From e3aaa89376c2b405d74c91995888c6370b25dc51 Mon Sep 17 00:00:00 2001 From: Jakub Darmach Date: Thu, 8 Feb 2024 13:19:33 +0100 Subject: [PATCH] Removing Tiller support Removed Tiller support from Helm modules install kubernetes fragment. Change-Id: I81db0055ae82c64218498ae3e2a4fcc802f8d0e4 --- doc/source/user/index.rst | 28 +-- doc/source/user/monitoring.rst | 4 - .../fragments/enable-helm-tiller.sh | 237 ------------------ .../fragments/install-helm-modules.sh | 101 ++++---- .../fragments/write-heat-params-master.sh | 3 - .../drivers/heat/k8s_fedora_template_def.py | 3 - .../templates/kubecluster.yaml | 19 -- .../templates/kubemaster.yaml | 15 -- .../unit/drivers/test_template_definition.py | 18 -- .../notes/drop-tiller-5b98862961003df8.yaml | 8 + 10 files changed, 57 insertions(+), 379 deletions(-) delete mode 100644 magnum/drivers/common/templates/kubernetes/fragments/enable-helm-tiller.sh create mode 100644 releasenotes/notes/drop-tiller-5b98862961003df8.yaml diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index 71b04b2fa4..f2783b9ab2 100644 --- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst 
@@ -399,13 +399,6 @@ the table are linked to more details elsewhere in the user guide. +---------------------------------------+--------------------+---------------+ | `k8s_keystone_auth_tag`_ | see below | see below | +---------------------------------------+--------------------+---------------+ -| `tiller_enabled`_ | - true | false | -| | - false | | -+---------------------------------------+--------------------+---------------+ -| `tiller_tag`_ | see below | "" | -+---------------------------------------+--------------------+---------------+ -| `tiller_namespace`_ | see below | see below | -+---------------------------------------+--------------------+---------------+ | `helm_client_url`_ | see below | see below | +---------------------------------------+--------------------+---------------+ | `helm_client_sha256`_ | see below | see below | @@ -1404,22 +1397,6 @@ _`k8s_keystone_auth_tag` Train default: v1.14.0 Ussuri default: v1.18.0 -_`tiller_enabled` - If set to true, tiller will be deployed in the kube-system namespace. - Ussuri default: false - Train default: false - -_`tiller_tag` - This label allows users to override the default container tag for Tiller. - For additional tags, `refer to Tiller page - `_ and look for tags`_. You must use identical tiller_tag if - you wish to use Tiller (for helm_client_tag`_. Ussuri default: v3.2.1 _`master_lb_floating_ip_enabled` 
@@ -1683,8 +1659,6 @@ _`ingress_controller` Controller is configured. For more details about octavia-ingress-controller please refer to `cloud-provider-openstack document `_ - To use 'nginx' ingress controller, tiller_enabled must be true when using - helm_client_tag ${TILLER_RBAC} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ${TILLER_NAMESPACE} ---- -# Tiller service account -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tiller - namespace: ${TILLER_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tiller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: tiller - namespace: ${TILLER_NAMESPACE} -EOF - } - - [ -f ${TILLER_DEPLOYER} ] || { - echo "Writing File: $TILLER_DEPLOYER" - mkdir -p $(dirname ${TILLER_DEPLOYER}) - cat << EOF > ${TILLER_DEPLOYER} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - name: tiller-deploy - namespace: ${TILLER_NAMESPACE} -spec: - replicas: 1 - strategy: {} - selector: - matchLabels: - app: helm - name: tiller - template: - metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - spec: - automountServiceAccountToken: true - containers: - - env: - - name: TILLER_NAMESPACE - value: ${TILLER_NAMESPACE} - - name: TILLER_HISTORY_MAX - value: "0" - - name: TILLER_TLS_VERIFY - value: "1" - - name: TILLER_TLS_ENABLE - value: "1" - - name: TILLER_TLS_CERTS - value: /etc/certs - image: ${TILLER_IMAGE} - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /liveness - port: 44135 - initialDelaySeconds: 1 - timeoutSeconds: 1 - name: tiller - ports: - - containerPort: 44134 - name: tiller - - containerPort: 44135 - name: http - readinessProbe: - httpGet: - path: /readiness - port: 44135 - initialDelaySeconds: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 25m - volumeMounts: - - 
mountPath: /etc/certs - name: tiller-certs - readOnly: true - serviceAccountName: tiller - tolerations: - # Make sure the pod can be scheduled on master kubelet. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - # run only on master nodes - nodeSelector: - node-role.kubernetes.io/master: "" - volumes: - - name: tiller-certs - secret: - secretName: tiller-secret -status: {} - ---- -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - name: tiller-deploy - namespace: ${TILLER_NAMESPACE} -spec: - ports: - - name: tiller - port: 44134 - targetPort: tiller - selector: - app: helm - name: tiller - type: ClusterIP -status: - loadBalancer: {} - ---- -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - name: tiller-secret - namespace: ${TILLER_NAMESPACE} -data: - ca.crt: $(cat "${CERTS_DIR}/ca.cert.pem" | base64 --wrap=0) - tls.crt: $(cat "${CERTS_DIR}/tiller.cert.pem" | base64 --wrap=0) - tls.key: $(cat "${CERTS_DIR}/tiller.key.pem" | base64 --wrap=0) ---- -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - creationTimestamp: null - labels: - app: helm - name: tiller-ca-key - name: tiller-ca-key - namespace: ${TILLER_NAMESPACE} -data: - ca.key.pem: $(cat "${CERTS_DIR}/ca.key.pem" | base64 --wrap=0) ---- -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - creationTimestamp: null - labels: - app: helm - name: helm-client - name: helm-client-secret - namespace: ${TILLER_NAMESPACE} -data: - ca.pem: $(cat "${CERTS_DIR}/ca.cert.pem" | base64 --wrap=0) - cert.pem: $(cat "${CERTS_DIR}/helm.cert.pem" | base64 --wrap=0) - key.pem: $(cat "${CERTS_DIR}/helm.key.pem" | base64 --wrap=0) -EOF - } - - until [ "ok" = "$(kubectl get --raw='/healthz')" ] - do - echo "Waiting for Kubernetes API..." 
- sleep 5 - done - - kubectl apply -f ${TILLER_RBAC} - kubectl apply -f ${TILLER_DEPLOYER} -fi - -printf "Finished running ${step}\n" diff --git a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh index a0b3f4bc75..1bdc5aabc6 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh 
@@ -24,68 +24,63 @@ until [ "ok" = "$(kubectl get --raw='/healthz')" ]; do sleep 5 done -if [[ "$(echo ${TILLER_ENABLED} | tr '[:upper:]' '[:lower:]')" != "true" && "${HELM_CLIENT_TAG}" == v2.* ]]; then - echo "Use --labels tiller_enabled=True for helm_client_tag /srv/magnum/bin/helm +$ssh_cmd chmod +x /srv/magnum/bin/helm + +helm_install_cmd="helm upgrade --install magnum . --namespace kube-system --values values.yaml --render-subchart-notes" +helm_history_cmd="helm history magnum --namespace kube-system" +if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then + CERTS_DIR="/etc/kubernetes/helm/certs" + export HELM_HOME="/srv/magnum/kubernetes/helm/home" + export HELM_TLS_ENABLE="true" + mkdir -p "${HELM_HOME}" + ln -s ${CERTS_DIR}/helm.cert.pem ${HELM_HOME}/cert.pem + ln -s ${CERTS_DIR}/helm.key.pem ${HELM_HOME}/key.pem + ln -s ${CERTS_DIR}/ca.cert.pem ${HELM_HOME}/ca.pem + + # HACK - Force wait because of bug https://github.com/helm/helm/issues/5170 + until helm init --client-only --wait; do + sleep 5s done + helm_install_cmd="helm upgrade --install --name magnum . --namespace kube-system --values values.yaml --render-subchart-notes" + helm_history_cmd="helm history magnum" +fi - if ! echo "${HELM_CLIENT_SHA256} /srv/magnum/helm-client.tar.gz" | sha256sum -c - ; then - echo "ERROR helm-client.tar.gz computed checksum did NOT match, exiting." - exit 1 - fi - - source /etc/bashrc - $ssh_cmd tar xzvf /srv/magnum/helm-client.tar.gz linux-amd64/helm -O > /srv/magnum/bin/helm - $ssh_cmd chmod +x /srv/magnum/bin/helm - - helm_install_cmd="helm upgrade --install magnum . 
--namespace kube-system --values values.yaml --render-subchart-notes" - helm_history_cmd="helm history magnum --namespace kube-system" - if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then - CERTS_DIR="/etc/kubernetes/helm/certs" - export HELM_HOME="/srv/magnum/kubernetes/helm/home" - export HELM_TLS_ENABLE="true" - export TILLER_NAMESPACE - mkdir -p "${HELM_HOME}" - ln -s ${CERTS_DIR}/helm.cert.pem ${HELM_HOME}/cert.pem - ln -s ${CERTS_DIR}/helm.key.pem ${HELM_HOME}/key.pem - ln -s ${CERTS_DIR}/ca.cert.pem ${HELM_HOME}/ca.pem - - # HACK - Force wait because of bug https://github.com/helm/helm/issues/5170 - until helm init --client-only --wait; do - sleep 5s - done - helm_install_cmd="helm upgrade --install --name magnum . --namespace kube-system --values values.yaml --render-subchart-notes" - helm_history_cmd="helm history magnum" - fi - - HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum" - if [[ -d "${HELM_CHART_DIR}" ]]; then - pushd ${HELM_CHART_DIR} - cat << EOF > Chart.yaml +HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum" +if [[ -d "${HELM_CHART_DIR}" ]]; then + pushd ${HELM_CHART_DIR} + cat << EOF > Chart.yaml apiVersion: v1 name: magnum version: 1.0.0 appVersion: v1.0.0 description: Magnum Helm Charts EOF - sed -i '1i\dependencies:' requirements.yaml + sed -i '1i\dependencies:' requirements.yaml - i=0 - until ($helm_history_cmd | grep magnum | grep deployed) || (helm dep update && $helm_install_cmd); do - i=$((i + 1)) - [ $i -lt 60 ] || break; - sleep 5 - done - popd - fi + i=0 + until ($helm_history_cmd | grep magnum | grep deployed) || (helm dep update && $helm_install_cmd); do + i=$((i + 1)) + [ $i -lt 60 ] || break; + sleep 5 + done + popd fi echo "END: ${step}" diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh index 0cd02bf95b..53034354bc 100644 
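Review bot: The surviving `if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then` branch still configures a Helm v2 client (HELM_TLS_ENABLE, the three `ln -s` cert links, `helm init --client-only --wait`, the `--name magnum` command variants) against a Tiller that this same commit stops deploying, so a cluster created with a v2 helm_client_tag can no longer succeed here, and the old `tiller_enabled`/v2 guard at the top of the hunk is removed without any replacement. Because the install loop only does `[ $i -lt 60 ] || break` and then falls through to `popd` and `echo "END: ${step}"`, that failure would show up as five minutes of retries and a cluster silently missing the magnum charts rather than as an error. I would make the v2 branch fail fast instead: `echo "ERROR: helm_client_tag ${HELM_CLIENT_TAG} requires Tiller, which is no longer supported; use a v3 helm_client_tag."` followed by `exit 1`, and drop the v2-only `helm_install_cmd`/`helm_history_cmd` overrides. If the helm and CA certificates under /etc/kubernetes/helm/certs were generated by the deleted enable-helm-tiller.sh fragment (its head is not in view), the `ln -s` lines would also now point at files that are never created. The enclosing script starts before this hunk.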
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh @@ -124,9 +124,6 @@ KEYSTONE_AUTH_ENABLED="$KEYSTONE_AUTH_ENABLED" K8S_KEYSTONE_AUTH_TAG="$K8S_KEYSTONE_AUTH_TAG" PROJECT_ID="$PROJECT_ID" EXTERNAL_NETWORK_ID="$EXTERNAL_NETWORK_ID" -TILLER_ENABLED="$TILLER_ENABLED" -TILLER_TAG="$TILLER_TAG" -TILLER_NAMESPACE="$TILLER_NAMESPACE" HELM_CLIENT_URL="$HELM_CLIENT_URL" HELM_CLIENT_SHA256="$HELM_CLIENT_SHA256" HELM_CLIENT_TAG="$HELM_CLIENT_TAG" diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py index 52acc13e2e..b207daeda6 100644 --- a/magnum/drivers/heat/k8s_fedora_template_def.py +++ b/magnum/drivers/heat/k8s_fedora_template_def.py @@ -111,9 +111,6 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition): 'prometheus_adapter_chart_tag', 'prometheus_adapter_configmap', 'selinux_mode', - 'tiller_enabled', - 'tiller_tag', - 'tiller_namespace', 'helm_client_url', 'helm_client_sha256', 'helm_client_tag', 'traefik_ingress_controller_tag', diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml index 02c6eac5d9..3a6252175c 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml @@ -789,21 +789,6 @@ parameters: description: > project id of current project - tiller_enabled: - type: boolean - description: Choose whether to install tiller or not. - default: false - - tiller_tag: - type: string - description: tag of tiller container - default: "v2.16.7" - - tiller_namespace: - type: string - description: namespace where tiller will be installed. - default: "magnum-tiller" - helm_client_url: type: string description: url of helm client tarball 
@@ -1364,9 +1349,6 @@ resources: prometheus_adapter_chart_tag: {get_param: prometheus_adapter_chart_tag} prometheus_adapter_configmap: {get_param: prometheus_adapter_configmap} project_id: {get_param: project_id} - tiller_enabled: {get_param: tiller_enabled} - tiller_tag: {get_param: tiller_tag} - tiller_namespace: {get_param: tiller_namespace} helm_client_url: {get_param: helm_client_url} helm_client_sha256: {get_param: helm_client_sha256} helm_client_tag: {get_param: helm_client_tag} @@ -1417,7 +1399,6 @@ resources: - get_file: ../../common/templates/kubernetes/fragments/core-dns-service.sh - get_file: ../../common/templates/kubernetes/fragments/calico-service.sh - get_file: ../../common/templates/kubernetes/fragments/flannel-service.sh - - get_file: ../../common/templates/kubernetes/fragments/enable-helm-tiller.sh - str_replace: template: {get_file: ../../common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh} params: diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml index 917f010db8..4d2feb2303 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml @@ -545,18 +545,6 @@ parameters: description: > project id of current project - tiller_enabled: - type: string - description: Whether to enable tiller or not - - tiller_tag: - type: string - description: tag of tiller container - - tiller_namespace: - type: string - description: namespace where tiller will be installed - helm_client_url: type: string description: url of helm client tarball 
@@ -895,9 +883,6 @@ resources:
 "$PROMETHEUS_ADAPTER_CONFIGMAP": {get_param: prometheus_adapter_configmap}
 "$PROJECT_ID": {get_param: project_id}
 "$EXTERNAL_NETWORK_ID": {get_param: external_network}
- "$TILLER_ENABLED": {get_param: tiller_enabled}
- "$TILLER_TAG": {get_param: tiller_tag}
- "$TILLER_NAMESPACE": {get_param: tiller_namespace}
 "$HELM_CLIENT_URL": {get_param: helm_client_url}
 "$HELM_CLIENT_SHA256": {get_param: helm_client_sha256}
 "$HELM_CLIENT_TAG": {get_param: helm_client_tag}
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index a3f9d17e3a..eff2eeabd5 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -509,12 +509,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
 prometheus_adapter_configmap = mock_cluster.labels.get(
 'prometheus_adapter_configmap')
 project_id = mock_cluster.project_id
- tiller_enabled = mock_cluster.labels.get(
- 'tiller_enabled')
- tiller_tag = mock_cluster.labels.get(
- 'tiller_tag')
- tiller_namespace = mock_cluster.labels.get(
- 'tiller_namespace')
 helm_client_url = mock_cluster.labels.get(
 'helm_client_url')
 helm_client_sha256 = mock_cluster.labels.get(
@@ -655,9 +649,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
 'prometheus_adapter_configmap': prometheus_adapter_configmap,
 'project_id': project_id,
 'external_network': external_network_id,
- 'tiller_enabled': tiller_enabled,
- 'tiller_tag': tiller_tag,
- 'tiller_namespace': tiller_namespace,
 'helm_client_url': helm_client_url,
 'helm_client_sha256': helm_client_sha256,
 'helm_client_tag': helm_client_tag,
@@ -1072,12 +1063,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
 prometheus_adapter_configmap = mock_cluster.labels.get(
 'prometheus_adapter_configmap')
 project_id = mock_cluster.project_id
- tiller_enabled = mock_cluster.labels.get(
- 'tiller_enabled')
- tiller_tag = mock_cluster.labels.get(
- 'tiller_tag')
- tiller_namespace = mock_cluster.labels.get(
- 'tiller_namespace')
 helm_client_url = mock_cluster.labels.get(
 'helm_client_url')
 helm_client_sha256 = mock_cluster.labels.get(
@@ -1222,9 +1207,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
 'prometheus_adapter_configmap': prometheus_adapter_configmap,
 'project_id': project_id,
 'external_network': external_network_id,
- 'tiller_enabled': tiller_enabled,
- 'tiller_tag': tiller_tag,
- 'tiller_namespace': tiller_namespace,
 'helm_client_url': helm_client_url,
 'helm_client_sha256': helm_client_sha256,
 'helm_client_tag': helm_client_tag,
diff --git a/releasenotes/notes/drop-tiller-5b98862961003df8.yaml b/releasenotes/notes/drop-tiller-5b98862961003df8.yaml
new file mode 100644
index 0000000000..bef60274af
--- /dev/null
+++ b/releasenotes/notes/drop-tiller-5b98862961003df8.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ ``Tiller`` support has been dropped, following labels are not functional
+ anymore:
+ * ``tiller_enabled``
+ * ``tiller_tag``
+ * ``tiller_namespace``