From 712872efba38cd08f9f12e11cb8bedd582596caa Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Tue, 27 Dec 2016 16:39:00 +0100 Subject: [PATCH] Rework inventory all by real groups' vars * Leave all.yml to keep only optional vars * Store groups' specific vars by existing group names * Fix optional vars casted as mandatory (add default()) * Fix missing defaults for an optional IP var * Relink group_vars for terraform to reflect changes Signed-off-by: Bogdan Dobrelya --- contrib/terraform/group_vars | 1 + .../terraform/openstack/group_vars/all.yml | 1 - docs/ansible.md | 4 +- inventory/group_vars/all.yml | 237 ++++-------------- inventory/group_vars/calico-rr.yml | 33 +++ inventory/group_vars/etcd.yml | 38 +++ inventory/group_vars/k8s-cluster.yml | 113 +++++++++ inventory/group_vars/kube-master.yml | 9 + roles/adduser/defaults/main.yml | 2 + roles/download/defaults/main.yml | 1 + roles/kubernetes-apps/kpm/tasks/main.yml | 4 +- roles/kubernetes/node/templates/nginx.conf.j2 | 2 +- roles/kubernetes/preinstall/defaults/main.yml | 5 +- .../kubernetes/preinstall/tasks/set_facts.yml | 6 +- roles/kubernetes/secrets/defaults/main.yml | 2 + roles/network_plugin/calico/tasks/main.yml | 4 +- roles/rkt/defaults/main.yml | 2 +- 17 files changed, 263 insertions(+), 201 deletions(-) create mode 120000 contrib/terraform/group_vars delete mode 120000 contrib/terraform/openstack/group_vars/all.yml create mode 100644 inventory/group_vars/calico-rr.yml create mode 100644 inventory/group_vars/etcd.yml create mode 100644 inventory/group_vars/k8s-cluster.yml create mode 100644 inventory/group_vars/kube-master.yml create mode 100644 roles/kubernetes/secrets/defaults/main.yml diff --git a/contrib/terraform/group_vars b/contrib/terraform/group_vars new file mode 120000 index 000000000..febd29cb3 --- /dev/null +++ b/contrib/terraform/group_vars @@ -0,0 +1 @@ +../../inventory/group_vars \ No newline at end of file diff --git a/contrib/terraform/openstack/group_vars/all.yml b/contrib/terraform/openstack/group_vars/all.yml deleted file mode 120000 index eb4e855dc..000000000 --- a/contrib/terraform/openstack/group_vars/all.yml +++ /dev/null @@ -1 +0,0 @@ -../../../../inventory/group_vars/all.yml \ No newline at end of file diff --git a/docs/ansible.md b/docs/ansible.md index 875cf3766..b47f3d705 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -67,7 +67,9 @@ Group vars and overriding variables precedence ---------------------------------------------- The group variables to control main deployment options are located in the directory ``inventory/group_vars``. - +Optional variables are located in the ```inventory/group_vars/all.yml```. +Mandatory variables that are common for at least one role (or a node group) can be found in the +```inventory/group_vars/k8s-cluster.yml```. There are also role vars for docker, rkt, kubernetes preinstall and master roles. According to the [ansible docs](http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable), those cannot be overriden from the group vars. In order to override, one should use diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml index adb183361..17652ef50 100644 --- a/inventory/group_vars/all.yml +++ b/inventory/group_vars/all.yml @@ -1,176 +1,60 @@ -# Valid bootstrap options (required): ubuntu, coreos, centos, none -bootstrap_os: none -# Directory where the binaries will be installed -bin_dir: /usr/local/bin +## The access_ip variable is used to define how other nodes should access +## the node. This is used in flannel to allow other flannel nodes to see +## this node for example. The access_ip is really useful AWS and Google +## environments where the nodes are accessed remotely by the "public" ip, +## but don't know about that address themselves. +#access_ip: 1.1.1.1 -# Kubernetes configuration dirs and system namespace. -# Those are where all the additional config stuff goes -# the kubernetes normally puts in /srv/kubernets. -# This puts them in a sane location and namespace. -# Editing those values will almost surely break something. -kube_config_dir: /etc/kubernetes -kube_script_dir: "{{ bin_dir }}/kubernetes-scripts" -kube_manifest_dir: "{{ kube_config_dir }}/manifests" -system_namespace: kube-system +### LOADBALANCING AND ACCESS MODES +## Enable multiaccess to configure etcd clients to access all of the etcd members directly +## as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers. +## This may be the case if clients support and loadbalance multiple etcd servers natively. +#etcd_multiaccess: true -# This is where all the cert scripts and certs will be located -kube_cert_dir: "{{ kube_config_dir }}/ssl" +## External LB example config +## apiserver_loadbalancer_domain_name: "elb.some.domain" +#loadbalancer_apiserver: +# address: 1.2.3.4 +# port: 1234 -# This is where all of the bearer tokens will be stored -kube_token_dir: "{{ kube_config_dir }}/tokens" +## Internal loadbalancers for apiservers +#loadbalancer_apiserver_localhost: true -# This is where to save basic auth file -kube_users_dir: "{{ kube_config_dir }}/users" +## Local loadbalancer should use this port instead, if defined. +## Defaults to kube_apiserver_port (443) +#nginx_kube_apiserver_port: 8443 -## Change this to use another Kubernetes version, e.g. a current beta release -kube_version: v1.5.3 +### OTHER OPTIONAL VARIABLES +## For some things, kubelet needs to load kernel modules. For example, dynamic kernel services are needed +## for mounting persistent volumes into containers. These may not be loaded by preinstall kubernetes +## processes. For example, ceph and rbd backed volumes. Set to true to allow kubelet to load kernel +## modules. +# kubelet_load_modules: false -# Where the binaries will be downloaded. -# Note: ensure that you've enough disk space (about 1G) -local_release_dir: "/tmp/releases" -# Random shifts for retrying failed ops like pushing/downloading -retry_stagger: 5 +## Internal network total size. This is the prefix of the +## entire network. Must be unused in your environment. +#kube_network_prefix: 18 -# Uncomment this line for CoreOS only. -# Directory where python binary is installed -# ansible_python_interpreter: "/opt/bin/python" - -# This is the group that the cert creation scripts chgrp the -# cert files to. Not really changable... -kube_cert_group: kube-cert - -# Cluster Loglevel configuration -kube_log_level: 2 - -# Kubernetes 1.5 added a new flag to the apiserver to disable anonymous auth. In previos versions, anonymous auth was -# not implemented. As the new flag defaults to true, we have to explicitly disable it. Change this line if you want the -# 1.5 default behavior. The flag is actually only added if the used kubernetes version is >= 1.5 -kube_api_anonymous_auth: false - -# -# For some things, kubelet needs to load kernel modules. For example, dynamic kernel services are needed -# for mounting persistent volumes into containers. These may not be loaded by preinstall kubernetes -# processes. For example, ceph and rbd backed volumes. Set to true to allow kubelet to load kernel -# modules. -# -kubelet_load_modules: false - -# Users to create for basic auth in Kubernetes API via HTTP -kube_api_pwd: "changeme" -kube_users: - kube: - pass: "{{kube_api_pwd}}" - role: admin - root: - pass: "{{kube_api_pwd}}" - role: admin - -# Kubernetes cluster name, also will be used as DNS domain -cluster_name: cluster.local -# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods -ndots: 2 -# Deploy netchecker app to verify DNS resolve as an HTTP service -deploy_netchecker: false - -# For some environments, each node has a publicly accessible -# address and an address it should bind services to. These are -# really inventory level variables, but described here for consistency. -# -# When advertising access, the access_ip will be used, but will defer to -# ip and then the default ansible ip when unspecified. -# -# When binding to restrict access, the ip variable will be used, but will -# defer to the default ansible ip when unspecified. -# -# The ip variable is used for specific address binding, e.g. listen address -# for etcd. This is use to help with environments like Vagrant or multi-nic -# systems where one address should be preferred over another. -# ip: 10.2.2.2 -# -# The access_ip variable is used to define how other nodes should access -# the node. This is used in flannel to allow other flannel nodes to see -# this node for example. The access_ip is really useful AWS and Google -# environments where the nodes are accessed remotely by the "public" ip, -# but don't know about that address themselves. -# access_ip: 1.1.1.1 - -# Etcd access modes: -# Enable multiaccess to configure clients to access all of the etcd members directly -# as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers. -# This may be the case if clients support and loadbalance multiple etcd servers natively. -etcd_multiaccess: true - -# Assume there are no internal loadbalancers for apiservers exist and listen on -# kube_apiserver_port (default 443) -loadbalancer_apiserver_localhost: true - -# Choose network plugin (calico, canal, weave or flannel) -# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing -kube_network_plugin: calico - -# Kubernetes internal network for services, unused block of space. -kube_service_addresses: 10.233.0.0/18 - -# internal network. When used, it will assign IP -# addresses from this range to individual pods. -# This network must be unused in your network infrastructure! -kube_pods_subnet: 10.233.64.0/18 - -# internal network total size (optional). This is the prefix of the -# entire network. Must be unused in your environment. -# kube_network_prefix: 18 - -# internal network node size allocation (optional). This is the size allocated -# to each node on your network. With these defaults you should have -# room for 4096 nodes with 254 pods per node. -kube_network_node_prefix: 24 - -# With calico it is possible to distributed routes with border routers of the datacenter. -peer_with_router: false -# Warning : enabling router peering will disable calico's default behavior ('node mesh'). -# The subnets of each nodes will be distributed by the datacenter router - -# API Server service IP address in Kubernetes internal network. -kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" -# The port the API Server will be listening on. -kube_apiserver_port: 443 # (https) -kube_apiserver_insecure_port: 8080 # (http) -# local loadbalancer should use this port instead - default to kube_apiserver_port -nginx_kube_apiserver_port: "{{ kube_apiserver_port }}" - -# Internal DNS configuration. -# Kubernetes can create and mainatain its own DNS server to resolve service names -# into appropriate IP addresses. It's highly advisable to run such DNS server, -# as it greatly simplifies configuration of your applications - you can use -# service names instead of magic environment variables. - -# Can be dnsmasq_kubedns, kubedns or none -dns_mode: dnsmasq_kubedns - -# Can be docker_dns, host_resolvconf or none -resolvconf_mode: docker_dns +## With calico it is possible to distributed routes with border routers of the datacenter. +## Warning : enabling router peering will disable calico's default behavior ('node mesh'). +## The subnets of each nodes will be distributed by the datacenter router +#peer_with_router: false ## Upstream dns servers used by dnsmasq #upstream_dns_servers: # - 8.8.8.8 # - 8.8.4.4 -dns_domain: "{{ cluster_name }}" +## There are some changes specific to the cloud providers +## for instance we need to encapsulate packets with some network plugins +## If set the possible values are either 'gce', 'aws', 'azure' or 'openstack' +## When openstack is used make sure to source in the openstack credentials +## like you would do when using nova-client before starting the playbook. +#cloud_provider: -# Ip address of the kubernetes skydns service -skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}" -dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}" - -# There are some changes specific to the cloud providers -# for instance we need to encapsulate packets with some network plugins -# If set the possible values are either 'gce', 'aws', 'azure' or 'openstack' -# When openstack is used make sure to source in the openstack credentials -# like you would do when using nova-client before starting the playbook. -# When azure is used, you need to also set the following variables. -# cloud_provider: - -# see docs/azure.md for details on how to get these values +## When azure is used, you need to also set the following variables. +## see docs/azure.md for details on how to get these values #azure_tenant_id: #azure_subscription_id: #azure_aad_client_id: @@ -182,46 +66,25 @@ dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') #azure_vnet_name: #azure_route_table_name: - ## Set these proxy values in order to update docker daemon to use proxies -# http_proxy: "" -# https_proxy: "" -# no_proxy: "" - -# Path used to store Docker data -docker_daemon_graph: "/var/lib/docker" - -## A string of extra options to pass to the docker daemon. -## This string should be exactly as you wish it to appear. -## An obvious use case is allowing insecure-registry access -## to self hosted registries like so: -docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} --iptables=false" -docker_bin_dir: "/usr/bin" +#http_proxy: "" +#https_proxy: "" +#no_proxy: "" ## Uncomment this if you want to force overlay/overlay2 as docker storage driver ## Please note that overlay2 is only supported on newer kernels #docker_storage_options: -s overlay2 -# K8s image pull policy (imagePullPolicy) -k8s_image_pull_policy: IfNotPresent - -# default packages to install within the cluster -kpm_packages: [] +## Default packages to install within the cluster, f.e: +#kpm_packages: # - name: kube-system/grafana -# Settings for containerized control plane (etcd/kubelet) -rkt_version: 1.21.0 -etcd_deployment_type: docker -kubelet_deployment_type: docker -vault_deployment_type: docker - -efk_enabled: false ## Certificate Management ## This setting determines whether certs are generated via scripts or whether a ## cluster of Hashicorp's Vault is started to issue certificates (using etcd ## as a backend). Options are "script" or "vault" -cert_management: script +#cert_management: script -# Please specify true if you want to perform a kernel upgrade -kernel_upgrade: false +## Please specify true if you want to perform a kernel upgrade +#kernel_upgrade: false diff --git a/inventory/group_vars/calico-rr.yml b/inventory/group_vars/calico-rr.yml new file mode 100644 index 000000000..5de7d7347 --- /dev/null +++ b/inventory/group_vars/calico-rr.yml @@ -0,0 +1,33 @@ +## Required for bootstrap-os/preinstall/download roles and setting facts +# Valid bootstrap options (required): ubuntu, coreos, centos, none +bootstrap_os: none + +# Directory where the binaries will be installed +bin_dir: /usr/local/bin +docker_bin_dir: /usr/bin + +# Where the binaries will be downloaded. +# Note: ensure that you've enough disk space (about 1G) +local_release_dir: "/tmp/releases" +# Random shifts for retrying failed ops like pushing/downloading +retry_stagger: 5 + +kube_service_addresses: 10.233.0.0/18 +kube_apiserver_port: 443 # (https) +kube_apiserver_insecure_port: 8080 # (http) + +# DNS configuration. +# Kubernetes cluster name, also will be used as DNS domain +cluster_name: cluster.local +# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods +ndots: 2 +# Can be dnsmasq_kubedns, kubedns or none +dns_mode: dnsmasq_kubedns +# Can be docker_dns, host_resolvconf or none +resolvconf_mode: docker_dns +# Deploy netchecker app to verify DNS resolve as an HTTP service +deploy_netchecker: false +# Ip address of the kubernetes skydns service +skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}" +dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}" +dns_domain: "{{ cluster_name }}" diff --git a/inventory/group_vars/etcd.yml b/inventory/group_vars/etcd.yml new file mode 100644 index 000000000..8769967fa --- /dev/null +++ b/inventory/group_vars/etcd.yml @@ -0,0 +1,38 @@ +## Required for bootstrap-os/preinstall/download roles and setting facts +# Valid bootstrap options (required): ubuntu, coreos, centos, none +bootstrap_os: none + +# Directory where the binaries will be installed +bin_dir: /usr/local/bin +docker_bin_dir: /usr/bin + +# Where the binaries will be downloaded. +# Note: ensure that you've enough disk space (about 1G) +local_release_dir: "/tmp/releases" +# Random shifts for retrying failed ops like pushing/downloading +retry_stagger: 5 + +# Settings for containerized control plane (etcd/secrets) +etcd_deployment_type: docker +cert_management: script +vault_deployment_type: docker + +kube_service_addresses: 10.233.0.0/18 +kube_apiserver_port: 443 # (https) +kube_apiserver_insecure_port: 8080 # (http) + +# DNS configuration. +# Kubernetes cluster name, also will be used as DNS domain +cluster_name: cluster.local +# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods +ndots: 2 +# Can be dnsmasq_kubedns, kubedns or none +dns_mode: dnsmasq_kubedns +# Can be docker_dns, host_resolvconf or none +resolvconf_mode: docker_dns +# Deploy netchecker app to verify DNS resolve as an HTTP service +deploy_netchecker: false +# Ip address of the kubernetes skydns service +skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}" +dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}" +dns_domain: "{{ cluster_name }}" diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml new file mode 100644 index 000000000..b7c155202 --- /dev/null +++ b/inventory/group_vars/k8s-cluster.yml @@ -0,0 +1,113 @@ +# Valid bootstrap options (required): ubuntu, coreos, centos, none +bootstrap_os: none + +# Directory where the binaries will be installed +bin_dir: /usr/local/bin + +# Kubernetes configuration dirs and system namespace. +# Those are where all the additional config stuff goes +# the kubernetes normally puts in /srv/kubernets. +# This puts them in a sane location and namespace. +# Editting those values will almost surely break something. +kube_config_dir: /etc/kubernetes +kube_script_dir: "{{ bin_dir }}/kubernetes-scripts" +kube_manifest_dir: "{{ kube_config_dir }}/manifests" +system_namespace: kube-system + +# Logging directory (sysvinit systems) +kube_log_dir: "/var/log/kubernetes" + +# This is where all the cert scripts and certs will be located +kube_cert_dir: "{{ kube_config_dir }}/ssl" + +# This is where all of the bearer tokens will be stored +kube_token_dir: "{{ kube_config_dir }}/tokens" + +# This is where to save basic auth file +kube_users_dir: "{{ kube_config_dir }}/users" + +## Change this to use another Kubernetes version, e.g. a current beta release +kube_version: v1.5.3 + +# Where the binaries will be downloaded. +# Note: ensure that you've enough disk space (about 1G) +local_release_dir: "/tmp/releases" +# Random shifts for retrying failed ops like pushing/downloading +retry_stagger: 5 + +# This is the group that the cert creation scripts chgrp the +# cert files to. Not really changable... +kube_cert_group: kube-cert + +# Cluster Loglevel configuration +kube_log_level: 2 + +# Users to create for basic auth in Kubernetes API via HTTP +kube_api_pwd: "changeme" +kube_users: + kube: + pass: "{{kube_api_pwd}}" + role: admin + root: + pass: "{{kube_api_pwd}}" + role: admin + +# Choose network plugin (calico, weave or flannel) +# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing +kube_network_plugin: calico + +# Kubernetes internal network for services, unused block of space. +kube_service_addresses: 10.233.0.0/18 + +# internal network. When used, it will assign IP +# addresses from this range to individual pods. +# This network must be unused in your network infrastructure! +kube_pods_subnet: 10.233.64.0/18 + +# internal network node size allocation (optional). This is the size allocated +# to each node on your network. With these defaults you should have +# room for 4096 nodes with 254 pods per node. +kube_network_node_prefix: 24 + +# The port the API Server will be listening on. +kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" +kube_apiserver_port: 443 # (https) +kube_apiserver_insecure_port: 8080 # (http) + +# DNS configuration. +# Kubernetes cluster name, also will be used as DNS domain +cluster_name: cluster.local +# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods +ndots: 2 +# Can be dnsmasq_kubedns, kubedns or none +dns_mode: dnsmasq_kubedns +# Can be docker_dns, host_resolvconf or none +resolvconf_mode: docker_dns +# Deploy netchecker app to verify DNS resolve as an HTTP service +deploy_netchecker: false +# Ip address of the kubernetes skydns service +skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}" +dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}" +dns_domain: "{{ cluster_name }}" + +# Path used to store Docker data +docker_daemon_graph: "/var/lib/docker" + +## A string of extra options to pass to the docker daemon. +## This string should be exactly as you wish it to appear. +## An obvious use case is allowing insecure-registry access +## to self hosted registries like so: +docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} --iptables=false" +docker_bin_dir: "/usr/bin" + +# Settings for containerized control plane (etcd/kubelet/secrets) +etcd_deployment_type: docker +kubelet_deployment_type: docker +cert_management: script +vault_deployment_type: docker + +# K8s image pull policy (imagePullPolicy) +k8s_image_pull_policy: IfNotPresent + +# Monitoring apps for k8s +efk_enabled: false diff --git a/inventory/group_vars/kube-master.yml b/inventory/group_vars/kube-master.yml new file mode 100644 index 000000000..7e75bf859 --- /dev/null +++ b/inventory/group_vars/kube-master.yml @@ -0,0 +1,9 @@ +# Kubernetes 1.5 added a new flag to the apiserver to disable anonymous auth. In previos versions, anonymous auth was +# not implemented. As the new flag defaults to true, we have to explicetely disable it. Change this line if you want the +# 1.5 default behavior. The flag is actually only added if the used kubernetes version is >= 1.5 +kube_api_anonymous_auth: false + +# Kubernetes internal network for services, unused block of space. +kube_service_addresses: 10.233.0.0/18 + +kube_version: v1.5.3 diff --git a/roles/adduser/defaults/main.yml b/roles/adduser/defaults/main.yml index b3a69229c..ab24b6cf4 100644 --- a/roles/adduser/defaults/main.yml +++ b/roles/adduser/defaults/main.yml @@ -1,4 +1,6 @@ --- +kube_cert_group: kube-cert + addusers: etcd: name: etcd diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index ea95048f6..23e87bbbd 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -18,6 +18,7 @@ download_localhost: False download_always_pull: False # Versions +kube_version: v1.5.3 etcd_version: v3.0.6 #TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults # after migration to container download diff --git a/roles/kubernetes-apps/kpm/tasks/main.yml b/roles/kubernetes-apps/kpm/tasks/main.yml index 7e88cc30d..9aadc07ea 100644 --- a/roles/kubernetes-apps/kpm/tasks/main.yml +++ b/roles/kubernetes-apps/kpm/tasks/main.yml @@ -4,7 +4,7 @@ name: "kpm" state: "present" version: "0.16.1" - when: kpm_packages | length > 0 + when: kpm_packages|default([])| length > 0 - name: manage kubernetes applications kpm: @@ -14,7 +14,7 @@ version: "{{item.version | default(omit)}}" variables: "{{item.variables | default(omit)}}" name: "{{item.name}}" - with_items: "{{kpm_packages}}" + with_items: "{{kpm_packages|default([])}}" register: kpmresults environment: PATH: "{{ ansible_env.PATH }}:{{ bin_dir }}" diff --git a/roles/kubernetes/node/templates/nginx.conf.j2 b/roles/kubernetes/node/templates/nginx.conf.j2 index 6e8622ed4..360b024f8 100644 --- a/roles/kubernetes/node/templates/nginx.conf.j2 +++ b/roles/kubernetes/node/templates/nginx.conf.j2 @@ -16,7 +16,7 @@ stream { } server { - listen 127.0.0.1:{{ nginx_kube_apiserver_port }}; + listen 127.0.0.1:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }}; proxy_pass kube_apiserver; proxy_timeout 10m; proxy_connect_timeout 1s; diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index 6aa7d7e7c..59076c204 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml @@ -17,6 +17,8 @@ common_required_pkgs: # GCE docker repository disable_ipv6_dns: false +kube_cert_group: kube-cert +kube_config_dir: /etc/kubernetes # For the openstack integration kubelet will need credentials to access # openstack apis like nova and cinder. Per default this values will be @@ -27,9 +29,6 @@ openstack_password: "{{ lookup('env','OS_PASSWORD') }}" openstack_region: "{{ lookup('env','OS_REGION_NAME') }}" openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')|default(lookup('env','OS_PROJECT_ID'),true) }}" -# All clients access each node individually, instead of using a load balancer. -etcd_multiaccess: true - # Container Linux by CoreOS cloud init config file to define /etc/resolv.conf content # for hostnet pods and infra needs resolveconf_cloud_init_conf: /etc/resolveconf_cloud_init.conf diff --git a/roles/kubernetes/preinstall/tasks/set_facts.yml b/roles/kubernetes/preinstall/tasks/set_facts.yml index 214aeccef..2481fcd7f 100644 --- a/roles/kubernetes/preinstall/tasks/set_facts.yml +++ b/roles/kubernetes/preinstall/tasks/set_facts.yml @@ -20,8 +20,8 @@ - set_fact: kube_apiserver_endpoint: |- - {% if not is_kube_master and loadbalancer_apiserver_localhost -%} - https://localhost:{{ nginx_kube_apiserver_port }} + {% if not is_kube_master and loadbalancer_apiserver_localhost|default(false) -%} + https://localhost:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }} {%- elif is_kube_master and loadbalancer_apiserver is not defined -%} http://127.0.0.1:{{ kube_apiserver_insecure_port }} {%- else -%} @@ -57,7 +57,7 @@ {%- endfor %} - set_fact: - etcd_access_endpoint: "{% if etcd_multiaccess %}{{ etcd_access_addresses }}{% else %}{{ etcd_endpoint }}{% endif %}" + etcd_access_endpoint: "{% if etcd_multiaccess|default(true) %}{{ etcd_access_addresses }}{% else %}{{ etcd_endpoint }}{% endif %}" - set_fact: etcd_member_name: |- diff --git a/roles/kubernetes/secrets/defaults/main.yml b/roles/kubernetes/secrets/defaults/main.yml new file mode 100644 index 000000000..e6177857e --- /dev/null +++ b/roles/kubernetes/secrets/defaults/main.yml @@ -0,0 +1,2 @@ +--- +kube_cert_group: kube-cert diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml index eefed471f..549ece3b3 100644 --- a/roles/network_plugin/calico/tasks/main.yml +++ b/roles/network_plugin/calico/tasks/main.yml @@ -223,7 +223,7 @@ "apiVersion": "v1", "metadata": {"node": "{{ inventory_hostname }}", "scope": "node", - "peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"]) }}"} + "peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"])|default(hostvars[item]["ansible_default_ipv4.address"]) }}"} }' | {{ bin_dir }}/calicoctl create --skip-exists -f - with_items: "{{ groups['calico-rr'] | default([]) }}" @@ -245,7 +245,7 @@ peer_with_router|default(false) and inventory_hostname in groups['k8s-cluster']) - name: Calico (old) | Configure peering with route reflectors - shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ hostvars[item]['calico_rr_ip']|default(hostvars[item]['ip']) }} as {{ local_as | default(global_as_num) }}" + shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ hostvars[item]['calico_rr_ip']|default(hostvars[item]['ip'])|default(hostvars[item]['ansible_default_ipv4.address']) }} as {{ local_as | default(global_as_num) }}" with_items: "{{ groups['calico-rr'] | default([]) }}" when: (legacy_calicoctl and peer_with_calico_rr|default(false) and inventory_hostname in groups['k8s-cluster'] diff --git a/roles/rkt/defaults/main.yml b/roles/rkt/defaults/main.yml index 6794429a5..c73a6fd77 100644 --- a/roles/rkt/defaults/main.yml +++ b/roles/rkt/defaults/main.yml @@ -1,6 +1,6 @@ --- -rkt_version: 1.12.0 +rkt_version: 1.21.0 rkt_pkg_version: "{{ rkt_version }}-1" rkt_download_src: https://github.com/coreos/rkt rkt_download_url: "{{ rkt_download_src }}/releases/download/v{{ rkt_version }}"