Merge "Bump kubedns to 1.14.5 because of CVE-2017-13704"
diff --git a/README.rst b/README.rst
index 60ef3b4..5ad0948 100644
--- a/README.rst
+++ b/README.rst
@@ -126,6 +126,45 @@
domain: company.mydomain
provider: coredns
+Enable external DNS addon with Designate provider
+
+.. code-block:: yaml
+
+ parameters:
+ kubernetes:
+ common:
+ addons:
+ externaldns:
+ externaldns:
+ enabled: True
+ domain: company.mydomain
+ provider: designate
+ designate_os_options:
+ OS_AUTH_URL: https://keystone_auth_endpoint:5000
+ OS_PROJECT_DOMAIN_NAME: default
+ OS_USER_DOMAIN_NAME: default
+ OS_PROJECT_NAME: admin
+ OS_USERNAME: admin
+ OS_PASSWORD: password
+ OS_REGION_NAME: RegionOne
+
+Enable external DNS addon with AWS provider
+
+.. code-block:: yaml
+
+ parameters:
+ kubernetes:
+ common:
+ addons:
+ externaldns:
+ externaldns:
+ enabled: True
+ domain: company.mydomain
+ provider: aws
+ aws_options:
+ AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
+ AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
Enable OpenStack cloud provider
.. code-block:: yaml
diff --git a/kubernetes/files/kube-addons/coredns/coredns-cm.yml b/kubernetes/files/kube-addons/coredns/coredns-cm.yml
index 0cd3a48..54de711 100644
--- a/kubernetes/files/kube-addons/coredns/coredns-cm.yml
+++ b/kubernetes/files/kube-addons/coredns/coredns-cm.yml
@@ -1,5 +1,5 @@
-{%- from "kubernetes/map.jinja" import common with context %}
-{%- from "kubernetes/map.jinja" import master with context %}
+{%- from "kubernetes/map.jinja" import common with context -%}
+{%- from "kubernetes/map.jinja" import master with context -%}
---
apiVersion: v1
kind: ConfigMap
@@ -15,14 +15,14 @@
etcd {{ master.federation.name }} {
stubzones
path /skydns
- endpoint http://coredns-etcd:2379
+ endpoint http://coredns-etcd-cluster-client:2379
}
{% endif %}
{% if common.addons.externaldns.enabled %}
etcd {{ common.addons.externaldns.domain }} {
stubzones
path /skydns
- endpoint http://coredns-etcd:2379
+ endpoint http://coredns-etcd-cluster-client:2379
}
{% endif %}
errors
diff --git a/kubernetes/files/kube-addons/coredns/coredns-deploy.yml b/kubernetes/files/kube-addons/coredns/coredns-deploy.yml
index f225af5..e1e2dd3 100644
--- a/kubernetes/files/kube-addons/coredns/coredns-deploy.yml
+++ b/kubernetes/files/kube-addons/coredns/coredns-deploy.yml
@@ -1,4 +1,4 @@
-{%- from "kubernetes/map.jinja" import common with context %}
+{%- from "kubernetes/map.jinja" import common with context -%}
---
apiVersion: extensions/v1beta1
kind: Deployment
diff --git a/kubernetes/files/kube-addons/coredns/coredns-etcd-cluster.yaml b/kubernetes/files/kube-addons/coredns/coredns-etcd-cluster.yaml
new file mode 100644
index 0000000..50e2383
--- /dev/null
+++ b/kubernetes/files/kube-addons/coredns/coredns-etcd-cluster.yaml
@@ -0,0 +1,14 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: etcd.database.coreos.com/v1beta2
+kind: EtcdCluster
+metadata:
+ namespace: {{ common.addons.coredns.namespace }}
+ name: coredns-etcd-cluster
+ labels:
+ app: coredns-etcd-operator
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ size: 3
+ version: {{ common.addons.coredns.etcd.version }}
+ baseImage: {{ common.addons.coredns.etcd.base_image }}
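Review bot: The new EtcdCluster carries no TLS or client-authentication settings, so the `coredns-etcd-cluster-client` service the operator creates for it answers plain HTTP to any pod that can reach port 2379, and whatever is written under `/skydns` there is the DNS data CoreDNS serves for the externaldns and federation zones. A workload with network access to that service could therefore insert or overwrite records for those zones. The etcd-operator CR has a `TLS` stanza for operator-managed client/peer/server certificates (confirm the exact field layout against the v0.5.2 operator pinned by this commit); if it is deliberately left off, record the trust assumption above `spec:` with `# NOTE: no TLS/client auth — etcd is writable by anything that can reach the client service`. Also quote the templated scalars, `version: "{{ common.addons.coredns.etcd.version }}"`, so a future value such as 3.10 is not retyped as the float 3.1 by the YAML parser.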
diff --git a/kubernetes/files/kube-addons/coredns/coredns-etcd-operator-deployment.yaml b/kubernetes/files/kube-addons/coredns/coredns-etcd-operator-deployment.yaml
new file mode 100644
index 0000000..0ec870d
--- /dev/null
+++ b/kubernetes/files/kube-addons/coredns/coredns-etcd-operator-deployment.yaml
@@ -0,0 +1,38 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ namespace: {{ common.addons.coredns.namespace }}
+ labels:
+ app: coredns-etcd-operator
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: coredns-etcd-operator
+spec:
+ strategy:
+ type: Recreate
+ replicas: 1
+ selector:
+ matchLabels:
+ name: coredns-etcd-operator
+ template:
+ metadata:
+ labels:
+ name: coredns-etcd-operator
+ spec:
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ containers:
+ - name: coredns-etcd-operator
+ image: {{ common.addons.coredns.etcd.operator_image }}
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ restartPolicy: Always
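Review bot: The etcd-operator pod sets no `serviceAccountName`, so it runs under the `default` service account of `{{ common.addons.coredns.namespace }}`, even though an operator of this kind must create and manage EtcdCluster CRs, pods, services and deployments. On an RBAC-enabled cluster that either fails outright or, if `default` has been granted broad rights, gives the operator far more than it needs; on a cluster without RBAC the point is moot but undocumented. Add a dedicated ServiceAccount with a ClusterRole limited to the resource kinds the operator touches and reference it with `serviceAccountName: coredns-etcd-operator` in the pod spec. Whether RBAC is enabled in the target clusters is not visible from this diff.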
diff --git a/kubernetes/files/kube-addons/coredns/etcd-deploy.yml b/kubernetes/files/kube-addons/coredns/etcd-deploy.yml
deleted file mode 100644
index 937ae69..0000000
--- a/kubernetes/files/kube-addons/coredns/etcd-deploy.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-{%- from "kubernetes/map.jinja" import common with context %}
----
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- namespace: {{ common.addons.coredns.namespace }}
- labels:
- app: coredns-etcd
- addonmanager.kubernetes.io/mode: Reconcile
- name: coredns-etcd
-spec:
- strategy:
- type: Recreate
- replicas: 1
- selector:
- matchLabels:
- name: coredns-etcd
- template:
- metadata:
- labels:
- name: coredns-etcd
- spec:
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- containers:
- - command:
- - /usr/local/bin/etcd
- - --name
- - coredns-etcd
- - --listen-peer-urls
- - http://0.0.0.0:2380
- - --listen-client-urls
- - http://0.0.0.0:2379
- - --advertise-client-urls
- - http://coredns-etcd:2379
- - --initial-cluster-state
- - new
- image: {{ common.addons.coredns.etcd_image }}
- name: coredns-etcd
- ports:
- - containerPort: 2379
- name: client
- protocol: TCP
- - containerPort: 2380
- name: server
- protocol: TCP
- restartPolicy: Always
diff --git a/kubernetes/files/kube-addons/coredns/etcd-svc.yml b/kubernetes/files/kube-addons/coredns/etcd-svc.yml
deleted file mode 100644
index 4272275..0000000
--- a/kubernetes/files/kube-addons/coredns/etcd-svc.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-{%- from "kubernetes/map.jinja" import common with context %}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: coredns-etcd
- namespace: {{ common.addons.coredns.namespace }}
- labels:
- k8s-app: coredns-etcd
- kubernetes.io/cluster-service: "true"
- kubernetes.io/name: "coredns-etcd"
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- selector:
- k8s-app: coredns-etcd
- ports:
- - name: client
- port: 2379
- protocol: TCP
- targetPort: 2379
- - name: server
- port: 2380
- protocol: TCP
- targetPort: 2380
diff --git a/kubernetes/files/kube-addons/externaldns/externaldns-aws-secret.yaml b/kubernetes/files/kube-addons/externaldns/externaldns-aws-secret.yaml
new file mode 100644
index 0000000..2221f1d
--- /dev/null
+++ b/kubernetes/files/kube-addons/externaldns/externaldns-aws-secret.yaml
@@ -0,0 +1,14 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: aws-secret
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+type: Opaque
+data:
+{%- for option, value in common.addons.externaldns.aws_options.items() %}
+ {{ option }}: {{ salt['hashutil.base64_b64encode'](value) }}
+{%- endfor %}
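Review bot: The Secret is hard-wired to `namespace: kube-system` while the Deployment that consumes it through `secretRef` lives in `{{ common.addons.externaldns.namespace }}`; Secrets are namespace-scoped, so any non-default namespace leaves `aws-secret` unresolvable and external-dns will not start. Use the same templated value here, `namespace: {{ common.addons.externaldns.namespace }}`. Separately, `addonmanager.kubernetes.io/mode: EnsureExists` means the addon manager creates the object once and never updates it, so rotating `AWS_SECRET_ACCESS_KEY` in pillar will not reach the cluster until someone deletes the Secret by hand — add a comment above the label saying so, or use `Reconcile` if rotation through pillar is the intended workflow.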
diff --git a/kubernetes/files/kube-addons/externaldns/externaldns-deploy.yml b/kubernetes/files/kube-addons/externaldns/externaldns-deploy.yml
index 39723b1..0803d6e 100644
--- a/kubernetes/files/kube-addons/externaldns/externaldns-deploy.yml
+++ b/kubernetes/files/kube-addons/externaldns/externaldns-deploy.yml
@@ -3,11 +3,13 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
- namespace: {{ common.addons.externaldns.namespace }}
name: external-dns
+ namespace: {{ common.addons.externaldns.namespace }}
labels:
+ k8s-app: externaldns
addonmanager.kubernetes.io/mode: Reconcile
spec:
+ replicas: 1
strategy:
type: Recreate
template:
@@ -21,6 +23,7 @@
containers:
- name: external-dns
image: {{ common.addons.externaldns.image }}
+ imagePullPolicy: Always
args:
- --source=service
- --source=ingress
@@ -29,8 +32,21 @@
#- --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
- --registry=txt
- --txt-owner-id=my-identifier
- {% if common.addons.externaldns.provider == "coredns" %}
+ - --publish-internal-services
+ {%- if common.addons.externaldns.provider == "coredns" %}
env:
- name: ETCD_URLS
- value: "https://coredns-etcd:2379"
- {% endif %}
+ value: "http://coredns-etcd-cluster-client:2379"
+ {%- elif common.addons.externaldns.provider == "designate" %}
+ envFrom:
+ - secretRef:
+ name: designate-os-secret
+ {%- elif common.addons.externaldns.provider == "aws" %}
+ envFrom:
+ - secretRef:
+ name: aws-secret
+ {%- endif %}
+ livenessProbe:
+ httpGet:
+ port: 7979
+ path: /healthz
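Review bot: `--publish-internal-services` is added unconditionally, and per the documented meaning of that external-dns flag it makes the controller publish records for ClusterIP services too; with the new `aws` and `designate` providers, internal service names and cluster IPs are then pushed into a provider-hosted, possibly public, zone. That is sensible for the in-cluster CoreDNS backend but is an information leak for the external providers, so gate the line, e.g. wrap it in `{%- if common.addons.externaldns.provider == "coredns" %}` … `{%- endif %}`, or expose it as a pillar option. Note also that `ETCD_URLS` went from `https://` to `http://`: the old value presumably never worked against the plain-HTTP etcd, but the write path for DNS records is now explicitly unauthenticated and unencrypted, which deserves a comment next to the value stating that this is intentional.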
diff --git a/kubernetes/files/kube-addons/externaldns/externaldns-designate-secret.yaml b/kubernetes/files/kube-addons/externaldns/externaldns-designate-secret.yaml
new file mode 100644
index 0000000..de1f6e8
--- /dev/null
+++ b/kubernetes/files/kube-addons/externaldns/externaldns-designate-secret.yaml
@@ -0,0 +1,14 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: designate-os-secret
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+type: Opaque
+data:
+{%- for option, value in common.addons.externaldns.designate_os_options.items() %}
+ {{ option }}: {{ salt['hashutil.base64_b64encode'](value) }}
+{%- endfor %}
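Review bot: The credentials this Secret carries are, in the README example added by the same commit, `OS_USERNAME: admin` in `OS_PROJECT_NAME: admin`, which hands external-dns full OpenStack admin rights when it only needs to manage records in one Designate zone. Document a dedicated service user with a Designate-scoped role instead (the exact role depends on the Designate policy in use), for example with a comment above `data:` reading `# Use a service user limited to the target DNS zone; never the cloud admin account`. As with the AWS variant, `namespace: kube-system` is hard-coded while the Deployment uses `{{ common.addons.externaldns.namespace }}`, so the `secretRef` breaks for any other namespace.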
diff --git a/kubernetes/files/kube-addons/netchecker/netchecker-server.yml b/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
index 6cfac36..181765c 100644
--- a/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
+++ b/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
@@ -30,8 +30,11 @@
args:
- "-v=5"
- "-logtostderr"
- - "-kubeproxyinit=false"
- "-endpoint=0.0.0.0:{{ common.addons.netchecker.port }}"
+{%- if common.addons.get('contrail_network_controller', {}).get('enabled') %}
+ - "-kubeproxyinit=true"
+{%- else %}
+ - "-kubeproxyinit=false"
- "-etcd-endpoints={% for member in master.etcd.members %}https://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}"
{%- if master.etcd.get('ssl', {}).get('enabled') %}
- "-etcd-key=/var/lib/etcd/etcd-client.key"
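Review bot: The new Contrail branch does more than flip `-kubeproxyinit`: it also drops the `-etcd-endpoints` argument and the etcd client certificate arguments, yet nothing in the template explains why netchecker-server needs no etcd when Contrail is the network controller. Add a Jinja comment above the condition, e.g. `{# With Contrail enabled netchecker-server does not talk to etcd; endpoints and TLS material are rendered only for the default case #}`, so the omission is not mistaken for a bug later. The `{%- endif %}` closing this branch is in the following hunk, after the `etcd-certs` hostPath volume.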
@@ -46,3 +49,4 @@
- hostPath:
path: /var/lib/etcd
name: etcd-certs
+{%- endif %}
\ No newline at end of file
diff --git a/kubernetes/master/federation.sls b/kubernetes/master/federation.sls
index 49f7c5a..ca3228c 100644
--- a/kubernetes/master/federation.sls
+++ b/kubernetes/master/federation.sls
@@ -111,7 +111,7 @@
federation_join_cluster_{{ childcluster }}:
cmd.run:
- - name: kubefed join {{ childcluster }} --host-cluster-context={{ common.cluster_name }} --context={{ master.federation.name }}
+ - name: kubefed join {{ childcluster }} --host-cluster-context=local --context={{ master.federation.name }}
- env:
- KUBECONFIG: /etc/kubernetes/federation/childclusters.kubeconfig:/etc/kubernetes/federation/federation.kubeconfig
- require:
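Review bot: `--host-cluster-context=local` replaces the templated `{{ common.cluster_name }}` with a literal, so the join only succeeds when the merged kubeconfig (`childclusters.kubeconfig:federation.kubeconfig`) actually contains a context named `local`; whether it does is not visible here. Keep it configurable with a default, `--host-cluster-context={{ master.federation.get('host_cluster_context', 'local') }}`, and state the expectation in a comment above the state. The `federation_join_cluster_` state continues outside the hunk.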
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 8344337..99156a2 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -129,6 +129,21 @@
{% endif %}
{%- if common.addons.coredns.enabled or master.federation.enabled %}
+/etc/kubernetes/addons/coredns/coredns-etcd-operator-deployment.yaml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/coredns/coredns-etcd-operator-deployment.yaml
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
+
+/etc/kubernetes/addons/coredns/coredns-etcd-cluster.yaml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/coredns/coredns-etcd-cluster.yaml
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
/etc/kubernetes/addons/coredns/coredns-cm.yml:
file.managed:
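Review bot: The new `coredns-etcd-cluster.yaml` stanza runs straight into the existing `coredns-cm.yml` stanza with no blank line between them, while every other `file.managed` stanza in this file is separated by one blank line (see the one after the operator deployment stanza). Insert a blank line after `- makedirs: True`. Both new stanzas set `- group: root` without `- user: root`, which matches the surrounding stanzas, so that part is at least consistent.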
@@ -153,22 +168,6 @@
- group: root
- dir_mode: 755
- makedirs: True
-
-/etc/kubernetes/addons/coredns/etcd-svc.yml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/coredns/etcd-svc.yml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
-
-/etc/kubernetes/addons/coredns/etcd-deploy.yml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/coredns/etcd-deploy.yml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
{% endif %}
{% endif %}
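Review bot: Dropping these two `file.managed` stanzas does not remove `/etc/kubernetes/addons/coredns/etcd-svc.yml` and `etcd-deploy.yml` from masters that were already provisioned, and since both manifests carry `addonmanager.kubernetes.io/mode: Reconcile`, the addon manager will presumably keep the old single-node `coredns-etcd` Deployment and Service running alongside the new operator-managed cluster. Add `file.absent` states for both paths under the same condition so the legacy etcd is actually retired on upgrade, e.g. `/etc/kubernetes/addons/coredns/etcd-deploy.yml:` / `  file.absent` and the same for `etcd-svc.yml`.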
@@ -182,6 +181,24 @@
- dir_mode: 755
- makedirs: True
+{%- if common.addons.get('externaldns', {}).get('provider') == 'designate' %}
+/etc/kubernetes/addons/externaldns/externaldns-designate-secret.yaml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/externaldns/externaldns-designate-secret.yaml
+ - template: jinja
+ - group: root
+{% endif %}
+
+{%- if common.addons.get('externaldns', {}).get('provider') == 'aws' %}
+/etc/kubernetes/addons/externaldns/externaldns-aws-secret.yaml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/externaldns/externaldns-aws-secret.yaml
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
+{% endif %}
+
{% endif %}
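Review bot: Both new secret manifests are rendered with `file.managed` and no `mode`, so they land on the master filesystem with Salt's default permissions (typically 0644) while containing the AWS secret key or the OpenStack password in base64, which is encoding rather than protection; any local user on the master can read them. Add `- user: root` and `- mode: 600` to both stanzas. The designate stanza also lacks the `- dir_mode: 755` / `- makedirs: True` lines its AWS twin has; the directory probably already exists because `externaldns-deploy.yml` is managed there, but the two stanzas should match.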
{%- if common.addons.get('dashboard', {'enabled': False}).enabled %}
diff --git a/kubernetes/meta/prometheus.yml b/kubernetes/meta/prometheus.yml
index df0ee76..f73bd29 100644
--- a/kubernetes/meta/prometheus.yml
+++ b/kubernetes/meta/prometheus.yml
@@ -13,7 +13,7 @@
target:
kubernetes:
enabled: true
- api_ip: ${_param:kubernetes_control_address}
+ api_ip: {{ pool.apiserver.host }}
cert_name: prometheus-server.crt
key_name: prometheus-server.key
static:
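Review bot: `api_ip: {{ pool.apiserver.host }}` is an unquoted templated scalar that also depends on `pool` being imported earlier in this meta file (the import is outside the hunk); an empty or unusual expansion would be retyped by the YAML parser, so quote it: `api_ip: "{{ pool.apiserver.host }}"`. Moving from the control address to the pool's apiserver host also changes the endpoint Prometheus connects to with `prometheus-server.crt`/`.key`; if server certificate verification is on, confirm the apiserver's serving certificate covers the new address.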
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index c29d5ee..063014b 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -45,7 +45,10 @@
enabled: False
namespace: kube-system
image: coredns/coredns:latest
- etcd_image: quay.io/coreos/etcd:v3.1.0
+ etcd:
+ operator_image: quay.io/coreos/etcd-operator:v0.5.2
+ version: 3.1.8
+ base_image: quay.io/coreos/etcd
externaldns:
enabled: False
namespace: kube-system
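Review bot: `version: 3.1.8` survives as a string only because it has two dots; a later bump to a value like `3.10` would be parsed as the float 3.1 and rendered into the EtcdCluster spec as the wrong version, so quote it now, `version: "3.1.8"`. The `coredns/coredns:latest` tag a few lines above is untouched context, but pinning it the way `etcd-operator:v0.5.2` is pinned here would make the addon reproducible and reviewable.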
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 50e5ce6..50e6d81 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -64,7 +64,7 @@
enabled: False
name: federation
namespace: federation-system
- source: https://dl.k8s.io/v1.7.3/kubernetes-client-linux-amd64.tar.gz
- hash: 8d66c7912914ac9add514e660fdc8c963b748a7c588c43a14533157a9f0e1c92
+ source: https://dl.k8s.io/v1.6.2/kubernetes-client-linux-amd64.tar.gz
+ hash: f8ef17b8b4bb8f6974fa2b3faa992af3c39ad318c30bdfe1efab957361d8bdfe
service_type: NodePort
dns_provider: coredns