Upstream has deprecated 'node-role.kubernetes.io/master'
to use 'node-role.kubernetes.io/control-plane' in k8s 1.24.
Platform and applications need to be updated to use 'control-plane'
with nodeSelector/Tolerations so we may upgrade from 'master'.
This updates pod nodeSelector to use
'node-role.kubernetes.io/control-plane' instead of
'node-role.kubernetes.io/master'.
This updates pod Tolerations to support both:
- 'node-role.kubernetes.io/master'
- 'node-role.kubernetes.io/control-plane'
Test Plan:
Apply both taints to controller nodes
PASS: Perform all application lifecycle actions:
upload/apply/remove/delete.
PASS: Ensure that pods are running on the controller nodes.
Story: 2010301
Task: 46675
Signed-off-by: Sachin Gopala Krishna <saching.krishna@windriver.com>
Change-Id: Ie6f951021e0c82310b4a63a095412efc9f6385eb
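Added example, not part of the commit above or of the StarlingX code: a small lint for a rendered pod spec that applies the Kubernetes toleration matching rules to both node-role taints and flags a nodeSelector that still uses the deprecated key. The function names, the sample specs and the NoSchedule taint effect are assumptions made for illustration.

```python
"""Lint a pod spec for the 'master' -> 'control-plane' label/taint migration."""

OLD_KEY = "node-role.kubernetes.io/master"
NEW_KEY = "node-role.kubernetes.io/control-plane"


def tolerates(toleration, taint):
    """Return True if one toleration matches one taint (Kubernetes rules)."""
    operator = toleration.get("operator", "Equal")  # Equal is the default
    key = toleration.get("key", "")
    # An empty or absent effect on the toleration matches every taint effect.
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    if operator == "Exists":
        # Exists with an empty key tolerates every taint key.
        return key in ("", taint["key"])
    return key == taint["key"] and toleration.get("value", "") == taint.get("value", "")


def check_pod_spec(spec, effect="NoSchedule"):
    """Return a list of findings; an empty list means the spec is ready."""
    findings = []
    selector = spec.get("nodeSelector") or {}
    if OLD_KEY in selector:
        findings.append(f"nodeSelector uses deprecated label {OLD_KEY}")
    tolerations = spec.get("tolerations") or []
    # During the transition a controller node may carry either or both taints.
    for key in (OLD_KEY, NEW_KEY):
        taint = {"key": key, "value": "", "effect": effect}
        if not any(tolerates(t, taint) for t in tolerations):
            findings.append(f"no toleration for taint {key}:{effect}")
    return findings


# Constructed sample: a spec still pinned to the old label and taint.
BEFORE_SPEC = {
    "nodeSelector": {OLD_KEY: ""},
    "tolerations": [
        {"key": OLD_KEY, "operator": "Exists", "effect": "NoSchedule"},
    ],
}

# Constructed sample: new nodeSelector, tolerations for both taints.
AFTER_SPEC = {
    "nodeSelector": {NEW_KEY: ""},
    "tolerations": [
        {"key": OLD_KEY, "operator": "Exists", "effect": "NoSchedule"},
        {"key": NEW_KEY, "operator": "Exists", "effect": "NoSchedule"},
    ],
}

if __name__ == "__main__":
    for name, spec in (("before", BEFORE_SPEC), ("after", AFTER_SPEC)):
        print(name, check_pod_spec(spec) or "ok")
```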
The ubuntu-jammy nodeset gets selected by default
and is causing problems during setup.
Collecting cffi>=1.1
Failed to build cffi
ubuntu-focal seems to work fine.
Will specify the nodeset to be focal to resolve this.
Need to update a file that is monitored by zuul
in order to trigger the failing zuul jobs.
In order to not require the legacy pip resolver, the
requirements need to be updated.
The upper constraints are also updated. When the
debian upper constraints in the build-tools repo are
updated for the appropriate docker and kubernetes, the
file in this repo can be set back to empty.
Partial-Bug: 1994843
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ia76846f827e06a7de2908ae123566706b21a589a
As part of Armada deprecation we need to remove all Armada application
builds for all applications that have been migrated to FluxCD.
This patch removes the armada app build from centos and debian.
TEST PLAN:
PASS: Build centos
PASS: Build debian
PASS: rpm package has no armada tarball
PASS: deb package has no armada tarball
PASS: FluxCD package is unchanged
Story: 2009138
Task: 45960
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Id66f17cc121d7612dfeb48ecdecfdc1a3ad2e404
If a Helm plugin from app (X) has the same name as another plugin from a
different app (Y), app plugins from X are not installed as there is a
plugin with the same name already installed. Internally Sysinv
AppOperator has a HashTable and its key is the plugin name, therefore
preventing adding plugins with the same name.
We change the nginx plugin name so that other apps with different nginx
plugins don't collide and prevent the platform from being able to
apply/reapply nginx-platform-app
001_ingres-nginx -> 0001_ks-ingress-nginx
Test Plan:
PASS: Apply Nginx together with an app with previous nginx plugin
name
PASS: Name changed at system overrides, command:
system helm-override-show nginx-ingress-controller
nginx-ingress-controller kube-system
Closes-bug: 1980394
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: I2a1b663d3867873d024c108d71ee074da1a39a5e
Updating Nginx's defaultbackend image version from defaultbackend:1.4 to
defaultbackend-amd64:1.5 to align with the upstream version.
Test Plan:
PASS: Done Helm override to enable defaultbackend and verify
defaultbackend pod is running after app re-apply.
PASS: Check defaultbackend-amd64:1.5 version pod is using the right
image version.
PASS: Simple functional test creating ingress resources and
to test the defaultbackend and nginx with curl commands.
PASS: Fresh install and verified nginx pods are running and
defaultbackend-amd64:1.5 is the image being used in default
backend.
Closes-bug: 1980355
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/848165
Change-Id: Ie23c811d8788feda563336af9a7c6a638d4ea862
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
The reference of the stx-nginx-ingress-controller-helm package to
unpack on the centos spec is wrong. If we change the RPM version,
the build fails.
TEST PLAN
PASS build-pkgs stx-nginx-ingress-controller-helm with version changed
Closes-Bug: 1978964
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ibdf432e48a770385209ee689e6d2d91de85336a4
With the upversion of k8s on the platform to 1.23.1, the
kubernetes-client we are using doesn't support getting the
admission-webhooks with the older v1beta1 version. This is a temporary
workaround to get backups working while we evaluate the upversion of the
kubernetes-client library for Stx.8.0.
TEST PLAN
PASS Run backup playbook, no errors
LOGS: https://paste.opendev.org/show/bJaMTRrEBdjwK4XwWm8l/
Closes-Bug: 1978346
Depends-On: https://review.opendev.org/c/starlingx/config/+/845372
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ic57a05d8151a5d498e2422ca53fc0306158d28dc
The helm v3 (FluxCD) release name needs to align with the previous helm
v2 (Armada) release name so that the migrated v2 release (from the helm
2to3 plugin) information allows the helm upgrade to succeed.
Test Plan:
NOTE: Release name change only impacts upgrades so testing only
performed with CentOS
PASS: Fresh install/provision of AIO-SX
PASS: stx 6.0 -> stx 7.0 app upgrade (upgrade-activation)
Change-Id: Icfd151b50d2bb748be5db1d22cd833bd29fee27f
Story: 2009138
Task: 45610
Signed-off-by: Robert Church <robert.church@windriver.com>
Add overrides to remove CPU request by nginx.
Test Plan:
PASS: Check CPU usage request using "kubectl describe node <nodename>"
Closes-Bug: 1977763
Change-Id: Ib54275914da6281edf140c92628aced728f685a1
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
When requests that are going through the stx ingress have big body size
the platform docker-lv is temporarily increasing its disk usage due to
a request body buffering on the container /tmp directory. Since the tmp
directory is not mounted to any kubernetes volume it is using the
container file system, limited to where containerd is installed [1].
To avoid docker-lv misuse and any related issue it would be interesting
to mount the controller /tmp directory on a kubernetes volume. It would
also be consistent with what is already done on some application
ingresses (e.g. stx-openstack ingress). This way we also keep consistent
documentation for operational procedures (e.g. instructing user on how
much to increase the lv available size for use cases that required huge
request body buffering).
TEST PLAN:
PASS: Build a stx-platform/ingress-nginx chart and apply it to the
system
PASS: Check that the nginx-ingress-controller pod is up and has its /tmp
directory correctly mounted to a kubernetes volume
PASS: Check that requests with body buffering are using the correct
platform kubelet-lv instead of docker-lv (stx-openstack scenario)
[1] https://opendev.org/starlingx/stx-puppet/src/branch/master/puppet-manifests/src/modules/platform/manifests/filesystem.pp#L264
Closes-Bug: 1973212
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: Ibb53255e3f533900afa2a1921f76f164bacae437
This commit switches ingress-nginx to use the fluxcd app by default on
Debian and also preserves the armada app on the build for future
tests.
TEST PLAN
PASS Build ISO and install, verify FluxCD is the app loaded
Story: 2009138
Task: 45483
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I029cf5dc1b68182cfec90dfe8f37fa3000f41577
Since on CentOS we are not packaging any armada resources for
nginx-ingress-controller anymore, this commit cleans up the armada
package generation leftovers from the source tree.
TEST PLAN
PASS Removed previous app and tarball
PASS Install new tarball and upload app
PASS Apply app
PASS Check resources created
PASS Debian build
Logs: https://paste.opendev.org/show/bStdjE4JMDpvCnSsQ8MB/
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I643260ac41d047ea2b58a285eb3ba634c2a2140d
Add the fluxcd app for ingress-nginx to the debian build.
Due to a change on the disposition of folder inside the fluxcd-manifests
folder, this was also checked on CentOS.
TEST PLAN
PASS Install new .deb and install FluxCD nginx
PASS Verify created resources
PASS Install .rpm and test on CentOS
PASS Verify created resources
Logs Debian: https://paste.opendev.org/show/bedUKQSoajNuKua6CGh4/
Logs CentOS: https://paste.opendev.org/show/bkFkgvKlgKopsh3tXTxn/
Story: 2009138
Task: 44473
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I3e04fcc1ec0a8392dcb0991d8e2a72fd81706ddc
This commit adds the images and tags for the images used by nginx
in order for the application framework to download them with sysinv
during 'system application-apply'
Test Cases:
PASS: Built application successfully
PASS: Application install successful and pods are Running
PASS: Check that sysinv logs show images being downloaded from
registry.local
Closes-Bug: 1971981
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/841789
Change-Id: I74b7c49ccb4ad87862831cbefcd5a66178b7521a
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
This commit renames the helm charts for the fluxcd application from
nginx-ingress to ingress-nginx. This keeps it consistent with the
armada version, for potential upgrade issues, and allows the ipfamily
overrides to be generated properly. It also adds an override for the
service name to keep it consistent with the armada helm chart, to
avoid any upgrade issues.
Story: 2009138
Task: 44452
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/838591
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Change-Id: I0e01214fd91387e313719685447624b0ff5fe7f7
The new version of nginx helm chart has ipFamily value set to IPv4 as
default. When the cluster is IPv6 the helm chart fails to be installed.
This code is adding a system_override to correctly set the ipFamily
according to the system in order to ensure that it works in both IPv4
and IPv6 environments.
This is also correcting a bad helm chart reference in fluxcd
helmrelease.yaml file.
Test Cases:
PASS: Apply app with system application-apply and check it properly
generates ipFamily override for that system (IPV4 or IPV6).
PASS: Apply app with system application-apply and check that it
runs successfully.
PASS: ISO built and installed successfully. Checked that nginx is
working.
PASS: Verify that the fluxcd app is also running.
PASS: Verify that the fluxcd app version is 1.1.1 and armada version
is 0.41.2
PASS: Manually copied the helm overrides generated by the helm plugin
to fluxcd system override and re-installed with success.
PASS: Verify that the app runs successfully in both IPv4 and IPv6
systems.
Story: 2009138
Task: 44697
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: I2187e5a1457d8417fd6bb6b61322fc2923413fd4
The fluxcd version of the app will be added to the debian package in
story 2009138 task 44473.
Test Cases:
PASS: Debian package is built successfully.
Story: 2009836
Task: 44604
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: If591edd61df3129a8447bb415bd38bf31b270ff4
This change updates only the fluxcd version of nginx to 1.1.1.
The armada version remains with version 0.41.2 and is also supported.
Test Cases:
PASS: Verify that there are no changes to the armada rpm generated
PASS: Verify that the armada version of app uses nginx 0.41.2
PASS: Run the rpm build and verify that two packages are generated:
stx-nginx-ingress-controller-helm-<version>.tis.noarch.rpm and
stx-nginx-ingress-controller-helm-fluxcd-<version>.tis.noarch.rpm
PASS: Install the new package with kustomize and verify that nginx pods
are deployed and running with success
PASS: Verify that the fluxcd version of the app uses nginx 1.1.1
Story: 2009836
Task: 44604
Change-Id: Icbabe97720eb7d0e8c8676ae2a18ec5afa62b053
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Add new manifest files to the nginx app to enable FluxCD support.
The new spec will now generate 2 rpms:
- the original one that contains the armada version of the nginx app
- a new one that contains the new FluxCD version of nginx app
The FluxCD archive will contain the following:
.
├── charts
│   └── ingress-nginx-3.10.1.tgz
├── checksum.md5
├── fluxcd-manifests
│   ├── base
│   │   ├── helmrepository.yaml
│   │   ├── kustomization.yaml
│   │   └── namespace.yaml
│   ├── kustomization.yaml
│   └── nginx-ingress
│       ├── helmrelease.yaml
│       ├── kustomization.yaml
│       ├── nginx-ingress-static-overrides.yaml
│       └── nginx-ingress-system-overrides.yaml
├── metadata.yaml
└── plugins
    └── k8sapp_nginx_ingress_controller-1.0-py2.py3-none-any.whl
The archive components are almost the same
as the armada components, only the armada manifest file
is replaced with the fluxcd-manifests directory.
Story: 2009138
Task: 44452
Change-Id: Iab30290a8889a2849e65e7b10869e97203a3bd34
Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
"src_path" replaces the "${SRC}/files/*" in dl_hook
"src_files" replaces the "${SRC}/manifests/*" in dl_hook
"dl_files" replaces the ${NGINX_PKG} in dl_hook
And move the extracting ${NGINX_PKG} into debian/rules
Story: 2009101
Task: 43746
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I51fb22d81c6cc475eab77f6e54f08248d981f219
Removing redundant py36 Zuul jobs since we now have py39 Zuul jobs in
place with the debian nodeset
Story: 2006796
Task: 43491
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: I1e1297e029741736cc355c472acc842270fccc97
A toleration needs to be added to all resources that create pods since
the node-role.kubernetes.io/master taint will be restored to all master
nodes. This ensures that the pods will run on the master node.
Tested in an AIO-SX by enabling the taint and:
- Deleting pods
- Performing an application update
- Removing and reinstalling the application
- Deleting the ValidatingWebhookConfiguration and reapplying the app
In every case mentioned the resources would come up again.
Story: 2009232
Task: 43343
Change-Id: Ide2ce4ac66f01da412822f6fc7d658da80de4f32
Signed-off-by: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
Due to a recent change in fm-api's directory structure, unit tests would
fail since the virtualenv would not be able to find fm-api/setup.py.
Adjust the tox.ini to point to the correct directory. Tested locally
by running tox.ini.
Depends-On: https://review.opendev.org/c/starlingx/fault/+/806046
Story: 2009101
Task: 43091
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I2b3260d086fb84595de38d5d71be3a44f22d6fb3
During backup it is required to delete the Nginx Ingress Controller
admission webhook configuration so that it doesn't block pods creation
during restore phase when the application is not fully up and running.
This is already being done automatically, but the webhook is not being
recreated.
The proposed solution is to use the lifecycle operator to set the nginx
ingress controller override and reapply the application, and with that
recreate the validating webhook after the backup and after the restore.
Note that if the validating webhook is not present before, it won't be
recreated. Also note that the override flag may be already populated
before, so this does a backup of it before setting a new value.
Tested on an AIO-SX by backing up and restoring the system
(with and without the validating webhook).
Closes-Bug: 1943835
Depends-on: https://review.opendev.org/c/starlingx/config/+/810434
Change-Id: If477b41a2fc94d8aa4e8d820b42aeb5644312f78
Signed-off-by: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
A lot of work has gone into making sure that StarlingX is python3
compatible. To ensure future compatibility, enable the python3
portability checks. Disable the checks that are raising errors.
Another set of commits will address the offending code.
Add following suppress warnings in pylint.rc:
- W1618: no-absolute-import
Story: 2006796
Task: 43226
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: I38b67515849b692e0b27cba217f2ef2eedc43940
Added python3.9 gate, tested by running tox locally and running
the zuul gate.
Story: 2009101
Task: 43162
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I4946d9b7b1657fc2e5b3657763ac0501d361892d
The pylint gate fails because the nodeset is not set,
set it to "ubuntu-xenial" since it runs on python2.7.
Story: 2009101
Task: 43164
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I79d97afa17866dd589176a5d6cbaaac49827bda9
Adds a lifecycle hook to migrate the user overrides
from the old chart name (nginx-ingress) into the new
one (ingress-nginx). The chart name was changed upstream
as part of a major refactor.
The lifecycle hook will listen to the pre apply event and
query the database for the overrides of the newest inactive
app (i.e. the previous version).
If it finds overrides and the version being installed does
not have overrides, the old ones will be migrated to the
new chart name.
Tested by performing an application-update from a version
before the chart name change to a version built with this hook.
Also tested a fresh install and upgrading from r4 to
master for SX and DX.
Closes-Bug: 1927003
Signed-off-by: Isac Souza <IsacSacchi.Souza@windriver.com>
Change-Id: Id328dd3bff79290d249d25e0875214c463cf76c1
This reverts commit 9189e5bc0ac06d44f0bda8ab70ba151b05349dca.
Reason for revert: Causes an ansible failure on fresh system install
Change-Id: I4f1263c2cf0957d3bb5e324b9ac7fdd8d5beda69
Adds a lifecycle hook to migrate the user overrides
from the old chart name (nginx-ingress) into the new
one (ingress-nginx). The chart name was changed upstream
as part of a major refactor.
The lifecycle hook will listen to the pre apply event and
query the database for the overrides of the newest inactive
app (i.e. the previous version).
If it finds overrides and the version being installed does
not have overrides, the old ones will be migrated to the
new chart name.
Tested by performing an application-update from a version
before the chart name change to a version built with this hook.
Also tested upgrading from r4 to master for SX and DX.
Closes-Bug: 1927003
Signed-off-by: Isac Souza <IsacSacchi.Souza@windriver.com>
Change-Id: I53083555868eac48143f4e744df73aa28ab03f85
Adds the required configuration to run Zuul on
reviews, including flake8, pylint, bandit and
unit tests.
Tested by running tox locally.
Partial-Bug: 1927003
Signed-off-by: Isac Souza <IsacSacchi.Souza@windriver.com>
Change-Id: I7906dbadc00693736dedc2f5ea88ed24f74345f7
The recent upversion of the nginx app
(https://review.opendev.org/c/starlingx/nginx-ingress-controller-armada-app/+/782326)
enabled the nginx admissionWebhook and this introduced an
issue in the restore procedure.
The proposed solution is to use the lifecycle operator to delete
the nginx admissionWebhook before the backup.
If we do this, the backup of the etcd database
will not have the nginx webhook and the restore will succeed.
Note that the solution implies a
deletion of a resource in the nginx app.
Because of this, there are some
procedural changes to the backup and restore
that the user must do:
- After backup completes the following steps must be done:
1. $ system helm-override-update nginx-ingress-controller ingress-nginx
kube-system --set controller.admissionWebhooks.enabled=true
2. reapply the nginx app to restore the admissionWebhook:
$ system application-apply nginx-ingress-controller
- After the whole restore procedure (i.e after all the nodes are
restored and unlocked, apps are in applied state
and 'system restore-complete' was executed)
the user must do the same steps as above to restore the nginx webhook:
1. $ system helm-override-update nginx-ingress-controller ingress-nginx
kube-system --set controller.admissionWebhooks.enabled=true
2. $ system application-apply nginx-ingress-controller
Depends-On: I61156db05970aa03c96ddc8533fdd4f4a680b334
Depends-On: I0ebab45f4846cbcd25fecac6bf99195d9047eb8a
Depends-On: I648e940f8104307e111213afd511f8fca19e39ab
Closes-Bug: 1923185
Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Change-Id: I9ca56329cfa353e7938a9fd8e94c50295c6a0778
This update includes removing the deprecated helm repo and previous
patches. This version is the last one that supports helm v2, and
implements nginx admission controller on port 5443 - avoiding conflict
with lighttpd.
Tested new version with cert-manager and Nodeinfo, making sure that new
routes were created when the application was manually updated, including
Openstack endpoints. Also tested with Platform Upgrade in Simplex and
Duplex deployments.
Story: 2008542
Task: 41636
Closes-Bug: #1902534
Signed-off-by: Regiani Iago <Lago.RodriguezRegiani@windriver.com>
Change-Id: I439ae16f0eb44b25c109d2a275121a60ae62c449
This reverts commit 437db6f68af305a1667a5ac5ec722d96a1c44c9c.
Reason for revert: This new version implements an admission controller that uses port 8443, conflicting with lighttpd. Reverting in order to change this port
Change-Id: I0a2c4d6ca5dddac30a0508b844dc40ab96d2a0ad
This update includes removing the deprecated helm repo and previous
patches. This version is the last one that supports helm v2.
Tested new version with cert-manager and Nodeinfo, making sure that new
routes were created when the application was manually updated, including
Openstack endpoints. Also tested with Platform Upgrade in Simplex and
Duplex deployments.
Story: 2008542
Task: 41636
Closes-Bug: #1902534
Signed-off-by: Regiani Iago <Lago.RodriguezRegiani@windriver.com>
Change-Id: I9e022ae58d75f179fce66829117d475e435c169c
Critical apps like this are prevented from being deleted or
removed.
Story: 2007960
Task: 42038
Depends-On: I93821965184d95a00fddd3398a1c214e3d730efa
Signed-off-by: Suvro Ghosh <suvrojeet.ghosh@windriver.com>
Change-Id: If6cd2967e3912d2aaf5e155f868b9417ed199457