Commit Graph

71 Commits (742a1681cec468a413c22dc55d401f74e4e31379)

Author SHA1 Message Date
Matthew Mosesohn 0f64f8db90 Merge pull request #1155 from mattymo/helm
Add helm deployment
2017-03-20 17:00:06 +03:00
Matthew Mosesohn b69d4b0ecc Add helm deployment 2017-03-17 20:24:41 +03:00
Matthew Mosesohn e1faeb0f6c Fix weave on RHEL deployment
Reduce retry delay checking weave
Always load br_netfilter module
2017-03-17 18:17:47 +03:00
Aleksandr Didenko 3a39904011 Move calico-policy-controller into separate role
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn 6453650895 Merge pull request #1093 from mattymo/scaledns
Add autoscalers for dnsmasq and kubedns
2017-03-02 16:58:56 +03:00
Matthew Mosesohn 9cb12cf250 Add autoscalers for dnsmasq and kubedns
By default kubedns and dnsmasq scale when installed.
Dnsmasq is no longer a daemonset. It is now a deployment.
Kubedns is no longer a replicationcluster. It is now a deployment.
Minimum replicas is two (to enable rolling updates).

Reduced memory erquirements for dnsmasq and kubedns
2017-03-02 13:44:22 +03:00
Sergii Golovatiuk d31c040dc0 Change kube-api default port from 443 to 6443
Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.

Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 15:45:35 +01:00
Brad Beam 56664b34a6 Lower default memory requests
This is to address out of memory issues on CI as well as help
fit deployments for people starting out with kargo on smaller
machines
2017-02-27 10:53:43 -06:00
Bogdan Dobrelya 712872efba Rework inventory all by real groups' vars
* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 09:43:42 +01:00
Matthew Mosesohn 3cc1491833 Merge branch 'master' into pedantic-syntax-cleanup 2017-02-20 20:19:38 +03:00
Andrew Greenwood ca9ea097df Cleanup legacy syntax, spacing, files all to yml
Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks
Cleanup some spacing in various files
Rename some files named yaml to yml for consistancy
2017-02-17 16:22:34 -05:00
Antoine Legrand b84cc14694 Merge pull request #1029 from mattymo/graceful
Add graceful upgrade process
2017-02-17 21:24:32 +01:00
Matthew Mosesohn 617edda9ba Adjust weave daemonset for serial deployment 2017-02-16 18:24:30 +03:00
Vladimir Rutsky 7ab04b2e73 fix typo in "kibana_base_url" variable name
This typo lead to kibana_base_url being undefined and Kibana used
default base URL ("/") which is incorrect with default proxy-based
access.
2017-02-16 18:17:06 +03:00
Matthew Mosesohn 6ae70e03cb fixup upgrades for canal and weave 2017-02-10 13:27:41 +03:00
Matthew Mosesohn 29fd957352 Enable weave upgrade from previous versions
Raise readiness probe initial time to 60 (was 30)
2017-02-09 21:39:31 +03:00
Matthew Mosesohn 3c713a3f53 Fix upgrade for all daemonset type resources
Daemonsets cannot be simply upgraded through a single API call,
regardless of any kubectl documentation. The resource must be
purged and then recreated in order to make any changes.
2017-02-08 18:16:00 +03:00
Matthew Mosesohn bfd1ea1da1 Merge pull request #971 from bradbeam/efk
Adding EFK logging stack
2017-02-08 14:28:04 +03:00
Aleksandr Didenko 54af533b31 Update playbooks to support new netchecker
Netchecker is rewritten in Go lang with some new args instead of
env variables. Also netchecker-server no longer requires kubectl
container. Updating playbooks accordingly.
2017-02-07 15:20:34 +01:00
Matthew Mosesohn fd30131dc2 Revert "Drop linux capabilities and rework users/groups" 2017-02-06 15:58:54 +03:00
Bogdan Dobrelya cae2982d81 Merge pull request #911 from bogdando/DROP_CAPS
Drop linux capabilities and rework users/groups
2017-02-06 12:05:51 +01:00
Brad Beam df3e11bdb8 Adding EFK logging stack 2017-02-03 16:27:08 -06:00
Sergii Golovatiuk f2e4ffcac2 Fix weave-net after upgrade to 1.82
- Set recommended CPU settings
- Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
- Limit DS creation to master
- Combined 2 tasks into one with better condition
2017-02-02 10:31:58 +01:00
Matthew Mosesohn 39d87a96aa Rename weave-kube to weave-net
Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
2017-01-31 18:47:27 +03:00
Matthew Mosesohn 6463a01e04 Merge pull request #880 from bradbeam/weave-kube
Weave kube
2017-01-31 13:31:09 +03:00
Brad Beam a11b9d28bd Upgrading weave to weave-kube 2017-01-27 17:05:25 -06:00
Brad Beam b54eb609bf Consolidating kube.py module 2017-01-27 11:28:11 -06:00
Bogdan Dobrelya cb2e5ac776 Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-20 08:50:42 +01:00
Greg Althaus 61dab8dc0b Should only check for api-server running on the master.
If this runs on other nodes, it will fail the playbook.
2017-01-17 15:57:34 -06:00
Aleksandr Didenko 0909368339 Set latest stable versions for Calico images
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.

Also removing images repo and tag duplication from netchecker role
2017-01-09 12:05:49 +01:00
Alexander Block 1d2a18b355 Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Bogdan Dobrelya d8a2941e9e Fix cert paths for flannel/calico policy apps
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-03 16:12:54 +01:00
Bogdan Dobrelya a56d9de502 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Bogdan Dobrelya bb0c3537cb Do not forward bogus domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-23 11:53:14 +01:00
Matthew Mosesohn ad796d188d Individual etcd ssl certs
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
2016-12-22 13:31:11 +03:00
Bogdan Dobrelya de8cd5cd7f Merge pull request #786 from mattymo/bug777
Add wait for kube-apiserver to kubernetes-apps
2016-12-22 11:02:50 +01:00
Bogdan Dobrelya f10d1327d4 Revert "Do not forward private domains for upstream resolvers" 2016-12-21 15:24:17 +01:00
Matthew Mosesohn d314174149 Add wait for kube-apiserver to kubernetes-apps
Fixes #777
2016-12-21 15:39:39 +03:00
Bogdan Dobrelya 101864c050 Do not forward private domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-19 11:01:41 +01:00
Bogdan Dobrelya c75f394707 Address standalone kubelet config case
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Matthew Mosesohn 459bee6d2c Bump kubedns version to 1.9
Version 1.9 has reduced verbosity for federation dns queries
which flood container logs.
2016-12-09 17:57:54 +03:00
Bogdan Dobrelya 8cc84e132a Add tags
Add tags to allow more granular tasks filtering.
Add generator script for MD formatted tags found.
Add docs for tags how-to.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 12:14:28 +01:00
Antoine Legrand 5b382668f5 Merge pull request #529 from bogdando/netcheck
Add a k8s app for advanced e2e netcheck for DNS
2016-11-28 15:26:30 +01:00
Bogdan Dobrelya b7692fad09 Add advanced net check for DNS K8s app
* Add an option to deploy K8s app to test e2e network connectivity
  and cluster DNS resolve via Kubedns for nethost/simple pods
  (defaults to false).
* Parametrize existing k8s apps templates with kube_namespace and
  kube_config_dir instead of hardcode.
* For CoreOS, ensure nameservers from inventory to be put in the
  first place to allow hostnet pods connectivity via short names
  or FQDN and hostnet agents to pass as well, if netchecker
  deployed.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-28 13:23:25 +01:00
Bogdan Dobrelya 2d18e19263 Tune dnsmasq/kubedns limits, replicas, logging
* Add dns_replicas, dns_memory/cpu_limit/requests vars for
dns related apps.
* When kube_log_level=4, log dnsmasq queries as well.
* Add log level control for skydns (part of kubedns app).
* Add limits/requests vars for dnsmasq (part of kubedns app) and
  dnsmasq daemon set.
* Drop string defaults for kube_log_level as it is int and
  is defined in the global vars as well.
* Add docs

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-25 12:49:17 +01:00
Bogdan Dobrelya dff78f616e Allow pre-downloaded images to be used effectively
According to http://kubernetes.io/docs/user-guide/images/ :
By default, the kubelet will try to pull each image from the
specified registry. However, if the imagePullPolicy property
of the container is set to IfNotPresent or Never, then a local\
image is used (preferentially or exclusively, respectively).

Use IfNotPresent value to allow images prepared by the download
role dependencies to be effectively used by kubelet without pull
errors resulting apps to stay blocked in PullBackOff/Error state
even when there are images on the localhost exist.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 16:16:04 +01:00
Bogdan Dobrelya 66f27ed1f3 Download images as dependencies of roles
Pre download all required container images as roles' deps.
Drop unused flannel-server-helper images pre download.
Improve pods creation post-install test pre downloaded busybox.
Improve logs collection script with kubectl describe, fix sudo/etcd/weave
commands.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 11:13:57 +01:00
Aleksandr Didenko 251800eb16 Fix policy controller
'etcd_cert_dir' variable is missing from 'kubernetes-apps/ansible'
role which breaks Calico policy controller deployment.

Also fixing calico-policy-controller.yml.
2016-11-10 13:31:31 +01:00
Matthew Mosesohn 9ea9604b3f Merge pull request #591 from kubernetes-incubator/etcdtls
Add etcd tls support
2016-11-10 12:32:13 +03:00
Matthew Mosesohn a32cd85eb7 Add etcd TLS support 2016-11-09 18:38:28 +03:00