Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Re-use private key after failed CSR
**What this PR does / why we need it**:
This fixes a regression introduced in 1.11.
If we create a new key on each CSR, if CSR fails the next attempt will
create a new one instead of reusing previous CSR.
If approver/signer don't handle CSRs as quickly as new nodes come up,
they can pile up and approver would keep handling old abandoned CSRs and
Nodes would keep timing out on startup.
**Release note**:
```release-note
NONE
```
If we create a new key on each CSR, if CSR fails the next attempt will
create a new one instead of reusing previous CSR.
If approver/signer don't handle CSRs as quickly as new nodes come up,
they can pile up and approver would keep handling old abandoned CSRs and
Nodes would keep timing out on startup.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add kms-plugin-container.manifest to release manifest tarball.
**What this PR does / why we need it**:
cluster/gce/manifests/kms-plugin-container.manifest needs to be included into the manifests' release tarball.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
dockershim/network: add dcbw to OWNERS as an approver
I've been involved with the kubelet network code, including most
of this code, for a couple years and contributed a good number
of PRs for these directories. I've also been a SIG Network
co-lead for couple years.
I've also been on the CNI maintainers team for a couple years.
```release-note
NONE
```
@freehan @thockin @kubernetes/sig-network-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 64974, 65009, 65018). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase logexporter timeout and add debug logs
Ref - https://github.com/kubernetes/kubernetes/issues/63030#issuecomment-396335294
So it seems that logexporter isn't running on too many nodes on our 5k node cluster (~40% of nodes). As a result we fallback to ssh-based copying for so many nodes which is slow and hence the job times out. My feeling is it's because of slow scheduling of logexporter pods (and hence quite some nodes didn't even get the chance to run those pods before we delete the daemonset).
/cc @wojtek-t @krzyzacy
```release-note
NONE
```
/sig scalability
/kind bug
/priority important-soon
/milestone v1.11
/status approved-for-milestone
Automatic merge from submit-queue (batch tested with PRs 64974, 65009, 65018). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
daemon: add custom node indexer
**What this PR does / why we need it**:
<img width="863" alt="screen shot 2018-06-11 at 20 54 03" src="https://user-images.githubusercontent.com/44136/41279030-ad842020-6e2b-11e8-80d4-0a71ee415d30.png">
Based on this CPU profile, it looks like a lot of CPU cycles/cores are spend by retrieving a list of **all** pods in the cluster. On large clusters with multiple daemonset this might lead to locking the shared pod informer List() of every other controller that might need it or use it.
The indexer in the PR will index the pods based on nodeName assigned for these pods. That means the amount of pods returned from the ByIndex() function is fairly small and the call should be fast.
Additionally we can also use this index to check whether a node already run the pod without listing all pods in the cluster again.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Fix small-ish bugs for v1.11
**What this PR does / why we need it**:
Fixes a bunch of bugs I noticed when I was reading the source code:
- `--cloud-provider` should also be propagated to the kubelet when converting configs from v1alpha1 to v1alpha2
- The validation for `.NodeRegistration.Name` is practically non-existent, just verifies the name isn't in upper case. Instead we currently do that validation in preflight checks, which is in the totally wrong place.
- Now that we pull images in preflight checks, the timeout for the kubelet to start the Static Pods should be kinda short, as it doesn't depend on internet connection
- I think the shorthand for `kubeadm reset --force` ought to be `-f`
- The common flags between `upgrade apply` and `upgrade plan` were registered as global flags for the `upgrade` command, although they make no sense for `upgrade diff` and/or `upgrade node config`. Hence, I moved them to be locally registered.
- Just because we vendor `glog` we have a lot of unnecessary/annoying flags registered in glog's `init()` function. Let's hide these properly.
- I saw that `kubeadm upgrade apply` doesn't write down the new kubelet config that should be used, now that is the case. Also, the CRISocket annotation information is now preserved properly on upgrade (and is configurable using the `--cri-socket` flag)
- If `kubeadm join` is run against a v1.10 cluster without the `kubelet-config-1.10` configmap, it shouldn't fail.
What I will still investigate:
- `kubeadm token create` should have a flag called `--ttl`, not `--token-ttl` as it is now (this snuck in in this dev cycle)
- That `--dry-run` works properly for `upgrade`, end to end.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 64862, 65020). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm - fix local etcd grpc gateway
**What this PR does / why we need it**:
etcd 3.2 uses the server certificate as the client cert for the grpc
gateway, this updates the generation of the etcd server certificate to
add client usage to resolve the issue.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/910
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Revert #64189: Fix Windows CNI for the sandbox case
**What this PR does / why we need it**:
This reverts PR #64189, which breaks DNS for Windows containers.
Refer https://github.com/kubernetes/kubernetes/pull/64189#issuecomment-395248704
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64861
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @madhanrm @PatrickLang @alinbalutoiu @dineshgovindasamy
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding scale error retries
**What this PR does / why we need it**:
ScaleWithRetries will retry all retryable errors, not only conflict error.
ref #63030
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
- etcd 3.2 uses the server certificate as the client cert for the grpc
gateway, this updates the generation of the etcd server certificate to
add client usage to resolve the issue.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm - set peer urls for default etcd instance
**What this PR does / why we need it**:
Override the default peer URLs for the default etcd instance. Previously we left the defaults, which meant the peer URL was unsecured previously.
**Release note**:
```release-note
kubeadm - Ensure the peer port is secured by explicitly setting the peer URLs for the default etcd instance.
kubeadm - Ensure that the etcd certificates are generated using a proper CN
kubeadm - Update generated etcd peer certificate to include localhost addresses for the default configuration.
kubeadm - Increase the manifest update timeout to make upgrades a bit more reliable.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Extended e2e/aggr test wait on sample-apiserver
**What this PR does / why we need it**:
The e2e/aggegator test usually passes. When it does it seems
to take almost 30 seconds for the sample-apiserver to start returning
2xx rather than 4xx to flunder requests. On the failing tests I looked
at it was taking almost 45 seconds for the sample-apiserver to become
healthy. I bumped the wait/timeout in the test for this case to 60
seconds. I also added a log statement to make it easier to track how
long it was taking for the sample-apiserver to come up.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63622
**Special notes for your reviewer**:
Once we have a bit more history I will log a bug for the long start up time.
We should also determine how far back we want to check compatibility.
The current test is checking 1.7.
**Release note**:
```release-note
None
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
volume: decrease memory allocations for debugging messages
**What this PR does / why we need it**:
<img width="1769" alt="screen shot 2018-06-11 at 13 15 31" src="https://user-images.githubusercontent.com/44136/41230128-ebf7233c-6d7e-11e8-899d-6251a5fde236.png">
On large clusters, where the glog is not running on V(5) using the format as: `glog.V(5).Infof(fmt.Sprintf(....))` will cause the code inside `Infof()` to be ran and generate a tons of memory allocations even if the output of those messages are not returned to the console...
This patch should reduce those calls and also the string allocations done by message generation.
**Release note**:
```release-note
NONE
```
