Enable federation for origin clusters

[marun]

TODO

• build openshift-specific server image
• build kubefed that targets the openshift-specific server image
• update kubefed to report openshift version (e.g. 3.6) instead of kube version (e.g. 1.6)
• update kubefed init to use rh-specific etcd image
• test compatibility of kubefed init's PV annotation with openshift

[derekwaynecarr]

@marun -- so far looks fine. i thought the second commit would have a dockerfile?

[marun]

@stevekuznetsov I can't seem to get ldflags to work, the federation image names end up blank. Help?

[stevekuznetsov]

This should be "${OS_BUILD_LDFLAGS_IMAGE_PREFIX}-federation"

[marun]

Done

[stevekuznetsov]

This looks like it should work -- maybe it's weird since it's also the entrypoint? @smarterclayton thoughts?

[marun]

I've switched to target the pkg instead of the entrypoint. Not that I can test it - the new release build mechanism has hosed what was formerly a working dev setup.

[stevekuznetsov]

If you expect the hyperkube binary to be shipped to customers it will be in the RPM so install using yum a la origin-pod.

[marun]

@smarterclayton I'm not sure there's a point in packaging hyperkube, given that this is unlikely to be the method for shipping the federation servers in the future. What's the simplest acceptable solution to getting this image built for 3.6?

[stevekuznetsov]

What's the simplest acceptable solution to getting this image built for 3.6?

To be clear... my comment is prefixed with that "IF" for a reason. If we are shipping this, we need to RPM install it. If we are not, just keep doing what you're doing.

[smarterclayton]

Is hyperkube a symlink?

[marun]

No, it is not a symlink.

[marun]

@stevekuznetsov Where are the docs for the new build mechanisms? In addition to requiring the manual installation of a bunch of dependencies via yum and imagebuilder via go get, there is apparently a dependency on being able to an authorized pull of the openshift/source image?

openshift/origin-pod: /home/dev/src/os/bin/imagebuilder
openshift/origin-pod: --> Image openshift/origin-source was not found, pulling ...
openshift/origin-pod: unable to pull image (from: openshift/origin-source, tag: latest): unauthorized: authentication required

[detiber]

@marun I needed to run hack/build-base-images.sh before I could run make release (with the same error you are seeing).

[stevekuznetsov]

@marun you should be able to divorce yourself from any dependencies with our release container:

OS_BUILD_ENV_PRESERVE="_output/local" hack/env OS_ONLY_BUILD_PLATFORMS="linux/amd64" make release

I'll open a PR to see if we can make at least some of those env vars default so you don't have to set them.

[marun]

[test]

[openshift-bot]

Evaluated for origin test up to cac7f93

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1708/) (Base Commit: 483738e)

[stevekuznetsov]

Changes LGTM

[derekwaynecarr]

LGTM

[derekwaynecarr]

[merge][severity: bug]

eparis: I'm really sorry if this does break the actual build...

[openshift-bot]

Evaluated for origin merge up to cac7f93

[detiber]

@marun seeing the following error when trying to join clusters to the federation:

I0525 02:24:42.705278       1 clustercontroller.go:122] It's a new cluster, a cluster client will be created
W0525 02:24:42.709866       1 cluster_util.go:121] error in fetching secret: User "system:serviceaccount:federation-system:federation-controller-manager" cannot get secrets in project "federation-system"
...
W0525 02:25:42.716880       1 cluster_util.go:121] error in fetching secret: User "system:serviceaccount:federation-system:federation-controller-manager" cannot get secrets in project "federation-system"
E0525 02:25:42.716908       1 clustercontroller.go:125] Failed to create cluster client, err: timed out waiting for secret: timed out waiting for the condition
I0525 02:25:42.716914       1 clustercontroller.go:163] Failed to Get the status of cluster: jdetiber-fed-us-west1-a

[detiber]

@marun I was able to resolve by running:

oc adm policy add-role-to-user admin system:serviceaccount:federation-system:federation-controller-manager -n federation-system

I suspect there are more limited permissions rather than admin that I could have added, but this unblocked my testing.

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/801/) (Base Commit: 1d30fc4) (Extended Tests: bug) (Image: devenv-rhel7_6273)

[derekwaynecarr]

woot!

[smarterclayton]

well done Maru

…

On Fri, May 26, 2017 at 10:34 AM, Derek Carr ***@***.***> wrote: woot! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14239 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p-LOXPZb461mc9S3xgdfEsYzSqCSks5r9uL5gaJpZM4Ne3vA> .

[smarterclayton]

Follow up item: the federation image is 800M of unshared layers with the rest of OpenShift (i.e. if you download origin onto a node, to get federation you have to get 800M of additional content). That sucks and we need to fix it in a follow up.