Automatic merge from submit-queue
[Federation] Downsize the release binary distribution v2.
Second attempt of PR #29632.
There are two things that this PR does:
1. It removes `federation-apiserver` and `federation-controller-manager` from binaries and docker_wrapped_binaries target lists.
2. Build the docker image for `hyperkube` on-the-fly while pushing the federation images.
```release-note
Federation binaries and their corresponding docker images - `federation-apiserver` and `federation-controller-manager` are now folded in to the `hyperkube` binary. If you were using one of these binaries or docker images, please switch to using the `hyperkube` version. Please refer to the federation manifests - `federation/manifests/federation-apiserver.yaml` and `federation/manifests/federation-controller-manager-deployment.yaml` for examples.
```
cc @kubernetes/sig-cluster-federation @colhom
Fixes Issue #28633
Automatic merge from submit-queue
Proper phase/finalizer logic in federated namespace controller
Part 1 of delete logic cleanup.
Part 2 will contain namespace content deletion and tests.
cc: @quinton-hoole @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
return destroy func to clean up internal resources of storage
What?
Provide a destroy func to clean up internal resources of storage.
It changes **unit tests** to clean up resources. (Maybe fix integration test in another PR.)
Why?
Although apiserver is designed to be long running, there are some cases that it's not.
See https://github.com/kubernetes/kubernetes/issues/31262#issuecomment-242208771
We need to gracefully shutdown and clean up resources.
Also build the hyperkube docker image on-the-fly.
This is only a temporary fix until the proposal in issue
https://github.com/kubernetes/kubernetes/issues/28630 is implemented.
Also, the new build/deployment method completely obviates this step.
We use debian image instead of busybox and do not build hyperkube as a
static binary yet. Wait until PR
https://github.com/kubernetes/kubernetes/pull/26028 is merged to build
static hyperkube binaries.
The idea behind this separation is that it provides a clear distinction
between the dev environment and the prod environment. The
deploy/deploy.sh script will be shipped to the users, but
develop/develop.sh will be purely for development purposes and won't
be part of a release distribution.
Purely for developer convenience, all the deployment functionality is
made available through the develop/develop.sh script.
This change also copies deploy/* files into the release distribution.
Automatic merge from submit-queue
ObjectMeta equivalence in federated controller handlers + update in fed secrets
Federated secrets should trigger also on data/type update, not only on object meta.
cc: @quinton-hoole @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Add Cluster field in ObjectMeta
There will be no sub-rs, but add `Cluster` field to the ObjectMeta (for all the objects)
"To distinguish the object at the federation level from it's constituents at the cluster level we will add a "Cluster" field to the metadata of all objects (where the federation itself will also have a cluster identifier). That way it is possible to list, interact with, and distinguish between the objects either at the federation level or at the individual cluster level based on the cluster identifier. "
@quinton-hoole @nikhiljindal @deepak-vij @mfanjie @huangyuqi
[]()
Automatic merge from submit-queue
federation: Adding support for namespace admission controls in federation-apiserver
Now that we have namespaces in federation apiserver, we can support namespace admission controls.
There are 3 of these:
namespace/autoprovision, namespace/exists and namespace/lifecycle.
namespace/autoprovision, namespace/exists should be deprecated in kubernetes(https://github.com/kubernetes/kubernetes/issues/31195). Adding support for namespace/lifecycle to federation-apiserver.
As in kube-apiserver, enabling namespace/lifecycle by default.
```release-note
Action required: If you have a running federation control plane, you will have to ensure that for all federation resources, the corresponding namespace exists in federation control plane.
federation-apiserver now supports NamespaceLifecycle admission control, which is enabled by default. Set the --admission-control flag on the server to change that.
```
cc @kubernetes/sig-cluster-federation @quinton-hoole
Automatic merge from submit-queue
Object meta fixes in federation controllers
This PR adds helper functions for handling object meta structs and applies them to the existing controllers.
cc: @quinton-hoole @jianhuiz @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
pkg/genericapiserver/options: don't import pkg/apiserver
Refactor the authorization options for the API server so
pkg/apiserver isn't directly imported by the options package.
Closes#28544
cc @smarterclayton
@madhusudancs, @nikhiljindal I've updated `federation/cmd/federation-apiserver/app/server.go` to include the RBAC options with this change. I don't know if this was intentionally left out in the first place but would like your feedback.
Automatic merge from submit-queue
Federation informer use kube clientset for target
This is to use kubernetes clientset as the federation informer target clientset as it's used to talking the k8s cluster.
#29939#30669#30207
@mwielgus @quinton-hoole @kshafiee @deepak-vij
Automatic merge from submit-queue
change all PredicateFunc to use SelectionPredicate
What?
- This PR changes all PredicateFunc in registry to return SelectionPredicate instead of Matcher interface.
Why?
- We want to pass SelectionPredicate to storage layer. Matcher interface did not expose enough information for indexing.
Automatic merge from submit-queue
Handle secret namespace and data properly in federated secret controller
This PR fixes what was missed in #30669 review. It uses both namespace and secret name for keying and propagates secret data to underlying clusters.
cc: @quinton-hoole @kshafiee @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
federation: updating cluster name validation to allow DNS labels only
Forked from https://github.com/kubernetes/kubernetes/pull/28921
Summarizing the discussion from that PR:
* Right now, we allow name of the Cluster resource in federation/v1beta1 group version to be a subdomain (group of DNS labels separated by dots). This prevents us from using the cluster name in our dns search paths, since there is a restriction of 6 domain labels there.
* Restricting cluster name to DNS label will give us the flexibility to be able to do that in the future, if we want to. Though we do not have a concrete use case right now, the possibility is attractive.
* There is not a strong argument in favor of allowing subdomains as cluster names right now. If in future, there is one then we can get more permissive but its better to start with a stricter model.
Note that we are breaking a beta API, but it should be fine since we do not expect anyone to be using subdomain as cluster name. Have added release-note-action-required label
```release-note
Action required: federation-only: Please update your cluster name to be a valid DNS label.
Updating federation.v1beta1.Cluster API to disallow subdomains as valid cluster names. Only DNS labels are allowed as valid cluster names now.
```
Automatic merge from submit-queue
Support for preexisting replicas and estimated capacity in federated replicaset controller
With this PR the planer will be able to:
* Keep already existing replicas in their current clusters if rebalance = false and min/max boundaries are met.
* Limit the number of replicas in a cluster to the level that was measured by the count of running and unschedulable pods. And provide an estimate how much more pods would be nice to put in a cluster so that if they are scheduled we will be closer to the desired layout or to schedule the desired number of replicas at all.
cc: @quinton-hoole @jianhuiz @wojtek-t @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Move UTs that block on apiserver to integration tests.
In validating etcd.v3client we had uncovered that a change in the behavior of the client https://github.com/coreos/etcd/issues/6162 , caused a number of unit tests to fail. These test failures were due to the fact that the unit tests were trying to standup a apiserver even though there was no etcd backend stood up.
This PR simply shuffles those tests to integration tests, which is where they should be.
/cc @kubernetes/sig-scalability @wojtek-t @hongchaodeng @xiang90
Automatic merge from submit-queue
Fix deadlock possibility in federated informer
On cluster add subinformer locks and tries to add cluster to federated informer. When someone checks if everything is in sync federated informer is locked and then subinformer is inspected what apparently requires a lock. With really bad timing this can create a deadlock.
This PR ensures that there is always at most 1 lock taken in federated informer.
cc: @quinton-hoole @kubernetes/sig-cluster-federation
Fixes: #30855
Automatic merge from submit-queue
Federated namespace controller
Implemented based on federation common libs.
Depends on #30126.
cc: @quinton-hoole @wojtek-t @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Update dnsprovider multi-type support test to test for an A-record and an AAAA-record.
Having an A-record and a CNAME-record in the tests led to a confusion
that dns providers support such configurations. This change avoids
that confusion by putting only compatible records for the same domain
name in the tests.
cc @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Fixing the error in registering /v1 api
Temporary fix for https://github.com/kubernetes/kubernetes/issues/30635.
Am working on a proper fix, but its much bigger.
Would be good to unblock devs in the meantime.
cc @lavalamp @kubernetes/sig-api-machinery
Having an A-record and a CNAME-record in the tests led to a confusion
that dns providers support such configurations. This change avoids
that confusion by putting only compatible records for the same domain
name in the tests.
Automatic merge from submit-queue
SetClientFactory in FederatedInformer
For unit tests.
cc: @quinton-hoole @wojtek-t @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Move new etcd storage (low level storage) into cacher
In an effort for #29888, we are pushing forward this:
What?
- It changes creating etcd storage.Interface impl into creating config
- In creating cacher storage (StorageWithCacher), it passes config created above and new etcd storage inside.
Why?
- We want to expose the information of (etcd) kv client to cacher. Cacher storage uses this information to talk to remote storage.
Automatic merge from submit-queue
A build and deploy script to manage cluster federation lifecycle and a Makefile wrapper to drive that process.
Also includes a sample config file to describe clusters.
The build script implements the following things:
1. Generates the required configs.
2. Builds the hyperkube binary and the corresponding docker image.
3. Pushes the image to a specified repository.
4. Pulls the federation installer docker images.
5. Builds the Kubernetes clusters described the config.json file.
6. Pushes the federation components to one of the Kubernetes clusters
built in the previous step.
7. Also turns down the federation components and the Kubernetes
clusters.
**NOTE**: Installer images are right now being pulled from my public repository of docker images. I am working on pushing them to our release repository.
```release-note
Cluster Federation components can now be built and deployed using the make command. Please see federation/README.md for details.
```
cc @kubernetes/sig-cluster-federation @colhom
Fixes: Issue #26655
Kubernetes Submit Queue