Verify valid settings before deploy (#1705)
Also fix yaml lint issues. Fixes #1703
This commit is contained in:
parent
c819238da9
commit
327ed157ef
9 changed files with 94 additions and 19 deletions
|
@ -116,6 +116,9 @@ bin_dir: /usr/local/bin
|
||||||
## Please specify true if you want to perform a kernel upgrade
|
## Please specify true if you want to perform a kernel upgrade
|
||||||
kernel_upgrade: false
|
kernel_upgrade: false
|
||||||
|
|
||||||
|
# Set to true to allow pre-checks to fail and continue deployment
|
||||||
|
#ignore_assert_errors: false
|
||||||
|
|
||||||
## Etcd auto compaction retention for mvcc key value store in hour
|
## Etcd auto compaction retention for mvcc key value store in hour
|
||||||
#etcd_compaction_retention: 0
|
#etcd_compaction_retention: 0
|
||||||
|
|
||||||
|
|
|
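Review bot: The new commented-out default `#ignore_assert_errors: false` has no space after `#`, while this same commit rewrites `#FIXME`, `#Retry` and the `#openstack_lbaas_*` comments to the `# ` form for yamllint; write it as `# ignore_assert_errors: false` so the lint fix is not undone in the same change. The preceding comment could also name what is skipped, e.g. `# Set to true to allow the pre-checks in verify-settings.yml to fail and continue deployment`.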
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
#FIXME(mattymo): Exclude built in secrets that were automatically rotated,
|
# FIXME(mattymo): Exclude built in secrets that were automatically rotated,
|
||||||
#instead of filtering manually
|
# instead of filtering manually
|
||||||
- name: Rotate Tokens | Get all serviceaccount tokens to expire
|
- name: Rotate Tokens | Get all serviceaccount tokens to expire
|
||||||
shell: >-
|
shell: >-
|
||||||
{{ bin_dir }}/kubectl get secrets --all-namespaces
|
{{ bin_dir }}/kubectl get secrets --all-namespaces
|
||||||
|
|
|
@ -63,7 +63,7 @@
|
||||||
- name: kubeadm | Initialize first master
|
- name: kubeadm | Initialize first master
|
||||||
command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
|
command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
|
||||||
register: kubeadm_init
|
register: kubeadm_init
|
||||||
#Retry is because upload config sometimes fails
|
# Retry is because upload config sometimes fails
|
||||||
retries: 3
|
retries: 3
|
||||||
when: inventory_hostname == groups['kube-master']|first and not admin_conf.stat.exists
|
when: inventory_hostname == groups['kube-master']|first and not admin_conf.stat.exists
|
||||||
failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
|
failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
|
||||||
|
@ -72,7 +72,7 @@
|
||||||
- name: kubeadm | Upgrade first master
|
- name: kubeadm | Upgrade first master
|
||||||
command: timeout -k 240s 240s {{ bin_dir }}/kubeadm upgrade apply --config={{ kube_config_dir }}/kubeadm-config.yaml {{ kube_version }} --skip-preflight-checks
|
command: timeout -k 240s 240s {{ bin_dir }}/kubeadm upgrade apply --config={{ kube_config_dir }}/kubeadm-config.yaml {{ kube_version }} --skip-preflight-checks
|
||||||
register: kubeadm_upgrade
|
register: kubeadm_upgrade
|
||||||
#Retry is because upload config sometimes fails
|
# Retry is because upload config sometimes fails
|
||||||
retries: 3
|
retries: 3
|
||||||
when: inventory_hostname == groups['kube-master']|first and (kubeadm_config.changed and admin_conf.stat.exists)
|
when: inventory_hostname == groups['kube-master']|first and (kubeadm_config.changed and admin_conf.stat.exists)
|
||||||
failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
|
failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
- name: look up docker cgroup driver
|
- name: look up docker cgroup driver
|
||||||
shell: "docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'"
|
shell: "docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'"
|
||||||
register: docker_cgroup_driver_result
|
register: docker_cgroup_driver_result
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
---
|
---
|
||||||
run_gitinfos: false
|
run_gitinfos: false
|
||||||
|
|
||||||
|
# Set to true to allow pre-checks to fail and continue deployment
|
||||||
|
ignore_assert_errors: false
|
||||||
|
|
||||||
epel_rpm_download_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
|
epel_rpm_download_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
|
||||||
|
|
||||||
common_required_pkgs:
|
common_required_pkgs:
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- include: pre-upgrade.yml
|
- include: verify-settings.yml
|
||||||
tags: [upgrade, bootstrap-os]
|
tags: asserts
|
||||||
|
|
||||||
- name: Force binaries directory for Container Linux by CoreOS
|
- name: Force binaries directory for Container Linux by CoreOS
|
||||||
set_fact:
|
set_fact:
|
||||||
|
|
|
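Review bot: The replaced include drops the `upgrade` and `bootstrap-os` tags in favour of `asserts` only, so a run limited with `--tags upgrade` or `--tags bootstrap-os` will no longer execute the settings checks that took over from the pre-upgrade assert. If that is intended, record it with a comment such as `# verify-settings.yml replaces pre-upgrade.yml; use --tags asserts to run only the checks`; otherwise keep the old tags as well, `tags: [asserts, upgrade, bootstrap-os]`. Whether `pre-upgrade.yml` is still included from anywhere else is not visible in this hunk.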
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
- name: Stop if non systemd OS type
|
|
||||||
assert:
|
|
||||||
that: ansible_service_mgr == "systemd"
|
|
||||||
tags:
|
|
||||||
- asserts
|
|
71
roles/kubernetes/preinstall/tasks/verify-settings.yml
Normal file
71
roles/kubernetes/preinstall/tasks/verify-settings.yml
Normal file
|
@ -0,0 +1,71 @@
|
||||||
|
---
|
||||||
|
- name: Stop if ansible version is too low
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- ansible_version.full|version_compare('2.3.0.0', '>=')
|
||||||
|
run_once: yes
|
||||||
|
|
||||||
|
- name: Stop if non systemd OS type
|
||||||
|
assert:
|
||||||
|
that: ansible_service_mgr == "systemd"
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
|
||||||
|
- name: Stop if unknown OS
|
||||||
|
assert:
|
||||||
|
that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS']
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
|
||||||
|
- name: Stop if unknown network plugin
|
||||||
|
assert:
|
||||||
|
that: network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud']
|
||||||
|
when: network_plugin is defined
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
|
||||||
|
- name: Stop if incompatible network plugin and cloudprovider
|
||||||
|
assert:
|
||||||
|
that: network_plugin != calico
|
||||||
|
when: cloud_provider is defined and cloud_provider == 'azure'
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
|
||||||
|
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
|
||||||
|
assert:
|
||||||
|
that: item|type_debug == 'bool'
|
||||||
|
run_once: yes
|
||||||
|
with_items:
|
||||||
|
- kubeadm_enabled
|
||||||
|
- download_run_once
|
||||||
|
- deploy_netchecker
|
||||||
|
- download_always_pull
|
||||||
|
- efk_enabled
|
||||||
|
- helm_enabled
|
||||||
|
- openstack_lbaas_Enabled
|
||||||
|
- rbac_enabled
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
|
||||||
|
- name: Stop if even number of etcd hosts
|
||||||
|
assert:
|
||||||
|
that: groups.etcd|length is not divisibleby 2
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
|
||||||
|
- name: Stop if memory is too small for masters
|
||||||
|
assert:
|
||||||
|
that: ansible_memtotal_mb >= 1500
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
when: inventory_hostname in groups['kube-master']
|
||||||
|
|
||||||
|
- name: Stop if memory is too small for nodes
|
||||||
|
assert:
|
||||||
|
that: ansible_memtotal_mb >= 1024
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
when: inventory_hostname in groups['kube-node']
|
||||||
|
|
||||||
|
- name: Stop if ip var does not match local ips
|
||||||
|
assert:
|
||||||
|
that: ip in ansible_all_ipv4_addresses
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
||||||
|
when: ip is defined
|
||||||
|
|
||||||
|
- name: Stop if access_ip is not pingable
|
||||||
|
command: ping -c1 {{ access_ip }}
|
||||||
|
when: access_ip is defined
|
||||||
|
ignore_errors: "{{ ignore_assert_errors }}"
|
|
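Review bot: The assertion `that: network_plugin != calico` compares against a variable named `calico`, not the string: Jinja treats an unquoted bare word as a variable reference, so on an Azure deployment this task either fails on an undefined variable or never detects the calico conflict; it should read `that: network_plugin != 'calico'`, matching the quoted names in the `network_plugin in [...]` check above it. In the boolean-type check, `openstack_lbaas_Enabled` does not match the variable `openstack_lbaas_enabled` that this same commit touches in the sample inventory, so that item is checked under the wrong name; change it to `- openstack_lbaas_enabled`. The two `run_once: yes` values should be `run_once: true`, since the commit is also fixing yamllint truthy warnings. The final ping task will also report `changed` on every run; adding `changed_when: false` keeps the check idempotent.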
@ -10,6 +10,9 @@ is_atomic: false
|
||||||
## Change this to use another Kubernetes version, e.g. a current beta release
|
## Change this to use another Kubernetes version, e.g. a current beta release
|
||||||
kube_version: v1.6.7
|
kube_version: v1.6.7
|
||||||
|
|
||||||
|
# Set to true to allow pre-checks to fail and continue deployment
|
||||||
|
ignore_assert_errors: false
|
||||||
|
|
||||||
# Directory where the binaries will be installed
|
# Directory where the binaries will be installed
|
||||||
bin_dir: /usr/local/bin
|
bin_dir: /usr/local/bin
|
||||||
docker_bin_dir: /usr/bin
|
docker_bin_dir: /usr/bin
|
||||||
|
@ -129,15 +132,15 @@ efk_enabled: false
|
||||||
enable_network_policy: false
|
enable_network_policy: false
|
||||||
|
|
||||||
## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461)
|
## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461)
|
||||||
#openstack_blockstorage_version: "v1/v2/auto (default)"
|
# openstack_blockstorage_version: "v1/v2/auto (default)"
|
||||||
## When OpenStack is used, if LBaaSv2 is available you can enable it with the following variables.
|
## When OpenStack is used, if LBaaSv2 is available you can enable it with the following variables.
|
||||||
openstack_lbaas_enabled: false
|
openstack_lbaas_enabled: false
|
||||||
#openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
|
# openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
|
||||||
#openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
|
# openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
|
||||||
#openstack_lbaas_create_monitor: "yes"
|
# openstack_lbaas_create_monitor: "yes"
|
||||||
#openstack_lbaas_monitor_delay: false
|
# openstack_lbaas_monitor_delay: false
|
||||||
#openstack_lbaas_monitor_timeout: false
|
# openstack_lbaas_monitor_timeout: false
|
||||||
#openstack_lbaas_monitor_max_retries: false
|
# openstack_lbaas_monitor_max_retries: false
|
||||||
|
|
||||||
## List of authorization modes that must be configured for
|
## List of authorization modes that must be configured for
|
||||||
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
|
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
|
||||||
|
|