Changelog for kubernetes-salt-4.0.0+git_r1014_2665f91-249.1.noarch.rpm :
Wed Feb 20 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit c67d8f9 by dmaiocchi dmaiocchiAATTsuse.com
Improve states stability
- caasp_etcd.healthy function can fail even if the etcd cluster is
healthy: adding a retry is a better solution for avoiding false failures
during orchs.
- add caasp_service for kubeapi-server.service, with this we are
checking 10 times that the service is running in a row.
( having service.running only can cause false failures)
- fixed some indentation around states.

Wed Feb 20 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 9c06818 by Florian Bergmann fbergmannAATTsuse.de
Use iteritems from six import for python2/3 compatibility.
Fixes bsc#1123497
Commit 1b21219 by Florian Bergmann fbergmannAATTsuse.de
Fix python3 iteration over dictionary.
In python3 python prevents modifying the dictionary that is iterated over.
Instead of modifying the dictionary, a new one is constructed.
Fixes bsc#1123497

Wed Feb 20 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 78435fc by Jordi Massaguer Pla jmassaguerplaAATTsuse.de
use caasp v4 images from SUSE Registry

Tue Feb 19 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit b3b4568 by Markos Chandras mchandrasAATTsuse.de
Jenkinsfile: Switch to dynamic library fetching and drop branch
Instead of having the library hardcoded to Jenkins master, we can fetch it
dynamically. We also drop the usage of library branches since it does not
make sense to maintain such a thing in the CI. The master branch should be
able to handle both development and release branches.

Tue Feb 19 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 4280cf4 by Maximilian Meister mmeisterAATTsuse.de
update critical pod configuration
https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
bsc#1122783
Signed-off-by: Maximilian Meister

Tue Feb 19 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 32d6dbe by Maximilian Meister mmeisterAATTsuse.de
[bsc#1125095] deployment timeout not correctly configured
instead of setting the timeout we were only setting the retries which causes
the timeout to be prolonged too much
Signed-off-by: Maximilian Meister

Tue Feb 19 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit a5d00a8 by Florian Bergmann fbergmannAATTsuse.de
Force basename on the system certificate name to prevent path traversal

Tue Feb 19 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 4f75ad3 by Rafael Fernández López ereslibreAATTereslibre.es
Make nodename appear first on the /etc/hosts file
Salt will pick the first name on the current default interface to determine
the hostname of the machine. Since we are sorting with all entries for each
machine there's a high chance that a salt minion id will win the first
position, affecting certain grains that we use to determine the hostname of
the node.
Fixes: bsc#1117339

Tue Feb 19 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit d0d4384 by Michal Jura mjuraAATTsuse.com
Enable kube-apiserver authentication to the kubelet (bsc#1121146)
Kube-apiserver should authenticate to the kubelet with a client certificate
and key. This is configured with the --kubelet-client-certificate and
--kubelet-client-key flags provided to the API server. Kubelet has to be
started with the --client-ca-file flag or clientCAFile option in the
kubelet-config.yaml file; this provides a CA bundle to verify client
certificates with.
(cherry picked from commit 6309fb22ae122db6e2db2705fe47c1f4ae939ffb)
Commit 1b083a4 by Michal Jura mjuraAATTsuse.com
Disable anonymous access to Kubelet API (bsc#1121146)
(cherry picked from commit dd88fe82fa8a611db1593025b5c61818e7a61999)

Mon Feb 18 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 42c129a by Panos Georgiadis drpaneasAATTgmail.com
Disable insecure port in kube-apiserver (bsc#1121148)

* Fixes bnc#1121148 - Critical Security issue for KubeAPI
Insecure API port exposed to all Master Node guest containers
In older versions of Kubernetes, you could run kube-apiserver
with an API port that does not have any protections around it.
This PR disables the insecure port by passing --insecure-port=0.
In recent versions, this has been disabled by default with the
intention of completely deprecating it.
(cherry picked from commit 01d91482e9a84b05b3b6eaec6a94b7b19ee74ee4)

Thu Feb 14 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit cb017ed by Alvaro Saurin alvaro.saurinAATTgmail.com
Use a writable directory for volume plugins.
Use the same volumes plugins directory for the controller-manager and the kubelet.
bsc#1117942
Signed-off-by: Alvaro Saurin

Wed Feb 13 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 8baefd4 by Panos Georgiadis drpaneasAATTgmail.com
Run flannel in unprivileged mode (bsc#1121153 bsc#1121154)
Fixes bsc#1121153 - High Security issue for Kubernetes: Flannel container
runs in privileged mode
This fix makes sure that flannel runs in unprivileged mode.
This is done by changing the flannel manifests and also adding a new PSP
policy that disables both privileged mode and privilege escalation.
The new PSP activates the 'NET_ADMIN' capability, hostNetwork and
allowedHostPaths.

* Fixes bsc#1121154 - High Security issue for Kubernetes: Flannel container
has read/write access to /run, including docker.sock
Change the path from '/run' into '/run/flannel'
Co-authored-by: chentex
(cherry picked from commit 8216c9ce691c8174eb2fcd66a1a2fecc446ee106)

Wed Feb 13 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 9ceeeab by dmaiocchi dmaiocchiAATTsuse.com
Improve msg of healthy function.
Cluster is too generic, use etcd cluster instead

Thu Feb 7 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 8443e0d by Markos Chandras mchandrasAATTsuse.de
Jenkinsfile: Use docker cmdline directly instead of k8s Jenkins plugin
The tox and flake8 pipelines are the only ones which depend on the k8s
Jenkins plugin. As such, we can use docker directly in order to be able to
drop the plugin from the server. The nodelabel is hardcoded because it does
not make much sense to make this configurable given everything happens on a
container.

Mon Feb 4 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit b91cbbf by Miquel Sabaté Solà msabateAATTsuse.com
caasp_filters: properly parse IP addresses
As it appears, for Python 2 Salt is using a custom module for providing the
ipaddress from Python 3. This implementation turned out to have bugs (e.g.
accepting something70.domain.net as a valid IPv4 record). I've re-implemented
the is_ip functions so they are using socket.inet_pton instead, which should
suffice in our use case.
bsc#1123291

Mon Feb 4 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 73b87c4 by Maximilian Meister mmeisterAATTsuse.de
[bsc#1116049] don't fail timing out on a drain
we want to ensure that the platform 'survives' even if an application is not
'drainable'
it already happened that some applications are getting stuck in a termination
process and won't recover anymore. This can happen for various reasons
(volume not detachable, podDisruptionBudget ...)
as we are using the drain during every update, we are likely to run into this
issue multiple times per cluster
Signed-off-by: Maximilian Meister

Mon Feb 4 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit d1af183 by Miquel Sabaté Solà msabateAATTsuse.com
Added instructions for running unit tests
Signed-off-by: Miquel Sabaté Solà

Thu Jan 31 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit ed1b79e by Maximilian Meister mmeisterAATTsuse.de
adapt flannel config for k8s > 1.12
this is already fixed in higher flannel versions (0.11.1)
see:
https://github.com/coreos/flannel/commit/bc79dd1505b0c8681ece4de4c0d86c5cd2643275
Signed-off-by: Maximilian Meister
Commit b2ae73b by Maximilian Meister mmeisterAATTsuse.de
cadvisor-port flag is not valid anymore
it has been deprecated since 1.10 and now dropped
Signed-off-by: Maximilian Meister

Wed Jan 30 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 9f8728a by Michal Jura mjuraAATTsuse.com
[CPI] Sanitize the values from the pillar (bsc#1122439)

Tue Jan 29 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 7776b4b by Rafael Fernández López ereslibreAATTereslibre.es
Enable `ExperimentalCriticalPodAnnotation` feature gate in the kubelet
Fixes: bsc#1114812

Mon Jan 28 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit a42b893 by Rafael Fernández López ereslibreAATTereslibre.es
Use `jenkins-tox-container` image instead of `jenkins-tox3-container` image.
Maintenance update 9039 on opensuse increased `pluggy` version to 0.6.0. This
rendered `python3-tox` unusable with that pluggy version, as the current
version in OBS requires `pluggy` (pluggy>=0.3.0,<0.4.0).
Since this is making salt pipelines fail we are including the `python3`
environment on the regular `jenkins-tox-container`.
[1] https://build.suse.de/request/show/182868

Wed Jan 16 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 0da4671 by Danny Sauer dsauerAATTsuse.com
Minor cleanup for flake8
Minor changes to fix flake8 warnings
- use raw strings in regex methods
- inline-suppress an incorrect unused variable warning
- update to flake8 version 3.6.0
- switch flake8 config to use new extend-ignore option ("ignore" is an
exclusive list, so overrides the default ignored list)

Wed Jan 16 13:00:00 2019 containers-bugownerAATTsuse.de
- Commit 98c8b40 by Maximilian Meister mmeisterAATTsuse.de
in python3 strings need to be decoded from binary objects
Signed-off-by: Maximilian Meister

Tue Dec 4 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 99a0d11 by Maximilian Meister mmeisterAATTsuse.de
Added migration orchestration.
This orchestration will run transactional-update salt migration to change the
cluster to a new channel.
bsc#1109785
Signed-off-by: Maximilian Meister
Use SUSE official Registry. This package should be in the SUSE namespace (bsc#1118108)

Mon Nov 19 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit bf5feaa by Florian Bergmann fbergmannAATTsuse.de
Use the correct key to access the etcd_version from pillars
Commit 962a830 by Florian Bergmann fbergmannAATTsuse.de
Only add a new etcd member if no alias is already a member
When adding a new member to etcd, it might happen that it is already part of
the cluster using one of the aliases - when migrating from v2 to v3 it seems
common that the default nodename changes.
If this is the case it should not be added again with the new nodename, as
one node can not have 2 etcd members.

Fri Nov 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 97f9dab by emilianolangella emiliano.langellaAATTsuse.com
Fix bsc#1116005: Dex pods should run only on master nodes
Dex pods should run only on master nodes due to firewall/security policies
that could be applied to workers nodes.

Thu Nov 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 11c82a5 by Maximilian Meister mmeisterAATTsuse.de
don't run haproxy states when not really needed
in case of a kubernetes update from 1.9 to 1.10 we can't afford to stop
kubernetes through the haproxy states, because it will not be able to restart
as the --config file flag has changed between those releases
the update orchestration fails in the sanity check of the state
all-workers-3.0-pre-clean-shutdown because the new kubelet configuration is
already applied, but the old kubernetes version is still running before the
reboot
This is a corner case and our other states would have to be adapted as well
to re-run configs when a node gets accidentally rebooted and the config
hasn't been applied yet.
Furthermore this is only an issue coming from v2 during migration to v3 - so
the case that this happens is even rarer.
Trying to run this state on each worker would require a check for
/etc/caasp/haproxy/haproxy.cfg to safely determine if it needs to be run or
not, but it is not possible to use salt runners with a target to determine if
this file exists on all worker nodes.
salt.runners.salt.cmd doesn't accept targets; salt.runners.salt.execute only
exists since salt 2017.7.0, which might not be present yet for a user that
hasn't installed the salt upgrade yet.
bsc#1114645
Signed-off-by: Maximilian Meister

Thu Nov 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit b4c0474 by Michal Jura mjuraAATTsuse.com
Add log rotation options to docker daemon (bug#1114832)

Thu Nov 8 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 9ef0f58 by David Helkowski dhelkowskiAATTsuse.com
Add support for OIDC connectors to dex configmap

Tue Nov 6 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 793d856 by Rafael Fernández López ereslibreAATTereslibre.es
Add a whitelist for returned events so we only save events that we care about
Fixes: bsc#1112967

Tue Oct 30 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit e501ce9 by Rafael Fernández López ereslibreAATTereslibre.es
Fix tests
Commit 90423b6 by Rafael Fernández López ereslibreAATTereslibre.es
* Add more test cases for `caasp_etcd`
* Update to allow `etcdctl` API version 3
Fixes: bsc#1098433 Fixes: bsc#1098064 Fixes: bsc#1098161
Commit e5efa1c by Rafael Fernández López ereslibreAATTereslibre.es
Allow `etcd` to grow as required and shrink to optimal etcd cluster sizes on
corner cases.
Improve `etcd` configuration handling to allow it to grow as needed. This
change includes:
* Adding several masters at the same time
* `etcd` will grow instance by instance still, as recommended by the
`etcd` administration best practices.
* Try to use the current endpoints reported by `etcd`. This makes it much
easier to grow several instances one by one without having to rely
on internal hacks to properly set up the `ETCD_INITIAL_CLUSTER` environment
variable.
* Add helper methods that allow us to list current members (active and
unstarted)
* Differentiate between the first bootstrap (`ETCD_INITIAL_CLUSTER_STATE`
defaults to `new`) and *any* other run, where `ETCD_INITIAL_CLUSTER_STATE`
will be `existing`, as the `etcd` cluster is already running.
When we grow, we take into account the golden ratio; however, when shrinking
the cluster we don't. It might happen that a cluster ends up with a not
recommended etcd number of nodes (2, 4, 6...) depending on how it grew before
and how it shrank.
This logic makes sure that we are always on an etcd golden ratio, also on
corner cases when removing nodes.
Fixes: bsc#1098433 Fixes: bsc#1098064 Fixes: bsc#1098161

Thu Oct 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0d75b49 by Florian Bergmann fbergmannAATTsuse.de
Use the registry configuration mapped from the host node.

Thu Oct 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 641ab4e by Ludovic Cavajani lcavajaniAATTsuse.com
rename aggregator to proxy-client
Signed-off-by: Ludovic Cavajani
Commit 081d260 by Ludovic Cavajani lcavajaniAATTsuse.com
bsc#1108195 Aggregation layer needs configuration
Signed-off-by: Ludovic Cavajani

Wed Oct 10 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 842a528 by Florian Bergmann fbergmannAATTsuse.de
Fix unittests by mocking the __utils__ dictionary of salt.
Fix flake8 errors.
Update flake8 configuration to contain __utils__ as builtin.
Commit dfa86b1 by Florian Bergmann fbergmannAATTsuse.de
Copy the dex configmap before running kubectl_appy_dir_template.
Otherwise there can be a different ordering, in which the configmap file has
not been copied before the 20-deployment.yaml file is rendered by jinja.
Commit 3c7e2ff by Florian Bergmann fbergmannAATTsuse.de
Remove all pkg.installed statements.
Given that caasp right now only runs on transactional-update servers, these
statements are useless - they can never install a package anyhow and will
only fail should the package not be installed already.
Commit ccc3834 by Florian Bergmann fbergmannAATTsuse.de
Cleanup shebang lines: remove unneeded ones, use python3 else.
Commit 5fac8c1 by Florian Bergmann fbergmannAATTsuse.de
Use a salt module to determine base_image_url used for images.
Remove containerfeeder states, if registry images are used.
Commit 15cb59d by Florian Bergmann fbergmannAATTsuse.de
Synchronize grains on minion connect.
Commit a73f3d4 by Alvaro Saurin alvaro.saurinAATTgmail.com
Fix caasp_hosts: use caasp_log utility module instead of importing.
Importing the module would break in python3.
Commit d0371e9 by Florian Bergmann fbergmannAATTsuse.de
Do not ignore etcd members if they were requested without id.
Commit 95119a5 by Florian Bergmann fbergmannAATTsuse.de
Fix Jinja filters for python3.
- Dictionary accesses can no longer be indexed.
- Neither values() nor keys() return an index-accessed datastructure in
python3: in Jinja this means having to use the 'first' filter instead to
access the first element.
get_with_expr returns dict_keys() which don't implement __add__.
Instead, converting them to lists where needed will allow concatenating
those.
Commit 02fa037 by Florian Bergmann fbergmannAATTsuse.de
Add the whole /usr/share/salt/kubernetes/salt folder as module_dir.
Otherwise the _utils/caasp_log.py module will not be available in
orchestrations.
Commit f77ab2f by Florian Bergmann fbergmannAATTsuse.de
Use __utils__ to access the caasp_log utility module.
This is required for python3:
https://docs.saltstack.com/en/latest/topics/utils/index.html
Add caasp_log module to proxy the _utils module.
This allows salt-states and templates to call the module still.

Wed Oct 10 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit d1b7960 by Florian Bergmann fbergmannAATTsuse.de
Fix bsc#1111168: Do not expect masters to always need to be updated
If the masters already updated, but workers failed to update this state will
not have any minions to run on and fail if 'execpt_minions: false' is not
set.

Wed Oct 10 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 84a115f by Florian Bergmann fbergmannAATTsuse.de
Changes has to be a dictionary.
When using a boolean it will fail the state in salt-2018.3.0.
Commit 5bcafd2 by Alvaro Saurin alvaro.saurinAATTgmail.com
Generate the /etc/hosts file from a state, merging our entries with
previously found entries.
bsc#1098334

Wed Oct 10 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 5e37228 by Jordi Massaguer Pla jmassaguerplaAATTsuse.de
use sle12sp3 images from suse registry
Signed-off-by: Jordi Massaguer Pla

Wed Oct 3 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 95c1980 by Rafael Fernández López ereslibreAATTereslibre.es
Always wait for haproxy to be serving requests before continuing.
We could do the wait on the different places to avoid a generic piece like
haproxy having to wait for a specific component like the apiserver, but we
are already writing specific components in its configuration, and a future
reordering of states could trigger this error again.
So, when we kill haproxy, wait for it to be serving requests again before
continuing with the next state.
On the 2 to 3 upgrade this was causing a failure because right after
restarting haproxy we were trying to drain the node. Since we run this
operation on the very same machine that is being targeted, this `kubectl`
command cannot reach the apiserver (because haproxy is still initializing),
causing the whole update orchestration to fail.
Fixes: bsc#1109661

Tue Sep 25 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 310c6ba by Michal Jura mjuraAATTsuse.com
Fix space formatting in apiserver configuration

Thu Sep 6 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 5fee301 by Vicente Zepeda Mas vzepedamasAATTsuse.com
Fix bsc#1099045 adds annotation to use docker/default seccomp profile
Signed-off-by: Vicente Zepeda Mas

Fri Aug 17 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 904eac6 by Kiall Mac Innes kiallAATTmacinnes.ie
Create RoleBinding to allow dex discovery
This RoleBinding allows unauthenticated users (such as those using caasp-cli)
to find the Dex service endpoint.
This was dropped in 3cdcfaedb2d029694a34fbcb147087eccea3e25a
bsc#1104658

Thu Aug 16 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 95898c4 by Vicente Zepeda Mas vzepedamasAATTsuse.com
Fix bsc#1101004 removes unused pillars for transactional updates

Tue Aug 14 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 865e929 by Vicente Zepeda Mas vzepedamasAATTsuse.com
Fix bsc#1101004 removes extra configuration for transactional updates
Signed-off-by: Vicente Zepeda Mas

Tue Aug 14 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1d5c830 by Kiall Mac Innes kiallAATTmacinnes.ie
Reintroduce kubelet drain timeout and abort if draining fails
This is a partial revert of 03d371fc489f4bd0e15da348b60390aa558daf76. We
reintroduce the --timeout flag, leaving --grace-period unset (thus,
inheriting from the Pods terminationGracePeriodSeconds value). Without
this, kubectl drain can hang forever in certain circumstances.
Additionally, should the drain fail, then fail the orchestration. This
ensures that we do not reboot a node which has, for example, SES/Ceph mounts
active, which would in turn cause systemd to hang as the machine is rebooted.
bsc#1104217

Tue Aug 14 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6990731 by Rafael Fernández López ereslibreAATTereslibre.es
Fix `--peer-urls=` argument provide (no quoting)
Commit 8583884 by Rafael Fernández López ereslibreAATTereslibre.es
Pass `ETCDCTL_API` version as an envvar instead of at the command name.
This would not work as what is fork + exec'ed is the `ETCDCTL_API=version`,
which is not found in the `PATH`, causing the whole command to fail.
Besides, each version produces a different output, and the parsing needs to
be updated in order to properly get the member id.
Follow up of https://github.com/kubic-project/salt/pull/622

Thu Aug 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6bc0d83 by Alvaro Saurin alvaro.saurinAATTgmail.com
Set things like the runtime_config and admission_control in the pillar. Minor
cleanups.
feature#cleanups

Thu Aug 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 54e4891 by Rafael Fernández López ereslibreAATTereslibre.es
HAProxy will refuse to start if it cannot resolve any name.
In a context in which cloud-init could be updating the hostnames after
machines are continuing with the update orchestration, we could be writing
one thing to `/etc/hosts` and another one in the `haproxy` configuration,
refusing this one to start because it cannot resolve the new name.
This is easily fixable in a newer HAProxy version by using the `init-addr`
configuration, so HAProxy won't refuse to start if it cannot resolve any
backend (it will just ignore it).
For now, let's make the temporal window as small as possible, making the
`haproxy` init.sls depend on the `etc-hosts` SLS, as it's *so* dependent on
it.
However, this is not in any way an ideal fix; rather a way to make this
problematic window as small as possible.
Fixes: bsc#1097478

Thu Aug 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 2872769 by Nirmoy Das ndasAATTsuse.de
add default network policy for kube-dns and dex

Thu Aug 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 9629ada by Maximilian Meister mmeisterAATTsuse.de
read ETCDCTL_API version from the pillar
upgrade#etcdctl
Signed-off-by: Maximilian Meister
Commit 30907a3 by Michal Jura mjuraAATTsuse.com
fix migration script from etcd2 to etcd3
Commit 129466a by Michal Jura mjuraAATTsuse.com
update etcdctl sysconfig with ENDPOINTS flag
Commit a02ac2e by Maximilian Meister mmeisterAATTsuse.de
switch to etcd3 as a storage back-end
upgrade#etcdctl
Fixes: bsc#1098433
Fixes: bsc#1098064
Fixes: bsc#1098161
Signed-off-by: Maximilian Meister

Thu Aug 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 241bc5f by Alvaro Saurin alvaro.saurinAATTgmail.com
Updated diagrams for docs
feature#docs

Tue Aug 7 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 5a466f7 by Kiall Mac Innes kiallAATTmacinnes.ie
Update salt version used for tests to 2018.3.0

Mon Aug 6 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3c67ad3 by Florian Bergmann fbergmannAATTsuse.de
Allow states targeting specific versions of caasp to have no nodes.
Otherwise the states would fail if no nodes are returned in the `tgt`
expression.
Commit c7550b2 by Florian Bergmann fbergmannAATTsuse.de
Adjust network_settings config format for salt 2018.3.0.
Before this release the format did not use the \'interfaces\' key.
Commit bd20320 by Florian Bergmann fbergmannAATTsuse.de
Use a reactor to sync modules and update mine on minion start.
Commit a7a3273 by Florian Bergmann fbergmannAATTsuse.de
Force the 15-secret.yaml file to be created first in dex.
Otherwise the kubectl_apply_dir_template macro will fail, as the file does
not exist when it tries to run `salt.hashutil.digest` on it.
Commit a79c041 by Florian Bergmann fbergmannAATTsuse.de
Add missing __virtual__ functions to execution modules.
(Attempt to make the automatic synchronization work for custom execution
modules - seems not to work)

Sat Aug 4 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6b7abdb by Maximilian Meister mmeisterAATTsuse.de
remove deprecated flag
see https://github.com/kubernetes/kubernetes/pull/58968
k8s#1.11
Signed-off-by: Maximilian Meister

Mon Jul 30 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 67e276c by Michal Jura mjuraAATTsuse.com
[CPI] Add self-signed certificate to CPI configuration, bsc#1101973

Tue Jul 24 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit f93b74b by Michal Jura mjuraAATTsuse.com
Fix and remove empty lines in OpenStack cpi config

Mon Jul 23 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 66cafde by Kiall Mac Innes kiallAATTmacinnes.ie
Configure addon pod affinity
Sometimes, Kubernetes will schedule all replicas of an addon to the same
machine, defeating much of the purpose of running multiple replicas.
Configure all addons with affinity rules to encourage Kubernetes to spread
these pods around the available machines.
bsc#1101805

Thu Jul 19 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit c02c3ec by Michal Jura mjuraAATTsuse.com
Move deprecated flags to kubelet config.yaml

Mon Jul 16 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit f0a0ac1 by Rafael Fernández López ereslibreAATTereslibre.es
Batch potentially dangerous and massive operations.
Fixes: bsc#1101124

Thu Jul 12 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit d03c2fa by Rafael Fernández López ereslibreAATTereslibre.es
Add haproxy migration sls to apply during upgrade
During an upgrade from 2.0 to 3.0, workers will lose communication with the
apiservers on the master nodes because of an auth change. After we have
applied all the master nodes, and before we start looping over the workers,
apply haproxy system-wide on all the workers, allowing their haproxy to
update its configuration, thus, being able to authenticate against the
apiservers again.
This patch includes a new tree structure, meant to be destroyed between
versions, but that allows to not poison the main structure of states with
transient migration logic. The structure is as follows:
- migrations
  - overriden-sls/
  - (direct actions that can spawn other migration tasks)
Fixes: bsc#1100212
Commit f190a7a by Rafael Fernández López ereslibreAATTereslibre.es
Migrate all labels when renaming a node (builtin and user-defined labels).
Fixes: bsc#1100891
Commit a7e1b72 by Rafael Fernández López ereslibreAATTereslibre.es
Only perform migrations on machines that are going to be updated.
On an upgrade process we are going to perform different migrations; only
perform these migrations on machines that are part of the current subset of
machines to be updated.
Fixes: bsc#1100115

Mon Jul 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit a609b3c by David Helkowski dhelkowskiAATTsuse.com
Add configmap from pillar data to dex ldap connectors
(fate#324601)

Fri Jul 6 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 8ded363 by Michal Jura mjuraAATTsuse.com
[CPI] Add option to ignore OpenStack Cinder availability zone, bsc#1095572
Ignore OpenStack Cinder availability zone when attaching volumes. When Nova and
Cinder have different availability zones, this should be set to true. Default
is false.

Thu Jul 5 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit fd3507f by Kiall Mac Innes kiallAATTmacinnes.ie
Stop kubelet before any other services
Explicitly stop kubelet before any other services. If cri.stop is run in
parallel to or before kubelet.stop, kubelet will be unable to successfully
drain.
bsc#1085980

Fri Jun 22 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 8a746bc by Flavio Castelli fcastelliAATTsuse.com
Do not install recommends
Instruct salt to not install recommended packages.
feature#do-not-install-recommends
Signed-off-by: Flavio Castelli

Thu Jun 21 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 97d8178 by Rafael Fernández López ereslibreAATTereslibre.es
Call to `mine.update` after `saltutil.sync_pillar` has been called.
During an upgrade we want to call to `mine.update` after
`saltutil.sync_pillar` has been called, because the `mine_functions` reside
on the pillar, we first want to make sure to sync that, and update the mine
afterwards. Otherwise, we risk doing this in a race condition when the salt
minion starts, and it could or could not lead to update orchestration
failure.
Fixes: bsc#1097478

Tue Jun 19 14:00:00 2018 containers-buildsAATTsuse.de
- Commit 45b8f7b by Maximilian Meister mmeisterAATTsuse.de
explicitly pass unix_socket
this affects only kubic for now where we use PyMySQL
we can't use the MYSQL_UNIX_PORT workaround anymore as we could do with
MySQLdb
salt#mysql-unix-socket
Signed-off-by: Maximilian Meister

Mon Jun 18 14:00:00 2018 containers-buildsAATTsuse.de
- Commit de8bd66 by Maximilian Meister mmeisterAATTsuse.de
override volume plugin dir (bsc#1084766)
kubernetes 1.10 uses /usr/libexec by default which doesn't exist, and we want
to stick with /usr/lib
Signed-off-by: Maximilian Meister

Mon Jun 18 14:00:00 2018 containers-buildsAATTsuse.de
- Commit 5804349 by Alvaro Saurin alvaro.saurinAATTgmail.com
Move the early services setup even before updating the masters (we can do
this by removing some unnecessary dependencies).
bsc#1096992

Fri Jun 15 14:00:00 2018 containers-buildsAATTsuse.de
- Commit ba20582 by Alvaro Saurin alvaro.saurinAATTgmail.com
Try to load the manifests once we have at least one updated master.
bsc#1096992

Fri Jun 15 14:00:00 2018 containers-buildsAATTsuse.de
- Commit 180e545 by Alvaro Saurin alvaro.saurinAATTgmail.com
Early setup some services on updates.
Removed "allowedFlexVolumes" in PSP (as it doesn't pass the API verification in 2.1)
bsc#1096992

Wed Jun 13 14:00:00 2018 containers-buildsAATTsuse.de
- Commit a4480ed by Alvaro Saurin alvaro.saurinAATTgmail.com
Do not set the `bootstrap_complete` flag in all the nodes: do it only in the
nodes that had some role assigned. Remove the `bootstrap_in_progress` even if
the orchestration fails. Fixed typo in target.
bsc#1094078

Wed Jun 13 14:00:00 2018 containers-buildsAATTsuse.de
- Commit cf5b83b by Rafael Fernández López ereslibreAATTereslibre.es
Remove mine information when removing a node
This will avoid rendering stale information about critical components, like
`etcd` endpoints in the `etcd` configuration.
`etcd` is very sensitive to this kind of misleading (stale) information, if
more endpoints are provided in `ETCD_INITIAL_CLUSTER` than the ones that
actually exist in the cluster, a new instance of etcd will refuse to start.
Fixes: bsc#1097001 Fixes: bsc#1097147

Mon Jun 11 14:00:00 2018 containers-buildsAATTsuse.de
- Commit 23ce1f2 by Rafael Fernández López ereslibreAATTereslibre.es
Force `etc-hosts` sls to be run before `etcd`
Before the real update orchestration happens we are updating etcd
certificates, so this machine isn't left isolated. However, in this process,
the configuration for etcd might refer to the new machine names if this
happens during the upgrade of 2.0 to 3.0. This might leave the etcd instances
in a state in which they cannot resolve other etcd peer names (because their
`/etc/hosts` file is outdated).
In order to prevent this, force the `etc-hosts` sls to be run before we
execute the `etcd` sls, so we are sure that `/etc/hosts` will contain both
the old and the new names during the upgrade, and etcd will be able to refer
to other peers using the new hostnames.
Fixes: bsc#1096750

Mon Jun 11 14:00:00 2018 containers-buildsAATTsuse.de
- Commit ec6238c by Rafael Fernández López ereslibreAATTereslibre.es
Also stop `kubelet` on masters when performing an upgrade
If some important change lands between Kubernetes updates, it might happen
that since we don't disable the `kubelet` service on the master nodes, when
the machine gets rebooted, `systemd` will try to start the
`kubelet` service, failing in a burst mode.
This will prevent our salt states from trying to start it again, because the
service will be in a failed state. Stop the service and disable it on the
masters too when we are performing an upgrade, this way we are sure that
we'll try to start and enable it when we have performed the required changes
for it to succeed.
Fixes: bsc#1096768

Wed Jun 6 14:00:00 2018 containers-buildsAATTsuse.de
- Commit c77b0ee by Alvaro Saurin alvaro.saurinAATTgmail.com
Use the cache whenever something bad happens when refreshing the Pillar from
Velum.
bsc#1093123

Tue Jun 5 14:00:00 2018 containers-buildsAATTsuse.de
- Commit 450cfdb by Alvaro Saurin alvaro.saurinAATTgmail.com
Perform some checks before starting the node removal.
feature#node_removal
Fixes: bsc#1098433
Fixes: bsc#1098064
Fixes: bsc#1098161

Fri Jun 1 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 33b39b3 by Alvaro Saurin alvaro.saurinAATTgmail.com
Skip nodes that are being removed in the list of servers in haproxy.
bsc#1095330
Commit 8484c28 by Alvaro Saurin alvaro.saurinAATTgmail.com
Fix the "targets" priorities for getting nodes for replacements. Minor: use
the same pattern for targeting nodes in removals.sls
as in kubernetes.sls. Do not use "unassigned" nodes when looking for
replacements. Minor improvements
bsc#1095336 bsc#1094078
Commit b80c8f1 by Alvaro Saurin alvaro.saurinAATTgmail.com
Minor cleanups and "beautifications"
feature#cleanups

Thu May 31 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0979191 by Florian Bergmann fbergmannAATTsuse.de
Remove 'range' imports from six.
There were problems when running 'salt' using these imports and the
difference in semantics seems not significant.

Thu May 31 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 138358b by David Cassany dcassanyAATTsuse.de
Spec update

* make use of %license macro

* update image prefix for sle15

Fri May 25 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 2a6eb07 by Rafael Fernández López ereslibreAATTereslibre.es
Remove unsupported `--require-kubeconfig` argument deprecated in Kubernetes
(and removed in 1.10)
Fixes: bsc#1094217

Thu May 24 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 200ee84 by Florian Bergmann fbergmannAATTsuse.de
Use six compatibility library to make modules 2 and 3 compatible.

Wed May 23 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit ccde36b by Maximilian Meister mmeisterAATTsuse.de
fix crio reload and drop a duplicated reload watcher
fix#reload
Signed-off-by: Maximilian Meister
Commit 9a47960 by Maximilian Meister mmeisterAATTsuse.de
fix docker reload again
it apparently doesn't work to use service.running to do the reload. using
cmd.run is reliable
fix#reload-cert
Signed-off-by: Maximilian Meister

Tue May 22 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 7a0c421 by Kiall Mac Innes kiallAATTmacinnes.ie
Run CollaboratorCheck as part of unit test job

Tue May 22 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit a4dfabb by Kiall Mac Innes kiallAATTmacinnes.ie
Fix module tests on python3

Tue May 22 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 8b75460 by Rafael Fernández López ereslibreAATTereslibre.es
Log all CRI issues as we go, and show them if we really timeout
Related: bsc#1093918

Tue May 22 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 987f865 by Kiall Mac Innes kiallAATTmacinnes.ie
Allow salt tests to be ran via tox and Jenkins
Example to run them locally:
tox -e tests-salt-2016.11.4-py27
or:
tox -e tests-salt-2016.11.4-py34

Mon May 21 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit becdf82 by Kiall Mac Innes kiallAATTmacinnes.ie
Add Collaborator Check to flake8 job

Mon May 21 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3935f83 by Kiall Mac Innes kiallAATTmacinnes.ie
Add Collaborator Check to flake8 job

Mon May 21 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit b5a6432 by Maximilian Meister mmeisterAATTsuse.de
also reload docker when certificates change
fix#reload-certs
Signed-off-by: Maximilian Meister

Mon May 21 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 34d9f0 by Ty Daines and Florian Bergmann
fix bsc#1091809: pillar and openstack config can use project and
domain ids
(cherry picked from commit 37556bb)

Sat May 19 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 8fa6128 by Flavio Castelli fcastelliAATTsuse.com
Add support for kube API auditing
Allow users to enable kubernetes API server auditing feature.
The auditing will produce an audit log file locally that can then be pushed
to a central logging solution (eg: by using a fluentd daemonset running on
the master nodes).
By default there's no auditing in place. This is enabled only when the user
provides a value for each one of the new pillars introduced by this commit.
feature#kube-api-audit fate#325337
Signed-off-by: Flavio Castelli

Fri May 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 4497dac by Flavio Castelli fcastelliAATTsuse.com
Remove unneeded state
The registries state is something from the early days of caasp. Something we
don't need (and use) anymore.
feature#remove-unneeded-code-registries
Signed-off-by: Flavio Castelli

Fri May 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit b501d9f by Flavio Castelli fcastelliAATTsuse.com
Provide configuration to transactional-update
Fixes bsc#1088675
Signed-off-by: Flavio Castelli

Fri May 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 22a3b23 by Florian Bergmann fbergmannAATTsuse.de
Install system wide certificates from pillars.
`cert`-state will install the certificates as trust anchors.
fixes bsc#1090067

Fri May 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6c4ec0c by Maximilian Meister mmeisterAATTsuse.de
skip removed etcd servers (bsc#1093305)
Signed-off-by: Maximilian Meister

Fri May 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 03d371f by Rafael Fernández López ereslibreAATTereslibre.es
Remove default grace period and timeout when draining a node.
By default, the grace period is -1, or whatever the pod specifies on its
`terminationGracePeriodSeconds` spec. The pod can know better than us what it
needs to cleanly stop, and we don't need to apply arbitrary timeouts. If this
is not specified, the default `terminationGracePeriodSeconds` value is 30
seconds. After this grace termination period, a SIGKILL will be sent to the
process when evicting pods.
Aside from this, we should have an "infinite" timeout. Given that this
process doesn't stall, it's safer to perform this operation until it
succeeds. If we have proof that this is causing problems we should add a
timeout, but in general the draining process should not hang.
The alternative is in reality the real problem: if we timeout the draining
process, it can happen that certain pods with remote volumes (nfs, rbd...)
are never evicted, and when we go to restart the machine it hangs, because
systemd fails to kill the processes when there are active mounts.
Since there are no sensible defaults for the grace period and for the global
timeout, it is better to leave the first one to the pod definition, and the
second one to just "infinite" until we really hit an issue because of this.
Fixes: bsc#1085980

Thu May 17 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 876f7c7 by Rafael Fernández López ereslibreAATTereslibre.es
Lower the per-request timeout when we are checking for successful query
When we are waiting for some service to be up, if the request hangs for some
reason, we want to retry at least several times. Without setting this value
explicitly, it takes the default (`http_request_timeout` as 3600), what is
way over our `wait_for` argument set at 300 seconds.
By setting the default `http_request_timeout` to a more reasonable default
when doing this kind of checks we can ensure that the request itself will
timeout several times before we call it done.
Fixes: bsc#1093540 Fixes: bsc#1093685
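The timeout arithmetic behind this commit, as an added illustration that is not code from the kubernetes-salt project: a simulation of polling a service with an overall `wait_for` window of 300 seconds and a per-request timeout, showing that with the default `http_request_timeout` of 3600 seconds a single hung request eats the whole window, while a lower per-request timeout allows several retries. The `poll_until_ready` and `hanging_then_ready` functions, and the request behaviour they model, are constructed for this example; the 300 and 3600 second values are the ones stated in the commit message.

```python
"""Added example (not from the kubernetes-salt repository): why the per-request
timeout must be shorter than the overall wait when polling a service.

Each request is modelled as taking some number of seconds; a "hung" request
never returns within any timeout, so the caller abandons it after the
per-request budget. We count how many attempts fit inside the window.
"""


def poll_until_ready(request_fn, wait_for, request_timeout):
    """Poll `request_fn` until it reports success or `wait_for` seconds elapse.

    `request_fn(timeout)` is a hypothetical stand-in for an HTTP GET; it returns
    (succeeded, seconds_spent). A request is abandoned after `request_timeout`
    seconds, so a hung request costs at most that much of the budget.
    Returns (succeeded, attempts, elapsed_seconds).
    """
    elapsed = 0.0
    attempts = 0
    while elapsed < wait_for:
        attempts += 1
        # Budget for this attempt: the per-request timeout, capped by whatever
        # remains of the overall window.
        budget = min(request_timeout, wait_for - elapsed)
        ok, spent = request_fn(budget)
        elapsed += min(spent, budget)
        if ok:
            return True, attempts, elapsed
    return False, attempts, elapsed


def hanging_then_ready(ready_after_attempts):
    """Constructed request behaviour: the first N-1 requests hang forever
    (never return within any timeout); the N-th succeeds in one second."""
    state = {"calls": 0}

    def request(timeout):
        state["calls"] += 1
        if state["calls"] < ready_after_attempts:
            # Hung request: the caller gives up after `timeout` seconds.
            return False, float("inf")
        return True, 1.0

    return request


def attempts_with_default_timeout():
    """Default http_request_timeout (3600 s) with wait_for 300 s: one hung
    request consumes the whole window, so there is exactly one attempt."""
    return poll_until_ready(hanging_then_ready(3), wait_for=300, request_timeout=3600)


def attempts_with_lowered_timeout():
    """A 30 s per-request timeout (constructed value) lets the same service be
    reached on the third attempt, well inside the 300 s window."""
    return poll_until_ready(hanging_then_ready(3), wait_for=300, request_timeout=30)
```

The first scenario returns after a single attempt with no success; the second succeeds on the third attempt after about 61 simulated seconds. The general rule the commit relies on is that the number of retries available is roughly `wait_for / http_request_timeout`, which is below one with the defaults.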

Thu May 17 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit b13d89a by Rafael Fernández López ereslibreAATTereslibre.es
Only remove the master grains if there are any masters to be updated.
The `salt.function` call will be marked as failed if there were no minions to
target. Make sure that we only run this step if we know that we'll have some
targets available.
Fixes: bsc#1093491

Thu May 17 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit c93d25d by Alvaro Saurin alvaro.saurinAATTgmail.com
Queue the /etc/hosts update when triggered from a reactor.
Fixes part of bsc#1093123

Wed May 16 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit bc4b7ae by Alvaro Saurin alvaro.saurinAATTgmail.com
Updated diagrams
feature#docs

Wed May 16 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 442a76c by Rafael Fernández López ereslibreAATTereslibre.es
Make HAProxy work as an http proxy instead of a tcp proxy.
This allows us to add fine-grained timeouts depending on the endpoint being
accessed or with what parameters (e.g. /log?follow=true should have no
timeout as happens on the apiserver). /exec is another example, but in this
case the protocol is upgraded to spdy.
Fixes: bsc#1071994

Tue May 15 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 4b37cb9 by Maximilian Meister mmeisterAATTsuse.de
fix eviction-hard path
feature#compute-resources
bsc#1086185
Signed-off-by: Maximilian Meister

Tue May 15 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 177f774 by Kiall Mac Innes kiallAATTmacinnes.ie
Add JUnit output
Commit 28e522e by Kiall Mac Innes kiallAATTmacinnes.ie
Update README with style check steps
Commit 248c228 by Kiall Mac Innes kiallAATTmacinnes.ie
Fixup python code style issues
Commit 4712a69 by Kiall Mac Innes kiallAATTmacinnes.ie
Add flake8 job

Tue May 15 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6de5432 by Kiall Mac Innes kiallAATTmacinnes.ie
Add Housekeeping Job

Fri May 11 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1657de5 by Flavio Castelli fcastelliAATTsuse.com
Add missing cri-o removal states
This is required to fix node removal on clusters using CRI-O as CRI.
Fixes bsc#1092614
Signed-off-by: Flavio Castelli

Wed May 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit e286f9b by Flavio Castelli fcastelliAATTsuse.com
Make crictl handling more robust
Some of our states are now depending on `crictl` tool. All these states have
to depend on the `kubelet service.running` one, otherwise the
`crictl` socket won't be available and the state will fail.
Also, with these changes, the "blame" of a failure should point directly to
the guilty (`kubelet` service not running for whatever reason) instead of
falling on the `haproxy` one.
Finally, the check looking for `crictl` socket has been changed to ensure the
socket file exists and the service is actually listening.
This will help with bugs like bsc#1091419
Signed-off-by: Flavio Castelli
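The distinction this commit draws, "the socket file exists" versus "something is actually listening on it", as an added example that is not code from the kubernetes-salt project. A socket inode left behind by a crashed runtime passes the first test and fails the second. The `socket_listening` function and the three constructed socket paths in `demo` are assumptions made for this illustration; the check uses only the Python standard library.

```python
"""Added example (not from the kubernetes-salt repository): verify that a Unix
domain socket, such as the one crictl talks to, has a live listener behind it
rather than merely existing on disk.
"""
import os
import shutil
import socket
import stat
import tempfile
import threading


def socket_listening(path, timeout=1.0):
    """Return True only if `path` is a Unix socket and a connect() succeeds.

    A missing file (ENOENT), a regular file (not a socket) and a stale socket
    inode with no server (ECONNREFUSED) all return False: none of them means
    the runtime is ready.
    """
    try:
        if not stat.S_ISSOCK(os.stat(path).st_mode):
            return False
    except OSError:
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.settimeout(timeout)
        try:
            client.connect(path)
        except OSError:
            return False
    return True


def demo():
    """Constructed scenario: a live listener, a stale socket file and a
    missing path, all under a temporary directory. Returns the three results."""
    tmp = tempfile.mkdtemp()
    live = os.path.join(tmp, "live.sock")
    stale = os.path.join(tmp, "stale.sock")
    missing = os.path.join(tmp, "missing.sock")
    try:
        # Live socket: a server thread accepts a single connection.
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(live)
        server.listen(1)

        def accept_one():
            conn, _ = server.accept()
            conn.close()

        worker = threading.Thread(target=accept_one, daemon=True)
        worker.start()

        # Stale socket: bound by a "runtime" that then goes away without
        # unlinking the file. The inode stays; connect() is refused.
        gone = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        gone.bind(stale)
        gone.close()

        results = (socket_listening(live),
                   socket_listening(stale),
                   socket_listening(missing))
        worker.join(timeout=2)
        server.close()
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

Only the live socket reports ready; the stale inode, which an existence-only check would accept, is correctly rejected. A Salt state built on such a check can therefore depend on the `kubelet` service being up rather than on a file that may have outlived its owner.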

Wed May 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit bcf5415 by Flavio Castelli fcastelliAATTsuse.com
kubelet: allow resource reservation
Allow kubelet to take into account resource reservation and eviction
threshold.
== Resource reservation ==
It's possible to reserve resources for the `kube` and the `system`
components.
The `kube` component is the one including the kubernetes components: api
server, controller manager, scheduler, proxy, kubelet and the container
engine components (docker, containerd, cri-o, runc).
The `system` component is the `system.slice`, basically all the system
services: sshd, cron, logrotate,...
By default don't specify any kind of resource reservation. Note well: when
the resource reservations are in place kubelet will reduce the amount of
resources allocatable by the node. However *no* enforcement will be done
on either the `kube.slice` or the `system.slice`.
This is not happening because:

* Resource enforcement is done using cgroups.

* The slices are created by systemd.

* systemd doesn't manage all the available cgroups yet.

* kubelet tries to manage cgroups that are not handled by systemd,
resulting in the kubelet failing at startup.

* Changing the cgroup driver to `systemd` doesn't fix the issue.
Moreover enforcing limits on the `system` and the `kube` slices can lead to
resource starvation of core components of the system. As advised even by the
official kubernetes docs, this is something that only expert users should do
only after extensive profiling of their nodes.
Finally, even if we wanted to enforce the limits, the right place would be
systemd (by tuning the slice settings).
For more information see the official documentation:
https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
== Eviction threshold ==
By default no eviction threshold is set.
bsc#1086185
Signed-off-by: Flavio Castelli

Tue May 8 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 964deee by Maximilian Meister mmeisterAATTsuse.de
add condition to KUBE_ADMISSION_CONTROL
bsc#1092140
Signed-off-by: Maximilian Meister
Commit eaab500 by Maximilian Meister mmeisterAATTsuse.de
fix conflicting sls ids
they need to be globally unique
orch error happened when setting psp to false in params.sls
partially fixes https://bugzilla.suse.com/show_bug.cgi?id=1092140
bsc#1092140
Signed-off-by: Maximilian Meister

Tue May 8 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 843a9a4 by Jordi Massaguer Pla jmassaguerplaAATTsuse.de
update version to 4.0.0+dev

Mon May 7 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 8388498 by Alvaro Saurin alvaro.saurinAATTgmail.com
Try to resist existent data in the mine
https://bugzilla.suse.com/show_bug.cgi?id=1091361
bsc#1091361

Thu May 3 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0294ed9 by Alvaro Saurin alvaro.saurinAATTgmail.com
Do not try to use the mine when we can get the same information with a
module.
(cherry picked from commit dfd3b8a6a65c7d969466b09a1f20536a525ae42a)
bsc#1091077

Wed May 2 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 17e9533 by Kiall Mac Innes kiallAATTmacinnes.ie
Harden the waiting for CRI socket to become active

* Allow more time for the CRI socket to become active - 20 seconds

* Explicitly fail if the socket does not become active within this
time.
Related to bsc#1091419

Sun Apr 29 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit c03b41d by Alvaro Saurin alvaro.saurinAATTgmail.com
Retry the `wait_for_http` when waiting for the API server. Use the same
cleanup.post-orchestration that the forced removal uses. Some other removal
orchestration fixes and improvements.
feature#node_removal

Fri Apr 27 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 03242db by Kiall Mac Innes kiallAATTmacinnes.ie
Fix caasp_etcd.get_member_id error handling
caasp_etcd.get_member_id was referencing a variable that doesn't exist.

Thu Apr 26 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit c3b81a6 by Flavio Castelli fcastelliAATTsuse.com
Ensure swap is disabled before kubelet is started
We have to ensure the swap state is executed before the kubelet service is
started, otherwise kubelet won't run and this will lead to issues like the
ones causing bsc#1090337
Signed-off-by: Flavio Castelli

Wed Apr 25 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 24bea3d by Nirmoy Das ndasAATTsuse.de
cni: add cilium as alternate to flannel plugin

Tue Apr 24 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1fd2a98 by Alvaro Saurin alvaro.saurinAATTgmail.com
Remove leftover file
feature#node_removal

Tue Apr 24 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit e1b9c75 by Kiall Mac Innes kiallAATTmacinnes.ie
Update tiller tag to 2.8.2
This matches the tag used in the updated image via SR#162727.

Tue Apr 24 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3e70e4f by Alvaro Saurin alvaro.saurinAATTgmail.com
Use get_with_expr()
feature#node_removal
Commit b4d09dd by Alvaro Saurin alvaro.saurinAATTgmail.com
Convert integers in the pillar to real integers. Unit tests for the
get_pillar() function.
See https://trello.com/c/O7daOErL
feature#node_removal
Commit 0d65d79 by Alvaro Saurin alvaro.saurinAATTgmail.com
Fix: do not include the current node in the list
of endpoints when adding a new member. Unit tests for the etcd module.
See https://trello.com/c/O7daOErL
feature#node_removal
Commit 399f7ea by Alvaro Saurin alvaro.saurinAATTgmail.com
Try to resist unresponsive nodes when removing a node.

* the replacement will not be chosen from
the unresponsive nodes

* affected nodes will exclude them too. Possibility to skip any action on
the target (with the `skip` pillar), so we can remove unresponsive targets
while still looking for replacements.
See https://trello.com/c/O7daOErL
feature#node_removal

Tue Apr 24 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit f80f752 by Alvaro Saurin alvaro.saurinAATTgmail.com
Don't remove some things that are not so important.
feature#node_removal

Mon Apr 23 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 44798f4 by Rafael Fernández López ereslibreAATTereslibre.es
Use `expr_form` instead of `tgt_type` until we update salt
This is producing an error on our current salt version:
`Rendering SLS 'base:cleanup.remove-post-orchestration' failed: Jinja error:
get() got an unexpected keyword argument 'tgt_type'`
Go back to using `expr_form` until we update.
feature#deployment-stability

Mon Apr 23 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 352e4f5 by Rafael Fernández López ereslibreAATTereslibre.es
Always remove the "we are removing a machine" grain from the cluster
Even if the `removal` orchestration has failed, we want to remove this grain
from the cluster, or the subsequent `etc-hosts` orchestrations won't be
executed if a removal failed.
feature#deployment-stability

Mon Apr 23 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit f2190ca by Alvaro Saurin alvaro.saurinAATTgmail.com
Instead of running things on the forced-removal orchestration, move actions
to SLS files (so they can be shared with the regular removal orchestration).
feature#node_removal

Sat Apr 21 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6d5dcda by Federico Ceratto federico.cerattoAATTsuse.de
Stop using __opts__ and os_data()
bsc#1087115

Fri Apr 20 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit ec9c37c by Flavio Castelli fcastelliAATTsuse.com
Introduce feature-gates pillar
Allow feature gates to be toggled via a dedicated pillar.
feature#feature-gates

Thu Apr 19 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 165baf2 by Federico Ceratto federico.cerattoAATTsuse.de
Switch caasp_nodename to using __opts__
bsc#1087115

Wed Apr 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 52b61c2 by Flavio Castelli fcastelliAATTsuse.com
crio: fix upgrade orchestration
Ensure everything is fine on the admin node
feature#crio
Signed-off-by: Flavio Castelli
Commit 33256f0 by Flavio Castelli fcastelliAATTsuse.com
crio: cleanup code
Several changes to reflect the feedback got on the pull request.
feature#crio
Signed-off-by: Flavio Castelli
Commit f62aaec by Flavio Castelli fcastelliAATTsuse.com
Do not rely on salt virtual_subtype grain
The `virtual_subtype` grain cannot be used to identify salt minions that are
running inside of containers started by kubernetes.
The salt core code sets this grain to `Docker` by looking at the cgroup
hierarchy of PID 1 on the minion.
On regular docker container (not managed by kubernetes!) the cgroup hierarchy
includes a `docker` slice. However all the containers started by kubelet are
placed under the `kubepods` slice.
Right now the only salt minion running inside of a container is the `ca` one,
which can be easily identified by looking at its roles.
This commit changes our salt states to use roles instead of the unreliable
`virtual_subtype` grain.
feature#crio
Signed-off-by: Flavio Castelli
Commit 569c9aa by Flavio Castelli fcastelliAATTsuse.com
Extend motd
Show information about the container runtime used on the node.
feature#crio
Signed-off-by: Flavio Castelli
Commit 1bae9eb by Flavio Castelli fcastelliAATTsuse.com
Remove unused cri abstractions
cri-o doesn't yet have a way to copy files from the host into its running
containers. Fortunately this feature is required only on the admin node,
which is still using docker.
This commit removes some of the abstractions introduced to be able to copy
files into running containers.
We will revert this commit later on, once we migrate the admin node to use
cri-o.
feature#crio
Signed-off-by: Flavio Castelli
Commit 0c7a2b2 by Flavio Castelli fcastelliAATTsuse.com
Fix issue caused by velum pillar override
Pillars set by velum are going to override what is set via the
`salt/pillars` files.
That caused all the nodes to be using cri-o. The following code enforces
'docker' to be used for all the nodes with a certain role (eg: the admin and
the ca ones).
feature#crio
Signed-off-by: Flavio Castelli
Commit 72e93b8 by Flavio Castelli fcastelliAATTsuse.com
Full support of cri-o
Allow to deploy new SUSE CaaS Platform clusters using cri-o as a container
runtime instead of docker.
The cluster will keep using docker on the admin node, while all the other
nodes are going to use cri-o.
It's not possible to have mixed environments, all nodes have to use the same
container runtime.
The CRI can be chosen by setting the value of the `cri:name` pillar, which is
defined inside of the `pillar/cri.sls` file. By default `docker` is being
used.
feature#crio
Signed-off-by: Flavio Castelli
Commit 8bc9d1b by Flavio Castelli fcastelliAATTsuse.com
Remove e2e image puller manifest
This is no longer used.
Commit e4b586a by Alvaro Saurin alvaro.saurinAATTgmail.com
Added support for the CRIO containers runtime

Wed Apr 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 902cc67 by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure salt master and api configs are complete
This moves the external_auth section over to 50-master.conf, as this is
needed by the salt-master process, and duplicates `user: root` from
50-master.conf to 50-api.conf - which allows salt-api to start and function
without it reading 50-master.conf

Wed Apr 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 24835c2 by Alvaro Saurin alvaro.saurinAATTgmail.com
Fix: always remove the "we-are-removing-a-node" cluster-wide grain. Make sure
we flush the mine (for the target) after removing the target's key.
feature#node_removal

Wed Apr 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 9d782ee by Michal Jura mjuraAATTsuse.com
Add cinder volume type to cluster user policy, bsc#1089863

Wed Apr 18 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 32b868a by Rafael Fernández López ereslibreAATTereslibre.es
Remove unneeded variables
feature#code-cleanup

Tue Apr 17 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 2355abd by Rafael Fernández López ereslibreAATTereslibre.es
Add force removal orchestration
This orchestration will try to unregister a node on a best-effort basis, and
is considered to always succeed.
feature#force-node-removal

Tue Apr 17 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 009516d by Federico Ceratto federico.cerattoAATTsuse.de
Lowercase hostnames
bsc#1087115

Mon Apr 16 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 5e89e09 by Thorsten Kukuk kukukAATTthkukuk.de
Add pyroute2 and etcd python modules as Requires (moved from patterns)
Commit 026ea39 by Thorsten Kukuk kukukAATTthkukuk.de
Use python3 for post SLE12 and kubic as image name for Factory

Fri Apr 13 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 236835f by Alvaro Saurin alvaro.saurinAATTgmail.com
Code cleanup: use `caasp_grains.get` instead of a local version.
feature#code_cleanup

Fri Apr 13 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0e7d745 by Alvaro Saurin alvaro.saurinAATTgmail.com
Configure taints/labels on the replacement node Fix typo
feature#node_removal

Fri Apr 13 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 69d271d by Rafael Fernández López ereslibreAATTereslibre.es
Remove unneeded includes `ca-cert` and `cert` for `velum/init.sls` and
`ldap/init.sls`
feature#deployment-stability

Fri Apr 13 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1de5846 by Kiall Mac Innes kiallAATTmacinnes.ie
Add PodSecurityPolicy Support
Add support for PodSecurityPolicies, allowing us to disable use of the
hostPath volume type.
This change adds 2 PSPs:

* unprivileged (Default assigned to all users)
The unprivileged PodSecurityPolicy is intended to be a reasonable compromise
between the reality of Kubernetes workloads, and suse:caasp:psp:privileged.
By default, we'll grant this PSP to all users and service accounts.

* privileged
The privileged PodSecurityPolicy is intended to be given only to trusted
workloads. It provides for as few restrictions as possible and should only be
assigned to highly trusted users.
Fixes bsc#1047535

Wed Apr 11 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 489cbef by Alvaro Saurin alvaro.saurinAATTgmail.com
Fix race condition on update-etc-hosts
fix#update-etc-hosts

Tue Apr 10 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0ef0581 by Alvaro Saurin alvaro.saurinAATTgmail.com

* Do some code cleanups in caasp_etcd.py by using
the same logic for getting etcd replacements as
for getting additional etcd servers when bootstrapping.

* Move most of the removal logic to a caasp_nodes.py
Python module, as Jinja is not a proper language...

* Add the corresponding unit tests for this new
Python code.

* Do not be so strict when finding a replacement: if
the replacement is not valid for a k8s master, do not
make it unsuitable for etcd too.

* Use some basic k8s master replacement finder.

* Try to use some common logging functions

* Refactor out the grains.get code to a new
caasp_grains.py module (as it is shared by several
custom modules)
See https://trello.com/c/O7daOErL
feature#node_removal

Tue Apr 10 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit c189bca by Alvaro Saurin alvaro.saurinAATTgmail.com
Try to resist to transient node failures on updates
See https://trello.com/c/irviWd1m
feature#update_on_node_failures

Mon Apr 9 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit caa100b by Alvaro Saurin alvaro.saurinAATTgmail.com
Change the meaning of some grains:

* removal_in_progress -> node_removal_in_progress (only for
the node that is being removed)

* addition_in_progress -> node_addition_in_progress (only for
the node that is being added)

* removal_in_progress: cluster-wide grain for marking that a
removal is being done. This should avoid conflicts with the etc-hosts-update
orchestration...
https://bugzilla.suse.com/show_bug.cgi?id=1087108
bsc#1087108

Fri Apr 6 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3a529ab by Alvaro Saurin alvaro.saurinAATTgmail.com
Reject keys of removed nodes instead of just deleting them.
https://bugzilla.suse.com/show_bug.cgi?id=1087062
bsc#1087062

Thu Apr 5 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit ae4018a by Rafael Fernández López ereslibreAATTereslibre.es
Force drain when trying to drain a node
When trying to drain a node we can get an error if the kubelet is running a
pod created by local manifests (manifests living in the local filesystem):
```
caasp-admin:~ # kubectl drain --ignore-daemonsets caasp-worker-1
node "caasp-worker-1" cordoned
error: unable to drain node "caasp-worker-1", aborting command...
There are pending nodes to be drained:
caasp-worker-1
error: pods not managed by ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet (use --force to override): haproxy-caasp-worker-1
```
As opposed to:
```
caasp-admin:~ # kubectl drain --force --ignore-daemonsets caasp-worker-1
node "caasp-worker-1" already cordoned
WARNING: Deleting pods not managed by ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet: haproxy-caasp-worker-1; Ignoring DaemonSet-managed pods: kube-flannel-vklfc
node "caasp-worker-1" drained
```
Related: bsc#1085980

Tue Apr 3 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit c7ee6be by Rafael Fernández López ereslibreAATTereslibre.es
Wait for deployments during the orchestration time.
Additionally to other checks, we should also consider the orchestration done
once that the expected pods are running.
feature#deployment-stability

Tue Mar 27 14:00:00 2018 containers-bugownerAATTsuse.de
- Commit 043a686 by Kiall Mac Innes kiallAATTmacinnes.ie
Extend certificates to one year lifespan
100 days is a very short lifespan, let's bump this to one year - a much more
common value for certificate lifetime.
Related to bsc#1082722

Thu Mar 22 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0901ff0 by Kiall Mac Innes kiallAATTmacinnes.ie
Increase Kube-DNS replicas to 3
Having only a single Kube-DNS replica means that, during upgrades or other
failure scenarios, Kube-DNS will not be functional. A value of 3 matches what
we use for Dex.
Commit 2c42773 by Kiall Mac Innes kiallAATTmacinnes.ie
Dex should not have cluster-admin
Dex does not require cluster admin access. Instead, it should use a new role
defined with just the permissions Dex requires.
Commit 38e654d by Kiall Mac Innes kiallAATTmacinnes.ie
Kube-DNS should not have cluster-admin
Kubernetes DNS service does not require cluster admin access. Instead, it
should use the built-in system:kube-dns role.
Commit 9dec359 by Kiall Mac Innes kiallAATTmacinnes.ie
Remove duplicated Dex ClusterRoleBinding
The ClusterRoleBindings for Dex were duplicated - this removes the extra
copy.
Commit 0aebc0d by Kiall Mac Innes kiallAATTmacinnes.ie
Match addons/{dns,tiller} patterns to addons/dex
This pattern is cleaner, and lets Kubernetes do more of the hard work related
to applying and updating manifests changes. This will be further extended to
CNI/flannel soon.

Thu Mar 22 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3b3f0ae by Rafael Fernández López ereslibreAATTereslibre.es
Refresh modules before we call to any `sls`, they might use undiscovered
modules
Commit 8b49308 by Rafael Fernández López ereslibreAATTereslibre.es
When we explicitly run `haproxy` sls in the update, run `etc-hosts` too.
During a rename, it might happen that `haproxy` refuses to start because it
cannot resolve the new names `nodename.infra.caasp.local` in the
configuration because its `/etc/hosts` file hasn't been updated yet.

Wed Mar 21 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0926982 by Kiall Mac Innes kiallAATTmacinnes.ie
Add flannel readiness/liveness probe
This makes sure flannel has at least reached the point where it starts the
healthz API endpoint. However, that point in the flannel code is *very* early
and not all that useful for actual health checking. Additionally, as long as
the HTTP goroutine is running, healthz will *always* respond with a 200. It
performs no actual health checking.
Even still, let's include the probe. If flannel gets better health checking,
it will be enabled for us; on the other hand, if flannel doesn't get better
health checking, it's still *very slightly* useful to know that flannel has
at least reached this point in its code.

Wed Mar 21 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 4259116 by Rafael Fernández López ereslibreAATTereslibre.es
Wait for dex on the admin node before calling the orchestration done
When we finish the orchestration all bits and pieces should be working as
expected. Wait for the haproxy on the admin node to be correctly pointing to
dex before finishing the orchestration.

Wed Mar 21 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 113a807 by Rafael Fernández López ereslibreAATTereslibre.es
If no replacement provided do not ask for nonexistent states.
If no replacement is provided, `sync-all` was trying to refer to states that
didn't exist because those states also were wrapped with a `replacement`
guard.
Commit f6d8787 by Rafael Fernández López ereslibreAATTereslibre.es
Always set `replacement_provided` variable
Salt was complaining that this variable didn't exist in the `orch.removal`
orchestration when removing a master when no replacement was provided.

Fri Mar 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 30b9ae5 by Kiall Mac Innes kiallAATTmacinnes.ie
Dex: Delay liveness probe in addition to readiness probe
Delay the liveness probe by 30 seconds, matching the readiness probe.

Fri Mar 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 753978f by Rafael Fernández López ereslibreAATTereslibre.es
Use complete host references on haproxy configuration
This avoids an incompatibility on the admin node in which if the external
fqdn field matched any of the master nodes host, haproxy would be checking
127.0.0.1:6444 for the apiserver for healthchecks.
Now, we are using the internal infra domain suffix so we are sure we are
referring to the real /etc/hosts entry with the ip address of the target
machines.

Fri Mar 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 9f06d7d by Rafael Fernández López ereslibreAATTereslibre.es
PCRE grain expressions only allow the regexp on the value side.
Fix PCRE grain query expressions so they are matching what we expect.
```
caasp-admin:~ # docker exec -it 06bf salt -P 'bootstrap_complete:.*' cmd.run hostname
admin:
    caasp-admin
6b5cb85d20f94f6eb813449b228cfe13:
    caasp-worker-1
4c0e4d31bc754369940ffcbae28e2f0a:
    caasp-worker-0
cb92123fa85d4170807e0aa24573501b:
    caasp-master-0
66d5844bc5f14d1480896b1bc234dd92:
    caasp-master-1
3f3f505c6eb3464e8a08cc0ae6fbc8f4:
    caasp-master-2
caasp-admin:~ # docker exec -it 06bf salt -P 'bootstrap_.*:true' cmd.run hostname
No minions matched the target. No command was sent, no jid was assigned.
ERROR: No return received
```

Thu Mar 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit afc91fe by Kiall Mac Innes kiallAATTmacinnes.ie
Wipe out our /etc/hosts changes before reboot
This ensures the systemd/wicked logic is unaffected by our /etc/hosts
changes.

Wed Mar 14 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 292b025 by Kiall Mac Innes kiallAATTmacinnes.ie
Rename salt/dex -> salt/addons/dex
Fundamentally, there is no difference between how dex is deployed and managed
vs how kube-dns or tiller is deployed and managed. Let's treat them the same.

Wed Mar 14 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit e77e865 by Alvaro Saurin alvaro.saurinAATTgmail.com
Node removal constraint: we must have at least one k8s minion
https://trello.com/c/O7daOErL

Tue Mar 13 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 83ae5d3 by Kiall Mac Innes kiallAATTmacinnes.ie
Add liveness/readiness probes to Dex deployment
This will ensure Kubernetes waits for the pods to become ready before
starting to send them traffic, which should in turn prevent the orchestration
proceeding and bootstrap completing until we have at least one working Dex
pod
Fixes bsc#1062542

Mon Mar 12 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0ebaf16 by Maximilian Meister mmeisterAATTsuse.de
cmd has moved to its own state for the proxy config
require the pkg instead to make sure that the docker requisite is met
Signed-off-by: Maximilian Meister

Fri Mar 9 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1427b2f by Rafael Fernández López ereslibreAATTereslibre.es
When populating the cache, don't fail if this fails for some reason.
There's a race condition in which the cache directory does not exist, but
when tried to be created it has already been created by something else, and
an exception is raised, stopping the execution.
When populating the cache, we don't really care if it was correctly populated
or not in that *specific* call, so move on.
Fixes: bsc#1084441

Fri Mar 9 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit d0ce17c by Rafael Fernández López ereslibreAATTereslibre.es
Run the highstate on the admin after `sync_all` has been called.
The admin node might use features not yet discovered, make sure we run
`sync_all` before we enforce a `highstate` on the admin node too.

Tue Mar 6 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit d68ff78 by Rafael Fernández López ereslibreAATTereslibre.es
Remove the TODO message for using the standard `/opt/cni/bin`.
Internal constraints won't allow us to use `/opt`, so we'll stick to
`/var/lib/kubelet/cni/bin`.

Mon Mar 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit f129021 by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure external_fqdn is not rendered to /etc/hosts if it's an IP

Mon Mar 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 7464fda by Rafael Fernández López ereslibreAATTereslibre.es
Update `etcd` certificates before updating any machine
We need to include the new SAN on all the certificates before restarting the
first machine. Otherwise, this machine (a master) can find itself isolated
without being able to contact any etcd member with the name it has (as the
rest of the nodes haven't updated their certificates yet to also include the
new name on the SAN).

Mon Mar 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 453260e by Kiall Mac Innes kiallAATTmacinnes.ie
Add a suse:caasp:tiller-user ClusterRole
This role represents the minimum RBAC requirements needed to make use of
Helm's Tiller service.

Mon Mar 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 4746436 by Rafael Fernández López ereslibreAATTereslibre.es
Make kubelet rename migration idempotent.
If the new name already exists, also do nothing. A faulty update could make
this script fail over and over again because of its `set -e` and the `kubectl
create -f` command failing as the new node name already exists.

Fri Mar 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit d0dd517 by Michal Jura mjuraAATTsuse.com
Add port number to flannel configuration template, bsc#1080608

Fri Mar 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit f0923d0 by Michal Jura mjuraAATTsuse.com
Cleaning nodes after removing them from CaaSP cluster
(cherry picked from commit 3423788fdb4e14c98b46666cae5b01e9018f5692)

Thu Mar 1 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3f8a699 by Kiall Mac Innes kiallAATTmacinnes.ie
Add exit handler to kubelet/update-pre-orchestration.sh

Thu Mar 1 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 94971ed by Rafael Fernández López ereslibreAATTereslibre.es
Do not produce empty `require` list.
Make sure the require has at least the latest element that is always present.

Thu Mar 1 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 5d32a43 by Michal Jura mjuraAATTsuse.com
Add external API fqdn to /etc/hosts for Admin node, bsc#1080608

Wed Feb 28 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 07aada2 by Rafael Fernández López ereslibreAATTereslibre.es
Only remove the `kubelet:should_uncordon` grain when we actually uncordon the
node.
As part of the update process, we are cordoning the nodes, so they don't get
new jobs when we are planning to reboot them. If an update fails for whatever
reason, it might happen that we didn't uncordon the node, but removed the
`kubelet:should_uncordon` grain. This would cause subsequent retries to
never uncordon the worker node again, because without this grain we'll
think that this node was cordoned by the user and will not take any action.

Wed Feb 28 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 49a98ec by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure default labels and annotations are copied when renaming a node
This copies the default labels and annotations from the "old" minion-id based
node to the new hostname based node.
Fixes bsc#1083113

Tue Feb 27 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit cf52552 by Kiall Mac Innes kiallAATTmacinnes.ie
Update addon tolerations to allow execution on masters
Update all addons, dex, kube-dns, etc to tolerate running on the tainted
master nodes.
Commit 3589595 by Kiall Mac Innes kiallAATTmacinnes.ie
Taint and Label Masters
Masters should be tainted and labelled as masters, rather than setting these
nodes as unschedulable.

Tue Feb 27 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1b37294 by Kiall Mac Innes kiallAATTmacinnes.ie
Don't allow docker restart/kill failures to fail the orch
This avoids a race condition between docker ps and docker kill/restart.

Tue Feb 27 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit a2a9756 by Rafael Fernández López ereslibreAATTereslibre.es
Relax dex deployment anti-affinity.
This can't be met on a cluster of n+2 size (n masters, 2 workers), as we are
creating a deployment of 3.
Let's relax the scheduling from required to preferred.

Mon Feb 26 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0ae2ecf by Kiall Mac Innes kiallAATTmacinnes.ie
Remove unnecessary check from rebootmgr state
DevEnv no longer runs this way, so the check was doing nothing of value.

Mon Feb 26 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 940766a by Kiall Mac Innes kiallAATTmacinnes.ie
Restart instead of reload container-feeder
container-feeder is a oneshot service, where reload makes no sense and is
unsupported. If this triggers, we ended up getting:
salt-minion[2454]: [ERROR ] Command '['systemd-run', '--scope', 'systemctl', 'reload', 'container-feeder.service']' failed with return code: 3
salt-minion[2454]: Failed to reload container-feeder.service: Job type reload is not applicable for unit container-feeder.service.

Thu Feb 22 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 4667ecd by Maximilian Meister mmeisterAATTsuse.de
also add ldap to etc-hosts to make sure it's persisted
Signed-off-by: Maximilian Meister
Commit 6429d6f by Maximilian Meister mmeisterAATTsuse.de
add ldap.infra.caasp.local to the certificate
feature#net-ldap-cert
Signed-off-by: Maximilian Meister

Wed Feb 21 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0bca62e by Alvaro Saurin alvaro.saurinAATTgmail.com
A very basic README on the file naming conventions

Fri Feb 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit f29c60a by Kiall Mac Innes kiallAATTmacinnes.ie
Comment out worker_threads salt setting
With the recent kernel update in our SLE SP3 snapshot, meltdown and spectre
mitigations have been brought in. As it stands, salt with 20 workers performs
very slowly under this configuration.
Commenting out the workers config value is a temporary fix to allow CI to
continue to pass.

Fri Feb 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 7b4d85e by Kiall Mac Innes kiallAATTmacinnes.ie
Velum Dash and API both attempt to bind to the same port
It's not possible to reliably bind to 0.0.0.0:443 for one service, and
127.0.0.1:443 for another service.
As such, we'll move velum-api over to 127.0.0.1:444

Fri Feb 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 355546f by Kiall Mac Innes kiallAATTmacinnes.ie
Add some additional logging to velum pillar module
Add some logging to the Velum pillar module so we can see when it gets
loaded by salt, and when it gets called by salt.

Thu Feb 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 12e977b by Kiall Mac Innes kiallAATTmacinnes.ie
Increase haproxy timeouts from 50sec, to 120sec
Some components have a 60 second timeout for salt request timeouts, e.g. the
salt-api server which is called by Velum. Increase this timeout to double
their timeouts to allow the real failures to be disclosed.
We'll likely want to rework how timeouts are handled soon across all our
components.

Thu Feb 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit f55acf6 by Kiall Mac Innes kiallAATTmacinnes.ie
Salt-API should log requests and timestamps
Currently, salt-api logs nothing post-startup except for failures. This is
far from ideal when debugging, so we increase the level from warning to info,
and prefix log lines with timestamps.

Thu Feb 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1706196 by Michal Jura mjuraAATTsuse.com
Add python-pyOpenSSL requires for salt x509.crl_managed module

Tue Feb 13 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit d8bc095 by Rafael Fernández López ereslibreAATTereslibre.es
When executing a highstate of `apiserver` make sure that we check the local
`apiserver` instance
When executing the highstate make sure the `apiserver` we are checking is the
local one, not *any* master through haproxy.
Make haproxy more reliable.
- Let it redispatch requests.
- Really restart the service when the config changes.
- Apply configuration before highstates with a small batch, so we control the
restarts.
- When the admin node\'s haproxy is restarted, wait for it to be back before
going on.
Wait for the apiserver to be up and responding behind HAProxy
Fixes: bsc#1079460

Mon Feb 12 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3f6c945 by Alvaro Saurin alvaro.saurinAATTgmail.com
Remove the etcd discovery mechanism. Mark all the etcd members of the cluster
with the 'etcd' role before doing the update

Mon Feb 12 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit cbc22fb by Alvaro Saurin alvaro.saurinAATTgmail.com
Make sure we do not crash on pillars that are not properly formatted.

Mon Feb 12 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit c194707 by Alvaro Saurin alvaro.saurinAATTgmail.com
Remove the etcd discovery mechanism. Mark all the etcd members of the cluster
with the 'etcd' role before doing the update

Mon Feb 12 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit d85fb55 by Kiall Mac Innes kiallAATTmacinnes.ie
Move haproxy config to /etc/caasp/haproxy
This avoids a conflict between the caasp-container-manifests package, and the
haproxy package.

Thu Feb 8 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 37fccd3 by Flavio Castelli fcastelliAATTsuse.com
Dex pods: introduce anti-affinity rule
Our dex deployment creates 3 pods running the dex service. There are really
high chances (or even certainty in the case of clusters made by 1 or 2 worker
nodes) that all the dex pods end up running on the same node.
This is bad from a HA perspective, plus we end up taking away resources from
small clusters.
With the following change we enforce the kubernetes scheduler to always
spread the dex pods over different nodes.
On small clusters (1 or 2 nodes) the deployment will be running with a lower
number of replicas until new nodes are added. This doesn't cause our
orchestration to fail.
Adding new nodes at a later stage will allow the deployment to reach the
desired replica size without any intervention from us or the user.
Signed-off-by: Flavio Castelli

Thu Feb 8 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit b578f87 by Kiall Mac Innes kiallAATTmacinnes.ie
Dex: Avoid using the external_fqdn to reach dex
In some environments, the external_fqdn is unreachable from inside the
cluster - avoid using it where possible.

Wed Feb 7 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6a11de3 by Kiall Mac Innes kiallAATTmacinnes.ie
Use separate Dex clients for each actual client
Previously Velum, CaaSP CLI, and Kubernetes all shared a single Dex client.
From a security perspective, this was far from ideal.
Update Dex with 3 clients, one for each actual client. Both the Velum and
CaaSP CLI clients are allowed to issue tokens for the Kubernetes client.

Wed Feb 7 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 3d63b18 by Joachim Gleissner jgleissnerAATTsuse.com
Add pillar root for public cloud specific config

Tue Feb 6 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit e23fb43 by Flavio Castelli fcastelliAATTsuse.com
Mark the haproxy as critical pod
Flag the haproxy pods providing connectivity to the API server as critical
ones.
This should force kubelet and the scheduler to never ever get rid of them. If
these pods are killed to make more space for other ones, the node would not
be able to talk with the API server making it useless.
More details inside upstream doc:
https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
Signed-off-by: Flavio Castelli

Mon Feb 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 21d9ab7 by Jordi Massaguer Pla jmassaguerplaAATTsuse.de
[packaging] Replace | by # in sed expression
as % is reserved for rpm macros
Signed-off-by: Jordi Massaguer Pla

Mon Feb 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 0126b32 by Kiall Mac Innes kiallAATTmacinnes.ie
Namespace the roles and cluster roles we create
When we create a role, rolebinding etc, we should namespace the names in
order to make it obvious these are deployed as part of CaaSP, as well as to
help ensure these are obviously part of CaaSP, not a stock part of
Kubernetes.
I've gone with a "suse:caasp:" prefix, which matches the "system:" prefix for
built-in roles/rolebindings/etc.

Mon Feb 5 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 40731ca by Flavio Castelli fcastelliAATTsuse.com
Update our manifests to reflect kubernetes 1.8 changes

* rbac has been promoted to stable
* deployment is now v1beta2
* daemonset is now v1beta2
Signed-off-by: Flavio Castelli

Fri Feb 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 9ecb201 by Kiall Mac Innes kiallAATTmacinnes.ie
Remove old mis-named tiller deployment
Commit a66edac by Nikhil Manchanda SlickNikAATTgmail.com
helm should detect salt-installed tiller service
The helm client looks for a tiller deployment called 'tiller-deploy' to
establish if tiller is already installed in the cluster, or not. Update our
salt install of tiller to use a deployment with the same name so that it will
be recognized by the helm client as already being installed.
Fixes: bsc#1066201

Fri Feb 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 5b2893d by Alvaro Saurin alvaro.saurinAATTgmail.com
Do not try to remove some flannel file that cannot be removed, and remove
some other instead

Fri Feb 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit cb27ba1 by Kiall Mac Innes kiallAATTmacinnes.ie
Update flannel image tag to match flannel version

Fri Feb 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 2eb40f1 by Jordi Massaguer Pla jmassaguerplaAATTsuse.de
replace sle12 for tumbleweed if the package is building in tumbleweed

Fri Feb 2 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 37e99c4 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use the same code convention for ids in the orchestration as all the other
ids. Cleanup some files when updating CNI.

Thu Feb 1 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit cf53150 by Kiall Mac Innes kiallAATTmacinnes.ie
No longer use machine-ids as node names
With CaaSP 3.0, we're introducing a requirement for machines to have
valid+unique hostnames in order to allow for the K8S CPIs to function
correctly.
This means our generated hostname is no longer needed, as our environment
requirements force operators to provision servers with unique hostnames.

Thu Feb 1 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 4ba7007 by Kiall Mac Innes kiallAATTmacinnes.ie
Update dex binary name to caasp-dex

Wed Jan 31 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 18743e6 by Kiall Mac Innes kiallAATTmacinnes.ie
Fix breakage introduced by docker update

* Docker will no longer accept a `docker cp` over /etc/hosts
* Fix docker package name

Wed Jan 31 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 8b84809 by Flavio Castelli fcastelliAATTsuse.com
Remove contrib directory
We don't need these files.
Signed-off-by: Flavio Castelli

Thu Jan 25 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit dfd3b8a by Alvaro Saurin alvaro.saurinAATTgmail.com
Replace the _macros/net by a Python module, so we can get rid of the Jinja
limitations (especially when returning lists). Add a logging module (until we
use a Salt version that includes it).

Thu Jan 25 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit b6105b1 by Rafael Fernández López ereslibreAATTereslibre.es
Early mark nodes requiring update reboot as update in progress.
This will allow us to reduce the timeframe in which the update-etc-hosts
orchestration can pop up, eventually running states on minions effectively
taking their lock and making this orchestration fail. We don't want the
update-etc-hosts orchestration to interfere with the main update
orchestration.
We'll release minion per minion grain when they are done, but let's block all
of them at the very beginning.
Fixes: bsc#1077086

Wed Jan 24 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 6fdc440 by Rafael Fernández López ereslibreAATTereslibre.es
Retry certificate generation
This will make the certificate request to the CA more resilient to transient
errors, in case of overload or any other reasons that make the CA slow when
creating new requested certificates.
Fixes: bsc#1070989

Wed Jan 24 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit f19fbd4 by Rafael Fernández López ereslibreAATTereslibre.es
Do not remove flannel interface when updating 3.x
Between minor updates on 3.x we can get a bad timing when removing the
flannel.1 interface as the DaemonSet will start right after the worker
reboot, and we could remove the interface when flannel thinks it exists and
it goes to add arp entries to it, leading to a failure and to an invalid
kubernetes networking status.

Fri Jan 19 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit d3a3bed by Nikhil Manchanda SlickNikAATTgmail.com
Update salt to use 2.7.2 version of tiller
Update the salt template for the tiller deployment to install the
sles12/tiller:2.7.2 container image which is the latest version for this
image.

Wed Jan 17 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 9e358bb by Federico Ceratto federico.cerattoAATTsuse.de
Add swap disabling

Tue Jan 16 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 02fa131 by Maximilian Meister mmeisterAATTsuse.de
Configure docker via config file, not args docker can be configured via
/etc/docker/daemon.json
registries can be configured there too, but need to be in their own dedicated
pillar as we need to map certificates to the registry names
Signed-off-by: Maximilian Meister

Mon Jan 15 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 73189f3 by Rafael Fernández López ereslibreAATTereslibre.es
Fix version to 3.0.0+dev

Thu Jan 11 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 1215ced by Rafael Fernández López ereslibreAATTereslibre.es
Migrate CNI metadata on workers before doing anything else
This does not give any chance for kubelets to try to request a new `podCIDR`.
Also, fix node patching of the CNI migration
Before restarting the master with the new configuration we migrate the
workers to their expected `podCIDR` values, then we start with the general
update procedure: masters first, then workers.

Thu Jan 11 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit f5e1dd3 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use a batch size for etcd setup equal to the number of etcd masters
(bsc#1066695) Minor cleanups and a fix for a case where caasp_etcd.py could
return 0.

Thu Jan 11 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit b8bff11 by Kiall Mac Innes kiallAATTmacinnes.ie
Remove discovered IP addresses from certs
As the discovered IP addresses are not static, that we don't maintain that
the certs are updated+services are reloaded upon cert change, that we're
including all IPs - even 127.0.0.1 - in this list, and that we don't make use
of any of these SANs, we should remove them.

Tue Jan 9 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 94e697f by Rafael Fernández López ereslibreAATTereslibre.es
Only uncordon nodes that were cordoned because of our own processes
Fix kubelet highstate to uncordon the node only if we did cordon it by one of
our processes (like an update).
Without this patch, adding new nodes or performing an update would uncordon
all nodes unconditionally, without taking into account if a user had a node
cordoned for some reason (e.g. hardware failures or other reasons). Do not
uncordon those nodes, keep them cordoned.
Fixes: bsc#1050017

Mon Jan 8 13:00:00 2018 containers-bugownerAATTsuse.de
- Commit 208a0da by Alvaro Saurin alvaro.saurinAATTgmail.com
Let flannel calculate the Max and Min subnet from other parameters we are
providing. More documentation on the flannel configuration.

Fri Dec 22 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit cc2aae4 by Rafael Fernández López ereslibreAATTereslibre.es
Do not check if we need to uncordon this node depending on its state.
The `onlyif` section can fail its check (without retrial opportunity), making
the whole uncordon process to abort, when we really want to uncordon a node.
In the future, we need to keep track of cordoned nodes by the update so we
only uncordon those, leaving cordoned the nodes that were cordoned by the
user.
In any case, for this issue, `kubectl` will be smart enough:
- For a cordoned node, uncordoning:
```
~ KUBECONFIG=~/Downloads/kubeconfig kubectl uncordon 7a4f4985eaed4f519e27900ece559b8e.infra.caasp.local
node "7a4f4985eaed4f519e27900ece559b8e.infra.caasp.local" uncordoned
~ echo $?
0
```
- For an uncordoned node, uncordoning again:
```
~ KUBECONFIG=~/Downloads/kubeconfig kubectl uncordon 7a4f4985eaed4f519e27900ece559b8e.infra.caasp.local
node "7a4f4985eaed4f519e27900ece559b8e.infra.caasp.local" already uncordoned
~ echo $?
0
```
We know we want to uncordon the node, let's do that directly, and it will
just succeed in any case (unless the process of uncordoning fails for some
reason, and in that case we have the `retries` in place).
Fixes: bsc#1073919 Fixes: #336

Fri Dec 22 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 628ba55 by Alvaro Saurin alvaro.saurinAATTgmail.com
Explicitly pass the kubeconfig file to kubectl

Thu Dec 21 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3c64b88 by Rafael Fernández López ereslibreAATTereslibre.es
Add beacon to notify network changes only on the default network interface
Fixes: bsc#1063709

Mon Dec 18 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 1863c06 by Rafael Fernández López ereslibreAATTereslibre.es
Bump dex version

Tue Dec 12 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 8fb3e79 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use a sanitized version of pillar.get

Wed Nov 29 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit c91add1 by Kiall Mac Innes kiallAATTmacinnes.ie
Remove empty state from etc-hosts orch
The final state in the etc-hosts orch was not actually calling anything, and
hasn't been for quite a while. Let's remove it, so that the error it logs can
finally be gone!

Wed Nov 29 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit fd431b6 by Alvaro Saurin alvaro.saurinAATTgmail.com
Run some things in only one master instead of in all the masters in the
cluster.

Wed Nov 29 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 20070dc by Alvaro Saurin alvaro.saurinAATTgmail.com
In the certs macros, do not assume "names" are always names and "ips" are
always IPs: just filter with the "is_ip" filter. Minor shortcuts in the
arguments.
Fixes: bsc#1069205

Tue Nov 28 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit af1428a by Rafael Fernández López ereslibreAATTereslibre.es
Never write `None` if we get `null` on the pillar override
Instead, we write an empty string, because we don't intend to write
`None` on the configuration file.

Tue Nov 28 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 4ed69ee by Kiall Mac Innes kiallAATTmacinnes.ie
Support IPs as Kube external FQDN in /etc/hosts
Currently, we assumed external names were FQDNs. When an IP was used instead,
we would generate an incorrect /etc/hosts.
bsc#1070154

Mon Nov 27 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 73a9fd3 by Rafael Fernández López ereslibreAATTereslibre.es
Preserve haproxy configurations for Velum

* Handle `haproxy` configuration.
* Generate `pem` certificates, that include the certificate and private key.
* Remove `velum` container restart.

Mon Nov 27 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 182c840 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use some Jinja macros for getting the default interface's IP. (bsc#1058079)
Get rid of our custom grain.

Mon Nov 27 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit f215a10 by Rafael Fernández López ereslibreAATTereslibre.es
Include `Internal Dashboard FQDN/IP` value in the LDAP certificate
Since Dex will connect to LDAP using this FQDN/IP, make sure that the TLS
handshake will succeed by regenerating the certificate early in the
orchestration, so it includes this FQDN/IP in the SAN extensions of the LDAP
certificate.
Fixes: bsc#1069175

Thu Nov 23 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit ef4bd9b by Rafael Fernández López ereslibreAATTereslibre.es
Sync _pillar modules only.
We want to sync the pillars on the master first.

Tue Nov 21 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 072a014 by Rafael Fernández López ereslibreAATTereslibre.es
Introduce Velum pillar

* Use Velum pillar that serves json content
* Cache the result if it differs from what we got
* Serve the cached result if a connection problem happens
Fixes: bsc#1069145

Mon Nov 20 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3af7f41 by Maximilian Meister mmeisterAATTsuse.de
only set service entries for localhost on kube-master
also explain in a comment why we need to set the apiserver for 127.0.0.1 on
all hosts
(bsc#1067219)
Signed-off-by: Maximilian Meister

Fri Nov 10 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit f74c756 by Rafael Fernández López ereslibreAATTereslibre.es
Disable container-feeder before rebooting.
This will allow us to control when container-feeder starts to load new images
from the filesystem. Due to some possible docker configuration changes it
might be restarted while container-feeder is working (if we keep it enabled).
Force to disable the service before rebooting.
Fixes: bsc#1066653

Fri Nov 10 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit ebd1907 by Rafael Fernández López ereslibreAATTereslibre.es
Generate sa key in the update orchestration
This is the safest path, but a refactor should come to make this part of the
ca highstate so the update and the kubernetes orchestrations just force the
ca highstate on both cases.
Related: bsc#1066653

Thu Nov 9 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit bc29cc9 by Kiall Mac Innes kiallAATTmacinnes.ie
Removed unused flannel iface grain
This is a followup to 129e927

Fri Nov 3 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit ce396af by Alvaro Saurin alvaro.saurinAATTgmail.com
Replace some other certificates by Jinja templates

Fri Nov 3 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 771634b by Alvaro Saurin alvaro.saurinAATTgmail.com
Reorganize the addons in a subdirectory per addon Use some Jinja macros for
running kubectl with retries, the kubectl path and the right dependencies

Mon Oct 30 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit a5fef22 by Flavio Castelli fcastelliAATTsuse.com
Retry all iptables states
Retry all iptables states to prevent failures like seen with bsc#1064186.
Signed-off-by: Flavio Castelli
Commit 2646dc4 by Flavio Castelli fcastelliAATTsuse.com
Introduce caasp_retriable
Provide a generic way to retry any kind of salt state.
Signed-off-by: Flavio Castelli

Mon Oct 30 13:00:00 2017 containers-bugownerAATTsuse.de
- Commit 2974490 by Alvaro Saurin alvaro.saurinAATTgmail.com
Increase worker threads and backlog length (bsc#1065018)

Fri Oct 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit d78fe5d by Alvaro Saurin alvaro.saurinAATTgmail.com
New 'retry[until]' argument for caasp_cmd.run. Use an unless/onlyif and
retry[until] for skipping some executions and not using some nasty loops

Thu Oct 26 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e869357 by Alvaro Saurin alvaro.saurinAATTgmail.com
Wait for etcd before trying to set anything, or just retry if etcd is not
responding

Wed Oct 25 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e8d8612 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use http.wait_for_successful_query instead of looping with curl

Wed Oct 25 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 98c214f by Alvaro Saurin alvaro.saurinAATTgmail.com
Minor: rename k8s_etcd to caasp_etcd (following the implicit code
conventions)

Tue Oct 24 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7e88148 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use some Jinja macros for generating certificates

Tue Oct 24 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 9dedba0 by Michal Jura mjuraAATTsuse.com
Fix whitespaces striping in Kubernetes api jinja template

Tue Oct 24 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 129e927 by Alvaro Saurin alvaro.saurinAATTgmail.com
Use the default network interface instead of the hardcoded 'eth0'
(bsc#1058079)

Tue Oct 24 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit a2f0485 by Rafael Fernández López ereslibreAATTereslibre.es
Add `caasp_cmd` state module featuring `run` with retry feature
This state module will provide `run` state with `retry` option that accepts
`attempts` and `interval` arguments. This allows us to retry a command if it
failed, and retry to this maximum number of retries, sleeping between
retries.

Fri Oct 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit ef91829 by Michal Jura mjuraAATTsuse.com
Add comment message about keeping update /etc/hosts in velum container
See https://github.com/kubic-project/salt/pull/265#issuecomment-337256898

Fri Oct 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 51f2da2 by Kiall Mac Innes kiallAATTmacinnes.ie
Correctly handle FQDN `dashboard` values in Velum cert
Ensure we correctly handle FQDN values for the `dashboard` pillar when
generating the Velum TLS certificate.
Fixes bsc#1064284

Fri Oct 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 21ec9f3 by Rafael Fernández López ereslibreAATTereslibre.es
Remove outdated comment and improve it.

Thu Oct 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 0d3cdfe by Flavio Castelli fcastelliAATTsuse.com
Add help message to etc/sysconfig/etcdctl
Quick tip about how to source the variables defined inside of the file to
quickly have etcdctl work.
Signed-off-by: Flavio Castelli

Wed Oct 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 863cc73 by Kiall Mac Innes kiallAATTmacinnes.ie
Manage the Velum TLS cert
This ensures that the dashboard_external_fqdn is registered within the velum
TLS certificate.
bsc#1063998

Tue Oct 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 061c968 by Michal Jura mjuraAATTsuse.com
Keep updated /etc/hosts on velum-dashboard container, bsc#1062728
We would like to keep /etc/hosts file updated for velum-dashboard with Admin
host. Velum needs to know external name of Kube API which will be used to
register in Dex service. Problem was discovered and described in bug 1062728

Tue Oct 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c9d4710 by Kiall Mac Innes kiallAATTmacinnes.ie
Docker package was renamed to docker_1_12_6
Update salt to reference the new docker package name, as this was renamed
from \"docker\" to \"docker_1_12_6\"

Tue Oct 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 146e288 by Kiall Mac Innes kiallAATTmacinnes.ie
Revert K8S to use etcd2 storage format
With etcd3, the kubernetes api server will sit in a (slow) restart loop when
multimaster is enabled, logging a stacktrace and then restarting. This will
manifest as, most commonly, "Unable to connect to the server: unexpected EOF"
from kubectl. This will break bootstrap as we need to talk to K8S API to
deploy dex, kube-dns, and tiller.
bsc#1063235 bsc#1063285 bsc#1063543

Tue Oct 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 75145fe by Kiall Mac Innes kiallAATTmacinnes.ie
Revert \"Revert K8S to use etcd2 storage format\"
This reverts commit 5e95b0b0fb90d3d8ebd37df0e640303579c9e2c4.
This was pushed to master, rather than a branch, by accident.

Wed Oct 11 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e3b0d3b by Rafael Fernández López ereslibreAATTereslibre.es
Fix missing requirement during the upgrade process.
Fixes: bsc#1062824

Wed Oct 11 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 1e04919 by Kiall Mac Innes kiallAATTmacinnes.ie
Allow Dex to redirect to the Dashboard's external FQDN
Some scenarios where the admin node's private IP is not accessible to the
outside world require that we use an end user provided FQDN
- e.g. as is the case on OpenStack and possibly other cloud environments.
Allow redirections to this FQDN.
Part of bsc#1062291

Tue Oct 10 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 75e85a0 by Nikhil Manchanda SlickNikAATTgmail.com
Update tiller deployment to use sles-based docker image
Currently the tiller image being used for the tiller deployment is from the
upstream registry at gcr.io. We should be using the SLES based docker image
instead of the upstream one.
Fixes: bsc#1062380

Sat Oct 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 1df2665 by Kiall Mac Innes kiallAATTmacinnes.ie
Update VERSION file to 2.0.0+dev

Fri Oct 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 497891d by Michal Jura mjuraAATTsuse.com
Add floating network to cloud-provider integration with OpenStack
We would like to add a new pillar value, floating, which will be used to configure
the floating network for cloud provider integration with OpenStack. If this
option is specified, it will create floating ip for loadbalancer
automatically.

Fri Oct 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit ba9c3f8 by Rafael Fernández López ereslibreAATTereslibre.es
Set frontend settings: `dir` and `theme`.

Fri Oct 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 1ecef44 by Kiall Mac Innes kiallAATTmacinnes.ie
Dex: Wait for Dex to be fully up and running
We shouldn't allow a bootstrap to complete without Dex being up and running,
so let's wait for the Dex API to start responding.

Fri Oct 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c4b42e6 by Michal Jura mjuraAATTsuse.com
Remove duplicated storage-backend option for Kubernetes API, bsc#1061810
Option storage-backend is provided two times for Kubernetes API
configuration. We have to keep only one option with value provided from
pillar.

Fri Oct 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3e654d9 by Robert Roland robert.rolandAATTsuse.com
Add a URL of Velum as a valid OIDC redirect URI
This will make it so that Dex will be happy to redirect you to velum

Thu Sep 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 50f84f4 by Rafael Fernández López ereslibreAATTereslibre.es
Add `caasp_service.running_stable`
This new state will allow us to make sure that a service is running in a
stable manner. Also, it will do some waits in case systemd does retries in
the background, which avoids an instant failure from salt being reported with a
regular `service.running`.
Fixes: bsc#1059105

Thu Sep 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 408ab7a by Kiall Mac Innes kiallAATTmacinnes.ie
Allow custom options to be passed to the Salt Master
Rename the salt master configurations, so that custom options can be loaded
after the stock options, allowing an override.
bsc#1059724

Thu Sep 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 60e6a69 by Alvaro Saurin alvaro.saurinAATTgmail.com
Do not access infra machines through the proxy (bsc#1053739)

Thu Sep 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit f730743 by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure cluster-service labels are consistent
These were inconsistent, with some services using the labels, and others not.
Within services, some of the resources the label should be applied to were
not, even though other parts of the same service did have the label applied.
Commit 6520870 by Kiall Mac Innes kiallAATTmacinnes.ie
Add CriticalAddonsOnly tolerations
Add CriticalAddonsOnly toleration to dex/kube-dns/tiller, this syncs them
with upstream, and allows for masters to be flagged as suitable for running
these critical containers if desired.
Commit 6cde454 by Kiall Mac Innes kiallAATTmacinnes.ie
Remove Kube addonmanager references
As Kubernetes addonmanager is not used to deploy these, we should not apply
the addonmanager labels. Should an end user deploy kube addonmanager, it will
believe these pods are under its control and potentially remove or change
them.
bsc#1059516

Thu Sep 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7184f5e by Kiall Mac Innes kiallAATTmacinnes.ie
Prevent update-etc-hosts conflicting with bootstrap
Fix another case where the etc hosts update orchestration would otherwise
conflict with the bootstrap / add node orchestration.
bsc#1059577

Wed Sep 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 8865d73 by Robert Roland rob.rolandAATTgmail.com
Making the service account key the same on all nodes (#230)
The kube-apiserver and kube-controller-manager must agree on what the
private key is for service account generation. In a multi-master scenario,
where an api server starts on one machine, and the controller-manager on
another machine becomes primary, pods cannot be created because
kube-controller-manager cannot communicate with the apiserver.
So, now, we generate the service account key on the ca minion and store it
in the mine, so that it's generated once.
Fixes bsc#1059398

Tue Sep 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 6868ea5 by Alvaro Saurin alvaro.saurinAATTgmail.com
Set a default external fqdn

Tue Sep 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 2df25a0 by Aishwarya Thangappa aishwarya.thangappaAATTgmail.com
Fix the race condition that occurs when starting Kube-DNS
KubeDNS may fail to apply due to a race condition within `kubectl
apply`, this mitigates that issue.

Fri Sep 15 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5d0e520 by Kiall Mac Innes kiallAATTmacinnes.ie
Update paths to match SLES based Dex container
The SLES based dex container does not put dex in /usr/local/bin,
additionally, we install the web content in /usr/share/caasp-dex/web.
Part of bsc#1058833

Wed Sep 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e966106 by Michal Jura mjuraAATTsuse.com
Add OpenStack block storage version as a option

Wed Sep 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 8e90c5c by Kiall Mac Innes kiallAATTmacinnes.ie
Include kube-apiserver in the dex role
Without this, we're seeing an error post-bootstrap, so deployments look
green, but fail with:
The following requisites were not found:
require:
id: kube-apiserver

Wed Sep 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit cc32e39 by Robert Roland robert.rolandAATTsuse.com
Switch to the sles12/caasp-dex image

Wed Sep 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 6c2b47a by Michal Jura mjuraAATTsuse.com
Add orchestration for etcd storage 'etcd2' to 'etcd3'
In Kubernetes v1.7 the default storage backend for apiserver is 'etcd3'. We need
to orchestrate the migration between version 'etcd2' and 'etcd3'.

Wed Sep 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c26d987 by Robert Roland rob.rolandAATTgmail.com
Role-based access control (#192)
Adding role-based access control based on CoreOS Dex and OpenLDAP

Tue Sep 12 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 2b5dd9b by Nikhil Manchanda SlickNikAATTgmail.com
Add cluster role binding for tiller
Tiller requires a cluster role binding to work correctly with the new RBAC
changes. Add this cluster role binding so that helm commands work correctly.

Tue Sep 12 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit efd8877 by Rafael Fernández López ereslibreAATTereslibre.es
Set etcd3 as default backend storage

Sat Sep 9 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3e9bcd6 by Kiall Mac Innes kiallAATTmacinnes.ie
Move External FQDN to 127.0.0.1 address
This was added to ensure Dex was always reachable, however, with multi masters,
this name was assigned to 3 different lines in /etc/hosts. Most consumers of
/etc/hosts do not deal with this as they would a round-robin DNS entry which
returns multiple IPs.
When the \"selected\" master is powered off, this name continues to resolve the
same dead IP address. As Dex uses a NodePort service, putting this to
127.0.0.1 works as we expect it to.

Fri Sep 8 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5e89d99 by Alvaro Saurin alvaro.saurinAATTgmail.com
Refactor the wait-for-apiserver so it can be used in some other parts of the
code

Fri Sep 8 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5a13bbc by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure systemd is reloaded after units are changed
Ensure systemd is reloaded as soon as a unit is changed, rather than relying
on a task later within the orchestration to execute.
Fixes bsc#1057641

Fri Sep 8 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit a601b38 by Kiall Mac Innes kiallAATTmacinnes.ie
Include short hostname for masters
The short hostname for masters was not being set, as it was for both the
admin node, and worker nodes
Fixes bsc#1057794

Fri Sep 8 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 755ad7c by Sam Leavens rbwsamAATTgmail.com
Adding optional addon for Helm\'s tiller

Fri Sep 8 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e0727d2 by Kiall Mac Innes kiallAATTmacinnes.ie
Combine etcd and etcd-proxy formulas
The base etcd formula is never used on its own, let's remove this unnecessary
complexity.

Thu Sep 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c0bbaba by Kiall Mac Innes kiallAATTmacinnes.ie
Include both v2 and v3 flags in etcdctl vars

Tue Sep 5 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c1c851c by Robert Roland rob.rolandAATTgmail.com
Role-based access control (#192)
Adding role-based access control based on CoreOS Dex and OpenLDAP

Wed Aug 30 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 66b0de2 by Aishwarya Thangappa aishwarya.thangappaAATTgmail.com
Update docker images for KubeDNS to ones based on SLES from the rpms in
MicroOS

Tue Aug 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 67846f6 by Kiall Mac Innes kiallAATTmacinnes.ie
Fix flannel config for 0.8.0
Flannel in 0.8.0 rejects the "-logtostderr" flag we were providing, this
doesn't seem to have ever been an option, however it was silently ignored in
the past.

Tue Aug 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5c4bf44 by Michal Jura mjuraAATTsuse.com
Set kube-apiserver storage backend as option
Parametrize Kubernetes apiserver storage backend. This will be used in future
for migration process from storage etcd2 to etcd3.

Fri Aug 25 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 0a8f3e2 by Michal Jura mjuraAATTsuse.com
Add cloud provider integration for OpenStack Storage
Commit 885cc4d by Michal Jura mjuraAATTsuse.com
Add cloud provider integration for OpenStack LoadBalancer

Tue Aug 22 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 6ac7ffb by Kiall Mac Innes kiallAATTmacinnes.ie
Use haproxy to load balance Kube API requests
Now that we can have multiple masters, we need a way for the various services
and end-users to be load balanced over the set of kube-api servers.
We install haproxy on each node, inside a docker container, configured to
load balance requests over all the cluster masters. This haproxy is
configured to listen on 0.0.0.0 on the masters, and 127.0.0.1 on the workers.
This is to allow the minions to simply "talk" to 127.0.0.0, and be routed to
an active kube-api server.

Mon Aug 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 2269176 by Kiall Mac Innes kiallAATTmacinnes.ie
Use apply instead of create for addons
kubectl apply is generally idempotent, while kubectl create is not. With
multi-master now enabled, if two masters execute this script at once, one of
them is likely to fail given the check+set race within this script -
Switching to apply removes part of this C+S race.
The second part of this race is the client-side decision by apply to create
or update, by retrying the command once if it fails, we can ensure when two
masters run this script at the same time, for the first time, the C+S race
will be avoided here too.

Mon Aug 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit b470a20 by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure k8s_etcd.get_cluster_size works for multi-master
If we had enough masters to form a etcd cluster, we would end up returning
\"None\" from this method, preventing the cluster formation.

Mon Aug 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 06033b3 by Alvaro Saurin alvaro.saurinAATTgmail.com
Wait for the API server after starting the service.

Mon Aug 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit af41306 by Alvaro Saurin alvaro.saurinAATTgmail.com
Do not generate an empty --proxy line in curlrc

Fri Aug 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit bdd9b9c by Kiall Mac Innes kiallAATTmacinnes.ie
Grow flannel CIDR to accommodate 1024 workers
Flannel was set up such that 150 workers could obtain a subnet before there
were none left. By growing this range, and the size of the individual
allocations, we allow for up to 1024 workers with 510 pods on each.
bsc#1047847

Thu Aug 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 4b40d4c by Aishwarya Thangappa aishwarya.thangappaAATTgmail.com
Add kube-dns service account

Thu Aug 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e1d5650 by Kiall Mac Innes kiallAATTmacinnes.ie
Disable Salt's Job Cache
Salt's job cache is buggy, causing random failures to lookup mine data, which
in turn causes our deployments to fail.
Fixes bsc#1054256

Thu Aug 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7c47d63 by Alvaro Saurin alvaro.saurinAATTgmail.com
Properly wait for a HTTP endpoint

Wed Aug 16 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit a4a049e by Kiall Mac Innes kiallAATTmacinnes.ie
Kube-API: Set storage-backend to etcd2
In our current configuration, kube-api logs a series of errors unless this is
set.

Wed Aug 9 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 6caa9fa by Robert Roland robert.rolandAATTsuse.com
Dedicated certificate for kube-controller-manager
Commit 5e5dfb5 by Robert Roland robert.rolandAATTsuse.com
Dedicated certificate for kube-proxy
Commit afe4f63 by Robert Roland robert.rolandAATTsuse.com
Dedicated certificate for kubelet
Commit 8acea7c by Robert Roland robert.rolandAATTsuse.com
Dedicated certificate for kube-scheduler
Commit e59670e by Robert Roland robert.rolandAATTsuse.com
Adapting kube-apiserver wait fix into this branch
Commit c4eef4d by Robert Roland robert.rolandAATTsuse.com
eliminated the kubernetes-master formula
the daemons are all separate now, so it's controlled by role membership in
the top.sls file
moved addons to a separate salt formula
Commit 9232705 by Robert Roland robert.rolandAATTsuse.com
kube-proxy as a separate salt formula
Commit 15ff190 by Robert Roland robert.rolandAATTsuse.com
kubelet as a separate salt formula
Commit 4412b9d by Robert Roland robert.rolandAATTsuse.com
kube-scheduler as its own formula
fixing a bug where we uncordon master nodes. but we should never do that.
Commit 4662dd1 by Robert Roland robert.rolandAATTsuse.com
kube-controller-manager as a separate formula
Commit ee9fb0b by Robert Roland robert.rolandAATTsuse.com
kube-apiserver as a separate formula
Makes a dedicated formula for the kube-apiserver
Generates a cert specifically for the kube-apiserver

Mon Aug 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 65b9e9c by Robert Roland robert.rolandAATTsuse.com
can't talk to 6443 without a client cert
talk to the insecure-bind-address instead.
Commit 5c6d2e1 by Kiall Mac Innes kiallAATTmacinnes.ie
Wait for Kube-API before installing Kube-DNS

Thu Aug 3 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3a6869d by Aishwarya Thangappa aishwarya.thangappaAATTgmail.com
Install Kube-DNS by default
1. Removed the skydns template files and added kubedns template files. We
will be using deployments instead of replication controllers.
2. Modified the deploy script to check for the existence of kube-dns deployment,
kube-dns service and config map before creating one.
3. Turned on the addon:dns flag so as to install KubeDNS by default.

Wed Aug 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit d1abfaa by Thomas Hipp thippAATTsuse.de
update k8s version
Signed-off-by: Thomas Hipp

Tue Aug 1 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit bc3adf7 by Robert Roland robert.rolandAATTsuse.com
Explicit dependency ordering
Commit 1086ebf by Robert Roland robert.rolandAATTsuse.com
Run kubelet and kube-proxy on the master node
A standard Kubernetes installation runs a kubelet and kube-proxy on every
node, and then you decide where to run apiserver, controller-manager and
scheduler.
This change is required to support RBAC, DaemonSets and many other changes.
Requires an updated kubernetes-client package that contains:
https://build.opensuse.org/request/show/494998

Thu Jul 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5df94da by Kiall Mac Innes kiallAATTmacinnes.ie
Delay reboots during upgrade by 15 seconds
Even with backgrounding the call, salt-minion sometimes still does not have
enough time to respond before systemd shuts down salt-minion on some
environments. By adding a 15 second delay, we give salt-minion much more time
than it should need in a healthy cluster to respond.
Additionally, switch from the deprecated syntax for supplying bg=True, to the
newer syntax which no longer logs a warning.
Follow-up fix for bsc#1049200

Thu Jul 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 4920c7a by Rafael Fernández López ereslibreAATTereslibre.es
Do not publish the `ca.crt` from the `ca` SLS, use `mine_functions`
We will be publishing these contents when the `ca` minion starts, so there's
no need to do this during the orchestration.
`mine.send` is not reliable enough since we cannot confirm that the contents
are there yet, and waiting a random amount of time is not appropriate as we
are just hiding the real problem. In the near future we can do an active wait
for the content to be there using `retry`, but for now we just publish the
contents of the `ca.crt` using
`mine_functions`, so it is sent when the `ca` minion starts.
There's no need to refresh the mine, as this was just hiding the real problem
when we were publishing this contents during the orchestration phase.
Fixes: bsc#1049137 Fixes: bsc#1048548

Wed Jul 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3e5cf9f by Kiall Mac Innes kiallAATTmacinnes.ie
Add extra requisites to the update orchestration
These additional requisites enforce a stricter ordering of tasks during the
upgrade. In some case, "-set-update-grain" would not execute in the right
place, potentially leading to a failed upgrade.
bsc#1045381

Wed Jul 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit d97a24e by Kiall Mac Innes kiallAATTmacinnes.ie
Don't wait for minion responses when rebooting
When we instruct a minion to reboot, we can't reliably wait for the response
from salt-minion letting us know that the "systemctl reboot" command
succeeded, as systemd may choose to shutdown the salt-minion service before
it can send out the "Yes, that worked" response.
Salt does not make any attempt to finish in progress tasks when it receives a
SIGTERM, leaving us with few other viable choices for this.
Fixes bsc#1049200

Tue Jul 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 0692dbf by Rafael Fernández López ereslibreAATTereslibre.es
Explicitly refresh the mine on all minions after the `ca` has published the
`ca.crt`
We will explicitly force all minions to refresh the mine after the `ca`
minion has published the `ca.crt` certificate on the mine, to avoid rendering
problems with later SLS being executed. It might happen that a minion was
missing this information on its mine, so the rendering of the SLS failed,
effectively stopping the whole orchestration process.
Fixes: bsc#1048548

Mon Jul 17 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 219b7d5 by Kiall Mac Innes kiallAATTmacinnes.ie
Upgrade: Wait longer for minions to reboot
Wait 1200 seconds (20 minutes) for minions to reboot, instead of the default
300 seconds (5 minutes). We increase this to cover off cases where slower to
boot physical hardware is used.
20 minutes was chosen as, I've seen physical hardware take 10-12 minutes in
the past, and someone likely has something that is slower to reboot.
bsc#1048683

Fri Jul 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 1e41512 by Alvaro Saurin alvaro.saurinAATTgmail.com
Add some extra names to the API server certificate (bsc#1033671)

Fri Jul 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 6b146d5 by Maximilian Meister mmeisterAATTsuse.de
make branch safe by transforming slashes to dashes
Signed-off-by: Maximilian Meister
Commit 588b834 by Maximilian Meister mmeisterAATTsuse.de
packaging: make branch configurable
Signed-off-by: Maximilian Meister

Fri Jul 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c59070d by Rafael Fernández López ereslibreAATTereslibre.es
Fix `ca` key path
This was a leftover from the previous implementation. Now the ca key is
present under `/etc/pki/private` in the ca container too (as it mounts
`/etc/pki`)

Thu Jul 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit b6281ae by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure grains are always refreshed periodically
Salt's grains_refresh_every configuration param does not quite do what we
need it to, it's failing to refresh grains from the `grains` file - leading
to updates going undetected.
This change adds a slightly modified version of what this config param
internally does, adding the force_refresh: True argument, ensuring we
correctly refresh.
bsc#1048583

Tue Jul 11 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 88e9ff9 by Rafael Fernández López ereslibreAATTereslibre.es
Keep `job_cache: True` as it's discouraged to disable it
Our deployment is also failing probably due to the fact that we were
disabling the salt `job_cache`.
Commit b0547af by Miquel Sabaté Solà msabateAATTsuse.com
Set MySQL as the job cache for the Salt master
First of all, we can specify an external job cache. If we don't do that, then
the `keep_jobs` option only applies to the local cache. This means that Salt
will not clean up jobs, events and returns older than the specified
`keep_jobs` value (default: 24h) for the MySQL returner that we have already
configured.
Moreover, since we'd already be using MySQL as a job cache, we don't have to
use the local system (/var/cache/salt/master/jobs/) as a cache
(note that Salt would still be using this directory to avoid JID collisions).
The documentation also says that the local cache can be a burden for large
deployments.
See bsc#1044133
Signed-off-by: Miquel Sabaté Solà

Tue Jul 11 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 31ad98d by Michal Jura mjuraAATTsuse.com
Don't duplicate log level argument for k8s services, bsc#1046407

Tue Jul 11 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit fcbfd6b by Michal Jura mjuraAATTsuse.com
Make log level configurable for dockerd service, bsc#1046407
Set the logging level for dockerd, possible values are:
[ debug, info, warn, error, fatal ]

Tue Jul 11 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e3c9c21 by Kiall Mac Innes kiallAATTmacinnes.ie
Add Jenkinsfile
The Jenkinsfile in each repo, if we adopt Jenkins in the end, will be very
thin, including just a single library load, and a single method call. This
prevents us from needing to keep each project's Jenkinsfile in sync as CI
changes are made.

Mon Jul 10 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 08a0960 by Kiall Mac Innes kiallAATTmacinnes.ie
Revert \"Set MySQL as the job cache for the Salt master\"
This reverts commit de22c660a99bc1425295c86be7d7dc3e79089845.

Mon Jul 10 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit de22c66 by Miquel Sabaté Solà msabateAATTsuse.com
Set MySQL as the job cache for the Salt master
First of all, we can specify an external job cache. If we don't do that, then
the `keep_jobs` option only applies to the local cache. This means that Salt
will not clean up jobs, events and returns older than the specified
`keep_jobs` value (default: 24h) for the MySQL returner that we have already
configured.
Moreover, since we'd already be using MySQL as a job cache, we don't have to
use the local system (/var/cache/salt/master/jobs/) as a cache
(note that Salt would still be using this directory to avoid JID collisions).
The documentation also says that the local cache can be a burden for large
deployments.
See bsc#1044133
Signed-off-by: Miquel Sabaté Solà

Fri Jul 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit d2df0ed by Rafael Fernández López ereslibreAATTereslibre.es
When generating the certificate use the pillar path
Since we added the minion certificate location to the pillar, also take the
public key location from the pillar, or the certificate generation will fail
if the pillar value changes.

Fri Jul 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit ce45c56 by Rafael Fernández López ereslibreAATTereslibre.es
Remove unneeded signing policies
These signing policies were used when the CA wasn't containerized, when we
containerized it, they were moved to `caasp-container-manifests`, and the CA
container is mounting it from there.
If we uncontainerize the CA in the future we can move it back if needed, but
let's keep this clean so it's not misleading.

Fri Jul 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 871a9dc by Michal Jura mjuraAATTsuse.com
Fix JINJA escaping for docker_opts in docker state module

Thu Jul 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 2bd42f5 by Rafael Fernández López ereslibreAATTereslibre.es
Add prerequisite for key to be present on `cert` sls
Add a specific dependency for the key to be present when generating the
certificate for the minion.

Thu Jul 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit eb852df by Rafael Fernández López ereslibreAATTereslibre.es
Add kubectl client certificate
This certificate will be served by Velum when downloading the `kubeconfig`
file, and is specific for that usage.
Fixes: bsc#1046963

Fri Jun 30 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 9950702 by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure bootstrap_complete grain is set
At the time this if block is called, the mine / grains sync hasn't happened
yet.
This reverts a change from commit fc8347c (bsc#1043589)

Fri Jun 30 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5e7c46f by Michal Jura mjuraAATTsuse.com
Define etcdctl config file with SSL variables
Let's add /etc/sysconfig/etcdctl with paths to the client server TLS files
and endpoint. This will make possible to run etcdctl command in easy way,
e.g.
source /etc/sysconfig/etcdctl
etcdctl cluster-health
fixes bsc#1046818

Fri Jun 30 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 15748cd by Flavio Castelli fcastelliAATTsuse.com
Handle curl proxy settings
YaST is also configuring proxy settings inside of `/root/.curlrc`, this is
needed because zypper is using libcurl. So if you run zypper from a cronjob
or `su`, the `/etc/sysconfig/proxy` variables are not parsed and set in the
environment. Which means, zypper will not use the proxy and fail. With
`/root/.curlrc`, libcurl will use the proxies configured there.
Signed-off-by: Flavio Castelli

Thu Jun 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit fc8347c by Rafael Fernández López ereslibreAATTereslibre.es
Enable TLS on the salt-api service
Fixes: bsc#1043589

Thu Jun 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 465a4d6 by Kiall Mac Innes kiallAATTmacinnes.ie
Add proxy state to admin node
Installs proxies onto the admin node - bsc#1043538
Commit a16c19e by Kiall Mac Innes kiallAATTmacinnes.ie
Disable rebootmgr on admin node
Once the system bootstraps, we now disable rebootmgr on the admin node. This
allows the velum initiated updates to takeover and prevent any unexpected
surprises.
bsc#1046602
Commit ef8ba5b by Kiall Mac Innes kiallAATTmacinnes.ie
Render /etc/hosts on admin node
Render the /etc/hosts file on the admin node, so nodes are reachable via their
internal FQDNs everywhere. Additionally, include the admin node in the
/etc/hosts files.
bsc#1045186

Thu Jun 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit eadd8e1 by Kiall Mac Innes kiallAATTmacinnes.ie
Increase salt-master timeout
When dealing with a large number of minions, timeouts are visible when using
the default value of 5 seconds. Increasing the CPU/RAM resources allocated
to the master helps, but given it's short bursts of heavy usage
(bootstrap and upgrade), this shouldn't be necessary.
We increase the timeout from 5 to 20 seconds, allowing tasks to take longer
yet still succeed.

Wed Jun 28 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3f2c44b by Graham Hayes graham.hayesAATTsuse.com
bsc#1045381 Ensure updates do not conflict with etc-hosts
This ensures that the etc-hosts orchestration does not run during an upgrade,
as this can cause conflicts on the nodes, which cause salt to fail to
complete an `orch.update` run.

Tue Jun 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5f492f9 by Graham Hayes graham.hayesAATTsuse.com
Turn off `auto_accept`

Mon Jun 26 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 197d164 by Michal Jura mjuraAATTsuse.com
Enable etcd authentication based on client certificates
Enable ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd-proxy
state module.
- Enable client cert authentication ETCD_CLIENT_CERT_AUTH="true"
- Enable peer client cert authentication. ETCD_PEER_CLIENT_CERT_AUTH="true"
Commit 970a590 by Michal Jura mjuraAATTsuse.com
Use Kubernetes API server etcd ssl
Commit 776bf33 by Michal Jura mjuraAATTsuse.com
Enable https for flanneld service
Commit b762959 by Michal Jura mjuraAATTsuse.com
Add ssl pillar profile
Commit 07a5652 by Michal Jura mjuraAATTsuse.com
Enable https for etcd-proxy services
All these fixes bsc#1043595

Fri Jun 23 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit a567814 by Kiall Mac Innes kiallAATTmacinnes.ie
Ensure CA fields are static (bsc#1045766)
As the DHCP domain name can change, we should avoid using it in our CA cert
in order to prevent it being unnecessarily regenerated.
Fixes bsc#1045766

Thu Jun 22 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 9e20d89 by Alvaro Saurin alvaro.saurinAATTgmail.com
Option for using the proxy settings system-wide (bsc#1036627)

Wed Jun 21 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 5042479 by Rafael Fernández López ereslibreAATTereslibre.es
Do not run etcd discovery on every orchestration run, only the first time
When adding new nodes, the `orch.kubernetes` orchestration was failing
because etcd is refusing to start since the etcd discovery mechanism was
already used when bootstrapping the cluster.
With this change we ensure that we use the discovery mechanism only when we
are bootstrapping the cluster.

Tue Jun 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e51791e by Kiall Mac Innes kiallAATTmacinnes.ie
Set etcd batch size to 3 nodes
Currently, we never ask for more than 3 members. Setting this to 3 ensures we
don't let more than 3 members attempt etcd discovery before a cluster has
been fully formed. If we have less than 3, this will still succeed, as the
exact number of members we expect will also end up attempting discovery at
the same time.

Tue Jun 20 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit a13010e by Rafael Fernández López ereslibreAATTereslibre.es
Do not fail if `salt.function` has no minions to target
Currently, `update-etc-hosts` orchestration fails because `update_mine`
`salt.function` cannot target any minions at the beginning, and since this is
a prerequisite for other states, the Reactor orchestration fails.
Only call to these `salt.function` if there are any minions to target.

Fri Jun 16 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit d2f8840 by Rafael Fernández López ereslibreAATTereslibre.es
Add missing `tgt_type` so we target the minions we intend to
This last step on the orchestration was returning a `False` result because no
targets were found to execute the grain set.

Fri Jun 16 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 9ddaa5a by Flavio Castelli fcastelliAATTsuse.com
salt-api: listen to localhost [bsc#1043589]
Do not expose the salt-api to the entire world. This is needed only by Velum
to trigger salt actions. Given both the containers use the same network
namespace we can just bind this service to localhost.
By doing that we are going to reduce the attack surface.
This fixes one of the two issues reported by bsc#1043589
Signed-off-by: Flavio Castelli

Thu Jun 15 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit a99d516 by Aishwarya Thangappa aishwarya.thangappaAATTgmail.com
Making the cluster-dns and cluster-domain arguments default
Right now, caasp doesn't support kube-dns out of the box. If customers wanted
to have dns support, they have to bring it up on their own by using `kubectl
create -f kubedns.yaml`. But this will not work until you add the cluster-dns
and cluster-domain arguments to kubelet args and restart the kubelet.
While doing this manually in every node is one pain point, salt will try to
bring it back to its original state. Meaning that the changes you made to the
kubelet args will no longer be there. So, unless you bring up the caasp
cluster with the addon set to true, you cannot have kube-dns working reliably
on the cluster.
This change will make it a little easier, by having these arguments by
default in every node.

Wed Jun 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 706837b by Graham Hayes graham.hayesAATTsuse.com
Ensure that reactor states only run on completed nodes
This ensures that we do not run reactor orchestrations on nodes that have not
completed bootstrapping.
This ensures that a node cannot have 2 states applied to it at the same time.

Wed Jun 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e44cf82 by Kiall Mac Innes kiallAATTmacinnes.ie
Remove concurrent=True from orchestrations
Salt's documentation calls this option out as dangerous, stating that the
state must be able to be run concurrently. This is not something we can
reasonably ensure works, so let's not use it.
From Salt\'s documentation:
This flag is potentially dangerous. It is designed for use
when multiple state runs can safely be run at the same
time. Do not use this flag for performance optimization.

Wed Jun 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 3fd0d08 by Kiall Mac Innes kiallAATTmacinnes.ie
Refresh grains at the start of orchestration
Additionally, refresh pillars at the start of update-etc-hosts.sls for
consistency.

Wed Jun 14 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7d0a037 by Graham Hayes graham.hayesAATTsuse.com
Update transactional-update to use "salt" option
This will ensure that the transactional-update code will write a grain
(`tx_update_reboot_needed:true`) on the node instead of rebooting the node.
This also allows for increasing the frequency of the snapshots being built

Tue Jun 13 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 91d649f by Alvaro Saurin alvaro.saurinAATTgmail.com
React to IP changes by using beacons

Mon Jun 12 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 53e389f by Rafael Fernández López ereslibreAATTereslibre.es
Only run `service.dead` on salt minions that we know support it.
The `ca` container was reporting this error during the orchestration:
```
service.dead {
    "__run_num__": 0,
    "_stamp": "2017-06-12T10:33:29.009340",
    "changes": {},
    "comment": "State 'service.dead' was not found in SLS 'rebootmgr'
Reason:
'service' __virtual__ returned False: No service execution module loaded:
check support for service management on SLES-12
",
    "name": "rebootmgr",
    "result": false,
    "retcode": 2
}
```
Also, the overall result of the orchestration was not successful (despite
individual highstates reporting success) because of this. Containers don't
have `systemctl` available, so `salt` doesn't know how to handle this.
Right now, rely on our roles for doing this (although we could have used the
`virtual` grain -- but for some reason a container reports `physical`, which
doesn't help) -- at least with the `salt` version we are currently using.
The orchestration result overall looks like this with this change:
```
"outputter": "highstate",
"retcode": 0
},
"success": true,
"user": "saltapi"
}
```

Mon Jun 12 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 0cd2559 by Graham Hayes graham.hayesAATTsuse.com
Batch runs of the `cert` state
This allows more nodes to be deployed without causing timeouts and failed
runs on the `cert` state.
Also, remove concurrency from the etcd member and proxy to ensure members are
created before proxies
bsc#1038814

Fri Jun 9 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 9b3652a by Kiall Mac Innes kiallAATTmacinnes.ie
Revert "Add module for removing etcd cluster members" - bsc#1043676
This reverts commit 27a4e81c331dc345e56266a57c5dcd86d1c1a177
Commit befe0b5 by Kiall Mac Innes kiallAATTmacinnes.ie
Revert "Add etcd_info salt grain module" - bsc#1043676
This reverts commit da17af3f0f9cb89a9057618b7561074a4e35818e.

Wed Jun 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 4132fa9 by Rafael Fernández López ereslibreAATTereslibre.es
Remove hardcoded secrets

Wed Jun 7 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 27a4e81 by Michal Jura mjuraAATTsuse.com
Add module for removing etcd cluster members

Tue Jun 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 40d8e9b by Robert Roland robert.rolandAATTsuse.com
Fixing broken build
Need to remove a reference to /var/lib/etcd if salt isn't managing it anymore

Tue Jun 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 1100cfe by Graham Hayes graham.hayesAATTsuse.com
Stop managing /var/lib/etcd in salt
This dir is created by the etcd rpm, and permissions are maintained by etcd
when it is running
Salt and etcd disagree on what these permissions are, causing extra
"changed" entries. As etcd is changing them to what it needs, and the
directory is created by etcd (and its RPM) we should not try and manage it.

Tue Jun 6 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 26fa83b by Jordi Massaguer Pla jmassaguerplaAATTsuse.de
use git revision in package version
this way zypper sees each new commit as an update. Otherwise, using the date
will create a conflict if 2 commits are from the same day.
Signed-off-by: Jordi Massaguer Pla

Fri Jun 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit e706873 by Michal Jura mjuraAATTusers.noreply.github.com
Enable https for all services and create dedicated ssl pillar profile (#86)

* Enable https for etcd-proxy services

* Enable https for flanneld service

* Add ssl pillar profile

* Use Kubernetes API server etcd ssl

Fri Jun 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit da17af3 by Michal Jura mjuraAATTsuse.com
Add etcd_info salt grain module
To maintain etcd cluster configuration by salt, it is needed to get etcd
status about members and their roles in the etcd cluster. This etcd_info grain
module provides the following information:
- 'etcd_module' - returns "available" if the python-etcd module is installed
- 'members_all' - returns the list of all members in the etcd cluster
- 'member_type' - returns the role of the local etcd service, possible values
  "proxy", "member", "leader"
- 'member_id' - returns the unique id of the local etcd service in the cluster
This grain module will be used by salt_delete state module for removing etcd
nodes from the cluster.
To run this module it is required to install the following packages:
- python-etcd
- python-urllib3
- python-dnspython

Fri Jun 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7031d71 by Victor Palade vpaladeAATTsuse.com
disable reboot manager when orchestration happens

Fri Jun 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 9815b3b by Rafael Fernández López ereslibreAATTereslibre.es
Ensure our states are idempotent
- Adapt some `cmd.run` to use `onchanges`, so they only execute when their
`watched` states change.
- Add `stateful: True` to some `cmd.run`s, so following the salt protocol
for this we ensure that the command didn't change anything in the system
state.
- Move `ca-cert` to its own SLS, so `cert` will only now generate the
`/etc/pki/minion.{key,crt}` files.
- The `cert` SLS will now be the only responsible for generating
certificates depending on the role of the machine. This way we ensure
that regardless of how this SLS is included it behaves in the same
way under all conditions. We might want to use a certificate for different
services, but that will need some extra changes.
- Change some `module.run` to `module.wait` so they only execute when the
`watched` states change.
- Remove cleanups that make it impossible to have idempotent states.
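
The `stateful: True` protocol mentioned in this entry is worth seeing end to end. The following Python script is an added example and is not code from the kubernetes-salt states: it manages one line in a configuration file, writes only when the line is missing, and emits the trailing `changed=yes|no comment=...` line that Salt's cmd.run reads when `stateful: True` is set, so a second run honestly reports no change. The target file name and the managed line are constructed for the demo.

```python
"""Idempotent command honouring Salt's ``stateful: True`` output protocol.

Added example, not code from the kubernetes-salt repository.  With
``stateful: True``, Salt's cmd.run reads the LAST line of the command's
output as shell-quoted key=value pairs (or a JSON object) and uses the
``changed`` key to decide whether the state reports a change.  Doing the
presence check before the write is what makes the command idempotent.
"""
import os
import shlex
import tempfile


def ensure_line(path, line):
    """Make sure `line` is present in `path`; return (changed, comment).

    The presence check runs first, so calling this twice with the same
    arguments appends nothing the second time.
    """
    existing = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = fh.read().splitlines()
    if line in existing:
        return False, "line already present in %s" % path
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return True, "appended line to %s" % path


def stateful_output(changed, comment):
    """Format the final output line for ``stateful: True``.

    Salt splits this line with shlex and then each item on ``=``, so the
    comment is shell-quoted and must not itself contain an ``=`` character.
    """
    if "=" in comment:
        raise ValueError("comment would break Salt's key=value parsing")
    return "changed=%s comment=%s" % ("yes" if changed else "no", shlex.quote(comment))


def parse_stateful_line(last_line):
    """Parse a stateful line as Salt does: shlex.split, then split each item on '='."""
    result = {}
    for item in shlex.split(last_line):
        key, value = item.split("=", 1)
        result[key] = value
    return result


def demo(managed_line='ETCD_CLIENT_CERT_AUTH="true"'):
    """Run the same change twice against a throwaway file.

    Returns the two parsed stateful results: the first run changes the
    file, the second finds the line already there.  The path is constructed
    for the demo and discarded afterwards.
    """
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "etcd.conf")  # hypothetical target file
        for _ in range(2):
            changed, comment = ensure_line(target, managed_line)
            results.append(parse_stateful_line(stateful_output(changed, comment)))
    return results


if __name__ == "__main__":
    first, second = demo()
    print(first["changed"], second["changed"])  # yes no
```

Wired into a state, the script would be the `name` of a `cmd.run` with `stateful: True`; Salt then reports the state as changed only on runs where the last line says `changed=yes`, which is exactly the behaviour the entry asks for.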

Fri Jun 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit c0667e3 by Kiall Mac Innes kiallAATTmacinnes.ie
Don't change the system hostname
Operators don't want us to change the system hostname, which we previously
did to account for environments which don't provide unique DHCP hostnames.
We'll undo this change, as we have now removed our reliance on the system
default hostname.
Fixes bsc#1041789

Thu Jun 1 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 86ae430 by Alvaro Saurin alvaro.saurinAATTgmail.com
Update the /etc/hosts by using a loop, so the file does not grow
indefinitely. Do not set the IP address for API server in the API servers
to 127.0.0.1
Commit acb76f3 by Alvaro Saurin alvaro.saurinAATTgmail.com
Add the kubelet port configurable with a Pillar variable
Open the kubelet port in the firewall

Thu Jun 1 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 8bc25b2 by Kiall Mac Innes kiallAATTmacinnes.ie
Add a caasp_fqdn grain and migrate to it
This adds a caasp_fqdn grain and migrates usage of fqdn to it. This is needed
because the fqdn grain has proved unreliable, where we know *exactly* what we
want, and salt's detection will be broken by an upcoming change.
Partial fix for bsc#1041789

Thu Jun 1 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7f7d9aa by Graham Hayes graham.hayesAATTsuse.com
Initial framework of update orchestration

Thu Jun 1 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 631ea1d by Kiall Mac Innes kiallAATTmacinnes.ie
Allow for clean shutdown of nodes
Add a stop SLS for each service we wish to shutdown clearly, doing any
necessary pre-stop actions such as draining kubelet.

Tue May 30 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit d8ce355 by Rafael Fernández López ereslibreAATTereslibre.es
Do not include etcd-proxy on this last action
This triggers a chain reaction when the reboot sls is called directly
(salt-call state.apply reboot) on the last step of the orchestration, since
etcd-proxy includes etcd, and etcd includes cert.
Cert sls will generate a new certificate overriding the current one with all
the correct DNS names and IP addresses, by one that only contains `fqdn` as
the only dns name.
Fixes: bsc#1040858

Mon May 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit daadead by Rafael Fernández López ereslibreAATTereslibre.es
Make cert always include `fqdn`
The only component that was adding `fqdn` to the list of dns names of SAN
certificates is the `kube-master` role.
However, depending on the size of the cluster and other possible reasons it
might happen that an etcd member falls in a `kube-minion` instance, where the
certificate is missing local ip addresses, as well as the `fqdn` of the
machine. With this change, we are enforcing `cert` to always generate this
information automatically, while we still allow to extend it, in case that's
still necessary (for example, as kubernetes-master still requires).
Check https://bugzilla.novell.com/show_bug.cgi?id=1039269#c9 for further
information.
Fixes: bsc#1039269

Fri May 26 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit ce5954e by Alvaro Saurin alvaro.saurinAATTgmail.com
Minor changes in etcd: do not remove /var/lib/etcd and close some ports we
don't really need

Thu May 25 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 7317ca8 by Miquel Sabaté Solà msabateAATTsuse.com
docker: reload container-feeder after starting docker
See bsc#1040579
Signed-off-by: Miquel Sabaté Solà

Tue May 23 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 6013d74 by Robert Roland rob.rolandAATTgmail.com
Update etcd.conf
Stray + character was causing this line to not execute, and I ended up with a
cluster with both folders present, preventing etcd from starting.

Mon May 22 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 824101b by Alvaro Saurin alvaro.saurinAATTgmail.com
Fix some problems with Docker when HTTP proxy vars are empty

Thu May 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 4f664e1 by PI-Victor palade.ionutAATTgmail.com
revert changes to etcd systemd drop-in unit

Thu May 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit bace710 by Rafael Fernández López ereslibreAATTereslibre.es
Add apiserver main hostname
Fixes: bsc#1039437

Thu May 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit 88c1434 by Michal Jura mjuraAATTsuse.com
Configure ETCD_INITIAL_ADVERTISE_PEER_URLS only with FQDN
We have to remove IP based ETCD_INITIAL_ADVERTISE_PEER_URLS, because they use
HTTPS, which is failing for IP URLS with following error
health check for peer 100fbbb05571e58f could not connect: x509:
cannot validate certificate for 10.17.3.176 because it doesn't contain any
IP SANs
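
The x509 error in this entry is the generic TLS hostname check at work rather than anything etcd-specific: an IP literal in a URL is matched only against IP Address SANs, never against DNS SANs or the CN, so a certificate that carries only the FQDN can never serve an `https://10.x.x.x` peer URL. The same gap is what the later `cert` changes (always including `fqdn` and the local IP addresses in the SAN list) close. The following Python is an added example and not code from kubernetes-salt: it reimplements the host-versus-SAN match over the tuple shape Python's `ssl.getpeercert()` returns and shows a DNS-only certificate rejecting the IP peer URL while a certificate that also lists its IP passes. The SAN lists, host names and addresses are constructed.

```python
"""Why an HTTPS peer URL with a bare IP fails against a DNS-only certificate.

Added example, not code from the kubernetes-salt repository.  The SAN
tuples below mimic ssl.getpeercert()['subjectAltName'], e.g.
(('DNS', 'etcd-1.example.com'), ('IP Address', '10.17.3.176')).  All names
and addresses are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit


def _dns_matches(pattern, hostname):
    """RFC 6125-style DNS match: exact, or a wildcard covering one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # "*.example.com" -> ".example.com"
    head, sep, rest = hostname.partition(".")
    # The wildcard must consume exactly one non-empty label; "example.com"
    # itself and "a.b.example.com" both fail.
    return sep == "." and head != "" and "." + rest == suffix


def san_matches(san, host):
    """True if `host` (DNS name or IP literal) is covered by the SAN list.

    IP literals are compared only with 'IP Address' entries; a DNS entry
    whose text happens to be an IP does not count, which is the rule the
    etcd error message is reporting.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_matches(value, host):
            return True
    return False


def explain_peer_url(url, san):
    """Classify a peer URL against a certificate's SANs, mirroring etcd's wording."""
    host = urlsplit(url).hostname
    if san_matches(san, host):
        return "ok"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "cannot validate certificate for %s: no matching DNS SAN" % host
    if not any(kind == "IP Address" for kind, _ in san):
        return ("cannot validate certificate for %s because it doesn't contain "
                "any IP SANs" % host)
    return "cannot validate certificate for %s: IP SANs present but none match" % host


# Constructed SAN lists: a certificate carrying only the FQDN, and one that
# also lists the node's address.
DNS_ONLY_SAN = (("DNS", "etcd-1.example.com"),)
DNS_AND_IP_SAN = (("DNS", "etcd-1.example.com"), ("IP Address", "10.17.3.176"))

if __name__ == "__main__":
    for san in (DNS_ONLY_SAN, DNS_AND_IP_SAN):
        for url in ("https://10.17.3.176:2380", "https://etcd-1.example.com:2380"):
            print(url, "->", explain_peer_url(url, san))
```

The practical check this gives an operator is the one etcd itself applies: before advertising a peer URL over HTTPS, confirm that the URL's host, as written, appears in the certificate's SAN list with the right type; switching the advertised URL to the FQDN (this entry) and adding IP SANs (the `cert` changes above) are the two ways to satisfy it.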

Thu May 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Commit fcc6f23 by Alvaro Saurin alvaro.saurinAATTgmail.com
Handle proxies in the docker daemon

Tue May 16 14:00:00 2017 containers-bugownerAATTsuse.de
- Use colons as nesting instead of dots

Tue May 16 14:00:00 2017 containers-bugownerAATTsuse.de
- Do a deeper cleanup before restarting etcd
- Some etcd deps
- Take flannel setup out of the master
- Perform flannel setup before k8s master setup

Thu May 11 14:00:00 2017 containers-bugownerAATTsuse.de
- bump number of worker threads
* to avoid minion calls to master timing out
* fixes https://github.com/kubic-project/salt/issues/62

Mon May 8 14:00:00 2017 containers-bugownerAATTsuse.de
- Initial config files for the reactor, with an example sls for presence

Tue May 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Renamed docker registry variable

Tue May 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Update etcd member count logic

Tue May 2 14:00:00 2017 containers-bugownerAATTsuse.de
- Cleanup the docker options

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Set Hostname to match machine-id

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Fix Jinja2 syntax error in kubelet.jinja

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Fix Jinja2 syntax error in kubeconfig.jinja

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Use some constant names for the API server

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Use machine ID and domain as kubelet hostname

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Update default etcd cluster size to match number of masters

Thu Apr 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Configure kube-{scheduler/controller-manager} leader elections

Tue Apr 25 14:00:00 2017 containers-bugownerAATTsuse.de
- [WIP] Use machine ID as kubelet hostname

Mon Apr 24 14:00:00 2017 containers-bugownerAATTsuse.de
- Replace the SVGs by PNGs

Mon Apr 24 14:00:00 2017 containers-bugownerAATTsuse.de
- Some docs

Wed Apr 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Cleanup

Wed Apr 19 14:00:00 2017 containers-bugownerAATTsuse.de
- Do not assume minion_id is hostname/fqdn

Tue Apr 18 14:00:00 2017 containers-bugownerAATTsuse.de
- Allow the kubelet to run on Kubernetes 1.6

Mon Apr 10 14:00:00 2017 containers-bugownerAATTsuse.de
- Bug 1032379 - Must install flanneld on the kubernetes master node

Wed Mar 29 14:00:00 2017 containers-bugownerAATTsuse.de
- Actually use `grains.get` default value

Tue Mar 28 14:00:00 2017 containers-bugownerAATTsuse.de
- Always set `CN`. Even if no grains are set (because the domain could not be inferred), set the default dns domain from the pillar.

Tue Mar 28 14:00:00 2017 containers-bugownerAATTsuse.de
- Fix etcd deps

Tue Mar 28 14:00:00 2017 containers-bugownerAATTsuse.de
- Make etcd state a requirement for states that need etcd running on localhost

Mon Mar 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Do not indent (it's not a mine_function)

Mon Mar 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Fixed the infra container path for CaaSP

Mon Mar 27 14:00:00 2017 containers-bugownerAATTsuse.de
- Do not set certificate `CN` if domain was not specified by a grain

Thu Mar 23 13:00:00 2017 containers-bugownerAATTsuse.de
- Added parameters for passing extra arguments

Tue Mar 21 13:00:00 2017 containers-bugownerAATTsuse.de
- Renamed API server vars

Mon Mar 20 13:00:00 2017 containers-bugownerAATTsuse.de
- fix infra container image (=pause image) for opensuse

Mon Mar 20 13:00:00 2017 containers-bugownerAATTsuse.de
- pod_infra_container_image is not optional anymore

Mon Mar 20 13:00:00 2017 containers-bugownerAATTsuse.de
- Revert 6bae304 and fe1677c

Mon Mar 20 13:00:00 2017 containers-bugownerAATTsuse.de
- fix etcd proxy instance failure on restart

Mon Mar 20 13:00:00 2017 containers-bugownerAATTsuse.de
- Renamed API server vars

Fri Mar 17 13:00:00 2017 containers-bugownerAATTsuse.de
- packaging: fix name of tarball directory

Fri Mar 17 13:00:00 2017 containers-bugownerAATTsuse.de
- packaging: fix name of tarball directory

Fri Mar 17 13:00:00 2017 containers-bugownerAATTsuse.de
- packaging: fix name of tarball directory

Thu Mar 9 13:00:00 2017 jmassaguerplaAATTsuse.com
- Disable service as it needs to be this way in the final repo

Fri Mar 3 13:00:00 2017 alvaro.saurinAATTsuse.com
- Updated for CaaSP

Thu Feb 23 13:00:00 2017 alvaro.saurinAATTsuse.com
- Updated for k8s 1.5.3

Thu Feb 23 13:00:00 2017 alvaro.saurinAATTsuse.com
- Initial version