Merge remote-tracking branch 'origin' into CPDEV_105612_k8s_1.31_adop…

…tion
Netcracker · Oct 15, 2024 · e572b9b · e572b9b
2 parents db384c3 + 6a62cab
commit e572b9b
Show file tree

Hide file tree

Showing 17 changed files with 131 additions and 97 deletions.
diff --git a/.github/workflows/integration_tests.yaml b/.github/workflows/integration_tests.yaml
@@ -12,10 +12,10 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v3
-      - name: Set up Python 3.9
+      - name: Set up Python 3.12
         uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       - name: Install software
         run: pip3 install yq
       - name: Parse kubernetes versions
@@ -48,10 +48,10 @@ jobs:
           ssh-keyscan -H 172.17.0.1 >> ~/.ssh/known_hosts
       - name: Test ssh connection
         run: ssh -i ~/.ssh/id_rsa 172.17.0.1 echo "Test"
-      - name: Set up Python 3.9
+      - name: Set up Python 3.12
         uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       - name: Install Kubemarine with dependencies
         run: |
           python -m pip install --upgrade pip
@@ -110,10 +110,10 @@ jobs:
         run: sudo ifconfig docker0:0 172.17.1.1 up
       - name: Test ssh connection
         run: ssh -i ~/.ssh/id_rsa 172.17.0.1 echo "Test"
-      - name: Set up Python 3.9
+      - name: Set up Python 3.12
         uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       - name: Install Kubemarine with dependencies
         run: |
           python -m pip install --upgrade pip
@@ -160,7 +160,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       - name: Install dependencies
         run: pip install . && pip uninstall -y kubemarine
       - name: Run scripts/thirdparties/sync.py

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -30,7 +30,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       # Install coverage and kubemarine with all dependencies except ansible.
       # Then uninstall only kubemarine to avoid ambiguity and to surely run coverage on sources.
       - run: pip install coverage . && pip uninstall -y kubemarine
@@ -41,7 +41,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       # Install pylint and kubemarine with all dependencies except ansible.
       # Then uninstall only kubemarine to avoid ambiguity and to surely run pylint on sources.
       - run: pip install .[pylint] && pip install -r requirements-pyinstaller.txt && pip uninstall -y kubemarine
@@ -56,7 +56,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       - run: pip install radon xenon
         # Use `radon cc {paths} -a` locally for full report per function
         # xenon checks, if radon absolute result is A

diff --git a/documentation/Kubecheck.md b/documentation/Kubecheck.md
@@ -82,6 +82,7 @@ This section provides information about the Kubecheck functionality.
     - [229 Audit Policy Configuration](#229-audit-policy-configuration)
     - [231 Audit Daemon Rules](#231-audit-daemon-rules)
     - [232 Kernel Parameters Configuration](#232-kernel-parameters-configuration)
+    - [235 Kubernetes version](#235-kubernetes-version)
 - [Report File Generation](#report-file-generation)
   - [HTML Report](#html-report)
   - [CSV Report](#csv-report)
@@ -437,6 +438,7 @@ The task tree is as follows:
   * audit
     * policy
   * admission
+  * version
 * etcd
   * health_status
 * control_plane
@@ -778,6 +780,14 @@ This test compares the kernel parameters on the nodes
 with the parameters specified in the inventory or with the default parameters.
 If the configured parameters are not presented, the test fails.
 
+##### 235 Kubernetes version
+
+*Task*: `kubernetes.version`
+
+This test checks if used kubernetes version is deprecated in current kubemarine release.
+It means, that this version is going to be excluded from support in future kubemarine soon.
+So it's recommended to update kubernetes version to new one.
+
 ### Report File Generation
 
 In addition to the resulting table in the log output, the same report is presented in the form of files.

diff --git a/documentation/Troubleshooting.md b/documentation/Troubleshooting.md
@@ -42,6 +42,7 @@ This section provides troubleshooting information for Kubemarine and Kubernetes
   - [Troubleshooting an Installation That Ended Incorrectly](#troubleshooting-an-installation-that-ended-incorrectly)
   - [Upgrade Procedure to v1.28.3 Fails on ETCD Step](#upgrade-procedure-to-v1283-fails-on-etcd-step)
   - [kubectl logs and kubectl exec fail](#kubectl-logs-and-kubectl-exec-fail)
+  - [OpenSSH server becomes unavailable during cluster installation on Centos9](#openssh-server-becomes-unavailable-during-cluster-installation-on-centos9)
 
 # Kubemarine Errors
 
@@ -1404,3 +1405,27 @@ Error from server: error dialing backend: remote error: tls: internal error
 **Root cause**: The `kubelet` server certificate is not approved, whereas the cluster has been configured not to use self-signed certificates for the `kubelet` server.
 
 **Solution**: Perform CSR approval steps from the maintenance guide. Refer to the [Kubelet Server Certificate Approval](https://github.com/Netcracker/KubeMarine/blob/main/documentation/internal/Hardening.md#kubelet-server-certificate-approval) section for details.
+
+## OpenSSH server becomes unavailable during cluster installation on Centos9
+
+**Sympthoms**: Installation fails on `kubemarine.system.reboot_nodes`, OpenSSH server becomes unavailable due to OpenSSL version missmatch error.
+
+The following lines can be found in the OpenSSH server logs:
+```
+OpenSSL version mismatch. Built against 30000070, you have 30200010
+sshd.service: Main process exited, code=exited, status=255/EXEPTION
+sshd.service: Failed with result 'exit-code'.
+Failed to start OpenSSH server daemon.
+```
+
+**Root cause**: Since OpenSSL is updated by default when deploying a cluster with KubeMarine, the version incompatibility problem arises. OpenSSH was compiled with OpenSSL version 3.0.0 (30000070) and after the update, version 3.2.0 (30200010) is installed.
+Probably, OpenSSL does not provide backward compatibility.
+
+**Solution**: Add the upgrade section for OpenSSH server in the **cluster.yaml** file.
+
+```yaml
+services:
+  packages:
+    upgrade:
+      - openssh-server
+```
diff --git a/kubemarine/kubernetes/__init__.py b/kubemarine/kubernetes/__init__.py
@@ -904,11 +904,13 @@ def verify_allowed_version(version: str) -> str:
     return version
 
 
-def verify_supported_version(target_version: str, logger: log.EnhancedLogger) -> None:
+def verify_supported_version(target_version: str, logger: log.EnhancedLogger) -> bool:
     minor_version = utils.minor_version(target_version)
     supported_versions = static.KUBERNETES_VERSIONS['kubernetes_versions']
     if not supported_versions.get(minor_version, {}).get("supported", False):
-        logger.warning(f"Specified target Kubernetes version {target_version!r} - is not supported!")
+        logger.warning(f"Specified target Kubernetes version {target_version!r} - is deprecated!")
+        return False
+    return True
 
 
 def expect_kubernetes_version(cluster: KubernetesCluster, version: str,

diff --git a/kubemarine/patches/__init__.py b/kubemarine/patches/__init__.py
@@ -22,10 +22,8 @@
 from typing import List
 
 from kubemarine.core.patch import Patch
-from kubemarine.patches.p1_pin_kubernetes_version import PinKubernetesVersion
 
 patches: List[Patch] = [
-    PinKubernetesVersion(),
 ]
 """
 List of patches that is sorted according to the Patch.priority() before execution.

diff --git a/kubemarine/patches/p1_pin_kubernetes_version.py b/kubemarine/patches/p1_pin_kubernetes_version.py
diff --git a/kubemarine/patches/software_upgrade.yaml b/kubemarine/patches/software_upgrade.yaml
@@ -8,11 +8,7 @@
 # The order of upgrade of defined by the implementation.
 
 thirdparties:
-  calicoctl:
-  - v1.28.9
-  - v1.29.1
-  - v1.29.4
-  - v1.30.1
+  calicoctl: []
   crictl: []
 packages:
   containerd:
@@ -32,19 +28,7 @@ packages:
     version_rhel9: false
     version_debian: false
 plugins:
-  calico:
-  - v1.28.9
-  - v1.29.1
-  - v1.29.4
-  - v1.30.1
-  nginx-ingress-controller:
-  - v1.28.9
-  - v1.29.1
-  - v1.29.4
-  - v1.30.1
+  calico: []
+  nginx-ingress-controller: []
   kubernetes-dashboard: []
-  local-path-provisioner:
-  - v1.28.9
-  - v1.29.1
-  - v1.29.4
-  - v1.30.1
+  local-path-provisioner: []
diff --git a/kubemarine/procedures/check_paas.py b/kubemarine/procedures/check_paas.py
@@ -109,7 +109,7 @@ def _check_same_os(cluster: KubernetesCluster) -> None:
     different_os = set(os_ids.values())
     if len(different_os) > 1:
         cluster.log.warning(
-            f"Nodes have different OS families or versions, packages versions cannot be checked. "
+            f"Nodes have different OS families or versions, packages versions cannot be checked."
             f"List of (OS family, version): {list(different_os)}")
         raise TestFailure(f"Nodes have different OS families or versions")
 
@@ -1021,7 +1021,7 @@ def verify_modprobe_rules(cluster: KubernetesCluster) -> None:
         else:
             raise TestFailure('invalid',
                               hint=f"Modprobe rules do not match those loaded in modprobe on cluster nodes. Check "
-                                   f"manually what the differences are and make changes on the appropriate nodes.")
+                                   f"the differences manually and make changes on the appropriate nodes.")
 
 
 def verify_sysctl_config(cluster: KubernetesCluster) -> None:
@@ -1042,7 +1042,7 @@ def verify_sysctl_config(cluster: KubernetesCluster) -> None:
         else:
             raise TestFailure('invalid',
                               hint=f"Some configured kernel parameters are not loaded on the cluster nodes.\n"
-                                   f"Check manually what the differences are, and make changes on the appropriate nodes.")
+                                   f"Check the differences manually and make changes on the appropriate nodes.")
 
 
 def verify_system_audit_rules(cluster: KubernetesCluster) -> None:
@@ -1063,7 +1063,7 @@ def verify_system_audit_rules(cluster: KubernetesCluster) -> None:
         else:
             raise TestFailure('invalid',
                               hint=f"Some configured Audit rules are not loaded on the cluster nodes.\n"
-                                   f"Check manually what the differences are, and make changes on the appropriate nodes.")
+                                   f"Check the differences manually and make changes on the appropriate nodes.")
 
 
 def etcd_health_status(cluster: KubernetesCluster) -> None:
@@ -1569,6 +1569,18 @@ def kubernetes_admission_status(cluster: KubernetesCluster) -> None:
         cluster.log.debug(kube_admission_status)
         tc.success(results='enabled')
 
+def verify_kubernetes_version(cluster: KubernetesCluster) -> None:
+    """
+    The method checks if used kubernetes version is deprecated in kubemarine
+    """
+    with TestCase(cluster, '225', "Kubernetes", "Version") as tc:
+        target_version = cluster.inventory['services']['kubeadm']['kubernetesVersion']
+        if not kubernetes.verify_supported_version(target_version, cluster.log):
+            raise TestWarn(f"Kubernetes version {target_version} is deprecated",
+                           hint=f"Used Kubernetes version is deprecated and will be excluded from support "
+                                f"in future Kubemarine releases. Please plan upgrade to the newer version.")
+
+        tc.success(results='Kubernetes version is OK')
 
 def geo_check(cluster: KubernetesCluster) -> None:
     """
@@ -1606,7 +1618,7 @@ def geo_check(cluster: KubernetesCluster) -> None:
 
         peers = yaml.safe_load(io.StringIO(peers_result))
         if len(peers) == 0:
-            raise TestFailure("configuration error", hint="geo-monitor instance has no peers")
+            raise TestFailure("configuration error", hint="geo-monitor instance has no peers.")
 
         for peer in peers:
             status = peer["clusterIpStatus"]
@@ -1636,7 +1648,7 @@ def geo_check(cluster: KubernetesCluster) -> None:
 
     with TestCase(cluster, '226', "Geo Monitor", "Geo check - Pod-to-service") as tc_svc:
         if not status_collected:
-            raise TestFailure("configuration error", hint="DNS check failed with error, statuses not collected")
+            raise TestFailure("configuration error", hint="DNS check failed with error, statuses not collected.")
 
         if svc_status["failed"]:
             raise TestFailure("found unavailable peer services",
@@ -1647,7 +1659,7 @@ def geo_check(cluster: KubernetesCluster) -> None:
 
     with TestCase(cluster, '226', "Geo Monitor", "Geo check - Pod-to-pod") as tc_pod:
         if not status_collected:
-            raise TestFailure("configuration error", hint="DNS check failed with error, statuses not collected")
+            raise TestFailure("configuration error", hint="DNS check failed with error, statuses not collected.")
 
         if pod_status["failed"]:
             raise TestFailure("found unavailable peer pod",
@@ -1703,7 +1715,7 @@ def verify_apparmor_config(cluster: KubernetesCluster) -> None:
                 tc.success(results='valid')
             else:
                 raise TestFailure('invalid',
-                        hint=f"Some nodes do not have properly configured Apparmor service")
+                        hint=f"Some nodes do not have properly configured Apparmor service.")
         else:
             tc.success(results='skipped')
 
@@ -1793,6 +1805,7 @@ def verify_apparmor_config(cluster: KubernetesCluster) -> None:
             'policy': kubernetes_audit_policy_configuration,
         },
         'admission': kubernetes_admission_status,
+        'version': verify_kubernetes_version,
     },
     'etcd': {
         "health_status": etcd_health_status

diff --git a/kubemarine/resources/configurations/compatibility/kubernetes_versions.yaml b/kubemarine/resources/configurations/compatibility/kubernetes_versions.yaml
@@ -1,7 +1,7 @@
 # This section can be changed manually, but it is also synchronized automatically with the 'compatibility_map' section below.
 kubernetes_versions:
   v1.26:
-    supported: true
+    supported: false
   v1.27:
     supported: true
   v1.28:

diff --git a/kubemarine/version b/kubemarine/version
@@ -1 +1 @@
-v0.32.2
+v0.32.3
diff --git a/pyproject.toml b/pyproject.toml
@@ -42,7 +42,7 @@ dependencies = [
     "deepdiff==7.0.*",
     "ordered-set==4.1.*",
     # Each time cryptography version is updated, need to regenerate scripts/ci/custom-hooks/hook-cryptography.py
-    "cryptography==42.0.7",
+    "cryptography==43.0.1",
     "paramiko==3.4.*",
     "jsonschema==4.22.*",
     "referencing==0.35.*",
@@ -84,7 +84,7 @@ Issues = "https://github.com/Netcracker/KubeMarine/issues/"
 # 1. pip install bumpver
 # 2. bumpver update --set-version <new version>
 [tool.bumpver]
-current_version = "v0.32.2"
+current_version = "v0.32.3"
 version_pattern = "vMAJOR.MINOR.PATCH"
 commit_message = "bump version to {new_version}"
 commit = true