Commit Graph

1472 Commits (637604d08f7ab64993c89f37a434c745b4b80d57)

Author SHA1 Message Date
unclejack e5d353d0a7 contiv network support (#1914)
* Add Contiv support

Contiv is a network plugin for Kubernetes and Docker. It supports
vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
multiple networks and bridging pods onto physical networks.

* Update contiv version to 1.1.4

Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.

* Load openvswitch module to workaround on CentOS7.4

* Set contiv cni version to 0.1.0

Correct contiv CNI version to 0.1.0.

* Use kube_apiserver_endpoint for K8S_API_SERVER

Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
to a available endpoint no matter if there's a loadbalancer or not.

* Make contiv use its own etcd

Before this commit, contiv is using a etcd proxy mode to k8s etcd,
this work fine when the etcd hosts are co-located with contiv etcd
proxy, however the k8s peering certs are only in etcd group, as a
result the etcd-proxy is not able to peering with the k8s etcd on
etcd group, plus the netplugin is always trying to find the etcd
endpoint on localhost, this will cause problem for all netplugins
not runnign on etcd group nodes.
This commit make contiv uses its own etcd, separate from k8s one.
on kube-master nodes (where net-master runs), it will run as leader
mode and on all rest nodes it will run as proxy mode.

* Use cp instead of rsync to copy cni binaries

Since rsync has been removed from hyperkube, this commit changes it
to use cp instead.

* Make contiv-etcd able to run on master nodes

* Add rbac_enabled flag for contiv pods

* Add contiv into CNI network plugin lists

* migrate contiv test to tests/files

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

* Add required rules for contiv netplugin

* Better handling json return of fwdMode

* Make contiv etcd port configurable

* Use default var instead of templating

* roles/download/defaults/main.yml: use contiv 1.1.7

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2017-11-29 14:24:16 +00:00
Di Xu de422c822d update nginx tag to use multi-arch docker image (#2009) 2017-11-29 10:39:52 +00:00
Matthew Mosesohn 4d3326b542
Raise default vault lease TTL to 10y (#2008) 2017-11-29 10:38:59 +00:00
riverzhang 1b82138142 Delete helm home
Delete helm home
2017-11-29 13:27:09 +08:00
Christopher Randles 208ff8e350 Allow for more customization of the tiller deploy (#1946) 2017-11-28 18:33:57 +00:00
Matthew Mosesohn ec54b36e05
add retries for calico/canal etcd commands (#2007) 2017-11-28 16:39:55 +00:00
Spencer Smith 38e8522cbf
Merge pull request #1983 from tomdee/bump-flannel-ver
Bump flannel version to v0.9.1
2017-11-28 11:38:55 -05:00
Spencer Smith 52f8687397
Merge pull request #1977 from mattymo/initializers
Disable initializers feature gate if istio is not used
2017-11-28 11:37:41 -05:00
Spencer Smith 43600ffcf8
Merge pull request #1972 from chadswen/master-static-pod-flush
Additional flush for static pod master upgrade
2017-11-28 11:36:38 -05:00
Christopher Randles 938d2d9e6e update helm/tiller to v2.7.2 -- security bugfix (#1986) 2017-11-28 14:52:42 +00:00
Kevin Lefevre 9368dbe0e7 update calico to 2.6.2 (#1874)
Move RS to deployment so no need to take care of the revision history
limits :
  - Delete the old RS
  - Make Calico manifest a deployment
  - move deployments to apps/v1beta2 API since Kubernetes 1.8
2017-11-28 12:01:30 +00:00
abelgana fe3290601a
The variable altnames is used by this task.
Since the value will change on the default. It needs to change here also.
2017-11-27 06:57:16 -05:00
abelgana e7173e1d62
Change altnames to alt_names
Hi,

Could you please check if it was a typo?

https://www.vaultproject.io/api/secret/pki/

Regards,
2017-11-25 17:29:21 -05:00
Bogdan Dobrelya 8aafe64397
Defaults for apiserver_loadbalancer_domain_name (#1993)
* Defaults for apiserver_loadbalancer_domain_name

When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.

Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Define defaults for LB modes in common defaults

Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-11-23 16:15:48 +00:00
Bob Killen 2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
brx b80ded63ca
Update main.yml
just a small spelling mistake
2017-11-21 22:37:52 +01:00
Tom Denham 15b9d54a32
Bump flannel version to v0.9.1 2017-11-16 12:52:18 -07:00
Spencer Smith bc1a4e12ad fix broken variable in ansible 2.4.1.0 and ensure tasks for calico-rr (#1982) 2017-11-16 18:44:15 +00:00
Matthew Mosesohn 67419e8d0a
Run rotate_tokens role only once (#1970) 2017-11-15 18:50:23 +00:00
Chad Swenson 849aaf7435 Update to k8s 1.8.3 (#1971) 2017-11-15 17:43:22 +00:00
Chad Swenson a89ee8c406 Add ability to use custom cert secret instead of init container provisioned self-signed certs 2017-11-15 10:05:52 -06:00
Chad Swenson 0c6f172e75 Kubernetes Dashboard v1.7.1 Refactor
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
2017-11-15 10:05:48 -06:00
Matthew Mosesohn a67349b076 Disable initializers feature gate if istio is not used 2017-11-15 12:56:36 +00:00
Matthew Mosesohn f9b68a5d17
Revert "Support for disabling apiserver insecure port" (#1974) 2017-11-14 13:41:28 +00:00
chenhonggc c7910b51a1 --peers DEPRECATED - --endpoints should be used instead (#1943) 2017-11-14 11:28:35 +00:00
Chad Swenson 1f99710b21 Additional flush for static pod master upgrade
Thought this wasn't required at first but I forgot there's no auto flush at the end of these tasks since the `kubernetes/master` role is not the end of the play.
2017-11-13 18:11:57 -06:00
Aivars Sterns 5e558c361b update weave-net to 2.0.5 version (#1877) 2017-11-13 16:11:47 +00:00
neith00 5f39efcdfd adding mount for kubelet to enable rbd mounts (#1957)
* adding mount for kubelet to enable rbd mounts

* fix conditionnal variable name
2017-11-13 14:04:13 +00:00
Stanislav Makar 037edf1215 Fix failed task of setting up bash completion for helm (#1968)
Closes: #1967
2017-11-13 10:15:53 +00:00
Hyunsun Moon 37125866ca Make calico_node_ignorelooserpf have an effect (#1945) 2017-11-13 09:35:13 +00:00
Günther Grill 421e73b87c Add missing exclamation mark in shebang line (#1966) 2017-11-13 09:34:21 +00:00
Brad Beam c115e5677e
Merge pull request #1828 from hzamani/patch-1
Use etcd_access_addresses for vault_etcd_url
2017-11-10 10:56:37 -05:00
Spencer Smith 09d85631dc
Merge pull request #1944 from chadswen/reload-master-pods
Master component and kubelet container upgrade fixes
2017-11-08 22:23:12 -05:00
Brad Beam f25e4dc3ed
Merge pull request #1937 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port
2017-11-08 18:13:49 -05:00
Spencer Smith 0126168472 provide environment for rkt trust and run with etcd 2017-11-08 12:57:22 -05:00
Chad Swenson e9f795c5ce Master component and kubelet container upgrade fixes
* Fixes an issue where apiserver and friends (controller manager, scheduler) were prevented from restarting after manifests/secrets are changed. This occurred when a replaced kubelet doesn't reconcile new master manifests, which caused old master component versions to linger during deployment. In my case this was causing upgrades from k8s 1.6/1.7 -> k8s 1.8 to fail
* Improves transitions from kubelet container to host kubelet by preventing issues where kubelet container reappeared during the deployment
2017-11-08 01:40:33 -06:00
Chad Swenson 0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
Günther Grill 0d55ed3600 Avoid that some read-only tasks cause an ansible-change (#1910) 2017-11-06 13:51:07 +00:00
Haiwei Liu ad0cd6939a Add support cAdvisor (#1908)
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
2017-11-06 13:50:28 +00:00
Stanislav Makar 33adb334cd Fix openstack tenant id variable name (#1932) 2017-11-05 08:40:41 +00:00
Spencer Smith ef87a8a1f0
Merge pull request #1916 from vtomasr5/master
Fix bad handler directory name in kubeadm role
2017-11-03 18:14:48 -04:00
Spencer Smith a595c84f7e
Merge pull request #1928 from chadswen/flannel-rbac-fix
Flannel RBAC Fix
2017-11-03 18:12:16 -04:00
Chad Swenson b158dbcf79 Docker Version Update
Update default docker version to 17.03.1
2017-11-03 12:34:45 -05:00
Matthew Mosesohn ab3832f3e7
Set host IP for kubelet always (#1924)
* Set host IP for kubelet always

Use ansible default IP if ip var is not set.

* Update main.yml
2017-11-03 10:19:37 +00:00
Kevin Lefevre 9bf415f749 update helm to v2.7.0 (#1875)
* update helm to v2.7.0

* Update main.yml
2017-11-03 07:15:00 +00:00
Günther Grill a2bda9e5f1 Eliminate jinja2 template expression warning and rename coreos-python var (#1911)
* Change deprecated vagrant ansible flag 'sudo' to 'become'

* Emphasize, that the name of the pip_pyton_modules is only considered in coreos

* Remove useless unused variable

* Fix warning when jinja2 template-delimiters used in when statement

There is no need for jinja2 template-delimiters like {{ }} or {% %}
any more. They can just be omitted as described in https://github.com/ansible/ansible/issues/22397

* Fix broken link in getting-started guide
2017-11-03 07:11:36 +00:00
Günther Grill 0195725563 Workaround ansible bug where access var via dict doesn't get real value (#1912)
* Change deprecated vagrant ansible flag 'sudo' to 'become'

* Workaround ansible bug where access var via dict doesn't get real value

When accessing a variable via it's name "{{ foo }}" its value is
retrieved. But when the variable value is retrieved via the vars-dict
"{{ vars['foo'] }}" this doesn't resolve the expression of the variable
any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't
longer resolved but just returned as string "1 == 1".

* Make file yamllint complient
2017-11-03 07:11:14 +00:00
Spencer Smith ec1170bd37 only mount volumes if local_volumes_enabled is true. fix mount flags in rkt. (#1923) 2017-11-03 07:10:37 +00:00
Matthew Mosesohn 66c67dbe73
Add optional helm deployment mode for host (#1920) 2017-11-03 07:09:24 +00:00
Chad Swenson 16ae2c1809 Flannel RBAC Fix
Fixes a bug that can occur if `cni-flannel-rbac.yml` was written but the playbook failed before it was applied. Uses the same approach as calico.
2017-11-02 23:20:23 -05:00
Spencer Smith 4771716ab2
Merge pull request #1907 from mattymo/disable_anon_auth
Block anonymous auth requests to kubelet
2017-11-02 12:01:39 -04:00
Spencer Smith b156585739
Merge pull request #1917 from chadswen/docker-daemon-graph
Fix kubelet container with alternate Docker data paths
2017-11-02 11:58:55 -04:00
Matthew Mosesohn 520103df78 Change namespace for provisioner account 2017-11-02 10:16:08 +00:00
Matthew Mosesohn 3e3787de15 Fix local volume provisioner mount point for rkt 2017-11-02 09:45:26 +00:00
Chad Swenson 0c824d5ef1 Fix kubelet container with alternate Docker data paths
Some time ago I think the hardcoded `/var/lib/docker` was required, but kubelet running in a container has been aware of the Docker path since at least as far back as k8s 1.6.

Without this change, you see a large number of errors in the kubelet logs if you installed with a non-default `docker_daemon_graph`
2017-11-01 13:25:15 -05:00
Matthew Mosesohn c0e989b17c
New addon: local_volume_provisioner (#1909) 2017-11-01 14:25:35 +00:00
Vicenç Juan Tomàs Montserrat 5218b3af82 Fix bad handler directory name in kubeadm role 2017-11-01 14:36:28 +01:00
Spencer Smith ef0a91da27
Merge pull request #1891 from rsmitty/proxy-fixes
Improved proxy support
2017-10-31 14:32:12 -04:00
Spencer Smith 8412181746
Merge pull request #1899 from skyscooby/update_kube182
Update to Kubernetes 1.8.2
2017-10-31 14:30:56 -04:00
Spencer Smith 400ee2aa57
Merge pull request #1898 from skyscooby/update_kubedns
Update kubedns to 1.14.7 release
2017-10-31 14:30:36 -04:00
Spencer Smith 05b8466f87
Merge pull request #1890 from chadswen/apt-repo-params
Parameterize dockerproject apt repo endpoints
2017-10-31 14:29:19 -04:00
Spencer Smith 19962f6b6a fix indentation for master template (#1906) 2017-10-31 06:43:54 +00:00
Matthew Mosesohn f7703dbca3 Block anonymous auth requests to kubelet 2017-10-30 19:06:54 +00:00
Spencer Smith 74a9eedb93 helm template check for http/https_proxy 2017-10-30 13:11:04 -04:00
Spencer Smith 6df104b275 don't check for no_proxy, only http/https_proxy. fix linting issues. 2017-10-30 11:42:14 -04:00
Spencer Smith b27453d8d8 improved proxy support 2017-10-30 11:42:14 -04:00
Spencer Smith 4470ee4ccf
Merge pull request #1887 from mattymo/fix_indent_apiserver
fix indentation for network policy option
2017-10-30 11:33:13 -04:00
Andrew Greenwood 8a86acf75d
Update kubespray-defaults kubernetes to v1.8.2 2017-10-30 09:34:32 -04:00
abelgana d738acf638 Update kubelet.kubeadm.env.j2 (#1901) 2017-10-30 11:33:02 +00:00
tanshanshan 84d92aa3c7 fix-bug (#1900) 2017-10-30 11:23:24 +00:00
Andrew Greenwood dd01cabcdc
Update to kubernetes 1.8.2 2017-10-29 22:13:06 -04:00
Andrew Greenwood c383c7e2c1
Update kubedns image to latest 2017-10-29 21:58:05 -04:00
Andrew Greenwood 958bb5285d
Update kubedns image to latest 2017-10-29 21:57:32 -04:00
Spencer Smith f0317ae70b
Merge pull request #1876 from ArchiFleKs/update_flannel
update flannel
2017-10-27 15:22:54 -04:00
Spencer Smith 591941bd39
Merge pull request #1884 from abelgana/master
Sysctl reload if needed after IP forward enabling
2017-10-27 15:12:08 -04:00
Spencer Smith e90769c869
Merge pull request #1888 from chapsuk/issue_1885
Disable swap in vagrant vms
2017-10-27 15:10:16 -04:00
Chad Swenson 256bbb1a8a Parameterize apt repo endpoints
This allows overriding of apt repo endpoints when internet sources are not accessible. Additionally, switch to using the dockerproject.org gpg key url for apt instead of keyservers.net
2017-10-27 13:48:11 -05:00
mkrasilnikov 2c7c956be9 Disable swap in vagrant vms 2017-10-27 19:57:54 +03:00
Matthew Mosesohn fe81bba08d Force kubelet certificates to be generated as lowercase (#1886)
All nodes get converted to lowercase, so certs should set
CN with lowercase as well.
2017-10-27 15:58:25 +01:00
Matthew Mosesohn 564de07963 fix indentation for network policy option 2017-10-27 14:56:22 +01:00
Aivars Sterns 84cf6fbe83 change ssh_args/bastion configuration (#1883) 2017-10-27 12:18:39 +01:00
abelgana d9160f19c0 Sysctl reload if needed after IP forward enabling
Add reload yes to reload sysctl if the value of net.ipv4.ip_forward changes.

- name: Enable ip forwarding
  sysctl:
    sysctl_file: "{{sysctl_file_path}}"
    name: net.ipv4.ip_forward
    value: 1
    state: present
    reload: yes
  tags:
    - bootstrap-os
2017-10-26 13:06:21 -04:00
Brad Beam ba0a03a8ba Merge pull request #1880 from mattymo/node_auth_fixes2
Move cluster roles and system namespace to new role
2017-10-26 10:02:24 -05:00
Matthew Mosesohn b0f04d925a Update network policy setting for Kubernetes 1.8 (#1879)
It is now enabled by default in 1.8 with the api changed
to networking.k8s.io/v1 instead of extensions/v1beta1.
2017-10-26 15:35:26 +01:00
Matthew Mosesohn ec53b8b66a Move cluster roles and system namespace to new role
This should be done after kubeconfig is set for admin and
before network plugins are up.
2017-10-26 14:36:05 +01:00
ArchiFleKs 6e949bf951 update flannel 2017-10-26 11:18:06 +02:00
Matthew Mosesohn 86fb669fd3 Idempotency fixes (#1838) 2017-10-25 21:19:40 +01:00
Matthew Mosesohn 7123956ecd update checksum for kubeadm (#1869) 2017-10-25 21:15:16 +01:00
Spencer Smith 46cf6b77cf Merge pull request #1857 from pmontanari/patch-1
Use same kubedns_version: 1.14.5 in downloads  and kubernetes-apps/ansible roles
2017-10-25 10:05:43 -04:00
Matthew Mosesohn a52bc44f5a Fix broken CI jobs (#1854)
* Fix broken CI jobs

Adjust image and image_family scenarios for debian.
Checkout CI file for upgrades

* add debugging to file download

* Fix download for alternate playbooks

* Update ansible ssh args to force ssh user

* Update sync_container.yml
2017-10-25 11:45:54 +01:00
Matthew Mosesohn acb63a57fa Only limit etcd memory on small hosts (#1860)
Also disable oom killer on etcd
2017-10-25 10:25:15 +01:00
Flavio Percoco Premoli 5b08277ce4 Access dict item's value keys using .value (#1865) 2017-10-24 20:49:36 +01:00
Chiang Fong Lee 5dc56df64e Fix ordering of kube-apiserver admission control plug-ins (#1841) 2017-10-24 17:28:07 +01:00
Matthew Mosesohn 33c4d64b62 Make ClusterRoleBinding to admit all nodes with right cert (#1861)
This is to work around #1856 which can occur when kubelet
hostname and resolvable hostname (or cloud instance name)
do not match.
2017-10-24 17:05:58 +01:00
Matthew Mosesohn 25de6825df Update Kubernetes to v1.8.1 (#1858) 2017-10-24 17:05:45 +01:00
Peter Lee 0b60201a1e fix etcd health check bug (#1480) 2017-10-24 16:10:56 +01:00
Haiwei Liu cfea99c4ee Fix scale.yml to supoort kubeadm (#1863)
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
2017-10-24 16:08:48 +01:00
Matthew Mosesohn cea41a544e Use include instead of import tasks to support v2.3 (#1855)
Eventually 2.3 support will be dropped, so this is
a temporary change.
2017-10-23 13:56:03 +01:00
pmontanari 8371a060a0 Update main.yml
Match kubedns_version with roles/download/defaults/main.yml:kubedns_version: 1.14.5
2017-10-22 23:48:51 +02:00
Matthew Mosesohn 7ed140cea7 Update refs to kubernetes version to v1.8.0 (#1845) 2017-10-20 08:29:28 +01:00