-------------------------------------------------------------------
Fri Sep 1 14:55:10 UTC 2017 - containers-bugowner@suse.de

- Commit a39c1c6 by Jordi Massaguer Pla jmassaguerpla@suse.de
  update requirements of docker images

  admin-node-setup.sh script expects images to have a .tag file in order to
  substitute the __TAG__ tags in public.yaml and private.yaml

  This .tag is in the update images, which are >= 1.1.0

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Wed Aug 30 13:56:31 UTC 2017 - containers-bugowner@suse.de

- Commit b1ab0c3 by Kiall Mac Innes kiall@macinnes.ie
  Use the tagfiles rather than hardcoding a tag

  This decouples our manifests from the tag of the images contained within
  the RPMs. These tagfiles will contain the latest, and most specific, tag
  for a given image.

  (cherry picked from commit 5ed140b8c1726828d780b8826ced5b6765cce60e)

-------------------------------------------------------------------
Tue Jul 25 08:55:55 UTC 2017 - containers-bugowner@suse.de

- Commit 42e94d3 by Flavio Castelli fcastelli@suse.com
  Improve comment about how to access velum

  Be explicit about using `https://`, some users tried to access velum
  using `http://velum-ip:443`.

  Fixes bsc#1047310

  (cherry picked from commit 16553956d341321e7733eab36679b88b631dd4b2)

-------------------------------------------------------------------
Mon Jul 24 12:40:09 UTC 2017 - containers-bugowner@suse.de

- Commit 20fef89 by Rafael Fernández López ereslibre@ereslibre.es
  Cache the grains on the `ca` container

  Rendering grains on the `ca` takes a fair amount of time if they are not
  cached, as lots of grains are falling back to other cases, making other
  calls like `publish.publish` time out (timeouts by default after 5
  seconds).

  Forcing the grains cache will be slow only the first time, when the grains
  get populated, and will get cached, making future uses faster.

  Fixes: bsc#1049886

-------------------------------------------------------------------
Fri Jul 21 12:47:52 UTC 2017 - containers-bugowner@suse.de

- Commit c436fd9 by Rafael Fernández López ereslibre@ereslibre.es
  Add fingerprints to the velum issue

  By adding SHA1 and SHA256 fingerprints to the Velum issue, we can ensure
  that the instance we are accessing is the right one, and we are not
  mistaken (several clusters) or to reject a MITM, since the certificate
  chain of trust does not exist (the CA is autogenerated), and the customer
  has no way to import the CA as trusted for now.

  Fixes: bsc#1048135

-------------------------------------------------------------------
Fri Jul 14 13:48:35 UTC 2017 - containers-bugowner@suse.de

- Commit 001ac9f by Maximilian Meister mmeister@suse.de
  make branch safe by transforming slashes to dashes

  Signed-off-by: Maximilian Meister

  (cherry picked from commit d376008e7402a94592885caf07755ea0e86ba577)

- Commit d6f5250 by Maximilian Meister mmeister@suse.de
  packaging: make branch configurable

  Signed-off-by: Maximilian Meister

  (cherry picked from commit 4cfa01c0e5eeadbd4e3927881d8b43662a265adb)

-------------------------------------------------------------------
Fri Jul 14 13:47:20 UTC 2017 - containers-bugowner@suse.de

- Commit 1e3ef9e by Kiall Mac Innes kiall@macinnes.ie
  Add Jenkinsfile

  The Jenkinsfile in each repo, if we adopt Jenkins in the end, will be very
  thin, including just a single library load, and a single method call.

  This prevents us from needing to keep each project's Jenkinsfile in sync
  as CI changes are made.

-------------------------------------------------------------------
Tue Jul 11 10:27:54 UTC 2017 - containers-bugowner@suse.de

- Commit 1e3ef9e by Kiall Mac Innes kiall@macinnes.ie
  Add Jenkinsfile

  The Jenkinsfile in each repo, if we adopt Jenkins in the end, will be very
  thin, including just a single library load, and a single method call.

  This prevents us from needing to keep each project's Jenkinsfile in sync
  as CI changes are made.

-------------------------------------------------------------------
Thu Jul 6 12:38:26 UTC 2017 - containers-bugowner@suse.de

- Commit 2a2a6af by Kiall Mac Innes kiall@macinnes.ie
  Reinstate critical flag on x509 extensions

  Reinstate the critical flag on two x509 extensions:

  * X509v3 Basic Constraints (CA=False)
  * X509v3 Key Usage (Digital Signature, Non Repudiation, Key Encipherment)

  bsc#1046708

-------------------------------------------------------------------
Tue Jul 4 16:47:24 UTC 2017 - containers-bugowner@suse.de

- Commit c685e59 by Kiall Mac Innes kiall@macinnes.ie
  Match up TLS cert generation to genca.sh

  * Remove critical constraints
  * Add nonRepudiation and digitalSignature key usages
  * Include only the keyid Authority Identifier

  bsc#1046708

- Commit eb05991 by Kiall Mac Innes kiall@macinnes.ie
  Include a UUID in the CA's Subject field

  Including a random UUID in the CA's subject fields ensures that browsers
  do not cache certs from older deployments, preventing access to
  replacement deployments.

  bsc#1046881

- Commit ee9d3ab by Kiall Mac Innes kiall@macinnes.ie
  Include x509 Subject and Authority IDs in certs

  e.g:

      X509v3 extensions:
          X509v3 Subject Key Identifier:
              15:5F:91:F5:63:EA:85:B6:91:AB:8C:A9:9E:C2:36:F0:FD:11:B8:2E
          X509v3 Authority Key Identifier:
              keyid:F2:AA:7D:21:48:9D:45:00:FA:0C:94:40:48:81:B7:92:33:B5:27:12

  bsc#1046881

- Commit 69a738d by Kiall Mac Innes kiall@macinnes.ie
  End entity TLS certs should not be CA certs

  Use different extensions when self signing the CA cert, and when signing
  end entity certs.

  bsc#1047177

- Commit 0c4bbd7 by Kiall Mac Innes kiall@macinnes.ie
  CA: Add some logging to more easily identify the steps

-------------------------------------------------------------------
Fri Jun 30 11:54:29 UTC 2017 - containers-bugowner@suse.de

- Commit 7ae4dac by Rafael Fernández López ereslibre@ereslibre.es
  Rename `velum-dashboard-autoyast` to `velum-autoyast`

  We have a lot of processes in the development, e2e-tests and debugging
  environments that use `velum-dashboard`. Renaming the autoyast serving
  to `velum-autoyast` will make them still only match one container, the
  one they expect (actually both of them are practically the same thing,
  but to keep things as they were).

-------------------------------------------------------------------
Fri Jun 30 09:50:00 UTC 2017 - containers-bugowner@suse.de

- Commit ab71633 by Jordi Massaguer Pla jmassaguerpla@suse.de
  fix requirements for the docker images

  This is needed to fix bsc#1046378

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Thu Jun 29 17:10:53 UTC 2017 - containers-bugowner@suse.de

- Commit f9ee78a by Rafael Fernández López ereslibre@ereslibre.es
  Add gen-certs script

  This script will generate a CA and both certificates for services that
  need to start with TLS enabled: `velum` and `salt-api`.

  Thanks to Robert Roland (@robdaemon) for providing the original script.

  Fixes: bsc#1043570
  Fixes: bsc#1043589

-------------------------------------------------------------------
Wed Jun 28 16:21:10 UTC 2017 - containers-bugowner@suse.de

- Commit 6714137 by Kiall Mac Innes kiall@macinnes.ie
  Clear TX update grains on admin node boot

  bsc#1045379

  Clear the tx_update_{reboot_needed,failed} grains upon boot. This
  ensures the UI doesn't continue to show an admin node upgrade after
  we've upgraded.

-------------------------------------------------------------------
Wed Jun 28 12:45:13 UTC 2017 - containers-bugowner@suse.de

- Commit aa1a388 by Alvaro Saurin alvaro.saurin@gmail.com
  Minor: some comments

-------------------------------------------------------------------
Wed Jun 28 12:27:04 UTC 2017 - containers-bugowner@suse.de

- Commit 0ea70ff by Kiall Mac Innes kiall@macinnes.ie
  Remove unnecessary code from activate.sh

  See SR#135010, SR#134883, SR#134572

-------------------------------------------------------------------
Wed Jun 28 11:06:58 UTC 2017 - containers-bugowner@suse.de

- Commit b738430 by Graham Hayes graham.hayes@suse.com
  bsc#1045350 Accept salt keys that have been pre-generated

  Currently the admin node's salt minion starts before the container that
  generates and accepts keys is run. This means that the salt minion is
  started with a key that is not accepted, and goes to a pending state.

  This checks if the key is pre-generated, and if we have accepted a key
  from this minion before. If the key has been generated, but not accepted,
  we accept the key and continue.

-------------------------------------------------------------------
Tue Jun 27 15:16:44 UTC 2017 - containers-bugowner@suse.de

- Commit bf6b0f0 by Graham Hayes graham.hayes@suse.com
  bsc#1043592 Use mktemp to create tmp directories

  Use `mktemp` to ensure that the directory has a random name

-------------------------------------------------------------------
Tue Jun 27 11:48:39 UTC 2017 - containers-bugowner@suse.de

- Commit 2ab0646 by Thorsten Kukuk kukuk@thkukuk.de
  Fix order number of velum.conf for issue.d (we use only two digit numbers)

-------------------------------------------------------------------
Tue Jun 27 11:42:22 UTC 2017 - containers-bugowner@suse.de

- Commit 09c947b by Jordi Massaguer Pla jmassaguerpla@suse.de
  add the admin-node-setup script and service to the package

  This is the 3rd step to fix bsc#1045378 - activate.sh was not rerun
  after admin node upgrade

- Commit 81a7983 by Jordi Massaguer Pla jmassaguerpla@suse.de
  add admin-node-setup service

  This is the second step to fix bsc#1045378 - activate.sh was not rerun
  after admin node upgrade

  We create a service that will run the admin-node-setup.sh on every
  reboot (thus on every update)

  Enable this in the activate.sh

- Commit 68926c0 by Jordi Massaguer Pla jmassaguerpla@suse.de
  split activate into 2

  This is the first step to fix bsc#1045378 - activate.sh was not rerun
  after admin node upgrade.

  We need to split the script in 2:

  - activate.sh: run only once after the installation
  - admin-node-setup.sh: run on every reboot (thus in every update)

-------------------------------------------------------------------
Mon Jun 26 11:40:59 UTC 2017 - containers-bugowner@suse.de

- Commit d5a5ccc by Graham Hayes graham.hayes@suse.com
  bsc#1043592 Add pre-generation of minion keys

  Generates 2 salt keys (ca and admin) and places them in the correct
  directories.

  This allows us to remove *auto_accept* from the master config file and
  select the rest of the members of the cluster.

  The admin key is written out to */etc/salt/pki/minion/minion.(pub|pem)*

  The ca key is written out to the same path in the container.

  bsc#1043592

-------------------------------------------------------------------
Fri Jun 23 10:24:50 UTC 2017 - containers-bugowner@suse.de

- Commit 1f5680c by Rafael Fernández López ereslibre@ereslibre.es
  Mount `salt-master` and `salt-minion-ca` caches from the host

  This way we ensure that the mine information and other cached
  information survives reboots.

  Fixes: bsc#1045368

-------------------------------------------------------------------
Thu Jun 22 09:47:54 UTC 2017 - containers-bugowner@suse.de

- Commit 5e81ace by Graham Hayes graham.hayes@suse.com
  Add 'grains_refresh_every' to config

-------------------------------------------------------------------
Tue Jun 20 11:26:20 UTC 2017 - containers-bugowner@suse.de

- Commit ea55036 by Rafael Fernández López ereslibre@ereslibre.es
  Connect the `salt-minion` in the administration dashboard machine to
  the `salt-master`

  Set the `admin` role to the administration dashboard machine, as well as
  the minion configuration (`id` and `master` location).

  This way we will leave the `salt-minion` in the administration dashboard
  connected to the `salt-master` for future orchestrated upgrades.

-------------------------------------------------------------------
Thu Jun 8 12:32:35 UTC 2017 - containers-bugowner@suse.de

- Commit 6db8409 by Rafael Fernández López ereslibre@ereslibre.es
  Do not mount `/usr/share/salt/kubernetes/config/master.d` from the host

  We will be mounting other volumes on top of this on the containers, and
  they will fail because on the host,
  `/usr/share/salt/kubernetes/config/master.d` is a `RO` volume.

  We fix this by mounting all specific files in the containers instead of
  the top level directory of the hierarchy. This imposes on us the
  restriction to modify the container manifests every time a new config
  file appears, but that should not happen very often.

  Otherwise, we cannot add our own configuration files on top of the `RO`
  mounted volume, because they will fail.

  In this case, the mounted folder on the containers will be
  `/etc/salt/master.d`, but in this case this folder won't be mounted from
  `/usr/share/salt/kubernetes/config/master.d`, it will live only in the
  container, and we will mount the specific files under it, which will
  avoid the `RO` volume problems from the host.

-------------------------------------------------------------------
Thu Jun 8 09:52:55 UTC 2017 - containers-bugowner@suse.de

- Commit faa0ddb by Rafael Fernández López ereslibre@ereslibre.es
  Do not mount these three mountpoints readonly

  Related to infrastructure secrets. It makes the container initialization
  fail. Ideally they should be read-only, as they will only read from here,
  but something is trying to write in there, preventing containers from
  starting.

-------------------------------------------------------------------
Thu Jun 8 07:54:36 UTC 2017 - containers-bugowner@suse.de

- Commit 46e5def by Rafael Fernández López ereslibre@ereslibre.es
  Install setup folder -- we need it to mount the initialization scripts

  Related to hardcoded secrets removal, was a bug in the packaging side

-------------------------------------------------------------------
Wed Jun 7 14:15:24 UTC 2017 - containers-bugowner@suse.de

- Commit 5c48335 by Rafael Fernández López ereslibre@ereslibre.es
  Remove hardcoded secrets

  We will be generating secrets with init containers. These secrets will
  be created in a volume mounted from the host, so they survive reboots.
  While being sufficient for our GA purposes we will need to rethink how
  we do this in a HA environment.

  Some secrets are generated with the init containers:

  * mysql root password
  * mysql velum user password
  * mysql salt user password
  * saltapi user password

  Once we have generated all the passwords, we need to write this
  configuration on files that will be mounted on the different containers,
  so the different services can read the files where the passwords are
  written. By default, passwords will be created in files with permissions
  400.

  Password generation uses `/dev/random`, performing a `base64` encoding
  of that random content, and picking up a line of the `base64` output.

  Images will take these environment variables and they will use their
  entrypoint to perform the required actions. Example:

  * mariadb container will set the root password and do some
    initializations
  * salt-master container will `chpasswd` the `saltapi` user to the
    generated saltapi password.

-------------------------------------------------------------------
Tue Jun 6 11:40:57 UTC 2017 - containers-bugowner@suse.de

- Commit bf0bce0 by Kiall Mac Innes kiall@macinnes.ie
  Bump image tag for salt pods to 2016.11.4

-------------------------------------------------------------------
Fri Jun 2 15:05:53 UTC 2017 - containers-bugowner@suse.de

- Commit 331fd9b by Kiall Mac Innes kiall@macinnes.ie
  Update RPM spec for salt 2016.11.4

  As the RPM names have changed with the new tag, we need to update the
  spec to require the new salt version.
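As an added illustration of the secret-generation scheme in the Jun 7 2017 "Remove hardcoded secrets" entry above (example code written for this changelog, not the project's init-container script): random bytes are base64-encoded, one line is picked out, the file is created with mode 400, and an existing file is reused so the secret survives reboots on the host-mounted volume. SECRETS_DIR, the function names and the secret file names are assumptions; /dev/urandom stands in for the /dev/random the entry names so the example does not block on a headless machine.

```shell
#!/bin/sh
# Added example, not the project's own script. Generates a secret the way the
# "Remove hardcoded secrets" entry describes and keeps it idempotent across
# reboots: an existing file in the (assumed) host-mounted volume is reused.
# SECRETS_DIR is an assumption for this example; the project mounts a host
# volume for its secrets.

SECRETS_DIR="${SECRETS_DIR:-/tmp/example-secrets}"

# gen_secret NAME: create $SECRETS_DIR/NAME with mode 0400 unless it already
# holds a value. Prints the file path; returns non-zero if creation failed.
gen_secret() {
    name=$1
    path="$SECRETS_DIR/$name"
    mkdir -p "$SECRETS_DIR" || return 1
    if [ ! -s "$path" ]; then
        # 48 random bytes -> 64 base64 characters on a single line; the
        # entry reads /dev/random, /dev/urandom is used here (assumption).
        secret=$(head -c 48 /dev/urandom | base64 | head -n 1 | tr -d '\n')
        # Create the file already closed to everyone else: umask runs in a
        # subshell so the caller's umask is left untouched.
        (umask 077 && printf '%s\n' "$secret" > "$path") || return 1
        chmod 0400 "$path" || return 1
    fi
    printf '%s\n' "$path"
}

# secret_mode PATH: the ten-character permission string from ls, e.g.
# "-r--------" for a 0400 regular file (works with a trailing SELinux dot).
secret_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_secret NAME: the file exists, is 0400, holds exactly one line and that
# line looks like base64 of a reasonable length. Returns non-zero otherwise.
check_secret() {
    path="$SECRETS_DIR/$1"
    [ -f "$path" ] || return 1
    [ "$(secret_mode "$path")" = "-r--------" ] || return 1
    [ "$(wc -l < "$path")" -eq 1 ] || return 1
    grep -Eq '^[A-Za-z0-9+/=]{20,}$' "$path" || return 1
}
```

The mode check is the one a defender wants on every boot: a secret file that has drifted to a wider mode is a misconfiguration to alert on, not something to silently tighten.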
-------------------------------------------------------------------
Thu May 25 19:59:20 UTC 2017 - containers-bugowner@suse.de

- Commit 1880b3f by Rafael Fernández López ereslibre@ereslibre.es
  Make substitution in a safer way for --pod-infra-container-image argument

  This wasn't working on our production image because we are using
  Kubernetes 1.5 that in our config comes with the following setting in
  /etc/kubernetes/kubelet:

      KUBELET_ARGS="--config=/etc/kubernetes/manifests"

  On 1.6, --config has been completely removed and it will use
  --pod-manifest-path, but not on our current installed configuration.

  By adding this change, we ensure that we only make the replacement once
  (if the pod-manifest-path is already there we won't do anything), and we
  don't rely on the current contents for making the substitution.

  Fixes: bsc#1039863

-------------------------------------------------------------------
Wed May 24 17:24:18 UTC 2017 - containers-bugowner@suse.de

- Commit f24962e by Rafael Fernández López ereslibre@ereslibre.es
  Mount MariaDB configuration under `/etc/my.cnf.d`

  * Under SLE the configuration lives under `/etc/my.cnf.d`
  * Add `[mysqld]` section to the skip-networking file so it will be
    processed by mysqld (otherwise it's ignored)
  * Mount only the `skip-networking.cnf` file, as other cnf files come
    pre-installed in `/etc/my.cnf.d` and we would be shadowing them

-------------------------------------------------------------------
Tue May 23 15:10:52 UTC 2017 - containers-bugowner@suse.de

- Commit b050481 by Michal Jura mjura@suse.com
  Kubernetes does not pick the sles12/pause image, bsc#1039863

  Kubernetes does not pick the sles12/pause image, but the one from GCR on
  OpenStack.

  After Kubernetes version upgrade KUBELET_ARGS changed and option --config
  for sed regular expression is not matched.

  This change is fixing sed regular expression for /etc/kubernetes/kubelet
  config file.

-------------------------------------------------------------------
Fri May 12 10:45:17 UTC 2017 - containers-bugowner@suse.de

- Share ssh public key for autoyast profile, bsc#1030876

-------------------------------------------------------------------
Mon May 8 12:01:02 UTC 2017 - containers-bugowner@suse.de

- Use the configuration files found in the kubernetes-salt package

-------------------------------------------------------------------
Wed May 3 15:13:12 UTC 2017 - containers-bugowner@suse.de

- activate.sh: notify that velum is starting (bsc#1031682)

-------------------------------------------------------------------
Wed May 3 14:08:27 UTC 2017 - containers-bugowner@suse.de

- Set the presence flag

-------------------------------------------------------------------
Wed Apr 26 14:22:47 UTC 2017 - containers-bugowner@suse.de

- Mount mysql data dir

-------------------------------------------------------------------
Tue Apr 25 17:21:11 UTC 2017 - containers-bugowner@suse.de

- Update salt-master configuration

-------------------------------------------------------------------
Tue Apr 25 15:22:22 UTC 2017 - containers-bugowner@suse.de

- Update mysql paths after checking manifests in production
- Migrate https://github.com/kubic-project/velum/pull/104 to production

-------------------------------------------------------------------
Tue Apr 25 10:58:37 UTC 2017 - containers-bugowner@suse.de

- Migrate https://github.com/kubic-project/velum/pull/126/files to production

-------------------------------------------------------------------
Wed Apr 19 18:04:08 UTC 2017 - containers-bugowner@suse.de

- Add missing VELUM_SALT_PASSWORD

-------------------------------------------------------------------
Tue Apr 18 14:10:00 UTC 2017 - containers-bugowner@suse.de

- activate.sh: fix bsc#1032651

-------------------------------------------------------------------
Fri Mar 31 13:13:58 UTC 2017 - containers-bugowner@suse.de

- Persist CA certificates and issued certificates

-------------------------------------------------------------------
Tue Mar 28 13:45:34 UTC 2017 - containers-bugowner@suse.de

- Enable etcd using the activate.sh script

-------------------------------------------------------------------
Mon Mar 27 14:44:56 UTC 2017 - containers-bugowner@suse.de

- Added a temporary fix for the pause container in the dashboard

-------------------------------------------------------------------
Fri Mar 24 15:59:56 UTC 2017 - containers-bugowner@suse.de

- Rename database

-------------------------------------------------------------------
Fri Mar 24 11:04:47 UTC 2017 - containers-bugowner@suse.de

- Remove leftover that made the kubelet ignore salt.yaml file

-------------------------------------------------------------------
Thu Mar 23 17:28:13 UTC 2017 - containers-bugowner@suse.de

- fix call to init

-------------------------------------------------------------------
Thu Mar 23 16:20:16 UTC 2017 - containers-bugowner@suse.de

- use bundle as this is a symlink now in the image
- review entry commands

-------------------------------------------------------------------
Thu Mar 23 16:16:16 UTC 2017 - containers-bugowner@suse.de

- Fix TODO comments about path prefixes
- Add velum configuration settings

-------------------------------------------------------------------
Thu Mar 23 13:56:22 UTC 2017 - containers-bugowner@suse.de

- Use port 80 by default

-------------------------------------------------------------------
Thu Mar 23 13:35:01 UTC 2017 - containers-bugowner@suse.de

- fix velum version in spec
- replace opensuse by sles12 images

-------------------------------------------------------------------
Thu Mar 23 11:58:37 UTC 2017 - containers-bugowner@suse.de

- redirect errors to standard error

-------------------------------------------------------------------
Wed Mar 22 14:48:12 UTC 2017 - containers-bugowner@suse.de

- check if the activate is being run by YaST or by cloud-init

-------------------------------------------------------------------
Wed Mar 22 11:51:39 UTC 2017 - containers-bugowner@suse.de

- Clarify the important assumption that DB container will not move to a
  different host after it is started for the very first time.

-------------------------------------------------------------------
Wed Mar 22 11:48:43 UTC 2017 - containers-bugowner@suse.de

- fix enabled services in controller node

-------------------------------------------------------------------
Wed Mar 22 11:34:44 UTC 2017 - containers-bugowner@suse.de

- add executable permissions to activate.sh

-------------------------------------------------------------------
Tue Mar 21 14:46:37 UTC 2017 - containers-bugowner@suse.de

- fix velum name

-------------------------------------------------------------------
Mon Mar 20 16:57:20 UTC 2017 - containers-bugowner@suse.de

- add the required images for caasp as Requires

-------------------------------------------------------------------
Fri Mar 17 15:11:16 UTC 2017 - containers-bugowner@suse.de

- add activate in rpm

-------------------------------------------------------------------
Fri Mar 17 12:34:31 UTC 2017 - containers-bugowner@suse.de

- Revert "add pv-recycler-node image"

-------------------------------------------------------------------
Wed Mar 15 16:44:37 UTC 2017 - containers-bugowner@suse.de

- Revert "add pv-recycler-node image"

-------------------------------------------------------------------
Wed Mar 15 16:38:29 UTC 2017 - containers-bugowner@suse.de

- add pv-recycler-node image

-------------------------------------------------------------------
Wed Mar 15 16:32:27 UTC 2017 - containers-bugowner@suse.de

- use mariadb docker image based on sles12sp2

-------------------------------------------------------------------
Wed Mar 15 16:29:12 UTC 2017 - containers-bugowner@suse.de

- update salt images to sles12 images

-------------------------------------------------------------------
Tue Mar 14 17:21:30 UTC 2017 - containers-bugowner@suse.de

- packaging: don't expand inner variables in the template

-------------------------------------------------------------------
Tue Mar 14 17:02:27 UTC 2017 - containers-bugowner@suse.de

- packaging: help automated packaging for caasp-container-manifests

-------------------------------------------------------------------
Thu Mar 9 13:18:52 UTC 2017 - jmassaguerpla@suse.com

- Add configuration files

-------------------------------------------------------------------
Thu Mar 2 10:39:12 UTC 2017 - hguo@suse.com

- New package, initial release.