alpha to beta

cluster/config-defaults.yaml

@@ -568,6 +568,9 @@ downscaler_scale_statefulsets: "false"
 horizontal_pod_autoscaler_sync_period: "30s"
 horizontal_pod_autoscaler_tolerance: "0.1"
 horizontal_pod_downscale_stabilization: "5m0s"
+# Enable the feature Flag HPAConfigurableTolerance
+# https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#tolerance
+horizontal_pod_autoscaler_configurable_tolerance: "false"
 
 # Vertical pod autoscaler version for controlling roll-out, can be "current" or "legacy"
 # current => v1.0.0-internal.20
@@ -1105,9 +1108,6 @@ zmon_accessible_s3_buckets: ""
 # disable zmon-appliance worker tracking in Prometheus
 disable_zmon_appliance_worker_tracking: "true"
 
-# Add ClusterRole for clusters required by hyped-article-lifecycle-management controller
-hyped_article_lifecycle_management: "false"
-
 # Add ClusterRole for clusters required by business-partner and config-provider controller
 business_partner_service: "false"
 config_provider_service: "false"

cluster/manifests/02-admission-control/deployment.yaml

@@ -33,7 +33,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
       - name: admission-controller
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-274
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-277
         lifecycle:
           preStop:
             sleep:

cluster/manifests/02-routegroup/routegroup-crd.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: routegroups.zalando.org
 spec:
   group: zalando.org
@@ -96,13 +96,15 @@ spec:
                         `dynamic` - use the backend provided by filters. This allows skipper as library users to do proxy calls to a certain target from their own implementation dynamically looked up by their filters.
                         `lb` - balance the load across multiple network endpoints using specified algorithm. If algorithm is not specified it will use the default algorithm set by Skipper at start.
                         `network` - use arbitrary HTTP or HTTPS URL.
+                        `forward` - replaced by a network backend chosen by skipper -forward-backend-url.
                       enum:
                       - service
                       - shunt
                       - loopback
                       - dynamic
                       - lb
                       - network
+                      - forward
                       type: string
                   required:
                   - name

cluster/manifests/deletions.yaml

@@ -179,12 +179,6 @@ post_apply:
   name: open-policy-agent-config
   namespace: kube-system
 {{ end }}
-{{ if eq .Cluster.ConfigItems.hyped_article_lifecycle_management "false" }}
-- name: hyped-articles-lifecycle-management
-  kind: ClusterRole
-- name: hyped-articles-lifecycle-management
-  kind: ClusterRoleBinding
-{{ end }}
 {{ if eq .Cluster.ConfigItems.business_partner_service "false" }}
 - name: business-partner-service
   kind: ClusterRole

cluster/node-pools/master-default/userdata.yaml

@@ -155,7 +155,7 @@ write_files:
           - "--oidc-username-prefix=okta:"
           - --oidc-groups-claim=groups
           - "--oidc-groups-prefix=okta:"
-          - --feature-gates=HPAScaleToZero={{ .Cluster.ConfigItems.enable_hpa_scale_to_zero }},StatefulSetAutoDeletePVC={{ .Cluster.ConfigItems.enable_statefulset_autodelete_pvc }},MaxUnavailableStatefulSet={{.Cluster.ConfigItems.max_unavailable_statefulset_enabled}},KMSv1=true{{if eq .Cluster.ConfigItems.enable_image_volumes "true"}},ImageVolume=true{{end}}
+          - --feature-gates=HPAScaleToZero={{ .Cluster.ConfigItems.enable_hpa_scale_to_zero }},StatefulSetAutoDeletePVC={{ .Cluster.ConfigItems.enable_statefulset_autodelete_pvc }},MaxUnavailableStatefulSet={{.Cluster.ConfigItems.max_unavailable_statefulset_enabled}},KMSv1=true{{if eq .Cluster.ConfigItems.enable_image_volumes "true"}},ImageVolume=true{{end}}{{if eq .Cluster.ConfigItems.horizontal_pod_autoscaler_configurable_tolerance "true"}},HPAConfigurableTolerance=true{{end}}
           - --service-account-key-file=/etc/kubernetes/ssl/service-account-public-key.pem
           - --service-account-signing-key-file=/etc/kubernetes/ssl/service-account-private-key.pem
           - --service-account-issuer={{ .Cluster.APIServerURL }}
@@ -219,7 +219,7 @@ write_files:
             limits:
               memory: {{ .Values.InstanceInfo.MemoryFraction (parseInt64 .Cluster.ConfigItems.apiserver_memory_limit_percent)}}
 {{- end }}
-        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-274
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-277
           name: admission-controller
           lifecycle:
             preStop:
@@ -287,7 +287,7 @@ write_files:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
-        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-151
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-152
           name: webhook
           ports:
           - containerPort: 8081
@@ -620,7 +620,7 @@ write_files:
           - --root-ca-file=/etc/kubernetes/ssl/ca.pem
           - --cloud-provider=external
           - --cloud-config=/etc/kubernetes/cloud-config.ini
-          - --feature-gates=StatefulSetAutoDeletePVC={{ .Cluster.ConfigItems.enable_statefulset_autodelete_pvc }},MaxUnavailableStatefulSet={{.Cluster.ConfigItems.max_unavailable_statefulset_enabled}}{{if eq .Cluster.ConfigItems.enable_image_volumes "true"}},ImageVolume=true{{end}}
+          - --feature-gates=StatefulSetAutoDeletePVC={{ .Cluster.ConfigItems.enable_statefulset_autodelete_pvc }},MaxUnavailableStatefulSet={{.Cluster.ConfigItems.max_unavailable_statefulset_enabled}}{{if eq .Cluster.ConfigItems.enable_image_volumes "true"}},ImageVolume=true{{end}}{{if eq .Cluster.ConfigItems.horizontal_pod_autoscaler_configurable_tolerance "true"}},HPAConfigurableTolerance=true{{end}}
           - --use-service-account-credentials=true
           - --configure-cloud-routes=false
           - --allocate-node-cidrs=true

test/e2e/apiserver.go

@@ -30,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/framework/job"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -262,12 +263,19 @@ var _ = describe("Image Policy Tests (Pods Update Path)", func() {
 
 		By("Updating pod " + namePrefix + " in namespace " + namespace)
 
-		pod, err = cs.CoreV1().Pods(namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
-		framework.ExpectNoError(err)
+		err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			// Get the latest version of the resource
+			pod, err = cs.CoreV1().Pods(namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
 
-		pod.Spec.Containers[0].Image = compliantImage4
+			pod.Spec.Containers[0].Image = compliantImage4
 
-		_, err = cs.CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{})
+			// Try to update
+			_, err = cs.CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{})
+			return err
+		})
 		framework.ExpectNoError(err)
 
 		_, err = e2epod.WaitForPodsWithLabelRunningReady(context.TODO(), cs, namespace, appLabelSelector(appLabel), 1, waitForPodTimeout)
@@ -295,14 +303,21 @@ var _ = describe("Image Policy Tests (Pods Update Path)", func() {
 		_, err = e2epod.WaitForPodsWithLabelRunningReady(context.TODO(), cs, namespace, appLabelSelector(appLabel), 1, waitForPodTimeout)
 		framework.ExpectNoError(err)
 
-		pod, err = cs.CoreV1().Pods(namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
-		framework.ExpectNoError(err)
-
 		By("Updating pod " + namePrefix + " in namespace " + namespace)
 
-		pod.Spec.Containers[0].Image = nonCompliantImage5
+		err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			// Get the latest version of the resource
+			pod, err = cs.CoreV1().Pods(namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
+
+			pod.Spec.Containers[0].Image = nonCompliantImage5
 
-		_, err = cs.CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{})
+			// Try to update
+			_, err = cs.CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{})
+			return err
+		})
 		Expect(err).To(HaveOccurred())
 	})
 })
@@ -337,14 +352,21 @@ var _ = describe("Image Policy Tests (Pods Update Path) (when disabled)", func()
 		_, err = e2epod.WaitForPodsWithLabelRunningReady(context.TODO(), cs, namespace, appLabelSelector(appLabel), 1, waitForPodTimeout)
 		framework.ExpectNoError(err)
 
-		pod, err = cs.CoreV1().Pods(namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
-		framework.ExpectNoError(err)
-
 		By("Updating pod " + namePrefix + " in namespace " + namespace)
 
-		pod.Spec.Containers[0].Image = nonCompliantImage6
+		err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			// Get the latest version of the resource
+			pod, err = cs.CoreV1().Pods(namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
+
+			pod.Spec.Containers[0].Image = nonCompliantImage6
 
-		_, err = cs.CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{})
+			// Try to update
+			_, err = cs.CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{})
+			return err
+		})
 		framework.ExpectNoError(err)
 
 		_, err = e2epod.WaitForPodsWithLabelRunningReady(context.TODO(), cs, namespace, appLabelSelector(appLabel), 1, waitForPodTimeout)