Automatic merge from submit-queue
Specify initial period in gossip-based cluster name pattern
This is the most trivial change ever, but I actually got bitten by this and had to grep the source code to figure out that the initial period needed to be in the cluster name suffix.
Automatic merge from submit-queue
Use SSL in ELB API server health check
This switch causes the ELB to perform an SSL handshake and makes the
`I0427 03:57:55.059255 1 logs.go:41] http: TLS handshake error from IP:PORT: EOF`
disappear from the apiserver logs.
Tested manually and everything looks ✅
Inspiration from https://github.com/kubernetes-incubator/kube-aws/pull/604
Automatic merge from submit-queue
Add support for cluster using http forward proxy #2481
Adds support for running a cluster where access to external resources must be done through an http forward proxy. This adds a new element to the ClusterSpec, `EgressProxy`, and then sets up environment variables where appropriate. Access to API servers is additionally assumed to be done through the proxy, in particular this is necessary for AWS VPCs with private topology and egress by proxy (no NAT), at least until Amazon implements VPC Endpoints for the APIs.
Additionally, see my notes in #2481
TODOs
- [x] Consider editing files from nodeup rather than cloudup
- [x] Add support for RHEL
- [x] Validate on RHEL
- [x] ~Add support for CoreOS~ See #3032
- [x] ~Add support for vSphere~ See #3071
- [x] Minimize services affected
- [x] ~Support separate https_proxy configuration~ See #3069
- [x] ~Remove unvalidated proxy auth support (save for future PR)~ See #3070
- [x] Add Documentation
- [x] Fill in some sensible default exclusions for the user, allow the user to extend this list
- [x] Address PR review comments
- [x] Either require port or handle nil
- [x] ~Do API validation (or file an issue for validation)~ See #3077
- [x] Add uppercase versions of proxy env vars to cover our bases
- [x] ~File an issue for unit tests~ 😬 See #3072
- [x] Validate cluster upgrades and updates
- [x] Remove ftp_proxy (nothing uses)
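The points in that list (required port, uppercase and lowercase variants, sensible default exclusions the user can extend, no ftp_proxy) are easy to get subtly wrong on a node, so here is an added example of rendering the proxy environment from such a spec. This is illustration code, not kops code: the `EgressProxySpec` type, its field names, the `defaultNoProxy` entries and the cluster-specific exclusions passed in by the caller are all assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// EgressProxySpec is a hypothetical stand-in for a cluster-spec proxy
// setting: a host, a port, and extra hosts/CIDRs that must bypass the proxy.
type EgressProxySpec struct {
	Host    string
	Port    int      // 0 means "not set"; we refuse to emit a URL without one
	Exclude []string // user-supplied no_proxy additions
}

// defaultNoProxy holds exclusions every node should have regardless of
// cluster layout: loopback and the cloud metadata endpoint. (Assumed defaults.)
var defaultNoProxy = []string{"127.0.0.1", "localhost", "169.254.169.254"}

// ProxyEnv renders KEY=value lines for http_proxy/https_proxy/no_proxy and
// their uppercase twins. clusterNoProxy carries the cluster-specific entries
// (service/pod CIDRs, internal DNS suffix) that the caller knows about.
func ProxyEnv(p EgressProxySpec, clusterNoProxy []string) ([]string, error) {
	if p.Host == "" {
		return nil, fmt.Errorf("egress proxy: host is required")
	}
	if p.Port <= 0 || p.Port > 65535 {
		return nil, fmt.Errorf("egress proxy: port must be 1-65535, got %d", p.Port)
	}
	// A host carrying a scheme, path or credentials would silently change the
	// meaning of the URL built below, so reject it outright.
	if strings.ContainsAny(p.Host, "/@ ") {
		return nil, fmt.Errorf("egress proxy: host must be a bare hostname or IP, got %q", p.Host)
	}
	// JoinHostPort brackets IPv6 literals correctly.
	url := "http://" + net.JoinHostPort(p.Host, fmt.Sprint(p.Port))

	// Merge defaults, cluster entries and user entries, dropping blanks and
	// duplicates while preserving order so the output is stable.
	seen := map[string]bool{}
	var noProxy []string
	for _, list := range [][]string{defaultNoProxy, clusterNoProxy, p.Exclude} {
		for _, e := range list {
			e = strings.TrimSpace(e)
			if e == "" || seen[e] {
				continue
			}
			seen[e] = true
			noProxy = append(noProxy, e)
		}
	}
	np := strings.Join(noProxy, ",")

	var env []string
	for _, k := range []string{"http_proxy", "https_proxy"} {
		env = append(env, k+"="+url, strings.ToUpper(k)+"="+url)
	}
	// Deliberately no ftp_proxy: nothing on the node uses it.
	return append(env, "no_proxy="+np, "NO_PROXY="+np), nil
}

func main() {
	// Constructed sample input.
	spec := EgressProxySpec{Host: "proxy.example.internal", Port: 3128, Exclude: []string{"10.0.0.0/8"}}
	env, err := ProxyEnv(spec, []string{"100.64.0.0/10", ".cluster.local"})
	if err != nil {
		panic(err)
	}
	for _, line := range env {
		fmt.Println(line)
	}
}
```

The output is meant to be dropped into a systemd drop-in or `/etc/environment`; note that both case variants are emitted because different tools (curl, Go's net/http, Python's urllib) consult different spellings.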
Automatic merge from submit-queue
Kops Replace Command - create unprovisioned
The current 'kops replace' fails if the resource does not exist, which is annoying if you want to use the feature to drive your CI. This PR adds a --create option to create any resource which does not exist. At the moment we limit this to instanceGroups only. I'd also like to see this command perhaps be renamed to kops apply?
- added a --create command line option to the replace command to create unprovisioned resources
Automatic merge from submit-queue
Etcd TLS Options
The current implementation does not put any transport security on the etcd cluster. The PR provides an optional flag to enable TLS on the etcd cluster.
- cleaned up and fixed any formatting issues on the journey
- added two new certificates (server/client) for etcd peers and a client certificate for kubeapi and others perhaps (perhaps calico?)
- disabled the protokube service for nodes completely, as it is not required; note this was first raised in https://github.com/kubernetes/kops/pull/3091, but figured it would be easier to place in here given the relation
- updated protokube codebase to reflect the changes, removing the master option as its no longer required
- added additional integration tests for the protokube manifests;
- note, still need to add documentation, but opening the PR to get feedback
- one outstanding issue is the migration from http -> https for preexisting clusters; I'm gonna hit the coreos board to ask for the best options
- added the master option back the protokube, updating the nodeup model and protokube code
- removed any comments not related to the PR as suggested
- reverted the ordering of the mutex in the AWSVolumes in protokube
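The PR above describes separate certificates for etcd peers and for clients such as kube-apiserver. The security value of that split only materialises if each side checks the presented certificate for the role it claims, so here is an added example (illustration code, not kops or etcd code) that mints a CA, a peer certificate with SANs that is valid for both server and client authentication, and a client-only certificate, then verifies each against the CA for a given role. ECDSA P-256, the one-year validity, and names such as `etcd-a.internal.example` are assumptions chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertKey pairs a parsed certificate with its private key.
type CertKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a P-256 key, fills in serial and validity, and signs tmpl
// with parent (self-signed when parent is nil). One-year validity is assumed.
func issue(tmpl *x509.Certificate, parent *CertKey) (*CertKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-5 * time.Minute) // tolerate small clock skew
	tmpl.NotAfter = tmpl.NotBefore.Add(365 * 24 * time.Hour)
	parentCert, signer := tmpl, crypto.Signer(key)
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CertKey{Cert: cert, Key: key}, nil
}

// EtcdPKI: the CA, a peer cert for both ends of a peer connection, and a client-only cert.
type EtcdPKI struct {
	CA, Peer, Client *CertKey
}

// NewEtcdPKI mints all three. Peer names/IPs become SANs, so a peer must present the name dialled.
func NewEtcdPKI(peerNames []string, peerIPs []net.IP) (*EtcdPKI, error) {
	ca, err := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "etcd-ca"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil)
	if err != nil {
		return nil, err
	}
	peer, err := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "etcd-peer"}, DNSNames: peerNames, IPAddresses: peerIPs,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca)
	if err != nil {
		return nil, err
	}
	client, err := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "kube-apiserver-etcd-client"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client only, never a server
	}, ca)
	if err != nil {
		return nil, err
	}
	return &EtcdPKI{CA: ca, Peer: peer, Client: client}, nil
}

// Verify is what each side should do with the peer's certificate: chain to the CA,
// be valid now, match dnsName (skipped when empty) and carry the EKU for the claimed role.
func Verify(ca, cert *x509.Certificate, role x509.ExtKeyUsage, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

func main() {
	pki, err := NewEtcdPKI([]string{"etcd-a.internal.example"}, []net.IP{net.ParseIP("10.0.0.10")})
	if err != nil {
		panic(err)
	}
	fmt.Println("peer as server:  ", Verify(pki.CA.Cert, pki.Peer.Cert, x509.ExtKeyUsageServerAuth, "etcd-a.internal.example"))
	fmt.Println("client as server:", Verify(pki.CA.Cert, pki.Client.Cert, x509.ExtKeyUsageServerAuth, ""))
}
```

The last line of `main` is the point of the exercise: a client certificate stolen from the API server host cannot be turned into an etcd server or peer identity, because `Verify` rejects it for the `ServerAuth` role even though it chains to the same CA.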
Automatic merge from submit-queue
Fix for Canal Taints and Tolerations
This PR fixes issues with taints and tolerations for the Canal network type.
There are 2 problems:
1. Canal pods will not schedule onto dedicated instancegroups due to their too-strict tolerations. A similar fix for calico was merged recently #3097 - this is the same fix for Canal instead.
2. When booting a cluster with 1.7.0 we ran into the same issue mentioned in projectcalico/canal#77 and likely experienced in #2856. Specifically one of our dedicated instancegroups and the master nodes had no Taints attached. To mitigate we simply bump the versions of calico/node and calico/cni to match the versions that resolved projectcalico/canal#77.
When using these fixes to boot our k8s 1.7.3 cluster with this branch the Taints showed up and Calico scheduled on our masters and our dedicated IG.
I am not sure if there are associated tests that need to be updated here - still not familiar enough with the kops repo to tell.
Automatic merge from submit-queue
Fixing clusterautoscaler rbac
Fixes #3144
I have tested on my cluster and it can now update the status of the pods. I'm not sure if it also needs the permission to `patch` on the `endpoint`
Maybe someone with better RBAC knowledge can pick up on this? @chrislovecnm
I also gave the file some pretty treatment.. sorry, habit
Automatic merge from submit-queue
Rename OWNERS assignees: to approvers:
They are effectively the same, assignees is deprecated
ref: kubernetes/test-infra#3851
I broke this into two commits around vendor/ because I'm not sure it's kosher to be editing vendored OWNERS directly. ref: kubernetes/test-infra#3694
ref: https://github.com/kubernetes/gengo/pull/71 for the gengo OWNERS changes if that's the more appropriate route to go
Previously the configuration has been written after docker has been started and
was actually only applied after a reboot.
Manually reload system and restart docker to ensure the configuration has been
applied.
Automatic merge from submit-queue
Configure docker on CoreOS/ContainerOS
While the installation of docker should be skipped, docker should still be
configured to allow overriding the docker config using kops.
Fixes https://github.com/kubernetes/kops/issues/3057
//cc @aledbf
Automatic merge from submit-queue
adding warning about --full
This starts work on https://github.com/kubernetes/kops/issues/2290. Adds a warning to deter users from using YAML generated by --full.
Automatic merge from submit-queue
Update kube-proxy to handle aws returning multiple hostnames
Amazon's dhcp service supports returning a space separated list of hostnames. This patch makes sure to split the domains first before picking the hostname override.
Closes #3060.
Automatic merge from submit-queue
added wider toleration to calico-node daemonset (#2857)
Calico pod needs to run on all nodes, regardless of their taints. Otherwise the node cannot join the cluster. See #2857 for more discussion. This commit was originally b66b6260e7 by @ca16. It's also similar to the PR that kube-aws recently merged: https://github.com/kubernetes-incubator/kube-aws/pull/687/files.
Would you mind merging this to 1.7 branch too?
Automatic merge from submit-queue
Add `kops create secret dockerconfig` feature
This adds a well-known secret name `dockerconfig` which will automatically
be used if present to create `/root/.docker/config.json` on all nodes. This will
allow private registries to be used for kops hooks as well as any k8s images
without the need to define `imagePullSecrets` in every namespace.
closes https://github.com/kubernetes/kops/issues/2505
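Because the feature above materialises a secret as `/root/.docker/config.json`, it is worth seeing exactly what lands on disk and why its file mode matters. The following is an added example (not kops code) that builds a config.json from registry credentials, parses one back, and installs it root-only. The `Credential` type, the registry name and the password are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Credential is a registry login. (Example type, not part of any kops API.)
type Credential struct {
	Username, Password string
}

// authEntry is one value in the "auths" map: base64("user:password").
// This is encoding, not encryption; anyone who can read the file has the password.
type authEntry struct {
	Auth string `json:"auth"`
}

// dockerConfig is the on-disk shape of .docker/config.json.
type dockerConfig struct {
	Auths map[string]authEntry `json:"auths"`
}

// BuildDockerConfig serialises credentials into config.json form. A ':' in
// the username is rejected because the decoder splits on the first ':'.
func BuildDockerConfig(creds map[string]Credential) ([]byte, error) {
	cfg := dockerConfig{Auths: map[string]authEntry{}}
	for registry, c := range creds {
		if registry == "" || c.Username == "" || strings.Contains(c.Username, ":") {
			return nil, fmt.Errorf("invalid credential for registry %q", registry)
		}
		cfg.Auths[registry] = authEntry{Auth: base64.StdEncoding.EncodeToString([]byte(c.Username + ":" + c.Password))}
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// ParseDockerConfig is the inverse. Splitting on the first ':' only means a
// password that itself contains ':' survives the round trip.
func ParseDockerConfig(data []byte) (map[string]Credential, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	out := map[string]Credential{}
	for registry, e := range cfg.Auths {
		raw, err := base64.StdEncoding.DecodeString(e.Auth)
		if err != nil {
			return nil, fmt.Errorf("%s: bad auth encoding: %w", registry, err)
		}
		parts := strings.SplitN(string(raw), ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("%s: auth is not user:password", registry)
		}
		out[registry] = Credential{Username: parts[0], Password: parts[1]}
	}
	return out, nil
}

// WriteDockerConfig installs the file readable by its owner only. Since the
// auth values are plain base64, the file mode is the only protection.
func WriteDockerConfig(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	// Write to a sibling temp file and rename so readers never see a partial file.
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	if err := os.Chmod(tmp, 0o600); err != nil { // WriteFile keeps an existing file's mode
		return err
	}
	return os.Rename(tmp, path)
}

func main() {
	// Constructed sample credential.
	data, err := BuildDockerConfig(map[string]Credential{"registry.example.internal": {Username: "ci", Password: "s3:cr:et"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
}
```

A practical check after rolling this out to nodes is `stat -c '%a %U' /root/.docker/config.json` on a node, which should report `600 root`; a more permissive mode exposes the registry password to every process on the host.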
Automatic merge from submit-queue
Vetting / Formatting / Cleanup
- fixed any of the vetting / formatting issues that I came across on the update
- removed the commented out lines from the componentconfig as it makes it increasingly difficult to find what is supported, what is not and the difference between them.
- added SerializeImagePulls, RegisterSchedulable to kubelet (by default they are ignored)
- added FeatureGates to the kube-proxy
- fixed the vetting issue with NodeUpConfig -> Config
- added the aws london regions for cloud provider lookup
Out of interest can someone point me to where these multi-versioned componentconfig are being used?
Automatic merge from submit-queue
docs/topology - Fix the rolling-update command
This patch updates the `kops rolling-update` command which should be
run after making changes to the API server topology.
Fixes #3093
Signed-off-by: M S Vishwanath Bhat <msvbhat@gmail.com>