Automatic merge from submit-queue.
Initial bazel support
Builds on the 1.8 version bump
The "trick" is to strip the BUILD & BUILD.bazel files from the vendor-ed deps.
Will rebase after 1.8 version bump merges.
Automatic merge from submit-queue. .
promoting drain and validate by setting feature flag to true
I am unable to recreate https://github.com/kubernetes/kops/issues/2407, and frankly, it may be an edge case. We could warn a user if their wait times are low, but that would be another PR.
This PR moves Drain and Validate functionality for rolling-updates into the default user experience, setting the Feature Flag to true.
Per feedback, I am using the node and master interval times for the validation.
Automatic merge from submit-queue. .
Support encryption-at-rest for the kube-apiserver
This PR adds support for enabling encryption-at-rest for data in etcd, via the kube-apiserver (as per https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data).
I've put the functionality behind a feature flag, `+EnableDataEncryption`. It can then be enabled per-cluster by using `--enable-encryption-config` on the command line, or by adding a `kubeEncryptionConfig` section to the cluster spec. This is passed through to the kube-apiserver by the nodeup process. I'm not sure if this is the best way of doing it right now, but it is working.
Fixes#3356.
Automatic merge from submit-queue. .
improve documentation for secrets
I was struggling on how to change a the api basic auth password for my cluster and found this to be the only way to do it. If there is an easier way, let me know and i can adapt the docs again :)
- add a new kops secret command to store encryption config
- add the experimential-encryption-provider-config flag to the kube-apiserver
- add functionality to nodeup to create the stored encryption config in the correct path
Automatic merge from submit-queue. .
Allow specifying a SSH key name for AWS
Related to #2309, this allows naming an existing key pair using the
cluster spec field `sshKeyName`.
In our use case, kops can now be used without providing the ability to
create EC2 key pairs.
Automatic merge from submit-queue
Add romana to built-in CNI options
This PR adds `romana` as a networking option for kops.
It installs the latest "preview" release of Romana v2.0, which provides the expected features in terms of IP allocations and route configuration. Network policy features are being ported to 2.0 and will be in the final release. (We intend to submit a followup PR for kops as part of that rolling out that release.)
Note: in this setup, we're using the etcd cluster that kops deploys for k8s. This isn't ideal, but some possibilities (eg: StatefulSets) aren't practical for the CNI itself, and creating a parallel etcd cluster via manifests seemed to be a more-intrusive approach than using the existing one.
If this is a concern or problem, then I'm very open to discussing and implementing it based on your suggestions.
Also, some functionality is exclusive to AWS environments. Other cloud platforms are on Romana's roadmap but not developed yet. Let me know that restriction needs to be enforced in code or directly documented.
Automatic merge from submit-queue
Add a doc to describe how to use kops in AWS China
Closes#2933, closes#3282.
@wangycc, @mgyong, @hb404 This doc might be helpful for you guys to deploy a cluster in AWS China Region.
@chrislovecnm, @justinsb Please help to review. Thanks.
Automatic merge from submit-queue
small docs improvement
Make cmd1 populate the var for cmd2
Using `tee /dev/stderr` allows the user to still get output if they copy-pasta the first command. The other changes prepare the HZC variable so it can be used if they copy-pasta the second command.
Automatic merge from submit-queue
Added ability to set --service-node-port-range
Addresses: #3052 and #3326
From what I can tell, `--service-node-port-range` has been a valid option forever, so I haven't worried about k8s versions.
@justinsb @chrislovecnm let me know if any changes are required.
Using `tee /dev/stderr` allows the user to still get output if they copy-pasta the first command. The other changes prepare the HZC variable so it can be used if they copy-pasta the second command.
Automatic merge from submit-queue
Flannel: change default backend type
We support udp, which has to the default for backwards-compatibility,
but also new clusters will now use vxlan.
Extending the current implementation of toolbox template to include multiple files and snippets. Note, i've removed the requirements for defaults as I think people should be forced to specifically pass them.
- fixing the vetting iseues to the method YamlToJson -> YAMLToJSON
- adding a safety check to ensure templates don't reference an unknown value
- extending the unit test to ensure the above works on main and snippets
- include the ability to specify multiple configuration files, useful for common.yaml and prod.yaml etc
Requested Changes - Toolbox Templating
Added the requested changes
- moved the templater into it's own package rather than using base util
- moved to using the sprig library for additional template function
- @note: i couldn't find a native way in sprig to do snippets, also the i've overloaded the indent as it appears to do the indent on all lines rather than on the newline, meaning i'd have to shift my first line back by the indent to get it to work, which seems ugly
Related to #2309, this allows naming an existing key pair using the
cluster spec field `sshKeyName`.
In our use case, kops can now be used without providing the ability to
create EC2 key pairs.
aws.md linked to advanced_create.md which was deleted in
https://github.com/kubernetes/kops/pull/2725. Its contents were added to
high_availability.md. Update the link to point to the relevant section in
high_availability.md.
Signed-off-by: Steven Santos Erenst <stevenerenst@gmail.com>
Automatic merge from submit-queue
Adds DNSControllerSpec and WatchIngress flag
This PR is in reference to #2496, #2468 and the issues referenced in there relating to use of the watch-ingress flag.
This PR attempts to rectify this situation and gives users who want it, the option to turn on watch-ingress without forcing it on them. Also spits out a warning to the logs about potential side effects.
Includes notes in `docs/cluster_spec.md` to explain.
Kubernetes Submit Queue
jatan28
Justin Santa Barbara
John Laswell
chrislovecnm
Julian Simioni
georgebuckerfield
Timothy Josefik
Andrey Chernih
Andrey Falko
Kashif Saadat
Hanfei Shen
Reen Lokum
Caleb Gilmour
Bruno Bronosky
Francesco Vasco
Victor Palade
Rohith
Robin Percy
John Zeringue
Steven Santos Erenst
Krishna m-Kumar
Eric Hole