From 7dc271cce109e5e90ced053fa4f5eaf6e3b65736 Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Tue, 20 Sep 2022 14:15:08 +0200
Subject: [PATCH 1/7] Fix VPA update permissions

Signed-off-by: Mikkel Oscar Lyderik Larsen
---
 .../01-vertical-pod-autoscaler/rbac.yaml | 43 +++++++++++++++++--
 cluster/manifests/deletions.yaml | 5 +++
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/cluster/manifests/01-vertical-pod-autoscaler/rbac.yaml b/cluster/manifests/01-vertical-pod-autoscaler/rbac.yaml
index 7fdfce856f..da547d4bbe 100644
--- a/cluster/manifests/01-vertical-pod-autoscaler/rbac.yaml
+++ b/cluster/manifests/01-vertical-pod-autoscaler/rbac.yaml
@@ -284,7 +284,7 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: system:admission-controller
+ name: system:vpa-admission-controller
 labels:
 application: kubernetes
 component: vpa-admission-controller
@@ -325,19 +325,56 @@ rules:
 - get
 - list
 - watch
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - update
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: system:admission-controller
+ name: system:vpa-admission-controller
 labels:
 application: kubernetes
 component: vpa-admission-controller
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: system:admission-controller
+ name: system:vpa-admission-controller
 subjects:
 - kind: ServiceAccount
 name: vpa-admission-controller
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:vpa-status-reader
+rules:
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-status-reader-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpa-status-reader
+subjects:
+- kind: ServiceAccount
+ name: vpa-updater
+ namespace: kube-system
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
index c5e4e2109a..d0d2d82d73 100644
--- a/cluster/manifests/deletions.yaml
+++ b/cluster/manifests/deletions.yaml
@@ -39,6 +39,11 @@ pre_apply:
 component: metrics-scraper
 namespace: kube-system
 kind: Deployment
+# cleanup old vpa related roles
+- name: system:admission-controller
+ kind: ClusterRole
+- name: system:admission-controller
+ kind: ClusterRoleBinding
 
 # everything defined under here will be deleted after applying the manifests
 post_apply:

From 03bec51473a6ed733fc97d19ba1e994db3e285e4 Mon Sep 17 00:00:00 2001
From: Alexander Yastrebov
Date: Tue, 20 Sep 2022 21:15:12 +0200
Subject: [PATCH 2/7] fabric: update controller version
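Review bot: The two new objects `system:vpa-status-reader` and `system:vpa-status-reader-binding` carry no `labels:` block, while the ClusterRole and ClusterRoleBinding edited earlier in this hunk both have `application: kubernetes` and `component: vpa-admission-controller`, so label-based selection and ownership tooling will not see the new objects; add `labels:` with `application: kubernetes` and a component label (e.g. `component: vpa-updater`) under each `metadata:`. Separately, `system:vpa-admission-controller` now receives `create`/`update` on `leases` in `coordination.k8s.io` as a ClusterRole, i.e. on every lease in every namespace, which lets that service account take over other components' leader-election leases; if the lease it needs lives in kube-system, a namespaced Role/RoleBinding there, or a `resourceNames` restriction on the rule, keeps least privilege. This layout appears to mirror the upstream VPA RBAC manifests, so it may be a deliberate trade-off worth a comment. The sequence indentation is also mixed: `rules:` items are indented while `subjects:` items are flush.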
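Review bot: The stale `system:admission-controller` ClusterRole and ClusterRoleBinding are added under `pre_apply`, so, if that key is the counterpart of the `post_apply` section described by the visible comment `# everything defined under here will be deleted after applying the manifests`, the running vpa-admission-controller loses its authorization before the renamed `system:vpa-admission-controller` binding is applied, and webhook calls in that window fail RBAC. Moving the two entries below `post_apply:` closes the gap: the new binding is applied first and the old one deleted afterwards. The exact ordering of pre_apply relative to the apply step is inferred from the key names only.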
Signed-off-by: Alexander Yastrebov
---
 cluster/manifests/fabric-gateway/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cluster/manifests/fabric-gateway/deployment.yaml b/cluster/manifests/fabric-gateway/deployment.yaml
index a98a761878..e1fe1b2713 100644
--- a/cluster/manifests/fabric-gateway/deployment.yaml
+++ b/cluster/manifests/fabric-gateway/deployment.yaml
@@ -1,4 +1,4 @@
-{{ $version := "master-120" }}
+{{ $version := "master-126" }}
 
 apiVersion: apps/v1
 kind: Deployment

From 522016d0ec0b0e05daab00d118e3a50fe7b5b12f Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Tue, 20 Sep 2022 14:56:41 +0200
Subject: [PATCH 3/7] Update kube-ingress-aws-controller for SAToken refresh

---
 cluster/manifests/ingress-controller/deployment.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cluster/manifests/ingress-controller/deployment.yaml b/cluster/manifests/ingress-controller/deployment.yaml
index 8aa224cdae..db08eef33c 100644
--- a/cluster/manifests/ingress-controller/deployment.yaml
+++ b/cluster/manifests/ingress-controller/deployment.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: kube-system
 labels:
 application: kube-ingress-aws-controller
- version: v0.13.14
+ version: v0.13.18
 spec:
 replicas: 1
 selector:
@@ -15,7 +15,7 @@ spec:
 metadata:
 labels:
 application: kube-ingress-aws-controller
- version: v0.13.14
+ version: v0.13.18
 annotations:
 logging/destination: "{{.Cluster.ConfigItems.log_destination_both}}"
 prometheus.io/path: /metrics
@@ -30,7 +30,7 @@ spec:
 serviceAccountName: kube-ingress-aws-controller
 containers:
 - name: controller
- image: container-registry.zalando.net/teapot/kube-ingress-aws-controller:v0.13.14
+ image: container-registry.zalando.net/teapot/kube-ingress-aws-controller:v0.13.18
 args:
 - --stack-termination-protection
 - --ssl-policy={{ .ConfigItems.kube_aws_ingress_controller_ssl_policy }}

From f4f35ce35050d4dffff4165b476e49e7bd01f577 Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Wed, 21 Sep 2022 09:13:52 +0200
Subject: [PATCH 4/7] Update to ingress-controller v0.13.23

https://github.com/zalando-incubator/kube-ingress-aws-controller/releases/tag/v0.13.23

Signed-off-by: Mikkel Oscar Lyderik Larsen
---
 cluster/manifests/ingress-controller/deployment.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cluster/manifests/ingress-controller/deployment.yaml b/cluster/manifests/ingress-controller/deployment.yaml
index db08eef33c..6101c4e1c8 100644
--- a/cluster/manifests/ingress-controller/deployment.yaml
+++ b/cluster/manifests/ingress-controller/deployment.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: kube-system
 labels:
 application: kube-ingress-aws-controller
- version: v0.13.18
+ version: v0.13.23
 spec:
 replicas: 1
 selector:
@@ -15,7 +15,7 @@ spec:
 metadata:
 labels:
 application: kube-ingress-aws-controller
- version: v0.13.18
+ version: v0.13.23
 annotations:
 logging/destination: "{{.Cluster.ConfigItems.log_destination_both}}"
 prometheus.io/path: /metrics
@@ -30,7 +30,7 @@ spec:
 serviceAccountName: kube-ingress-aws-controller
 containers:
 - name: controller
- image: container-registry.zalando.net/teapot/kube-ingress-aws-controller:v0.13.18
+ image: container-registry.zalando.net/teapot/kube-ingress-aws-controller:v0.13.23
 args:
 - --stack-termination-protection
 - --ssl-policy={{ .ConfigItems.kube_aws_ingress_controller_ssl_policy }}

From 4f43d1e35722dee276d605fe5c464cf4d84977ac Mon Sep 17 00:00:00 2001
From: Alexander Yastrebov
Date: Wed, 21 Sep 2022 13:18:30 +0200
Subject: [PATCH 5/7] fabric: make resources configurable

* adds missing cpu limit config

Signed-off-by: Alexander Yastrebov
---
 cluster/config-defaults.yaml | 3 ++-
 cluster/manifests/fabric-gateway/deployment.yaml | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index f732b54732..d70ea6e648 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -277,7 +277,8 @@ skipper_cluster_scaling_schedules: ""
 # - production: adds "True() && True()" predicates to routes, updates FabricGateway status
 #
 fabric_gateway_controller_mode: "disabled"
-
+fabric_gateway_controller_cpu: "100m"
+fabric_gateway_controller_memory: "1Gi"
 fabric_gateway_crd_v1_enabled: "false"
 
 # kube-api-server settings
diff --git a/cluster/manifests/fabric-gateway/deployment.yaml b/cluster/manifests/fabric-gateway/deployment.yaml
index e1fe1b2713..a5a5c06b40 100644
--- a/cluster/manifests/fabric-gateway/deployment.yaml
+++ b/cluster/manifests/fabric-gateway/deployment.yaml
@@ -53,7 +53,8 @@ spec:
 - -log-level=info
 resources:
 requests:
- cpu: 100m
- memory: 1Gi
+ cpu: {{ .ConfigItems.fabric_gateway_controller_cpu }}
+ memory: {{ .ConfigItems.fabric_gateway_controller_memory }}
 limits:
- memory: 1Gi
+ cpu: {{ .ConfigItems.fabric_gateway_controller_cpu }}
+ memory: {{ .ConfigItems.fabric_gateway_controller_memory }}

From 9f8544af60a796ab6323aac944b6a0eb513567d4 Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Wed, 21 Sep 2022 17:01:40 +0200
Subject: [PATCH 6/7] Allow rolling back external-dns version

Signed-off-by: Mikkel Oscar Lyderik Larsen
---
 cluster/config-defaults.yaml | 5 +++++
 cluster/manifests/external-dns/01-rbac.yaml | 4 ++++
 cluster/manifests/external-dns/deployment.yaml | 4 ++++
 3 files changed, 13 insertions(+)

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index d70ea6e648..3b8e63db23 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
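Review bot: The new items `fabric_gateway_controller_cpu: "100m"` and `fabric_gateway_controller_memory: "1Gi"` are added without any comment, whereas the neighbouring `fabric_gateway_controller_mode` is preceded by a comment block explaining its values; the deployment hunk in this same patch uses each value for both the request and the limit, which an operator raising only the request would not expect. A line such as `# fabric gateway controller resources; each value is used as both request and limit` above the two keys would document that. Dropping the blank line after `fabric_gateway_controller_mode` is cosmetic only.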
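Review bot: The four templated quantities starting at `cpu: {{ .ConfigItems.fabric_gateway_controller_cpu }}` are inserted unquoted, so the YAML type of the rendered value depends on what an operator configures (a bare `1` renders as an integer, `100m` as a string); quoting them, `cpu: "{{ .ConfigItems.fabric_gateway_controller_cpu }}"`, keeps the scalar a string regardless of the configured value, matching how `logging/destination: "{{.Cluster.ConfigItems.log_destination_both}}"` is written in ingress-controller/deployment.yaml elsewhere in this series. Separately, the controller previously had no CPU limit and now gets one equal to its request (100m by default), so any burst above that is throttled; that behaviour change is worth stating in the commit message or in a comment on the `limits:` block. The `resources:` block ends within the hunk.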
@@ -649,6 +649,11 @@ external_dns_excluded_domains: cluster.local
 # synchronization policy between Kubernetes and AWS Route53 (default: sync, options: sync, upsert-only, create-only)
 external_dns_policy: sync
 
+# eternal-dns version for controlling roll-out, can be "current" or "legacy"
+# current => v0.12.2-master-29
+# legacy => v0.9.0-master-26
+external_dns_version: "current"
+
 # select which cache to use for Cluster DNS: unbound or dnsmasq.
 dns_cache: "dnsmasq"
 
diff --git a/cluster/manifests/external-dns/01-rbac.yaml b/cluster/manifests/external-dns/01-rbac.yaml
index 10d562556a..f613891577 100644
--- a/cluster/manifests/external-dns/01-rbac.yaml
+++ b/cluster/manifests/external-dns/01-rbac.yaml
@@ -22,7 +22,11 @@ rules:
 - apiGroups: [""]
 resources: ["services", "endpoints", "pods", "nodes"]
 verbs: ["list"]
+{{- if eq .Cluster.ConfigItems.external_dns_version "current" }}
 - apiGroups: ["networking.k8s.io"]
+{{- else }}
+- apiGroups: ["extensions"]
+{{- end }}
 resources: ["ingresses"]
 verbs: ["list"]
 - apiGroups: ["zalando.org"]
diff --git a/cluster/manifests/external-dns/deployment.yaml b/cluster/manifests/external-dns/deployment.yaml
index 96981e68eb..8a564f8580 100644
--- a/cluster/manifests/external-dns/deployment.yaml
+++ b/cluster/manifests/external-dns/deployment.yaml
@@ -34,7 +34,11 @@ spec:
 serviceAccountName: external-dns
 containers:
 - name: external-dns
+ {{- if eq .Cluster.ConfigItems.external_dns_version "current" }}
 image: container-registry.zalando.net/teapot/external-dns:v0.12.2-master-29
+ {{- else }}
+ image: container-registry.zalando.net/teapot/external-dns:v0.9.0-master-26
+ {{- end }}
 args:
 - --source=service
 - --source=ingress

From d3a84854ff053e4a21312af15b63d3c946e9dcc0 Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Wed, 21 Sep 2022 17:01:40 +0200
Subject: [PATCH 7/7] Allow rolling back external-dns version
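Review bot: The added comment `# eternal-dns version for controlling roll-out, can be "current" or "legacy"` misspells the component; it should read `# external-dns version for controlling roll-out, can be "current" or "legacy"`. The comment also promises two values, but the templates that consume `external_dns_version` in this patch (01-rbac.yaml and deployment.yaml) only test for `"current"`, so any other string, including a typo, selects the legacy image and the `extensions` API group; either state that here (`# any value other than "current" selects the legacy version`) or make the templates match `"legacy"` explicitly.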
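Review bot: The branch `{{- if eq .Cluster.ConfigItems.external_dns_version "current" }}` falls through to `- apiGroups: ["extensions"]` for every value that is not exactly `current`, so a misspelled config item silently rolls external-dns back to the legacy RBAC, and the deployment.yaml hunk below does the same for the image. Inverting the test to `{{- if eq .Cluster.ConfigItems.external_dns_version "legacy" }}` and swapping the two branches makes the current version the default for unknown values, so only an explicit `legacy` triggers the rollback; the same inversion applies in deployment.yaml. The `rules:` list continues outside the hunk.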
Signed-off-by: Mikkel Oscar Lyderik Larsen
---
 cluster/config-defaults.yaml | 5 +++++
 cluster/manifests/external-dns/01-rbac.yaml | 4 ++++
 cluster/manifests/external-dns/deployment.yaml | 4 ++++
 3 files changed, 13 insertions(+)

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index f732b54732..1c35e6a75f 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -648,6 +648,11 @@ external_dns_excluded_domains: cluster.local
 # synchronization policy between Kubernetes and AWS Route53 (default: sync, options: sync, upsert-only, create-only)
 external_dns_policy: sync
 
+# eternal-dns version for controlling roll-out, can be "current" or "legacy"
+# current => v0.12.2-master-29
+# legacy => v0.9.0-master-26
+external_dns_version: "current"
+
 # select which cache to use for Cluster DNS: unbound or dnsmasq.
 dns_cache: "dnsmasq"
 
diff --git a/cluster/manifests/external-dns/01-rbac.yaml b/cluster/manifests/external-dns/01-rbac.yaml
index 10d562556a..f613891577 100644
--- a/cluster/manifests/external-dns/01-rbac.yaml
+++ b/cluster/manifests/external-dns/01-rbac.yaml
@@ -22,7 +22,11 @@ rules:
 - apiGroups: [""]
 resources: ["services", "endpoints", "pods", "nodes"]
 verbs: ["list"]
+{{- if eq .Cluster.ConfigItems.external_dns_version "current" }}
 - apiGroups: ["networking.k8s.io"]
+{{- else }}
+- apiGroups: ["extensions"]
+{{- end }}
 resources: ["ingresses"]
 verbs: ["list"]
 - apiGroups: ["zalando.org"]
diff --git a/cluster/manifests/external-dns/deployment.yaml b/cluster/manifests/external-dns/deployment.yaml
index 96981e68eb..8a564f8580 100644
--- a/cluster/manifests/external-dns/deployment.yaml
+++ b/cluster/manifests/external-dns/deployment.yaml
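Review bot: This commit repeats PATCH 6/7 line for line (same subject, date and added lines), but its config-defaults.yaml `index` line starts from blob `f732b54732`, the state before PATCH 5/7, while PATCH 6/7 starts from `d70ea6e648`, and the hunk header is `@@ -648,6 +648,11 @@` rather than `@@ -649,6 +649,11 @@`; applied in series, the second copy will either fail to apply or add a duplicate `external_dns_version` key, which YAML parsers resolve silently as last-wins. One of the two commits should be dropped before merge. The wording and fall-through points raised on PATCH 6/7 apply to this copy as well.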
@@ -34,7 +34,11 @@ spec:
 serviceAccountName: external-dns
 containers:
 - name: external-dns
+ {{- if eq .Cluster.ConfigItems.external_dns_version "current" }}
 image: container-registry.zalando.net/teapot/external-dns:v0.12.2-master-29
+ {{- else }}
+ image: container-registry.zalando.net/teapot/external-dns:v0.9.0-master-26
+ {{- end }}
 args:
 - --source=service
 - --source=ingress