus_adapter_configmap: {get_param: prometheus_adapter_configmap}
project_id: {get_param: project_id}
tiller_enabled: {get_param: tiller_enabled}
tiller_tag: {get_param: tiller_tag}
tiller_namespace: {get_param: tiller_namespace}
helm_client_url: {get_param: helm_client_url}
helm_client_sha256: {get_param: helm_client_sha256}
helm_client_tag: {get_param: helm_client_tag}
@ -1417,7 +1399,6 @@ resources:
- get_file: ../../common/templates/kubernetes/fragments/core-dns-service.sh
- get_file: ../../common/templates/kubernetes/fragments/calico-service.sh
- get_file: ../../common/templates/kubernetes/fragments/flannel-service.sh
- get_file: ../../common/templates/kubernetes/fragments/enable-helm-tiller.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh}
params:

15
magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
View File

@ -545,18 +545,6 @@ parameters:
description: >
project id of current project
tiller_enabled:
type: string
description: Whether to enable tiller or not
tiller_tag:
type: string
description: tag of tiller container
tiller_namespace:
type: string
description: namespace where tiller will be installed
helm_client_url:
type: string
description: url of helm client tarball
@ -895,9 +883,6 @@ resources:
"$PROMETHEUS_ADAPTER_CONFIGMAP": {get_param: prometheus_adapter_configmap}
"$PROJECT_ID": {get_param: project_id}
"$EXTERNAL_NETWORK_ID": {get_param: external_network}
"$TILLER_ENABLED": {get_param: tiller_enabled}
"$TILLER_TAG": {get_param: tiller_tag}
"$TILLER_NAMESPACE": {get_param: tiller_namespace}
"$HELM_CLIENT_URL": {get_param: helm_client_url}
"$HELM_CLIENT_SHA256": {get_param: helm_client_sha256}
"$HELM_CLIENT_TAG": {get_param: helm_client_tag}

18
magnum/tests/unit/drivers/test_template_definition.py
View File

@ -509,12 +509,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
prometheus_adapter_configmap = mock_cluster.labels.get(
'prometheus_adapter_configmap')
project_id = mock_cluster.project_id
tiller_enabled = mock_cluster.labels.get(
'tiller_enabled')
tiller_tag = mock_cluster.labels.get(
'tiller_tag')
tiller_namespace = mock_cluster.labels.get(
'tiller_namespace')
helm_client_url = mock_cluster.labels.get(
'helm_client_url')
helm_client_sha256 = mock_cluster.labels.get(
@ -655,9 +649,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'prometheus_adapter_configmap': prometheus_adapter_configmap,
'project_id': project_id,
'external_network': external_network_id,
'tiller_enabled': tiller_enabled,
'tiller_tag': tiller_tag,
'tiller_namespace': tiller_namespace,
'helm_client_url': helm_client_url,
'helm_client_sha256': helm_client_sha256,
'helm_client_tag': helm_client_tag,
@ -1072,12 +1063,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
prometheus_adapter_configmap = mock_cluster.labels.get(
'prometheus_adapter_configmap')
project_id = mock_cluster.project_id
tiller_enabled = mock_cluster.labels.get(
'tiller_enabled')
tiller_tag = mock_cluster.labels.get(
'tiller_tag')
tiller_namespace = mock_cluster.labels.get(
'tiller_namespace')
helm_client_url = mock_cluster.labels.get(
'helm_client_url')
helm_client_sha256 = mock_cluster.labels.get(
@ -1222,9 +1207,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'prometheus_adapter_configmap': prometheus_adapter_configmap,
'project_id': project_id,
'external_network': external_network_id,
'tiller_enabled': tiller_enabled,
'tiller_tag': tiller_tag,
'tiller_namespace': tiller_namespace,
'helm_client_url': helm_client_url,
'helm_client_sha256': helm_client_sha256,
'helm_client_tag': helm_client_tag,

8
releasenotes/notes/drop-tiller-5b98862961003df8.yaml Normal file
View File

@ -0,0 +1,8 @@
---
upgrade:
- |
``Tiller`` support has been dropped, following labels are not functional
anymore:
* ``tiller_enabled``
* ``tiller_tag``
* ``tiller_namespace``