During the bootstrap process the Kubernetes node is not ready due to the missing CNI.
It will be installed later, but for a few deployments/jobs it's critical.
They can't start pods and keep looping for a while.
The workaround is here: add tolerations.
Change-Id: I8b3dacb71a7f102e7f74a6e4b6aee963ef12b8ed
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.
Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.
Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
This commit rewrites lint job to make template linting available.
Currently yamllint is run in warning mode against all templates
rendered with default values. Duplicates detected and issues will be
addressed in subsequent commits.
Also all y*ml files are added for linting and corresponding code changes
are made. For non-templates warning rules are disabled to improve
readability. Chart and requirements yamls are also modified in the name
of consistency.
Change-Id: Ife6727c5721a00c65902340d95b7edb0a9c77365
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This moves from using the docker profile to the default
runtime profile - which allows container engines other than
docker to work out of the box.
Change-Id: Ica5a48f8c43b90f07969b41e10dc472a772b5b43
Signed-off-by: Pete Birley <pete@port.direct>
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.
Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS fixes the use of the security context macros for the
calico chart.
Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This updates the Calico-etcd chart to include the pod
security context on the pod template
This also adds the container security context to set
readOnlyRootFilesystem to true
Change-Id: I10ff398d7a552d5287d841ca39c77ea097f7e67e
The string "false" isn't boolean false.
Where possible use booleans in the values so constructs like:
    {{ if not .Values.some.thing }}
    # some thing is not set
    {{ end }}
work as expected.
In the places it's expanded and passed into the pod environment
variables it is converted to a string; we update those all the same so
that template logic will work.
Change-Id: I6142b9d514b2b21381dbf0de2f1351f5ab94e696
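
The truthiness problem described in the commit message above, shown as an added example (not code from the chart or the commit). It evaluates the quoted construct with Go's text/template, which Helm uses; the helper stringBools and the sample values are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// The construct quoted in the commit message, with output added per branch.
const tpl = `{{ if not .Values.some.thing }}unset{{ else }}set{{ end }}`

// render evaluates tpl with .Values.some.thing = v.
func render(v interface{}) string {
	data := map[string]interface{}{"Values": map[string]interface{}{
		"some": map[string]interface{}{"thing": v}}}
	var sb strings.Builder
	if err := template.Must(template.New("t").Parse(tpl)).Execute(&sb, data); err != nil {
		return "error: " + err.Error()
	}
	return sb.String()
}

// stringBools (hypothetical helper) returns the dotted paths of string values
// that spell a boolean, i.e. values that are always truthy in a template.
func stringBools(prefix string, node interface{}) []string {
	var hits []string
	switch n := node.(type) {
	case map[string]interface{}:
		for k, v := range n {
			hits = append(hits, stringBools(prefix+"."+k, v)...)
		}
	case string:
		if s := strings.ToLower(n); s == "true" || s == "false" {
			hits = append(hits, strings.TrimPrefix(prefix, "."))
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleValues is constructed for this example, not taken from the chart.
var sampleValues = map[string]interface{}{
	"some":  map[string]interface{}{"thing": "false"},
	"other": map[string]interface{}{"flag": false, "name": "calico", "debug": "True"},
}

func main() {
	fmt.Println(render(false), render("false")) // boolean vs. string value
	fmt.Println(stringBools("", sampleValues))
}
```

A check like stringBools can run over a decoded values file in a lint job to catch settings that a template would silently treat as enabled.
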
These changes aim to remove blanket privileges from Calico and replace them
with the default pod privileges granted by Docker plus the few extended
privileges that Calico needs
Change-Id: I1342ef02086877bc69f752403a33278c9670ed86
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
This updates daemonsets and deployments from extensions/v1beta1 to
apps/v1. These templates were either missed or overlooked when
added, and this change brings them up to the same api version used
for all other daemonsets and deployments
Change-Id: I6d2aba7791ad5eabd23785c01aed01d4f8e53d39
No longer use networking.settings.ippool.ipip.mode, rather take from
conf.node.CALICO_IPV4POOL_IPIP (this avoids duplication and
possibility of setting them differently).
Logging values previously required Titlecase in some places, lower in
others (and it changed across versions); have the chart DTRT where it
matters to avoid configuration problems.
Change-Id: Idb7ccb5be8f9e1cb184ed86a9fd0875704912564
PS provides possibility to use TLS in etcd (for Calico).
The ansible scripts were updated as well.
Change-Id: I522a78043a125660153aaa60f13d61ba8e325e75
This creates a new section in calico/values.yaml that enables
BGP communities to be applied to a cidr by using the bird_ipam
templates.
Change-Id: I4dbbc8d8e761e0484eeb7c8bf0fefa28d29493e5
Update the comment URL references to v3.4 to match the code; other
than ipPool (which was extended) the previous objects versions match
the current version.
Change-Id: I1dae92c99992e3a808bea2c270b9d6070274e9f6
- If a rule set in the network policy override for the calico
chart is empty, it causes the calico-settings job to fail. This
safety valve should handle the empty list gracefully.
Change-Id: I4b8a39941f05a8eb86734ff129b2d73830883236
Expose the early logging level for calico-node.
Use conf.node.FELIX_LOGSEVERITYSCREEN to set logging level in
BGPConfiguration and FelixConfiguration (whilst this is an odd
name/location it is backwards compatible and will in most cases set
things as expected).
Change-Id: I70c3028423eddb4721456f645c4475da4af7ced5
- Adds AppArmor profile to the privileged pod
using kubernetes_manadatory_access_control_annotation.
- Added apparmor install to the gate jobs.
Change-Id: I8b53e0b8ddc2695fa278481edf5688efa23ab06b
Allow Calico resources such as NetworkPolicy, GlobalNetworkPolicy,
WorkloadEndpoint, etc to be specified using values.
To avoid the complexities of list management with helm we use a
dictionary that contains a relative priority and set of objects
(called rules).
For example:
    network:
      policy:
        someName:
          priority: 0
          rules:
            - apiVersion: projectcalico.org/v3
              ... some useful resource object ...
            - apiVersion: projectcalico.org/v3
              ... some other useful resource object ...
        someOtherName:
          priority: 1
          rules:
            - apiVersion: projectcalico.org/v3
              ... rules that come later ...
        lastSetOfRules:
          priority: 9
          rules:
            - apiVersion: projectcalico.org/v3
              ... rules that come last ... maybe hostendpoints ...
By having named groups of rules each with its own priority you can
update, delete and amend individual sets of rules without provided you
set the appropriate "priority" value.
Change-Id: Id441350bcc8b95a91ef4d1b89d1bc3c417f50b13
This PS realigns Calico v2 with the pending Calico v3.2 chart in order
to minimize differences. It's mostly refactoring with a few small fixes.
Change-Id: Ie5157b4ae324b6eb4c8ccb5cc07d8b9bc5a83ebd
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.
Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
This removes some obsolete calico version information that
was leftover from the original manifest after which this chart
was modeled.
Change-Id: Ic592923484c498216025bb5a7b0bda1f2be9e871
This PS removes the use of the `quote and truncate` approach to
suppress output from gotpl actions in templates and replaces it
with the recommended practice of defining `$_` instead.
Change-Id: I5fedc3471dcbecef37d2fe1302bf9760b3163467
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use the current ga version for kubernetes daemonsets,
additionally any remaining deployments that were using the
`extensions/v1beta1` have been updated to `apps/v1`.
Story: 2002205
Task: 21735
Change-Id: If9703162dc472af1e6096bf2b9062802fd5ce8ab
Signed-off-by: Pete Birley <pete@port.direct>
Move to v0.3.1 of kubernetes-entrypoint which has 2 breaking changes to
pod dependencies, and also adds support for depending on jobs via
labels.
Change-Id: I2bafc2153ddd46b3833b253a2e7950bccbccf8ed
This ps proposes adding a common template for the image_repo_sync
jobs for consumption by the charts
Change-Id: I48476d1e4fd94bd1b08b13b46983e3d999f8d8ca
This ps adds more granular node selectors for the charts in osh
infra to match what is currently done in osh
Change-Id: I8957a95053b9fb3ea329fd37ff049cd223a7695d
This PS simplifies the logic for dynamically merging the image management
dependencies into pod deps when active.
Change-Id: I0cf6c93173bc5fbce697ac15be8697d3b1326d0a