Commit graph

3941 commits

Author SHA1 Message Date
Kenichi Omichi
bd4407199c
Add metrics_server_resizer option (#8018) (#8031)
The addon-resizer container can reduce resource limits of cpu and
memory of metrics-server container in the pod, and that caused
OOMKilled.
In addition, the original metrics-server manifest doesn't contain
the addon-resizer container as [1].
So this adds metrics_server_resizer option to control the addon-resizer
container deployment and the default value is false to make it stable
for most environments.

This is a cherry-pick of 8d3961edbe

[1]: 527679e5e8/manifests/base/deployment.yaml
2021-09-28 11:15:16 -07:00
Kenichi Omichi
6cfa3bbb22
Remove allowPrivilegeEscalation from metrics-server (#8014) (#8025)
"allowPrivilegeEscalation: false" blocks deploying metrics-server
on CentOS7. In addition, the original metrics-server manifest doesn't
contain it as [1]. This removes it.

[1]: 527679e5e8/manifests/base/deployment.yaml
2021-09-27 23:54:43 -07:00
Hari Hud
30cd91dc6b
Add option to kubeadm upgrade command to control certificates renewal during control plane upgrade (#7976)
* Add option to kubeadm upgrade command to control certificates renewal during control plane upgrade

* Remove training whitespace
2021-09-17 04:31:00 -07:00
Florian Ruynat
f2fa9c3b31 Update hashes with new versions 2021-09-17 00:39:02 -07:00
Florian Ruynat
30a7dfa4f8
Fix ubuntu16/centos8 CI jobs (#7972) 2021-09-16 23:39:01 -07:00
Samuel Liu
62ab477838
remove kube_proxy_conntrack_max var (#7971) 2021-09-15 08:22:31 -07:00
rtsp
f8a57f7598
Fix iptables missing on Debian 11 if APT::Install-Recommends=0 (#7964)
On Debian 11, `ipset` just recommend `iptables` so on the system that apt is configured with `APT::Install-Recommends "0";` iptables will not install automatically.
2021-09-14 08:19:09 -07:00
Bryan Hundven
35c928798d
Fix missing file mode (risky-file-permissions) (#7959)
* Fix missing file mode (risky-file-permissions)

Found this using ansible-lint.

Signed-off-by: Bryan Hundven <bryanhundven@gmail.com>

* Fix another missing file mode (risky-file-permissions)

This one fixes `/etc/crio/config.json`

Signed-off-by: Bryan Hundven <bryanhundven@gmail.com>
2021-09-09 23:35:59 -07:00
jhchong92
83f64a7ff9
Bugfix/cinder csi cloud config template (#7955)
* Fix invalid condition for username and password inclusion

* Use length filter to test variable conditions
2021-09-09 10:04:11 -07:00
Florian Ruynat
60853fa682 Update kube-ovn to 1.7.2 2021-09-09 08:14:10 -07:00
Florian Ruynat
b66356be65 Update cilium to 1.9.10 2021-09-09 08:14:10 -07:00
jhchong92
efae2dbad6
Update snapshot-controller repository and image versions (#7957) 2021-09-09 08:10:11 -07:00
jhchong92
bd8b8916a8
Remove invalid spec - deployment.spec.serviceName (#7949) 2021-09-08 13:05:56 -07:00
jhchong92
57063b6828
Replace incorrect {% end %} tags with {% endif %} in csi_crd templates (#7947) 2021-09-08 12:59:57 -07:00
Ole Mathias Aa. Heggem
69b67a293a
Calico: Add kube_service_addresses_ipv6 to serviceClusterIPs (#7889) (#7944)
Add IPv6 Service Addresses to BGP advertisement when 
calico_advertise_cluster_ips is true.
2021-09-08 00:37:20 -07:00
Cristian Calin
d57ddf0be8
Feature DynamicKubeletConfig is deprecated in 1.22 and will not move to GA (#7938)
* Feature DynamicKubeletConfig is deprecated in 1.22 and will not move to GA

* Add check for dynamic_kubelet_configuration with kube >= 1.22
2021-09-07 10:47:16 -07:00
Cristian Calin
43e7e2d663
nginx-ingress: bump to 1.0.0 to support kube 1.22 (#7942) 2021-09-06 04:50:36 -07:00
Cristian Calin
d355b43dce
ContainerD: bump containerd version to 1.4.9 (#7940) 2021-09-06 04:50:29 -07:00
Cristian Calin
5d52025266
crictl: add hashes for 1.22 (#7936) 2021-09-06 04:46:29 -07:00
Cristian Calin
db470f8529
Update CSI snaphotter and make it independent (#7943)
* CSI: update CSI snapshot CRDs

* CSI: update snapshot controller tag version with kubernetes specific versions

* CSI: allow enabling csi_snapshot_controller independent of Cinder CSI

* CSI: Align csi-snapshot-controller with upstream and use a Deployment instead of a StatefulSet
2021-09-06 04:24:29 -07:00
kranthi guttikonda
81bf4f9304
cri-o registry auth support (#7837)
* cri-o registry auth support

* yaml lint for comments

* crio_registry_auth from registry_auth

* crio_registry_auth as defaults
2021-09-01 10:20:59 -07:00
Maciej Wereski
e1967b0700
MetalLB: keep nodeSelector in one place (#7931)
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
2021-09-01 09:05:00 -07:00
Olivier Lemasle
507091ec8b
Replace cluster_name by dns_domain (#7923)
`cluster_name` defaults to `dns_domain` value (see [here][1] and [here][2])
but they could have different values.

`dns_domain` should be used here instead of `cluster_name` because the DNS
resolution is configured to use `dns_domain`.

[1]: 0ef7af76bc/roles/kubespray-defaults/defaults/main.yaml (L104)
[2]: 1afdb05ea9/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml (L196)
2021-09-01 08:18:59 -07:00
Maciej Wereski
48ceca4919
MetalLB: update to v0.10.2 (#7925)
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
2021-09-01 03:00:59 -07:00
Cristian Calin
426ad81db0
Calico: replace hashes for latest 3.17 and 3.18 to the .5 minor versions (#7924) 2021-08-31 13:38:21 -07:00
Olivier Lemasle
497d2ca306
Fix Calico's FelixConfiguration when "IP in IP" is disabled (#7926)
When using Calico with:

- `calico_network_backend: vxlan`,
- `calico_ipip_mode: "Never"`,
- `calico_vxlan_mode: "Always"`,

the `FelixConfiguration` object has `ipipEnabled: true`, when it should be false:

This is caused by an error in the `| bool` conversion in the install task:
when `calico_ipip_mode` is `Never`,
`{{ calico_ipip_mode != 'Never' | bool }}` evaluates to `true`:
2021-08-31 13:14:21 -07:00
Calvin Park
9d3888a756
During pre-upgrade add a flag to always cordon (#7892)
* During pre-upgrade add a flag to always cordon

* empty

* empty

* empty

* Better default val
2021-08-30 10:56:09 -07:00
rtsp
c8e090c17f
Add preliminary Debian 11 (bullseye) support (#7853)
- Use python3-apt instead because python-apt was removed in Debian 11
- Add gnupg (fix "container-engine/containerd : ensure containerd repository public key is installed" task failed)
- Remove aufs-tools

Signed-off-by: rtsp <git@rtsp.us>
2021-08-30 09:53:06 -07:00
Florian Ruynat
1ccf32e08f
Update docker to 20.10.8 (#7918) 2021-08-30 08:25:06 -07:00
Florian Ruynat
17af348be8 Add bunch of Kubernetes versions missing 2021-08-30 08:17:05 -07:00
Cristian Calin
1afdb05ea9
Fedora and RHEL use etc_t and the convention is <type_name>_t (#7891)
* Fedora and RHEL use etc_t and the convention is <type_name>_t

* Docs: specify all values for preinstall_selinux_state

* CI: Add Fedora 34 with SELinux in enforcing mode
2021-08-27 14:20:53 -07:00
Sergey
89993e4833
fix error metrics server capabilities name (#7905) 2021-08-25 12:06:15 -07:00
Cristian Calin
1c3d33e146
Calico: 3.20.0 policy update to allow access to endpointslices (#7899) 2021-08-25 12:06:01 -07:00
Cristian Calin
f66c49bf42
Calico: replace version 3.19.1 with 3.19.2 and set as default (#7867)
Bump calico version to 3.19.2 due to adding 3.20.0 earlier
2021-08-25 07:32:41 -07:00
rtsp
4c9d7dedb3
addons/cert_manager: retries until webhook pods has been created (#7850)
Fix task 'Cert Manager | Wait for Webhook pods become ready' failed due to webhook pods don't exist yet by using `retries..until` trick like kubernetes-sigs/kubespray#7842

This fix should be removed in the future if the kubernetes/kubernetes#83242 is resolved.

Signed-off-by: rtsp <git@rtsp.us>
2021-08-25 07:16:41 -07:00
Sergey
5336943a8c
add cilium_operator_api_serve_addr to cilium operator config (#7901) 2021-08-24 03:49:13 -07:00
Samuel
a040e521b4
feat(containerd): auth support (#7868)
* feat(containerd): auth support

* fix(registry-auth): rename variable
2021-08-23 06:40:00 -07:00
Cristian Calin
0ac364dfae
Calico: use --allow-version-mismatch in calicoctl.sh to allow upgrades (#7873) 2021-08-20 14:30:48 -07:00
rtsp
79166496f3
debian: Fix test failed after bullseye release (#7888) 2021-08-19 15:37:24 -07:00
Frank Ritchie
1f09229740
Update cilium to 1.9.9 (#7871)
Now that 1.10 is out this is to make 1.9.9 the default. I am running
this version successfully.
2021-08-16 13:34:22 -07:00
Léopold Jacquot
c06896a352
Update metrics-server to 0.5.0 (#7864) 2021-08-12 08:19:48 -07:00
Cristian Calin
c119620f7c
Calico: add v3.20.0 hashes (#7855) 2021-08-11 07:50:46 -07:00
Daniil Muidinov
7f309bb092
fix parameters for module replace in 0060-resolvconf (#7858) 2021-08-10 17:13:26 -07:00
Eugene Artemenko
e2b67b5700
Add suport of Vsphere CSI driver 2.2.X versions (#7848) 2021-08-09 08:19:38 -07:00
rtsp
82a9064d8d
addons/cert_manager: fix kubernetes-sigs#7085 by adding retries..until (#7842)
Fix task 'Cert Manager | Apply ClusterIssuer manifest' failed due to service/endpoints updating delayed even though the wekhook pod status is ready.

Signed-off-by: rtsp <git@rtsp.us>
2021-08-09 08:19:31 -07:00
Victor Morales
a70fab2249
Bump crun to 0.21 version (#7854) 2021-08-09 08:11:31 -07:00
Smita Srivastava
31a5a4e808
retry to fetch binary if it fails first time (#7839) 2021-07-30 00:17:38 -07:00
Vitaliy D
5db86f4c2b
Update vSphere CPI (#7838)
Changes:
  * ClusterRole updated according to the latest manifests from
    https://github.com/kubernetes/cloud-provider-vsphere
  * vSphere CPI/CSI default versions bumped and
    tested successfully on K8S 1.21.1
  * vSphere documentation updated

Signed-off-by: Vitaliy D <vi7alya@gmail.com>
2021-07-29 18:17:37 -07:00
AnatomicJC
627a06e30d
CRI-O: Install libseccomp2 from backports on Debian 10 (#7816)
* CRI-O: Install libseccomp2 from backports on Debian 10

libseccomp2 is a required dependency of cri-o-runc package

The one provided in Debian 10 repositories is outdated

* 7816: Remove useless when condition

As this condition is handled by block
2021-07-23 07:07:16 -07:00
Kenichi Omichi
56e230863a
Separate gvisor_download_url for runsc and shim (#7760)
To download necessary files in advance for offline deployment,
we can see all file URLs with contrib/offline/generate_list.sh
Most URLs are downloadable, but gvisor's one is not because the
URL is a part of full URLs for gvisor.
To download gvisor's files from the URLs directory, this separates
into two URLs for runsc and the shim.
2021-07-22 07:51:51 -07:00