diff --git a/README.md b/README.md index 59b7e99d8..40dc74502 100644 --- a/README.md +++ b/README.md @@ -123,12 +123,9 @@ vagrant up - [Fedora CoreOS bootstrap](docs/operating_systems/fcos.md) - [openSUSE setup](docs/operating_systems/opensuse.md) - [Downloaded artifacts](docs/advanced/downloads.md) -- [Cloud providers](docs/cloud_providers/cloud.md) -- [OpenStack](docs/cloud_providers/openstack.md) -- [AWS](docs/cloud_providers/aws.md) -- [Azure](docs/cloud_providers/azure.md) -- [vSphere](docs/cloud_providers/vsphere.md) - [Equinix Metal](docs/cloud_providers/equinix-metal.md) +- [OpenStack](docs/cloud_controllers/openstack.md) +- [vSphere](docs/cloud_controllerss/vsphere.md) - [Large deployments](docs/operations/large-deployments.md) - [Adding/replacing a node](docs/operations/nodes.md) - [Upgrades basics](docs/operations/upgrades.md) diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md index f9ba8aa4f..a8e7cb8f2 100644 --- a/contrib/terraform/openstack/README.md +++ b/contrib/terraform/openstack/README.md @@ -620,7 +620,7 @@ Edit `inventory/$CLUSTER/group_vars/k8s_cluster/k8s_cluster.yml`: - Set variable **kube_network_plugin** to your desired networking plugin. - **flannel** works out-of-the-box - - **calico** requires [configuring OpenStack Neutron ports](/docs/cloud_providers/openstack.md) to allow service and pod subnets + - **calico** requires [configuring OpenStack Neutron ports](/docs/cloud_controllers/openstack.md) to allow service and pod subnets ```yml # Choose network plugin (calico, weave or flannel) diff --git a/docs/_sidebar.md b/docs/_sidebar.md index e0a5bab87..d30ec2a37 100644 --- a/docs/_sidebar.md +++ b/docs/_sidebar.md @@ -15,13 +15,14 @@ * [Ansible](/docs/ansible/ansible.md) * [Ansible Collection](/docs/ansible/ansible_collection.md) * [Vars](/docs/ansible/vars.md) +* Cloud Controllers + * [Openstack](/docs/cloud_controllers/openstack.md) + * [Vsphere](/docs/cloud_controllers/vsphere.md) * Cloud Providers * [Aws](/docs/cloud_providers/aws.md) * [Azure](/docs/cloud_providers/azure.md) * [Cloud](/docs/cloud_providers/cloud.md) * [Equinix-metal](/docs/cloud_providers/equinix-metal.md) - * [Openstack](/docs/cloud_providers/openstack.md) - * [Vsphere](/docs/cloud_providers/vsphere.md) * CNI * [Calico](/docs/CNI/calico.md) * [Cilium](/docs/CNI/cilium.md) diff --git a/docs/advanced/gcp-lb.md b/docs/advanced/gcp-lb.md index 8e8f8c427..80369186a 100644 --- a/docs/advanced/gcp-lb.md +++ b/docs/advanced/gcp-lb.md @@ -1,5 +1,7 @@ # GCP Load Balancers for type=LoadBalacer of Kubernetes Services +> **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider) + Google Cloud Platform can be used for creation of Kubernetes Service Load Balancer. This feature is able to deliver by adding parameters to `kube-controller-manager` and `kubelet`. You need specify: diff --git a/docs/ansible/vars.md b/docs/ansible/vars.md index 9d91894be..2ad0b0c68 100644 --- a/docs/ansible/vars.md +++ b/docs/ansible/vars.md @@ -104,8 +104,7 @@ following default cluster parameters: * *enable_coredns_k8s_endpoint_pod_names* - If enabled, it configures endpoint_pod_names option for kubernetes plugin. on the CoreDNS service. -* *cloud_provider* - Enable extra Kubelet option if operating inside GCE or - OpenStack (default is unset) +* *cloud_provider* - The provider for cloud services. (default is unset, Set to `external` for running with an external cloud provider) * *kube_feature_gates* - A list of key=value pairs that describe feature gates for alpha/experimental Kubernetes features. (defaults is `[]`). diff --git a/docs/cloud_providers/openstack.md b/docs/cloud_controllers/openstack.md similarity index 100% rename from docs/cloud_providers/openstack.md rename to docs/cloud_controllers/openstack.md diff --git a/docs/cloud_providers/vsphere.md b/docs/cloud_controllers/vsphere.md similarity index 100% rename from docs/cloud_providers/vsphere.md rename to docs/cloud_controllers/vsphere.md diff --git a/docs/cloud_providers/aws.md b/docs/cloud_providers/aws.md index 45938980c..41706fdd5 100644 --- a/docs/cloud_providers/aws.md +++ b/docs/cloud_providers/aws.md @@ -1,5 +1,7 @@ # AWS +> **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider) + To deploy kubespray on [AWS](https://aws.amazon.com/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`. Refer to the [Kubespray Configuration](#kubespray-configuration) for customizing the provider. Prior to creating your instances, you **must** ensure that you have created IAM roles and policies for both "kubernetes-master" and "kubernetes-node". You can find the IAM policies [here](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/aws_iam/). See the [IAM Documentation](https://aws.amazon.com/documentation/iam/) if guidance is needed on how to set these up. When you bring your instances online, associate them with the respective IAM role. Nodes that are only to be used for Etcd do not need a role. diff --git a/docs/cloud_providers/azure.md b/docs/cloud_providers/azure.md index a164ea757..50d2f1d1c 100644 --- a/docs/cloud_providers/azure.md +++ b/docs/cloud_providers/azure.md @@ -1,5 +1,7 @@ # Azure +> **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider) + To deploy Kubernetes on [Azure](https://azure.microsoft.com) uncomment the `cloud_provider` option in `group_vars/all/all.yml` and set it to `'azure'`. All your instances are required to run in a resource group and a routing table has to be attached to the subnet your instances are in. diff --git a/docs/cloud_providers/cloud.md b/docs/cloud_providers/cloud.md index d7fcfef7f..d88a3aecc 100644 --- a/docs/cloud_providers/cloud.md +++ b/docs/cloud_providers/cloud.md @@ -1,5 +1,7 @@ # Cloud providers +> **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider) + ## Provisioning You can deploy instances in your cloud environment in several ways. Examples include Terraform, Ansible (ec2 and gce modules), and manual creation. diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml index 5ada833c1..1a34ff7a6 100644 --- a/inventory/sample/group_vars/all/all.yml +++ b/inventory/sample/group_vars/all/all.yml @@ -42,9 +42,7 @@ loadbalancer_apiserver_healthcheck_port: 8081 ## There are some changes specific to the cloud providers ## for instance we need to encapsulate packets with some network plugins -## If set the possible values are either 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', or 'external' -## When openstack is used make sure to source in the openstack credentials -## like you would do when using openstack-client before starting the playbook. +## If set the possible values only 'external' after K8s v1.31. # cloud_provider: ## When cloud_provider is set to 'external', you can set the cloud controller to deploy diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml index 5a6f6375a..9639879db 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml @@ -140,11 +140,7 @@ kube_proxy_nodeport_addresses: >- {%- endif -%} # If non-empty, will use this string as identification instead of the actual hostname -# kube_override_hostname: >- -# {%- if cloud_provider is defined and cloud_provider in ['aws'] -%} -# {%- else -%} -# {{ inventory_hostname }} -# {%- endif -%} +# kube_override_hostname: {{ inventory_hostname }} ## Encrypting Secret Data at Rest kube_encrypt_secret_data: false diff --git a/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml b/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml deleted file mode 100644 index 9d7ddf01d..000000000 --- a/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -oci_security_list_management: All -oci_use_instance_principals: false -oci_cloud_controller_version: 0.7.0 -oci_cloud_controller_pull_source: iad.ocir.io/oracle/cloud-provider-oci diff --git a/roles/kubernetes-apps/cloud_controller/oci/tasks/credentials-check.yml b/roles/kubernetes-apps/cloud_controller/oci/tasks/credentials-check.yml deleted file mode 100644 index 9eb87949d..000000000 --- a/roles/kubernetes-apps/cloud_controller/oci/tasks/credentials-check.yml +++ /dev/null @@ -1,67 +0,0 @@ ---- - -- name: "OCI Cloud Controller | Credentials Check | oci_private_key" - fail: - msg: "oci_private_key is missing" - when: - - not oci_use_instance_principals - - oci_private_key is not defined or not oci_private_key - -- name: "OCI Cloud Controller | Credentials Check | oci_region_id" - fail: - msg: "oci_region_id is missing" - when: - - not oci_use_instance_principals - - oci_region_id is not defined or not oci_region_id - -- name: "OCI Cloud Controller | Credentials Check | oci_tenancy_id" - fail: - msg: "oci_tenancy_id is missing" - when: - - not oci_use_instance_principals - - oci_tenancy_id is not defined or not oci_tenancy_id - -- name: "OCI Cloud Controller | Credentials Check | oci_user_id" - fail: - msg: "oci_user_id is missing" - when: - - not oci_use_instance_principals - - oci_user_id is not defined or not oci_user_id - -- name: "OCI Cloud Controller | Credentials Check | oci_user_fingerprint" - fail: - msg: "oci_user_fingerprint is missing" - when: - - not oci_use_instance_principals - - oci_user_fingerprint is not defined or not oci_user_fingerprint - -- name: "OCI Cloud Controller | Credentials Check | oci_compartment_id" - fail: - msg: "oci_compartment_id is missing. This is the compartment in which the cluster resides" - when: - - oci_compartment_id is not defined or not oci_compartment_id - -- name: "OCI Cloud Controller | Credentials Check | oci_vnc_id" - fail: - msg: "oci_vnc_id is missing. This is the Virtual Cloud Network in which the cluster resides" - when: - - oci_vnc_id is not defined or not oci_vnc_id - -- name: "OCI Cloud Controller | Credentials Check | oci_subnet1_id" - fail: - msg: "oci_subnet1_id is missingg. This is the first subnet to which loadbalancers will be added" - when: - - oci_subnet1_id is not defined or not oci_subnet1_id - -- name: "OCI Cloud Controller | Credentials Check | oci_subnet2_id" - fail: - msg: "oci_subnet2_id is missing. Two subnets are required for load balancer high availability" - when: - - oci_cloud_controller_version is version_compare('0.7.0', '<') - - oci_subnet2_id is not defined or not oci_subnet2_id - -- name: "OCI Cloud Controller | Credentials Check | oci_security_list_management" - fail: - msg: "oci_security_list_management is missing, or not defined correctly. Valid options are (All, Frontend, None)." - when: - - oci_security_list_management is not defined or oci_security_list_management not in ["All", "Frontend", "None"] diff --git a/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml b/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml deleted file mode 100644 index a5913ecc7..000000000 --- a/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: OCI Cloud Controller | Check Oracle Cloud credentials - import_tasks: credentials-check.yml - -- name: "OCI Cloud Controller | Generate Cloud Provider Configuration" - template: - src: controller-manager-config.yml.j2 - dest: "{{ kube_config_dir }}/controller-manager-config.yml" - mode: "0644" - when: inventory_hostname == groups['kube_control_plane'][0] - -- name: "OCI Cloud Controller | Slurp Configuration" - slurp: - src: "{{ kube_config_dir }}/controller-manager-config.yml" - register: controller_manager_config - -- name: "OCI Cloud Controller | Encode Configuration" - set_fact: - controller_manager_config_base64: "{{ controller_manager_config.content }}" - when: inventory_hostname == groups['kube_control_plane'][0] - -- name: "OCI Cloud Controller | Generate Manifests" - template: - src: oci-cloud-provider.yml.j2 - dest: "{{ kube_config_dir }}/oci-cloud-provider.yml" - mode: "0644" - when: inventory_hostname == groups['kube_control_plane'][0] - -- name: "OCI Cloud Controller | Apply Manifests" - kube: - kubectl: "{{ bin_dir }}/kubectl" - filename: "{{ kube_config_dir }}/oci-cloud-provider.yml" - state: latest - when: inventory_hostname == groups['kube_control_plane'][0] diff --git a/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 b/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 deleted file mode 100644 index d585de1f0..000000000 --- a/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 +++ /dev/null @@ -1,89 +0,0 @@ -{% macro private_key() %}{{ oci_private_key }}{% endmacro %} - -{% if oci_use_instance_principals %} - # (https://docs.us-phoenix-1.oraclecloud.com/Content/Identity/Tasks/callingservicesfrominstances.htm). - # Ensure you have setup the following OCI policies and your kubernetes nodes are running within them - # allow dynamic-group [your dynamic group name] to read instance-family in compartment [your compartment name] - # allow dynamic-group [your dynamic group name] to use virtual-network-family in compartment [your compartment name] - # allow dynamic-group [your dynamic group name] to manage load-balancers in compartment [your compartment name] -useInstancePrincipals: true -{% else %} -useInstancePrincipals: false -{% endif %} - -auth: - -{% if oci_use_instance_principals %} - # This key is put here too for backwards compatibility - useInstancePrincipals: true -{% else %} - useInstancePrincipals: false - - region: {{ oci_region_id }} - tenancy: {{ oci_tenancy_id }} - user: {{ oci_user_id }} - key: | - {{ oci_private_key }} - - {% if oci_private_key_passphrase is defined %} - passphrase: {{ oci_private_key_passphrase }} - {% endif %} - - - fingerprint: {{ oci_user_fingerprint }} -{% endif %} - -# compartment configures Compartment within which the cluster resides. -compartment: {{ oci_compartment_id }} - -# vcn configures the Virtual Cloud Network (VCN) within which the cluster resides. -vcn: {{ oci_vnc_id }} - -loadBalancer: - # subnet1 configures one of two subnets to which load balancers will be added. - # OCI load balancers require two subnets to ensure high availability. - subnet1: {{ oci_subnet1_id }} -{% if oci_subnet2_id is defined %} - # subnet2 configures the second of two subnets to which load balancers will be - # added. OCI load balancers require two subnets to ensure high availability. - subnet2: {{ oci_subnet2_id }} -{% endif %} - # SecurityListManagementMode configures how security lists are managed by the CCM. - # "All" (default): Manage all required security list rules for load balancer services. - # "Frontend": Manage only security list rules for ingress to the load - # balancer. Requires that the user has setup a rule that - # allows inbound traffic to the appropriate ports for kube - # proxy health port, node port ranges, and health check port ranges. - # E.g. 10.82.0.0/16 30000-32000. - # "None": Disables all security list management. Requires that the - # user has setup a rule that allows inbound traffic to the - # appropriate ports for kube proxy health port, node port - # ranges, and health check port ranges. E.g. 10.82.0.0/16 30000-32000. - # Additionally requires the user to mange rules to allow - # inbound traffic to load balancers. - securityListManagementMode: {{ oci_security_list_management }} - -{% if oci_security_lists is defined and oci_security_lists | length > 0 %} - # Optional specification of which security lists to modify per subnet. This does not apply if security list management is off. - securityLists: -{% for subnet_ocid, list_ocid in oci_security_lists.items() %} - {{ subnet_ocid }}: {{ list_ocid }} -{% endfor %} -{% endif %} - -{% if oci_rate_limit is defined and oci_rate_limit | length > 0 %} -# Optional rate limit controls for accessing OCI API -rateLimiter: -{% if oci_rate_limit.rate_limit_qps_read %} - rateLimitQPSRead: {{ oci_rate_limit.rate_limit_qps_read }} -{% endif %} -{% if oci_rate_limit.rate_limit_qps_write %} - rateLimitQPSWrite: {{ oci_rate_limit.rate_limit_qps_write }} -{% endif %} -{% if oci_rate_limit.rate_limit_bucket_read %} - rateLimitBucketRead: {{ oci_rate_limit.rate_limit_bucket_read }} -{% endif %} -{% if oci_rate_limit.rate_limit_bucket_write %} - rateLimitBucketWrite: {{ oci_rate_limit.rate_limit_bucket_write }} -{% endif %} -{% endif %} diff --git a/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2 b/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2 deleted file mode 100644 index e1fc11d21..000000000 --- a/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2 +++ /dev/null @@ -1,69 +0,0 @@ -apiVersion: v1 -data: - cloud-provider.yaml: {{ controller_manager_config_base64 }} -kind: Secret -metadata: - name: oci-cloud-controller-manager - namespace: kube-system -type: Opaque - ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: oci-cloud-controller-manager - namespace: kube-system - labels: - k8s-app: oci-cloud-controller-manager -spec: - selector: - matchLabels: - component: oci-cloud-controller-manager - tier: control-plane - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - component: oci-cloud-controller-manager - tier: control-plane - spec: -{% if oci_cloud_controller_pull_secret is defined %} - imagePullSecrets: - - name: {{ oci_cloud_controller_pull_secret }} -{% endif %} - serviceAccountName: cloud-controller-manager - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - volumes: - - name: cfg - secret: - secretName: oci-cloud-controller-manager - - name: kubernetes - hostPath: - path: /etc/kubernetes - containers: - - name: oci-cloud-controller-manager - image: {{ oci_cloud_controller_pull_source }}:{{ oci_cloud_controller_version }} - command: ["/usr/local/bin/oci-cloud-controller-manager"] - args: - - --cloud-config=/etc/oci/cloud-provider.yaml - - --cloud-provider=oci - - --leader-elect-resource-lock=configmaps - - -v=2 - volumeMounts: - - name: cfg - mountPath: /etc/oci - readOnly: true - - name: kubernetes - mountPath: /etc/kubernetes - readOnly: true diff --git a/roles/kubernetes-apps/cluster_roles/files/oci-rbac.yml b/roles/kubernetes-apps/cluster_roles/files/oci-rbac.yml deleted file mode 100644 index 5e3b82bfb..000000000 --- a/roles/kubernetes-apps/cluster_roles/files/oci-rbac.yml +++ /dev/null @@ -1,124 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cloud-controller-manager - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:cloud-controller-manager -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - '*' - -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - -- apiGroups: - - "" - resources: - - services - verbs: - - list - - watch - - patch - -- apiGroups: - - "" - resources: - - services/status - verbs: - - update - -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - -# For leader election -- apiGroups: - - "" - resources: - - endpoints - verbs: - - create - -- apiGroups: - - "" - resources: - - endpoints - resourceNames: - - "cloud-controller-manager" - verbs: - - get - - list - - watch - - update - -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - -- apiGroups: - - "" - resources: - - configmaps - resourceNames: - - "cloud-controller-manager" - verbs: - - get - - update - -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - -# For the PVL -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - list - - watch - - patch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: oci-cloud-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:cloud-controller-manager -subjects: -- kind: ServiceAccount - name: cloud-controller-manager - namespace: kube-system diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml index ef4737eac..bbb53a399 100644 --- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml +++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml @@ -59,13 +59,6 @@ - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook -- name: Configure Oracle Cloud provider - include_tasks: oci.yml - tags: oci - when: - - cloud_provider is defined - - cloud_provider == 'oci' - - name: PriorityClass | Copy k8s-cluster-critical-pc.yml file copy: src: k8s-cluster-critical-pc.yml diff --git a/roles/kubernetes-apps/cluster_roles/tasks/oci.yml b/roles/kubernetes-apps/cluster_roles/tasks/oci.yml deleted file mode 100644 index e5bef6701..000000000 --- a/roles/kubernetes-apps/cluster_roles/tasks/oci.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Copy OCI RBAC Manifest - copy: - src: "oci-rbac.yml" - dest: "{{ kube_config_dir }}/oci-rbac.yml" - mode: "0640" - when: - - cloud_provider is defined - - cloud_provider == 'oci' - - inventory_hostname == groups['kube_control_plane'][0] - -- name: Apply OCI RBAC - kube: - kubectl: "{{ bin_dir }}/kubectl" - filename: "{{ kube_config_dir }}/oci-rbac.yml" - when: - - cloud_provider is defined - - cloud_provider == 'oci' - - inventory_hostname == groups['kube_control_plane'][0] diff --git a/roles/kubernetes-apps/external_cloud_controller/meta/main.yml b/roles/kubernetes-apps/external_cloud_controller/meta/main.yml index 468fae8eb..fffd57a32 100644 --- a/roles/kubernetes-apps/external_cloud_controller/meta/main.yml +++ b/roles/kubernetes-apps/external_cloud_controller/meta/main.yml @@ -2,9 +2,7 @@ dependencies: - role: kubernetes-apps/external_cloud_controller/openstack when: - - cloud_provider is defined - cloud_provider == "external" - - external_cloud_provider is defined - external_cloud_provider == "openstack" - inventory_hostname == groups['kube_control_plane'][0] tags: @@ -12,9 +10,7 @@ dependencies: - external-openstack - role: kubernetes-apps/external_cloud_controller/vsphere when: - - cloud_provider is defined - cloud_provider == "external" - - external_cloud_provider is defined - external_cloud_provider == "vsphere" - inventory_hostname == groups['kube_control_plane'][0] tags: @@ -22,9 +18,7 @@ dependencies: - external-vsphere - role: kubernetes-apps/external_cloud_controller/hcloud when: - - cloud_provider is defined - cloud_provider == "external" - - external_cloud_provider is defined - external_cloud_provider == "hcloud" - inventory_hostname == groups['kube_control_plane'][0] tags: @@ -32,9 +26,7 @@ dependencies: - external-hcloud - role: kubernetes-apps/external_cloud_controller/huaweicloud when: - - cloud_provider is defined - cloud_provider == "external" - - external_cloud_provider is defined - external_cloud_provider == "huaweicloud" - inventory_hostname == groups['kube_control_plane'][0] tags: @@ -42,9 +34,7 @@ dependencies: - external-huaweicloud - role: kubernetes-apps/external_cloud_controller/oci when: - - cloud_provider is defined - cloud_provider == "external" - - external_cloud_provider is defined - external_cloud_provider == "oci" - inventory_hostname == groups['kube_control_plane'][0] tags: diff --git a/roles/kubernetes-apps/meta/main.yml b/roles/kubernetes-apps/meta/main.yml index 37bd10921..af69da415 100644 --- a/roles/kubernetes-apps/meta/main.yml +++ b/roles/kubernetes-apps/meta/main.yml @@ -103,14 +103,6 @@ dependencies: tags: - container_engine_accelerator - - role: kubernetes-apps/cloud_controller/oci - when: - - cloud_provider is defined - - cloud_provider == "oci" - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - oci - - role: kubernetes-apps/gateway_api when: - gateway_api_enabled diff --git a/roles/kubernetes-apps/persistent_volumes/meta/main.yml b/roles/kubernetes-apps/persistent_volumes/meta/main.yml index e3066bb62..8cc9e69f2 100644 --- a/roles/kubernetes-apps/persistent_volumes/meta/main.yml +++ b/roles/kubernetes-apps/persistent_volumes/meta/main.yml @@ -1,12 +1,5 @@ --- dependencies: - - role: kubernetes-apps/persistent_volumes/openstack - when: - - cloud_provider is defined - - cloud_provider in [ 'openstack' ] - tags: - - persistent_volumes_openstack - - role: kubernetes-apps/persistent_volumes/cinder-csi when: - cinder_csi_enabled diff --git a/roles/kubernetes-apps/persistent_volumes/openstack/defaults/main.yml b/roles/kubernetes-apps/persistent_volumes/openstack/defaults/main.yml deleted file mode 100644 index 05a3d944e..000000000 --- a/roles/kubernetes-apps/persistent_volumes/openstack/defaults/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -persistent_volumes_enabled: false -storage_classes: - - name: standard - is_default: true - parameters: - availability: nova diff --git a/roles/kubernetes-apps/persistent_volumes/openstack/tasks/main.yml b/roles/kubernetes-apps/persistent_volumes/openstack/tasks/main.yml deleted file mode 100644 index 90b3ad7f4..000000000 --- a/roles/kubernetes-apps/persistent_volumes/openstack/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Kubernetes Persistent Volumes | Lay down OpenStack Cinder Storage Class template - template: - src: "openstack-storage-class.yml.j2" - dest: "{{ kube_config_dir }}/openstack-storage-class.yml" - mode: "0644" - register: manifests - when: - - inventory_hostname == groups['kube_control_plane'][0] - -- name: Kubernetes Persistent Volumes | Add OpenStack Cinder Storage Class - kube: - name: storage-class - kubectl: "{{ bin_dir }}/kubectl" - resource: StorageClass - filename: "{{ kube_config_dir }}/openstack-storage-class.yml" - state: "latest" - when: - - inventory_hostname == groups['kube_control_plane'][0] - - manifests.changed diff --git a/roles/kubernetes-apps/persistent_volumes/openstack/templates/openstack-storage-class.yml.j2 b/roles/kubernetes-apps/persistent_volumes/openstack/templates/openstack-storage-class.yml.j2 deleted file mode 100644 index 973353c4c..000000000 --- a/roles/kubernetes-apps/persistent_volumes/openstack/templates/openstack-storage-class.yml.j2 +++ /dev/null @@ -1,27 +0,0 @@ -{% for class in storage_classes %} ---- -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: "{{ class.name }}" - annotations: - storageclass.kubernetes.io/is-default-class: "{{ class.is_default | default(false) | ternary("true","false") }}" -provisioner: kubernetes.io/cinder -{% if class.mount_options is defined %} -mountOptions: -{% for option in class.mount_options | default([]) %} - - "{{ option }}" -{% endfor %} -{% endif %} -parameters: -{% for key, value in (class.parameters | default({})).items() %} - "{{ key }}": "{{ value }}" -{% endfor %} -{% if class.reclaim_policy is defined %} -reclaimPolicy: "{{ class.reclaim_policy }}" -{% endif %} -{% if class.volume_binding_mode is defined %} -volumeBindingMode: "{{ class.volume_binding_mode }}" -{% endif %} -allowVolumeExpansion: {{ expand_persistent_volumes }} -{% endfor %} diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index 30b71b149..d3a28bc21 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -184,13 +184,6 @@ kube_encryption_algorithm: "secretbox" # Which kubernetes resources to encrypt kube_encryption_resources: [secrets] -# If non-empty, will use this string as identification instead of the actual hostname -kube_override_hostname: >- - {%- if cloud_provider is defined and cloud_provider in ['aws'] -%} - {%- else -%} - {{ inventory_hostname }} - {%- endif -%} - secrets_encryption_query: "resources[*].providers[0].{{ kube_encryption_algorithm }}.keys[0].secret" ## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 index f8c32c448..123a68ad5 100644 --- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 +++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 @@ -24,7 +24,7 @@ nodeRegistration: taints: [] {% endif %} criSocket: {{ cri_socket }} -{% if cloud_provider is defined and cloud_provider in ["external"] %} +{% if cloud_provider == "external" %} kubeletExtraArgs: cloud-provider: external {% endif %} @@ -210,10 +210,6 @@ apiServer: {% if kube_apiserver_feature_gates or kube_feature_gates %} feature-gates: "{{ kube_apiserver_feature_gates | default(kube_feature_gates, true) | join(',') }}" {% endif %} -{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %} - cloud-provider: {{ cloud_provider }} - cloud-config: {{ kube_config_dir }}/cloud_config -{% endif %} {% if tls_min_version is defined %} tls-min-version: {{ tls_min_version }} {% endif %} @@ -230,13 +226,8 @@ apiServer: {% if kube_apiserver_tracing %} tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml {% endif %} -{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs | length %} +{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %} extraVolumes: -{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %} - - name: cloud-config - hostPath: {{ kube_config_dir }}/cloud_config - mountPath: {{ kube_config_dir }}/cloud_config -{% endif %} {% if kube_token_auth %} - name: token-auth-config hostPath: {{ kube_token_dir }} @@ -326,10 +317,6 @@ controllerManager: {% for key in kube_kubeadm_controller_extra_args %} {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}" {% endfor %} -{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %} - cloud-provider: {{ cloud_provider }} - cloud-config: {{ kube_config_dir }}/cloud_config -{% endif %} {% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %} configure-cloud-routes: "false" {% endif %} @@ -343,18 +330,8 @@ controllerManager: tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %} {% endif %} -{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] or controller_manager_extra_volumes %} +{% if controller_manager_extra_volumes %} extraVolumes: -{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %} - - name: openstackcacert - hostPath: "{{ kube_config_dir }}/openstack-cacert.pem" - mountPath: "{{ kube_config_dir }}/openstack-cacert.pem" -{% endif %} -{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %} - - name: cloud-config - hostPath: {{ kube_config_dir }}/cloud_config - mountPath: {{ kube_config_dir }}/cloud_config -{% endif %} {% for volume in controller_manager_extra_volumes %} - name: {{ volume.name }} hostPath: {{ volume.hostPath }} diff --git a/roles/kubernetes/kubeadm/defaults/main.yml b/roles/kubernetes/kubeadm/defaults/main.yml index 5047de509..8f5111937 100644 --- a/roles/kubernetes/kubeadm/defaults/main.yml +++ b/roles/kubernetes/kubeadm/defaults/main.yml @@ -6,10 +6,3 @@ kubeadm_join_timeout: 120s # Enable kubeadm file discovery if anonymous access has been removed kubeadm_use_file_discovery: "{{ remove_anonymous_access }}" - -# If non-empty, will use this string as identification instead of the actual hostname -kube_override_hostname: >- - {%- if cloud_provider is defined and cloud_provider in ['aws'] -%} - {%- else -%} - {{ inventory_hostname }} - {%- endif -%} diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index d37878840..c51e00f0e 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -134,13 +134,6 @@ kubelet_logfiles_max_size: 10Mi ## Support custom flags to be passed to kubelet kubelet_custom_flags: [] -# If non-empty, will use this string as identification instead of the actual hostname -kube_override_hostname: >- - {%- if cloud_provider is defined and cloud_provider in ['aws'] -%} - {%- else -%} - {{ inventory_hostname }} - {%- endif -%} - # The read-only port for the Kubelet to serve on with no authentication/authorization. kube_read_only_port: 0 @@ -153,61 +146,6 @@ kubelet_healthz_bind_address: 127.0.0.1 # sysctl_file_path to add sysctl conf to sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf" -# For the openstack integration kubelet will need credentials to access -# openstack apis like nova and cinder. Per default this values will be -# read from the environment. -openstack_auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}" -openstack_username: "{{ lookup('env', 'OS_USERNAME') }}" -openstack_password: "{{ lookup('env', 'OS_PASSWORD') }}" -openstack_region: "{{ lookup('env', 'OS_REGION_NAME') }}" -openstack_tenant_id: "{{ lookup('env', 'OS_TENANT_ID') | default(lookup('env', 'OS_PROJECT_ID') | default(lookup('env', 'OS_PROJECT_NAME'), true), true) }}" -openstack_tenant_name: "{{ lookup('env', 'OS_TENANT_NAME') }}" -openstack_domain_name: "{{ lookup('env', 'OS_USER_DOMAIN_NAME') }}" -openstack_domain_id: "{{ lookup('env', 'OS_USER_DOMAIN_ID') }}" - -# For the vsphere integration, kubelet will need credentials to access -# vsphere apis -# Documentation regarding these values can be found -# https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/vsphere/vsphere.go#L105 -vsphere_vcenter_ip: "{{ lookup('env', 'VSPHERE_VCENTER') }}" -vsphere_vcenter_port: "{{ lookup('env', 'VSPHERE_VCENTER_PORT') }}" -vsphere_user: "{{ lookup('env', 'VSPHERE_USER') }}" -vsphere_password: "{{ lookup('env', 'VSPHERE_PASSWORD') }}" -vsphere_datacenter: "{{ lookup('env', 'VSPHERE_DATACENTER') }}" -vsphere_datastore: "{{ lookup('env', 'VSPHERE_DATASTORE') }}" -vsphere_working_dir: "{{ lookup('env', 'VSPHERE_WORKING_DIR') }}" -vsphere_insecure: "{{ lookup('env', 'VSPHERE_INSECURE') }}" -vsphere_resource_pool: "{{ lookup('env', 'VSPHERE_RESOURCE_POOL') }}" - -vsphere_scsi_controller_type: pvscsi -# vsphere_public_network is name of the network the VMs are joined to -vsphere_public_network: "{{ lookup('env', 'VSPHERE_PUBLIC_NETWORK') | default('') }}" - -## When azure is used, you need to also set the following variables. -## see docs/azure.md for details on how to get these values -# azure_tenant_id: -# azure_subscription_id: -# azure_aad_client_id: -# azure_aad_client_secret: -# azure_resource_group: -# azure_location: -# azure_subnet_name: -# azure_security_group_name: -# azure_vnet_name: -# azure_route_table_name: -# supported values are 'standard' or 'vmss' -# azure_vmtype: standard -# Sku of Load Balancer and Public IP. Candidate values are: basic and standard. -azure_loadbalancer_sku: basic -# excludes control plane nodes from standard load balancer. -azure_exclude_master_from_standard_lb: true -# disables the outbound SNAT for public load balancer rules -azure_disable_outbound_snat: false -# use instance metadata service where possible -azure_use_instance_metadata: true -# use specific Azure API endpoints -azure_cloud: AzurePublicCloud - ## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. # tls_min_version: "" diff --git a/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml b/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml deleted file mode 100644 index c5d603084..000000000 --- a/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml +++ /dev/null @@ -1,82 +0,0 @@ ---- -- name: Check azure_tenant_id value - fail: - msg: "azure_tenant_id is missing" - when: azure_tenant_id is not defined or not azure_tenant_id - -- name: Check azure_subscription_id value - fail: - msg: "azure_subscription_id is missing" - when: azure_subscription_id is not defined or not azure_subscription_id - -- name: Check azure_aad_client_id value - fail: - msg: "azure_aad_client_id is missing" - when: azure_aad_client_id is not defined or not azure_aad_client_id - -- name: Check azure_aad_client_secret value - fail: - msg: "azure_aad_client_secret is missing" - when: azure_aad_client_secret is not defined or not azure_aad_client_secret - -- name: Check azure_resource_group value - fail: - msg: "azure_resource_group is missing" - when: azure_resource_group is not defined or not azure_resource_group - -- name: Check azure_location value - fail: - msg: "azure_location is missing" - when: azure_location is not defined or not azure_location - -- name: Check azure_subnet_name value - fail: - msg: "azure_subnet_name is missing" - when: azure_subnet_name is not defined or not azure_subnet_name - -- name: Check azure_security_group_name value - fail: - msg: "azure_security_group_name is missing" - when: azure_security_group_name is not defined or not azure_security_group_name - -- name: Check azure_vnet_name value - fail: - msg: "azure_vnet_name is missing" - when: azure_vnet_name is not defined or not azure_vnet_name - -- name: Check azure_vnet_resource_group value - fail: - msg: "azure_vnet_resource_group is missing" - when: azure_vnet_resource_group is not defined or not azure_vnet_resource_group - -- name: Check azure_route_table_name value - fail: - msg: "azure_route_table_name is missing" - when: azure_route_table_name is not defined or not azure_route_table_name - -- name: Check azure_loadbalancer_sku value - fail: - msg: "azure_loadbalancer_sku has an invalid value '{{ azure_loadbalancer_sku }}'. Supported values are 'basic', 'standard'" - when: azure_loadbalancer_sku not in ["basic", "standard"] - -- name: "Check azure_exclude_master_from_standard_lb is a bool" - assert: - that: azure_exclude_master_from_standard_lb | type_debug == 'bool' - -- name: "Check azure_disable_outbound_snat is a bool" - assert: - that: azure_disable_outbound_snat | type_debug == 'bool' - -- name: "Check azure_use_instance_metadata is a bool" - assert: - that: azure_use_instance_metadata | type_debug == 'bool' - -- name: Check azure_vmtype value - fail: - msg: "azure_vmtype is missing. Supported values are 'standard' or 'vmss'" - when: azure_vmtype is not defined or not azure_vmtype - -- name: Check azure_cloud value - fail: - msg: "azure_cloud has an invalid value '{{ azure_cloud }}'. Supported values are 'AzureChinaCloud', 'AzureGermanCloud', 'AzurePublicCloud', 'AzureUSGovernmentCloud'." - when: azure_cloud not in ["AzureChinaCloud", "AzureGermanCloud", "AzurePublicCloud", "AzureUSGovernmentCloud"] diff --git a/roles/kubernetes/node/tasks/cloud-credentials/openstack-credential-check.yml b/roles/kubernetes/node/tasks/cloud-credentials/openstack-credential-check.yml deleted file mode 100644 index 7354d43af..000000000 --- a/roles/kubernetes/node/tasks/cloud-credentials/openstack-credential-check.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -- name: Check openstack_auth_url value - fail: - msg: "openstack_auth_url is missing" - when: openstack_auth_url is not defined or not openstack_auth_url - -- name: Check openstack_username value - fail: - msg: "openstack_username is missing" - when: openstack_username is not defined or not openstack_username - -- name: Check openstack_password value - fail: - msg: "openstack_password is missing" - when: openstack_password is not defined or not openstack_password - -- name: Check openstack_region value - fail: - msg: "openstack_region is missing" - when: openstack_region is not defined or not openstack_region - -- name: Check openstack_tenant_id value - fail: - msg: "one of openstack_tenant_id or openstack_trust_id must be specified" - when: - - openstack_tenant_id is not defined or not openstack_tenant_id - - openstack_trust_id is not defined - -- name: Check openstack_trust_id value - fail: - msg: "one of openstack_tenant_id or openstack_trust_id must be specified" - when: - - openstack_trust_id is not defined or not openstack_trust_id - - openstack_tenant_id is not defined diff --git a/roles/kubernetes/node/tasks/cloud-credentials/vsphere-credential-check.yml b/roles/kubernetes/node/tasks/cloud-credentials/vsphere-credential-check.yml deleted file mode 100644 index b18583af0..000000000 --- a/roles/kubernetes/node/tasks/cloud-credentials/vsphere-credential-check.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Check vsphere environment variables - fail: - msg: "{{ item.name }} is missing" - when: item.value is not defined or not item.value - with_items: - - name: vsphere_vcenter_ip - value: "{{ vsphere_vcenter_ip }}" - - name: vsphere_vcenter_port - value: "{{ vsphere_vcenter_port }}" - - name: vsphere_user - value: "{{ vsphere_user }}" - - name: vsphere_password - value: "{{ vsphere_password }}" - - name: vsphere_datacenter - value: "{{ vsphere_datacenter }}" - - name: vsphere_datastore - value: "{{ vsphere_datastore }}" - - name: vsphere_working_dir - value: "{{ vsphere_working_dir }}" - - name: vsphere_insecure - value: "{{ vsphere_insecure }}" diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index 572850ba0..4e38a95a5 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml @@ -137,53 +137,6 @@ tags: - kube-proxy -- name: Check cloud provider credentials - include_tasks: "cloud-credentials/{{ cloud_provider }}-credential-check.yml" - when: - - cloud_provider is defined - - cloud_provider in [ 'openstack', 'azure', 'vsphere' ] - tags: - - cloud-provider - - facts - -- name: Test if openstack_cacert is a base64 string - set_fact: - openstack_cacert_is_base64: "{% if openstack_cacert is search('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}= | [A-Za-z0-9+/]{2}==)?$') %}true{% else %}false{% endif %}" - when: - - cloud_provider is defined - - cloud_provider == 'openstack' - - openstack_cacert is defined - - openstack_cacert | length > 0 - - -- name: Write cacert file - copy: - src: "{{ openstack_cacert if not openstack_cacert_is_base64 else omit }}" - content: "{{ openstack_cacert | b64decode if openstack_cacert_is_base64 else omit }}" - dest: "{{ kube_config_dir }}/openstack-cacert.pem" - group: "{{ kube_cert_group }}" - mode: "0640" - when: - - cloud_provider is defined - - cloud_provider == 'openstack' - - openstack_cacert is defined - - openstack_cacert | length > 0 - tags: - - cloud-provider - -- name: Write cloud-config - template: - src: "cloud-configs/{{ cloud_provider }}-cloud-config.j2" - dest: "{{ kube_config_dir }}/cloud_config" - group: "{{ kube_cert_group }}" - mode: "0640" - when: - - cloud_provider is defined - - cloud_provider in [ 'openstack', 'azure', 'vsphere', 'aws', 'gce' ] - notify: Node | restart kubelet - tags: - - cloud-provider - - name: Install kubelet import_tasks: kubelet.yml tags: diff --git a/roles/kubernetes/node/templates/cloud-configs/aws-cloud-config.j2 b/roles/kubernetes/node/templates/cloud-configs/aws-cloud-config.j2 deleted file mode 100644 index f6d0c3de0..000000000 --- a/roles/kubernetes/node/templates/cloud-configs/aws-cloud-config.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Global] -zone={{ aws_zone|default("") }} -vpc={{ aws_vpc|default("") }} -subnetId={{ aws_subnet_id|default("") }} -routeTableId={{ aws_route_table_id|default("") }} -roleArn={{ aws_role_arn|default("") }} -kubernetesClusterTag={{ aws_kubernetes_cluster_tag|default("") }} -kubernetesClusterId={{ aws_kubernetes_cluster_id|default("") }} -disableSecurityGroupIngress={{ "true" if aws_disable_security_group_ingress|default(False) else "false" }} -disableStrictZoneCheck={{ "true" if aws_disable_strict_zone_check|default(False) else "false" }} -elbSecurityGroup={{ aws_elb_security_group|default("") }} diff --git a/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 b/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 deleted file mode 100644 index 2b1c101aa..000000000 --- a/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 +++ /dev/null @@ -1,26 +0,0 @@ -{ - "cloud": "{{ azure_cloud }}", - "tenantId": "{{ azure_tenant_id }}", - "subscriptionId": "{{ azure_subscription_id }}", - "aadClientId": "{{ azure_aad_client_id }}", - "aadClientSecret": "{{ azure_aad_client_secret }}", - "resourceGroup": "{{ azure_resource_group }}", - "location": "{{ azure_location }}", - "subnetName": "{{ azure_subnet_name }}", - "securityGroupName": "{{ azure_security_group_name }}", - "securityGroupResourceGroup": "{{ azure_security_group_resource_group | default(azure_vnet_resource_group) }}", - "vnetName": "{{ azure_vnet_name }}", - "vnetResourceGroup": "{{ azure_vnet_resource_group }}", - "routeTableName": "{{ azure_route_table_name }}", - "routeTableResourceGroup": "{{ azure_route_table_resource_group | default(azure_vnet_resource_group) }}", - "vmType": "{{ azure_vmtype }}", -{% if azure_primary_availability_set_name is defined %} - "primaryAvailabilitySetName": "{{ azure_primary_availability_set_name }}", -{%endif%} - "useInstanceMetadata": {{azure_use_instance_metadata | lower }}, -{% if azure_loadbalancer_sku == "standard" %} - "excludeMasterFromStandardLB": {{ azure_exclude_master_from_standard_lb | lower }}, - "disableOutboundSNAT": {{ azure_disable_outbound_snat | lower }}, -{% endif%} - "loadBalancerSku": "{{ azure_loadbalancer_sku }}" -} diff --git a/roles/kubernetes/node/templates/cloud-configs/gce-cloud-config.j2 b/roles/kubernetes/node/templates/cloud-configs/gce-cloud-config.j2 deleted file mode 100644 index 399512677..000000000 --- a/roles/kubernetes/node/templates/cloud-configs/gce-cloud-config.j2 +++ /dev/null @@ -1,2 +0,0 @@ -[global] -node-tags = {{ gce_node_tags }} diff --git a/roles/kubernetes/node/templates/cloud-configs/openstack-cloud-config.j2 b/roles/kubernetes/node/templates/cloud-configs/openstack-cloud-config.j2 deleted file mode 100644 index b1f8e0a24..000000000 --- a/roles/kubernetes/node/templates/cloud-configs/openstack-cloud-config.j2 +++ /dev/null @@ -1,54 +0,0 @@ -[Global] -auth-url="{{ openstack_auth_url }}" -username="{{ openstack_username }}" -password="{{ openstack_password }}" -region="{{ openstack_region }}" -{% if openstack_trust_id is defined and openstack_trust_id != "" %} -trust-id="{{ openstack_trust_id }}" -{% else %} -tenant-id="{{ openstack_tenant_id }}" -{% endif %} -{% if openstack_tenant_name is defined and openstack_tenant_name != "" %} -tenant-name="{{ openstack_tenant_name }}" -{% endif %} -{% if openstack_domain_name is defined and openstack_domain_name != "" %} -domain-name="{{ openstack_domain_name }}" -{% elif openstack_domain_id is defined and openstack_domain_id != "" %} -domain-id ="{{ openstack_domain_id }}" -{% endif %} -{% if openstack_cacert is defined and openstack_cacert != "" %} -ca-file="{{ kube_config_dir }}/openstack-cacert.pem" -{% endif %} - -[BlockStorage] -{% if openstack_blockstorage_version is defined %} -bs-version={{ openstack_blockstorage_version }} -{% endif %} -{% if openstack_blockstorage_ignore_volume_az is defined and openstack_blockstorage_ignore_volume_az|bool %} -ignore-volume-az={{ openstack_blockstorage_ignore_volume_az }} -{% endif %} -{% if node_volume_attach_limit is defined and node_volume_attach_limit != "" %} -node-volume-attach-limit="{{ node_volume_attach_limit }}" -{% endif %} - -{% if openstack_lbaas_enabled and openstack_lbaas_subnet_id is defined %} -[LoadBalancer] -subnet-id={{ openstack_lbaas_subnet_id }} -{% if openstack_lbaas_floating_network_id is defined %} -floating-network-id={{ openstack_lbaas_floating_network_id }} -{% endif %} -{% if openstack_lbaas_use_octavia is defined %} -use-octavia={{ openstack_lbaas_use_octavia }} -{% endif %} -{% if openstack_lbaas_method is defined %} -lb-method={{ openstack_lbaas_method }} -{% endif %} -{% if openstack_lbaas_provider is defined %} -lb-provider={{ openstack_lbaas_provider }} -{% endif %} - -create-monitor={{ openstack_lbaas_create_monitor }} -monitor-delay={{ openstack_lbaas_monitor_delay }} -monitor-timeout={{ openstack_lbaas_monitor_timeout }} -monitor-max-retries={{ openstack_lbaas_monitor_max_retries }} -{% endif %} diff --git a/roles/kubernetes/node/templates/cloud-configs/vsphere-cloud-config.j2 b/roles/kubernetes/node/templates/cloud-configs/vsphere-cloud-config.j2 deleted file mode 100644 index 2cda7f6d6..000000000 --- a/roles/kubernetes/node/templates/cloud-configs/vsphere-cloud-config.j2 +++ /dev/null @@ -1,36 +0,0 @@ -[Global] -user = "{{ vsphere_user }}" -password = "{{ vsphere_password }}" -port = {{ vsphere_vcenter_port }} -insecure-flag = {{ vsphere_insecure }} - -datacenters = "{{ vsphere_datacenter }}" - -[VirtualCenter "{{ vsphere_vcenter_ip }}"] - - -[Workspace] -server = "{{ vsphere_vcenter_ip }}" -datacenter = "{{ vsphere_datacenter }}" -folder = "{{ vsphere_working_dir }}" -default-datastore = "{{ vsphere_datastore }}" -{% if vsphere_resource_pool is defined and vsphere_resource_pool != "" %} -resourcepool-path = "{{ vsphere_resource_pool }}" -{% endif %} - - -[Disk] -scsicontrollertype = {{ vsphere_scsi_controller_type }} - -{% if vsphere_public_network is defined and vsphere_public_network != "" %} -[Network] -public-network = {{ vsphere_public_network }} -{% endif %} - -[Labels] -{% if vsphere_zone_category is defined and vsphere_zone_category != "" %} -zone = {{ vsphere_zone_category }} -{% endif %} -{% if vsphere_region_category is defined and vsphere_region_category != "" %} -region = {{ vsphere_region_category }} -{% endif %} diff --git a/roles/kubernetes/node/templates/kubelet.env.v1beta1.j2 b/roles/kubernetes/node/templates/kubelet.env.v1beta1.j2 index 576b9c8fd..a5280410a 100644 --- a/roles/kubernetes/node/templates/kubelet.env.v1beta1.j2 +++ b/roles/kubernetes/node/templates/kubelet.env.v1beta1.j2 @@ -21,9 +21,7 @@ KUBELET_VOLUME_PLUGIN="--volume-plugin-dir={{ kubelet_flexvolumes_plugins_dir }} {% if kube_network_plugin is defined and kube_network_plugin == "cloud" %} KUBELET_NETWORK_PLUGIN="--hairpin-mode=promiscuous-bridge --network-plugin=kubenet" {% endif %} -{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %} -KUBELET_CLOUDPROVIDER="--cloud-provider={{ cloud_provider }} --cloud-config={{ kube_config_dir }}/cloud_config" -{% elif cloud_provider is defined and cloud_provider in ["external"] %} +{% if cloud_provider == "external" %} KUBELET_CLOUDPROVIDER="--cloud-provider={{ cloud_provider }}" {% else %} KUBELET_CLOUDPROVIDER="" diff --git a/roles/kubernetes/preinstall/tasks/0020-set_facts.yml b/roles/kubernetes/preinstall/tasks/0020-set_facts.yml index 263bca400..6109479c1 100644 --- a/roles/kubernetes/preinstall/tasks/0020-set_facts.yml +++ b/roles/kubernetes/preinstall/tasks/0020-set_facts.yml @@ -87,9 +87,6 @@ {% for d in default_searchdomains | default([]) + searchdomains | default([]) -%} {{ dns_domain }}.{{ d }}./{{ d }}.{{ d }}./com.{{ d }}./ {%- endfor %} - cloud_resolver: "{{ ['169.254.169.254'] if cloud_provider is defined and cloud_provider == 'gce' else - ['169.254.169.253'] if cloud_provider is defined and cloud_provider == 'aws' else - [] }}" - name: Check if kubelet is configured stat: diff --git a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml index e06b22417..2e57b1a1c 100644 --- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml @@ -151,13 +151,6 @@ - dashboard_enabled - not ignore_assert_errors -- name: Stop if RBAC is not enabled when OCI cloud controller is enabled - assert: - that: rbac_enabled - when: - - cloud_provider is defined and cloud_provider == "oci" - - not ignore_assert_errors - - name: Stop if kernel version is too low assert: that: ansible_kernel.split('-')[0] is version('4.9.17', '>=') @@ -173,10 +166,19 @@ - name: Check cloud_provider value assert: - that: cloud_provider in ['gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external'] - msg: "If set the 'cloud_provider' var must be set either to 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci' or 'external'" + that: cloud_provider == 'external' when: - - cloud_provider is defined + - cloud_provider + - not ignore_assert_errors + tags: + - cloud-provider + - facts + +- name: Check external_cloud_provider value + assert: + that: external_cloud_provider in ['hcloud', 'huaweicloud', 'oci', 'openstack', 'vsphere'] + when: + - cloud_provider == 'external' - not ignore_assert_errors tags: - cloud-provider diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml index 65d9458b5..939027f87 100644 --- a/roles/kubespray-defaults/defaults/main/main.yml +++ b/roles/kubespray-defaults/defaults/main/main.yml @@ -253,11 +253,7 @@ kube_apiserver_bind_address: 0.0.0.0 kube_apiserver_port: 6443 # If non-empty, will use this string as identification instead of the actual hostname -kube_override_hostname: >- - {%- if cloud_provider is defined and cloud_provider in ['aws'] -%} - {%- else -%} - {{ inventory_hostname }} - {%- endif -%} +kube_override_hostname: "{{ inventory_hostname }}" # define kubelet config dir for dynamic kubelet # kubelet_config_dir: @@ -275,6 +271,15 @@ kubelet_shutdown_grace_period: 60s # to give normal pods time to be gracefully evacuated kubelet_shutdown_grace_period_critical_pods: 20s +# Cloud Provider +# This variable can only be set to "external" or empty string, otherwise the check will fail. +cloud_provider: "" +# External Cloud Controller Manager (Formerly known as cloud provider) +# cloud_provider must be "external", otherwise this setting is invalid. +# Supported external cloud controllers are: 'openstack', 'vsphere', 'oci', 'huaweicloud' and 'hcloud' +# If you fill in a value other than the above, the check will fail. +external_cloud_provider: "" + # Whether to deploy the container engine deploy_container_engine: "{{ 'k8s_cluster' in group_names or etcd_deployment_type == 'docker' }}" diff --git a/roles/network_plugin/calico/tasks/check.yml b/roles/network_plugin/calico/tasks/check.yml index 7f73a08c4..aef34bb2c 100644 --- a/roles/network_plugin/calico/tasks/check.yml +++ b/roles/network_plugin/calico/tasks/check.yml @@ -24,17 +24,6 @@ delegate_to: "{{ groups['kube_control_plane'][0] }}" -- name: Stop if incompatible network plugin and cloudprovider - assert: - that: - - calico_ipip_mode == 'Never' - - calico_vxlan_mode in ['Always', 'CrossSubnet'] - msg: "When using cloud_provider azure and network_plugin calico calico_ipip_mode must be 'Never' and calico_vxlan_mode 'Always' or 'CrossSubnet'" - when: - - cloud_provider is defined and cloud_provider == 'azure' - run_once: true - delegate_to: "{{ groups['kube_control_plane'][0] }}" - - name: Stop if supported Calico versions assert: that: diff --git a/roles/network_plugin/calico/tasks/pre.yml b/roles/network_plugin/calico/tasks/pre.yml index 969699f6c..ab236155e 100644 --- a/roles/network_plugin/calico/tasks/pre.yml +++ b/roles/network_plugin/calico/tasks/pre.yml @@ -29,7 +29,7 @@ register: calico_kubelet_name delegate_to: "{{ groups['kube_control_plane'][0] }}" when: - - "cloud_provider is defined" + - cloud_provider - name: Calico | Gather os specific variables include_vars: "{{ item }}" diff --git a/tests/testcases/040_check-network-adv.yml b/tests/testcases/040_check-network-adv.yml index 4ff1c9ddb..79147104c 100644 --- a/tests/testcases/040_check-network-adv.yml +++ b/tests/testcases/040_check-network-adv.yml @@ -9,7 +9,7 @@ | select('contains', '/' ~ calico_pool_blocksize|d(26)) | select('contains', 'tunl0') | length == 0 when: - - (calico_ipip_mode is defined and calico_ipip_mode != 'Never' or cloud_provider is defined) + - (calico_ipip_mode is defined and calico_ipip_mode != 'Never') - kube_network_plugin | default('calico') == 'calico'