Merge branch 'main' into fix/upgrade-check-more-logs

.github/pull_request_template.md

@@ -42,6 +42,7 @@ Results:
 ### Checklist
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation
+- [ ] There is no breaking changes, or migration patch is provided
 - [ ] Integration CI passed
 - [ ] Unit tests. If Yes list of new/changed tests with brief description
 - [ ] There is no merge conflicts

README.md

@@ -33,6 +33,20 @@ Kubemarine is an open source, lightweight and powerful management tool built for
 - Package extension with [open extension API](documentation/PackageExtension.md)
 - Support different deployment schemes (all-in-one, mini-HA, HA, and so on)
 
+## Repository structure
+
+There are following key locations in the repository
+
+| Paths | Description |
+| ----- | ----------- |
+| `.github/workflows/`, `ci/` | Contain GitHub Actions configuration which runs unit/integration tests, builds/publishes artifacts, etc |
+| `documentation/`, `examples/`, `README.md` | Contain documentation and examples |
+| `kubemarine/` | Contains source code for KubeMarine python package |
+| `test/` | Contains tests |
+| `bin/`, `scripts/ci/` | Contains auxiliary scripts used during KubeMarine build |
+| `scripts/thirdparties/` | Contains auxiliary script used to update KubeMarine thirdparties versions | 
+| `Dockerfile`, `kubemarine.spec`, `MANIFEST.in`, `pyproject.toml`, `requirements-pyinstaller.txt`, `setup.py` | Different files used to build KubeMarine artifacts (image, binaries, package) |
+
 ## Kubemarine Binary Installation
 Proceed the following steps to install Kubemarine  on your environment:
 1. Download the binary file for your system from the latest [release](https://github.com/Netcracker/KubeMarine/releases)
@@ -174,6 +188,10 @@ Also, check out the following inventory examples:
 - [cluster.yaml](examples/cluster.yaml)
 - [procedure.yaml](examples/procedure.yaml)
 
+For maintainers and developers there is useful [internal documentation](/documentation/internal/), for example:
+* [How to write patches](/documentation/internal/Patches.md)
+* [How to make new release](/documentation/internal/Release.md)
+
 ## Issues, Questions
 If you have any problems while working with Kubemarine, feel free to open a [new issue](https://github.com/netcracker/kubemarine/issues) or even
 [PR](https://github.com/netcracker/kubemarine/pulls) with related changes.

documentation/internal/Release.md

@@ -0,0 +1,14 @@
+# Releasing KubeMarine
+
+If you want to make a new KubeMarine release, you need to do following:
+1. On the `main` branch, update KubeMarine version and create tag (replace `X.X.X` with actual version):
+    ```
+    python3 -m pip install bumpver
+    python3 -m bumpver update --set-version=X.X.X
+    ```
+2. Wait for [GitHub Actions](https://github.com/Netcracker/KubeMarine/actions) completion and verify newly create pre-release on [GitHub Release page](https://github.com/Netcracker/KubeMarine/releases). Following artifacts are essential for each release:
+    * KubeMarine binaries for different OS. They could be found in release assets.
+    * KubeMarine python distribution package. It could be found in release assets.
+    * [KubeMarine image](https://github.com/Netcracker/KubeMarine/pkgs/container/kubemarine).
+    * [Kubemarine documentation](https://github.com/Netcracker/KubeMarine/tree/main/documentation).
+3. Once you have verified that KubeMarine artifacts are OK, change your release from `pre-release` to `latest release` on [GitHub Release page](https://github.com/Netcracker/KubeMarine/releases). This will publish KubeMarine distribution package to PyPI.

kubemarine/apt.py

@@ -34,7 +34,8 @@ def backup_repo(group: NodeGroup) -> Optional[RunnersGroupResult]:
         return None
     # all files in directory will be renamed: xxx.repo -> xxx.repo.bak
     # if there already any files with ".bak" extension, they should not be renamed to ".bak.bak"!
-    return group.sudo("find /etc/apt/ -type f -name '*.list' | "
+    # since Ubuntu 24.04 default repos are in ubuntu.sources file
+    return group.sudo("find /etc/apt/ -type f -name '*.list' -o -name '*.sources'| "
                       "sudo xargs -t -iNAME mv -bf NAME NAME.bak")
 
 

kubemarine/cri/containerd.py

@@ -263,7 +263,7 @@ def get_config_path(inventory: dict) -> Optional[str]:
     return config_path
 
 
-def configure_containerd(group: NodeGroup) -> RunnersGroupResult:
+def configure_containerd(group: NodeGroup, wait_restart: bool = False) -> RunnersGroupResult:
     cluster = group.cluster
     log = cluster.log
 
@@ -303,8 +303,9 @@ def configure_containerd(group: NodeGroup) -> RunnersGroupResult:
             node.sudo(
                 f"chmod 600 {os_specific_associations['config_location']} && "
                 f"sudo systemctl restart {os_specific_associations['service_name']} && "
-                f"systemctl status {os_specific_associations['service_name']} && "
-                f"timeout 10 sh -c 'until sudo ctr version 2>&1; do sleep 1; done' ", callback=collector) 
+                f"systemctl status {os_specific_associations['service_name']}", callback=collector)
+            if wait_restart:
+                node.sudo( f"timeout 60 sh -c 'until sudo crictl version 2>&1; do sleep 1; done' ", callback=collector)
     return collector.result
 
 

kubemarine/kubernetes/__init__.py

@@ -867,7 +867,7 @@ def upgrade_cri_if_required(group: NodeGroup) -> None:
 
     # upgrade of sandbox_image is currently not supported for migrate_kubemarine
     if cluster.context["upgrade"]["required"].get('containerdConfig', False):
-        containerd.configure_containerd(group)
+        containerd.configure_containerd(group, wait_restart=True)
     else:
         log.debug("'containerd' configuration upgrade is not required")
 

kubemarine/plugins/yaml/calico-apiserver-v3.27.4-original.yaml

@@ -0,0 +1,304 @@
+# This is a tech-preview manifest which installs the Calico API server. Note that this manifest is liable to change
+# or be removed in future releases without further warning.
+#
+# Namespace and namespace-scoped resources.
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    name: calico-apiserver
+  name: calico-apiserver
+spec:
+
+---
+
+# Policy to ensure the API server isn't cut off. Can be modified, but ensure
+# that the main API server is always able to reach the Calico API server.
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-apiserver
+  namespace: calico-apiserver
+spec:
+  podSelector:
+    matchLabels:
+      apiserver: "true"
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 5443
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: calico-api
+  namespace: calico-apiserver
+spec:
+  ports:
+  - name: apiserver
+    port: 443
+    protocol: TCP
+    targetPort: 5443
+  selector:
+    apiserver: "true"
+  type: ClusterIP
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    apiserver: "true"
+    k8s-app: calico-apiserver
+  name: calico-apiserver
+  namespace: calico-apiserver
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      apiserver: "true"
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        apiserver: "true"
+        k8s-app: calico-apiserver
+      name: calico-apiserver
+      namespace: calico-apiserver
+    spec:
+      containers:
+      - args:
+        - --secure-port=5443
+        - -v=5
+        env:
+        - name: DATASTORE_TYPE
+          value: kubernetes
+        image: calico/apiserver:v3.27.4
+        livenessProbe:
+          httpGet:
+            path: /version
+            port: 5443
+            scheme: HTTPS
+          initialDelaySeconds: 90
+          periodSeconds: 10
+        name: calico-apiserver
+        readinessProbe:
+          exec:
+            command:
+            - /code/filecheck
+          failureThreshold: 5
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        securityContext:
+          privileged: false
+          runAsUser: 0
+        volumeMounts:
+        - mountPath: /code/apiserver.local.config/certificates
+          name: calico-apiserver-certs
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: Always
+      serviceAccount: calico-apiserver
+      serviceAccountName: calico-apiserver
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+      volumes:
+      - name: calico-apiserver-certs
+        secret:
+          secretName: calico-apiserver-certs
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-apiserver
+  namespace: calico-apiserver
+
+---
+
+# Cluster-scoped resources below here.
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v3.projectcalico.org
+spec:
+  group: projectcalico.org
+  groupPriorityMinimum: 1500
+  service:
+    name: calico-api
+    namespace: calico-apiserver
+    port: 443
+  version: v3
+  versionPriority: 200
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: calico-crds
+rules:
+- apiGroups:
+  - extensions
+  - networking.k8s.io
+  - ""
+  resources:
+  - networkpolicies
+  - nodes
+  - namespaces
+  - pods
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - globalnetworkpolicies
+  - networkpolicies
+  - clusterinformations
+  - hostendpoints
+  - globalnetworksets
+  - networksets
+  - bgpconfigurations
+  - bgppeers
+  - bgpfilters
+  - felixconfigurations
+  - kubecontrollersconfigurations
+  - ippools
+  - ipreservations
+  - ipamblocks
+  - blockaffinities
+  - caliconodestatuses
+  - ipamconfigs
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - policy
+  resourceNames:
+  - calico-apiserver
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: calico-extension-apiserver-auth-access
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - extension-apiserver-authentication
+  resources:
+  - configmaps
+  verbs:
+  - list
+  - watch
+  - get
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: calico-webhook-reader
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-apiserver-access-crds
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-crds
+subjects:
+- kind: ServiceAccount
+  name: calico-apiserver
+  namespace: calico-apiserver
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-apiserver-delegate-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: calico-apiserver
+  namespace: calico-apiserver
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-apiserver-webhook-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-webhook-reader
+subjects:
+- kind: ServiceAccount
+  name: calico-apiserver
+  namespace: calico-apiserver
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-extension-apiserver-auth-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-extension-apiserver-auth-access
+subjects:
+- kind: ServiceAccount
+  name: calico-apiserver
+  namespace: calico-apiserver