Merge "Set apiserver bind address to 0.0.0.0"
diff --git a/README.rst b/README.rst
index c3df5f7..60ef3b4 100644
--- a/README.rst
+++ b/README.rst
@@ -71,7 +71,7 @@
virtlet:
enabled: true
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
hosts:
- cmp01
- cmp02
diff --git a/kubernetes/_common.sls b/kubernetes/_common.sls
index 1610d64..b489517 100644
--- a/kubernetes/_common.sls
+++ b/kubernetes/_common.sls
@@ -83,19 +83,32 @@
- onlyif: /bin/false
{%- endif %}
+/usr/bin/dockershim:
+ file.symlink:
+ - target: /usr/bin/criproxy
+ - require:
+ - file: /usr/bin/criproxy
+
/etc/criproxy:
file.directory:
- user: root
- group: root
- mode: 0750
-/etc/criproxy/kubelet.conf:
+/etc/criproxy/node.conf:
file.managed:
- - source: salt://kubernetes/files/virtlet/kubelet.conf
+ - user: root
+ - group: root
+ - mode: 0640
+ - contents: ''
+
+/etc/systemd/system/dockershim.service:
+ file.managed:
+ - source: salt://kubernetes/files/systemd/dockershim.service
- template: jinja
- user: root
- group: root
- - mode: 640
+ - mode: 755
/etc/systemd/system/criproxy.service:
file.managed:
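Review bot: The new `/etc/systemd/system/dockershim.service` state installs the unit file with `- mode: 755`, but a unit file is configuration, not an executable, and systemd logs a warning for unit files that carry execute bits. `- mode: '0644'` is the conventional value; the 755 looks copied from the existing criproxy.service state further down. In the same hunk, `- mode: 0640` on `/etc/criproxy/node.conf` is an unquoted leading-zero integer that YAML 1.1 loaders read as octal, so quoting it (`- mode: '0640'`) keeps the value Salt receives unambiguous. The hunk ends inside the `/etc/systemd/system/criproxy.service` state, so its remaining arguments are not visible here.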
@@ -105,14 +118,24 @@
- group: root
- mode: 755
+dockershim_service:
+ service.running:
+ - name: dockershim
+ - enable: True
+ - watch:
+ - file: /etc/systemd/system/dockershim.service
+ - file: /usr/bin/dockershim
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
+
criproxy_service:
service.running:
- name: criproxy
- enable: True
- watch:
- file: /etc/systemd/system/criproxy.service
- - file: /etc/criproxy/kubelet.conf
- - file: /etc/criproxy
+ - file: /etc/criproxy/node.conf
- file: /usr/bin/criproxy
{%- if grains.get('noservices') %}
- onlyif: /bin/false
@@ -123,6 +146,11 @@
/etc/criproxy:
file.absent
+dockershim_service:
+ service.dead:
+ - name: dockershim
+ - enable: False
+
criproxy_service:
service.dead:
- name: criproxy
diff --git a/kubernetes/files/systemd/criproxy.service b/kubernetes/files/systemd/criproxy.service
index 6d91cb2..fb6dcf5 100644
--- a/kubernetes/files/systemd/criproxy.service
+++ b/kubernetes/files/systemd/criproxy.service
@@ -3,8 +3,7 @@
[Service]
ExecStart=/usr/bin/criproxy -alsologtostderr \
- -connect docker,virtlet:/var/run/virtlet.sock \
- -kubeletcfg /etc/criproxy/kubelet.conf \
+ -connect /var/run/dockershim.sock,virtlet:/var/run/virtlet.sock \
-listen /var/run/criproxy.sock
Restart=always
StartLimitInterval=0
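Review bot: `-connect /var/run/dockershim.sock,virtlet:/var/run/virtlet.sock` makes criproxy depend on a socket created by the new dockershim unit, but nothing visible in this unit orders it after that service. The `RequiredBy=criproxy.service` line in dockershim.service adds a requirement once the unit is enabled, but it gives no start ordering. The `[Unit]` section is outside the hunk, so this may already be handled; if not, `After=dockershim.service` there would avoid criproxy starting against a missing socket and relying on `Restart=always` to recover.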
diff --git a/kubernetes/files/systemd/dockershim.service b/kubernetes/files/systemd/dockershim.service
new file mode 100644
index 0000000..ec02645
--- /dev/null
+++ b/kubernetes/files/systemd/dockershim.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=dockershim for criproxy
+
+[Service]
+EnvironmentFile=-/etc/default/kubelet
+ExecStart=/usr/bin/dockershim \
+ $KUBE_LOGTOSTDERR \
+ $KUBE_LOG_LEVEL \
+ $KUBE_ALLOW_PRIV \
+ $KUBELET_ADDRESS \
+ $KUBELET_PORT \
+ $KUBELET_HOSTNAME \
+ $KUBELET_API_SERVER \
+ $DOCKER_ENDPOINT \
+ $CADVISOR_PORT \
+ $DAEMON_ARGS
+
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+RequiredBy=criproxy.service
+
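Review bot: `EnvironmentFile=-/etc/default/kubelet` marks the file as optional, so if it is missing or not yet rendered every `$KUBE*` and `$DAEMON_ARGS` reference expands to nothing and dockershim starts with built-in defaults instead of the node's settings. Dropping the leading `-` turns that into a visible start error. The unit also declares no ordering on the runtime behind `$DOCKER_ENDPOINT`; if Docker runs as `docker.service` on these nodes, `After=docker.service` in `[Unit]` would make that explicit. A short comment such as `# /usr/bin/dockershim is a symlink to criproxy; it reuses the kubelet flags from /etc/default/kubelet` would explain why kubelet variables are passed to this binary.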
diff --git a/kubernetes/files/virtlet/kubelet.conf b/kubernetes/files/virtlet/kubelet.conf
deleted file mode 100644
index 2697cc3..0000000
--- a/kubernetes/files/virtlet/kubelet.conf
+++ /dev/null
@@ -1,150 +0,0 @@
-{%- from "kubernetes/map.jinja" import common with context %}
-{
- "address": "0.0.0.0",
- "allowPrivileged": true,
- "authentication": {
- "anonymous": {
- "enabled": true
- },
- "webhook": {
- "cacheTTL": "2m0s",
- "enabled": false
- },
- "x509": {
- "clientCAFile": ""
- }
- },
- "authorization": {
- "mode": "AlwaysAllow",
- "webhook": {
- "cacheAuthorizedTTL": "5m0s",
- "cacheUnauthorizedTTL": "30s"
- }
- },
- "babysitDaemons": false,
- "cAdvisorPort": 4194,
- "certDirectory": "/var/run/kubernetes",
- "cgroupDriver": "cgroupfs",
- "cgroupRoot": "",
- "cgroupsPerQOS": true,
-{%- if common.get('cloudprovider', {}).get('enabled') %}
- "cloudProvider": "{{ common.cloudprovider.provider }}"
-{%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
- "cloudConfigFile": "/etc/kubernetes/cloud-config.conf",
-{%- endif %}
-{%- else %}
- "cloudProvider": "auto-detect",
-{%- endif %}
-
- "clusterDNS": [
- "10.254.0.10"
- ],
- "clusterDomain": "{{ common.cluster_domain|replace('_', '-') }}",
- "cniBinDir": "/opt/cni/bin",
- "cniConfDir": "",
- "containerRuntime": "docker",
- "containerized": false,
- "contentType": "application/vnd.kubernetes.protobuf",
- "cpuCFSQuota": true,
- "dockerEndpoint": "unix:///var/run/docker.sock",
- "dockerExecHandlerName": "native",
- "enableCRI": true,
- "enableContentionProfiling": false,
- "enableControllerAttachDetach": true,
- "enableCustomMetrics": false,
- "enableDebuggingHandlers": true,
- "enableServer": true,
- "enforceNodeAllocatable": [
- "pods"
- ],
- "eventBurst": 10,
- "eventRecordQPS": 5,
- "evictionHard": "memory.available<100Mi",
- "evictionMaxPodGracePeriod": 0,
- "evictionMinimumReclaim": "",
- "evictionPressureTransitionPeriod": "5m0s",
- "evictionSoft": "",
- "evictionSoftGracePeriod": "",
- "exitOnLockContention": false,
- "experimentalKernelMemcgNotification": false,
- "experimentalQOSReserved": {},
- "featureGates": "DynamicKubeletConfig=true",
- "fileCheckFrequency": "5s",
- "hairpinMode": "promiscuous-bridge",
- "healthzBindAddress": "127.0.0.1",
- "healthzPort": 10248,
- "hostIPCSources": [
- "*"
- ],
- "hostNetworkSources": [
- "*"
- ],
- "hostPIDSources": [
- "*"
- ],
- "hostnameOverride": "",
- "httpCheckFrequency": "20s",
- "imageGCHighThresholdPercent": 90,
- "imageGCLowThresholdPercent": 80,
- "imageMinimumGCAge": "2m0s",
- "imagePullProgressDeadline": "1m0s",
- "iptablesDropBit": 15,
- "iptablesMasqueradeBit": 14,
- "kubeAPIBurst": 10,
- "kubeAPIQPS": 5,
- "kubeReserved": {},
- "kubeletCgroups": "",
- "lockFilePath": "",
- "lowDiskSpaceThresholdMB": 256,
- "makeIPTablesUtilChains": true,
- "manifestURL": "",
- "manifestURLHeader": "",
- "masterServiceNamespace": "default",
- "maxContainerCount": -1,
- "maxOpenFiles": 1000000,
- "maxPerPodContainerCount": 1,
- "maxPods": 110,
- "minimumGCAge": "0s",
- "networkPluginDir": "/etc/cni/net.d",
- "networkPluginMTU": 0,
- "networkPluginName": "cni",
- "nodeIP": "",
- "nodeLabels": {
- "node-role.kubernetes.io/node": "true"
- },
- "nodeStatusUpdateFrequency": "10s",
- "nonMasqueradeCIDR": "10.0.0.0/8",
- "oomScoreAdj": -999,
- "outOfDiskTransitionFrequency": "5m0s",
- "podCIDR": "",
- "podInfraContainerImage": "gcr.io/google_containers/pause-amd64:3.0",
- "podManifestPath": "/etc/kubernetes/manifests",
- "podsPerCore": 0,
- "port": 10250,
- "protectKernelDefaults": false,
- "readOnlyPort": 10255,
- "registerNode": true,
- "registerSchedulable": true,
- "registerWithTaints": [],
- "registryBurst": 10,
- "registryPullQPS": 5,
- "remoteImageEndpoint": "",
- "remoteRuntimeEndpoint": "",
- "resolvConf": "/etc/resolv.conf",
- "rktAPIEndpoint": "localhost:15441",
- "rktPath": "",
- "rktStage1Image": "",
- "rootDirectory": "/var/lib/kubelet",
- "runtimeCgroups": "",
- "runtimeRequestTimeout": "2m0s",
- "seccompProfileRoot": "/var/lib/kubelet/seccomp",
- "serializeImagePulls": true,
- "streamingConnectionIdleTimeout": "4h0m0s",
- "syncFrequency": "1m0s",
- "systemCgroups": "",
- "systemReserved": {},
- "tlsCertFile": "",
- "tlsPrivateKeyFile": "",
- "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
- "volumeStatsAggPeriod": "1m0s"
-}
diff --git a/kubernetes/master/federation.sls b/kubernetes/master/federation.sls
index 2becd61..49f7c5a 100644
--- a/kubernetes/master/federation.sls
+++ b/kubernetes/master/federation.sls
@@ -6,7 +6,7 @@
archive.extracted:
- name: /tmp/kubernetes-client
- source: {{ master.federation.source }}
- {%- if {{ master.federation.get('hash') }} %}
+ {%- if master.federation.get('hash') %}
- source_hash: sha256={{ master.federation.hash }}
{%- endif %}
- tar_options: xzf
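Review bot: `source_hash` is still optional after the Jinja fix, so a pillar without `hash` renders an `archive.extracted` state that fetches `master.federation.source` with no checksum. Depending on the Salt release, that probably either fails at run time or extracts the tarball unverified, and this archive appears to supply the `kubefed` binary used further down. Since the shipped metadata always sets a hash, the `{%- if %}` / `{%- endif %}` pair could be dropped, leaving `- source_hash: sha256={{ master.federation.hash }}` unconditional so that a missing hash fails at render time. The state's ID line is outside the hunk.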
@@ -56,10 +56,11 @@
kubefed_init:
cmd.run:
- - name: kubefed init {{ master.federation.name }} --host-cluster-context=local --kubeconfig=/etc/kubernetes/federation/federation.kubeconfig --federation-system-namespace={{ master.federation.namespace }} --api-server-service-type={{ master.federation.service_type }} --etcd-persistent-storage=false --dns-provider={{ master.federation.dns_provider }} --dns-provider-config=/etc/kubernetes/federation/dns.conf --dns-zone-name={{ master.federation.name }} --image={{ common.hyperkube.image }}
+ - name: kubefed init {{ master.federation.name }} --host-cluster-context=local --kubeconfig=/etc/kubernetes/federation/federation.kubeconfig --federation-system-namespace={{ master.federation.namespace }} --api-server-service-type={{ master.federation.service_type }} --api-server-advertise-address={{ master.apiserver.vip_address }} --etcd-persistent-storage=false --dns-provider={{ master.federation.dns_provider }} --dns-provider-config=/etc/kubernetes/federation/dns.conf --dns-zone-name={{ master.federation.name }} --image={{ common.hyperkube.image }}
- require:
- file: /usr/bin/kubefed
- file: /etc/kubernetes/federation/federation.kubeconfig
+ - timeout: 120
- unless: kubectl get namespace {{ master.federation.namespace }}
{%- if grains.get('noservices') %}
- onlyif: /bin/false
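Review bot: The added `- timeout: 120` interacts badly with the existing `- unless: kubectl get namespace {{ master.federation.namespace }}` guard. If `kubefed init` is killed at the timeout after it has created the namespace (presumably one of its first steps), every later run sees the namespace and skips init, leaving a partly initialised control plane that Salt reports as fine. Guarding on something that only exists once init has completed would keep the state re-runnable. The pillar values on the `kubefed init` line are also interpolated into the shell command unquoted; quoting them (for example `--dns-zone-name='{{ master.federation.name }}'`) keeps a value with spaces or shell metacharacters from changing the command. The state continues past the end of the hunk.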
@@ -92,31 +93,32 @@
# Assumes the following:
# * Pillar data master.federation.childclusters is populated
# * kubeconfig data for each cluster exists in /etc/kubernetes/federation/federation.kubeconfig
-{%- if master.federation.get('childclusters') }
+{%- if master.federation.get('childclusters') %}
{%- for childcluster in master.federation.childclusters %}
-federation_verify_kubeconfig_{{ childcluster }}:
+federation_set_insecure_{{ childcluster }}:
cmd.run:
- - name: kubectl config get-contexts -o name | grep {{ childcluster }}
+ - name: kubectl config set-cluster {{ childcluster }} --insecure-skip-tls-verify=true
- env:
- KUBECONFIG: /etc/kubernetes/federation/childclusters.kubeconfig
- require:
- cmd: kubefed_init
{%- if grains.get('noservices') %}
- onlyif: /bin/false
+ {%- else %}
+ - unless: kubectl --context {{ childcluster }} config view --minify | egrep "insecure-skip-tls-verify. true"
{%- endif %}
-
+
federation_join_cluster_{{ childcluster }}:
cmd.run:
- - name: kubefed join {{ childcluster }} --host-cluster-context=local --context={{ master.federation.name }}
+ - name: kubefed join {{ childcluster }} --host-cluster-context={{ common.cluster_name }} --context={{ master.federation.name }}
- env:
- - KUBECONFIG: /etc/kubernetes/federation.kubeconfig
+ - KUBECONFIG: /etc/kubernetes/federation/childclusters.kubeconfig:/etc/kubernetes/federation/federation.kubeconfig
- require:
- - cmd: verify_kubeconfig_{{ childcluster }}
- - unless: kubectl get clusters | grep {{ childcluster }}
+ - cmd: federation_set_insecure_{{ childcluster }}
+ - unless: kubectl --context {{ master.federation.name }} get clusters | grep {{ childcluster }}
{%- endfor %}
{%- endif %}
{%- endif %}
-
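Review bot: `federation_set_insecure_{{ childcluster }}` unconditionally runs `kubectl config set-cluster {{ childcluster }} --insecure-skip-tls-verify=true`, so every connection made to a child cluster through this kubeconfig skips server certificate verification. Credentials can then be presented to whatever answers at that address. This should be opt-in through a pillar flag that defaults to off, with the default path supplying the child cluster's CA, for example `kubectl config set-cluster {{ childcluster }} --certificate-authority=<ca-path> --embed-certs=true` (where `<ca-path>` is a placeholder). Separately, the join guard `unless: ... get clusters | grep {{ childcluster }}` is a substring match, so a cluster whose name is contained in an already-joined one is silently skipped; anchoring the pattern, as in `grep -E "^{{ childcluster }}[[:space:]]"`, avoids that. The enclosing `{%- if %}` blocks open outside the hunk.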
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index b7884b4..c29d5ee 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -55,7 +55,7 @@
virtlet:
enabled: False
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
cloudprovider:
enabled: False
provider: openstack
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index cf02e33..50e5ce6 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -64,7 +64,7 @@
enabled: False
name: federation
namespace: federation-system
- source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
- hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
+ source: https://dl.k8s.io/v1.7.3/kubernetes-client-linux-amd64.tar.gz
+ hash: 8d66c7912914ac9add514e660fdc8c963b748a7c588c43a14533157a9f0e1c92
service_type: NodePort
dns_provider: coredns
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index de461b3..80ad876 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -63,7 +63,7 @@
virtlet:
enabled: False
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
token:
admin: ${_param:kubernetes_admin_token}
kubelet: ${_param:kubernetes_kubelet_token}
@@ -86,7 +86,7 @@
enabled: False
name: federation
namespace: federation-system
- source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
- hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
+ source: https://dl.k8s.io/v1.7.3/kubernetes-client-linux-amd64.tar.gz
+ hash: 8d66c7912914ac9add514e660fdc8c963b748a7c588c43a14533157a9f0e1c92
service_type: NodePort
dns_provider: coredns
diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index e5e937b..2f40293 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -42,7 +42,7 @@
hosts:
- cmp01
- cmp02
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
master:
admin:
password: password
diff --git a/tests/pillar/master_contrail.sls b/tests/pillar/master_contrail.sls
index 553a220..b562e66 100644
--- a/tests/pillar/master_contrail.sls
+++ b/tests/pillar/master_contrail.sls
@@ -39,7 +39,7 @@
virtlet:
enabled: true
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
hosts:
- cmp01
- cmp02
diff --git a/tests/pillar/master_contrail4_0.sls b/tests/pillar/master_contrail4_0.sls
index 0434f5a..fe63c4a 100644
--- a/tests/pillar/master_contrail4_0.sls
+++ b/tests/pillar/master_contrail4_0.sls
@@ -39,7 +39,7 @@
virtlet:
enabled: true
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
hosts:
- cmp01
- cmp02
diff --git a/tests/pillar/pool_cluster.sls b/tests/pillar/pool_cluster.sls
index 7e281b4..35523bb 100644
--- a/tests/pillar/pool_cluster.sls
+++ b/tests/pillar/pool_cluster.sls
@@ -18,7 +18,7 @@
virtlet:
enabled: true
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
hosts:
- cmp01
- cmp02
diff --git a/tests/pillar/pool_cluster_with_domain.sls b/tests/pillar/pool_cluster_with_domain.sls
index 0a05b00..595e39e 100644
--- a/tests/pillar/pool_cluster_with_domain.sls
+++ b/tests/pillar/pool_cluster_with_domain.sls
@@ -18,7 +18,7 @@
virtlet:
enabled: true
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
hosts:
- cmp01
- cmp02
diff --git a/tests/pillar/pool_contrail4_0.sls b/tests/pillar/pool_contrail4_0.sls
index 95c9a27..bdd87b7 100644
--- a/tests/pillar/pool_contrail4_0.sls
+++ b/tests/pillar/pool_contrail4_0.sls
@@ -18,7 +18,7 @@
virtlet:
enabled: true
namespace: kube-system
- image: mirantis/virtlet:v0.7.0
+ image: mirantis/virtlet:v0.8.0
hosts:
- cmp01
- cmp02