We contentedly announce the release of:

magnum 7.2.0: Container Management project for OpenStack

This release is part of the rocky stable release series.

The source is available from:

    https://opendev.org/openstack/magnum

Download the package from:

    https://tarballs.openstack.org/null/

Please report issues through:

    https://bugs.launchpad.net/magnum/+bugs

For more details, please see below.

7.2.0
^^^^^

New Features
************

* To improve cluster template versioning and relieve the pain of
  maintaining public cluster templates, the name of a cluster template
  can now be changed.

* Add heat_container_agent_tag label to allow users to select the
  heat-agent tag. Rocky default: rocky-stable

* cloud-provider-openstack for Kubernetes now has a webhook to support
  Keystone authorization and authentication. With this feature, users
  can use a new label 'keystone-auth-enabled' to enable Keystone authN
  and authZ.

* Add a new option 'octavia' for the label 'ingress_controller' and a
  new label 'octavia_ingress_controller_tag' to enable the deployment
  of octavia-ingress-controller
  (https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-octavia-ingress-controller.md)
  in the Kubernetes cluster. The 'ingress_controller_role' label is
  not used for this option.

* k8s_fedora_atomic_v1: Add PodSecurityPolicy for privileged pods. Use
  privileged PSP for calico and node-problem-detector. Add PSP for
  flannel from upstream.

Bug Fixes
*********

* Fixes a problem with Mesos cluster creation where the
  nodes_affinity_policy was not properly conveyed, although it is
  required in order to create the corresponding server group in Nova.
  https://storyboard.openstack.org/#!/story/2005116

* Add iptables -P FORWARD ACCEPT unit. On node reboot, kubelet and
  kube-proxy set iptables -P FORWARD DROP, which doesn't work with
  flannel in the way we use it. Add a systemd unit to set the rule to
  ACCEPT after flannel, docker, kubelet, kube-proxy.

* In a Kubernetes cluster, a floating IP is created and associated
  with the VIP of the load balancer that is created for a service of
  LoadBalancer type inside Kubernetes. It should be deleted when the
  cluster is deleted.

Changes in magnum 7.1.0..7.2.0
------------------------------

1df886df k8s_fedora: Move rp_filter=1 for calico up
925628b6 k8s_fedora_atomic: Add PodSecurityPolicy
dbe2abd2 k8s: Clear cni configuration
174fc15a fix: Deploy enable_service last (rocky only)
7aa12a55 k8s_fedora: Label master nodes with kubectl
ca7eed7a k8s: stop introspecting instance name
e430da9b Fix proportional autoscaler image
9c79084a Using Fedora Atomic 29 as default image
660e62b0 Revert "support http/https proxy for discovery url"
acb30af7 Fix registry on k8s_fedora_atomic
98847b8c Blacklist bandit 1.6.0 and cap Sphinx on Python2
f12a91ca Partial backport: Disable broken image building
62ab17f6 Use rocky heat-container-agent for stable/rocky
da3c37c3 OpenDev Migration Patch
29324920 Replace openstack.org git:// URLs with https://
dfa0d515 k8s_fedora: Add ca_key before all deployments
5d3e0eac Ensure http proxy environment is available during 'atomic install' for k8s
fb47454f make sure to set node_affinity_policy for Mesos template definition
263d0788 Add iptables -P FORWARD ACCEPT unit
c056ac4c Delete loadbalancers and floatingips for service and ingress
4d814229 Allow cluster template being renamed
b153fb5e Support octavia-ingress-controller
50bddcb1 [k8s_fedora_atomic] Delete floating ip for load balancer
a7dc26a2 Support Keystone AuthN and AuthZ for k8s
21720308 Add heat_container_agent_tag label
a2097745 Fix prometheus monitoring
e8d0ee1b support http/https proxy for discovery url
baf46f03 Bump k8s version up to v1.11.5

Diffstat (except docs and test files)
-------------------------------------

.gitreview | 2 +-
.zuul.yaml | 20 +-
devstack/lib/magnum | 13 +-
devstack/plugin.sh | 3 +-
magnum/common/neutron.py | 76 +++++++
magnum/common/octavia.py | 13 +-
magnum/db/sqlalchemy/api.py | 7 +-
.../kubernetes/fragments/configure-etcd.sh | 12 ++
.../fragments/configure-kubernetes-master.sh | 76 ++++++-
.../fragments/configure-kubernetes-minion.sh | 39 +++-
.../kubernetes/fragments/core-dns-service.sh | 2 +-
.../fragments/enable-ingress-controller.sh | 19 +-
.../kubernetes/fragments/enable-ingress-octavia.sh | 122 ++++++++++++
.../kubernetes/fragments/enable-keystone-auth.sh | 185 +++++++++++++++++
.../kubernetes/fragments/enable-node-exporter.sh | 32 ---
.../fragments/enable-prometheus-monitoring.sh | 89 ++++++++-
.../kubernetes/fragments/enable-services-master.sh | 10 +-
.../kubernetes/fragments/flannel-service.sh | 23 +++
.../fragments/kube-apiserver-to-kubelet-role.sh | 72 ++++++-
.../kubernetes/fragments/make-cert-client.sh | 3 +-
.../templates/kubernetes/fragments/make-cert.sh | 1 -
.../kubernetes/fragments/start-container-agent.sh | 14 +-
.../fragments/write-heat-params-master.yaml | 7 +
.../kubernetes/fragments/write-heat-params.yaml | 4 +
.../kubernetes/fragments/write-kube-os-config.sh | 1 +
.../templates/swarm/fragments/network-service.sh | 23 +++
magnum/drivers/heat/k8s_fedora_template_def.py | 6 +-
magnum/drivers/heat/k8s_template_def.py | 25 ++-
.../templates/fragments/enable-kubelet-master.yaml | 4 +-
.../templates/fragments/enable-kubelet-minion.yaml | 4 +-
.../templates/kubecluster.yaml | 47 ++++-
.../k8s_fedora_atomic_v1/templates/kubemaster.yaml | 35 +++-
.../k8s_fedora_atomic_v1/templates/kubeminion.yaml | 15 +-
.../templates/kubecluster.yaml | 3 +
.../templates/kubeminion_software_configs.yaml | 7 -
magnum/drivers/mesos_ubuntu_v1/template_def.py | 5 +
.../api/controllers/v1/test_cluster_template.py | 21 +-
.../handlers/test_k8s_cluster_conductor.py | 25 ++-
.../handlers/test_mesos_cluster_conductor.py | 5 +
playbooks/magnum-buildimages-base.yaml | 2 +-
playbooks/magnum-functional-base.yaml | 2 +-
playbooks/pre/prepare-workspace.yaml | 6 +-
...cy-for-mesos-template-def-82627eb231aa4d28.yaml | 7 +
...er-template-being-renamed-82f7d5d1f33a7957.yaml | 7 +
.../notes/flannel-reboot-fix-f1382818daed4fa8.yaml | 7 +
.../heat-container-agent-tag-92848c1062c16c76.yaml | 5 +
.../notes/k8s-delete-vip-fip-b2ddf61ddbc080bc.yaml | 6 +
.../notes/k8s-keystone-auth-6c88c1a2d406fb61.yaml | 7 +
...ctavia-ingress-controller-32c0b97031fd0dd4.yaml | 8 +
.../notes/podsecuritypolicy-2400063d73524e06.yaml | 6 +
test-requirements.txt | 5 +-
59 files changed, 1562 insertions(+), 155 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt index 209b0c4b..ff04da12 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -8 +8 @@ -bandit>=1.1.0 # Apache-2.0 +bandit!=1.6.0,>=1.1.0 # Apache-2.0 @@ -20 +20,2 @@ pytz>=2013.6 # MIT -sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD
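
Review bot: the !=1.6.0 exclusion added to the bandit line in the @@ -8 +8 @@ hunk has no comment or bug reference saying why that release is skipped. Please record the reason next to the specifier so the exclusion can be dropped later. As written, every release after 1.6.0 is still accepted, so on a stable branch an upper cap on this security linter may be the safer choice.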
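
Review bot: in the @@ -20 +20,2 @@ hunk the two sphinx lines repeat the same !=1.6.6,!=1.6.7,>=1.6.2 specifier and differ only in the <2.0.0 cap and the python_version marker, so a later change to one line is easy to miss on the other. A comment stating why the 2.7 line is capped below 2.0.0 would help. The markers also cover only python_version>='3.4' and python_version=='2.7', so any other interpreter gets no sphinx requirement at all; say so if that is intended.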