This repository has been archived by the owner on Jan 9, 2023. It is now read-only.
The 0.6 release of Tarmak comes with many more features and improvements to
internals. Notable new additions include pre-built AMI images that are used when
one has not yet been built, which makes getting a cluster running much faster
for new users. There is also a new worker AMI image type that pre-installs and
configures Kubernetes worker nodes, so nodes become ready much faster during
auto scaling. Finally, we have also included an option to deploy Calico using
Kubernetes as a backend, rather than using Etcd directly.
A large focus of this release has been on improving the use of SSH by now
utilising the in-package standard Go libraries. This means we now have
better control of SSH connections whilst running. We have also made a
significant change to how SSH host keys are handled: instances now securely
tag themselves with their public keys via an Amazon Lambda function.
These tags are then used to populate, verify and update our local host key file
during SSH connections.
We do not report any specific action required for upgrading to 0.6.0 from 0.5.3
besides our normal upgrade method.
More detailed changes, and others not mentioned above, are as follows:
Added
Add Packer image that pre-installs Kubernetes dependencies drastically improving node ready time (#390 @MattiasGees)
Expose feature flags for Kubernetes components in Tarmak configuration (#431 @joshvanl)
Use puppet to install and manage configuration and Systemd Units on Vault instances (#494 @joshvanl)
New command tarmak environment destroy to destroy all clusters in an environment (#527 @MattiasGees)
New command tarmak cluster logs to gather systemd logs from target instances (#575 @JoshVanL)
Allow custom Vault-Helper URLs to be used to download (#619 @joshvanl)
Proposal on how to manage the SSH known hosts file and securely propagate instance public keys (#643 @joshvanl)
Create OWNER files in sub paths of the Tarmak project (#656 @simonswine)
Documentation on how to install and use Ark in Tarmak (#657 @alljames)
Wing securely tags its instance through an Amazon Lambda function to advertise its public key with trust. Tarmak relies on these keys for SSH connections. (#664 @joshvanl)
Wing dev mode now also enabled for the bastion instance (#678 @joshvanl)
Release pre-built packer images with every release (#682 @simonswine)
Give optional Kubernetes backend to calico add-on (#683 @joshvanl)
Tarmak created Kubernetes resources have their life cycle managed by Kube-Addon-Manager (#688 @joshvanl)
Documentation on how to add Pod Security Policies to arbitrary Namespaces (#694 @MattiasGees)
Use Core-DNS DNS and Service Discovery project instead of Kube-DNS for clusters >= 0.10 (#715 @joshvanl)
Programmatic end-to-end testing with Sonobuoy (#743 @joshvanl)
Disable Overlay ETCD servers when calico in Kubernetes backend mode (#724 @joshvanl)
More rigorous fluent-bit acceptance tests (#747 @simonswine)
Adds AddListener and RemoveListenerCertificates permissions to ELB nodes (#749 @joshvanl)
Adds de-register permissions to ELB nodes (#750 @joshvanl)
Changed
Enable dry mode for vault-helper ensure to ensure to write during plan and when in a converged state (#572 @joshvanl)
Use in-package SSH over a forked exec of OpenSSH. This gives greater control and efficiency of SSH connections in Tarmak (#635 @joshvanl)
Hard code Centos version to mitigate errors during minor releases (#649 @simonswine)
Upgrade Vault to 0.9.6 and Consul to 1.2.4 (#674 @joshvanl)
Use Jetstack's patched metrics-server to scrape the Kubelet summary via the Kubernetes API server proxy. Enabled scraping Kubelets on Master nodes. (#712 @joshvanl)
SSH tunnels have a timeout after 10 minutes of inactivity (#730 @joshvanl)
Heapster, InfluxDB and Grafana have toggles in the Tarmak configuration. They
are enabled for current clusters but disabled by default for all newly created
clusters via init (#740 @joshvanl)
Upgrade default Kubernetes version to 1.12.5 (#753 @simonswine)
Bugfix release to fix regressions that came up in the 0.5 release branch,
notably now hard coding the Centos release to 7.5 to avoid instability from a
new Centos minor version.
Changed
Hardcode centos image release to 7.5.1804 (#649, @simonswine)
Fixed
Override local kubeconfig if errors (#652, @JoshVanL)
Correctly mount nvme drives on etcd instances (#538, @JoshVanL)
Fix centos 7.6 aws cli, download it through pip if it's not working (#646, @simonswine)
Release to update default Kubernetes version to 1.11.5: CVE-2018-1002105: proxy
request handling in kube-apiserver can leave vulnerable TCP connections
(details).
Changed
Update default kubernetes version for new clusters to 1.11.5 (#645, @JoshVanL)
The 0.5 release of Tarmak adds support for Kubernetes up to minor version 1.12.
A focus of the release was to ensure all data stores are encrypted at rest.
Another focus was on the stability of Tarmak. Various components had version
and/or configuration upgrades to ensure resiliency in the operation.
These detailed changes have happened since the last minor version of Tarmak:
Added
Update default kubernetes version for new clusters to 1.11.4 (#638, @simonswine)
Istio example in documentation (#551, @charlieegan3)
Add Tarmak Terraform provider for ordering infrastructure creation (#12, @simonswine)
Add support for automatically adding taints and labels to instance pools (#369, @charlieegan3)
Support log forwarding (#197, @dippynark)
Add Jenkins module to Terraform stack (#240, @MattiasGees)
Support autoscaling arbitrary worker instance pools (#325, @dippynark)
Changed
Merged Terraform stacks (state, bastion, vault, network, kubernetes) into a single stack. This allows a plan to be run against all infrastructure at the same time and also benefit from Terraform's parallelisation capabilities (#148, @dippynark)
Vendor Terraform instead of shelling out to a binary inside the Tarmak Docker container. This gives us more control over how Terraform is run and the version used. Care must be taken when running Terraform commands within the Tarmak debug shell as using a version of Tarmak higher than the version vendored by Tarmak will prevent Tarmak from running further Terraform commands
Change cgroup driver from systemd to cgroupfs as cgroupfs has better support in the kubelet for enforcing node allocatable (#300, @dippynark)
Fixed
Add security group to allow cluster autoscaler scraping (#338, @dippynark)
Adds signal handling to Wing to handle TERM and HUP. SIGHUP: cause a node to be reconverged. SIGTERM: forward SIGTERM to the puppet subprocess (if it exists) (#32, @JoshVanL)
Sign released binaries using GPG (#58, @simonswine)
Update default kubernetes version to 1.7.10 (#54, @simonswine)
Add support for API server aggregation, enabled by default for kubernetes 1.7+ (#53, @simonswine)
Validate minCount and maxCount of Instance Pool (#52, @JoshVanL)
Enable authorization and authentication for kubelet (#46, @simonswine)
Enable Node authorizer and related admission controller for 1.8 compatibility (#41, @simonswine)
Add experimental support for deploying clusters into existing AWS VPCs (#31, @kragniz)
Changed
Allow master to communicate with workers on any port (#50, @simonswine)
Raise the master LoadBalancer time out to 3600 seconds (#49, @simonswine)
Verify at least one image exists before running terraform apply (#36, @JoshVanL)
Disable apiserver binding insecure-port on the master (#48, @simonswine)
Update vendored k8s.io packages to target release-1.8/release-5.0 branches (#15, @simonswine)
Disable source/destination check on cloud-provider AWS using a controller run on kubernetes masters. No need to authorize worker instances for ec2:ModifyInstanceAttribute anymore. (#28, @mattbates)
Update vendored vault-helper and vault-unsealer to latest releases (#20, @JoshVanL)
Update kubernetes master taints and cgroup fixes (#38, @simonswine)
Disclaimer - please note that current releases of Tarmak are alpha (unless
explicitly marked). Although we do not anticipate breaking changes, at this
stage this cannot be absolutely guaranteed.