From d3a8584212bc1882b52c9bda78060d8f72f6a2e7 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 10:18:53 +0100
Subject: [PATCH 1/8] add timeout options to resolv.conf
---
roles/dnsmasq/tasks/main.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index f8b9fa197..d8050d514 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -80,6 +80,19 @@
follow: yes
with_items: groups['kube-master']
+- name: Add options to resolv.conf
lineinfile:
line: options {{ item }}
dest: "{{resolvconffile}}"
state: present
regexp: "^options.*{{ item }}$"
insertafter: EOF
backup: yes
follow: yes
with_items:
- timeout:5
- attempts:2
- name: disable resolv.conf modification by dhclient
copy: src=dhclient_nodnsupdate dest=/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate mode=u+x backup=yes
when: ansible_os_family == "Debian"
From f58b4d3dd61a152acbd094d0cec1083736d7dc86 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 10:29:33 +0100
Subject: [PATCH 2/8] dnsmasq listens on localhost
---
roles/dnsmasq/tasks/main.yml | 7 +++----
roles/dnsmasq/templates/dnsmasq-pod.yml | 2 ++
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index d8050d514..105a08831 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
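Review bot: The `regexp` of the new "Add options to resolv.conf" task is built from the whole item (`^options.*timeout:5$`), so it only matches a line carrying exactly that value; when a value is changed later the old `options timeout:5` line stays in the file and a second `options` line is appended, so resolv.conf drifts from what the playbook declares. Key the match on the option name instead so the task replaces the existing line: `line: "options {{ item }}"` and `regexp: "^options\\s+{{ item.split(':')[0] }}:"`. Quoting `line` also matches the style of the neighbouring tasks. This assumes each option keeps its own `options` line, which is how the loop writes them.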
@@ -63,22 +63,21 @@
- name: Add search resolv.conf
lineinfile:
- line: search {{ [ 'default.svc.' + dns_domain, 'svc.' + dns_domain, dns_domain ] | join(' ') }}
+ line: "search {{ [ 'default.svc.' + dns_domain, 'svc.' + dns_domain, dns_domain ] | join(' ') }}"
dest: "{{resolvconffile}}"
state: present
insertbefore: BOF
backup: yes
follow: yes
-- name: Add all masters as nameserver
+- name: Add local dnsmasq to resolv.conf
lineinfile:
- line: nameserver {{ hostvars[item]['ansible_default_ipv4']['address'] }}
+ line: "nameserver 127.0.0.1"
dest: "{{resolvconffile}}"
state: present
insertafter: "^search.*$"
backup: yes
follow: yes
- with_items: groups['kube-master']
- name: Add options to resolv.conf
lineinfile:
diff --git a/roles/dnsmasq/templates/dnsmasq-pod.yml b/roles/dnsmasq/templates/dnsmasq-pod.yml
index 1150e14c7..70a826600 100644
--- a/roles/dnsmasq/templates/dnsmasq-pod.yml
+++ b/roles/dnsmasq/templates/dnsmasq-pod.yml
@@ -29,9 +29,11 @@ spec:
- name: dns
containerPort: 53
hostPort: 53
+ hostIP: 127.0.0.1
protocol: UDP
- name: dns-tcp
containerPort: 53
+ hostIP: 127.0.0.1
hostPort: 53
protocol: TCP
volumeMounts:
From 63ae6ba5b50a28f8cae81e365e2ce41100668c27 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 10:31:47 +0100
Subject: [PATCH 3/8] dnsmasq runs on all nodes
---
roles/dnsmasq/tasks/main.yml | 4 ----
1 file changed, 4 deletions(-)
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index 105a08831..97f4b4286 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -32,7 +32,6 @@
file:
path: /etc/dnsmasq.d
state: directory
- when: inventory_hostname in groups['kube-master']
- name: Write dnsmasq configuration
template:
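Review bot: Switching the task to `nameserver 127.0.0.1` does not remove the lines the previous version wrote: `lineinfile` with `state: present` and no `regexp` only guarantees that the new line exists, so on already-provisioned nodes the old `nameserver <master-ip>` entries remain as fallbacks and queries still go to the masters whenever the local dnsmasq is slow or down. A companion task with `state: absent` over the same master addresses, placed before this one, makes the resolver list match what the playbook declares. Separately, a resolv.conf whose only nameserver is a loopback address is known to be rewritten by Docker for containers that inherit the host resolver (it drops loopback nameservers and substitutes its public defaults), so any pod that does not get the cluster DNS from the kubelet flags could silently resolve through an external resolver; which pods that affects is not visible here and worth confirming.
```yaml
- name: Remove masters from resolv.conf
  lineinfile:
    line: "nameserver {{ hostvars[item]['ansible_default_ipv4']['address'] }}"
    dest: "{{resolvconffile}}"
    state: absent
    follow: yes
  with_items: groups['kube-master']
# … unchanged: Add local dnsmasq to resolv.conf task …
```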
@@ -40,17 +39,14 @@
dest: /etc/dnsmasq.d/01-kube-dns.conf
mode: 755
backup: yes
- when: inventory_hostname in groups['kube-master']
- name: Create dnsmasq pod manifest
template: src=dnsmasq-pod.yml dest=/etc/kubernetes/manifests/dnsmasq-pod.manifest
- when: inventory_hostname in groups['kube-master']
- name: Check for dnsmasq port (pulling image and running container)
wait_for:
port: 53
delay: 5
- when: inventory_hostname in groups['kube-master']
- name: check resolvconf
stat: path=/etc/resolvconf/resolv.conf.d/head
From 58e1db6aaec83b4f71cd51889273f9ce9b71d4e7 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 13:32:53 +0100
Subject: [PATCH 4/8] update kubedns submodule
---
roles/apps/k8s-kubedns | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/apps/k8s-kubedns b/roles/apps/k8s-kubedns
index b5015aed8..d6df09a89 160000
--- a/roles/apps/k8s-kubedns
+++ b/roles/apps/k8s-kubedns
@@ -1 +1 @@
-Subproject commit b5015aed8ff5eed9c325911205cfbb23ad0e57be
+Subproject commit d6df09a89721d98e2969a8abf29b4eb5e787fca6
From 4c5735cef8b55104e92068cb503e3cc1a5d4f813 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 13:34:30 +0100
Subject: [PATCH 5/8] configure dnsmasq to listen on localhost only
---
roles/dnsmasq/templates/01-kube-dns.conf.j2 | 5 +++--
roles/dnsmasq/templates/dnsmasq-pod.yml | 2 --
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/roles/dnsmasq/templates/01-kube-dns.conf.j2 b/roles/dnsmasq/templates/01-kube-dns.conf.j2
index e9e8d62e0..7a46bee82 100644
--- a/roles/dnsmasq/templates/01-kube-dns.conf.j2
+++ b/roles/dnsmasq/templates/01-kube-dns.conf.j2
@@ -1,5 +1,6 @@
-#Listen on all interfaces
-interface=*
+#Listen on localhost
+bind-interfaces
+listen-address=127.0.0.1
addn-hosts=/etc/hosts
diff --git a/roles/dnsmasq/templates/dnsmasq-pod.yml b/roles/dnsmasq/templates/dnsmasq-pod.yml
index 70a826600..1150e14c7 100644
--- a/roles/dnsmasq/templates/dnsmasq-pod.yml
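Review bot: With the `when` guards gone, the "Write dnsmasq configuration" task now writes `/etc/dnsmasq.d/01-kube-dns.conf` on every node with `mode: 755` as an unquoted integer; Ansible's documented behaviour is that a mode without a leading zero is taken as decimal, and 755 decimal is 0o1363, i.e. world-writable with the sticky bit rather than 0755, so any local account on any node could edit what the node's resolver serves after its next restart. A config file also has no reason to be executable at all. Change it to a quoted octal string, `mode: "0644"`, and check the other file modes in this role the same way. The task's opening lines (name, `template:`, `src`) are above the hunk.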
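Review bot: `listen-address=127.0.0.1` with `bind-interfaces` only closes the open resolver if dnsmasq shares the node's network namespace; in a container with its own namespace a loopback-bound socket is unreachable from the host, and the sibling manifest change in this patch drops the only binding to 127.0.0.1 on the host side. The template does not say which case it assumes, so state it next to the new lines, e.g. `# dnsmasq runs in the host network namespace: bind only to loopback so the node is not an open resolver for other hosts`. Whether the pod actually uses hostNetwork is not visible in this hunk and should be confirmed against the pod manifest.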
+++ b/roles/dnsmasq/templates/dnsmasq-pod.yml
@@ -29,11 +29,9 @@ spec:
- name: dns
containerPort: 53
hostPort: 53
- hostIP: 127.0.0.1
protocol: UDP
- name: dns-tcp
containerPort: 53
- hostIP: 127.0.0.1
hostPort: 53
protocol: TCP
volumeMounts:
From 7cab7e5fefa0eb4bf7e6597da5136b3384032c29 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 13:47:07 +0100
Subject: [PATCH 6/8] restarting kubelet is sometimes required after docker restart
---
roles/network_plugin/handlers/main.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/roles/network_plugin/handlers/main.yml b/roles/network_plugin/handlers/main.yml
index a62817981..4a6e9e360 100644
--- a/roles/network_plugin/handlers/main.yml
+++ b/roles/network_plugin/handlers/main.yml
@@ -10,6 +10,7 @@
notify:
- reload systemd
- restart docker
+ - restart kubelet
- name: delete default docker bridge
command: ip link delete docker0
@@ -28,3 +29,8 @@
service:
name: docker
state: restarted
+
+- name: restart kubelet
+ service:
+ name: kubelet
+ state: restarted
From b54af6b42f1d6d16f09d829476dcc0a72120b5c5 Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Tue, 19 Jan 2016 13:49:33 +0100
Subject: [PATCH 7/8] reduce dns timeout
---
roles/dnsmasq/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index 97f4b4286..ccff170f9 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -85,7 +85,7 @@
backup: yes
follow: yes
with_items:
- - timeout:5
+ - timeout:2
- attempts:2
- name: disable resolv.conf modification by dhclient
From 10b2466d82e131f7dddf7391039003dc6d98296b Mon Sep 17 00:00:00 2001
From: Greg Althaus
Date: Tue, 19 Jan 2016 13:10:54 -0600
Subject: [PATCH 8/8] run_once only works if master[0] is first in inventory list of all nodes.
---
roles/kubernetes/node/tasks/secrets.yml | 1 -
1 file changed, 1 deletion(-)
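Review bot: Removing `hostIP: 127.0.0.1` leaves `hostPort: 53` published on every node address again, which runs against the intent of the series; if the pod does not use hostNetwork, the kubelet/docker port mapping would forward node-wide port 53 to a container in which dnsmasq now listens only on loopback, so the binding is either an open door or a dead one depending on the network mode. Either keep `hostIP: 127.0.0.1` on both ports so the host side stays loopback-only regardless of the mode, or drop the `hostPort` entries entirely and note in the manifest that the pod relies on `hostNetwork: true`. The pod's `spec` header, including any hostNetwork setting, is outside the hunk.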
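Review bot: Changing the item to `timeout:2` will not replace the `options timeout:5` line already written on provisioned nodes, because the task's `regexp` (`^options.*{{ item }}$`, above the hunk) embeds the value; the task appends `options timeout:2` and leaves the old line in place. glibc appears to apply each `options` line in order so the later value wins, but the file then no longer reflects a single declared state. Keying the match on the option name, `regexp: "^options\\s+{{ item.split(':')[0] }}:"`, makes value changes replace rather than append.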
diff --git a/roles/kubernetes/node/tasks/secrets.yml b/roles/kubernetes/node/tasks/secrets.yml
index 436d51926..e574e93f9 100644
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
@@ -14,7 +14,6 @@
group={{ kube_cert_group }}
- include: gen_certs.yml
- run_once: true
when: inventory_hostname == groups['kube-master'][0]
- include: gen_tokens.yml