Merge pull request #2804 from zalando-incubator/beta-to-stable

beta to stable
zalando-incubator · Dec 18, 2019 · 906e39b · 906e39b
2 parents 304a330 + 2a63a29
commit 906e39b
Show file tree

Hide file tree

Showing 17 changed files with 60 additions and 91 deletions.
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -5,11 +5,7 @@ autoscaling_buffer_cpu_scale: "1"
 autoscaling_buffer_memory_scale: "0.85"
 autoscaling_buffer_cpu_reserved: "1250m"
 autoscaling_buffer_memory_reserved: "3Gi"
-{{if eq .Environment "production"}}
-autoscaling_buffer_pods: "1"
-{{else}}
 autoscaling_buffer_pods: "0"
-{{end}}
 cluster_autoscaler_cpu: "100m"
 cluster_autoscaler_memory: "300Mi"
 
@@ -61,11 +57,7 @@ enable_skipper_eastwest: "true"
 
 # skipper tcp lifo
 # See: https://opensource.zalando.com/skipper/operation/operation/#tcp-lifo
-{{if eq .Environment "production"}}
-skipper_enable_tcp_queue: "false"
-{{else}}
 skipper_enable_tcp_queue: "true"
-{{end}}
 skipper_expected_bytes_per_request: "51200"
 skipper_max_tcp_listener_concurrency: "-1"
 skipper_max_tcp_listener_queue: "-1"
@@ -148,7 +140,7 @@ zmon_worker_cpu: "750m"
 zmon_worker_count: "16"
 {{end}}
 zmon_scalyr_region: "eu"
-zmon_worker_version: "v209-py2eol-53-g458f8ba-v251-py2eol"
+zmon_worker_version: "v209-py2eol-61-gcd2c760-v251-py2eol"
 zmon_agent_version: "0.4-19-ga12da10-zv5"
 logging_watcher_mem: "200Mi"
 logging_scalyr_mem: "175Mi"

diff --git a/cluster/manifests/01-vertical-pod-autoscaler/admission-controller-deployment.yaml b/cluster/manifests/01-vertical-pod-autoscaler/admission-controller-deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: vpa-admission-controller
-    version: v0.6.1-internal.2
+    version: v0.6.1-internal.4
     component: vpa
 spec:
   replicas: 1
@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         application: vpa-admission-controller
-        version: v0.6.1-internal.2
+        version: v0.6.1-internal.4
         component: vpa
       annotations:
         config/hash: {{"secret.yaml" | manifestHash}}
@@ -25,7 +25,7 @@ spec:
       serviceAccountName: vpa-admission-controller
       containers:
       - name: admission-controller
-        image: registry.opensource.zalan.do/teapot/vpa-admission-controller:v0.6.1-internal.2
+        image: registry.opensource.zalan.do/teapot/vpa-admission-controller:v0.6.1-internal.4
         volumeMounts:
           - name: tls-certs
             mountPath: "/etc/tls-certs"

diff --git a/cluster/manifests/01-vertical-pod-autoscaler/recommender-deployment.yaml b/cluster/manifests/01-vertical-pod-autoscaler/recommender-deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: vpa-recommender
-    version: v0.6.1-internal.2
+    version: v0.6.1-internal.4
     component: vpa
 spec:
   replicas: 1
@@ -16,14 +16,14 @@ spec:
     metadata:
       labels:
         application: vpa-recommender
-        version: v0.6.1-internal.2
+        version: v0.6.1-internal.4
         component: vpa
     spec:
       serviceAccountName: vpa-recommender
       priorityClassName: system-cluster-critical
       containers:
       - name: recommender
-        image: registry.opensource.zalan.do/teapot/vpa-recommender:v0.6.1-internal.2
+        image: registry.opensource.zalan.do/teapot/vpa-recommender:v0.6.1-internal.4
         args:
         - --stderrthreshold=info
         - --v=5

diff --git a/cluster/manifests/01-vertical-pod-autoscaler/updater-deployment.yaml b/cluster/manifests/01-vertical-pod-autoscaler/updater-deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: vpa-updater
-    version: v0.6.1-internal.2
+    version: v0.6.1-internal.4
     component: vpa
 spec:
   replicas: 1
@@ -16,14 +16,14 @@ spec:
     metadata:
       labels:
         application: vpa-updater
-        version: v0.6.1-internal.2
+        version: v0.6.1-internal.4
         component: vpa
     spec:
       serviceAccountName: vpa-updater
       priorityClassName: system-cluster-critical
       containers:
       - name: updater
-        image: registry.opensource.zalan.do/teapot/vpa-updater:v0.6.1-internal.2
+        image: registry.opensource.zalan.do/teapot/vpa-updater:v0.6.1-internal.4
         command:
           - ./updater
         args:

diff --git a/cluster/manifests/02-kube-aws-iam-controller/deployment.yaml b/cluster/manifests/02-kube-aws-iam-controller/deployment.yaml
@@ -38,5 +38,8 @@ spec:
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
+      - key: node.kubernetes.io/role
+        value: master
+        effect: NoSchedule
       nodeSelector:
-        node-role.kubernetes.io/master: ""
+        node.kubernetes.io/role: master
diff --git a/cluster/manifests/admission-control/daemonset.yaml b/cluster/manifests/admission-control/daemonset.yaml
@@ -28,6 +28,9 @@ spec:
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
+      - key: node.kubernetes.io/role
+        value: master
+        effect: NoSchedule
       containers:
       - name: cluster-autoscaler
         image: registry.opensource.zalan.do/teapot/admission-controller:master-45
@@ -48,7 +51,7 @@ spec:
             mountPath: /meta/credentials
             readOnly: true
       nodeSelector:
-        node-role.kubernetes.io/master: ""
+        node.kubernetes.io/role: master
       volumes:
         - name: credentials
           secret:

diff --git a/cluster/manifests/audittrail-adapter/daemonset.yaml b/cluster/manifests/audittrail-adapter/daemonset.yaml
@@ -21,13 +21,8 @@ spec:
     spec:
       serviceAccountName: audittrail-adapter
       priorityClassName: system-node-critical
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node-role.kubernetes.io/master
-                operator: Exists
+      nodeSelector:
+        node.kubernetes.io/role: master
       tolerations:
       - operator: Exists
         effect: NoSchedule

diff --git a/cluster/manifests/cluster-lifecycle-controller/deployment.yaml b/cluster/manifests/cluster-lifecycle-controller/deployment.yaml
@@ -28,6 +28,9 @@ spec:
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
+      - key: node.kubernetes.io/role
+        value: master
+        effect: NoSchedule
       - key: node.kubernetes.io/not-ready
         operator: Exists
       containers:
@@ -61,4 +64,4 @@ spec:
         secret:
           secretName: cluster-lifecycle-controller-aws-iam-credentials
       nodeSelector:
-        node-role.kubernetes.io/master: ""
+        node.kubernetes.io/role: master
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -1,38 +1,13 @@
 # everything defined under here will be deleted before applying the manifests
-pre_apply:
-- name: kube-state-metrics
-  kind: ClusterRoleBinding
+pre_apply: []
 
 # everything defined under here will be deleted after applying the manifests
 post_apply:
-- name: node-problem-detector
-  namespace: kube-system
-  kind: ConfigMap
-- name: node-problem-detector
-  namespace: kube-system
-  kind: DaemonSet
-- name: node-problem-detector
-  namespace: kube-system
-  kind: Service
-- name: node-problem-detector
-  namespace: kube-system
-  kind: ServiceAccount
-- name: node-problem-detector-psp
-  namespace: kube-system
-  kind: RoleBinding
-- name: node-problem-detector
-  kind: ClusterRoleBinding
-- name: compute-resources
-  namespace: visibility
-  kind: ResourceQuota
 {{ if eq .ConfigItems.teapot_admission_controller_process_resources "true" }}
 - name: limits
   namespace: default
   kind: LimitRange
 {{ end }}
-- name: kube-job-cleaner
-  namespace: kube-system
-  kind: CronJob
 {{ if ne .ConfigItems.enable_ingress_template_controller "true" }}
 - name: ingresstemplates.zalando.org
   kind: CustomResourceDefinition
@@ -47,30 +22,3 @@ post_apply:
 - name: ingress-template-controller
   kind: ClusterRoleBinding
 {{ end }}
-- name: nvidia-driver-installer
-  namespace: kube-system
-  kind: DaemonSet
-- name: admission-controller
-  namespace: kube-system
-  kind: ServiceAccount
-- name: admission-controller
-  kind: ClusterRole
-- name: admission-controller
-  kind: ClusterRoleBinding
-- name: zmon-scheduler
-  kind: VerticalPodAutoscaler
-  namespace: visibility
-- name: kubernetes-dashboard
-  kind: RoleBinding
-  namespace: kube-system
-- name: privileged-psp
-  namespace: kube-system
-  kind: RoleBinding
-- name: cdp-deployer
-  kind: ClusterRoleBinding
-- name: poweruser
-  kind: ClusterRoleBinding
-- name: readonly
-  kind: ClusterRoleBinding
-- name: zmon-external
-  kind: ClusterRoleBinding
diff --git a/cluster/manifests/etcd-backup/cronjob.yaml b/cluster/manifests/etcd-backup/cronjob.yaml
@@ -59,8 +59,11 @@ spec:
           tolerations:
           - key: node-role.kubernetes.io/master
             effect: NoSchedule
+          - key: node.kubernetes.io/role
+            value: master
+            effect: NoSchedule
           nodeSelector:
-            node-role.kubernetes.io/master: ""
+            node.kubernetes.io/role: master
 {{ if eq .ConfigItems.kube_aws_iam_controller_kube_system_enable "true"}}
           volumes:
           - name: aws-iam-credentials

diff --git a/cluster/manifests/flannel/configmap.yaml b/cluster/manifests/flannel/configmap.yaml
@@ -8,12 +8,17 @@ metadata:
 data:
   cni-conf.json: |
     {
-        "name": "podnet",
-        "type": "flannel",
-        "delegate": {
+      "name": "podnet",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "flannel",
+          "delegate": {
             "isDefaultGateway": true,
             "hairpinMode": true
+          }
         }
+      ]
     }
   net-conf.json: |
     {

diff --git a/cluster/manifests/flannel/daemonset.yaml b/cluster/manifests/flannel/daemonset.yaml
@@ -35,7 +35,7 @@ spec:
           - name: CNI_CONFIG_SOURCE
             value: /etc/kube-flannel/cni-conf.json
           - name: CNI_CONFIG_TARGET
-            value: /etc/cni/net.d/10-flannel.conf
+            value: /etc/cni/net.d/10-flannel.conflist
         resources:
           requests:
             cpu: 25m

diff --git a/cluster/manifests/ingress-controller/deployment.yaml b/cluster/manifests/ingress-controller/deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: kube-ingress-aws-controller
-    version: v0.9.3
+    version: v0.9.6
 spec:
   replicas: 1
   selector:
@@ -15,7 +15,7 @@ spec:
     metadata:
       labels:
         application: kube-ingress-aws-controller
-        version: v0.9.3
+        version: v0.9.6
 {{ if eq .ConfigItems.kube_aws_iam_controller_kube_system_enable "false"}}
       annotations:
         iam.amazonaws.com/role: "{{ .LocalID }}-app-ingr-ctrl"
@@ -29,7 +29,7 @@ spec:
       serviceAccountName: kube-ingress-aws-controller
       containers:
       - name: controller
-        image: registry.opensource.zalan.do/teapot/kube-ingress-aws-controller:v0.9.3
+        image: registry.opensource.zalan.do/teapot/kube-ingress-aws-controller:v0.9.6
         args:
         - --stack-termination-protection
         - --ssl-policy={{ .ConfigItems.kube_aws_ingress_controller_ssl_policy }}
@@ -38,6 +38,8 @@ spec:
         - --nlb-cross-zone
         {{ end }}
         env:
+        - name: CUSTOM_FILTERS
+          value: "tag:kubernetes.io/cluster/{{ .Cluster.ID }}=owned tag:node.kubernetes.io/role=worker" # TODO: tag:zalando.org/ingress-enabled=true"
         - name: AWS_REGION
           value: {{ .Region }}
 {{ if eq .ConfigItems.kube_aws_iam_controller_kube_system_enable "true"}}

diff --git a/cluster/manifests/kube-cluster-autoscaler/daemonset.yaml b/cluster/manifests/kube-cluster-autoscaler/daemonset.yaml
@@ -31,6 +31,9 @@ spec:
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
+      - key: node.kubernetes.io/role
+        value: master
+        effect: NoSchedule
       containers:
       - name: cluster-autoscaler
         image: registry.opensource.zalan.do/teapot/kube-cluster-autoscaler:v1.12.2-internal-2.5
@@ -60,4 +63,4 @@ spec:
           - name: KUBE_MAX_PD_VOLS
             value: "26"
       nodeSelector:
-        node-role.kubernetes.io/master: ""
+        node.kubernetes.io/role: master
diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml
@@ -38,7 +38,7 @@ spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: skipper-ingress
       nodeSelector:
-        kubernetes.io/role: worker
+        node.kubernetes.io/role: worker
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       containers:

diff --git a/cluster/node-pools/worker-default/stack.yaml b/cluster/node-pools/worker-default/stack.yaml
@@ -48,6 +48,12 @@ Resources:
       - Key: node.kubernetes.io/role
         PropagateAtLaunch: true
         Value: worker
+# only node pools without taints should be attached to Ingress Load balancer
+{{- if not (index .NodePool.ConfigItems "taints") }}
+      - Key: zalando.org/ingress-enabled
+        Value: "true"
+        PropagateAtLaunch: true
+{{- end }}
       - Key: k8s.io/cluster-autoscaler/enabled
         PropagateAtLaunch: true
         Value: ''

diff --git a/cluster/node-pools/worker-splitaz/stack.yaml b/cluster/node-pools/worker-splitaz/stack.yaml
@@ -52,6 +52,12 @@ Resources:
       - Key: node.kubernetes.io/role
         PropagateAtLaunch: true
         Value: worker
+# only node pools without taints should be attached to Ingress Load balancer
+{{- if not (index $data.NodePool.ConfigItems "taints") }}
+      - Key: zalando.org/ingress-enabled
+        Value: "true"
+        PropagateAtLaunch: true
+{{- end }}
       - Key: k8s.io/cluster-autoscaler/enabled
         PropagateAtLaunch: true
         Value: ''