This repository was archived by the owner on Jun 29, 2022. It is now read-only.

v0.5.0


@knrt10 knrt10 released this 27 Oct 17:16

We're happy to announce the release of Lokomotive v0.5.0 (Eurostar).

This release packs new features, bug fixes, code optimizations, platform updates and security hardening.

Changes in v0.5.0

Kubernetes updates

Platform updates

AKS
  • Update Kubernetes to 1.18.8 (#1071).
Baremetal
  • Expose CNI MTU on the baremetal platform (#977).

New components

Component updates

  • Update Velero component for Packet (OpenEBS and restic plugin support) (#881).
  • istio-operator: Update to 1.7.3 (#1086).
  • prometheus-operator: Update grafana, kube-state-metrics and node_exporter (#963).
  • cert-manager: Update to 1.0.3 (#1114).

Terraform updates

  • Update to Terraform 0.13 (#824).

Features

  • Support in-cluster pod traffic encryption (#911).
  • AWS, Packet, Baremetal: use Docker instead of rkt for host containers (#946).
  • Change labels and taints format from string to structured (#1042).
  • prometheus-operator: Add external_url (#964).

Docs

  • Concepts: add document for admission webhook (#943).
  • Coding style guide (#953).
  • MetalLB: Clarify address_pools knob (#996).
  • How to guide on backing up and restoring rook-ceph volumes with Velero (#1048).

Bug fixes

  • bootkube: feed output using local rather than local_file content (#1021).
  • Dex: fix pod reload on config change (#1040).
  • MetalLB: Add missing autodiscovery labels (#990).
  • Gangway: add a ServiceAccount (#1104).
  • If more than one component is installed in a single namespace, lokoctl now
    refuses to remove the namespace when running lokoctl component --delete with the --delete-namespace flag (#1093).

Development

  • Fix error capitalization (#979).
  • pkg/terraform: unexport functions not used outside of package (#984).
  • pkg/components: remove unused List() function (#982).
  • docs/rook-ceph-storage: Use correct apply command (#1026).
  • pkg/assets/assets_generate: Fix copyright (#1020).
  • Cleanup Terraform providers before Terraform 0.13 upgrades (#860).
  • kubelet e2e: Enable the disruptive test (#1012).
  • .golangci.yml: Re-enable linters (#1029).
  • Fix scripts/find-updates.sh (#1034), (#1068), (#1080).
  • pkg/terraform: improvements (#1027).
  • cli/cmd: cleanups part 1 (#1013).
  • test/components/kubernetes: remove kubelet pod when testing node labels (#1052).
  • Remove usage of template_file (#1046).
  • test: de-duplicate value timeout and retryInterval (#1049).
  • Packet: Read BGP peer address from metadata service (#1010).
  • pkg/assets: cleanup exported API (#936).
  • Cobra updated to v1.1.1 (#1082), (#1091).
  • cli/cmd: cleanups part 2 (#1015).
  • Add github actions (#1074).
  • Makefile: use latest Go when building in Docker (#1083).
  • cli/cmd: cleanups part 3 (#1018).
  • Add new CI config for Packet based FLUO testing (#1110).

Updating from v0.4.1

Configuration syntax changes

There have been some minor changes to the configurations of worker nodes.

The data type of labels and taints has been changed from string to map(string) for the AWS and Packet platforms.

Old:
labels = "testing=true"

taints = "nodeType=storage:NoSchedule"
New:
labels = {
  "testing" = "true"
}

taints = {
  "nodeType" = "storage:NoSchedule"
}

This release also changes the default cluster.oidc.client_id value from gangway to clusterauth.

This setting must match gangway.client_id and dex.static_client.id.

If you rely on the default oidc settings, you'll need to either add client_id = "gangway" to keep the old value, or change the dex static_client.id and gangway client_id parameters to clusterauth so that all three match.

Old:
packet {
  oidc {
    client_id = "gangway"
  }
}
New:
packet {
  oidc {
    client_id = "clusterauth"
  }
}

Cluster update steps

Ensure your cluster is in a healthy state by running lokoctl cluster apply using the v0.4.1 version.

Updating across multiple versions at a time is not supported, so if your cluster is older, update to v0.4.1 first and only then proceed with the update to v0.5.0.

Because Terraform and Kubernetes are updated to v0.13+ and v1.19.3 respectively, some manual steps need to be performed when updating. In your cluster configuration directory, follow these steps:

  1. Update your local Terraform binary to version v0.13.X. You can follow this guide to do that.

  2. Starting from your cluster directory, export your platform name and the assets directory name used in your platform configuration. They are used in the next steps:

     export PLATFORM="packet" && export ASSETS_DIR="assets"

  3. Remove the old asset files:

     rm -f $ASSETS_DIR/terraform-modules/$PLATFORM/flatcar-linux/kubernetes/require.tf \
       $ASSETS_DIR/terraform-modules/$PLATFORM/flatcar-linux/kubernetes/workers/require.tf \
       $ASSETS_DIR/terraform-modules/dns/route53/require.tf

  4. Go to the terraform directory:

     cd $ASSETS_DIR/terraform

  5. Replace the old providers:

     terraform state replace-provider -auto-approve registry.terraform.io/-/ct registry.terraform.io/poseidon/ct && \
       terraform state replace-provider -auto-approve registry.terraform.io/-/template registry.terraform.io/hashicorp/template

  6. Return to the original directory and use the kubeconfig generated by Lokomotive:

     cd - && export KUBECONFIG=$ASSETS_DIR/cluster-assets/auth/kubeconfig

  7. FelixConfiguration has been moved to the calico charts. To avoid firewall interruption, label and annotate it so that it can be managed by Helm while updating:

     kubectl label FelixConfiguration default app.kubernetes.io/managed-by=Helm --overwrite=true && \
       kubectl annotate FelixConfiguration default meta.helm.sh/release-name=calico --overwrite=true && \
       kubectl annotate FelixConfiguration default meta.helm.sh/release-namespace=kube-system --overwrite=true

Finally, run the following:

lokoctl cluster apply --skip-components -v

NOTE: On clusters with a single controller node, you need to delete the old kube-apiserver ReplicaSet during cluster update.

When lokoctl prints that kube-apiserver is being updated, run the following command:

kubectl delete rs -n kube-system $(kubectl get rs -n kube-system -l k8s-app=kube-apiserver --no-headers=true --sort-by=metadata.creationTimestamp | tac | tail -n +2 | awk '{print $1}') || true

NOTE: When this gets executed the update process will get interrupted. Re-run lokoctl cluster apply --skip-components -v to proceed.
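A pre-flight helper for the manual steps above, added here as an example (it is not part of Lokomotive or lokoctl): it validates the Terraform version string, lists the stale require.tf files and legacy provider addresses the steps touch, and selects the old kube-apiserver ReplicaSets the same way the NOTE's one-liner does, without itself running rm, terraform state or kubectl. The function names and the preflight driver are my own, and it assumes terraform providers output contains the registry.terraform.io/-/... addresses shown above.

```shell
#!/bin/sh
# Pre-flight helper for the v0.4.1 -> v0.5.0 manual steps (added example, not Lokomotive code).
# The functions inspect text passed to them; only preflight() runs terraform, and it
# never runs rm, terraform state or kubectl itself.

# First line of `terraform version` (e.g. "Terraform v0.13.5") must be a 0.13.x release.
tf_version_ok() {
  case "$1" in
    "Terraform v0.13."*) return 0 ;;
    *) return 1 ;;
  esac
}

# The three stale require.tf files the upgrade removes, for platform $1 under assets dir $2.
stale_require_files() {
  printf '%s\n' \
    "$2/terraform-modules/$1/flatcar-linux/kubernetes/require.tf" \
    "$2/terraform-modules/$1/flatcar-linux/kubernetes/workers/require.tf" \
    "$2/terraform-modules/dns/route53/require.tf"
}

# From captured `terraform providers` output ($1), print the legacy "-/" provider
# addresses that still need `terraform state replace-provider`, one per line.
legacy_providers() {
  printf '%s\n' "$1" | grep -o 'registry\.terraform\.io/-/[a-z]*' | sort -u
}

# $1 is `kubectl get rs ... --no-headers=true --sort-by=metadata.creationTimestamp`
# output (oldest first). Print every ReplicaSet name except the newest, which is
# exactly what the NOTE's `tac | tail -n +2` pipeline selects for deletion.
old_apiserver_replicasets() {
  printf '%s\n' "$1" | sed '$d' | awk 'NF { print $1 }'
}

# Driver: preflight <platform> <assets-dir>, run from the cluster directory.
preflight() {
  tfv=$(terraform version 2>/dev/null | head -n 1)
  tf_version_ok "$tfv" || { echo "FAIL: need Terraform 0.13.x, got '${tfv:-none}'"; return 1; }
  echo "ok: $tfv"
  stale_require_files "$1" "$2" | while read -r f; do
    if [ -f "$f" ]; then echo "step 3 will remove: $f"; else echo "already gone: $f"; fi
  done
  found=$(legacy_providers "$(cd "$2/terraform" && terraform providers 2>/dev/null)")
  if [ -n "$found" ]; then echo "step 5 must replace:"; echo "$found"; else echo "no legacy providers found"; fi
}

if [ "${1:-}" = "preflight" ]; then preflight "$2" "$3"; fi
```

Run it as sh preflight.sh preflight packet assets from the cluster directory before step 3; it exits non-zero if the Terraform binary is not a 0.13.x release.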

The update process typically takes about 10 minutes.
After the update, running lokoctl health should result in an output similar to the following:

Node                     Ready    Reason          Message
lokomotive-controller-0  True     KubeletReady    kubelet is posting ready status
lokomotive-1-worker-0    True     KubeletReady    kubelet is posting ready status
lokomotive-1-worker-1    True     KubeletReady    kubelet is posting ready status
lokomotive-1-worker-2    True     KubeletReady    kubelet is posting ready status

Name      Status    Message              Error
etcd-0    True      {"health":"true"}

Updating native kubelets and etcd (optional)

  • Manually update etcd following the steps mentioned in the doc here.
  • Manually update the kubelet running on the nodes, by following the steps mentioned in the doc here.

Updating cert-manager

Run the following command:

until lokoctl component render-manifest cert-manager | kubectl apply -f -; do sleep 1; done

Now it is safe to update:

lokoctl component apply cert-manager

Updating prometheus-operator

Due to a bug, the valid seccomp profiles in the prometheus-operator-admission PodSecurityPolicy don't get updated automatically.

Delete psp prometheus-operator-admission so it gets created with the right seccomp profiles:

kubectl delete psp prometheus-operator-admission

Now it is safe to update:

lokoctl component apply prometheus-operator

Updating other components

Other components are safe to update by running the following command:

lokoctl component apply <component name>