Ensure apiserver role can only be used on AWS (because of firewalling)
Apply api-server label to CP as well
Consolidate node not ready validation message
Guard apiserver nodes with a feature flag
Rename Apiserver role to APIServer
Add an integration test for apiserver nodes
Enumerate all roles in rolling update docs
Apply suggestions from code review
Co-authored-by: Steven E. Harris <seh@panix.com>
Upstream changes:
* Release notes for 3.0.20201209
* Handling hanging list command from etcd client during reconciliation loop
* Update dependencies to match kOps 1.19
* Include IPs in peer certificates
* Use etcd v3.4.13 in tests
* Eager-broadcast leadership on every leader iteration
* Update Go to 1.15.7
Release notes for 3.0.20201117:
* Release notes for 3.0.20200531
* Adds support for using OS application credentials
* Fixes usage of OpenStack Swift reauthentication
* Move from debian-hyperkube-base to debian-base
* Add license headers to each file
* Fix some typos picked up by verify-spelling
* Fix some problems with trailing spaces
* Add support for etcd 3.4.13
* Switch to gcr.io/cloud-marketplace-containers/google/debian10 - Fix for #340 option 1
* Support for ARM64
* BUG: OpenStack ignores AvailabilityZone in discovery
* Added full cinder ID to candidateDeviceNodes
* feat(etcd-manager-ctl): use backupname to delete backup instead of timestamp
* Update kops to pick up AllowAuth Openstack
* Build base image by raw expansion of deb packages
* Switch the cloudbuild docker image, locking to 2.2.0
* Fix build on case-insensitive file systems (MacOS)
* Set AltNames on server certificates
* govet: Fix a log message
This is causing problems with the Kubernetes 1.19 code-generator.
A nil entry in these slices wouldn't be valid anyway, so this should have no impact.
Changes since 3.0.20200429:
* Use env vars to customize backup retention
* Use next attachment point when device already in use
* Simplify uploading backups
kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonymous-access being enabled. That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.
Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only), adding appropriate
authentication using a client certificate.
This will also enable better load balancer checks in the future, as these
have previously been hampered by the custom CA certificate.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
With etcd-manager the DNS names should only be used by the
etcd-manager pod itself, so we don't need to share /etc/hosts with the
host.
By not sharing we avoid:
(1) the temptation to address etcd directly
(2) problems of concurrent updates to /etc/hosts being hard from within a container (because locking is difficult across bind mounts)
Introduced with Kubernetes 1.17 to avoid changing the behavior of existing versions.
Primarily for DigitalOcean support
Changes:
* fix issues in pr#253
* Update rules-docker to 0.12
* [DO-7442] Fix logic for Digital Ocean volume tag
* Update release process to use shipbot
* Move to go modules
* Update golang to 1.13.3
* travis: Test newer bazel versions
* Fix unit tests
* Test everything, not just //test
We had a port collision on 3997; change the default memberlist ports
to avoid the collision (we haven't shipped a release with this in it).
Also create a go file so that we can use constants to keep track of
our port numbers, rather than magic values.
Refactor to start to centralize the env-var configuration for system
components, also start to add test coverage so we can be sure we
haven't broken things!