Commit Graph

1753 Commits (32743868c797bdb63f7e764b477b66ac7fb67e1c)

Author SHA1 Message Date
Florian Ruynat 142b9e1eff
Update k8s hashes and set default version to 1.18.8 (#6532) 2020-08-21 00:09:39 -07:00
Michal Petko 91ae87fa60
Fix setting node label if kube_override_hostname is defined (#6557) 2020-08-20 06:23:30 -07:00
Samuel Liu a42d811420
fix scale playbook (#6482) 2020-08-20 04:33:23 -07:00
holmesb d8a749fd27
Update apiserver-audit-policy.yaml.j2 (#6526) 2020-08-18 00:49:37 -07:00
Florian Ruynat 78ceef6b15
Remove unused variable (#6522) 2020-08-18 00:45:29 -07:00
Arthur Outhenin-Chalandre 33ec13293b
Fix cilium_deploy_additionally with kubeadm etcd (#6514)
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
2020-08-18 00:35:36 -07:00
Erwan Miran ef3e98807e
tlsminversion and tlsciphersuites kubelet (#6490) 2020-08-13 02:48:13 -07:00
Maxime Guyot fc23f37af7
Fix E306 in roles/kubernetes (#6500) 2020-08-05 07:56:28 -07:00
Sulochan Acharya bfe143808f
Allows tls verify skip on webhook auth url (#6472) 2020-08-05 05:02:29 -07:00
Florent Monbillard 39b907cdfb
Remove workaround for kubeadm upgrade (#6478)
https://github.com/kubernetes/kubeadm/issues/1498 was closed
2020-08-03 01:17:40 -07:00
Konstantin Lebedev 2364a84579
fix src for audit webhook config yaml (#6470) 2020-08-01 00:33:56 -07:00
fulii ce22c0e6a4
Add option to configure IPVS timeouts in kube-proxy configuration manifest. (#6396) 2020-08-01 00:33:40 -07:00
Kuralamudhan Ramakrishnan 90e5f8ffe1
adding ovn4nfv in kubespray (#6381)
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
2020-07-31 07:33:08 -07:00
Florian Ruynat a78e861a89
Fix test if openstack_cacert is a base64 string (#6421) 2020-07-30 13:15:17 -07:00
Maxime Guyot 214e08f8c9
Fix ansible-lint E305 (#6459) 2020-07-28 01:39:08 -07:00
Maxime Guyot e70f27dd79
Add noqa and disable .ansible-lint global exclusions (#6410) 2020-07-27 06:24:17 -07:00
Florian Ruynat b680cdd0e4
Move healthz check to secure ports (#6446) 2020-07-27 00:26:17 -07:00
Igor Vuk ea67bb6e41
Fix typo: Modprode -> Modprobe (#6429) 2020-07-21 23:58:25 -07:00
Konstantin Lebedev a7ec0ed587
add audit webhook support (#6317)
* add audit webhook support

* use generic name auditsink
2020-07-20 01:32:54 -07:00
Arthur Outhenin-Chalandre 1a1fe99669
Add a way to deploy cilium alongside another CNI (#6373)
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
2020-07-17 05:57:01 -07:00
Florian Ruynat 5e22574402
Remove allow-release-candidate-upgrades already included in experimental-upgrades flag (#6349) 2020-07-15 00:26:37 -07:00
Arthur Outhenin-Chalandre abfa1636e4
Fix kube-proxy post deployment removal (#5554)
* Fix kube-proxy removal

* Fix unwanted skipped task for kube-proxy
* Fix kube_proxy_remove default

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* Add test for kube-router svc proxy

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
2020-07-13 07:12:33 -07:00
Arthur Outhenin-Chalandre 05b9f14b76
Update cilium minimum kernel preinstall check (#6376)
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
2020-07-13 04:44:32 -07:00
Hans Feldt 22996babcf
allow kubeadm to upgrade etcd (#6345)
Co-authored-by: Hans Feldt <hafe@users.noreply.github.com>
2020-07-07 12:36:00 -07:00
Maxime Guyot 57eefdd458
Fix azure-cloud-config.j2 JSON syntax (#6364) 2020-07-02 23:38:47 -07:00
Florian Ruynat 2a82dff3ae
Remove runtime-config from kubeadm if empty (#6311) 2020-06-30 11:22:05 -07:00
Hans Feldt ae003af262
Fix kubelet cgroup driver detection for crio (#6331)
* Fix kubelet cgroup driver detection for crio

Remove fact standalone_kubelet since it is not used

* Fix yamllint complaints of roles/kubernetes/node/tasks/facts.yml

Co-authored-by: Hans Feldt <hafe@users.noreply.github.com>
2020-06-30 02:32:05 -07:00
Joel Seguillon 4c1e0b188d
Add .editorconfig file (#6307) 2020-06-29 12:39:59 -07:00
bozzo 09b23f96d7
Use NetworkManager to manage resolv.conf in FedoraCoreOS (#6291) 2020-06-29 00:26:17 -07:00
Erwan Miran d3ca9d1db9
kube_encryption_resources must be output as yaml (#6309) 2020-06-25 23:59:31 -07:00
Mike Dziedziela 8ca2a9a7d5
added azure_cloud parameter to Azure's cloud_config (#6321) 2020-06-25 14:35:30 -07:00
bozzo 276c450759
Use `connection: local` when `delegate_to: localhost` (#6322)
This will avoid SSH connection on the local host
2020-06-25 08:14:38 -07:00
Samuel Liu c29b21717d
Add event-ttl duration (#6310)
* Add event-ttl duration

* Fix wrong location
2020-06-24 08:15:17 -07:00
Maxime Guyot c6588856c7
Add Ubuntu 20.04 support and use Python 3 (#6157) 2020-06-16 13:04:05 -07:00
Samuel Liu dba645421f
ADD tls cipher suites support (#6024)
* ADD tls cipher suites support

yaml lint

yamllint

* update test case

* update test case
2020-06-16 04:10:05 -07:00
mohsen 10e54eca26
make better condition for applying nf_conntrack kernel tweak (#6267)
* MINOR: Check kernel version before enable modprobe nf_conntrack

* CLEANUP: no more need to ignore error of this task

* MINOR: Fixing yaml and ansible lint error - remove trailing-space
2020-06-16 00:34:06 -07:00
Hans Feldt a8740c6e13
fix a few tasks falsely reporting "changed" (#6269)
Co-authored-by: Hans Feldt <hafe@users.noreply.github.com>
2020-06-16 00:24:03 -07:00
Y0UZ45 06391b6dd9
Fix kubectl.sh parameter quoting (#6239)
If the special parameter "$@" is not quoted, the following command will not work:

./kubectl.sh patch storageclass my-storage-class -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
2020-06-14 13:57:57 -07:00
Florian Ruynat a9de6dde33
Cleanup unneeded elif in kubelet env file (#6261) 2020-06-12 01:27:55 -07:00
Unai Arríen 1912df7e3e
Create /etc/gai.conf if not exists when disable_ipv6_dns is 'true' (#6258) 2020-06-12 00:55:55 -07:00
404notfoundhard d036a04d4d
restart kubelet service when kube-config.yml is changed (#5402)
* fix(kubelet): exec notify restart kubelet service when kube-config.yml changed

* Revert "refactor(kubelet handler): change task name("reload kubelet") this is misleading"

This reverts commit 8f5d29560802c7c997293adb1ce9f84d3b20b6cb.

* fix(handlers,kubelet): setting right notify task name
2020-05-19 10:13:37 -07:00
bozzo d948839320
Fix resolv.conf configuration for Fedora CoreOS. (#6138) 2020-05-18 02:27:36 -07:00
Mateus Caruccio a5af58c05a
Fix apiserver port when upgrading (#6136) 2020-05-18 01:21:36 -07:00
Matthew Mosesohn fda05df5f1
Only fix kube-proxy address on evaluating kube_master hosts (#6152)
Change-Id: I83a7101a6cd99eb531d8385de5c31aee4f474469
2020-05-17 13:05:36 -07:00
Florent Monbillard 324106e91e
Remove Kubernetes <1.16 conditionals (#6088) 2020-05-08 00:45:43 -07:00
Florian Ruynat ca45d5ffbe
Fix retries keyword missing until instruction (#5989) 2020-04-21 07:20:56 -07:00
Maxime Guyot 3134dd4c0d
Drop support for Fedora 28 and add Fedora 30 and 31 (#5969) 2020-04-18 06:35:36 -07:00
Sergey 6318bb9f96
Return the ability to start control plane from the hyperkube image (#5422) 2020-04-18 05:59:36 -07:00
Florian Ruynat 83fe607f62
Cleanup deprecated labels beta.kubernetes.io/arch and beta.kubernetes.io/os (#5964) 2020-04-17 05:51:06 -07:00
Lovro Seder b09fe64ff1
Calculate inventory list only once (#5956) 2020-04-16 06:12:45 -07:00
Florent Monbillard 54debdbda2
Generate unique username per cluster in client kubeconfig (#5943)
* Generate unique username per cluster

* rename admin kubeconfig shell output to raw_admin_kubeconfig

* Make the linter happy

* Fix lint errors

* Cleaning up tasks
2020-04-16 05:32:45 -07:00
Florian Ruynat 473a8beff0
Remove hard-coded dependence to docker.service in kubelet.service file (#5917) 2020-04-09 08:43:46 -07:00
Maxime Guyot 7eaa7c957a
Fix conntrack for opensuse and docker support (#5880) 2020-04-08 07:37:44 -07:00
spaced 157c247563
fix readonly flexvolume in fcos and coreos (#5885) 2020-04-08 01:41:43 -07:00
Etienne Champetier a35b6dc1af
Fix scaling (#5889)
* etcd: etcd-events doesn't depend on etcd_cluster_setup

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* etcd: remove condition already present on include_tasks

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* etcd: fix scaling up

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* etcd: use *access_addresses, do not delegate to etcd[0]

We want to wait for the full cluster to be healthy,
so use all the cluster addresses
Also we should be able to run the playbook when etcd[0] is down
(not tested), so do not delegate to etcd[0]

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* etcd: use failed_when for health check

unhealthy cluster is expected on first run, so use failed_when
instead of ignore_errors to remove scary red messages

Also use run_once

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* kubernetes/preinstall: ensure ansible_fqdn is up to date after changing /etc/hosts

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* kubernetes/master: regenerate apiserver cert if needed

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-04-08 01:27:43 -07:00
spaced 0c51352a74
remove unused kubelet options (#5903) 2020-04-07 11:51:44 -07:00
Vinayaka V Ladwa f8ad44a99f
Azure vmss - kubelet: failed to get instance ID from cloud provider: instance not found #5824 (#5855)
* kubernetes-sigs-kubespray #5824

Added support nodes which are part of Virtual Machine Scale Sets(VMSS)

* kubernetes-sigs-kubespray #5824

* kubernetes-sigs-kubespray #5824

Added comments and updated azure docs.

* kubernetes-sigs-kubespray #5824

Added supported values comments for "azure_vmtype" in azure.yml
2020-03-31 10:12:40 -07:00
Xiaodu 63fa406c3c
Move host_architecture to kubespray-defaults (#5811)
The variable is defined in `kubernetes/preinstall` role and used in several roles. Since `kubernetes/preinstall` is not always included when `ansible-playbook` is run with tag selectors (see #5734 for reason), they will fail, or individual roles must copy the same fact definitions (as in #3846). Moving the definition to the always-included `kubespray-defaults` role will resolve the dependency problem.
2020-03-25 12:58:25 -07:00
Stephen Schmidt 0379a52f03
Fix etcd install with docker and etcd_kubeadm_enabled (#5777)
- This solves issue #5721 & #5713 (dupes)
  - Provide a cleaner default usage pattern for the download role
    around etcd that supports 'host' and 'docker' properly
  - Extract the 'etcdctl' as a separate task install piece and reuse it where
    appropriate
  - Update the kubeadm-etcd task to reflect the above change
2020-03-24 08:12:47 -07:00
Sergey b8d628c5f3
rename handler to fix ansible 2.8 issue (#5801) 2020-03-20 13:54:08 -07:00
Maxime Guyot a7a204ebca
Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797) 2020-03-20 04:14:36 -07:00
spaced 8ce5a9dd19
remove atomic support because reached end of life (#5783) 2020-03-17 14:31:27 -07:00
spaced 876d4de6be
Fedora CoreOS support (#5657)
* fedora coreos support
- bootstrap and new fact for

* fedora coreos support
- fix bootstrap condition

* fedora coreos support
- allow customize packages for fedora coreos bootstrap

* fedora coreos support
- prevent install python3 and epel via dnf for fedora coreos

* fedora coreos support
- handle all ostree like os in same way

* fedora coreos support
- handle all ostree like os in same way for crio

* fedora coreos support
- add fcos documentations
2020-03-17 03:12:21 -07:00
Qingkun Li 43020bd064
Fix the command for kube-proxy cleanup (#5671) 2020-03-13 05:32:39 -07:00
Xiaodu c47f441b13
fix kube-proxy server address when local apiserver lb is disabled (#5730)
refs #5277

As the issue describes, when no external or local load-balanced is used,
kube-proxy won't be able to contact apiserver at 127.0.0.1. So the
config map should be left as is.
2020-03-12 10:40:39 -07:00
Sergey 9f3ed7d855
change ignore_errors: to when: in assert tasks (#5716) 2020-03-10 08:09:36 -07:00
Sergey 221b429c24
move var preinstall_selinux_state: to roles/kubespray-defaults/defaults/main.yaml (#5715) 2020-03-10 07:45:35 -07:00
Kubernetes Prow Robot 66408a87ee
Refactor download role (#5697)
* download file

* download containers

* fix push image to nodes

* pull if none image on host

* fix

* improve docker image tag checks.
do not pull already cached images

* rebase fix merge conflict

* add support download_run_once when upgrade and scale cluster
add some test with download_run_once

* set default values to temp flag for every download cycle

* add save,load ability for containerd and crio when download_run_once=true

* return redefine image save/load command to  set_docker_image_facts.yml

* move set command to set_container_facts

* ctr in containerd_bin_dir

* fix order of ctr image export arguments

* temporary disable download_run_once for containerd and crio
due https://github.com/containerd/containerd/issues/4075

* remove unused files

* fix strict yaml linter warning and errors

* refactor logical conditions to pull and cache container images

* remove comment due lint check

* document role

* remove image_load_on_localhost, because cached images are always loaded to docker on remote sites

* remove XXX from debug output
2020-03-05 07:31:39 -08:00
Sergey 678ed5ced5
fix upgrade procedure when in playbook (#5695)
exists role kubernetes/preinstall and not exists role container-engine

 error 'yum_repo_dir' is undefined
2020-02-28 01:56:38 -08:00
Lovro Seder 7f87ce0362
Upgrade container-engine after draining (#5601)
* Run 'container-engine' after drain.

Move possibly disruptive role 'container-engine' to run after the node
is drained.

As that role have to be run on non-cluster nodes as well (etcd and
calico-rr), and those nodes are not drained, add play for that case.

* Check if api is up before upgrade.

If container engine is restarted in previous role, api controller can
take some time to start. This check ensures api is up before upgrade.
2020-02-27 11:47:28 -08:00
Javeria Khan 6368c626c5
Ignore assertion comparison for kube_network_node_prefix when using calico (#5632)
* Fix incorrect assertion comparison for kube_network_node_prefix

* Ignore assertion comparison for kube_network_node_prefix when using calico

* Adding more var docs description for kube_network_node_prefix

* Fixing trailing whitespaces
2020-02-20 00:39:03 -08:00
Adrien Gooris da86457cda
remove unused var 'kube_apiserver_admission_control' (#5648) (#5651) 2020-02-19 05:08:25 -08:00
Ali Sanhaji 646fd5f47b
External OpenStack Cloud Controller Manager implementation (#5491)
* External OpenStack Cloud Controller Manager implementation

* Adding controller image tag

* Minor fixes

* Restructuring the external cloud controller to work with KubeADM
2020-02-18 04:47:28 -08:00
Sylvain Chateau 0ca7aa126b
added "Flatcar", "Flatcar Container Linux by Kinvolk" for all coreOS role (#5607) 2020-02-18 00:15:29 -08:00
Sergey 36c1f32ef9
remove legacy docker repo in kubernetes/preinstall before any packages installed (#5640) 2020-02-17 08:59:28 -08:00
Erwan Miran 26700e7882
kubelet_config_extra_args and kubelet_node_config_extra_args (#5623)
* Introduce kubelet_config_extra_args and kubelet_node_config_extra_args to pass params to kubelet via YAML config

* kubelet_config_extra_args is not the alternative
2020-02-14 16:05:28 -08:00
Sergey 14b1cab5d2
force rotate control plane certificate on master node when upgrade cluster (#5596) 2020-02-10 06:09:54 -08:00
Florian Ruynat e570e2e736
Remove last rkt references (#5606) 2020-02-07 02:19:43 -08:00
aca 9d32e2c3b0
fix duplicates when scheduler_extra_volumes defined (#5566) 2020-02-07 02:09:44 -08:00
Etienne Champetier 5e9479cded Ensure we always fixup kube-proxy kubeconfig (#5524)
When running with serial != 100%, like upgrade_cluster.yml, we need to apply this fixup each time
Problem was introduced in 05dc2b3a09

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-01-14 02:45:09 -08:00
Damon Wang 48c41bcbe7 kube-proxy need conntrack (#5478) 2020-01-06 02:31:35 -08:00
Matthew Mosesohn 5fab610fab Clean kubectl cache after upgrade on first master (#5479)
Resolves issue where kubectl cache of <v1.16 api schema
interferes with interacting with daemonsets and deployments.

Change-Id: I63b7046958f2008eb144b6da0004c598f945e0ae
2020-01-06 02:23:35 -08:00
Matthew Mosesohn 696fcaf391 Ensure 0644 mode for ca.crt on nodes (#5428)
Change-Id: I5e018dfaeffe314300b373aeb7ed5f59929cf4f9
2019-12-11 00:54:04 -08:00
Sergey 9fda84b1c9 set node label via kubectl label command (#5257)
* set various node label via kubectl label command, not kubelet options

* remove node_labels from KUBELET_ARGS
2019-12-09 01:43:09 -08:00
Etienne Champetier 42702dc1a3 Fixes for CentOS 8 (#5213)
* Fix python3-libselinux installation for RHEL/CentOS 8

In bootstrap-centos.yml we haven't gathered the facts,
so #5127 couldn't work

Minimum ansible version to run kubespray is 2.7.8,
so ansible_distribution_major_version is defined and there is no need to default it

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* Restart NetworkManager for RHEL/CentOS 8

network.service doesn't exist anymore
 # systemctl status network
 Unit network.service could not be found.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* Add module_hotfixes=True to docker / containerd yum repo config

https://bugzilla.redhat.com/show_bug.cgi?id=1734081
https://bugzilla.redhat.com/show_bug.cgi?id=1756473
Without this setting you end up with the following error:
 # yum install docker-ce
 Failed to set locale, defaulting to C
 Last metadata expiration check: 0:03:21 ago on Thu Sep 26 22:00:05 2019.
 Error:
  Problem: package docker-ce-3:19.03.2-3.el7.x86_64 requires containerd.io >= 1.2.2-3, but none of the providers can be installed
   - cannot install the best candidate for the job
   - package containerd.io-1.2.2-3.3.el7.x86_64 is excluded
   - package containerd.io-1.2.2-3.el7.x86_64 is excluded
   - package containerd.io-1.2.4-3.1.el7.x86_64 is excluded
   - package containerd.io-1.2.5-3.1.el7.x86_64 is excluded
   - package containerd.io-1.2.6-3.3.el7.x86_64 is excluded
 (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2019-12-09 01:37:10 -08:00
Maxime Guyot b15d41a96a Add support to Ansible 2.9 (#5361) 2019-12-05 07:24:32 -08:00
Hugo Blom f7aea8ed89 update oidc to contain quotes (#5406) 2019-12-05 00:24:32 -08:00
Matthew Mosesohn 57fef8f75e Allow customizing kubelet healthz port and bind addr (#5403)
Change-Id: I1634ba2d2d3337243ffcdea86750003a559f2576
2019-12-03 11:56:58 -08:00
Matthew Mosesohn f599a4a859 force other resolvers to be secondary when using systemd-resolved (#5391)
Change-Id: I33d46c7e0c5374467e22c5a652b282d1703dea85
2019-12-02 08:41:04 -08:00
Matthew Mosesohn 18cee65c4b Add support for k8s v1.17.0-rc.1, remove hyperkube (#5378)
Change-Id: I3fff04f0211cd9c2e8235acaf51c3aa98abc8bb7
2019-11-28 05:41:03 -08:00
Yujun Zhang aec5080a47 kubernetes/masters: fix task name in kubeadm setup (#5377) 2019-11-27 06:05:20 -08:00
Michael Shen 6924c6e5a3 [FIX] fix match because trim removes leading/trailing whitespace (#5356) 2019-11-19 22:35:18 -08:00
Matthew Mosesohn 85c851f519 scale down coredns on each master during graceful upgrade (#5344)
This fixes the scenario where masters are upgraded one at a time
and coredns gets improperly scaled back up to 2 replicas.

Change-Id: I7cc9283f40efcfd61b5813c89a5805c95d901567
2019-11-18 00:13:41 -08:00
Matthew Mosesohn 8b67159239 Do not run kubeadm upgrade on first deploy (#5339)
Change-Id: I68a962a9dd28c83ef07eaeaf53eb98287f38bca9
2019-11-14 02:05:34 -08:00
LuciferInLove 4f70da2731 Added Amazon Linux 2 support for deploying with docker (#5301) 2019-11-11 07:05:41 -08:00
Matthew Mosesohn db5040e6ea Set certs and files with kubeadm token to mode 0640 (#5325)
Change-Id: I298496e55a6889c158b2085fcadeda5e679a873e
2019-11-11 05:41:41 -08:00
Matthew Mosesohn 1c25ed669c Remove unnecessary and risky reload network for resolvconf propagation (#5322)
Change-Id: I54d706f7941b4b86c4c6cd45340295577155b884
2019-11-06 10:11:52 -08:00
Matthew Mosesohn a005d19f6f Enable systemd-resolved DNS resolution mode (#5318)
Change-Id: If3e253a40782e03cde7fc4a91493517ae31fda17
2019-11-06 03:33:52 -08:00
Matthew Mosesohn 471589f1f4 Scale down coredns created by kubeadm upgrade to 0 replicas (#5308)
Change-Id: I128b0f9c1acbb956d9a6c4e5510b45a36e296af7
2019-11-05 03:34:38 -08:00
Matthew Mosesohn 186ec13579 Fix incorrect suggestion to enable old k8s apis (#5292)
Change-Id: If965cc6aa0daaca232dcf2ca0efd649aa097497f
2019-10-30 01:58:53 -07:00
Matthew Mosesohn 81da231b1e Set cluster DNS in kubeadm config for kubelet dynamic config (#5293)
Change-Id: I23116efefe8626d361d1904fc6fb8448f66cf3c5
2019-10-25 02:23:40 -07:00
Sergey 3118437e10 check on all cluster node - kubelet_max_pods <= (2 ** (32 - kube_network_node_prefix | int)) - 2 (#5279) 2019-10-17 05:48:38 -07:00
Michael Oglesby c672681ce5 Revert Pull Request #5084 (#5120)
Kubespray Pull Request #5084 (https://github.com/kubernetes-sigs/kubespray/pull/5084) caused more problems than it solved due to limitations with the synchronize module. See comments on Kubespray Issues #5059 (https://github.com/kubernetes-sigs/kubespray/issues/5059) and #5116 (https://github.com/kubernetes-sigs/kubespray/issues/5116). Details from Ansible documentation: "Currently, synchronize is limited to elevating permissions via passwordless sudo. This is because rsync itself is connecting to the remote machine and rsync doesn’t give us a way to pass sudo credentials in. ... Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types. Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection. ..." Thus, reverting Pull Request #5084.
2019-10-17 05:26:37 -07:00
yelhouti d332a254ee install python3 instead of python2 for fedora >= 30 fixes 5056, fixes 4802 (#5111) 2019-10-17 05:04:38 -07:00
Matthew Rapa 3debb8aab5 add KUBELET_VOLUME_PLUGIN to kubelet.env (#5128) 2019-10-16 20:08:38 -07:00
YichenWong aada6e7e40 Add etcd_data_dir variable to the kubeadm config (#5263) 2019-10-16 19:50:39 -07:00
Matthew Mosesohn ac60786c6f Add support for restart handlers for control plane on crio/containerd (#5250)
* Add support for restart handlers for control plane on crio/containerd

Change-Id: I8343cc4e9df7f55b732628ed01cc6e7ea5dcee85

* Update main.yml
2019-10-16 18:58:39 -07:00
Robin Elfrink faaff8bd72 Add RotateCertificates to kubelet config if kubelet_rotate_certificates is set. (#5152)
Signed-off-by: Robin Elfrink <robin.elfrink@eu.equinix.com>
2019-10-16 04:31:41 -07:00
Qingkun Li a51b729817 add ignore_errors to the kube-proxy deletion task (#5236)
When using cluster.yml or scale.yml to add/scale nodes in the existing
k8s cluster, the `kubeadm init` wouldn't run. As a result, kube-proxy
wouldn't be created, and therefore the kube-proxy deletion task would
fail, e.g. in the case where kube-router is used and "kube_proxy_remove"
is set to true. As a workaround, add ignore_errors to the kube-proxy
deletion task.
2019-10-16 04:23:40 -07:00
Matthew Mosesohn dea9304968 Enable openstack_cacert to be either file or base64 string (#5243) 2019-10-09 02:19:49 -07:00
Matthew Mosesohn 2864e13ff9 Reset between kubeadm secondary control plane join attempts (#5240)
Change-Id: Ic9425bf90552d7e3d42b02409af9773d99376384
2019-10-08 00:15:12 -07:00
Matthew Mosesohn a43e0d3f95 Switch to Kubernetes v1.16.0 (#5189)
* Switch to Kubernetes v1.16.0

Change-Id: I5d6a9528b2d443750fc5e031aff15ad3ffead158

* Fix download localhost cached file path

Change-Id: I65e79b70e3d1b37265ebc60f41b460cf4b0a0d47

* fix kubeadm etcd for v1.16

Change-Id: I6888a00fd48b530a38b0b31c4095492476af42d2

* disable tf packet jobs

Change-Id: I075c4666547fdea4c50ec04864f38e2cfaa79154

* Disable contiv packet jobs. Fix kube-router

Change-Id: I3170e8789e60711d4cee8faf65f2094480b79b8d

* bump sonobuoy version

Change-Id: Ib946905629c7c53ed88f08fb2f41c454457a0097
2019-10-02 02:21:07 -07:00
Richard Scott 75e4cc2fd9 Updated kubectl.sh (#5156)
The script is not usable unless you are in the '.vagrant/provisioners/ansible/inventory/artifacts' folder.
This update makes this usable from anywhere.
2019-09-26 04:23:07 -07:00
Etienne Champetier 81cb302399 MetalLB: fail if kube_proxy_strict_arp is false (#5180)
When using IPVS, kube_proxy_strict_arp = true is required
https://github.com/danderson/metallb/issues/153#issuecomment-518651132

Add kube_proxy_strict_arp to inventory/sample
2019-09-26 04:21:06 -07:00
Sergey 1cf6a99df4 generate kubeadm download image list with options useHyperKubeImage (#5203) 2019-09-25 18:03:06 -07:00
陈谭军 2fc02ed456 fix-typo (#5199) 2019-09-25 04:04:00 -07:00
Sergey 8984096f35 use hyperkubeimage to run controlplane containers (#5178) 2019-09-17 18:33:28 -07:00
Matthew Mosesohn 6fe2248314 Use more native way to update kubeconfigs using kubeadm (#5165)
Change-Id: I1076b418f85a26d9896be69910052128afc51cee
2019-09-13 03:40:29 -07:00
Matthew Mosesohn 27ec548b88 Add support for k8s v1.16.0-beta.2 (#5148)
Cleaned up deprecated APIs:
apps/v1beta1
apps/v1beta2
extensions/v1beta1 for ds,deploy,rs

Add workaround for deploying helm using incompatible
deployment manifest.
Change-Id: I78b36741348f47a999df3841ee63cf4e6f377830
2019-09-10 12:06:54 -07:00
Florent Monbillard 637f09f140 Fix ansible task titles (#5154)
* Fix ansible task titles for CRI connection tasks

* Fix Azure subscription ID check task title
2019-09-10 01:34:54 -07:00
Matthew Mosesohn 9b0f57a0a6 Adjust endpoints for kube-proxy,controller,scheduler to proper ip (#5150)
Change-Id: I5aa009358bee7035922b5a10327997e47c9ba434
2019-09-09 10:33:20 -07:00
Matthew Mosesohn 7f74906d33 Make haproxy/nginx client timeout configurable (#5140)
Change-Id: I61319a06eb33d9fc868e19941924f387088b856b
2019-09-05 00:32:51 -07:00
Richard Arends 4d95bb1421 Use python3-libselinux on RHEL8/Centos8 (#5127)
* Use python3-libselinux on RHEL8/Centos8

* The fact ansible_facts.distribution_major_version is not present on older Ansible version.
Default it to 0 in when not present and use libselinux-python as package to get current
default behaviour.
2019-08-28 02:33:15 -07:00
rptaylor 10e0fe86fb remove unimplemented custom_flags vars, document the extra_args vars (issue 4352) (#5108) 2019-08-23 01:21:18 -07:00
Michael Oglesby 07ecef86e3 Replace fetch with synchronize due to memory error (#5084)
Fix for Kubespray Issue #5059 (https://github.com/kubernetes-sigs/kubespray/issues/5059). There is a known issue with the 'fetch' module that will sometimes lead to it failing with a memory error. See ansible/ansible#11702 (https://github.com/ansible/ansible/issues/11702). I encountered this issue with the "Copy kubectl binary to ansible host" task in kubespray/roles/kubernetes/client/tasks/main.yml, and it caused my entire deployment to error out (see "Output of ansible run" above). Replacing 'fetch' with 'synchronize' fixes this issue.
2019-08-22 02:40:32 -07:00
Tony Fouchard f6a63d88a7 Allow to configure strict ARP on kube-proxy (#5092) 2019-08-20 18:21:17 -07:00
Hugo Blom 4dba34bd02 add cinder max attached volumes (#5089) 2019-08-19 23:45:32 -07:00
Ali Sanhaji a1ff1de975 fix openstack_cacert conditional (#5078) 2019-08-15 05:50:34 -07:00
Zou Nengren 1bfbc5bbc4 remove resource-container default value for kube-proxy (#4994) 2019-08-15 05:30:33 -07:00
Matthew Mosesohn 771ce96e6d Set initial kubeadm token if specified in kubeadm init (#5057)
Change-Id: I7fd94ec6d195af60d237b3cfe91668ca1f707d26
2019-08-15 02:26:33 -07:00
Matthew Mosesohn 0a2f4edfc6 Always download coredns images with kubeadm (#5071)
Fixes situation when using manual mode because it
tries to download coredns v1.3.1 from the same
image repository where kubernetes images are
downloaded from.

Change-Id: Ibbec8a72c8162ce8befa74e2013a268737ea5f8a
2019-08-13 08:53:43 -07:00
Matthew Mosesohn 023108a733 Refactor calico route reflector to run in k8s cluster (#4975)
* Refactor calico-rr to run in k8s cluster with taint

Change-Id: I75a3169ff5b36ce8302fc7ef1c32d3eb697b5afa

* add preinstall checks

* rework calico/rr role

Change-Id: I2f0a7e6cb77cf91ad4a615923680760d2e5d9ca8

* add empty calico-rr group

Change-Id: I006c0a60db9b72d02245bf8fdfabcf982144a5ad
2019-08-08 07:37:22 -07:00
Matthew Mosesohn 7cf8ad4dc7 Optionally refresh kubeadm token every time (#5043)
Change-Id: I278cb14aa93abf20160cc001f69e2f472504e6d8
2019-08-06 00:59:53 -07:00
Remous-Aris Koutsiamanis 02ec72fa40 Fix commands for using experimental kubeadm control plane (#5006) 2019-08-05 07:31:50 -07:00
Mark Janssen f3df0d5f4a Always create bash_completion.d folder (#5039) 2019-08-04 18:15:48 -07:00
koriukiv 54b1fe83f3 Add an option to reserve resources for OS system daemons (#5007) 2019-07-31 11:24:15 -07:00
Oilbeater 1be788f785 add Kube-OVN cni to kubespray (#5020) 2019-07-30 20:10:20 -07:00
Jeff Bornemann da50ed0936 move flexvolume plugin directory creation to preinstall (#4999)
* move flexvolume plugin directory creation to preinstall

* changes per pr feedback
2019-07-30 12:00:10 -07:00
刘旭 fe29c97ae8 add ansible_hostname and ansible_fqdn to apiserver_sans (#4990) 2019-07-22 00:48:53 -07:00
Tilman Beitter 69f796f0c7 use the locally deployed kubectl binary within the kubectl.sh helper script (#4311) 2019-07-16 02:23:25 -07:00
刘旭 de9443a694 remove unused code (#4981) 2019-07-16 01:39:24 -07:00
Matthew Mosesohn 23ae6027ab remove support for calico v2.x (#4974)
* Remove support for calico below version v3.0.0

Change-Id: If8fe3036b9e054901a8b2c48516eff1e1271970f

* Update main.yml

* fixup node peering

Change-Id: Ifac4d363deba826f0c80e390ce80a28df9827323

* fixups

Change-Id: Ic35417330af6741962003b3930604393c90804d1

* fixups

Change-Id: I0ea82d634bb0c81d9b7dc50569c70988bc8d3a3b
2019-07-15 07:47:09 -07:00
Matthew Mosesohn b15b6e834f fix parsing refresh of kubeadm cert key (#4971)
* fix parsing refresh of kubeadm cert key

Change-Id: I4de2a1df6498790a80351b4bc7d88e6c9e470358

* Update kubeadm-secondary-experimental.yml
2019-07-15 00:45:06 -07:00
Jeff Bornemann 728155a2a1 Support for Oracle Linux (#3655)
Fixed Issue #1032

test case for OEL7 AIL with kubeadm

Add packet CI stuff for oracle 7
2019-07-11 23:17:05 -07:00
Matthew Mosesohn cdf9a9f4fc Generate certificate key before kubeadm control plane config (#4964) 2019-07-11 05:30:54 -07:00
Matthew Mosesohn 29307740dd Enable containerd to deploy vanilla containerd package (#4951)
* Enable containerd to deploy vanilla containerd package

Fixes kubeadm references to CRI socket for containerd
Fixes download role cache feature to work with containerd

Change-Id: I2ab8f0031107e2f0d1a85c39b4beb66f08509a01

* use containerd for flannel-addons job

Change-Id: Ied375c7d65e64a625ffbd995ff16f2374067dee6

* add containerd vars

Change-Id: Ib9a8a04e501c481a86235413cbec63f3672baf91

* fixup vars

Change-Id: Ibea64e4b18405a578b52a13da100384582aa24c2

* more fixes

* fix rh repo

Change-Id: I00575a77cfb7b81d6095db5d918a52023c8f13ba

* Adjust helm host install for containerd
2019-07-10 23:46:54 -07:00
Matthew Mosesohn 352297cf8d
Fixup deploy of kubeadm etcd for Kubernetes v1.15.0 (#4952)
* Fixup deploy of kubeadm etcd for Kubernetes v1.15.0

Change-Id: If42c2c75c4d278ba9475ebf76c243f3e6ee4d02e

* undo renaming cloud config file

Change-Id: Iafbd27c3887d6a2a6d0819c711f150ecf70c515d
2019-07-09 15:41:59 +03:00
andreyshestakov c81b443d93 Fix order of names in /etc/hosts (#4940)
Configure fqdn properly
2019-07-08 06:08:34 -07:00
okamototk f2b8a3614d Use K8s 1.15 (#4905)
* Use K8s 1.15

* Use Kubernetes 1.15 and use kubeadm.k8s.io/v1beta2 for
  InitConfiguration.
* bump to v1.15.0

* Remove k8s 1.13 checksums.

* Update README kubernetes version 1.15.0.

* Update metrics server 0.3.3 for k8s 1.15

* Remove less than k8s 1.14 related code

* Use kubeadm with --upload-certs instead of --experimental-upload-certs due to deprecation

* Update dnsautoscaler 1.6.0

* Skip certificateKey if it's not defined

* Add kubeadm-conftolplane.v2beta2 for k8s 1.15 or later

* Support kubeadm control plane for k8s 1.15

* Update sonobuoy version 0.15.0 for k8s 1.15
2019-07-02 01:51:08 -07:00
Matthew Mosesohn e89b47c7ee Add nginx stub metrics if health check enabled (#4938)
Change-Id: Iac90beef20e63fb4a539f91836231469c573f402
2019-07-01 13:38:37 -07:00
Matthew Mosesohn 2aa66eb12d Default to refreshing kubeadm etcd key (#4931)
Change-Id: Icc0176773b6d581c43647de433214079440d7321
2019-06-30 03:37:22 -07:00
okamototk 4c8b93e5b9 containerd support (#4664)
* Add limited containerd support

Containerd support for Ubuntu + Calico

* Added CRI-O support for ubuntu

* containerd support.

* Reset containerd support.

* fix lint.

* implemented feedback

* Change task name cri xx instead of cri-o in reset task and timeout condition.

* set crictl to fixed version

* Use docker-ce's container.io package for containerd.

* Add check containerd is installable or not.

* Avoid stop docker when use containerd and optimize retry for reset.

* Add config.toml.

* Fixed containerd for kubelet.env.

* Merge PR #4629

* Remove unused ubuntu variable for containerd

* Polish code for containerd and cri-o

* Refactoring cri socket configuration.

* Configurable conmon.

* Remove unused crictl/runc download

* Now crictl and runc is downloaded by common crictl.yml.

* fixed yamllint error

* Fixed broken files by conflict.

* Remove commented line in config.toml

* Remove readded v1.12.x version

* Fixed broken set_docker_image_facts

* Fix yamllint errors.

* Remove unused apt source

* Fix crictl could not be installed

* Add containerd config from skolekonov's PR #4601
2019-06-29 14:09:20 -07:00
Tony Fouchard 216631bf02 Repair kube_proxy_exclude_cidrs (#4909) 2019-06-28 00:39:37 -07:00
Erwan Miran c7f3123e28 kubeadm_discovery_address should not contain proto (#4930) 2019-06-28 00:37:37 -07:00
Simon Lelievre f599c2a691 add macvlan cni to kubespray (#4901)
* add macvlan cni to kubespray

* macvlan: lint yaml files and fix sample config file

* macvlan: add OWNERS file

* add macvlan to README

* macvlan : CI first shoot

* macvlan : CI add full masquerade

* delegate retrieve pod cidr to master only

* macvlan: add config for CI

* macvlan: add netchecker deployment
2019-06-28 00:35:38 -07:00
Matthew Mosesohn 465dfd68bc Fix empty kube_override_hostname in apiserver_sans (#4916)
kubernetes/master role defines this value as an empty string
when using a cloud provider, not undefined. The check was updated
accordingly.

Change-Id: I58dc31ef4fd568a717a6753eb89ca687933018ae
2019-06-25 08:00:37 -07:00
Matthew Mosesohn 73f45fbe94
Revert "Filter undefined SANs for apiserver cert (#4913)" (#4914)
This reverts commit d270678bda.
2019-06-25 06:56:00 -07:00
Matthew Mosesohn d270678bda Filter undefined SANs for apiserver cert (#4913)
Change-Id: I37442fb095fb4217f67f74744ad07c1d5d8229ea
2019-06-25 05:54:36 -07:00
andreyshestakov b5406b752d Add kube_override_hostname to kubeadm certs. (#4903) 2019-06-23 23:19:56 -07:00
Matthew Mosesohn 4348e78b24 Enable kubeadm etcd mode (#4818)
* Enable kubeadm etcd mode

Uses cert commands from kubeadm experimental control plane to
enable non-master nodes to obtain etcd certs.

Related story: PROD-29434

Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178

* Add validation checks and exclude calico kdd mode

Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c

* Move etcd mode test to ubuntu flannel HA job

Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732

* rename etcd_mode to etcd_kubeadm_enabled

Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
2019-06-20 11:12:51 -07:00
刘旭 a3a7fe7c8e fix start CoreDNS when init secondary master (#4867) 2019-06-11 04:56:18 -07:00
Neven Miculinic 27a99e0a3f Added configurable min memory assertions (#4307) 2019-06-10 23:22:15 -07:00
Andreas Krüger 3cc351dff9 Require min version of Kubernetes (#4860)
* Require minimum version of Kubernetes

* Remove checksums for kubernetes version 1.12

* Add kube_version to precheck output and add min required version to README

* Fix merge

* Fix defaults

* Fix typo in precheck
2019-06-10 23:18:15 -07:00
Matthew Mosesohn 3b7797b1a1 Ensure haproxy and nginx reload when config changes (#4862)
Change-Id: Ia9a41e7b1cfcb1e6acb2dbae6eecc541dce25a74
2019-06-10 05:59:08 -07:00
Frank Ritchie ab6f0012cc Make local volume provisioner dir mode a variable (#4821)
* Make local volume provisioner dir mode a variable

I need to change this for Nagios monitoring. Others may
need to as well. Had to close previous commits, sorry for
the spam.

* Make local volume provisioner dir mode a variable

I need to change this for Nagios monitoring. Others may
need to as well. Had to close previous commits, sorry for
the spam.
2019-06-06 04:36:14 -07:00
mervynzhang a8dfcbbfc7 Switch /root references to ansible_env.HOME (#4842)
* kube config dir for current/ansible become user

* remove extra /

* fix default value
2019-06-06 02:06:11 -07:00
Andreas Krüger 818aa7aeb1 Set dnsPolicy to ClusterFirstWithHostNet when hostNetwork is true (#4843) 2019-06-05 03:17:55 -07:00
Dani Comnea d540560619 Preinstall fails on checking etcd group length (#4839) 2019-06-05 01:37:53 -07:00
Andreas Krüger 797bfd85b0 Only create kubeadm compat cert dir link if it does not exist (#4840) 2019-06-05 01:27:53 -07:00
Sergey Nuzhdin 07cb8ebef7 Add support for arm images for hyperkube, kubeadm and cni_binary (#4261)
* Add support for arm images for hyperkube, kubeadm and cni_binary

* Add dummy etcd checksum for arm

This commit adds dummy etcd checksum for arm to avoid "no attribute" error
during setup.

* Add etcd host assert check

* Add 1.13.4 checksums of kubeadm and hyperkube for arm

* Update checksums of kubeadm and hyperkube for arm

* Add dummy checksums for calicoctl_binary_checksums dict

* disable gather_facts because it causes tests to fail

* Remove architecture check for etcd, due to unable to run tests
2019-06-05 00:05:55 -07:00
Matthew Mosesohn 6347419233 Avoid duplicating nameservers (#4833) 2019-06-04 00:13:02 -07:00
Andreas Krüger b41530ba5d Add missing extraArgs to kubeadm-config (#4814) 2019-05-28 03:57:52 -07:00
Maxime Guyot b45f3f0004 Add tf-ovh_coreos CI job (#4763) 2019-05-28 01:51:53 -07:00
Vitaliy Dmitriev 333f1a4a40 kubeadm join path fixed for RH linux (#4798) 2019-05-27 01:49:51 -07:00
Andreas Krüger 1e470b0473 Fix certificate-key param for kubeadm init (#4789)
* Fix certificate-key param for kubeadm init

* Fix yamllint error
2019-05-22 02:06:11 -07:00
Jacopo Secchiero 5d9946184a Add ignore_assert_errors to "kube-master, ... (#4779)
... kube-node or etcd is empty" task
As an assert must be ignored if ignore_assert_errors is true
2019-05-20 11:25:14 -07:00
Mateus Caruccio 8485136f9a var node_labels as string (#4764) 2019-05-19 12:31:10 -07:00
Maxime Guyot ff1bc739f1 Change default for kubelet_flexvolumes_plugins_dir (#4752) 2019-05-19 12:29:10 -07:00
Florent Monbillard 8e28ba38d2 Add Load Balancer IP to API servers SANs (#4775)
- Add loadbalancer_apiserver.address to apiserver_sans
2019-05-16 01:23:42 -07:00
MarkusTeufelberger 73c2ff17dd Fix Ansible-lint error [E502] (#4743) 2019-05-16 00:27:43 -07:00
Andreas Krüger 044dcbaed0 Add Kubelet config, remove deprecated flags and fix minor bugs (#4724)
* Add kubelet config

* Change kubelet_authorization_mode_webhook to true

* Fix lint

* Sync env file

* Refactor the kubernetes node folder

* Remove deprecated flag and fix lint
2019-05-08 13:38:36 -07:00
Andreas Krüger bf3c6aeed1 Add kube anon auth settings to kubeadm config templates (#4713)
* Disable kube_api_anonymous_auth by default to secure the setup

* Disable metrics-server in addons. Health endpoint is slow and unstable

* Fix anonymous-auth missing in configuration

* Cleanup a bit

* Fix kube anon auth
2019-05-07 12:52:34 -07:00
Dmitri Rubinstein 03bded2b6b Fix adding output of kubeadm to the admin.conf downloaded to the artifacts directory (#4696)
Fixes issue https://github.com/kubernetes-sigs/kubespray/issues/4695
2019-05-06 03:29:36 -07:00
Manuel Cintron d5c0829d61 Removing unnecessary httplib2 install (#4708) 2019-05-03 17:55:38 -07:00
Alex Barcelo 00369303de Fixing `msg` parameter for `debug` module (#4702)
According to [`debug` module documentation](https://docs.ansible.com/ansible/latest/modules/debug_module.html?highlight=msg), the correct parameter name is `msg`.

With the previous `message` parameter name I was getting FAILED messages while ansible was trying to debug previous FAILED tasks.
2019-05-03 12:21:42 -07:00
MarkusTeufelberger e67f848abc ansible-lint: add spaces around variables [E206] (#4699) 2019-05-02 14:24:21 -07:00
Timoses d6fd0d2aca Enable delegating all downloads (binaries, images, kubeadm images) (#4420)
* Download to delegate and sync files when download_run_once

* Fail on error after saving container image

* Do not set changed status when downloaded container was up to date

* Only sync containers when they are actually required

Previously, non-required images (pull_required=false as
image existed on target host) were synced to the target
hosts. This failed as the image was not downloaded to
the download_delegate and hence was not available for
syncing.

* Sync containers when only missing on some hosts

* Consider images with multiple repo tags

* Enable kubeadm images pull/syncing with download_delegate

* Use kubeadm images list to pull/sync

'kubeadm config images pull' is replaced by collecting the images
list with 'kubeadm config images list' and using the commonly
used method of pull/syncing the images.

* Ensure containers are downloaded and synced for all hosts

* Fix download/syncing when download_delegate is a kubernetes host
2019-05-01 01:10:56 -07:00
Matthew Mosesohn 15eb7db36d Fix k8s api endpoint for secondary nodes in control plane mode (#4675)
Change-Id: I1588458b54c52443ad8d0afbd266f77ac0afea67
2019-04-29 07:50:24 -07:00
Andreas Krüger 38af93b60c Remove rkt support (#4671) 2019-04-29 01:14:20 -07:00
Dmitry b8f0de3074 Fixed etcd-servers-overrides in kubeadm config (#4668)
* kube-apiserver will fail if used comma as separator
2019-04-28 23:02:20 -07:00
MarkusTeufelberger 88d919337e ansible-lint: don't compare to empty string [E602] (#4665) 2019-04-28 23:00:20 -07:00
Matthew Mosesohn 338eb4ce65 Fix kubeadm upload certs with when condition (#4659)
* Fix kubeadm upload certs with when condition

Change-Id: I916dd2375b71eea2386047c7f185a2f8361f7a61

* Update kubeadm-secondary-experimental.yml
2019-04-27 01:14:20 -07:00
Sergey Kolekonov 4a10dca7d4 Add an ability to provide oidc cert in base64 (#4618) 2019-04-24 09:40:01 -07:00
Matthew Mosesohn 4d57ed314d Clean up check for setting kubeadm certificate key (#4634)
Change-Id: I2c97c4753089eb3ec2e6b01b2681a8be98ecbb57
2019-04-24 07:14:12 -07:00
Vincent Gramer f47a666227 support azure loadbalancer standard sku (#4150) (#4476)
add the support of the following properties in azure-credential-check.yml
  - azure_loadbalancer_sku: Sku of Load Balancer and Public IP. Candidate values are: basic and standard.
  - azure_exclude_master_from_standard_lb: excludes master nodes from standard load balancer.
  - azure_disable_outbound_snat: disables the outbound SNAT for public load balancer rules
  - useInstanceMetadata: Use instance metadata service where possible
  - azure_primary_availability_set: (Optional) The name of the availability set that should be used as the load balancer backend
2019-04-24 02:14:01 -07:00
Matthew Mosesohn fc072300ea Purge legacy cleanup tasks from older than 1 year (#4450)
We don't need to support upgrades from 2 year old installs,
just from the last major version.

Also changed most retried tasks to 1s delay instead of longer.
2019-04-24 00:08:05 -07:00
MarkusTeufelberger a65605b17a ansible-lint: Don't use bare variables (#4608)
Circumvented one false positive from ansible-lint
Moved a block of jinja magic into its own variable
2019-04-23 22:20:00 -07:00
MarkusTeufelberger 424e59805f ansible-lint: Fix commands that are also available as module (#4619) 2019-04-23 22:18:00 -07:00
Matthew Mosesohn d6d7458d68 Fix control plane setup without a hardcoded key (#4610) 2019-04-23 14:37:59 -07:00
Matthew Mosesohn 09fe95bc60 Avoid creating k8s cert dir on non-k8s nodes (#4602) 2019-04-21 15:27:43 -07:00
Vedran Bartonicek 33ab615072 Wait longer for node to join the cluster (#4549) 2019-04-20 07:05:40 -07:00
Matthew Mosesohn 05dc2b3a09 Use K8s 1.14 and add kubeadm experimental control plane mode (#4514)
* Use K8s 1.14 and add kubeadm experimental control plane mode

This reverts commit d39c273d96.

* Cleanup kubeadm setup run on first master

* pin kubeadm_certificate_key in test

* Remove kubelet autolabel of kube-node, add symlink for pki dir

Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
2019-04-19 06:01:54 -07:00
Victor Morales c6586829de Ensure /etc/bash_completion.d/ folder exists (#4543)
The Stateless ClearLinux feature[1] requires the creation of folders
in /etc folder. This change ensure the existence of the
/etc/bash_completion.d/ folder for ClearLinux Distribution.

[1] https://clearlinux.org/features/stateless
2019-04-18 02:24:10 -07:00
Maxime Guyot b218e17f44 ansible-lint: E403 Package installs should not use latest (#4500) 2019-04-18 01:34:08 -07:00
Maxime Guyot 37eac010c8 ansible-lint: Don’t compare to literal True/False (#4499) 2019-04-17 08:42:03 -07:00
Maxime Guyot ec3daedf9e Revert "Fix for unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels (#4320)" (#4553)
This reverts commit 586ad89d50.
2019-04-17 07:58:06 -07:00
Matthew Mosesohn c5fb734098 Switch calicoctl from a container to a binary (#4524) 2019-04-15 04:24:04 -07:00
Matthew Mosesohn d39c273d96 Revert "Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)" (#4510)
This reverts commit 316508626d.
2019-04-11 12:52:43 -07:00
Matthew Mosesohn 316508626d Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)
* Use Kubernetes 1.14 and experimental control plane support

* bump to v1.14.0
2019-04-11 05:30:13 -07:00
Qasim Sarfraz 3af90f8772 disable cloud-routes for non-cloud plugin (#4443) 2019-04-10 23:50:09 -07:00
Sergey 3b9d13fda9 Return back bind API server node loadbalancer to 127.0.0.1 for security purposes. (#4489) 2019-04-10 12:20:08 -07:00
Andreas Krüger 5e0249ae7c Add HAProxy as internal loadbalancer (#4480) 2019-04-10 05:56:18 -07:00
Neven Miculinic a30ad1e5a5 Added generic CNI network plugin (#4322)
* Added generic CNI network plugin

* Added CNI network plugin documentation

* added necessary fix
2019-04-10 04:16:15 -07:00
Robert Neumann 586ad89d50 Fix for unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels (#4320)
* Fix the file path for all.yml and k8s-cluster.yml

* Fix --node-labels namespace error "unknown labels specified"

* Update templates and configs kubelet node-labels
2019-04-10 04:14:12 -07:00
André R. de Miranda 097806dfe8 Added tag kube-proxy (#4272)
Signed-off-by: André R. de Miranda <andre@miranda.work>
2019-04-09 05:25:06 -07:00
Abdulaziz AlMalki 7cdf1fd388 quote values for kube_oidc_groups_prefix and kube_oidc_username_prefix values to accept colon, e.g oidc: (#4305)
This will fix error: error converting YAML to JSON: yaml: line 36: mapping values are not allowed in this context

Signed-off-by: Abdulaziz AlMalki <almalki.a@gmail.com>
2019-04-09 05:23:06 -07:00
Maxime Guyot 913fed0089 kubeadm init: add 'until' to make 'retries' effective (#4464)
an 'until' clause is required or 'retries' is ignored

(see note @ https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html#do-until-loops)
2019-04-09 00:21:04 -07:00
rptaylor f52584a715 robust handling of API server SANs (#4435)
* robust handling of API server SANs

* use apiserver_loadbalancer_domain_name if it is defined, according to PR 3977
2019-04-08 08:10:35 -07:00
Andreas Krüger d18ad63e49 Update nginx to 1.15. Update manifest and performance optimize (#4458) 2019-04-08 02:02:29 -07:00
Maxime Guyot 8ad74404c9 Remove bash-completion (#4431) 2019-04-05 01:23:22 -07:00
Maxime Guyot 1ce2f04f47 allow Suse OS family (#4430) 2019-04-04 03:02:51 -07:00
Xavi 20b12751af add Cinder allowVolumeExpansion option (#4415) 2019-04-04 02:36:50 -07:00
Sergey 55890e1b82 keep compatibility as it was before (#4268) 2019-04-03 01:39:42 -07:00
Sergey 740d8b0a26 enable kubelet client certificate rotation (#4081)
* enable kubelet client certificate rotation

* change to variable kubelet_rotate_certificates
2019-04-03 01:35:44 -07:00
Matthew Mosesohn 5f12b7aedf Remove kubedns and dnsmasq. Move dns_late phase after apps (#4406)
Both kubedns and dnsmasq modes are long not maintained.
We should run dns_late steps at the end because sshd
makes DNS lookups during Ansible run and has 2s timeouts
for each failed lookup trying to connect to coredns before
it is ready.
2019-04-01 12:32:34 -07:00
Dmitry Chepurovskiy 0440e45d65 Fix supplementary_addresses rendering error (#4403) 2019-03-29 00:26:13 -07:00
Dmitry Chepurovskiy 669ab10c17 Added livenessProbe for local nginx apiserver proxy liveness probe (#4222)
* Added configurable local apiserver proxy liveness probe

* Enable API LB healthcheck by default

* Fix template spacing and moved healthz location to nginx http section

* Fix healthcheck listen address to allow kubelet request healthcheck
2019-03-28 06:20:46 -07:00
Etienne d0ae316934 Use proxy_env with kubeadm phase commands (#4325) 2019-03-26 03:03:19 -07:00
Matthew Mosesohn b7fd462944 Fix support for ansible 2.7.9 (#4375) 2019-03-20 11:29:42 -07:00
Matthew Mosesohn ec08303f82 Revert "Fix #4237: update kube cert path (#4354)" (#4369)
This reverts commit ea7a6f1cf1.

This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.
2019-03-20 05:56:57 -07:00
Dmitry Chepurovskiy ea7a6f1cf1 Fix #4237: update kube cert path (#4354) 2019-03-17 23:55:11 -07:00
Matthew Mosesohn 150a969cf4
Forcefully delete pods when necessary (#4328)
Pods on down/unresponsive nodes can't be deleted without
--force --grace-period=0.

Fixes #4314
2019-03-14 07:45:46 -07:00
Matthew Mosesohn acbf3db233 Remove hard dependence on facts for all nodes (#4304)
* Remove hard dependence on facts for all nodes

* Update main.yaml

* Update main.yaml
2019-03-05 03:04:39 -08:00
Matthew Mosesohn adf6a7121f Reenable set_facts task for dns_late (#4312) 2019-03-01 05:39:30 -08:00
hikoz 67832aada9 changed_when:false (#4189) 2019-02-25 20:09:30 -08:00
Ryler Hockenbury 88249308a0 Add labels to vsphere cloud config (#4275) 2019-02-25 19:58:15 -08:00
Gabor Lekeny b4aaa7b908 Speed up tasks (#4278)
* fact gathering should run only once per node
* eliminate ansible version check, it is at the beginning of each
  playbook
2019-02-25 19:56:23 -08:00
Matthew Mosesohn b07641c3f3 Move kube_proxy_remove out of set_facts and set default (#4180) 2019-02-25 00:08:06 -08:00
Frank Ritchie 9805fb7a34 Add flexvolume plugin dir to kubeadm kubelet (#4168)
This was already approved in #4106 but there are CI issues
with that PR due to references to kubernetes incubator.

After upgrading to Kubespray 2.8.1 with Kubeadm enabled Rook
Ceph volume provision failed due to the flexvolume plugin dir not
being correct. Adding the var fixed the issue
2019-02-20 15:02:02 -08:00
Abdulaziz AlMalki eafab9636f fix wrong indent of oidc-username-prefix and oidc-groups-prefix in kubeadm config template (#4263) 2019-02-19 23:22:32 -08:00
Seungkyu Ahn 107bfb259a This PS is to fix the bug when Workers can't join the cluster (#4276)
because of etc-kubernetes-manifests not empty.
2019-02-19 22:13:59 -08:00
Rong Zhang d4a36aa55b
Merge pull request #4027 from riverzhang/kube-proxy
Add update server field in kube-proxy kubeconfig
2019-02-20 13:41:06 +08:00
Manuel Cintron 07b2894080 Adding ability to maintain existing Encryption Secrets at Rest. (#4255)
* Adding ability to maintain existing Encryption Secrets at Rest.

If secrets_encryption.yaml is present it will not be overwritten with a new kube_encrypt_token.

This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is run on the same cluster and the ansible host does not have access to the secrets.

* Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 07:31:45 -08:00
hikoz e03588f431 use swapon -s (#4216) 2019-02-14 02:35:17 -08:00
Sorin Sbarnea 22a5a00c49 Improve kubeadm join tasks (#4206)
Fix issue where `kubeadm join` could wait forever for joining.

Fix issue where `kubeadm join` were not reaching the user, making
impossible to find the cause of the failure.

New behaviour is to first attempt to join without bypassing the
verifications checks and to display them if needed.

If this fails it still attempts to join by ignoring the check in
order to make previous behavior.

A timeout of 60 seconds is allocated for a joining.

Related-bug: #3973
2019-02-12 13:42:56 -08:00
Sergey fbce6349c4 check kube_pods_subnet and kube_service_addresses to valid ip network range, not single ip address (#4188) 2019-02-11 14:12:06 -08:00
Chad Swenson 038a2eb862
Merge pull request #3949 from trogeat/patch-fix-missing-ca-cert-apiserver
kubespray: fix missing ca-certificate path in apiserver
2019-02-11 15:40:04 -06:00
Chad Swenson 6878c2af4e Fix kube_hostname_override inconsistencies (#4185) 2019-02-06 22:20:11 -08:00
Earl C. Ruby III 52e0aa7a80 Install the latest filesystem creation packages (#3904)
This PR ensures that the e2fsprogs and xfsprogs packages are
installed on all Kubernetes nodes and that the packages are
the latest versions. It also ensures that the nodes can
create XFS filesystems when necessary, since not all distros
install xfsprogs by default.

e2fsprogs - ext2/ext3/ext4 file system utilities
xfsprogs - Utilities for managing the XFS filesystem
2019-02-04 12:23:33 -08:00
peerapach bd9474bafd fix kubeadm-setup when enable access_ip (#4145) 2019-02-01 20:10:34 -08:00
Sorin Sbarnea 316b73178d Add timeout to Get current version of calico cluster version (#4149)
Avoid waiting forever for this task that should be very quick.

Fixes: #4148
2019-02-01 20:09:04 -08:00
Vasilis Remmas cd7924f8c9 Add oidc prefixes to kubeadm templates (#4159) 2019-01-31 15:31:43 -08:00
Erwan Miran 7f93a5a0f5 Fix deprecation warnings (#4130)
* use not deprecated ansible_play_hosts variable

* Using tests as filters is deprecated

* Fix deprecation warning about pkg list
2019-01-31 14:57:22 -08:00
Thomas Nys 68fd7e39da Set cluster DNS correctly in case of nodelocal dns cache (#3879)
* Set cluster DNS correctly in case of nodelocal dns cache

* Pass in cluster_ip based on dns mode

* Disable nodelocaldns by default

* Fix syntax error

* Fix syntax issue

* Add nodelocadns ip to vars of node installation

* Change location of nodelocaldns_ip

* Try to remove newlines from jinja template

* Add debug for config file

* Move parameter logic outside of template

* Adapt templates after feedback

* Remove debugging
2019-01-28 23:39:27 -08:00
wangxf a096761306 [PR-Calico]Support calico 3.4.0 (#4102)
* Support calico 3.4.0

Signed-off-by: wangxf1987 <xiaofeix.wang@gmail.com>

* Remove symlink + cni conflist template when 3.3.0+, handle Canal, addition of install-cni: sidecar(3.3.0) or initcontainer(3.4.0), KUBECONFIG_FILEPATH, calico_cert_dir, advertise cluster ips

* scheduler.alpha.kubernetes.io/critical-pod deprecated since 1.12
2019-01-28 11:03:49 -08:00
Florent Monbillard 2054a98cf7 Run kubeadm and hyperkube outside of local_release_dir (#4098)
Addressing the discussion started in #4064, this PR moves kubeadm and
hyperkube binaries to /usr/local/bin before running them on the master
nodes.

It is to address the case where local_release_dir points to /tmp
(kubespray default) and /tmp is mounted with noexec mode, preventing
any binaries to be run in that partition.

In role "node", we still move kubeadm to bin_dir only on the worker
nodes.
2019-01-28 02:00:49 -08:00
Sergey ce8ba1f170 create artifacts_dir (#4079) 2019-01-28 01:59:15 -08:00
Danny Kulchinsky 96688269f8 Support both --address and --bind-address for scheduler and controller-manager (#4112) 2019-01-27 23:43:34 -08:00
rongzhang 3ed5f89cf5 Add update server field in kube-proxy kubeconfig
I know this is a bit hack.
If you use cloud LB, you can use kubeadm's controlPlaneEndpoint to configure kube-proxy's server field.
But for nginx-proxy, it didn't start when kubeadm init.
2019-01-28 14:45:43 +08:00
Matthew Mosesohn 77d31e679a
fixup external kube-apiserver port (#4075) 2019-01-21 14:43:27 +03:00
Florent Monbillard decbcdc423 Use external LB IP for external api endpoint (#4060)
* Use external LB IP for external api endpoint

Use loadbalancer_apiserver.address instead of apiserver_loadbalancer_domain_name for kubeadm init --apiserver-advertise-address argument

https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#options states apiserver-advertise-address needs to be a IPv4 or IPv6 address

* only use loadbalancer IP if it is defined
2019-01-21 12:27:42 +03:00
Chad Swenson e3ffa21303
Merge pull request #4019 from chadswen/kubeadm-env
Fix PATH for kubeadm init
2019-01-18 11:27:57 -06:00
Matthew Mosesohn eecaba6b84
Generate external admin.conf with kubeadm (#4056)
* Generate external admin.conf with kubeadm

* Fix apiserver sans
2019-01-16 16:30:50 +03:00
Thomas Rogeat 83e11f9ef7 kubespray: fix missing ca-certificate path in apiserver 2019-01-16 11:48:24 +01:00
Chad Swenson 0697ab4b4f
Merge pull request #4048 from chadswen/readonly-writable-fix
Fix kubeadm config extra volumes
2019-01-15 13:02:04 -06:00
Chad Swenson 13e3e867ac Fix kubeadm config extra volumes
I found a potential use case where `writable` could be null and therefore
not treated like a boolean, so this adds an extra default statement to
avoid negating a non-boolean as boolean which would lead to undefined. refs #4020
2019-01-15 12:35:22 -06:00
rongzhang bab2e5ed0d Use --bind-address instead of --address
--address deprecated
2019-01-11 12:22:47 +08:00
Chad Swenson 1d9c0c7d17 Fix readOnly flag in kubeadm-config.v1beta1.yaml.j2
In v1beta1 of `ClusterConfiguration` the extraVolumes `writable` field was changed to `readOnly` and its boolean value must be negated.

Also, the json field for `useHyperKubeImage` was incorrectly capitalized.
2019-01-09 20:43:35 -06:00
Chad Swenson aa1d5b8970 Fix PATH for kubeadm init
Right now we're consistently getting warnings about kubelet not found in
path during `kubeadm init`. We fixed this for `kubeadm join` in #3342, and this brings the change to init
as well.
2019-01-09 18:38:02 -06:00
Chad Swenson 72802e4d8d Bugfixes for Local Volume Provisioner
- Fixed an issue where storage class host directories were looped
through excessive target hosts
- Fixes examples in the LVP `README.md` to use nested dicts instead of a
list of dicts
2019-01-08 17:45:20 -06:00
Wilmar den Ouden 4fb8adb9e4 More dynamic local-storage-provisioner approach (#3472)
* Makes local volume provisioner more dynamic

* Correct variable name in local storage provisioner defaults

* Updates external-provisioner readme

* Updates variable naming to be more clear, more documentation, fixes sample inventory

* Variable refactor, untangled some jinja2 loops

* Corrects variable name

* No variable substitution in dict keys, replaced with anchor

* Fixes default storage_classes dict, inline docs

* Fixes spelling in inline docs

* Addresses comments in review

* Updates all the defaults

* Fix failing CI task

* Fixes external provisioner daemonset
2019-01-08 12:36:44 -08:00
Andreas Holmsten 4d5b41b8db Allow override of bind addr for controller-manager and scheduler (#3968)
* allows to override the bind addresses for controller-manager and scheduler

Useful for Prometheus metrics monitoring

* Add bind addr override support in kubeadm/v1beta1

Adds support for override of bind addresses for controller-manager
and scheduler in kubeadm/v1beta1

* Move location of bind address vars

* Remove double declaration of schedulerExtraArgs
2019-01-07 20:41:54 -08:00
okamototk 8216e821d3 Fix kubeadm v1beta1 configuration taint (#3928)
* Use master node taint same as kubeadm configuration v1alpha3 or before.
2019-01-03 03:42:23 -08:00
Andreas Holmsten a34139e19e (Re)add line break for supplementary addr in SANs (#3952)
The change implemented in #3908 remove line breaks for supplementary
addresses in kubeadm SANs, causing errors in the config file and
failure to bring cluster up. This commit reimplement line breaks in
between supplementary addresses.
2019-01-03 00:12:00 -08:00
Chad Swenson 80379f6cab Fix kube-proxy configuration for kubeadm (#3958)
- Creates and defaults an ansible variable for every configuration option in the `kubeproxy.config.k8s.io/v1alpha1` type spec
  - Fixes vars that were orphaned by removing non-kubeadm
  - Fixes previously hardcoded kubeadm values
- Introduces a `main` directory for role default files per component (requires ansible 2.6.0+)
  - Split out just `kube-proxy.yml` in this first effort
- Removes the kube-proxy server field patch task

We should continue to pull out other components from `main.yml` into their own defaults files as I did here for `defaults/main/kube-proxy.yml`. I hope for and will need others to join me in this refactoring across the project until each component config template has a matching role defaults file, with shared defaults in `kubespray-defaults` or `downloads`
2019-01-03 00:04:26 -08:00
Rong Zhang 5834e609a6 Add scale master features (#3946)
* Add scale master features

* Add certificate management with kubeadm

* Add kubeadm kubeconfig

* Fix ymalroles error

* fix upgrade cluster failed

* force update cert and keys when you reconfigure cluster
2018-12-27 23:27:27 -08:00
Gautam Divgi 320f4d4d7f Added filters for integer conversion of kubelet_max_pods and kube_network_node_prefix (#3857) 2018-12-26 13:58:53 -08:00
Seongjin Cho 16715adfa0 Adds support for webhook token auth. (#3939)
Webhook token auth:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication

Fixes #3063.
2018-12-26 01:52:53 -08:00
rongzhang 1bb1ba2274 Fix GPU node Scheduling 2018-12-25 21:37:10 +08:00
Zefool 6ebcaab2bb controlPlaneEndpoint set up through load balancer should be possible … (#3888)
* controlPlaneEndpoint set up through load balancer should be possible even in single master setups

Enable load balancer for single-master setups
Fixes an issue where single-master setups are not reachable using the usual admin.conf from outside the cluster. 

controlPlaneEndpoint set up through load balancer should be possible even in single master setups

* add fix to other api versions

* remove obsolete check completely

* remove check, pass 2

* removes checks in client configuration

* delete 'and'
2018-12-25 00:03:32 -08:00
Rong Zhang cd42e649a7 Fix reconfigure and upgrade cluster (#3938) 2018-12-24 23:06:27 -08:00
rongzhang dd4159fe65 Delete unused controlPlane for join node
it is used for join master or use --experimental-control-plane arguments
2018-12-23 00:31:01 +08:00
Seongjin Cho e7b835eb4c Fix duplicate storage-backend (#3906) 2018-12-20 01:01:39 -08:00
Rong Zhang 925a820b56 Fix skip upgrade first master (#3915) 2018-12-19 05:16:14 -08:00
Matthew Mosesohn 50b884a32d Fixup line breaks for kubeadm SANs (#3908) 2018-12-19 02:47:31 -08:00
Ganesh Maharaj Mahalingam 73aee004ac Enable ClearLinux as a distro in kubespray (#3855)
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
2018-12-18 01:39:25 -08:00
ihard 30a9149b52 add vars for cilium init container (#3893)
* add vars for cilium init container

* make yamllint happy

* add var cilium_init in downloads
2018-12-18 00:34:19 -08:00
Egor dc8a8011be Load nf_conntrack module if nf_conntrack_ipv4 failed (#3764) 2018-12-12 05:33:54 -08:00
Maxim Snezhkov 5e84dabb46 Fix assertion for alone etcd nodes (#3847) 2018-12-12 05:21:54 -08:00
Maxim Snezhkov 90a7941d56 Fix disabling swap on ubuntu systems (#3864) 2018-12-11 02:42:00 -08:00
Egor 7da9880ff7 Move node-cidr-mask-size to ControllerManagerextraArgs (#3845) 2018-12-07 04:23:17 -08:00
pasqualet ea833a4cd7 Fix apiServerCertSANs in kubeadm config file (#3839) 2018-12-07 00:11:08 -08:00
Andreas Krüger d5ce5874e8 Streamline path to certs dir (#3836)
* Streamline path to certs dir

* More fixes

* Set path to etcd certs in kubernetes defaults instead
2018-12-06 23:11:53 -08:00
Rong Zhang 225f765b56 Upgrade kubernetes to v1.13.0 (#3810)
* Upgrade kubernetes to v1.13.0

* Remove all presence of scheduler.alpha.kubernetes.io/critical-pod in templates

* Fix cert dir

* Use kubespray v2.8 as baseline for gitlab
2018-12-06 12:11:48 -08:00
Andreas Krüger ddffdb63bf Remove non-kubeadm deployment (#3811)
* Remove non-kubeadm deployment

* More cleanup

* More cleanup

* More cleanup

* More cleanup

* Fix gitlab

* Try stop gce first before absent to make the delete process work

* More cleanup

* Fix bug with checking if kubeadm has already run

* Fix bug with checking if kubeadm has already run

* More fixes

* Fix test

* fix

* Fix gitlab checkout until kubespray 2.8 is on quay

* Fixed

* Add upgrade path from non-kubeadm to kubeadm. Revert ssl path

* Readd secret checking

* Do gitlab checks from v2.7.0 test upgrade path to 2.8.0

* fix typo

* Fix CI jobs to kubeadm again. Fix broken hyperkube path

* Fix gitlab

* Fix rotate tokens

* More fixes

* More fixes

* Fix tokens
2018-12-06 02:33:38 -08:00
Andreas Krüger 432f8e9841 Fix basic auth tokens for kubeadm deployment. (#3801)
* Fix basic auth tokens for kubeadm deployment.

* Tokens should be a dependency on master, not nodes
2018-12-03 10:44:29 -08:00
karbyshevds b109f52dab Set configure-cloud-routes=false as default if no network plugin is used (#3788)
* Set configure-cloud-routes=false as default if no network plugin is used

As configure-cloud-routes default value is `true`, so it needs to be set to `false` when not required to avoid error messages like:
"Couldn't reconcile node routes: error listing routes: unable to find route table for AWS cluster" 
on, for example, AWS installations that don't use cloud native routing.

* Update kube-controller-manager.manifest.j2

remove extra spaces
2018-12-03 05:04:03 -08:00
Chad Swenson 487cfa5e6c Add options for configuring control plane component extra volumes (#3779)
This takes care of a few arbitrary use cases that may require custom mounts
inside of apiserver, controller manager, or scheduler.
2018-11-28 23:16:55 -08:00
Chad Swenson b59d5c35bc Fix kubeadm_controller_extra_args (#3778) 2018-11-27 19:30:43 -08:00
Michal Belica 8331f7b056 Add support for setting custom node taints (#3774)
Introduced variable node_taints which can be set in inventory for
specific hosts or in group_vars, which generates --register-with-taints
command line argument for kubelet.
2018-11-27 15:56:49 -08:00
Rong Zhang ddc19f43ba Add cloud provider config to kubeadm deployments (#3766) 2018-11-27 05:03:03 -08:00
Egor 9a5438ce2f Fix kubeadm-config: add kube_network_node_prefix (#3761) 2018-11-27 00:12:16 -08:00
Aivars Sterns b07e93e08b
Merge pull request #3754 from MiaoZhou/fix-aws-node-label-error
Fix AWS Node Labels Error
2018-11-27 09:09:54 +02:00
Andreas Krüger bad886ca9b Update defaults to match k8s 1.12 suggestions (#3760)
* Update defaults to match k8s 1.12 suggestions

* Test if Netchecker works with node ip instead of localhost

* Update defaults to ipvs and coredns

* Update defaults for kube_apiserver_insecure_port

* Update main.yaml
2018-11-26 15:36:39 -08:00
Miao Zhou 885c6cff71 Fix AWS Node Labels Error
Now the `kubespray-aws-inventory.py` script always sets a node_labels key
to ansible_host.

When AWS instance did not set property labels, it would be an empty
string.

The TASK `Write kubelet config file (kubeadm or non-kubeadm)` will
fail with a msg:

`AnsibleUndefinedVariable: 'unicode object' has no attribute 'items'`.
2018-11-23 17:37:41 +08:00
Rong Zhang 0cfcd39d55 Switch to kubeadm deployment mode (#3461)
* Switch to kubeadm deployment mode

Discuss:https://github.com/kubernetes-incubator/kubespray/issues/3301

* Add non-kubeadm upgrade to kubeadm cluster
2018-11-21 01:35:40 -08:00
Matthew Mosesohn daa290100c Fix helper script to refer to admin.conf as relative path (#3738) 2018-11-19 18:28:51 -08:00
Matthew Mosesohn ac00d23b80 Skip etcd upgrade steps in kubeadm because it is not used (#3737) 2018-11-19 06:29:58 -08:00
Danny Kulchinsky 9ae2eefb9a Add resource-container flag to kube-proxy manifest (#3519)
* Add resource-container flag to kube-proxy manifest

* add resourceContainer: "" to kubeadm kube-proxy configs
2018-11-19 00:39:29 -08:00
Andreas Krüger 6e01c1e377 Fix missing run_once (#3733) 2018-11-18 21:39:29 -08:00
Matthew Mosesohn ff09141a14 Retry kubeadm proxy and secondary master init tasks (#3715)
Due to suboptimal external loadbalancer configs, the LoadBalancer
might point to a downed kube-apiserver that is not set up yet.
2018-11-15 10:03:23 -08:00
Arslanbekov Denis d188876a91 Added feature-gates flags in kubelet.env (for kubeadm) (#3713) 2018-11-15 10:01:53 -08:00
Andreas Krüger 931c76e58f Add DNS entries to node certs (#3710) 2018-11-14 13:58:17 -08:00
Erwan Miran 3fafa583d1 hostnameOverride on a per-node basis (#3708) 2018-11-14 09:37:53 -08:00
Dann 98d766c68e Moves apiserver port to bindPort when using controlPlaneEndpoint (#3449) 2018-11-14 00:23:30 -08:00
Arnaud MAZIN 633bfa7ebc Bring static tokens and user back to 1.12 (#3593) 2018-11-13 10:25:59 -08:00
Andreas Krüger afc3f7dce4 Create certificates for each node too (#3698) 2018-11-13 07:10:59 -08:00
Ryler Hockenbury e8901a2422 Apply linux node selector to coreDNS deployment (#3688)
* Apply linux node selector to coreDNS deployment

* Remove comment before linux node selector on manifests

* mend
2018-11-13 04:54:15 -08:00
Miao Zhou fefa1670a6 fix calico_version wrong get (#3694)
the ':' makes wrong return of calico_version after the calicoctl downloaded && before the cluster is up
2018-11-12 07:35:21 -08:00
Antoine Legrand 3dcb914607 Remove Vault (#3684)
* Remove Vault

* Remove reference to 'kargo' in the doc

* change check order
2018-11-10 08:51:24 -08:00
Bily Zhang b2b421840c Fix some typos (#3690)
Signed-off-by: mooncake <xcoder@tenxcloud.com>
2018-11-10 15:53:58 +01:00
RuriRyan c2710899ed Fixes network restart for Ubuntu Bionic Beaver (#3600)
As Ubuntu Bionic Beaver uses systemd-networkd the step fails
if it tries to restart networking, as it is nonexistent.
2018-11-09 08:13:57 -08:00
Erwan Miran a6932b6b81 Install ipvsadm when kube_proxy_mode is ipvs (#3548) 2018-11-07 14:04:11 -08:00
Erwan Miran 77d705ca9f cluster_name is to be set in initConfiguration too (#3661) 2018-11-07 12:41:11 -08:00
Erwan Miran 1e22c83f0f kube_override_hostname must be in kubernetes/master role defaults (#3647) 2018-11-07 12:38:19 -08:00
Erwan Miran 1ad1e80ae3 Checking new CA key presence is not relevant to determine if kubeadm has already run (#3653) 2018-11-07 11:46:11 -08:00
Matthew Mosesohn 2ba4e9bda5 Skip most of kubernetes/preinstall role during late DNS config (#3627)
When using resolvconf_mode host_resolvconf, there is an early DNS
config stage where Kubernetes cluster DNS is not injected for host
DNS initially. Later, the cluster DNS is enabled, but we do not
need to run every task from the kubernetes/preinstall role.
2018-11-01 08:08:50 -07:00
Louis a84508d6b9 remove deprecated parameters of blockinfile module (#3581) 2018-10-30 05:56:58 -07:00
Louis 93104d9224 fix typo 2018-10-24 11:39:15 +08:00
Matthew Mosesohn 7e84de2ae1 Purge /root/.kube/config when migrating to kubeadm (#3566) 2018-10-23 05:09:11 -07:00
Maxim Makarov 8a17de327e Not necessary run on Nginx proxy all cpu cores (#3559) 2018-10-20 13:56:53 -07:00
Matthew Mosesohn 127969d65f Align node-role value for kubeadm compatibility (#3558)
kubeadm sets node label node-role.kubernetes.io/master=''
and this is not configurable. We should use it everywhere.
2018-10-20 07:12:54 -07:00
Matthew Mosesohn 4bdd0ce417 Allow kubeadm master untaint to fail (#3549) 2018-10-19 00:38:12 -07:00
Erwan Miran 87193fd270 Fix ansible syntax to avoid ansible warnings (one more) (#3536)
* warning on meta flush_handlers

* avoid rm

* avoid "Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually" warning on subsequent tasks using blockinfile

* is match
2018-10-17 12:27:11 -07:00
Erwan Miran 7bec169d58 Fix ansible syntax to avoid ansible deprecation warnings (#3512)
* failed

* version_compare

* succeeded

* skipped

* success

* version_compare becomes version since ansible 2.5

* ansible minimal version updated in doc and spec

* last version_compare
2018-10-16 15:33:30 -07:00
Rong Zhang 76fe84fe93 Use imageRepository instead of the unifiedControlPlaneImage (#3484) 2018-10-16 07:26:04 -07:00
刘旭 cf4dd645a7 fix --etcd-servers-overrides invalid (#3470) 2018-10-16 07:25:03 -07:00
JuanJo Ciarlante a5edd0d709 [jjo] add kube-router support (#3339)
* [jjo] add kube-router support

Fixes cloudnativelabs/kube-router#147.

* add kube-router as another network_plugin choice
* support most used kube-router flags via
  `kube_router_foo` vars as other plugins
* implement replacing kube-proxy (--run-service-proxy=true) via
  `kube_proxy_mode: none`, verified in a _non kubeadm_enabled_
  install, should also work for recent kubeadm releases via
  `skipKubeProxyInstall: true` config

* [jjo] address PR#3339 review from @woopstar

* add busybox image used by kube-router to downloads

* fix busybox download groups key

* rework kubeadm_enabled + kube_router_run_service_proxy

- verify it working ok w/the kubeadm_enabled and
  kube_router_run_service_proxy true or false

- introduce `kube_proxy_remove` fact, to decouple logic
  from kube_proxy_mode (which affects kubeadm configmap
  settings, thus no-good to ab-use it to 'none')

* improve kube-router.md re: kubeadm_enabled and kube_router_run_service_proxy

* address @woopstar latest review

* add inventory/sample/group_vars/k8s-cluster/k8s-net-kube-router.yml

* fix kube_router_run_service_proxy conditional for kube-proxy removal

* fix kube_proxy_remove fact (w/ |bool), add some needed kube-proxy tags on my and existing changes

* update kube-router tolerations for 1.12 compatibility

* add PriorityClass to kube-router DaemonSet
2018-10-16 07:15:05 -07:00
anarcat c33e08c3fa show FQDN first in /etc/hosts (closes: #3521) (#3522)
The hosts(5) manpage clearly states that the first entry is the
"canonical name", or FQDN (Fully-Qualified Domain Name):

    IP_address canonical_hostname [aliases...]

By using the alias as a first entry, `hostname -f` does not return the
correct domain which breaks all sorts of unrelated functionality (it
has impact over email server configuration, for example).
2018-10-16 03:55:55 -07:00
Erwan Miran fcd8d850dc Fix ansible syntax to avoid ansible warnings (again) (#3509)
* Fix ansible syntax to avoid ansible warnings (again)

* warn: false on tar -cfz

* wrong placement of warn:false
2018-10-15 23:47:04 -07:00
JuanJo Ciarlante 4077934519 [jjo] add DIND support to contrib/ (#3468)
* [jjo] add DIND support to contrib/

- add contrib/dind with ansible playbook to
  create "node" containers, and setup them to mimic
  host nodes as much as possible (using Ubuntu images),
  see contrib/dind/README.md

- nodes' /etc/hosts editing via `blockinfile` and
  `lineinfile` need `unsafe_writes: yes` because /etc/hosts
  are mounted by docker, and thus can't be handled atomically
  (modify copy + rename)

* dind-host role: set node container hostname on creation

* add "Resulting deployment" section with some CLI outputs

* typo

* selectable node_distro: debian, ubuntu

* some fixes for node_distro: ubuntu

* cpu optimization: add early `pkill -STOP agetty`

* typo

* add centos dind support ;)

* add kubespray-dind.yaml, support fedora

- add kubespray-dind.yaml (former custom.yaml at README.md)
- rework README.md as per above
- use some YAML power to share distros' commonality
- add fedora support

* create unique /etc/machine-id and other updates

- create unique /etc/machine-id in each docker node,
  used as seed for e.g. weave mac addresses

- with above, now netchecker 100% passes WoHooOO!
  🎉 🎉 🎉

- updated README.md output from (1.12.1, verified
  netcheck)

* minor typos

* fix centos node creation, needs earlier udevadm removal to avoid flaky facts, also verified netcheck Ok \o/

* add Q&D test-distros.sh, back to manual /etc/machine-id hack

* run-test-distros.sh cosmetics and minor fixes

* run-test-distros.sh: $rc fix and minor formatting changes

* run-test-distros.sh output cosmetics
2018-10-15 09:44:02 +02:00
Loic Gouarin 36322901a6 fix kube-controller-manager config with openstack-cacert (#3435) 2018-10-12 06:39:58 -07:00
Johann Queuniet 1911fe5ca8 fix nginx proxy configuration conflicts (#3489)
* Allow configuration of nginx proxy config path

* Fix the internal nginx configuration location

Signed-off-by: Johann Queuniet <contact@lordran.net>
2018-10-11 06:33:18 -07:00
Andreas Krüger 2117e8167d Update pre-install verify settings with network checks and etc. (#3504)
* Update pre-install verify settings with network checks and etc.

* Remove upstream dns server check. It's bogus
2018-10-11 06:28:21 -07:00
Erwan Miran dd5327ef9e Fix ansible syntax to avoid ansible warnings (#3499) 2018-10-11 00:45:00 -07:00
Erwan Miran 2ab2f3a0a3 Ability to define SSL certificates duration and SSL key size (#3482)
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets

* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
2018-10-09 04:43:30 -07:00
okamototk c825f4d180 Untaint master when it has node role (#3466) 2018-10-09 01:40:43 -07:00
Dylan 30132d8c35 Removed hostname truncation. (#3409) 2018-10-08 05:14:01 -07:00
Chad Swenson 6602760a48 Support multiple local volume provisioner StorageClasses (#3450)
- Local Volume StorageClass configuration is now managed by `local_volume_provisioner_storage_classes`, a list of maps that specifies local storage classes with `name` `host_dir` and `mount_dir` keys per entry
- Tasks and templates updated to loop through local volume storage classes
- Previous defaults for path/class names were not changed
- Fixed an issue where a `kubernetes/preinstall` was creating directories inconsistently with the `kubernetes-apps/external_provisioner/local_volume_provisioner` task
2018-10-05 05:52:25 -07:00
Rong Zhang af97febb04 Upgrade kubernetes to v1.12.0 (#3410)
* Upgrade kubernetes to v1.12.0

Use kubeadm v1alpha3 config

* Upgrade coredns and etcd

* Upgrade docker to 18.06
2018-10-04 02:05:55 -07:00
LiuDui 192f7967c9 Remove excess space (#3421) 2018-10-01 00:09:45 -07:00
rboyapat d9f495d391 Fix the dic iteration method in the kubelet template (#3415)
* Fix the jinja expression for openstack_tenant_id

OS_PROJECT_ID is obsolete in keystone v3 and jinja expression
doesn't set openstack_tenant_id as expected because of
undefined env var. Fixed the expression.

* Fix the dic iteration method in the kubelet template

Kubelet template rendering errors when additional Node labels are
added and using Python3. Update the method to be compatible to both
python2/3

Node labels don't work
2018-09-30 05:10:12 -07:00
sangwook 0536125f75 Better fix for openstack cinder zone issue using ignore-volume-az option (#2980)
* Better fix for openstack cinder zone issue[1][2]
using ignore-volume-az option[3].
[1]: https://github.com/kubernetes-incubator/kubespray/pull/2155
[2]: https://github.com/kubernetes-incubator/kubespray/pull/2346
[3]: https://github.com/kubernetes/kubernetes/pull/53523

* Remove kube-scheduler-policy.yaml
2018-09-27 22:15:47 -07:00
Shida Qiu 8b8e534769 remove the redundant space (#3400) 2018-09-27 03:32:26 -07:00
Kuldip Madnani 36898a2c39 Adding pod priority for all the components. (#3361)
* Changes to assign pod priority to kube components.

* Removed the boolean flag pod_priority_assignment

* Created new priorityclass k8s-cluster-critical

* Created new priorityclass k8s-cluster-critical

* Fixed the trailing spaces

* Fixed the trailing spaces

* Added kube version check while creating Priority Class k8s-cluster-critical

* Moved k8s-cluster-critical.yml

* Moved k8s-cluster-critical.yml to kube_config_dir
2018-09-25 07:50:22 -07:00
Andreas Krüger d6ebe8c3e7 Sync manifests with kubeadm (#3383) 2018-09-24 02:17:18 -07:00
Sergey Magidovich 2197330727 Add check that kube-master, kube-node and etcd groups are not empty. 2018-09-21 17:02:53 +03:00
k8s-ci-robot 51a5f54fc4
Merge pull request #3335 from AtzeDeVries/fix/ubuntu-xenial-resolv-conf
Fix/ubuntu xenial resolv conf
2018-09-20 23:16:11 -07:00
Rajitha Perera e3d562bcdb Support for AWS cloud-config (#1465)
* Support for AWS cloud-config

* Update docs

* Fix version incompatibilities

* Do not use shorthand `default`

* Add new cloud config variable, roleArn
2018-09-20 16:31:28 +02:00
rongzhang 4d1055f5d5 Remove some useless files 2018-09-20 20:24:06 +08:00
Andreas Kruger 09b67c1ad5 Remove EFK from Kubespray 2018-09-20 10:44:17 +02:00
k8s-ci-robot 8512cc5cca
Merge pull request #3280 from wozniakjan/openstack/openstack_cacert
Check `openstack_cacert` for empty string
2018-09-19 22:42:37 -07:00
k8s-ci-robot 34d1f0bff2
Merge pull request #3351 from woopstar/kubeadm_token_basic_auth_fix
Mount basic auth or token auth dirs to support it on kubeadm deployments
2018-09-19 07:50:43 -07:00
Jan Wozniak a330b281e8 Check `openstack_cacert` for empty string 2018-09-19 16:37:24 +02:00
k8s-ci-robot a8a62afd74
Merge pull request #3304 from kubernetes-incubator/gpu2
Add support for GPU accelerator
2018-09-19 07:12:32 -07:00
k8s-ci-robot 7fa682bdd5
Merge pull request #3342 from okamototk/fix_path_for_kubeadm_join
Add kubelet path for kubeadm.
2018-09-19 06:17:47 -07:00
Aivars Sterns 34019291b8
Merge pull request #3143 from jbcraig/add_os_trust_id
add support for openstack trust to cloud provider config
2018-09-19 16:07:03 +03:00
Antoine Legrand 08179018d4
Merge branch 'master' into gpu2 2018-09-19 15:02:51 +02:00
k8s-ci-robot 39c567de47
Merge pull request #3307 from kaarolch/upgrade_docs
Calico version verification before cluster upgrade begin.
2018-09-19 05:15:55 -07:00
Andreas Kruger cac485756b Mount basic auth or token auth dirs to support it on kubeadm deployments 2018-09-19 13:21:58 +02:00
Andreas Kruger c058e7a5ec Remove audit again from Kubeadm 1.10.x. Write mounts not supported until 1.11 2018-09-19 13:15:14 +02:00
Andreas Kruger e0ddabc463 Add support for kubelet_node_custom_flags 2018-09-19 12:58:06 +02:00
Andreas Kruger 940d2fdbb1 Add missing enforce-node-allocatable to kubelet for kubeadm deployments 2018-09-19 11:54:34 +02:00
Andreas Kruger 1c999b2a61 Move kube_kubeadm_controller_extra_args to controllerManagerExtraArgs section. It was placed in controllerManagerExtraVolumes 2018-09-19 11:24:19 +02:00
Andreas Kruger 8e37841a2e Add audit support to v1alpha1 of Kubeadm 2018-09-19 11:01:30 +02:00
Andreas Kruger 8d1c0c469c Added missing enable-aggregator-routing option 2018-09-19 10:58:46 +02:00
Andreas Kruger 26d7380c2e Sync manifests from non-kubeadm to kubeadm deploy 2018-09-19 10:01:45 +02:00
Takashi Okamoto 95703fb6f2 Add kubelet path for kubeadm. 2018-09-19 03:04:03 +00:00
Karol Chrapek 0121bce9e5 Instead of doc update, change the verify step 2018-09-18 22:13:15 +02:00
AtzeDeVries 4cbd97667d Merge remote-tracking branch 'upstream/master' into fix/ubuntu-xenial-resolv-conf 2018-09-18 09:51:46 +02:00
rongzhang 77e08ba204 Support dynamic kubelet config
https://kubernetes.io/blog/2018/07/11/dynamic-kubelet-configuration/
2018-09-18 08:44:39 +08:00
AtzeDeVries 482857611a added extra var for ubuntu 18 netplan resolv 2018-09-17 09:01:55 +02:00
AtzeDeVries 8d8bbc294a fix for resolvconf in ubuntu18 2018-09-17 09:00:55 +02:00
rongzhang 84c4c7dc82 Use synchronize module 2018-09-16 20:36:44 +08:00
rongzhang 1d4aa7abcc Fix upgrade k8s 2018-09-16 10:35:12 +08:00
Rong Zhang aa0da221e9
Merge pull request #2880 from hfinucane/rh7-paths
Fix #2261 by supporting Red Hat's limited PATH
2018-09-15 19:27:22 +08:00
k8s-ci-robot ffbe9e7fd8
Merge pull request #1973 from guenhter/rsync-cmd-to-synchronize
Replace the raw rsync command with the synchronize module
2018-09-13 03:12:05 -07:00
AtzeDeVries 91b02c057e Add support for GPU accelerator 2018-09-13 11:53:11 +02:00
Erwan Miran af74d85b7d Remove --insecure-bind-address when insecure-port=0 2018-09-12 08:22:11 +02:00
Chad Swenson 97e5f28537
Revert "Remove insecure-port and insecure-bind-address when possible" 2018-09-11 17:42:12 -05:00
k8s-ci-robot 5c2e9a5376
Merge pull request #3252 from mirwan/remove_insecure-bind-address_when_insecure-bind-port_is_0
Remove insecure-port and insecure-bind-address when possible
2018-09-07 07:41:21 -07:00
k8s-ci-robot b3a689658b
Merge pull request #3255 from mlushpenko/calico_check
Fix calico health checks
2018-09-07 07:39:20 -07:00
k8s-ci-robot 9c49e071d3
Merge pull request #3260 from riverzhang/discoverytimeout
Add discovery_timeout to join configuration
2018-09-07 05:20:19 -07:00
rongzhang 0f63924ed4 Add discovery_timeout to join configuration
https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha2#JoinConfiguration
2018-09-07 16:28:53 +08:00
mlushpenko ea2c9d8f57 Fix yaml checks 2018-09-06 16:26:57 +02:00
k8s-ci-robot 27905bbddf
Merge pull request #3250 from mattymo/openstack_cacert
Fix openstack cacert task
2018-09-06 06:15:59 -07:00
Erwan Miran a5509fc2ce Remove insecure-port and insecure-bind-address when possible 2018-09-06 13:46:09 +02:00
Matthew Mosesohn b614a3504b Fix openstack cacert task 2018-09-06 14:06:06 +03:00
Matthew Mosesohn 991b3dbe54 put back endif in kubelet rkt template 2018-09-06 13:21:22 +03:00
Matthew Mosesohn faedfb6307 remove broken endifs in kubelet rkt mode 2018-09-06 11:59:25 +03:00