Updates since 2024-03-08
<PR ID>: (activity this week / total activity) summary
There were 7 Merged pull requests:
-
1503: (10/76) cluster-logging: Add LokiStack tokenized auth proposal (periklis) (OCPSTRAT-6) (OCPSTRAT-171 (AWS STS)) (OCPSTRAT-114 (Azure WIF)) (OCPSTRAT-922 (GCP WIF)) (LOG-4540 (AWS & Azure)) (LOG-4754 (GCP))
Public cloud providers offer services that allow authentication via short-lived tokens assigned to a limited set of privileges. Currently, OpenShift supports provisioning token-based authentication on all public cloud providers via the Cloud Credential Operator (CCO), i.e. AWS STS (4.14.0), Azure (4.14.11) and GCP (4.16.0).
This enhancement enables the Loki Operator to leverage CCO resources (i.e.
CredentialsRequest) and configure LokiStack instances for object storage access via token-based authentication. This improves the user experience for Red Hat OpenShift Logging users in general (especially on product offerings as ROSA and ARO) and Loki Operator users in particular and makes the approach more seamless and unified compared to other Red Hat Operators (e.g. cert manager for Red Hat OpenShift, OADP operator). -
1531: (16/172) windows-containers: WINC-1174: WinC Disconnected Support (saifshaikh48) (OCPSTRAT-619) (WINC-936)
The goal of this enhancement is to support Windows Containers in environments with restricted networks where hosts are intentionally impeded from reaching the internet, also known as disconnected or "air-gapped" clusters. Currently, Windows nodes configured by the Windows Machine Config Operator (WMCO) rely on
containerd, the OpenShift-managed container runtime, to pull workload images. Also, the WMCO today is required to make an external request outside the cluster's internal network to pull the pause image. To support disconnected environments, all images need to be pulled from air-gapped mirror registries, whether that be the OpenShift internal image registry or other private registries.There already exists a protocol for users to publish registry mirroring configuration, namely
ImageDigestMirrorSet(IDMS),ImageTagMirrorSet(ITMS) cluster resources. These are consumed by OpenShift components like the Machine Config Operator (MCO) to apply the settings to Linux control-plane and worker nodes, Windows worker nodes do not currently consume or respect mirror registry settings when pulling images. This effort will work to plug feature disparity by making the WMCO aware of mirror registry settings at operator install time and reactive during its runtime. -
1567: (4/12) network: SDN-4154:Add troubleshooting section for upgrades to OVN IC (ricky-rav) (SDN-3905)
Allow any upgrade path that proceeds via a 4.13 self-hosted or hypershift-hosted cluster to smoothly upgrade to 4.14, which features OVNK InterConnect (IC) multizone.
-
1581: (3/4) dev-guide: start dev-guide section on adding new components (dhellmann)
- 1575: (23/35) general: OKD: Switch to using Centos Stream base container images (sdodson)
- 1587: (3/7) dev-guide: WRKLDS-1066: Host port registry: Reserve 9449 port number for cli-manager (ardaguclu)
- 1592: (3/3) housekeeping: add suleymanakbas91 as team lead for edge enablement (dhellmann)
<PR ID>: (activity this week / total activity) summary
There were 5 New pull requests:
-
1593: (2/2) ingress: Set EIP for NLB Ingress controller. (miheer)
do-not-merge/work-in-progressThis enhancement allow user to set AWS EIP for the NLB default or custom ingress controller. This is a feature request to enhance the IngressController API to be able to support static IPs during:
- Install time
- Custom NLB ingress controller creation
- Reconfiguration of the router.
-
1594: (5/5) network: SDN-4604: Networking: egress IP per destination proposal (martinkennelly) (SDN-4454)
jira/valid-referenceToday, we can use an
EgressIPto describe the source IP for a pod if it selected by anEgressIPcustom resource (CR) selectors. This includes namespace and pod selectors. If multipleEgressIPCRs select the same set of pods, the behavior is undefined. This is because we cannot reliably choose which source IP to use.This enhancement proposes adding a new selector for when we want to apply the
EgressIP. This new selector will only apply theEgressIPas the source IP to a set of pods communicating with destination IP if that destination IP is within predefined network CIDRs.If the new destination traffic selector is specified for all
EgressIPCRs that selected a set of pods and the destination networks selected do not overlap, then we can allow a set of pods to have multiple source IPs depending on the destination address. -
1595: (3/3) ingress: NE-705: IngressController subnet selection in AWS (gcs278)
do-not-merge/work-in-progress, jira/valid-referenceThis enhancement extends the IngressController API to allow a user to specify custom subnets for LoadBalancer-type services for AWS. By default, AWS auto-discovers the subnets and has its own logic for tie breaking if there are multiple subnets per availability zone. This enhancement will configure the
service.beta.kubernetes.io/aws-load-balancer-subnetsannotation on the LoadBalance-type service which will manually configure the subnets for each availability zone.it consist in selecting only those subnets which: 1) belong to the VPC of the cluster, 2) belong to the cluster (have kubernetes.io/cluster/{cluster-name} tag), 3) have public or internal ELB role (tagged with kubernetes.io/role/elb or kubernetes.io/role/internal-elb)
-
1596: (49/49) oc: WRKLDS-875: Add oc login external OIDC issuer integration enhancement (ardaguclu) (WRKLDS-875)
jira/valid-referenceThis enhancement proposal describes the mechanism for how users can log in to the cluster which relies on external OIDC issuer for authentication in lieu of internal OAuth provided by OCP via
oc login. In order to achieve this, this enhancement proposal adds new command, namelyget-token, in oc that will serve as the built-in credentials exec plugin and additionally OIDC specific flags inoc loginto support this functionality. -
1597: (4/4) node-tuning: PSAP-1236: Containerize Tuned (yanirq) (PSAP-1236)
jira/valid-referenceThe proposed enhancement is to restructure cluster-node-tuning-operator (NTO) to run TuneD from a container (e.g. using podman from a systemd service) instead of running in daemon mode so TuneD will initially set defaults and hand off ownership to other services that apply tunings.
<PR ID>: (activity this week / total activity) summary
There were 24 Active pull requests:
- 1541: (70/284) microshift: USHIFT-2188: introduce microshift API Custom certs (eslutsky) (USHIFT-2101)
- 1569: (67/121) insights: Insights Rapid Recommendations proposal (tremes) (CCXDEV-12213) (CCXDEV-12285)
- 1548: (56/244) microshift: USHIFT-2089: Add router configuration options (pacevedom) (OCPSTRAT-1069)
- 1415: (31/413) ingress: NE-1129: Make ingress operator optional on HyperShift (alebedev87) (NE-1129)
- 1571: (27/74) update: Add Change Management and Maintenance Schedules (jupierce)
- 1585: (25/41) network: SDN-4433: Configurable network diagnostics pod placement (kyrtapz) (SDN-4433)
- 1588: (20/29) network: Add proposal: communication ingress flows matrix (sabinaaledort) (TELCOSTRAT-77)
- 1465: (19/298) machine-api: OCPCLOUD-1578: Add enhancement for converting Machine API resource to Cluster API (JoelSpeed)
- 1549: (14/80) etcd: ETCD-514: Add etcd size tuning (dusk125) (ETCD-514)
- 1496: (12/368) machine-config: Managing boot images via the MCO (djoshy)
- 1431: (9/226) ingress: OCPSTRAT-139: Ingress operator dashboard (jotak) (OCPSTRAT-139) (NETOBSERV-1052)
- 1515: (7/95) machine-config: on-cluster builds enhancement (cheesesashimi) (MCO-834)
- 1546: (5/28) workload-partitioning: OCPEDGE-808: feat: add ep for cpu limits with workload partitioning (eggfoobar) (OCPEDGE-57)
- 1583: (4/24) scheduling: WRKLDS-1060: Prevent User Workloads from being scheduled on Control Plane nodes (knelasevero) (OCPSTRAT-790) (WRKLDS-1015) (WRKLDS-1060)
- 1463: (4/91) network: Mutable dual-stack VIPs (mkowalski) (OCPSTRAT-178) (OPNET-340) (OPNET-80)
- 1514: (3/245) ingress: NE-761: Support for admin configured CA trust bundle in Ingress Operator (bharath-b-rh) (RFE-2182) (OCPSTRAT-431) (NE-761)
- 1524: (2/41) observability: Add multi-cluster-observability-addon proposal (periklis) (OBSDA-356) (OBSDA-393) (LOG-4539) (OBSDA-489)
- 1502: (2/82) security: Create tls-artifacts-registry enhancement (vrutkovs) (API-1603)
- 1553: (1/142) general: HOSTEDCP-1416: Hosted Control Planes ETCD Backup API (jparrill) (HOSTEDCP-1370)
- 1574: (1/3) image-registry: Use Bound Tokens for Integrated Image Registry Authentication (sanchezl)
- 1584: (1/23) insights: Insights Operator: Gather Workload Runtime Info From Containers (jmesnil)
- 1590: (12/13) network: Enhance EgressQoS CR as a generic QoS entity (pperiyasamy) (SDN-2097) (SDN-3152)
- 1589: (4/6) cluster-logging: LOG-5190: Update log forwarding input selector api (jcantrill)
- 1411: (2/39) dev-guide: Add exception to pointer guidance for structs that must be omitted (JoelSpeed)
<PR ID>: (activity this week / total activity) summary
There were 15 Idle (no comments for at least 7 days) pull requests:
- 1267: (0/241) network: vSphere IPI Support for Static IPs (rvanderp3) (OCPPLAN-9654)
- 1368: (0/65) machine-config: OCPNODE-1525: Support Evented PLEG in Openshift (sairameshv) (OCPNODE-1525)
- 1440: (0/115) network: OPNET-268: Configure-ovs Alternative (cybertron)
- 1528: (0/382) installer: Bootstrapping Clusters with CAPI Infrastructure Providers (patrickdillon)
- 1537: (0/37) cluster-logging: WIP LOG-4928: Cluster logging v2 APIs (jcantrill)
- 1540: (0/95) cluster-logging: Performance-Tuning enhancement proposal. (alanconway) (OBSDA-549)
- 1556: (0/7) general: OCP cluster pre-upgrades with Leapp (Monnte) (OAMG-10748)
- 1559: (0/50) update: OTA-1209: enhancements/update/channel-rename-generally-available: New enhancement (wking) (OCPSTRAT-1153)
- 1566: (0/42) general: observability: Add logging-stack with UI and korrel8r integration (periklis) (LOG-5114)
- 1572: (0/9) storage: STOR-1764: Add enhancement for CSI fixes in cloud-provider-azure code (bertinatto) (STOR-1764)
- 1577: (0/3) machine-config: MCO-1049: Introduces On-Cluster-Build API, machineOSBuild, and machineOSImage (cdoern) (MCO-665)
- 1578: (0/18) api-review: Add ManagedClusterVersion CRD (2uasimojo) (HIVE-2366)
- 1582: (0/3) dev-guide: Add explanation of how component-readiness gates .0 releases (deads2k)
- 1573: (0/8) general: Add a section regarding probes, in particular startupProbe (sdodson)
- 1586: (0/2) microshift: [NO-ISSUE] Specify kube-apiserver behavior when maxsize is 0 (copejon) (USHIFT-2196)
<PR ID>: (activity this week / total activity) summary
There were 10 With lifecycle/stale or lifecycle/rotten pull requests:
- 1298: (1/295) monitoring: Metrics collection profiles (JoaoBraveCoding)
- 1424: (1/19) dev-guide: Add a continuous Kubernetes rebase proposal (bertinatto)
- 1436: (1/254) dns: NE-1325: External DNS Operator support for Shared VPCs (gcs278)
- 1468: (1/90) installer: CORS-2062: Customer configured DNS for cloud platforms AWS, Azure and GCP (sadasu) (CORS-1874)
- 1492: (1/46) update: OTA-1029: Add CVO Log level API (Davoska) (OTA-1029)
- 1506: (5/158) machine-api: [OSD-15261] CPMS: allow automatic vertical scaling. (bergmannf) (OSD-15261)
- 1509: (1/15) network: SDN-4114: initial iptables-deprecation-alerter proposal (danwinship) (SDN-4114)
- 1525: (1/127) machine-config: MCO-507: admin defined node disruption policy enhancement (yuqi-zhang) (RFE-4079)