Merge branch 'issue-1182' of github.com:aylei/tidb-operator into issu…

…e-1182
pingcap · Nov 23, 2019 · d109f36 · d109f36
2 parents 6682235 + 2ec8481
commit d109f36
Show file tree

Hide file tree

Showing 10 changed files with 281 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,65 @@
+# TiDB Operator v1.0.4 Release Notes
+
+## v1.0.4 What's New
+
+### Action Required
+
+There is no action required if you are upgrading from [v1.0.3](#tidb-operator-v103-release-notes).
+
+### Highlights
+
+[#1202](https://github.com/pingcap/tidb-operator/pull/1202) introduced `HostNetwork` support, which offers better performance compared to the Pod network. Check out our [benchmark report](https://pingcap.com/docs/dev/benchmark/sysbench-in-k8s/#pod-network-vs-host-network) for details.
+
+> **Note:**
+>
+> Due to [this issue of Kubernetes](https://github.com/kubernetes/kubernetes/issues/78420), the Kubernetes cluster must be one of the following versions to enable `HostNetwork` of the TiDB cluster:
+>  - `v1.13.11` or later
+>  - `v1.14.7` or later
+>  - `v1.15.4` or later
+>  - any version since `v1.16.0`
+
+[#1175](https://github.com/pingcap/tidb-operator/pull/1175) added the `podSecurityContext` support for TiDB cluster Pods. We recommend setting the namespaced kernel parameters for TiDB cluster Pods according to our [Environment Recommendation](https://pingcap.com/docs/dev/tidb-in-kubernetes/deploy/prerequisites/#the-configuration-of-kernel-parameters).
+
+New Helm chart `tidb-lightning` brings [TiDB Lightning](https://pingcap.com/docs/stable/reference/tools/tidb-lightning/overview/) support for TiDB in Kubernetes. Check out the [document](https://pingcap.com/docs/dev/tidb-in-kubernetes/maintain/lightning/) for detailed user guide.
+
+Another new Helm chart `tidb-drainer` brings multiple drainers support for TiDB Binlog in Kubernetes. Check out the [document](https://pingcap.com/docs/dev/tidb-in-kubernetes/maintain/tidb-binlog/#deploy-multiple-drainers) for detailed user guide.
+
+### Improvements
+
+- Support HostNetwork ([#1202](https://github.com/pingcap/tidb-operator/pull/1202))
+- Support configuring sysctls for Pods and enable net.* ([#1175](https://github.com/pingcap/tidb-operator/pull/1175))
+- Add tidb-lightning support ([#1161](https://github.com/pingcap/tidb-operator/pull/1161))
+- Add new helm chart tidb-drainer to support multiple drainers ([#1160](https://github.com/pingcap/tidb-operator/pull/1160))
+
+## Detailed Bug Fixes and Changes
+
+- Add e2e scripts and simplify the e2e Jenkins file ([#1174](https://github.com/pingcap/tidb-operator/pull/1174))
+- Fix the pump/drainer data directory to avoid data loss caused by bad configuration ([#1183](https://github.com/pingcap/tidb-operator/pull/1183))
+- Add init sql case to e2e ([#1199](https://github.com/pingcap/tidb-operator/pull/1199))
+- Keep the instance label of drainer same with the TiDB cluster in favor of monitoring ([#1170](https://github.com/pingcap/tidb-operator/pull/1170))
+- Set `podSecuriyContext` to nil by default in favor of backward compatibility ([#1184](https://github.com/pingcap/tidb-operator/pull/1184))
+
+## Additional Notes for Users of v1.1.0.alpha branch
+
+For historical reasons, `v1.1.0.alpha` is a hot-fix branch and got this name by mistake. All fixes in that branch are cherry-picked to `v1.0.4` and the `v1.1.0.alpha` branch will be discarded to keep things clear.
+
+We strongly recommend you to upgrade to `v1.0.4` if you are using any version under `v1.1.0.alpha`.
+
+`v1.0.4` introduces the following fixes comparing to `v1.1.0.alpha.3`:
+
+- Support HostNetwork ([#1202](https://github.com/pingcap/tidb-operator/pull/1202))
+- Add the permit host option for tidb-initializer job ([#779](https://github.com/pingcap/tidb-operator/pull/779))
+- Fix drainer misconfiguration in tidb-cluster chart ([#945](https://github.com/pingcap/tidb-operator/pull/945))
+- Set the default `externalTrafficPolicy` to be Local for TiDB services ([#960](https://github.com/pingcap/tidb-operator/pull/960))
+- Fix tidb-operator crash when users modify sts upgrade strategy improperly ([#969](https://github.com/pingcap/tidb-operator/pull/969))
+- Add the `maxFailoverCount` limit to TiKV ([#976](https://github.com/pingcap/tidb-operator/pull/976))
+- Fix values file customization for tidb-operator on aliyun ([#983](https://github.com/pingcap/tidb-operator/pull/983))
+- Do not limit failover count when maxFailoverCount = 0 ([#978](https://github.com/pingcap/tidb-operator/pull/978))
+- Suspend the `ReplaceUnhealthy` process for TiKV auto-scaling-group on AWS ([#1027](https://github.com/pingcap/tidb-operator/pull/1027))
+- Fix the issue that the `create_tidb_cluster_release` variable does not work ([#1066](https://github.com/pingcap/tidb-operator/pull/1066)))
+- Add `v1` to statefulset apiVersions ([#1056](https://github.com/pingcap/tidb-operator/pull/1056))
+- Add timezone support ([#1126](https://github.com/pingcap/tidb-operator/pull/1027))
+
 # TiDB Operator v1.0.3 Release Notes
 
 ## v1.0.3 What's New

diff --git a/charts/tidb-operator/templates/admission/certManager/certificate.yaml b/charts/tidb-operator/templates/admission/certManager/certificate.yaml
@@ -0,0 +1,22 @@
+{{- if and (eq .Values.admissionWebhook.enabled true) (eq .Values.admissionWebhook.certProvider "certManager") }}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: tidb-admission-webhook-crt
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  admission-cert-create
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+spec:
+  secretName: tidb-admission-webhook-certs
+  commonName: tidb-admission-webhook
+  dnsNames:
+  - tidb-admission-webhook
+  - tidb-admission-webhook.{{ $.Release.Namespace }}
+  - tidb-admission-webhook.{{ $.Release.Namespace }}.svc
+  issuerRef:
+    name: tidb-selfsigning-issuer
+    kind: ClusterIssuer
+{{- end }}
diff --git a/charts/tidb-operator/templates/admission/certManager/issuer.yaml b/charts/tidb-operator/templates/admission/certManager/issuer.yaml
@@ -0,0 +1,14 @@
+{{- if and (eq .Values.admissionWebhook.enabled true) (eq .Values.admissionWebhook.certProvider "certManager") }}
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: tidb-selfsigning-issuer
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  admission-cert-create
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+spec:
+  selfSigned: {}
+{{- end }}
diff --git a/charts/tidb-operator/templates/admission/jobPatch/pre-install-secret-job.yaml b/charts/tidb-operator/templates/admission/jobPatch/pre-install-secret-job.yaml
@@ -0,0 +1,42 @@
+{{- if and (eq .Values.admissionWebhook.enabled true) (eq .Values.admissionWebhook.certProvider "autoGenerator") }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name:  {{ template "chart.name" . }}-admission-create
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  admission-cert-create
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name:  {{ template "chart.name" . }}-admission-create
+    labels:
+      app: {{ template "chart.name" . }}-admission-create
+    serviceAccountName: tidb-admission-webhook-sa
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 2000
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: create
+          image: {{ .Values.admissionWebhook.autoGenerator.image.repository }}:{{ .Values.admissionWebhook.autoGenerator.image.tag }}
+          imagePullPolicy: {{ .Values.imagePullPolicy | default "IfNotPresent" }}
+          args:
+            - create
+            - --host=tidb-admission-webhook,tidb-admission-webhook.{{ $.Release.Namespace }},tidb-admission-webhook.{{ $.Release.Namespace }}.svc
+            - --namespace={{ $.Release.Namespace }}
+            - --secret-name=tidb-admission-webhook-certs
+            - --key-name=key.pem
+            - --cert-name=cert.pem
+{{- end }}
diff --git a/charts/tidb-operator/templates/admission/jobPatch/rbac.yaml b/charts/tidb-operator/templates/admission/jobPatch/rbac.yaml
@@ -0,0 +1,61 @@
+{{- if and (eq .Values.admissionWebhook.enabled true) (eq .Values.admissionWebhook.certProvider "autoGenerator") }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name:  tidb-admission-webhook-sa
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  admission-cert
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name:  tidb-admission-webhook-role
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  admission-cert
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name:  {{ template "chart.name" . }}-rb
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  admission-cert
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tidb-admission-webhook-role
+subjects:
+  - kind: ServiceAccount
+    name: tidb-admission-webhook-sa
+    namespace: {{ $.Release.Namespace }}
+---
+{{- end }}
diff --git a/charts/tidb-operator/templates/admission/selfProvide/certSecret.yaml b/charts/tidb-operator/templates/admission/selfProvide/certSecret.yaml
@@ -0,0 +1,17 @@
+{{- if and (eq .Values.admissionWebhook.enabled true) (eq .Values.admissionWebhook.certProvider "selfProvider") }}
+apiVersion: v1
+data:
+  ca: {{ .Values.admissionWebhook.selfProvider.ca }}
+  cert.pem: {{ .Values.admissionWebhook.selfProvider.cert }}
+  key.pem: {{ .Values.admissionWebhook.selfProvider.key }}
+kind: Secret
+metadata:
+  name: tidb-admission-webhook-certs
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: admission-cert
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+type: Opaque
+{{- end }}
diff --git a/charts/tidb-operator/values.yaml b/charts/tidb-operator/values.yaml
@@ -175,3 +175,22 @@ advancedStatefulset:
   #   operator: Equal
   #   value: tidb-operator
   #   effect: "NoSchedule"
+
+admissionWebhook:
+  enabled: false
+  ## only support autoGenerator / selfProvider / certManager
+  certProvider: "autoGenerator"
+  ## `autoGenerator` would create a job before `operator chart install` and the job would create secret for webhook cert
+  ## and autoClean the secret after the `operator chart` was deleted
+  autoGenerator:
+    image:
+      repository: jettech/kube-webhook-certgen
+      tag: v1.2.0
+  ## `selfProvider` need user to provide their own ca/cert/key for webhook
+  selfProvider:
+    ca: ""
+    key: ""
+    cert: ""
+  ## `certManager` would create an self-signed Issuer and a Certificate for webhook cert managed by cert-manager
+  certManager:
+
diff --git a/ci/pingcap_tidb_operator_build_kind.groovy b/ci/pingcap_tidb_operator_build_kind.groovy
@@ -14,7 +14,7 @@ def getChangeLogText() {
 	return changeLogText
 }
 
-def call(BUILD_BRANCH, CREDENTIALS_ID) {
+def call(BUILD_BRANCH, CREDENTIALS_ID, CODECOV_CREDENTIALS_ID) {
 
 	def GITHASH
 	def UCLOUD_OSS_URL = "http://pingcap-dev.hk.ufileos.com"
@@ -27,22 +27,43 @@ def call(BUILD_BRANCH, CREDENTIALS_ID) {
 				def WORKSPACE = pwd()
 				dir("${PROJECT_DIR}"){
 					stage('build tidb-operator binary'){
-						checkout changelog: false, poll: false, scm: [$class: 'GitSCM', branches: [[name: "${BUILD_BRANCH}"]], doGenerateSubmoduleConfigurations: false, extensions: [], submoduleCfg: [], userRemoteConfigs: [[credentialsId: "${CREDENTIALS_ID}", refspec: '+refs/pull/*:refs/remotes/origin/pr/*', url: "${BUILD_URL}"]]]
-						//git credentialsId: "k8s", url: "${BUILD_URL}", branch: "${ghprbActualCommit}"
+						checkout changelog: false,
+						poll: false,
+						scm: [
+							$class: 'GitSCM',
+							branches: [[name: "${BUILD_BRANCH}"]],
+							doGenerateSubmoduleConfigurations: false,
+							extensions: [],
+							submoduleCfg: [],
+							userRemoteConfigs: [[
+								credentialsId: "${CREDENTIALS_ID}",
+								refspec: '+refs/heads/*:refs/remotes/origin/* +refs/pull/*:refs/remotes/origin/pr/*',
+								url: "${BUILD_URL}",
+							]]
+						]
+
 						GITHASH = sh(returnStdout: true, script: "git rev-parse HEAD").trim()
-						sh """
-						export GOPATH=${WORKSPACE}/go
-						export PATH=${WORKSPACE}/go/bin:\$PATH
-						if ! hash hg 2>/dev/null; then
-							sudo yum install -y mercurial
-						fi
-						hg --version
-						make check-setup
-						make check
-						make test
-						make
-						make e2e-build
-						"""
+						withCredentials([string(credentialsId: "${CODECOV_CREDENTIALS_ID}", variable: 'codecovToken')]) {
+							sh """
+							export GOPATH=${WORKSPACE}/go
+							export PATH=${WORKSPACE}/go/bin:\$PATH
+							if ! hash hg 2>/dev/null; then
+								sudo yum install -y mercurial
+							fi
+							hg --version
+							make check-setup
+							make check
+							if [ ${BUILD_BRANCH} == "master" ]
+							then
+								make test GO_COVER=y
+								curl -s https://codecov.io/bash | bash -s - -t ${codecovToken} || echo'Codecov did not collect coverage reports'
+							else
+								make test
+							fi
+							make
+							make e2e-build
+							"""
+						}
 					}
 				}
 				stash excludes: "${PROJECT_DIR}/vendor/**,${PROJECT_DIR}/deploy/**", includes: "${PROJECT_DIR}/**", name: "tidb-operator"
@@ -119,7 +140,7 @@ def call(BUILD_BRANCH, CREDENTIALS_ID) {
 					}
 				}
 
-				if ( BUILD_BRANCH == "master") {
+				if ( BUILD_BRANCH !=~ /[a-z0-9]{40}/) {
 					stage('upload tidb-operator binary and charts'){
 						//upload binary and charts
 						sh """
@@ -156,7 +177,7 @@ def call(BUILD_BRANCH, CREDENTIALS_ID) {
 			return
 		}
 
-		if ( BUILD_BRANCH == "master" ){
+		if ( BUILD_BRANCH !=~ /[a-z0-9]{40}/ ){
 			slackmsg = "${slackmsg}" + "\n" +
 			"Binary Download URL:" + "\n" +
 			"${UCLOUD_OSS_URL}/builds/pingcap/operator/${GITHASH}/centos7/tidb-operator.tar.gz"

diff --git a/deploy/modules/gcp/tidb-operator/versions.tf b/deploy/modules/gcp/tidb-operator/versions.tf
@@ -2,8 +2,10 @@
 terraform {
   required_version = ">= 0.12"
   required_providers {
-    google      = "~> 2.16"
-    google-beta = "~> 2.16"
+    # TODO: remove the restriction of < 2.19 once the `ip_allocation_policy.0.use_ip_aliases` error fixes
+    # https://github.com/terraform-providers/terraform-provider-google/blob/master/CHANGELOG.md#2190-november-05-2019
+    google      = ">= 2.16, < 2.19"
+    google-beta = ">= 2.16, < 2.19"
     external    = "~> 1.2"
     helm        = "~> 0.10"
     null        = "~> 2.1"

diff --git a/hack/check-terraform.sh b/hack/check-terraform.sh
@@ -9,7 +9,7 @@ source $ROOT/hack/lib.sh
 
 hack::ensure_terraform
 
-terraform_modules=$(find ${ROOT}/deploy -not -path '*/\.*' -type f -name variables.tf | xargs dirname)
+terraform_modules=$(find ${ROOT}/deploy -not -path '*/\.*' -type f -name variables.tf | xargs -I{} -n1 dirname {})
 
 for module in $terraform_modules; do
     echo "Checking module ${module}"