AWS China region support #390
Conversation
* coreos/master: Emit a warning message when `t2.nano` or `t2.micro` is set for `*instanceType` closes #258 Drop deprecated `hostedZone`(not `hostedZoneId`) in cluster.yaml closes #287 fix(e2e): The second and the subsequent testinfra stacks fail to be created closes #367 fix(e2e): node pool "Fleet2" fails to be created closes #362 feat: Managed HA etcd cluster Add additional EBS volumes to worker nodes. Update ROADMAP.md Fix customSettings unavailability for node pools Make tests which depends on `clusterName` to pass on Travis Fix the inconsistent S3 object prefix issue Add a test to reproduce the inconsistent S3 object prefix issue Fix missing Name and ControllerHost in `status` and `up` commands Add support for ALBs Target Groups Fix typo in provisioner.go Fix typo in comment credentials: Add /O=systems:master for kube-admin Add experimental support for pod security policies README: remove the design decisions README: make the initial instructions self-contained README: remove the survey
* coreos/master: Emit a warning message when `t2.nano` or `t2.micro` is set for `*instanceType` closes #258 Drop deprecated `hostedZone`(not `hostedZoneId`) in cluster.yaml closes #287 fix(e2e): The second and the subsequent testinfra stacks fail to be created closes #367 fix(e2e): node pool "Fleet2" fails to be created closes #362 feat: Managed HA etcd cluster Add additional EBS volumes to worker nodes. Update ROADMAP.md Fix customSettings unavailability for node pools Make tests which depends on `clusterName` to pass on Travis Fix the inconsistent S3 object prefix issue Add a test to reproduce the inconsistent S3 object prefix issue Fix missing Name and ControllerHost in `status` and `up` commands Add support for ALBs Target Groups Fix typo in provisioner.go Fix typo in comment credentials: Add /O=systems:master for kube-admin Add experimental support for pod security policies README: remove the design decisions README: make the initial instructions self-contained README: remove the survey
Option for rkt to pull from Docker repos.
cfnstack/assets.go
Outdated
| url = fmt.Sprintf("https://s3.amazonaws.com/%s/%s", l.Bucket, l.Key) | ||
| } | ||
| log.Printf("Using S3 URL: %s on region: %s", url, l.S3Region) | ||
| return url |
There was a problem hiding this comment.
As we have the Region type in model/region.go today, perhaps we'd better implement func (r Region) S3EndpointName() string to return e.g. "s3.cn-north-1.amazonaws.com.cn" for cn-north-1 or "s3.amazonaws.com" otherwise, to be used here.
cfnstack/assets.go
Outdated
| Key string | ||
| Bucket string | ||
| Path string | ||
| S3Region string |
There was a problem hiding this comment.
This should be Region Region rather than S3Region string once https://github.com/coreos/kube-aws/pull/390/files#r104814373 is implemented.
| RemainAfterExit=true | ||
| ExecStartPre=/usr/bin/docker pull {{.PauseImage.Repo}} | ||
| ExecStart=/usr/bin/docker tag {{.PauseImage.Repo}} gcr.io/google_containers/pause-amd64:3.0 | ||
| {{end}} |
| " {{.AWSCliImageRepo}}:{{.AWSCliTag}} -- aws s3 --region $REGION cp {{ .S3URI }}/{{ .StackName }}/$USERDATA_FILE /var/run/coreos/", | ||
| {{- if .AWSCliImage.RktPullDocker }} | ||
| " --insecure-options=image \\", | ||
| {{- end }} |
There was a problem hiding this comment.
To reduce ifs in templates and make it more testable, how about implementing something like:
func (i Image) RktOptions() string {
if i.RktPullDocker {
return "--insecure-options=image"
}
return ""
}and refer to it from here?
| {{- if .AWSCliImage.RktPullDocker }} | ||
| " --insecure-options=image \\", | ||
| {{- end }} | ||
| " {{ if .AWSCliImage.RktPullDocker }}docker://{{ end }}{{.AWSCliImage.Repo}}:{{.AWSCliTag}} --exec=aws -- s3 --region $REGION cp {{ .S3URI }}/{{ .StackName }}/$USERDATA_FILE /var/run/coreos/", |
There was a problem hiding this comment.
Almost the same as above at heart but how about implementing something like:
func (i Image) RktImage() string {
if i.RktPullDocker {
return fmt.Sprintf("docker://%s:%s", i.Repo, i.Tag)
}
return fmt.Sprintf("%s:%s", i.Repo, i.Tag)
}and refer to it from here?
I guess we'd better to drop *Tags e.g. AWSCliTag and integrate it to the Image struct to achieve this.
core/nodepool/config/config.go
Outdated
| KMSKeyARN: c.KMSKeyARN, | ||
| EncryptService: c.providedEncryptService, | ||
| }) | ||
| if stackConfig.ComputedConfig.IsChinaRegion { |
There was a problem hiding this comment.
If IsChinaRegion is almost meant for not TLSAssetsEncryptionEnabled in the context of this PR,
can we introduce new func like:
func (c *Cluster) TLSAssetsEncryptionEnabled() bool {
return c.ManageCertificate && !c.IsChinaRegion
}according to https://github.com/coreos/kube-aws/pull/390/files#diff-954229fc24045500f68b18079524f6e1R222 and refer to it from here and various locations including templates?
| " {{$.AWSCliImageRepo}}:{{$.AWSCliTag}} -- aws s3 --region $REGION cp {{ $.S3URI }}/{{ $.StackName }}/$USERDATA_FILE /var/run/coreos/", | ||
| {{- if $.AWSCliImage.RktPullDocker }} | ||
| " --insecure-options=image \\", | ||
| {{- end }} |
There was a problem hiding this comment.
| {{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \ | ||
| {{- if .AWSCliImage.RktPullDocker }} | ||
| --insecure-options=image \ | ||
| {{- end }} |
There was a problem hiding this comment.
| {{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \ | ||
| {{- if .AWSCliImage.RktPullDocker }} | ||
| --insecure-options=image \ | ||
| {{- end }} |
There was a problem hiding this comment.
| {{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \ | ||
| {{- if .AWSCliImage.RktPullDocker }} | ||
| --insecure-options=image \ | ||
| {{- end }} |
There was a problem hiding this comment.
|
Thanks @camilb @mpucholblasco, I'm really impressed to see your great work!
Sounds good at this stage 👍
👍
Although I'd prefer adding
👍
Sorry for being very nit picky but perhaps you're missing something like Anyway, this guidance of cloning AMIs among regions would help everyone trying kube-aws within the China region in the future. |
|
@mumoshu thanks for your feedback. We agree with all of your suggestions and we'll make the changes these days. |
Codecov Report
@@ Coverage Diff @@
## master #390 +/- ##
==========================================
- Coverage 38.71% 38.53% -0.19%
==========================================
Files 29 30 +1
Lines 2278 2351 +73
==========================================
+ Hits 882 906 +24
- Misses 1277 1324 +47
- Partials 119 121 +2
Continue to review full report at Codecov.
|
| @@ -326,7 +326,7 @@ | |||
| "Action": [ | |||
| "s3:GetObject" | |||
| ], | |||
| "Resource": "arn:aws:s3:::{{$.UserDataWorkerS3Path}}" | |||
| "Resource": "arn:aws{{if .IsChinaRegion}}-cn{{end}}:s3:::{{$.UserDataWorkerS3Path}}" | |||
There was a problem hiding this comment.
nit but func (r Region) Partition() string to return aws-cn or aws according to http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html would be slightly better.
| c.HyperkubeImage.Tag = c.K8sVer | ||
| c.AWSCliImage.MergeIfEmpty(main.AWSCliImage) | ||
| c.CalicoCtlImage.MergeIfEmpty(main.CalicoCtlImage) | ||
| c.PauseImage.MergeIfEmpty(main.PauseImage) |
core/controlplane/config/config.go
Outdated
|
|
||
| func (i *Image) RepoWithTag() string { | ||
| return fmt.Sprintf("%s:%s", i.Repo, i.Tag) | ||
| } |
There was a problem hiding this comment.
nit but the type Image could be moved to the model package i.e. model/image.go
| @@ -348,7 +348,7 @@ | |||
| "Effect": "Allow", | |||
| "Resource": | |||
| { "Fn::Join": [ "", [ | |||
| "arn:aws:cloudformation:", | |||
| "arn:aws{{if .IsChinaRegion}}-cn{{end}}:cloudformation:", | |||
There was a problem hiding this comment.
Could be changed to arn:{{$.Region.Partition}}:cloudformation: if https://github.com/coreos/kube-aws/pull/390/files#r105572866 was addressed
|
Thanks for your effort @camilb 🙇 |
|
Thanks @mpucholblasco, sure 👍 |
|
LGTM. Great job, @camilb and @mpucholblasco! |
Also align to work from kubernetes-retired#390 by allowing image repo/tag to be overridden.
* Introduce the rescheduler For #118. - Currently using raw Pod as per [salt setup](https://github.com/kubernetes/kubernetes/blob/master/cluster/salt base/salt/rescheduler/rescheduler.manifest0 - Logging routed via standard streams - gcr image used, not sure if hyperkube has the rescheduler * Rescheduler is off by default, can be enabled Also align to work from #390 by allowing image repo/tag to be overridden. * Comment on experimental nature of rescheduler * Remove resource todo * Correct default to v0.2.2 v0.3.0 is not ready until k8s 1.6 * Change rescheduler to Deployment Rescheduler currently crashes if there is more than one present * Add validation tests
* kubernetes-incubator/master: (29 commits) Emit errors when kube-aws sees unexpected keys in cluster.yaml Resolves kubernetes-retired#404 Tag controller nodes appropriately with `kubernetes.io/role`. Resolves kubernetes-retired#370 Make Container Linux AMI fetching a bit more reliable Stop locksmithd errors on etcd nodes Upgrade heapster to version 1.3.0 (kubernetes-retired#420) Auth token file support (kubernetes-retired#418) Update README.md Update README accordingly to the new git repo AWS China region support (kubernetes-retired#390) Conform as a Kubernetes Incubator Project Fixed typo in template upgrade aws-sdk to latest version Fix kubernetes-retired#388 Upgrade Kubernetes version to v1.5.4 Fix assumed public hostnames for EC2 instances in us-east-1 Fix assumed public hostnames for EC2 instances in us-east-1 typo fix: etcdDataVolumeEncrypted not creating encrypted volumes fixes kubernetes-retired#383 Allow disabling wait signals fixes kubernetes-retired#371 Update file paths in readme Fix an issue with glue security group documentation ...
AWS China region support + Parameterized docker/rkt images * Added S3 China * Parameterized images * Remove "decrypt" dependencies for China region. * Fix ca cert for China region. * Fix ARN names for China region. * Adding logging * Remove KMS from China region in nodepools. * Add "amd64-pause" image service for China. * Added testing and fixing * Removed parameter s3-region from all commands * Added image properties * Used TLSAssetsEncryptionEnabled instead of asking for China Region * Changed region string by region model
* Introduce the rescheduler For kubernetes-retired#118. - Currently using raw Pod as per [salt setup](https://github.com/kubernetes/kubernetes/blob/master/cluster/salt base/salt/rescheduler/rescheduler.manifest0 - Logging routed via standard streams - gcr image used, not sure if hyperkube has the rescheduler * Rescheduler is off by default, can be enabled Also align to work from kubernetes-retired#390 by allowing image repo/tag to be overridden. * Comment on experimental nature of rescheduler * Remove resource todo * Correct default to v0.2.2 v0.3.0 is not ready until k8s 1.6 * Change rescheduler to Deployment Rescheduler currently crashes if there is more than one present * Add validation tests
Hi @mumoshu, my colleague @mpucholblasco and I were working to adapt
kube-awsfor AWS China region and we need community feedback.There were several problems we encountered and tried to fix:
there is no KMS support in
cn-north-1region. We preferred to disable this entirely for this region only.We think later using https://github.com/mozilla/sops to encrypt the certificates fields.China region has a different S3 endpoint. For now we are passing a flag "--s3-region=cn-north-1" when starting the cluster but we are working to get the region automatically from
cluster.yamlthere are different ARNs. We automatically detect and change them for
cn-north-1most of the docker or rkt images are not pulled from dockerhub or quay and gcr.io is completely blocked in China. On large images, like hyperkube, you get many timeouts from quay.
We added an option to specify your own images, hosted on a registry in China.
We are using Alibaba Cloud registry, which is very fast. We also added an option for rkt to pull images from docker repos.
A special case is with
amd64-pauseimage that kubernetes is using it and can not change its name or download it. In this case we added a simple service that pulls the image from our registry in China and tag it asgcr.io/google_containers/pause-amd64:3.0CoreOS AMIs in
cn-north-1are outdated, so we're using a simple method to clone a AMI from Singapore region.#ap-south-1
mkfs.ext4 /dev/xvdb
mkdir /ami
mount /dev/xvdb /ami
cd /ami
dd if=/dev/xvda of=root.img bs=1M
scp -i core.pem /ami/root.img core@cn-north-1_ip_address:/home/core
#cn-north-1
dd if=/home/core/root.img of=/dev/xvdb bs=1M oflag=direct
mkdir -p /ami
mount /dev/xvdb9 /ami
rm /ami/home/core/.ssh/authorized_keys
rm /ami/home/core/.ssh/authorized_keys.d/*
umount /ami
Create a snapshot of the volume.
Create an AMI from the snapshot.
After all of these changes we can successfully deploy kubernetes with
kube-awsincn-north-1as fast as for other regions and without errors or additional configurations.We are waiting for suggestions from the community before clean the commits and rebase.