Hello community, here is the log from the commit of package kubernetes-salt for openSUSE:Factory checked in at 2018-03-26 13:06:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kubernetes-salt (Old) and /work/SRC/openSUSE:Factory/.kubernetes-salt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kubernetes-salt" Mon Mar 26 13:06:58 2018 rev:8 rq:590602 version:3.0.0+git_r666_603e9dc Changes: -------- --- /work/SRC/openSUSE:Factory/kubernetes-salt/kubernetes-salt.changes 2018-03-22 12:12:13.138400408 +0100 +++ /work/SRC/openSUSE:Factory/.kubernetes-salt.new/kubernetes-salt.changes 2018-03-26 13:07:02.288772975 +0200 @@ -1,0 +2,52 @@ +Thu Mar 22 16:53:56 UTC 2018 - containers-bugow...@suse.de + +- Commit 0901ff0 by Kiall Mac Innes ki...@macinnes.ie + Increase Kube-DNS replicas to 3 + + Having only a single Kube-DNS replica means that, during upgrades or other + failure scenarios, Kube-DNS will not be functional. A value of 3 matches what + we use for Dex. + + Commit 2c42773 by Kiall Mac Innes ki...@macinnes.ie + Dex should not have cluster-admin + + Dex does not require cluster admin access. Instead, it should use a new role + defined with just the permissions Dex requires. + + Commit 38e654d by Kiall Mac Innes ki...@macinnes.ie + Kube-DNS should not have cluster-admin + + Kubernetes DNS service does not require cluster admin access. Instead, it + should use the build in system:kube-dns role. + + Commit 9dec359 by Kiall Mac Innes ki...@macinnes.ie + Remove duplicated Dex ClusterRoleBinding + + The ClusterRoleBinding's for Dex were duplicated - this removes the extra + copy. + + Commit 0aebc0d by Kiall Mac Innes ki...@macinnes.ie + Match addons/{dns,tiller} patterns to addons/dex + + This pattern is cleaner, and lets Kubernetes do more of the hard work related + to applying and updating manifests changes. This will be further extended to + CNI/flannel soon. + + +------------------------------------------------------------------- +Thu Mar 22 11:54:08 UTC 2018 - containers-bugow...@suse.de + +- Commit 3b3f0ae by Rafael Fernández López eresli...@ereslibre.es + Refresh modules before we call to any `sls`, they might use undiscovered + modules + + Commit 8b49308 by Rafael Fernández López eresli...@ereslibre.es + When we explicitly run `haproxy` sls in the update, run `etc-hosts` too. + + During a rename, it might happen that `haproxy` refuses to start because it + cannot resolve the new names `nodename.infra.caasp.local` in the + configuration because its + `/etc/hosts` file hasn't been updated yet. + + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kubernetes-salt.spec ++++++ --- /var/tmp/diff_new_pack.nF9Tw8/_old 2018-03-26 13:07:04.420696334 +0200 +++ /var/tmp/diff_new_pack.nF9Tw8/_new 2018-03-26 13:07:04.424696190 +0200 @@ -32,7 +32,7 @@ Name: kubernetes-salt %define gitrepo salt -Version: 3.0.0+git_r657_c294782 +Version: 3.0.0+git_r666_603e9dc Release: 0 BuildArch: noarch Summary: Production-Grade Container Scheduling and Management ++++++ master.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/pillar/params.sls new/salt-master/pillar/params.sls --- old/salt-master/pillar/params.sls 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/pillar/params.sls 2018-03-22 17:53:50.000000000 +0100 @@ -46,7 +46,7 @@ dns: cluster_ip: '172.24.0.2' domain: 'cluster.local' - replicas: '1' + replicas: '3' # user and group for running services and some other stuff... kube_user: 'kube' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dex/manifests/05-clusterrole.yaml new/salt-master/salt/addons/dex/manifests/05-clusterrole.yaml --- old/salt-master/salt/addons/dex/manifests/05-clusterrole.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/dex/manifests/05-clusterrole.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,12 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: suse:caasp:dex +rules: +- apiGroups: ["dex.coreos.com"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dex/manifests/10-clusterrolebinding.yaml new/salt-master/salt/addons/dex/manifests/10-clusterrolebinding.yaml --- old/salt-master/salt/addons/dex/manifests/10-clusterrolebinding.yaml 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/dex/manifests/10-clusterrolebinding.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -4,25 +4,25 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: suse:caasp:dex +roleRef: + kind: ClusterRole + name: suse:caasp:dex + apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: dex namespace: kube-system -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io --- # Map the LDAP Administrators group to the Kubernetes cluster-admin role kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: suse:caasp:ldap-administrators -subjects: -- kind: Group - name: "{{ pillar['ldap']['admin_group_name'] }}" - apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io +subjects: +- kind: Group + name: "{{ pillar['ldap']['admin_group_name'] }}" + apiGroup: rbac.authorization.k8s.io diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dex/manifests/10-rrolebinding.yaml new/salt-master/salt/addons/dex/manifests/10-rrolebinding.yaml --- old/salt-master/salt/addons/dex/manifests/10-rrolebinding.yaml 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/dex/manifests/10-rrolebinding.yaml 1970-01-01 01:00:00.000000000 +0100 @@ -1,28 +0,0 @@ ---- -# Map the Dex SA to the Kubernetes cluster-admin role -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: suse:caasp:dex -subjects: -- kind: ServiceAccount - name: dex - namespace: kube-system -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io ---- -# Map the LDAP Administrators group to the Kubernetes cluster-admin role -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: suse:caasp:ldap-administrators -subjects: -- kind: Group - name: "{{ pillar['ldap']['admin_group_name'] }}" - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/init.sls new/salt-master/salt/addons/dns/init.sls --- old/salt-master/salt/addons/dns/init.sls 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/dns/init.sls 2018-03-22 17:53:50.000000000 +0100 @@ -4,11 +4,11 @@ - kube-apiserver - kubectl-config -{% from '_macros/kubectl.jinja' import kubectl, kubectl_apply_template with context %} +{% from '_macros/kubectl.jinja' import kubectl, kubectl_apply_dir_template with context %} -{{ kubectl_apply_template("salt://addons/dns/kubedns.yaml.jinja", - "/etc/kubernetes/addons/kubedns.yaml", - check_cmd="kubectl get deploy kube-dns -n kube-system | grep kube-dns") }} + +{{ kubectl_apply_dir_template("salt://addons/dns/manifests/", + "/etc/kubernetes/addons/dns/") }} # TODO: Transitional code, remove for CaaSP v4 {{ kubectl("remove-old-kube-dns-clusterrolebinding", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/kubedns-sa.yaml new/salt-master/salt/addons/dns/kubedns-sa.yaml --- old/salt-master/salt/addons/dns/kubedns-sa.yaml 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/dns/kubedns-sa.yaml 1970-01-01 01:00:00.000000000 +0100 @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-dns - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/kubedns.yaml.jinja new/salt-master/salt/addons/dns/kubedns.yaml.jinja --- old/salt-master/salt/addons/dns/kubedns.yaml.jinja 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/dns/kubedns.yaml.jinja 1970-01-01 01:00:00.000000000 +0100 @@ -1,203 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-dns - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: suse:caasp:kube-dns -subjects: -- kind: ServiceAccount - name: kube-dns - namespace: kube-system -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: apps/v1beta2 -kind: Deployment -metadata: - name: kube-dns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" -spec: - replicas: {{ pillar['dns']['replicas'] }} - strategy: - rollingUpdate: - maxSurge: 10% - maxUnavailable: 0 - selector: - matchLabels: - k8s-app: kube-dns - template: - metadata: - labels: - k8s-app: kube-dns - annotations: - scheduler.alpha.kubernetes.io/critical-pod: '' - spec: - tolerations: - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - - key: "CriticalAddonsOnly" - operator: "Exists" - volumes: - - name: kube-dns-config - configMap: - name: kube-dns - containers: - - name: kubedns - image: sles12/kubedns:1.0.0 - resources: - # TODO: Set memory limits when we've profiled the container for large - # clusters, then set request = limit to keep this container in - # guaranteed class. Currently, this container falls into the - # "burstable" category so the kubelet doesn't backoff from restarting it. - limits: - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - livenessProbe: - httpGet: - path: /healthcheck/kubedns - port: 10054 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /readiness - port: 8081 - scheme: HTTP - # we poll on pod startup for the Kubernetes master service and - # only setup the /readiness HTTP server once that's available. - initialDelaySeconds: 3 - timeoutSeconds: 5 - args: - - --domain={{ pillar['dns']['domain'] }} - - --dns-port=10053 - - --config-dir=/kube-dns-config - - --v=2 - env: - - name: PROMETHEUS_PORT - value: "10055" - ports: - - containerPort: 10053 - name: dns-local - protocol: UDP - - containerPort: 10053 - name: dns-tcp-local - protocol: TCP - - containerPort: 10055 - name: metrics - protocol: TCP - volumeMounts: - - name: kube-dns-config - mountPath: /kube-dns-config - - name: dnsmasq - image: sles12/dnsmasq-nanny:1.0.0 - livenessProbe: - httpGet: - path: /healthcheck/dnsmasq - port: 10054 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - args: - - -v=2 - - -logtostderr - - -configDir=/etc/k8s/dns/dnsmasq-nanny - - -restartDnsmasq=true - - -- - - -k - - --cache-size=1000 - - --log-facility=- - - --server=/{{ pillar['dns']['domain'] }}/127.0.0.1#10053 - - --server=/in-addr.arpa/127.0.0.1#10053 - - --server=/ip6.arpa/127.0.0.1#10053 - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - # see: https://github.com/kubernetes/kubernetes/issues/29055 for details - resources: - requests: - cpu: 150m - memory: 20Mi - volumeMounts: - - name: kube-dns-config - mountPath: /etc/k8s/dns/dnsmasq-nanny - - name: sidecar - image: sles12/sidecar:1.0.0 - livenessProbe: - httpGet: - path: /metrics - port: 10054 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - args: - - --v=2 - - --logtostderr - - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{ pillar['dns']['domain'] }},5,A - - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{ pillar['dns']['domain'] }},5,A - ports: - - containerPort: 10054 - name: metrics - protocol: TCP - resources: - requests: - memory: 20Mi - cpu: 10m - dnsPolicy: Default # Don't use cluster DNS. - serviceAccountName: kube-dns - ---- -apiVersion: v1 -kind: Service -metadata: - name: kube-dns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "KubeDNS" -spec: - selector: - k8s-app: kube-dns - clusterIP: {{ pillar['dns']['cluster_ip'] }} - ports: - - name: dns - port: 53 - protocol: UDP - - name: dns-tcp - port: 53 - protocol: TCP - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kube-dns - namespace: kube-system diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/manifests/05-serviceaccount.yaml new/salt-master/salt/addons/dns/manifests/05-serviceaccount.yaml --- old/salt-master/salt/addons/dns/manifests/05-serviceaccount.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/dns/manifests/05-serviceaccount.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-dns + namespace: kube-system + labels: + kubernetes.io/cluster-service: "true" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/manifests/10-clusterrolebinding.yaml new/salt-master/salt/addons/dns/manifests/10-clusterrolebinding.yaml --- old/salt-master/salt/addons/dns/manifests/10-clusterrolebinding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/dns/manifests/10-clusterrolebinding.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,13 @@ +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: suse:caasp:kube-dns +roleRef: + kind: ClusterRole + name: system:kube-dns + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: kube-dns + namespace: kube-system diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/manifests/15-configmap.yaml new/salt-master/salt/addons/dns/manifests/15-configmap.yaml --- old/salt-master/salt/addons/dns/manifests/15-configmap.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/dns/manifests/15-configmap.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-dns + namespace: kube-system diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/manifests/20-deployment.yaml new/salt-master/salt/addons/dns/manifests/20-deployment.yaml --- old/salt-master/salt/addons/dns/manifests/20-deployment.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/dns/manifests/20-deployment.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,151 @@ +--- +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: kube-dns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" +spec: + replicas: {{ pillar['dns']['replicas'] }} + strategy: + rollingUpdate: + maxSurge: 10% + maxUnavailable: 0 + selector: + matchLabels: + k8s-app: kube-dns + template: + metadata: + labels: + k8s-app: kube-dns + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + - key: "CriticalAddonsOnly" + operator: "Exists" + volumes: + - name: kube-dns-config + configMap: + name: kube-dns + containers: + - name: kubedns + image: sles12/kubedns:1.0.0 + resources: + # TODO: Set memory limits when we've profiled the container for large + # clusters, then set request = limit to keep this container in + # guaranteed class. Currently, this container falls into the + # "burstable" category so the kubelet doesn't backoff from restarting it. + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + livenessProbe: + httpGet: + path: /healthcheck/kubedns + port: 10054 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /readiness + port: 8081 + scheme: HTTP + # we poll on pod startup for the Kubernetes master service and + # only setup the /readiness HTTP server once that's available. + initialDelaySeconds: 3 + timeoutSeconds: 5 + args: + - --domain={{ pillar['dns']['domain'] }} + - --dns-port=10053 + - --config-dir=/kube-dns-config + - --v=2 + env: + - name: PROMETHEUS_PORT + value: "10055" + ports: + - containerPort: 10053 + name: dns-local + protocol: UDP + - containerPort: 10053 + name: dns-tcp-local + protocol: TCP + - containerPort: 10055 + name: metrics + protocol: TCP + volumeMounts: + - name: kube-dns-config + mountPath: /kube-dns-config + - name: dnsmasq + image: sles12/dnsmasq-nanny:1.0.0 + livenessProbe: + httpGet: + path: /healthcheck/dnsmasq + port: 10054 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + args: + - -v=2 + - -logtostderr + - -configDir=/etc/k8s/dns/dnsmasq-nanny + - -restartDnsmasq=true + - -- + - -k + - --cache-size=1000 + - --log-facility=- + - --server=/{{ pillar['dns']['domain'] }}/127.0.0.1#10053 + - --server=/in-addr.arpa/127.0.0.1#10053 + - --server=/ip6.arpa/127.0.0.1#10053 + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + # see: https://github.com/kubernetes/kubernetes/issues/29055 for details + resources: + requests: + cpu: 150m + memory: 20Mi + volumeMounts: + - name: kube-dns-config + mountPath: /etc/k8s/dns/dnsmasq-nanny + - name: sidecar + image: sles12/sidecar:1.0.0 + livenessProbe: + httpGet: + path: /metrics + port: 10054 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + args: + - --v=2 + - --logtostderr + - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{ pillar['dns']['domain'] }},5,A + - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{ pillar['dns']['domain'] }},5,A + ports: + - containerPort: 10054 + name: metrics + protocol: TCP + resources: + requests: + memory: 20Mi + cpu: 10m + dnsPolicy: Default # Don't use cluster DNS. + serviceAccountName: kube-dns diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/dns/manifests/25-service.yaml new/salt-master/salt/addons/dns/manifests/25-service.yaml --- old/salt-master/salt/addons/dns/manifests/25-service.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/dns/manifests/25-service.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: kube-dns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "KubeDNS" +spec: + selector: + k8s-app: kube-dns + clusterIP: {{ pillar['dns']['cluster_ip'] }} + ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/init.sls new/salt-master/salt/addons/tiller/init.sls --- old/salt-master/salt/addons/tiller/init.sls 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/tiller/init.sls 2018-03-22 17:53:50.000000000 +0100 @@ -4,11 +4,10 @@ - kube-apiserver - kubectl-config -{% from '_macros/kubectl.jinja' import kubectl, kubectl_apply_template with context %} +{% from '_macros/kubectl.jinja' import kubectl, kubectl_apply_dir_template with context %} -{{ kubectl_apply_template("salt://addons/tiller/tiller.yaml.jinja", - "/etc/kubernetes/addons/tiller.yaml", - check_cmd="kubectl get deploy tiller-deploy -n kube-system | grep tiller-deploy") }} +{{ kubectl_apply_dir_template("salt://addons/tiller/manifests/", + "/etc/kubernetes/addons/tiller/") }} # TODO: Transitional code, remove for CaaSP v4 {{ kubectl("remove-old-tiller-clusterrolebinding", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/manifests/05-clusterrole.yaml new/salt-master/salt/addons/tiller/manifests/05-clusterrole.yaml --- old/salt-master/salt/addons/tiller/manifests/05-clusterrole.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/tiller/manifests/05-clusterrole.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,18 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: suse:caasp:tiller-user +rules: +- apiGroups: + - "" + resources: + - pods/portforward + verbs: + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/manifests/05-serviceaccount.yaml new/salt-master/salt/addons/tiller/manifests/05-serviceaccount.yaml --- old/salt-master/salt/addons/tiller/manifests/05-serviceaccount.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/tiller/manifests/05-serviceaccount.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tiller + namespace: kube-system + labels: + kubernetes.io/cluster-service: "true" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/manifests/10-clusterrolebinding.yaml new/salt-master/salt/addons/tiller/manifests/10-clusterrolebinding.yaml --- old/salt-master/salt/addons/tiller/manifests/10-clusterrolebinding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/tiller/manifests/10-clusterrolebinding.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,13 @@ +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: suse:caasp:tiller +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: tiller + namespace: kube-system diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/manifests/20-deployment.yaml new/salt-master/salt/addons/tiller/manifests/20-deployment.yaml --- old/salt-master/salt/addons/tiller/manifests/20-deployment.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/tiller/manifests/20-deployment.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,58 @@ +--- +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app: helm + name: tiller + kubernetes.io/cluster-service: "true" + name: tiller-deploy + namespace: kube-system +spec: + selector: + matchLabels: + app: helm + name: tiller + strategy: {} + template: + metadata: + creationTimestamp: null + labels: + app: helm + name: tiller + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + - key: "CriticalAddonsOnly" + operator: "Exists" + containers: + - env: + - name: TILLER_NAMESPACE + value: kube-system + image: sles12/tiller:2.7.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /liveness + port: 44135 + initialDelaySeconds: 1 + timeoutSeconds: 1 + name: tiller + ports: + - containerPort: 44134 + name: tiller + readinessProbe: + httpGet: + path: /readiness + port: 44135 + initialDelaySeconds: 1 + timeoutSeconds: 1 + resources: {} + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: tiller diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/manifests/25-service.yaml new/salt-master/salt/addons/tiller/manifests/25-service.yaml --- old/salt-master/salt/addons/tiller/manifests/25-service.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/salt-master/salt/addons/tiller/manifests/25-service.yaml 2018-03-22 17:53:50.000000000 +0100 @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: helm + name: tiller + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "Tiller" + name: tiller + namespace: kube-system +spec: + type: ClusterIP + ports: + - name: tiller + port: 44134 + targetPort: tiller + selector: + app: helm + name: tiller diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/addons/tiller/tiller.yaml.jinja new/salt-master/salt/addons/tiller/tiller.yaml.jinja --- old/salt-master/salt/addons/tiller/tiller.yaml.jinja 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/addons/tiller/tiller.yaml.jinja 1970-01-01 01:00:00.000000000 +0100 @@ -1,125 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tiller - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: suse:caasp:tiller -subjects: -- kind: ServiceAccount - name: tiller - namespace: kube-system -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: suse:caasp:tiller-user -rules: -- apiGroups: - - "" - resources: - - pods/portforward - verbs: - - create -- apiGroups: - - "" - resources: - - pods - verbs: - - list - ---- -apiVersion: apps/v1beta2 -kind: Deployment -metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - kubernetes.io/cluster-service: "true" - name: tiller-deploy - namespace: kube-system -spec: - selector: - matchLabels: - app: helm - name: tiller - strategy: {} - template: - metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - annotations: - scheduler.alpha.kubernetes.io/critical-pod: '' - spec: - tolerations: - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - - key: "CriticalAddonsOnly" - operator: "Exists" - containers: - - env: - - name: TILLER_NAMESPACE - value: kube-system - image: sles12/tiller:2.7.2 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /liveness - port: 44135 - initialDelaySeconds: 1 - timeoutSeconds: 1 - name: tiller - ports: - - containerPort: 44134 - name: tiller - readinessProbe: - httpGet: - path: /readiness - port: 44135 - initialDelaySeconds: 1 - timeoutSeconds: 1 - resources: {} - nodeSelector: - beta.kubernetes.io/os: linux - serviceAccountName: tiller -status: {} - ---- -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - app: helm - name: tiller - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "Tiller" - name: tiller - namespace: kube-system -spec: - ports: - - name: tiller - port: 44134 - targetPort: tiller - selector: - app: helm - name: tiller - type: ClusterIP -status: - loadBalancer: {} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/haproxy/init.sls new/salt-master/salt/haproxy/init.sls --- old/salt-master/salt/haproxy/init.sls 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/haproxy/init.sls 2018-03-22 17:53:50.000000000 +0100 @@ -53,7 +53,7 @@ # Send a SIGTERM to haproxy when the config changes # TODO: There should be a better way to handle this, but currently, there is not. See # kubernetes/kubernetes#24957 -haproxy_restart: +haproxy-restart: cmd.run: - name: |- haproxy_id=$(docker ps | grep -E "k8s_haproxy.*_kube-system_" | awk '{print $1}') @@ -68,10 +68,12 @@ {% if "admin" in salt['grains.get']('roles', []) %} # The admin node is serving the internal API with the pillars. Wait for it to come back # before going on with the orchestration/highstates. -wait_for_haproxy: - cmd.run: - - name: |- - until $(docker ps | grep -E "k8s_haproxy.*_kube-system_" &> /dev/null); do - sleep 1 - done +wait-for-haproxy: + http.wait_for_successful_query: + - name: https://localhost:444/internal-api/v1/pillar.json + - wait_for: 300 + - status: 401 + - verify_ssl: False + - onchanges: + - haproxy-restart {% endif %} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/salt-master/salt/orch/update.sls new/salt-master/salt/orch/update.sls --- old/salt-master/salt/orch/update.sls 2018-03-21 18:10:02.000000000 +0100 +++ new/salt-master/salt/orch/update.sls 2018-03-22 17:53:50.000000000 +0100 @@ -1,11 +1,3 @@ -admin-apply-haproxy: - salt.state: - - tgt: 'roles:admin' - - tgt_type: grain - - batch: 1 - - sls: - - haproxy - # Ensure all nodes with updates are marked as upgrading. This will reduce the time window in which # the update-etc-hosts orchestration can run in between machine restarts. set-update-grain: @@ -17,39 +9,33 @@ - update_in_progress - true -# Generate sa key (we should refactor this as part of the ca highstate along with its counterpart -# in orch/kubernetes.sls) -generate-sa-key: - salt.state: - - tgt: 'roles:ca' - - tgt_type: grain - - sls: - - kubernetes-common.generate-serviceaccount-key - # Generic Updates sync-pillar: salt.runner: - name: saltutil.sync_pillar + - require: + - set-update-grain update-pillar: salt.function: - tgt: '*' - name: saltutil.refresh_pillar - require: - - generate-sa-key + - sync-pillar update-grains: salt.function: - tgt: '*' - name: saltutil.refresh_grains + - require: + - update-pillar update-mine: salt.function: - tgt: '*' - name: mine.update - require: - - update-pillar - - update-grains + - update-grains update-modules: salt.function: @@ -60,13 +46,35 @@ - require: - update-mine +# Generate sa key (we should refactor this as part of the ca highstate along with its counterpart +# in orch/kubernetes.sls) +generate-sa-key: + salt.state: + - tgt: 'roles:ca' + - tgt_type: grain + - sls: + - kubernetes-common.generate-serviceaccount-key + - require: + - update-modules + +admin-apply-haproxy: + salt.state: + - tgt: 'roles:admin' + - tgt_type: grain + - batch: 1 + - sls: + - etc-hosts + - haproxy + - require: + - generate-sa-key + admin-setup: salt.state: - tgt: 'roles:admin' - tgt_type: grain - highstate: True - require: - - update-modules + - admin-apply-haproxy # Perform any migrations necessary before starting the update orchestration. All services and # machines should be running and we can migrate some data on the whole cluster and then proceed