Commit Graph

310 Commits (af5e05d08d4af6679d85f9b9b8e65d9c22c71f39)

Author SHA1 Message Date
Wong Hoi Sing Edison a086686e9f Support multiple artifacts under individual inventory directory 2018-03-08 11:57:53 +08:00
Wong Hoi Sing Edison 6402004018 FIXUP #2424: local_provisioner directory should be created only if enabled 2018-03-08 11:57:46 +08:00
Wong Hoi Sing Edison 3f96b2da7a Add Custom ConfigMap Support for ingress-nginx 2018-03-07 21:37:45 +08:00
Michael Beatty 07657aecf4 add support for azure vnetResourceGroup 2018-03-05 13:40:25 -06:00
Wong Hoi Sing Edison fd46442188 Integrate kubernetes/ingress-nginx 0.11.0 to Kubespray 2018-03-02 23:33:19 +08:00
Aivars Sterns 8b21034b31
Merge pull request #2344 from hswong3i/local_volume_provisioner_fixup
Upgrade Local Volume Provisioner Addon to v2.0.0
2018-03-01 13:12:44 +02:00
Andrew Greenwood a40d9f3c72 Document a silent killer... (#2373)
Adding this into the default example inventory so it has less of a chance of biting others after weeks of random failures (as etcd does not  express that it has run out of RAM it just stalls).. 512MB was not  enough for us to run one of our products.
2018-02-28 15:36:51 +03:00
Brad Beam 810c10a0e9
Merge pull request #2382 from chechiachang/replace-tab-with-space-and-remove-redundant-spaces
Remove redundant spaces
2018-02-27 10:39:57 -06:00
RongZhang b7e06085c7 Upgrade to Kubernetes v1.9.3 (#2323)
Upgrade to Kubernetes v1.9.3
2018-02-27 14:31:59 +03:00
David Chang 8875e25fe9 Replace tab with space. Remove redundant spaces 2018-02-27 14:34:58 +08:00
Wong Hoi Sing Edison d4c61d2628 Fixup for gce_centos7-flannel-addons 2018-02-21 13:41:25 +08:00
Wong Hoi Sing Edison deef47c923 Upgrade Local Volume Provisioner Addon to v2.0.0 2018-02-21 13:41:25 +08:00
melkosoft f13e76d022 Added cilium support (#2236)
* Added cilium support

* Fix typo in debian test config

* Remove empty lines

* Changed cilium version from <latest> to <v1.0.0-rc3>

* Add missing changes for cilium

* Add cilium to CI pipeline

* Fix wrong file name

* Check kernel version for cilium

* fixed ci error

* fixed cilium-ds.j2 template

* added waiting for cilium pods to run

* Fixed missing EOF

* Fixed trailing spaces

* Fixed trailing spaces

* Fixed trailing spaces

* Fixed too many blank lines

* Updated tolerations,annotations in cilium DS template

* Set cilium_version to iptables-1.9 to see if bug is fixed in CI

* Update cilium image tag to v1.0.0-rc4

* Update Cilium test case CI vars filenames

* Add optional prometheus flag, adjust initial readiness delay

* Update README.md with cilium info
2018-02-16 21:37:47 -06:00
Wong Hoi Sing Edison 07075add3d Add optional StorageClass name with cephfs_provisioner_storage_class 2018-02-10 20:31:34 +08:00
mlushpenko a37c642127 Remove obsolete token variables
Tokens are generated automatically during init process and on-demand for nodes joining process
2018-02-09 15:53:12 +01:00
Wong Hoi Sing Edison b25e0f82b1 Add cephfs_provisioner Support for Kubespray 2018-02-08 22:27:54 +08:00
Wong Hoi Sing Edison 1a1d154e14 Support multiple inventory files under individual inventory directory 2018-02-08 08:08:15 +08:00
Brad Beam 384e5dd4c4
Merge pull request #2160 from kongslund/disable-read-only-port
Make the Kubelet read-only port configurable and disable it by default
2018-02-07 13:06:32 -06:00
Antoine Legrand 712bdfc82f
Merge pull request #2260 from mirwan/local_volume_provisioner_fixes
local_volume_provisioner_enabled replacement
2018-02-07 13:42:00 +01:00
Antoine Legrand fe57c13b51
Merge pull request #2172 from leseb/etcd-auth
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
2018-02-07 11:25:56 +01:00
Erwan Miran d53f45d4e2 missing double quotes for ansible 2018-02-07 09:24:00 +01:00
Erwan Miran e69979d5a2 keep local_volumes_enabled as deprecated 2018-02-07 07:58:50 +01:00
Antoine Legrand 138e0c2301
Merge pull request #2250 from woopstar/weave-mtu-patch
Added option to set MTU on Weave
2018-02-06 12:13:54 +01:00
Antoine Legrand a3248379db
Merge branch 'master' into local_volume_provisioner 2018-02-06 09:28:27 +01:00
woopstar 3289472e31 Added option to set MTU on Weave 2018-02-05 10:23:48 +01:00
Wong Hoi Sing Edison 7954ea2525 Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray 2018-02-05 12:21:09 +08:00
Chad Swenson bd1f0bcfd7
Merge pull request #2201 from riverzhang/ipvs
Support ipvs mode for kube-proxy
2018-02-01 22:29:52 -06:00
Wong Hoi Sing Edison fd80013917 lint and cleanup local_volume_provisioner 2018-02-01 14:14:18 +08:00
Spencer Smith bd091caaf9
Merge pull request #2200 from riverzhang/hyperkube
Upgrade to Kubernetes v1.9.2
2018-01-31 16:08:22 -05:00
Spencer Smith b455a1bf76
Merge pull request #2212 from mattymo/missing_defaults
Add missing group var default values to kubespray-defaults
2018-01-31 16:07:53 -05:00
Aivars Sterns c1267004ef
Merge pull request #2130 from ArchiFleKs/simplify_os_provider
Simplify and update OpenStack cloud provider
2018-01-31 12:02:02 +02:00
Matthew Mosesohn 62dd3d2a9d Add missing group var default values to kubespray-defaults 2018-01-30 16:04:00 +03:00
Sébastien Han fa8a128e49 etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
Some installation are failing to authenticate with peers due to
etcd picking up/resoling the wrong node.

By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert
authentication.

Signed-off-by: Sébastien Han <seb@redhat.com>
2018-01-30 11:19:12 +01:00
rong.zhang b10c308a5a Support ipvs mode for kube-proxy
Support ipvs mode for kube-proxy
2018-01-30 13:09:01 +08:00
rong.zhang e22c70e431 Upgrade to Kubernetes v1.9.2 2018-01-30 13:04:38 +08:00
Matthew Mosesohn ac66e98ae9
Upgrade to Kubernetes v1.9.1 (#2152)
Raise drain timeout to 5m
2018-01-25 18:44:44 +03:00
Brad Beam 0c8bed21ee
Merge pull request #2019 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port (the sequel)
2018-01-24 19:58:53 -06:00
Brad Beam 98300e3165
Merge pull request #2155 from brutus333/fix/pvc
Fix for Issue #2141
2018-01-24 16:15:33 -06:00
Matthew Mosesohn bf1411060e Add optional manual dns_mode (#2178) 2018-01-23 14:28:42 +01:00
Virgil Chereches a4d142368b Renamed variable from disable_volume_zone_conflict to volume_cross_zone_attachment and removed cloud provider condition; fix identation 2018-01-23 13:14:00 +00:00
Virgil Chereches 3125f93b3f Added disable_volume_zone_conflict variable 2018-01-18 10:55:23 +00:00
Dave Carley 752fba1691 Fix spelling mistakes in group_vars (#2166) 2018-01-17 18:42:27 +03:00
Jonas Kongslund 11844c987c Make the Kubelet read-only port configurable and disable it by default. Fixes #2159. 2018-01-16 11:11:41 +04:00
ArchiFleKs ce85bcaee7 Simplify and update OpenStack cloud provider
Simplify the number of variables necessary to "just" enable OpenStack
cloud provider. Also add the new options available in K8s 1.9.
2018-01-05 12:05:24 +01:00
Matthew Mosesohn ad6fecefa8
Update Kubernetes to v1.9.0 (#2100)
Update checksum for kubeadm
Use v1.9.0 kubeadm params
Include hash of ca.crt for kubeadm join
Update tag for testing upgrades
Add workaround for testing upgrades
Remove scale CI scenarios because of slow inventory parsing
in ansible 2.4.x.

Change region for tests to us-central1 to
improve ansible performance
2017-12-25 08:57:45 +00:00
Stanislav Makar b2cb0725ac Default OpenStack Cinder Storage Class (#2083)
Add possibility to create default OpenStack Cinder Storage Class

Closes: #1609
2017-12-19 14:47:00 +00:00
Spencer Smith c4458c9d9a
Merge pull request #1997 from mrbobbytables/feature-keepalived-cloud-provider
Add minimal keepalived-cloud-provider support
2017-12-06 23:28:27 -05:00
Chad Swenson b8788421d5 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled).

Rework of #1937 with kubeadm support

Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
2017-12-05 09:13:45 -06:00
Brad Beam c2347db934
Merge pull request #1953 from chadswen/dashboard-refactor
Kubernetes Dashboard v1.7.1 Refactor
2017-12-05 08:50:55 -06:00
Stanislav Makar 6ade7c0a8d Update k8s version to 1.8.4 (#2015)
* Update k8s version to 1.8.4

* Update main.yml
2017-12-04 16:23:04 +00:00
Matthew Mosesohn a0225507a0
Set helm deployment type to host (#2012) 2017-11-29 19:52:54 +00:00
unclejack e5d353d0a7 contiv network support (#1914)
* Add Contiv support

Contiv is a network plugin for Kubernetes and Docker. It supports
vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
multiple networks and bridging pods onto physical networks.

* Update contiv version to 1.1.4

Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.

* Load openvswitch module to workaround on CentOS7.4

* Set contiv cni version to 0.1.0

Correct contiv CNI version to 0.1.0.

* Use kube_apiserver_endpoint for K8S_API_SERVER

Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
to a available endpoint no matter if there's a loadbalancer or not.

* Make contiv use its own etcd

Before this commit, contiv is using a etcd proxy mode to k8s etcd,
this work fine when the etcd hosts are co-located with contiv etcd
proxy, however the k8s peering certs are only in etcd group, as a
result the etcd-proxy is not able to peering with the k8s etcd on
etcd group, plus the netplugin is always trying to find the etcd
endpoint on localhost, this will cause problem for all netplugins
not runnign on etcd group nodes.
This commit make contiv uses its own etcd, separate from k8s one.
on kube-master nodes (where net-master runs), it will run as leader
mode and on all rest nodes it will run as proxy mode.

* Use cp instead of rsync to copy cni binaries

Since rsync has been removed from hyperkube, this commit changes it
to use cp instead.

* Make contiv-etcd able to run on master nodes

* Add rbac_enabled flag for contiv pods

* Add contiv into CNI network plugin lists

* migrate contiv test to tests/files

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

* Add required rules for contiv netplugin

* Better handling json return of fwdMode

* Make contiv etcd port configurable

* Use default var instead of templating

* roles/download/defaults/main.yml: use contiv 1.1.7

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2017-11-29 14:24:16 +00:00
Bob Killen 2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
Chad Swenson 849aaf7435 Update to k8s 1.8.3 (#1971) 2017-11-15 17:43:22 +00:00
Chad Swenson 0c6f172e75 Kubernetes Dashboard v1.7.1 Refactor
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
2017-11-15 10:05:48 -06:00
Matthew Mosesohn f9b68a5d17
Revert "Support for disabling apiserver insecure port" (#1974) 2017-11-14 13:41:28 +00:00
Chad Swenson 0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
Matthew Mosesohn 66c67dbe73
Add optional helm deployment mode for host (#1920) 2017-11-03 07:09:24 +00:00
Matthew Mosesohn c0e989b17c
New addon: local_volume_provisioner (#1909) 2017-11-01 14:25:35 +00:00
Andrew Greenwood e196adb98c
Update kubernetes 1.8.2 2017-10-29 22:09:22 -04:00
Matthew Mosesohn 25de6825df Update Kubernetes to v1.8.1 (#1858) 2017-10-24 17:05:45 +01:00
Rémi de Passmoilesel 356515222a Add possibility to insert more ip adresses in certificates (#1678)
* Add possibility to insert more ip adresses in certificates

* Add newline at end of files

* Move supp ip parameters to k8s-cluster group file

* Add supplementary addresses in kubeadm master role

* Improve openssl indexes
2017-10-17 11:06:07 +01:00
Matthew Mosesohn d487b2f927 Security best practice fixes (#1783)
* Disable basic and token auth by default

* Add recommended security params

* allow basic auth to fail in tests

* Enable TLS authentication for kubelet
2017-10-15 20:41:17 +01:00
Matthew Mosesohn ef47a73382 Add new addon Istio (#1744)
* add istio addon

* add addons to a ci job
2017-10-13 15:42:54 +01:00
Matthew Mosesohn dc515e5ac5 Remove kernel-upgrade role (#1798)
This role only support Red Hat type distros and is not maintained
or used by many users. It should be removed because it creates
feature disparity between supported OSes and is not maintained.
2017-10-13 15:36:21 +01:00
Maxim Krasilnikov ad9fa73301 Remove cert_managment var definition from k8s-cluster group vars (#1790) 2017-10-13 10:21:39 +01:00
Vijay Katam 27ed73e3e3 Rename dns_server, add var for selinux. (#1572)
* Rename dns_server to dnsmasq_dns_server so that it includes role prefix
as the var name is generic and conflicts when integrating with existing ansible automation.
*  Enable selinux state to be configurable with new var preinstall_selinux_state
2017-10-11 20:40:21 +01:00
Matthew Mosesohn eb0dcf6063 Improve proxy (#1771)
* Set no_proxy to all local ips

* Use proxy settings on all necessary tasks
2017-10-11 19:47:27 +01:00
Matthew Mosesohn f14f04c5ea Upgrade to kubernetes v1.8.0 (#1730)
* Upgrade to kubernetes v1.8.0

hyperkube no longer contains rsync, so now use cp

* Enable node authorization mode

* change kube-proxy cert group name
2017-10-05 10:51:21 +01:00
Matthew Mosesohn 327ed157ef Verify valid settings before deploy (#1705)
Also fix yaml lint issues

Fixes #1703
2017-09-27 14:47:47 +01:00
Maxim Krasilnikov 1067595b5c Change used chars for kubeadm tokens (#1701) 2017-09-26 05:56:08 +01:00
Matthew Mosesohn ef8e35e39b Create admin credential kubeconfig (#1647)
New files: /etc/kubernetes/admin.conf
           /root/.kube/config
           $GITDIR/artifacts/{kubectl,admin.conf}

Optional method to download kubectl and admin.conf if
kubeconfig_lcoalhost is set to true (default false)
2017-09-18 13:30:57 +01:00
Kevin Lefevre 9302ce0036 Enhanced OpenStack cloud provider (#1627)
- Enable Cinder API version for block storage
- Enable floating IP for LBaaS
2017-09-16 08:43:24 +01:00
Kyle Bai 016301508e Update to Kubernetes v1.7.5 (#1649) 2017-09-14 07:18:03 +01:00
Matthew Mosesohn 6744726089 kubeadm support (#1631)
* kubeadm support

* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job

* change ci boolean vars to json format

* fixup

* Update create-gce.yml

* Update create-gce.yml

* Update create-gce.yml
2017-09-13 19:00:51 +01:00
Matthew Mosesohn 9fa1873a65 Add kube dashboard, enabled by default (#1643)
* Add kube dashboard, enabled by default

Also add rbac role for kube user

* Update main.yml
2017-09-09 23:38:03 +03:00
Matthew Mosesohn f29a42721f Clean up debug in check apiserver test (#1638)
* Clean up debug in check apiserver test

* Change password generation for kube_user

Special characters are not allowed in known_users.csv file
2017-09-08 15:47:13 +03:00
Matthew Mosesohn 7117614ee5 Use a generated password for kube user (#1624)
Removed unnecessary root user
2017-09-06 20:20:25 +03:00
Maxim Krasilnikov 9bce364b3c Update auth enabled methods in group_vars example (#1625) 2017-09-06 15:10:18 +03:00
Matthew Mosesohn ca3050ec3d Update to Kubernetes v1.7.3 (#1549)
Change kubelet deploy mode to host
Enable cri and qos per cgroup for kubelet
Update CoreOS images
Add upgrade hook for switching from kubelet deployment from docker to host.
Bump machine type for ubuntu-rkt-sep
2017-08-21 10:53:49 +03:00
Kevin Lefevre 65a9772adf Add OpenStack LBaaS support (#1506) 2017-08-20 13:59:15 +03:00
Brad Beam 460b5824c3 Merge pull request #1448 from lancomsystems/log-rotataion-example
Add logging options to default docker options
2017-08-10 08:30:23 -05:00
Spencer Smith cb6892d2ed Merge pull request #1469 from hzamani/etcd_metrics
Add etcd metrics flag
2017-07-31 09:04:07 -04:00
nico cc9f3ea938 Fix enforce-node-allocatable option
Closes #1228
pods is default enforcement

see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
add

update
2017-07-31 10:06:53 +02:00
timtoum 3e457e4edf Enable weave seed mode for kubespray (#1414)
* Enable weave seed mode for kubespray

* fix task Weave seed | Set peers if existing peers

* fix mac address variabilisation

* fix default values

* fix include seed condition

* change weave var to default values

* fix Set peers if existing peers
2017-07-26 19:09:34 +03:00
Hassan Zamani 3fb0383df4 Add etcd metrics flag 2017-07-25 20:00:30 +04:30
Spencer Smith 4a34514b21 Merge pull request #1447 from whereismyjetpack/template_known_users
Template out known_users.csv, optionally add groups
2017-07-25 08:55:08 -04:00
Spencer Smith 927e6d89d7 Merge pull request #1435 from delfer/master
Kubernetes upgrade to 1.6.7
2017-07-19 05:23:38 -07:00
Dann Bohn d1f58fed4c Template out known_users.csv, optionally add groups 2017-07-14 09:27:20 -04:00
Brad Beam 637f445c3f Merge pull request #1365 from AtzeDeVries/master
Give more control over IPIP, but with same default behaviour
2017-07-12 10:17:17 -05:00
Delfer 9f45eba6f6 Kubernetes upgrade to 1.6.7 2017-07-11 09:11:55 +00:00
AtzeDeVries e160018826 Fixed conflicts, ipip:true as defualt and added ipip_mode 2017-07-08 14:36:44 +02:00
Julian Poschmann 380fb986b6 Add logging options to default docker options 2017-07-07 12:39:42 +02:00
Vladimir Kozyrev e26be9cb8a add private dns server for a specific zone 2017-07-06 16:30:47 +03:00
jwfang ec2255764a docker_dns_servers_strict to control docker_dns_servers rtrim 2017-06-26 17:29:12 +08:00
AtzeDeVries 61b74f9a5b updated to direct control over ipip 2017-06-23 09:16:05 +02:00
AtzeDeVries 7332679678 Give more control over IPIP, but with same default behaviour 2017-06-20 14:50:08 +02:00
Gregory Storme fff0aec720 add configurable parameter for etcd_auto_compaction_retention 2017-06-14 10:39:38 +02:00
zoues 43408634bb Merge branch 'master' into master 2017-05-23 09:32:28 +08:00
zouyee d47fce6ce7 upgrade k8s version to 1.6.4 2017-05-23 09:30:03 +08:00
Spencer Smith 31a7b7d24e default to kubedns and set nxdomain in kubedns deployment if that's the dns_mode 2017-05-12 15:57:24 -04:00
Vincent Schwarzer 7f0c0a0922 Fix for etcd variable issue 2017-04-12 12:59:49 +02:00
Matthew Mosesohn ccc11e5680 Upgrade to Kubernetes 1.6.1 2017-04-05 13:26:36 +03:00
Matthew Mosesohn 0f64f8db90 Merge pull request #1155 from mattymo/helm
Add helm deployment
2017-03-20 17:00:06 +03:00
Matthew Mosesohn b69d4b0ecc Add helm deployment 2017-03-17 20:24:41 +03:00
Aleksandr Didenko 3a39904011 Move calico-policy-controller into separate role
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn 096d96e344 Merge pull request #1137 from holser/bug/1135
Turn on iptables for flannel
2017-03-15 17:06:42 +03:00
Sergii Golovatiuk 9667e8615f Turn on iptables for flannel
Closes: #1135
Closes: #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-14 17:54:55 +01:00
Vincent Schwarzer 026da060f2 Granular authentication Control
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Vincent Schwarzer b075960e3b Added Support for OpenID Connect Authentication
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Antoine Legrand 85596c2610 Merge pull request #1045 from bradbeam/vsphere
Adding vsphere cloud provider support
2017-03-06 12:34:05 +01:00
Sergii Golovatiuk d31c040dc0 Change kube-api default port from 443 to 6443
Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.

Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 15:45:35 +01:00
Sergii Golovatiuk f9ff93c606 Make etcd data dir configurable.
Closes: #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-27 21:35:51 +01:00
Jan Jungnickel df476b0088 Initial support for vsphere as cloud provider 2017-02-27 12:51:41 -06:00
Sergii Golovatiuk a098a32f7d Uncomment one key/value in all.yml
all.yaml shouldn't be empty otherwise ansible won't be able to merge 2
dicts.

Related bug: ansible/issues/21889
2017-02-24 12:25:45 +01:00
Antoine Legrand eb904668b2 Uncommented group_vars variables 2017-02-24 10:54:25 +01:00
Antoine Legrand c7d61af332 Comment all variables in group_vars 2017-02-23 14:02:57 +01:00
Antoine Legrand 5f7607412b Add default var role 2017-02-23 12:07:17 +01:00
Bogdan Dobrelya 712872efba Rework inventory all by real groups' vars
* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 09:43:42 +01:00
Sergii Golovatiuk ebf9daf73e Statically disable iptables management for docker
Docker 1.13 changes the behaviour of iptables defaults from allow
to drop. This patch disables docker's iptables management as it was
in Docker 1.12 [1]

[1] https://github.com/docker/docker/pull/28257

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-21 19:10:34 +01:00
Matthew Mosesohn 10173525d8 Update Kubernetes to v1.5.3 2017-02-20 18:14:56 +03:00
Matthew Mosesohn 2d65554cb9 Change default network plugin to Calico 2017-02-15 16:15:22 +03:00
Hung Nguyen Viet d0757ccc5e Fix typo 2017-02-14 17:18:22 +07:00
Alexander Block d2e010cbe1 Add kernel upgrade for CentOS 2017-02-10 09:29:12 +01:00
Matthew Mosesohn 60f1936a62 Merge pull request #1004 from galthaus/kubelet-load-modules
Allow kubelet to load kernel modules
2017-02-10 09:28:16 +03:00
Vladimir Rutsky f0269b28f4 fix kube_apiserver_ip/kube_apiserver_port description 2017-02-09 21:47:36 +04:00
Greg Althaus 3f0c13af8a Make kubelet_load_modules always present but false.
Update code and docs for that assumption.
2017-02-09 10:25:44 -06:00
Greg Althaus fcd78eb1f7 Due to the nsenter and other reworks, it appears that
kubelet lost the ability to load kernel modules.  This
puts that back by adding the lib/modules mount to kubelet.

The new variable kubelet_load_modules can be set to true
to enable this item.  It is OFF by default.
2017-02-09 10:02:26 -06:00
Bogdan Dobrelya 3b1a196c75 Merge pull request #902 from insequent/master
Adding vault role
2017-02-09 09:24:52 +01:00
Antoine Legrand 9c572fe54b Merge pull request #984 from rutsky/patch-2
fix typo: "explicetely"
2017-02-08 23:19:01 +01:00
Josh Conant 245e05ce61 Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Josh Conant f4ec2d18e5 Adding the Vault role 2017-02-08 21:31:28 +00:00
Vladimir Rutsky 6a5df4d999 fix typo: "pubilcally" 2017-02-06 21:35:02 +04:00
Vladimir Rutsky d41602088b fix typo: "explicetely" 2017-02-06 21:29:11 +04:00
Matthew Mosesohn fd30131dc2 Revert "Drop linux capabilities and rework users/groups" 2017-02-06 15:58:54 +03:00
Bogdan Dobrelya cae2982d81 Merge pull request #911 from bogdando/DROP_CAPS
Drop linux capabilities and rework users/groups
2017-02-06 12:05:51 +01:00
Brad Beam df3e11bdb8 Adding EFK logging stack 2017-02-03 16:27:08 -06:00
David Kirstein 6e35895b44 also use kube_api_pwd for root account
This makes it a bit more secure. Also the password can now be changed with a (inventory) variable (no need to edit all.yml).
2017-01-23 19:09:30 +01:00
Bogdan Dobrelya cb2e5ac776 Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-20 08:50:42 +01:00
Greg Althaus 6905edbeb6 Add a variable that defaults to kube_apiserver_port that defines
the which port the local nginx proxy should listen on for HA
local balancer configurations.
2017-01-14 23:38:07 -06:00
Bogdan Dobrelya caab0cdf27 Docs updates
Fix mismatching inventory examples.
Add command examples.
Clarify groups use cases.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-11 15:39:35 +01:00
Alexander Block 1d2a18b355 Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Bogdan Dobrelya fb7899aa06 Minor fix to rkt version in group vars
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 11:11:03 +01:00
Brad Beam 8dc19374cc Allowing etcd to run via rkt 2017-01-03 10:10:38 -06:00
Brad Beam a8f2af0503 Adding initial rkt support 2017-01-03 10:08:43 -06:00
Bogdan Dobrelya 58062be2a3 Drop non systemd OS types support
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00
Bogdan Dobrelya a56d9de502 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Antoine Legrand 768fe05eea Merge pull request #704 from vwfs/bastion_hosts
Add support for bastion hosts
2016-12-17 12:08:49 +01:00
Matthew Mosesohn 9df2306ee9 Bump kube_version to v1.5.1 2016-12-16 15:53:25 +03:00
Smaine Kahlouch 29874baf8a Merge pull request #708 from vwfs/cloud_network
Add support for cloud-provider based networking
2016-12-14 16:23:20 +01:00