From 40857b98591ec49fb3afaf34a420b37c95071525 Mon Sep 17 00:00:00 2001 From: Etienne Champetier Date: Tue, 16 Feb 2021 11:44:58 -0500 Subject: [PATCH] Ensure kubeadm doesn't use proxy (#7275) * Move proxy_env to kubespray-defaults/defaults There is no reasons to use set_facts here Signed-off-by: Etienne Champetier * Ensure kubeadm doesn't use proxy *_proxy variables might be present in the environment (/etc/environment, bash profile, ...) When this is the case we end up with those proxy configuration in /etc/kubernetes/manifests/kube-*.yaml manifests We cannot unset env variables, but kubeadm is nice enough to ignore empty vars https://github.com/kubernetes/kubernetes/blob/93d288e2a47fa6d497b50d37c8b3a04e91da4228/cmd/kubeadm/app/util/env.go#L27 Signed-off-by: Etienne Champetier (cherry picked from commit 1c5391dda78b43fc629320dd59f1234e81afb2ad) --- roles/download/tasks/prep_kubeadm_images.yml | 1 + .../kubeadm/tasks/kubeadm_etcd_node.yml | 1 + roles/kubernetes/kubeadm/tasks/main.yml | 5 +++-- .../master/tasks/kubeadm-fix-apiserver.yml | 1 + .../master/tasks/kubeadm-secondary.yml | 4 ++-- .../kubernetes/master/tasks/kubeadm-setup.yml | 5 +++-- .../master/tasks/kubeadm-version.yml | 1 + roles/kubernetes/node/tasks/kubelet.yml | 1 + roles/kubespray-defaults/defaults/main.yaml | 20 +++++++++++++++++++ roles/kubespray-defaults/tasks/main.yaml | 13 ------------ scale.yml | 1 + 11 files changed, 34 insertions(+), 19 deletions(-) diff --git a/roles/download/tasks/prep_kubeadm_images.yml b/roles/download/tasks/prep_kubeadm_images.yml index fa829e8f0..d004f9367 100644 --- a/roles/download/tasks/prep_kubeadm_images.yml +++ b/roles/download/tasks/prep_kubeadm_images.yml @@ -38,6 +38,7 @@ shell: "set -o pipefail && {{ bin_dir }}/kubeadm config images list --config={{ kube_config_dir }}/kubeadm-images.yaml | grep -Ev 'coredns|pause'" args: executable: /bin/bash + environment: "{{ proxy_disable_env }}" register: kubeadm_images_raw run_once: true changed_when: false diff --git a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml index b5c0f2552..27e0c5f93 100644 --- a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml +++ b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml @@ -22,6 +22,7 @@ {{ kubeadm_discovery_address }} args: creates: "{{ kube_cert_dir }}/apiserver-etcd-client.key" + environment: "{{ proxy_disable_env }}" - name: Delete unneeded certificates file: diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml index 75bffc781..63ea87f9b 100644 --- a/roles/kubernetes/kubeadm/tasks/main.yml +++ b/roles/kubernetes/kubeadm/tasks/main.yml @@ -36,6 +36,7 @@ - name: Create kubeadm token for joining nodes with 24h expiration (default) command: "{{ bin_dir }}/kubeadm token create" + environment: "{{ proxy_disable_env }}" register: temp_token delegate_to: "{{ groups['kube-master'][0] }}" when: kubeadm_token is not defined @@ -48,6 +49,7 @@ - name: Get the kubeadm version command: "{{ bin_dir }}/kubeadm version -o short" + environment: "{{ proxy_disable_env }}" register: kubeadm_output changed_when: false @@ -63,8 +65,7 @@ when: not is_kube_master - name: Join to cluster if needed - environment: - PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}:/sbin" # Make sure we can workaround RH / CentOS conservative path management + environment: '{{ proxy_disable_env | combine({"PATH": "{{ bin_dir }}:{{ ansible_env.PATH }}:/sbin"}) }}' when: not is_kube_master and (not kubelet_conf.stat.exists) block: diff --git a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml index 6ebfb179a..c589dd76d 100644 --- a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml +++ b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml @@ -20,6 +20,7 @@ {{ bin_dir }}/kubeadm init phase kubeconfig all --config {{ kube_config_dir }}/kubeadm-config.yaml --kubeconfig-dir {{ kubeconfig_temp_dir.path }} + environment: "{{ proxy_disable_env }}" when: kubeconfig_correct_apiserver.rc != 0 - name: Copy new kubeconfigs to kube config dir diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary.yml b/roles/kubernetes/master/tasks/kubeadm-secondary.yml index 75eea9132..13b844204 100644 --- a/roles/kubernetes/master/tasks/kubeadm-secondary.yml +++ b/roles/kubernetes/master/tasks/kubeadm-secondary.yml @@ -16,6 +16,7 @@ --config {{ kube_config_dir }}/kubeadm-config.yaml upload-certs --upload-certs + environment: "{{ proxy_disable_env }}" register: kubeadm_upload_cert when: - inventory_hostname == groups['kube-master']|first @@ -57,6 +58,7 @@ {{ bin_dir }}/kubeadm join --config {{ kube_config_dir }}/kubeadm-controlplane.yaml --ignore-preflight-errors=all + environment: '{{ proxy_disable_env | combine({"PATH": "{{ bin_dir }}:{{ ansible_env.PATH }}"}) }}' register: kubeadm_join_control_plane retries: 3 throttle: 1 @@ -64,8 +66,6 @@ when: - inventory_hostname != groups['kube-master']|first - kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists - environment: - PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}" - name: Set secret_changed to false to avoid extra token rotation set_fact: diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml index 43655a30d..32fbaba0e 100644 --- a/roles/kubernetes/master/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml @@ -156,8 +156,7 @@ until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr when: inventory_hostname == groups['kube-master']|first and not kubeadm_already_run.stat.exists failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr - environment: - PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}" + environment: '{{ proxy_disable_env | combine({"PATH": "{{ bin_dir }}:{{ ansible_env.PATH }}"}) }}' notify: Master | restart kubelet - name: set kubeadm certificate key @@ -172,6 +171,7 @@ shell: >- {{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token delete {{ kubeadm_token }} || :; {{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create {{ kubeadm_token }} + environment: "{{ proxy_disable_env }}" changed_when: false when: - inventory_hostname == groups['kube-master']|first @@ -182,6 +182,7 @@ - name: Create kubeadm token for joining nodes with 24h expiration (default) command: "{{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create" + environment: "{{ proxy_disable_env }}" changed_when: false register: temp_token retries: 5 diff --git a/roles/kubernetes/master/tasks/kubeadm-version.yml b/roles/kubernetes/master/tasks/kubeadm-version.yml index 8c7feea35..2793c77ab 100644 --- a/roles/kubernetes/master/tasks/kubeadm-version.yml +++ b/roles/kubernetes/master/tasks/kubeadm-version.yml @@ -1,6 +1,7 @@ --- - name: Get the kubeadm version command: "{{ bin_dir }}/kubeadm version -o short" + environment: "{{ proxy_disable_env }}" register: kubeadm_output changed_when: false diff --git a/roles/kubernetes/node/tasks/kubelet.yml b/roles/kubernetes/node/tasks/kubelet.yml index cb95cc174..68cd0ff63 100644 --- a/roles/kubernetes/node/tasks/kubelet.yml +++ b/roles/kubernetes/node/tasks/kubelet.yml @@ -8,6 +8,7 @@ - name: Get the kubeadm version command: "{{ bin_dir }}/kubeadm version -o short" + environment: "{{ proxy_disable_env }}" register: kubeadm_output changed_when: false diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 31fe27953..3c23edd47 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -532,3 +532,23 @@ host_architecture: >- # Sets the eventRecordQPS parameter in kubelet-config.yaml. The default value is 5 (see types.go) # Setting it to 0 allows unlimited requests per second. kubelet_event_record_qps: 5 + +proxy_env: + http_proxy: "{{ http_proxy | default ('') }}" + HTTP_PROXY: "{{ http_proxy | default ('') }}" + https_proxy: "{{ https_proxy | default ('') }}" + HTTPS_PROXY: "{{ https_proxy | default ('') }}" + no_proxy: "{{ no_proxy | default ('') }}" + NO_PROXY: "{{ no_proxy | default ('') }}" + +proxy_disable_env: + ALL_PROXY: '' + FTP_PROXY: '' + HTTPS_PROXY: '' + HTTP_PROXY: '' + NO_PROXY: '' + all_proxy: '' + ftp_proxy: '' + http_proxy: '' + https_proxy: '' + no_proxy: '' diff --git a/roles/kubespray-defaults/tasks/main.yaml b/roles/kubespray-defaults/tasks/main.yaml index 7c0c5d240..fe268e953 100644 --- a/roles/kubespray-defaults/tasks/main.yaml +++ b/roles/kubespray-defaults/tasks/main.yaml @@ -5,19 +5,6 @@ tags: - always -- name: "Set up proxy environment" - set_fact: - proxy_env: - http_proxy: "{{ http_proxy | default ('') }}" - HTTP_PROXY: "{{ http_proxy | default ('') }}" - https_proxy: "{{ https_proxy | default ('') }}" - HTTPS_PROXY: "{{ https_proxy | default ('') }}" - no_proxy: "{{ no_proxy | default ('') }}" - NO_PROXY: "{{ no_proxy | default ('') }}" - no_log: true - tags: - - always - # do not run gather facts when bootstrap-os in roles - name: set fallback_ips import_tasks: fallback_ips.yml diff --git a/scale.yml b/scale.yml index 52f59d22c..a47e67507 100644 --- a/scale.yml +++ b/scale.yml @@ -69,6 +69,7 @@ --config {{ kube_config_dir }}/kubeadm-config.yaml upload-certs --upload-certs + environment: "{{ proxy_disable_env }}" register: kubeadm_upload_cert changed_when: false - name: set fact 'kubeadm_certificate_key' for later use