salt, kubernetes: remove apiServer from BootstrapConfiguration

We no longer need this since we provide in-cluster HA for `kube-apiserver` access. If this is desired for out-of-cluster access, we can provide this using a `LoadBalancer` `Service` once we have the infrastructure to support this in place. This also removed the optional deployment of `keepalived`. See: #2103 See: #1788
scality · Dec 6, 2019 · 7c93b7c · 7c93b7c
1 parent 19c669d
commit 7c93b7c
Show file tree

Hide file tree

Showing 16 changed files with 6 additions and 294 deletions.
diff --git a/Vagrantfile b/Vagrantfile
@@ -136,10 +136,6 @@ networks:
   workloadPlane: #{WORKLOAD_PLANE_IP}/#{prefixlen(WORKLOAD_PLANE_NETMASK)}
 ca:
   minion: bootstrap
-apiServer:
-  host: #{IPAddr.new(CONTROL_PLANE_IP).mask(CONTROL_PLANE_NETMASK).to_range.last(2).first.to_s}
-  keepalived:
-    enabled: true
 archives:
   - /srv/scality/metalk8s-$VERSION
 EOF

diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
@@ -222,21 +222,6 @@ def _operator_image(name: str, **kwargs: Any) -> targets.OperatorImage:
         name='salt-master',
         build_args={'SALT_VERSION': versions.SALT_VERSION},
     ),
-    _local_image(
-        name='keepalived',
-        build_args={
-            'KEEPALIVED_IMAGE': versions.CENTOS_BASE_IMAGE,
-            'KEEPALIVED_IMAGE_SHA256': versions.CENTOS_BASE_IMAGE_SHA256,
-            'KEEPALIVED_VERSION': versions.KEEPALIVED_VERSION,
-            'BUILD_DATE': datetime.datetime.now(datetime.timezone.utc)
-                            .astimezone()
-                            .isoformat(),
-            'VCS_REF': constants.GIT_REF or '<unknown>',
-            'VERSION': versions.CONTAINER_IMAGES_MAP['keepalived'].version,
-            'METALK8S_VERSION': versions.VERSION,
-        },
-        file_dep=[constants.ROOT/'images'/'keepalived'/'entrypoint.sh'],
-    ),
     _local_image(
         name='metalk8s-ui',
         dockerfile=constants.ROOT/'ui'/'Dockerfile',

diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
@@ -19,7 +19,6 @@
 
 CALICO_VERSION     : str = '3.8.2'
 K8S_VERSION        : str = '1.15.5'
-KEEPALIVED_VERSION : str = '1.3.5-16.el7'
 SALT_VERSION       : str = '2018.3.4'
 
 def load_version_information() -> None:
@@ -67,7 +66,6 @@ def load_version_information() -> None:
 # This should be reset to 1 when the service exposed by the container changes
 # version.
 SALT_MASTER_BUILD_ID = 1
-KEEPALIVED_BUILD_ID  = 1
 
 
 def _version_prefix(version: str, prefix: str = 'v') -> str:
@@ -184,13 +182,6 @@ def _version_prefix(version: str, prefix: str = 'v') -> str:
         digest='sha256:ed3ec0597c2d5b7102a7f62c661a23d8e4b34d910693fc23fd40bfb1d9404dcf',
     ),
     # Local images
-    Image(
-        name='keepalived',
-        version='{version}-{build_id}'.format(
-            version=KEEPALIVED_VERSION, build_id=KEEPALIVED_BUILD_ID
-        ),
-        digest=None,
-    ),
     Image(
         name='metalk8s-ui',
         version=VERSION,

diff --git a/docs/developer/architecture/deployment.rst b/docs/developer/architecture/deployment.rst
@@ -57,19 +57,6 @@ which can vary from one installation to another:
 
   Default: ``10.96.0.0/12``
 
-- VIP for the ``kube-apiserver`` and ``keepalived`` toggle
-
-  Used as the address of ``kube-apiserver`` where required. This can either be
-  a VIP managed by custom load-balancing/high-availability infrastructure, in
-  which case the ``keepalived`` toggle must be off, or one which our platform
-  will manage using ``keepalived``.
-
-  If ``keepalived`` is enabled, this VIP must sit in a control plane CIDR
-  shared by all control plane nodes.
-
-  Note: we run ``keepalived`` in unicast mode, which is an extension of classic
-  VRRP, but removes the need for multicast support on the network.
-
 Firewall
 ^^^^^^^^
 
@@ -81,7 +68,6 @@ We assume SSH access is not blocked by the host-based firewall.
 
 These services include:
 
-- VRRP if ``keepalived`` is enabled on control-plane nodes
 - HTTPS on the bootstrap node, for ``nginx`` fronting the OCI registry and
   serving the yum repository
 - ``salt-master`` on the bootstrap node

diff --git a/docs/developer/architecture/requirements.rst b/docs/developer/architecture/requirements.rst
@@ -204,9 +204,6 @@ discovered through an updated DNS entry), it must be possible to reconfigure
 the deployment accordingly, with as little impact as possible (i.e., requiring
 as little changes as possible). This related to the `DNS` section above.
 
-For some services, e.g. `keepalived` configuration, IP addresses are mandatory,
-so these are permitted.
-
 Multi-Homed Servers
 -------------------
 A deployment can specify subnet CIDRs for various purposes, e.g. control-plane,

diff --git a/docs/developer/running/ui.rst b/docs/developer/running/ui.rst
@@ -30,8 +30,12 @@ Procedure
        'salt-call', 'pillar.get', 'metalk8s', '--out', 'json'
    ])
    pillar = json.loads(output)['local']
+   output = subprocess.check_output([
+       'salt-call', 'grains.get', 'metalk8s:control_plane_ip', '--out', 'json'
+   ])
+   control_plane_ip = json.loads(output)['local']
    ui_conf = {
-       'url': 'https://{}:6443'.format(pillar['api_server']['host']),
+       'url': 'https://{}:6443'.format(control_plane_ip),
        'url_salt': 'https://{salt[ip]}:{salt[ports][api]}'.format(
            salt=pillar['endpoints']['salt-master']
        ),

diff --git a/docs/quickstart/bootstrap.rst b/docs/quickstart/bootstrap.rst
@@ -38,8 +38,6 @@ Configuration
         workloadPlane: <CIDR-notation>
       ca:
         minion: <hostname-of-the-bootstrap-node>
-      apiServer:
-        host: <IP-of-the-bootstrap-node>
       archives:
         - <path-to-metalk8s-iso>
 
@@ -50,7 +48,6 @@ system is configured to re-mount them automatically after a reboot.
 .. todo::
 
    - Explain the role of this config file and its values
-   - Add a note about setting HA for ``apiServer``
 
 
 .. _quickstart-bootstrap-ssh:

diff --git a/eve/main.yml b/eve/main.yml
@@ -213,8 +213,6 @@ models:
           workloadPlane: 10.100.0.0/16
         ca:
           minion: $(hostname)
-        apiServer:
-          host: $(ip route get 10.100.0.0 | awk '/10.100.0.0/{ print $6 }')
         archives:
           - "/srv/scality/metalk8s-${PRODUCT_VERSION}"
         END

diff --git a/eve/workers/openstack-multiple-nodes/terraform/scripts/bootstrap-config.sh b/eve/workers/openstack-multiple-nodes/terraform/scripts/bootstrap-config.sh
@@ -17,8 +17,6 @@ networks:
   workloadPlane: 10.100.0.0/16
 ca:
   minion: $(cat /etc/salt/minion_id)
-apiServer:
-  host: $(ip route get 10.100.0.0 | awk '/10.100.0.0/{ print $6 }')
 archives:
   - /var/tmp/metalk8s
 EOF

diff --git a/eve/workers/openstack-single-node-rhel/terraform/scripts/bootstrap-config.sh b/eve/workers/openstack-single-node-rhel/terraform/scripts/bootstrap-config.sh
@@ -17,8 +17,6 @@ networks:
   workloadPlane: 10.100.0.0/16
 ca:
   minion: $(cat /etc/salt/minion_id)
-apiServer:
-  host: $(ip route get 10.100.0.0 | awk '/10.100.0.0/{ print $6 }')
 archives:
   - /var/tmp/metalk8s
 EOF

diff --git a/images/keepalived/Dockerfile b/images/keepalived/Dockerfile
diff --git a/images/keepalived/entrypoint.sh b/images/keepalived/entrypoint.sh
diff --git a/salt/_pillar/metalk8s.py b/salt/_pillar/metalk8s.py
@@ -70,39 +70,6 @@ def _load_ca(config_data):
     }
 
 
-def _load_apiserver(config_data):
-    errors = __utils__['pillar_utils.assert_keys'](config_data, ['apiServer'])
-    if errors:
-        return __utils__['pillar_utils.errors_to_dict'](errors)
-
-    as_data = config_data['apiServer']
-
-    result = {
-        'host': None,
-        'keepalived': {
-            'enabled': False,
-            'virtualRouterId': 1,
-            'authPassword': 'MeTaLk8s',
-        },
-        'kubeconfig': '/etc/kubernetes/admin.conf'
-    }
-
-    errors = __utils__['pillar_utils.assert_keys'](as_data, ['host'])
-    if errors:
-        return __utils__['pillar_utils.errors_to_dict'](errors)
-
-    result['host'] = as_data['host']
-
-    if 'keepalived' in as_data:
-        k_data = as_data['keepalived']
-        k_result = result['keepalived']
-
-        for (key, default) in k_result.items():
-            k_result[key] = k_data.get(key, default)
-
-    return result
-
-
 def _load_iso_path(config_data):
     """Load iso path from BootstrapConfiguration
 
@@ -133,7 +100,6 @@ def ext_pillar(minion_id, pillar, bootstrap_config):
         metal_data = {
             'archives': _load_iso_path(config),
             'ca': _load_ca(config),
-            'api_server': _load_apiserver(config)
         }
 
     result = {
@@ -144,7 +110,7 @@ def ext_pillar(minion_id, pillar, bootstrap_config):
     if not isinstance(metal_data['archives'], list):
         # Special case for archives in pillar
         __utils__['pillar_utils.promote_errors'](metal_data, 'archives')
-    for key in ['ca', 'api_server']:
+    for key in ['ca',]:
         __utils__['pillar_utils.promote_errors'](metal_data, key)
     for key in ['networks', 'metalk8s']:
         __utils__['pillar_utils.promote_errors'](result, key)

diff --git a/salt/metalk8s/kubernetes/apiserver/certs/server.sls b/salt/metalk8s/kubernetes/apiserver/certs/server.sls
@@ -26,7 +26,6 @@ Create kube-apiserver private key:
     'kubernetes.default.svc.cluster.local',
     kubernetes_service_ip,
     grains['metalk8s']['control_plane_ip'],
-    pillar['metalk8s']['api_server']['host'],
     '127.0.0.1',
 ]
 %}