- k8s version = 1.8.2
- change 'kubectl upgrade' to 'replace' since it's unavailable
in the new version
Change-Id: If0feabfe678d558e15273bd20b51994a56b9ea6e
rbac.authorization.k8s.io/v1alpha1 is no longer valid in recent
Kubernetes releases (where /v1beta1 and /v1 work). Use
rbac.authorization.k8s.io/v1beta1, which works on currently supported
releases.
Change-Id: I91ed84f9d3305ca1098e7743999a319c9e47b4a0
Keystone supports (and that's a default setting since Ocata) using
non-persistent fernet tokens instead of UUID tokens written into the DB.
This setting is in some cases better in terms of performance and
manageability (no more tokens DB table cleanups). OpenStack-Helm should
be able to support it.
A general issue with fernet tokens is that the keys used to encrypt them need
to be persistent and shared across the cluster. Moreover, the "rotate"
operation generates a new key, so the key repository will change over time.
This commit implements fernet tokens support by:
* A 'keystone-fernet-keys' secret is created to serve as the key repository.
* A new fernet-setup Job will populate the secret with initial keys.
* A new fernet-rotate CronJob will be run periodically (weekly by default)
and perform the key rotation operation and update the secret.
* The secret is attached to keystone-api pods in the /etc/keystone/fernet-tokens
directory.
Turns out k8s is updating secrets attached to pods automatically, so
because of Keystone's fernet tokens implementation, we don't need to
worry about synchronization of the key repository. Everything should be
fine unless the fernet-rotate job runs before all of the pods have
noticed the change in the secret. As in a real-world scenario you would
rotate your keys no more often than once an hour, this should be totally
fine.
Implements: blueprint keystone-fernet-tokens
Change-Id: Ifc84b8c97e1a85d30eb46260582d9c58220fbf0a
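The commit above relies on one property of Keystone's fernet key repository: key 0 is the staged key, the highest-numbered key is the primary used to sign new tokens, and a rotation promotes the staged key to primary, creates a fresh staged key, and drops the oldest secondary keys. That is what makes a pod that has not yet re-read the mounted secret tolerable for exactly one rotation. The model below is an added illustration, not code from OpenStack-Helm or Keystone: it uses HMAC-signed blobs as a stand-in for real Fernet encryption (AES-CBC plus HMAC), and the repository layout, `max_active_keys` default and the `rotation_lag_demo` scenario are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # SHA-256 HMAC tag appended to each token body


def new_key() -> bytes:
    """Fresh random 256-bit key (stand-in for a Fernet key)."""
    return os.urandom(32)


def init_repository() -> dict:
    """Model of the fernet-setup Job: key 0 is staged, key 1 is primary."""
    return {0: new_key(), 1: new_key()}


def rotate(repo: dict, max_active_keys: int = 3) -> dict:
    """Model of one fernet-rotate run.

    The staged key (index 0) becomes the new primary (highest index),
    a fresh staged key is written to index 0, and the oldest secondary
    keys are purged until at most max_active_keys remain.
    """
    new_repo = dict(repo)
    primary = max(new_repo)
    new_repo[primary + 1] = new_repo.pop(0)
    new_repo[0] = new_key()
    while len(new_repo) > max_active_keys:
        oldest_secondary = min(i for i in new_repo if i != 0)
        del new_repo[oldest_secondary]
    return new_repo


def issue_token(repo: dict, payload: dict) -> str:
    """Sign a token with the repository's primary key (highest index)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(repo[max(repo)], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_token(repo: dict, token: str):
    """Accept a token if ANY key in the repository (staged, primary or
    secondary) verifies it; return the payload or None."""
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    for key in repo.values():
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return json.loads(body)
    return None


def rotation_lag_demo(rotations: int = 3) -> dict:
    """Constructed scenario: one keystone-api pod never re-reads the
    mounted secret while the CronJob keeps rotating the shared repository.

    For each rotation n, returns a pair:
      (stale pod accepts a token issued by an up-to-date pod,
       up-to-date pod accepts a token issued by the stale pod)
    """
    shared = init_repository()
    stale_pod = dict(shared)  # snapshot taken before any rotation
    results = {}
    for n in range(1, rotations + 1):
        shared = rotate(shared)
        fresh_token = issue_token(shared, {"user": "alice", "rotation": n})
        stale_token = issue_token(stale_pod, {"user": "bob", "rotation": n})
        results[n] = (
            validate_token(stale_pod, fresh_token) is not None,
            validate_token(shared, stale_token) is not None,
        )
    return results


if __name__ == "__main__":
    for n, (stale_accepts_fresh, fresh_accepts_stale) in rotation_lag_demo().items():
        print(f"after rotation {n}: stale pod validates new tokens={stale_accepts_fresh}, "
              f"cluster validates stale pod's tokens={fresh_accepts_stale}")
```

After the first rotation both directions still work: the new primary was the staged key the lagging pod already held, and the lagging pod's old primary is now a secondary key in the shared repository. After the second rotation the lagging pod has never seen the new primary and its own signing key has been purged, so tokens fail in both directions. That is the window the commit message is describing, and the detection signal in practice is a burst of 401s from one replica only.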
This PS refactors the ceph chart and secret generation process.
The updated chart replaces the existing "bootstrap" chart.
Additionally, Ceph manifests and deployment guides were modified
accordingly.
Change-Id: I6f5bb88fc0f40cfee8865d9dab83859d765e7537
Co-Authored-By: Larry Rensing <lr699s@att.com>
This PS makes the init of the KubeADM environment more stable by ensuring
all kube-system pods are up before trying to launch Tiller. The NFS PVC
provider is now made optional but enabled by default, so that Ceph (and
other more complex providers) can be supported in future. Finally, the
scripts to bring up k8s/helm are refined to not bring in the clients if
already present with the correct versions on the host.
Change-Id: I4d7ceb6196e8fd5e3350ec99f09fbe6bb5fe01f6
This PS also pins the remaining components of the kubelet, moves
the K8s version to 1.6.4 and restores CentOS 7 operation.
Change-Id: Ia32c9e02dbf9451c13addce436f6e36f5a0a622f
This PS updates the NFS Image, and moves the CNI to use Canal as
the backend for container networking.
Change-Id: Iade12181be9a427bad7bc5eb2658eefacbff0279
The /var/log/containers mount is necessary for use with fluentd.
The kubelet creates symlinks that grab the pod name, namespace,
and container name from this directory on the host, so it needs
to be mounted.
Change-Id: Ib1e4769b739d1f85ab22ad66612fb96d4c917b33
This PS fixes the quotes around the echo statements. Though mostly
cosmetic, it is needed for some things that slipped through with ! in them.
Change-Id: Ie752cc88732192c51e97a2f44f554ad0474f09e5
This PS brings in a container for setting up a Kubeadm-based
AIO environment for development and gating purposes.
Change-Id: Ice96b03b519a380d4679d701e4bbb97024bb2fb5