K8s improvements #2918

atsikham · 2022-01-24T14:21:17Z

See changelog for details.

What I would test here:

All standard K8s cases including control plane scaling up
Certs renewal
kubeadm reset + apply
During apply and upgrade apiserver certificate should have the same expiration days amount as other certificates
Apiserver certificate SANs: openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep DNS:

przemyslavic · 2022-01-24T17:17:53Z

/azp run

ansible/playbooks/roles/kubernetes_master/tasks/apiserver-certificates.yml

ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml

ansible/playbooks/roles/kubernetes_master/tasks/main.yml

ansible/playbooks/roles/upgrade/tasks/kubernetes/patch-kubeadm-apiserver.yml

ansible/playbooks/roles/kubernetes_node/tasks/node-join.yml

Co-authored-by: to-bar <[email protected]>

przemyslavic · 2022-01-28T12:17:37Z

/azp run

przemyslavic · 2022-01-31T11:48:54Z

❌ It fails when promoting the cluster to HA.

2022-01-31T11:03:38.7051497Z[38;21m11:03:38 INFO cli.engine.ansible.AnsibleCommand - TASK [kubernetes_promote : Get kube-proxy config map] **************************
2022-01-31T11:03:39.2226226Z[31;21m11:03:39 ERROR cli.engine.ansible.AnsibleCommand - fatal: [ci-devprazurubucanal-kubernetes-master-vm-0]: FAILED! => {"changed": true, "cmd": "kubectl get configmap kube-proxy  --namespace kube-system  --output yaml | sed 's|server: .*$|server: https://localhost:3446|' | kubectl apply  --namespace kube-system  -f-\n", "delta": "0:00:00.115034", "end": "2022-01-31 11:03:39.185764", "msg": "non-zero return code", "rc": 1, "start": "2022-01-31 11:03:39.070730", "stderr": "Unable to connect to the server: x509: certificate is valid for ci-devprazurubucanal-kubernetes-master-vm-0, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not localhost\nUnable to connect to the server: x509: certificate is valid for ci-devprazurubucanal-kubernetes-master-vm-0, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not localhost", "stderr_lines": ["Unable to connect to the server: x509: certificate is valid for ci-devprazurubucanal-kubernetes-master-vm-0, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not localhost", "Unable to connect to the server: x509: certificate is valid for ci-devprazurubucanal-kubernetes-master-vm-0, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not localhost"], "stdout": "", "stdout_lines": []}

To reproduce:

Deploy non-HA cluster (1 master + x nodes)
Add the following configuration:

---
kind: configuration/shared-config
title: "Shared configuration that will be visible to all roles"
name: default
specification:
  use_ha_control_plane: true
  promote_to_ha: true

Run apply command again

przemyslavic · 2022-01-31T12:26:29Z

/azp run

przemyslavic · 2022-01-31T13:58:09Z

Found another issue that occurred when re-applying the HA configuration with the certificate renewal option enabled:

---
kind: configuration/kubernetes-master
name: default
provider: azure
specification:
  advanced:
    certificates:
      expiration_days: 10
      renew: true

---
kind: configuration/shared-config
title: Shared configuration that will be visible to all roles
name: default
provider: azure
specification:
  use_ha_control_plane: true

2022-01-31T13:44:38.3213879Z[38;21m13:44:38 INFO cli.engine.ansible.AnsibleCommand - TASK [kubernetes_master : Generate new CSR] ************************************
2022-01-31T13:44:39.9738331Z[31;21m13:44:39 ERROR cli.engine.ansible.AnsibleCommand - fatal: [ci-devazurrhelcanal-kubernetes-master-vm-1]: FAILED! => {"changed": true, "cmd": ["kubeadm", "certs", "generate-csr", "--cert-dir=csr", "--kubeconfig-dir=csr", "--config=/etc/kubeadm/kubeadm-config.yml"], "delta": "0:00:00.032666", "end": "2022-01-31 13:44:39.746734", "msg": "non-zero return code", "rc": 1, "start": "2022-01-31 13:44:39.714068", "stderr": "unable to read config from \"/etc/kubeadm/kubeadm-config.yml\" : open /etc/kubeadm/kubeadm-config.yml: no such file or directory\nTo see the stack trace of this error execute with --v=5 or higher", "stderr_lines": ["unable to read config from \"/etc/kubeadm/kubeadm-config.yml\" : open /etc/kubeadm/kubeadm-config.yml: no such file or directory", "To see the stack trace of this error execute with --v=5 or higher"], "stdout": "", "stdout_lines": []}
2022-01-31T13:44:40.1148153Z[38;21m13:44:40 INFO cli.engine.ansible.AnsibleCommand -[0m
2022-01-31T13:44:40.1156238Z[38;21m13:44:40 INFO cli.engine.ansible.AnsibleCommand - TASK [kubernetes_master : Restore certificates] ********************************
2022-01-31T13:44:41.8368267Z[38;21m13:44:41 INFO cli.engine.ansible.AnsibleCommand - changed: [ci-devazurrhelcanal-kubernetes-master-vm-1 -> ci-devazurrhelcanal-kubernetes-master-vm-1]
2022-01-31T13:44:41.8666240Z[38;21m13:44:41 INFO cli.engine.ansible.AnsibleCommand -[0m
2022-01-31T13:44:41.8674906Z[38;21m13:44:41 INFO cli.engine.ansible.AnsibleCommand - TASK [kubernetes_master : Fail certificates generation] ************************
2022-01-31T13:44:41.9649903Z[31;21m13:44:41 ERROR cli.engine.ansible.AnsibleCommand - fatal: [ci-devazurrhelcanal-kubernetes-master-vm-1]: FAILED! => {"changed": false, "msg": "Certificates generation failed, restored an initial state"}

przemyslavic · 2022-02-02T09:34:45Z

/azp run

przemyslavic · 2022-02-03T15:01:08Z

/azp run

* K8s improvements (#2918) * Removal of Logstash component - next steps #2833 (#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (#2929) * Extend deprecation note with Ignite removal steps (#2949) * Escalate permissions for ip command (#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: #1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag #959 - Updated DoD for bugs to reflect changes made for #2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* K8s improvements (hitachienergy#2918) * Removal of Logstash component - next steps hitachienergy#2833 (hitachienergy#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (hitachienergy#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (hitachienergy#2929) * Extend deprecation note with Ignite removal steps (hitachienergy#2949) * Escalate permissions for ip command (hitachienergy#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (hitachienergy#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: hitachienergy#1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag hitachienergy#959 - Updated DoD for bugs to reflect changes made for hitachienergy#2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* K8s improvements (#2918) * Removal of Logstash component - next steps #2833 (#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (#2929) * Extend deprecation note with Ignite removal steps (#2949) * Escalate permissions for ip command (#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: #1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag #959 - Updated DoD for bugs to reflect changes made for #2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* K8s improvements (hitachienergy#2918) * Removal of Logstash component - next steps hitachienergy#2833 (hitachienergy#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (hitachienergy#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (hitachienergy#2929) * Extend deprecation note with Ignite removal steps (hitachienergy#2949) * Escalate permissions for ip command (hitachienergy#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (hitachienergy#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: hitachienergy#1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag hitachienergy#959 - Updated DoD for bugs to reflect changes made for hitachienergy#2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* K8s improvements (#2918) * Removal of Logstash component - next steps #2833 (#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (#2929) * Extend deprecation note with Ignite removal steps (#2949) * Escalate permissions for ip command (#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: #1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag #959 - Updated DoD for bugs to reflect changes made for #2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* K8s improvements (hitachienergy#2918) * Removal of Logstash component - next steps hitachienergy#2833 (hitachienergy#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (hitachienergy#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (hitachienergy#2929) * Extend deprecation note with Ignite removal steps (hitachienergy#2949) * Escalate permissions for ip command (hitachienergy#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (hitachienergy#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: hitachienergy#1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag hitachienergy#959 - Updated DoD for bugs to reflect changes made for hitachienergy#2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* K8s improvements (#2918) * Removal of Logstash component - next steps #2833 (#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (#2929) * Extend deprecation note with Ignite removal steps (#2949) * Escalate permissions for ip command (#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: #1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag #959 - Updated DoD for bugs to reflect changes made for #2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]>

* Define additional disks with defined sizes to VMs for Azure (#2953) * Additional disks for azure DRAFT * Simplify config * add changelog note * Change starting index value in names * Change value of lun attribute to alling with disks indexing * Merge 'develop' into 'feature/rook-ceph-storage' (#2959) * K8s improvements (#2918) * Removal of Logstash component - next steps #2833 (#2941) * Add information about manual package removal that needs to be performed by cluster admin * include information about inventory file * Fix for ansible_default_ipv4 empty value (#2922) * Fix for ansible_default_ipv4 empty value * Fix after ToBar review * Add check if there is only one default routing config * Add check for different metrics value in case more than one default routing * Review fixes * Update fail_msg Co-authored-by: to-bar <[email protected]> * Extend k8s schema validation (#2929) * Extend deprecation note with Ignite removal steps (#2949) * Escalate permissions for ip command (#2952) * Changed autoscaling_group to plain EC2 VMs on AWS. (#2939) - Replaced AWS auto_scaling_groups with plain EC2 VM creation. - Added proper host sorting how it was implemented for the any and azure providers: #1076 - Sync up features with Azure Terraform implementation - Added support for use_network_security_groups flag #959 - Updated DoD for bugs to reflect changes made for #2832 Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]> * Add Ansible Rook role (#2960) * Add initial ansible rook role * Fix issue with no yet existing template * Add Rook schema related files * Remove already setup vars, add missing enters * Fix issue with feature mapping * Add configuration support * Move kubeconfig to rook role yaml * Update changelog * Add started dashes to yaml defaults for Rook * Add RH fix suggested by cicharka * Add rook cluster helm chart installation * Add separate chart values definitions * Limit fact checking in rook role * Add initial rook/ceph documentation * Update documentation for Rook * Update download requirements * Persistent Storage: Note about disks on AWS (#2998) * Updated changelog * Rearrange and update documentation * Update components * Fix after review * Limit hosts where apply is specified * Add comment about repository facts gathering * Make rook namespace configurable * Add linter comments to disable false positive * Add requested comments * Change shell to command module * Change mode to preserve for temp configuration data * Update documentation * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * Update ansible/playbooks/roles/repository/files/download-requirements/requirements/x86_64/images.yml Co-authored-by: przemyslavic <[email protected]> * use newer version of rook (#3053) * Feature/rook ceph storage additions (#3064) * rook/ceph: add default values in epiphany configuration * rook/ceph (#3068) * add default values in epiphany configuration * bump up verison of rook * Revert schema defaults (#3074) * Revert "rook/ceph (#3068)" This reverts commit 989be85. * Revert "Feature/rook ceph storage additions (#3064)" This reverts commit 17c49af. * minor fixes for schema and docs * add rook feature_mapping for single and custom * rook: modify tests and schema for image registry * rook: offline mode * enahnce playbook to allow chart files use images from local image registry * remove unused condition for chart and operator specification which is always defined now * modify path for rook/ceph image in order to be compliant with values.yml Signed-off-by: cicharka <[email protected]> * rook: add missing csiaddons for offline mode Signed-off-by: cicharka <[email protected]> Co-authored-by: Anatoli Tsikhamirau <[email protected]> Co-authored-by: Irek Głownia <[email protected]> Co-authored-by: to-bar <[email protected]> Co-authored-by: Luuk van Venrooij <[email protected]> Co-authored-by: cicharka <[email protected]> Co-authored-by: przemyslavic <[email protected]> Co-authored-by: cicharka <[email protected]>

atsikham added 2 commits January 24, 2022 09:22

Remove force join attempt for k8s node

4399db8

Re-generate certificates only when required

52f2677

Update changelog

2577e17

atsikham marked this pull request as ready for review January 25, 2022 14:18

erzetpe previously approved these changes Jan 26, 2022

View reviewed changes

seriva previously approved these changes Jan 26, 2022

View reviewed changes

Merge branch 'develop' into feature/k8s-improvements

ed4167f

atsikham dismissed stale reviews from seriva and erzetpe via ed4167f January 26, 2022 12:25

atsikham requested review from erzetpe and seriva January 26, 2022 12:26

seriva previously approved these changes Jan 26, 2022

View reviewed changes

erzetpe previously approved these changes Jan 27, 2022

View reviewed changes

to-bar reviewed Jan 27, 2022

View reviewed changes

Apply suggestions from code review

c0864a5

Co-authored-by: to-bar <[email protected]>

atsikham dismissed stale reviews from erzetpe and seriva via c0864a5 January 27, 2022 11:32

Apply fixes after review

f899d5c

to-bar previously approved these changes Jan 28, 2022

View reviewed changes

seriva previously approved these changes Jan 28, 2022

View reviewed changes

Revert localhost removal from SANs

f6bbd2a

atsikham dismissed stale reviews from seriva and to-bar via f6bbd2a January 31, 2022 12:24

Remove unnecessary apiserver cert generation tasks

05efa4d

atsikham force-pushed the feature/k8s-improvements branch from 020f25c to 05efa4d Compare February 1, 2022 22:18

atsikham added 2 commits February 3, 2022 15:53

Handle change of automation_designated_master

3e3fbbf

Extend doc about k8s control plane certificates renewal

24871e6

atsikham force-pushed the feature/k8s-improvements branch from 562f8f2 to 24871e6 Compare February 3, 2022 14:57

przemyslavic approved these changes Feb 3, 2022

View reviewed changes

to-bar approved these changes Feb 3, 2022

View reviewed changes

atsikham merged commit 6a1e7e8 into hitachienergy:develop Feb 4, 2022

rafzei pushed a commit to rafzei/epiphany that referenced this pull request Feb 8, 2022

K8s improvements (hitachienergy#2918)

0d74d4a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

K8s improvements #2918

K8s improvements #2918

atsikham commented Jan 24, 2022 •

edited

Loading

przemyslavic commented Jan 24, 2022

przemyslavic commented Jan 28, 2022

przemyslavic commented Jan 31, 2022

przemyslavic commented Jan 31, 2022

przemyslavic commented Jan 31, 2022

przemyslavic commented Feb 2, 2022

przemyslavic commented Feb 3, 2022

K8s improvements #2918

K8s improvements #2918

Conversation

atsikham commented Jan 24, 2022 • edited Loading

przemyslavic commented Jan 24, 2022

przemyslavic commented Jan 28, 2022

przemyslavic commented Jan 31, 2022

przemyslavic commented Jan 31, 2022

przemyslavic commented Jan 31, 2022

przemyslavic commented Feb 2, 2022

przemyslavic commented Feb 3, 2022

atsikham commented Jan 24, 2022 •

edited

Loading