From 8b151d12b91f1cf2d56a7cba3a9822bfec4c68e1 Mon Sep 17 00:00:00 2001 
From: Brad Beam Date: Thu, 24 Aug 2017 04:09:52 -0500 Subject: [PATCH] Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements --- .gitlab-ci.yml | 17 ++-- .yamllint | 16 ++++ roles/bootstrap-os/tasks/bootstrap-coreos.yml | 1 - roles/bootstrap-os/tasks/main.yml | 1 - roles/bootstrap-os/tasks/setup-pipelining.yml | 1 - roles/dnsmasq/defaults/main.yml | 8 +- roles/dnsmasq/tasks/main.yml | 1 - .../dnsmasq/templates/dnsmasq-autoscaler.yml | 26 +++--- roles/dnsmasq/templates/dnsmasq-deploy.yml | 2 - roles/docker/defaults/main.yml | 1 + roles/docker/handlers/main.yml | 2 +- roles/docker/tasks/main.yml | 14 +-- roles/docker/tasks/set_facts_dns.yml | 2 +- roles/docker/vars/debian.yml | 1 + roles/docker/vars/fedora-20.yml | 1 + roles/docker/vars/fedora.yml | 1 + roles/docker/vars/redhat.yml | 3 +- roles/download/defaults/main.yml | 2 +- roles/download/tasks/main.yml | 2 +- roles/etcd/defaults/main.yml | 2 +- roles/etcd/handlers/backup.yml | 1 - roles/etcd/handlers/main.yml | 1 - roles/etcd/tasks/check_certs.yml | 1 - roles/etcd/tasks/gen_certs_script.yml | 39 ++++----- roles/etcd/tasks/gen_certs_vault.yml | 11 +-- roles/etcd/tasks/install_docker.yml | 34 ++++---- roles/etcd/tasks/pre_upgrade.yml | 1 + roles/etcd/tasks/refresh_config.yml | 2 +- roles/etcd/tasks/sync_etcd_master_certs.yml | 4 +- roles/etcd/tasks/sync_etcd_node_certs.yml | 6 +- .../templates/{etcd.env.yml => etcd.env.j2} | 0 roles/kernel-upgrade/defaults/main.yml | 7 +- .../kubernetes-apps/ansible/defaults/main.yml | 3 +- roles/kubernetes-apps/ansible/tasks/main.yml | 4 +- .../ansible/tasks/netchecker.yml | 3 +- .../kubedns-autoscaler-clusterrole.yml | 1 + .../kubedns-autoscaler-clusterrolebinding.yml | 1 + .../templates/kubedns-autoscaler-sa.yml | 1 + ...toscaler.yml => kubedns-autoscaler.yml.j2} | 23 ++--- 
...bedns-deploy.yml => kubedns-deploy.yml.j2} | 1 + .../ansible/templates/kubedns-sa.yml | 1 + .../ansible/templates/kubedns-svc.yml | 2 +- .../efk/elasticsearch/defaults/main.yml | 2 +- .../efk/elasticsearch/meta/main.yml | 1 + .../efk/elasticsearch/tasks/main.yml | 1 - .../templates/efk-clusterrolebinding.yml | 1 + .../efk/elasticsearch/templates/efk-sa.yml | 1 + .../efk/fluentd/defaults/main.yml | 2 +- .../kubernetes-apps/efk/fluentd/meta/main.yml | 1 + .../efk/fluentd/tasks/main.yml | 1 - .../efk/kibana/defaults/main.yml | 2 +- .../kubernetes-apps/efk/kibana/meta/main.yml | 1 + .../kubernetes-apps/efk/kibana/tasks/main.yml | 4 +- roles/kubernetes-apps/efk/meta/main.yml | 1 + roles/kubernetes-apps/helm/defaults/main.yml | 1 + roles/kubernetes-apps/helm/meta/main.yml | 1 + .../templates/tiller-clusterrolebinding.yml | 1 + .../helm/templates/tiller-sa.yml | 1 + roles/kubernetes-apps/meta/main.yml | 1 + .../network_plugin/canal/tasks/main.yml | 4 +- .../network_plugin/meta/main.yml | 12 +-- .../network_plugin/weave/tasks/main.yml | 5 +- .../calico/defaults/main.yml | 1 + .../policy_controller/calico/tasks/main.yml | 1 + roles/kubernetes/master/defaults/main.yml | 5 +- roles/kubernetes/master/tasks/main.yml | 1 - roles/kubernetes/node/defaults/main.yml | 3 +- roles/kubernetes/node/tasks/install.yml | 1 - roles/kubernetes/node/tasks/install_rkt.yml | 5 +- roles/kubernetes/preinstall/handlers/main.yml | 1 + .../tasks/azure-credential-check.yml | 2 - roles/kubernetes/preinstall/tasks/main.yml | 16 ++-- .../tasks/vsphere-credential-check.yml | 1 + roles/kubernetes/preinstall/vars/centos.yml | 1 + roles/kubernetes/preinstall/vars/debian.yml | 1 + roles/kubernetes/preinstall/vars/fedora.yml | 1 + roles/kubernetes/preinstall/vars/redhat.yml | 1 + .../kubernetes/secrets/tasks/check-certs.yml | 1 - .../secrets/tasks/gen_certs_script.yml | 45 +++++----- .../secrets/tasks/gen_certs_vault.yml | 6 +- .../secrets/tasks/sync_kube_node_certs.yml | 4 +- 
roles/kubespray-defaults/defaults/main.yaml | 7 +- roles/kubespray-defaults/tasks/main.yaml | 1 + roles/network_plugin/calico/handlers/main.yml | 2 +- .../calico/rr/handlers/main.yml | 2 +- roles/network_plugin/calico/rr/meta/main.yml | 1 + roles/network_plugin/canal/defaults/main.yml | 2 +- roles/network_plugin/cloud/tasks/main.yml | 1 - .../network_plugin/flannel/handlers/main.yml | 2 +- .../flannel/templates/flannel-pod.yml | 86 +++++++++---------- roles/network_plugin/meta/main.yml | 28 +++--- .../weave/tasks/pre-upgrade.yml | 1 + roles/rkt/tasks/install.yml | 14 +-- roles/upgrade/post-upgrade/tasks/main.yml | 2 - roles/upgrade/pre-upgrade/defaults/main.yml | 2 +- roles/vault/defaults/main.yml | 2 +- .../tasks/bootstrap/create_etcd_role.yml | 3 +- .../tasks/bootstrap/start_vault_temp.yml | 3 +- .../tasks/bootstrap/sync_vault_certs.yml | 2 - roles/vault/tasks/cluster/main.yml | 3 +- roles/vault/tasks/shared/auth_backend.yml | 3 +- roles/vault/tasks/shared/check_vault.yml | 5 +- roles/vault/tasks/shared/find_leader.yml | 2 +- roles/vault/tasks/shared/gen_userpass.yml | 2 +- roles/vault/tasks/shared/issue_cert.yml | 2 +- tests/requirements.txt | 5 ++ 106 files changed, 301 insertions(+), 274 deletions(-) create mode 100644 .yamllint rename roles/etcd/templates/{etcd.env.yml => etcd.env.j2} (100%) rename roles/kubernetes-apps/ansible/templates/{kubedns-autoscaler.yml => kubedns-autoscaler.yml.j2} (72%) rename roles/kubernetes-apps/ansible/templates/{kubedns-deploy.yml => kubedns-deploy.yml.j2} (99%) create mode 100644 tests/requirements.txt diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 948ef2983..6a456f9df 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -18,10 +18,7 @@ variables: # us-west1-a before_script: - - pip install ansible==2.3.0 - - pip install netaddr - - pip install apache-libcloud==0.20.1 - - pip install boto==2.9.0 + - pip install -r tests/requirements.txt - mkdir -p /.ssh - cp tests/ansible.cfg . 
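Review bot: The exact pins removed here (`ansible==2.3.0`, `apache-libcloud==0.20.1`, `boto==2.9.0`) are now only as reproducible as `tests/requirements.txt`, which is not part of this chunk; confirm that file keeps `==` pins for every package (`netaddr` was already unpinned before this change and is worth pinning while the file is being created). Installing it with `pip install --require-hashes -r tests/requirements.txt` would additionally stop a CI run from silently picking up a different artifact for the same version. The same replacement is made in the second `before_script` hunk.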
@@ -75,10 +72,7 @@ before_script: - $HOME/.cache before_script: - docker info - - pip install ansible==2.3.0 - - pip install netaddr - - pip install apache-libcloud==0.20.1 - - pip install boto==2.9.0 + - pip install -r tests/requirements.txt - mkdir -p /.ssh - mkdir -p $HOME/.ssh - echo $PRIVATE_KEY | base64 -d > $HOME/.ssh/id_rsa @@ -642,6 +636,13 @@ syntax-check: - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root -b --become-user=root extra_playbooks/upgrade-only-k8s.yml -vvv --syntax-check except: ['triggers', 'master'] +yamllint: + <<: *job + stage: unit-tests + script: + - yamllint roles + except: ['triggers', 'master'] + tox-inventory-builder: stage: unit-tests <<: *job diff --git a/.yamllint b/.yamllint new file mode 100644 index 000000000..50e7b167e --- /dev/null +++ b/.yamllint @@ -0,0 +1,16 @@ +--- +extends: default + +rules: + braces: + min-spaces-inside: 0 + max-spaces-inside: 1 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 1 + indentation: + spaces: 2 + indent-sequences: consistent + line-length: disable + new-line-at-end-of-file: disable + truthy: disable diff --git a/roles/bootstrap-os/tasks/bootstrap-coreos.yml b/roles/bootstrap-os/tasks/bootstrap-coreos.yml index 892da1c04..2a2271055 100644 --- a/roles/bootstrap-os/tasks/bootstrap-coreos.yml +++ b/roles/bootstrap-os/tasks/bootstrap-coreos.yml @@ -49,4 +49,3 @@ pip: name: "{{ item }}" with_items: "{{pip_python_modules}}" - diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml index 73268031e..e7cb01b13 100644 --- a/roles/bootstrap-os/tasks/main.yml +++ b/roles/bootstrap-os/tasks/main.yml @@ -27,4 +27,3 @@ hostname: name: "{{inventory_hostname}}" when: ansible_hostname == 'localhost' - diff --git a/roles/bootstrap-os/tasks/setup-pipelining.yml b/roles/bootstrap-os/tasks/setup-pipelining.yml index 7143f260e..559cef25e 100644 --- a/roles/bootstrap-os/tasks/setup-pipelining.yml +++ b/roles/bootstrap-os/tasks/setup-pipelining.yml 
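Review bot: The new `yamllint` job runs `yamllint roles`, so `.gitlab-ci.yml` itself, `inventory/`, `tests/` and the top-level playbooks are never linted even though the commit adds a repository-wide `.yamllint`; `yamllint .` would cover them with the same rule set. The job relies entirely on `<<: *job` for its image and on the shared `before_script` for `pip install -r tests/requirements.txt`, which is where `yamllint` is now expected to come from per the commit message — worth confirming, since the anchor is defined outside this hunk. Placing `<<: *job` before `stage:` here while `tox-inventory-builder` places it after is harmless (explicit keys win regardless of position) but reads inconsistently.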
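Review bot: `truthy: disable` in the new `.yamllint` turns off the one rule that catches `yes`/`no`/`on`/`off` being read as booleans, a hazard in Ansible role files where such values differ between YAML 1.1 and 1.2 loaders; keeping it non-fatal with `truthy: {level: warning}` would surface the cases without failing the pipeline. `new-line-at-end-of-file: disable` also contradicts the cleanup of trailing blank lines that this same patch performs across the roles, so the default is probably what the author wants once the offending files are fixed. Adding the `---` to every file the commit touches matches the `document-start` rule inherited from `extends: default`, which is fine, but the `.yamllint` file should say so in a comment so the next person does not disable that one too.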
@@ -6,4 +6,3 @@ regexp: '^\w+\s+requiretty' dest: /etc/sudoers state: absent - diff --git a/roles/dnsmasq/defaults/main.yml b/roles/dnsmasq/defaults/main.yml index bf670c788..15fb7f169 100644 --- a/roles/dnsmasq/defaults/main.yml +++ b/roles/dnsmasq/defaults/main.yml @@ -4,12 +4,12 @@ # Max of 4 names is allowed and no more than 256 - 17 chars total # (a 2 is reserved for the 'default.svc.' and'svc.') -#searchdomains: -# - foo.bar.lc +# searchdomains: +# - foo.bar.lc # Max of 2 is allowed here (a 1 is reserved for the dns_server) -#nameservers: -# - 127.0.0.1 +# nameservers: +# - 127.0.0.1 dns_forward_max: 150 cache_size: 1000 diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index edc50703d..56ec80d98 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml @@ -86,4 +86,3 @@ port: 53 timeout: 180 when: inventory_hostname == groups['kube-node'][0] and groups['kube-node'][0] in ansible_play_hosts - diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml index 4e5e2ddcc..aff99f08d 100644 --- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml +++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml @@ -1,3 +1,4 @@ +--- # Copyright 2016 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -34,17 +35,16 @@ spec: - name: autoscaler image: gcr.io/google_containers/cluster-proportional-autoscaler-amd64:1.1.1 resources: - requests: - cpu: "20m" - memory: "10Mi" + requests: + cpu: "20m" + memory: "10Mi" command: - - /cluster-proportional-autoscaler - - --namespace=kube-system - - --configmap=dnsmasq-autoscaler - - --target=Deployment/dnsmasq - # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate. - # If using small nodes, "nodesPerReplica" should dominate. - - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}} - - --logtostderr=true - - --v={{ kube_log_level }} - + - /cluster-proportional-autoscaler + - --namespace=kube-system + - --configmap=dnsmasq-autoscaler + - --target=Deployment/dnsmasq + # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate. + # If using small nodes, "nodesPerReplica" should dominate. + - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}} + - --logtostderr=true + - --v={{ kube_log_level }} diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index e811e1995..6f11363b3 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -35,7 +35,6 @@ spec: capabilities: add: - NET_ADMIN - imagePullPolicy: IfNotPresent resources: limits: cpu: {{ dns_cpu_limit }} @@ -64,4 +63,3 @@ spec: hostPath: path: /etc/dnsmasq.d-available dnsPolicy: Default # Don't use cluster DNS. - diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index e262d908a..fa29b32f2 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1,3 +1,4 @@ +--- docker_version: '1.13' docker_package_info: diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 90d7aacb8..a43d843ee 100644 
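Review bot: Dropping `imagePullPolicy: IfNotPresent` from the dnsmasq container in `dnsmasq-deploy.yml` is a behaviour change rather than a lint fix unless it was a duplicate key, which the three lines of context in the hunk cannot show; with no policy set, Kubernetes uses `Always` for `:latest`-tagged images and `IfNotPresent` otherwise, so a floating tag on this image (not visible here) would make every pod restart go back to the registry. If a second `imagePullPolicy` exists elsewhere in the container spec the removal is correct and a note in the commit message would save the next reader the same check; otherwise the line should be restored.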
--- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -8,7 +8,7 @@ - Docker | pause while Docker restarts - Docker | wait for docker -- name : Docker | reload systemd +- name: Docker | reload systemd shell: systemctl daemon-reload - name: Docker | reload docker.socket diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 09240bf9d..ef7e7fe8d 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -3,14 +3,14 @@ include_vars: "{{ item }}" with_first_found: - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}.yml" - - defaults.yml + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}.yml" + - defaults.yml paths: - - ../vars + - ../vars skip: true tags: facts diff --git a/roles/docker/tasks/set_facts_dns.yml b/roles/docker/tasks/set_facts_dns.yml index 64a09bff2..13f342ea9 100644 --- a/roles/docker/tasks/set_facts_dns.yml +++ b/roles/docker/tasks/set_facts_dns.yml @@ -48,7 +48,7 @@ - name: add system search domains to docker options set_fact: docker_dns_search_domains: "{{ docker_dns_search_domains | union(system_search_domains.stdout.split(' ')|default([])) | unique }}" - when: system_search_domains.stdout != "" + when: system_search_domains.stdout != "" - name: check number of nameservers fail: 
diff --git a/roles/docker/vars/debian.yml b/roles/docker/vars/debian.yml index a4689ffbc..240e86ea4 100644 --- a/roles/docker/vars/debian.yml +++ b/roles/docker/vars/debian.yml @@ -1,3 +1,4 @@ +--- docker_kernel_min_version: '3.10' # https://apt.dockerproject.org/repo/dists/debian-wheezy/main/filelist diff --git a/roles/docker/vars/fedora-20.yml b/roles/docker/vars/fedora-20.yml index c74cd9f28..31d431ee8 100644 --- a/roles/docker/vars/fedora-20.yml +++ b/roles/docker/vars/fedora-20.yml @@ -1,3 +1,4 @@ +--- docker_kernel_min_version: '0' # versioning: docker-io itself is pinned at docker 1.5 diff --git a/roles/docker/vars/fedora.yml b/roles/docker/vars/fedora.yml index f89c90a52..b82e5fc30 100644 --- a/roles/docker/vars/fedora.yml +++ b/roles/docker/vars/fedora.yml @@ -1,3 +1,4 @@ +--- docker_kernel_min_version: '0' # https://docs.docker.com/engine/installation/linux/fedora/#install-from-a-package diff --git a/roles/docker/vars/redhat.yml b/roles/docker/vars/redhat.yml index 7abf2cda7..8b20def55 100644 --- a/roles/docker/vars/redhat.yml +++ b/roles/docker/vars/redhat.yml @@ -1,3 +1,4 @@ +--- docker_kernel_min_version: '0' # https://yum.dockerproject.org/repo/main/centos/7/Packages/ @@ -8,7 +9,7 @@ docker_versioned_pkg: '1.12': docker-engine-1.12.6-1.el7.centos '1.13': docker-engine-1.13.1-1.el7.centos 'stable': docker-engine-17.03.0.ce-1.el7.centos - 'edge': docker-engine-17.03.0.ce-1.el7.centos + 'edge': docker-engine-17.03.0.ce-1.el7.centos # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package # https://download.docker.com/linux/centos/7/x86_64/stable/Packages/ diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index e5a4aa31b..e5d24072b 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml 
@@ -20,7 +20,7 @@ download_always_pull: False # Versions kube_version: v1.7.3 etcd_version: v3.2.4 -#TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults +# TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults # after migration to container download calico_version: "v1.1.3" calico_cni_version: "v1.8.0" diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index 24d1b5bca..f9ae253d1 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml @@ -111,7 +111,7 @@ - download.enabled|bool - download.container|bool -#NOTE(bogdando) this brings no docker-py deps for nodes +# NOTE(bogdando) this brings no docker-py deps for nodes - name: Download containers if pull is required or told to always pull command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}" register: pull_task_result diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml index 7d1d976af..6b6fde38d 100644 --- a/roles/etcd/defaults/main.yml +++ b/roles/etcd/defaults/main.yml @@ -21,7 +21,7 @@ etcd_metrics: "basic" etcd_memory_limit: 512M # Uncomment to set CPU share for etcd -#etcd_cpu_limit: 300m +# etcd_cpu_limit: 300m etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) }}" diff --git a/roles/etcd/handlers/backup.yml b/roles/etcd/handlers/backup.yml index 68fe71f07..7ec42f4b6 100644 --- a/roles/etcd/handlers/backup.yml +++ b/roles/etcd/handlers/backup.yml @@ -43,4 +43,3 @@ ETCDCTL_API: 3 retries: 3 delay: "{{ retry_stagger | random + 3 }}" - diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml index 45da999ee..2575c25a4 100644 --- a/roles/etcd/handlers/main.yml +++ b/roles/etcd/handlers/main.yml @@ -30,4 +30,3 @@ - name: set etcd_secret_changed set_fact: etcd_secret_changed: true - diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml index fe96ea01c..8795fe820 100644 --- a/roles/etcd/tasks/check_certs.yml 
+++ b/roles/etcd/tasks/check_certs.yml @@ -66,4 +66,3 @@ {%- set _ = certs.update({'sync': True}) -%} {% endif %} {{ certs.sync }} - diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml index f70c6ee21..000f6842b 100644 --- a/roles/etcd/tasks/gen_certs_script.yml +++ b/roles/etcd/tasks/gen_certs_script.yml @@ -73,11 +73,10 @@ 'member-{{ node }}-key.pem', {% endfor %}]" my_master_certs: ['ca-key.pem', - 'admin-{{ inventory_hostname }}.pem', - 'admin-{{ inventory_hostname }}-key.pem', - 'member-{{ inventory_hostname }}.pem', - 'member-{{ inventory_hostname }}-key.pem' - ] + 'admin-{{ inventory_hostname }}.pem', + 'admin-{{ inventory_hostname }}-key.pem', + 'member-{{ inventory_hostname }}.pem', + 'member-{{ inventory_hostname }}-key.pem'] all_node_certs: "['ca.pem', {% for node in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %} 'node-{{ node }}.pem', 
@@ -111,22 +110,22 @@ sync_certs|default(false) and inventory_hostname not in groups['etcd'] notify: set etcd_secret_changed -#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k -#char limit when using shell command - -#FIXME(mattymo): Use tempfile module in ansible 2.3 -- name: Gen_certs | Prepare tempfile for unpacking certs - shell: mktemp /tmp/certsXXXXX.tar.gz - register: cert_tempfile - when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and - inventory_hostname != groups['etcd'][0] +# NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k +# char limit when using shell command -- name: Gen_certs | Write master certs to tempfile - copy: - content: "{{etcd_master_cert_data.stdout}}" - dest: "{{cert_tempfile.stdout}}" - owner: root - mode: "0600" +# FIXME(mattymo): Use tempfile module in ansible 2.3 +- name: Gen_certs | Prepare tempfile for unpacking certs + shell: mktemp /tmp/certsXXXXX.tar.gz + register: cert_tempfile + when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and + inventory_hostname != groups['etcd'][0] + +- name: Gen_certs | Write master certs to tempfile + copy: + content: "{{etcd_master_cert_data.stdout}}" + dest: "{{cert_tempfile.stdout}}" + owner: root + mode: "0600" when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and inventory_hostname != groups['etcd'][0] diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/roles/etcd/tasks/gen_certs_vault.yml index a0bf6cfdc..e59d376e9 100644 --- a/roles/etcd/tasks/gen_certs_vault.yml +++ b/roles/etcd/tasks/gen_certs_vault.yml @@ -7,7 +7,6 @@ when: inventory_hostname in etcd_node_cert_hosts tags: etcd-secrets - - name: gen_certs_vault | Read in the local credentials command: cat /etc/vault/roles/etcd/userpass register: etcd_vault_creds_cat 
@@ -33,15 +32,15 @@ - name: gen_certs_vault | Set fact for vault_client_token set_fact: - vault_client_token: "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}" + vault_client_token: "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}" run_once: true - name: gen_certs_vault | Set fact for Vault API token set_fact: etcd_vault_headers: - Accept: application/json - Content-Type: application/json - X-Vault-Token: "{{ vault_client_token }}" + Accept: application/json + Content-Type: application/json + X-Vault-Token: "{{ vault_client_token }}" run_once: true when: vault_client_token != "" @@ -96,5 +95,3 @@ with_items: "{{ etcd_node_certs_needed|d([]) }}" when: inventory_hostname in etcd_node_cert_hosts notify: set etcd_secret_changed - - diff --git a/roles/etcd/tasks/install_docker.yml b/roles/etcd/tasks/install_docker.yml index f87caeb4c..76eead2a2 100644 --- a/roles/etcd/tasks/install_docker.yml +++ b/roles/etcd/tasks/install_docker.yml @@ -1,5 +1,5 @@ --- -#Plan A: no docker-py deps +# Plan A: no docker-py deps - name: Install | Copy etcdctl binary from docker container command: sh -c "{{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy; {{ docker_bin_dir }}/docker create --name etcdctl-binarycopy {{ etcd_image_repo }}:{{ etcd_image_tag }} && 
@@ -12,21 +12,21 @@ delay: "{{ retry_stagger | random + 3 }}" changed_when: false -#Plan B: looks nicer, but requires docker-py on all hosts: -#- name: Install | Set up etcd-binarycopy container -# docker: -# name: etcd-binarycopy -# state: present -# image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}" -# when: etcd_deployment_type == "docker" +# Plan B: looks nicer, but requires docker-py on all hosts: +# - name: Install | Set up etcd-binarycopy container +# docker: +# name: etcd-binarycopy +# state: present +# image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}" +# when: etcd_deployment_type == "docker" # -#- name: Install | Copy etcdctl from etcd-binarycopy container -# command: /usr/bin/docker cp "etcd-binarycopy:{{ etcd_container_bin_dir }}etcdctl" "{{ bin_dir }}/etcdctl" -# when: etcd_deployment_type == "docker" +# - name: Install | Copy etcdctl from etcd-binarycopy container +# command: /usr/bin/docker cp "etcd-binarycopy:{{ etcd_container_bin_dir }}etcdctl" "{{ bin_dir }}/etcdctl" +# when: etcd_deployment_type == "docker" # -#- name: Install | Clean up etcd-binarycopy container -# docker: -# name: etcd-binarycopy -# state: absent -# image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}" -# when: etcd_deployment_type == "docker" +# - name: Install | Clean up etcd-binarycopy container +# docker: +# name: etcd-binarycopy +# state: absent +# image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}" +# when: etcd_deployment_type == "docker" diff --git a/roles/etcd/tasks/pre_upgrade.yml b/roles/etcd/tasks/pre_upgrade.yml index 0f171094a..e86a0d947 100644 --- a/roles/etcd/tasks/pre_upgrade.yml +++ b/roles/etcd/tasks/pre_upgrade.yml @@ -1,3 +1,4 @@ +--- - name: "Pre-upgrade | check for etcd-proxy unit file" stat: path: /etc/systemd/system/etcd-proxy.service diff --git a/roles/etcd/tasks/refresh_config.yml b/roles/etcd/tasks/refresh_config.yml index e6f8186d3..0691d1df9 100644 --- a/roles/etcd/tasks/refresh_config.yml +++ b/roles/etcd/tasks/refresh_config.yml 
@@ -1,7 +1,7 @@ --- - name: Refresh config | Create etcd config file template: - src: etcd.env.yml + src: etcd.env.j2 dest: /etc/etcd.env notify: restart etcd when: is_etcd_master diff --git a/roles/etcd/tasks/sync_etcd_master_certs.yml b/roles/etcd/tasks/sync_etcd_master_certs.yml index 27ce303e9..d436c97f5 100644 --- a/roles/etcd/tasks/sync_etcd_master_certs.yml +++ b/roles/etcd/tasks/sync_etcd_master_certs.yml @@ -1,7 +1,7 @@ --- - name: sync_etcd_master_certs | Create list of master certs needing creation - set_fact: + set_fact: etcd_master_cert_list: >- {{ etcd_master_cert_list|default([]) + [ "admin-" + item + ".pem", @@ -11,7 +11,7 @@ run_once: true - include: ../../vault/tasks/shared/sync_file.yml - vars: + vars: sync_file: "{{ item }}" sync_file_dir: "{{ etcd_cert_dir }}" sync_file_hosts: "{{ groups.etcd }}" diff --git a/roles/etcd/tasks/sync_etcd_node_certs.yml b/roles/etcd/tasks/sync_etcd_node_certs.yml index 2f82dcffd..e535168fc 100644 --- a/roles/etcd/tasks/sync_etcd_node_certs.yml +++ b/roles/etcd/tasks/sync_etcd_node_certs.yml @@ -1,12 +1,12 @@ --- - name: sync_etcd_node_certs | Create list of node certs needing creation - set_fact: + set_fact: etcd_node_cert_list: "{{ etcd_node_cert_list|default([]) + ['node-' + item + '.pem'] }}" with_items: "{{ etcd_node_cert_hosts }}" - include: ../../vault/tasks/shared/sync_file.yml - vars: + vars: sync_file: "{{ item }}" sync_file_dir: "{{ etcd_cert_dir }}" sync_file_hosts: "{{ etcd_node_cert_hosts }}" @@ -24,7 +24,7 @@ sync_file_results: [] - include: ../../vault/tasks/shared/sync_file.yml - vars: + vars: sync_file: ca.pem sync_file_dir: "{{ etcd_cert_dir }}" sync_file_hosts: "{{ etcd_node_cert_hosts }}" diff --git a/roles/etcd/templates/etcd.env.yml b/roles/etcd/templates/etcd.env.j2 similarity index 100% rename from roles/etcd/templates/etcd.env.yml rename to roles/etcd/templates/etcd.env.j2 
diff --git a/roles/kernel-upgrade/defaults/main.yml b/roles/kernel-upgrade/defaults/main.yml index 8a1116785..688e6e018 100644 --- a/roles/kernel-upgrade/defaults/main.yml +++ b/roles/kernel-upgrade/defaults/main.yml @@ -1,9 +1,8 @@ --- - elrepo_key_url: 'https://www.elrepo.org/RPM-GPG-KEY-elrepo.org' -elrepo_rpm : elrepo-release-7.0-3.el7.elrepo.noarch.rpm -elrepo_mirror : http://www.elrepo.org +elrepo_rpm: elrepo-release-7.0-3.el7.elrepo.noarch.rpm +elrepo_mirror: http://www.elrepo.org -elrepo_url : '{{elrepo_mirror}}/{{elrepo_rpm}}' +elrepo_url: '{{elrepo_mirror}}/{{elrepo_rpm}}' elrepo_kernel_package: "kernel-lt" diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index d42b2ffed..42c4a027d 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -1,5 +1,6 @@ +--- # Versions -kubedns_version : 1.14.2 +kubedns_version: 1.14.2 kubednsautoscaler_version: 1.1.1 # Limits for dnsmasq/kubedns apps diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index e7bd934de..4f9b6ef1d 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml 
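Review bot: `elrepo_mirror: http://www.elrepo.org` is carried onto the new side unchanged, so the kernel RPM built from `elrepo_url` is still downloaded over plain HTTP while the signing key on the line above comes over HTTPS; unless the install step verifies the RPM signature against that key before use (not visible in this file), an on-path attacker can substitute the kernel package. The same host already serves the key over TLS, so `elrepo_mirror: https://www.elrepo.org` is the smallest fix, and the package task should be confirmed to leave GPG checking enabled (`disable_gpg_check: false` on the `yum` module) either way.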
@@ -14,12 +14,12 @@ dest: "{{kube_config_dir}}/{{item.file}}" with_items: - {name: kubedns, file: kubedns-sa.yml, type: sa} - - {name: kubedns, file: kubedns-deploy.yml, type: deployment} + - {name: kubedns, file: kubedns-deploy.yml.j2, type: deployment} - {name: kubedns, file: kubedns-svc.yml, type: svc} - {name: kubedns-autoscaler, file: kubedns-autoscaler-sa.yml, type: sa} - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrole.yml, type: clusterrole} - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding} - - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} + - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml.j2, type: deployment} register: manifests when: - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] diff --git a/roles/kubernetes-apps/ansible/tasks/netchecker.yml b/roles/kubernetes-apps/ansible/tasks/netchecker.yml index 2d88b288c..ca8535c2a 100644 --- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml +++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml @@ -1,3 +1,4 @@ +--- - name: Kubernetes Apps | Lay Down Netchecker Template template: src: "{{item.file}}" @@ -24,7 +25,7 @@ state: absent when: inventory_hostname == groups['kube-master'][0] -#FIXME: remove if kubernetes/features#124 is implemented +# FIXME: remove if kubernetes/features#124 is implemented - name: Kubernetes Apps | Purge old Netchecker daemonsets kube: name: "{{item.item.name}}" diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml index a194426c6..f80d3d90c 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml 
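Review bot: Because this task's `dest` is `"{{kube_config_dir}}/{{item.file}}"`, renaming the `file` entries to `kubedns-deploy.yml.j2` and `kubedns-autoscaler.yml.j2` makes the rendered manifests land on the master with a `.j2` suffix rather than as `.yml` files; that keeps working only while every consumer of `manifests` goes through `item.item.file`, and it leaves template-suffixed files in the config directory that any `*.yml` glob or a manual `kubectl apply -f` would skip. Keeping `file: kubedns-deploy.yml` as the on-disk name and carrying the template name separately, e.g. `- {name: kubedns, file: kubedns-deploy.yml, src: kubedns-deploy.yml.j2, type: deployment}` with the task's `src:` reading `"{{item.src | default(item.file)}}"`, would avoid that. The `src:` line of this task sits above the hunk, so that change touches lines outside it.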
@@ -1,3 +1,4 @@ +--- # Copyright 2016 The Kubernetes Authors. All rights reserved # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml index a368ae333..eb76f2d4e 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml @@ -1,3 +1,4 @@ +--- # Copyright 2016 The Kubernetes Authors. All rights reserved # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml index 9544a7dd9..542ae86ce 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml @@ -1,3 +1,4 @@ +--- # Copyright 2016 The Kubernetes Authors. All rights reserved # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 similarity index 72% rename from roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml rename to roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 index 9e0462290..04f93fd84 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 @@ -1,3 +1,4 @@ +--- # Copyright 2016 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -34,18 +35,18 @@ spec: - name: autoscaler image: "{{ kubednsautoscaler_image_repo }}:{{ kubednsautoscaler_image_tag }}" resources: - requests: - cpu: "20m" - memory: "10Mi" + requests: + cpu: "20m" + memory: "10Mi" command: - - /cluster-proportional-autoscaler - - --namespace={{ system_namespace }} - - --configmap=kubedns-autoscaler - # Should keep target in sync with cluster/addons/dns/kubedns-controller.yaml.base - - --target=Deployment/kube-dns - - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}} - - --logtostderr=true - - --v=2 + - /cluster-proportional-autoscaler + - --namespace={{ system_namespace }} + - --configmap=kubedns-autoscaler + # Should keep target in sync with cluster/addons/dns/kubedns-controller.yaml.base + - --target=Deployment/kube-dns + - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}} + - --logtostderr=true + - --v=2 {% if rbac_enabled %} serviceAccountName: cluster-proportional-autoscaler {% endif %} diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 similarity index 99% rename from roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml rename to roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 index 7e4615676..149a16ebd 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 @@ -1,3 +1,4 @@ +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml b/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml index e520ccbfc..f399fd6f4 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: ServiceAccount metadata: 
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-svc.yml b/roles/kubernetes-apps/ansible/templates/kubedns-svc.yml index 0565a01e8..1c4710db1 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-svc.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-svc.yml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Service metadata: @@ -19,4 +20,3 @@ spec: - name: dns-tcp port: 53 protocol: TCP - diff --git a/roles/kubernetes-apps/efk/elasticsearch/defaults/main.yml b/roles/kubernetes-apps/efk/elasticsearch/defaults/main.yml index e5af87425..d38ba6a6b 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/defaults/main.yml +++ b/roles/kubernetes-apps/efk/elasticsearch/defaults/main.yml @@ -1,5 +1,5 @@ --- -elasticsearch_cpu_limit: 1000m +elasticsearch_cpu_limit: 1000m elasticsearch_mem_limit: 0M elasticsearch_cpu_requests: 100m elasticsearch_mem_requests: 0M diff --git a/roles/kubernetes-apps/efk/elasticsearch/meta/main.yml b/roles/kubernetes-apps/efk/elasticsearch/meta/main.yml index cd0a80606..3dc6f3ca1 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/meta/main.yml +++ b/roles/kubernetes-apps/efk/elasticsearch/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: download file: "{{ downloads.elasticsearch }}" diff --git a/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml b/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml index 7e3626571..de514b563 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml +++ b/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml @@ -38,4 +38,3 @@ command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n {{ system_namespace }}" run_once: true when: es_service_manifest.changed - diff --git a/roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml b/roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml index 2c11e566b..a5aba61ae 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml 
+++ b/roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml @@ -1,3 +1,4 @@ +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml b/roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml index b73c2a49d..e79e26be8 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml +++ b/roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/roles/kubernetes-apps/efk/fluentd/defaults/main.yml b/roles/kubernetes-apps/efk/fluentd/defaults/main.yml index eeb95b71a..e8d93732c 100644 --- a/roles/kubernetes-apps/efk/fluentd/defaults/main.yml +++ b/roles/kubernetes-apps/efk/fluentd/defaults/main.yml @@ -1,5 +1,5 @@ --- -fluentd_cpu_limit: 0m +fluentd_cpu_limit: 0m fluentd_mem_limit: 200Mi fluentd_cpu_requests: 100m fluentd_mem_requests: 200Mi diff --git a/roles/kubernetes-apps/efk/fluentd/meta/main.yml b/roles/kubernetes-apps/efk/fluentd/meta/main.yml index 1ba777c76..0e1e03813 100644 --- a/roles/kubernetes-apps/efk/fluentd/meta/main.yml +++ b/roles/kubernetes-apps/efk/fluentd/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: download file: "{{ downloads.fluentd }}" diff --git a/roles/kubernetes-apps/efk/fluentd/tasks/main.yml b/roles/kubernetes-apps/efk/fluentd/tasks/main.yml index 31b41412e..c91bf6827 100644 --- a/roles/kubernetes-apps/efk/fluentd/tasks/main.yml +++ b/roles/kubernetes-apps/efk/fluentd/tasks/main.yml @@ -20,4 +20,3 @@ command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n {{ system_namespace }}" run_once: true when: fluentd_ds_manifest.changed - diff --git a/roles/kubernetes-apps/efk/kibana/defaults/main.yml b/roles/kubernetes-apps/efk/kibana/defaults/main.yml index ad6215c93..baf07cdf2 100644 --- a/roles/kubernetes-apps/efk/kibana/defaults/main.yml 
+++ b/roles/kubernetes-apps/efk/kibana/defaults/main.yml @@ -1,5 +1,5 @@ --- -kibana_cpu_limit: 100m +kibana_cpu_limit: 100m kibana_mem_limit: 0M kibana_cpu_requests: 100m kibana_mem_requests: 0M diff --git a/roles/kubernetes-apps/efk/kibana/meta/main.yml b/roles/kubernetes-apps/efk/kibana/meta/main.yml index 34d0ab21a..775880d54 100644 --- a/roles/kubernetes-apps/efk/kibana/meta/main.yml +++ b/roles/kubernetes-apps/efk/kibana/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: download file: "{{ downloads.kibana }}" diff --git a/roles/kubernetes-apps/efk/kibana/tasks/main.yml b/roles/kubernetes-apps/efk/kibana/tasks/main.yml index 5e2b15f71..4c14d1945 100644 --- a/roles/kubernetes-apps/efk/kibana/tasks/main.yml +++ b/roles/kubernetes-apps/efk/kibana/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: "Kibana | Write Kibana deployment" - template: + template: src: kibana-deployment.yml.j2 dest: "{{ kube_config_dir }}/kibana-deployment.yaml" register: kibana_deployment_manifest @@ -17,7 +17,7 @@ run_once: true - name: "Kibana | Write Kibana service " - template: + template: src: kibana-service.yml.j2 dest: "{{ kube_config_dir }}/kibana-service.yaml" register: kibana_service_manifest diff --git a/roles/kubernetes-apps/efk/meta/main.yml b/roles/kubernetes-apps/efk/meta/main.yml index e11bbae29..550ba9497 100644 --- a/roles/kubernetes-apps/efk/meta/main.yml +++ b/roles/kubernetes-apps/efk/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: kubernetes-apps/efk/elasticsearch - role: kubernetes-apps/efk/fluentd diff --git a/roles/kubernetes-apps/helm/defaults/main.yml b/roles/kubernetes-apps/helm/defaults/main.yml index b1b2dfca9..bb7ca244e 100644 --- a/roles/kubernetes-apps/helm/defaults/main.yml +++ b/roles/kubernetes-apps/helm/defaults/main.yml @@ -1,3 +1,4 @@ +--- helm_enabled: false # specify a dir and attach it to helm for HELM_HOME. diff --git a/roles/kubernetes-apps/helm/meta/main.yml b/roles/kubernetes-apps/helm/meta/main.yml index 805439250..5092ec83b 100644 
--- a/roles/kubernetes-apps/helm/meta/main.yml +++ b/roles/kubernetes-apps/helm/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: download file: "{{ downloads.helm }}" diff --git a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml index 0ac9341ee..0c8db4c78 100644 --- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml +++ b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml @@ -1,3 +1,4 @@ +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/roles/kubernetes-apps/helm/templates/tiller-sa.yml b/roles/kubernetes-apps/helm/templates/tiller-sa.yml index c840f57f8..26e575fb6 100644 --- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml +++ b/roles/kubernetes-apps/helm/templates/tiller-sa.yml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/roles/kubernetes-apps/meta/main.yml b/roles/kubernetes-apps/meta/main.yml index c2dd39d73..9652e1a96 100644 --- a/roles/kubernetes-apps/meta/main.yml +++ b/roles/kubernetes-apps/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: download file: "{{ downloads.netcheck_server }}" diff --git a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml index f5ffc4393..a65a86c43 100644 --- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml +++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml @@ -1,3 +1,4 @@ +--- - name: Create canal ConfigMap run_once: true kube: @@ -7,7 +8,7 @@ resource: "configmap" namespace: "{{system_namespace}}" -#FIXME: remove if kubernetes/features#124 is implemented +# FIXME: remove if kubernetes/features#124 is implemented - name: Purge old flannel and canal-node run_once: true kube: 
@@ -29,4 +30,3 @@ namespace: "{{system_namespace}}" state: "{{ item | ternary('latest','present') }}" with_items: "{{ canal_node_manifest.changed }}" - diff --git a/roles/kubernetes-apps/network_plugin/meta/main.yml b/roles/kubernetes-apps/network_plugin/meta/main.yml index 43382f2ae..4559d25c6 100644 --- a/roles/kubernetes-apps/network_plugin/meta/main.yml +++ b/roles/kubernetes-apps/network_plugin/meta/main.yml @@ -1,8 +1,8 @@ --- dependencies: - - role: kubernetes-apps/network_plugin/canal - when: kube_network_plugin == 'canal' - tags: canal - - role: kubernetes-apps/network_plugin/weave - when: kube_network_plugin == 'weave' - tags: weave + - role: kubernetes-apps/network_plugin/canal + when: kube_network_plugin == 'canal' + tags: canal + - role: kubernetes-apps/network_plugin/weave + when: kube_network_plugin == 'weave' + tags: weave diff --git a/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml b/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml index 232f2d781..c25702b44 100644 --- a/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml +++ b/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml @@ -1,4 +1,5 @@ -#FIXME: remove if kubernetes/features#124 is implemented +--- +# FIXME: remove if kubernetes/features#124 is implemented - name: Weave | Purge old weave daemonset kube: name: "weave-net" @@ -9,7 +10,6 @@ state: absent when: inventory_hostname == groups['kube-master'][0] and weave_manifest.changed - - name: Weave | Start Resources kube: name: "weave-net" @@ -21,7 +21,6 @@ with_items: "{{ weave_manifest.changed }}" when: inventory_hostname == groups['kube-master'][0] - - name: "Weave | wait for weave to become available" uri: url: http://127.0.0.1:6784/status diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml index 7a4db0ea8..93d12c901 100644 --- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml 
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml @@ -1,3 +1,4 @@ +--- # Limits for calico apps calico_policy_controller_cpu_limit: 100m calico_policy_controller_memory_limit: 256M diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml index 8b4271d6a..de102f31d 100644 --- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml +++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml @@ -1,3 +1,4 @@ +--- - set_fact: calico_cert_dir: "{{ canal_cert_dir }}" when: kube_network_plugin == 'canal' diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml index 7cfe9cc9a..979622731 100644 --- a/roles/kubernetes/master/defaults/main.yml +++ b/roles/kubernetes/master/defaults/main.yml @@ -1,3 +1,4 @@ +--- # An experimental dev/test only dynamic volumes provisioner, # for PetSets. Works for kube>=v1.3 only. kube_hostpath_dynamic_provisioner: "false" @@ -52,14 +53,14 @@ kube_oidc_auth: false ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) -#kube_oidc_url: https:// ... +# kube_oidc_url: https:// ... # kube_oidc_client_id: kubernetes ## Optional settings for OIDC # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem # kube_oidc_username_claim: sub # kube_oidc_groups_claim: groups -##Variables for custom flags +## Variables for custom flags apiserver_custom_flags: [] controller_mgr_custom_flags: [] diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml index 6922e6a51..24a3a495a 100644 --- a/roles/kubernetes/master/tasks/main.yml +++ b/roles/kubernetes/master/tasks/main.yml @@ -88,4 +88,3 @@ - include: post-upgrade.yml tags: k8s-post-upgrade - 
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index 6e2ff835f..940bdfff4 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -1,3 +1,4 @@ +--- # Valid options: docker (default), rkt, or host kubelet_deployment_type: host @@ -49,7 +50,7 @@ kube_apiserver_node_port_range: "30000-32767" kubelet_load_modules: false -##Support custom flags to be passed to kubelet +## Support custom flags to be passed to kubelet kubelet_custom_flags: [] # This setting is used for rkt based kubelet for deploying hyperkube diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml index ad4cbacf1..692f8247c 100644 --- a/roles/kubernetes/node/tasks/install.yml +++ b/roles/kubernetes/node/tasks/install.yml @@ -21,4 +21,3 @@ dest: "/etc/systemd/system/kubelet.service" backup: "yes" notify: restart kubelet - diff --git a/roles/kubernetes/node/tasks/install_rkt.yml b/roles/kubernetes/node/tasks/install_rkt.yml index 68e90860c..d19b099bd 100644 --- a/roles/kubernetes/node/tasks/install_rkt.yml +++ b/roles/kubernetes/node/tasks/install_rkt.yml @@ -20,8 +20,8 @@ path: /var/lib/kubelet - name: Create kubelet service systemd directory - file: - path: /etc/systemd/system/kubelet.service.d + file: + path: /etc/systemd/system/kubelet.service.d state: directory - name: Write kubelet proxy drop-in @@ -30,4 +30,3 @@ dest: /etc/systemd/system/kubelet.service.d/http-proxy.conf when: http_proxy is defined or https_proxy is defined or no_proxy is defined notify: restart kubelet - diff --git a/roles/kubernetes/preinstall/handlers/main.yml b/roles/kubernetes/preinstall/handlers/main.yml index 35fec7d94..dab1bf7de 100644 --- a/roles/kubernetes/preinstall/handlers/main.yml +++ b/roles/kubernetes/preinstall/handlers/main.yml @@ -1,3 +1,4 @@ +--- - name: Preinstall | restart network command: /bin/true notify: 
diff --git a/roles/kubernetes/preinstall/tasks/azure-credential-check.yml b/roles/kubernetes/preinstall/tasks/azure-credential-check.yml index ca50d5843..fa2d82fd2 100644 --- a/roles/kubernetes/preinstall/tasks/azure-credential-check.yml +++ b/roles/kubernetes/preinstall/tasks/azure-credential-check.yml @@ -48,5 +48,3 @@ fail: msg: "azure_route_table_name is missing" when: azure_route_table_name is not defined or azure_route_table_name == "" - - diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml index e3f27192f..b6a246684 100644 --- a/roles/kubernetes/preinstall/tasks/main.yml +++ b/roles/kubernetes/preinstall/tasks/main.yml @@ -1,6 +1,6 @@ --- - include: pre-upgrade.yml - tags: [upgrade, bootstrap-os] + tags: [upgrade, bootstrap-os] - name: Force binaries directory for Container Linux by CoreOS set_fact: @@ -27,14 +27,14 @@ include_vars: "{{ item }}" with_first_found: - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}.yml" - - defaults.yml + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}.yml" + - defaults.yml paths: - - ../vars + - ../vars skip: true tags: facts diff --git a/roles/kubernetes/preinstall/tasks/vsphere-credential-check.yml b/roles/kubernetes/preinstall/tasks/vsphere-credential-check.yml index b91726d50..9beeb6b50 100644 
--- a/roles/kubernetes/preinstall/tasks/vsphere-credential-check.yml +++ b/roles/kubernetes/preinstall/tasks/vsphere-credential-check.yml @@ -1,3 +1,4 @@ +--- - name: check vsphere environment variables fail: msg: "{{ item.name }} is missing" diff --git a/roles/kubernetes/preinstall/vars/centos.yml b/roles/kubernetes/preinstall/vars/centos.yml index c1be4b9b3..b2fbcd80a 100644 --- a/roles/kubernetes/preinstall/vars/centos.yml +++ b/roles/kubernetes/preinstall/vars/centos.yml @@ -1,3 +1,4 @@ +--- required_pkgs: - libselinux-python - device-mapper-libs diff --git a/roles/kubernetes/preinstall/vars/debian.yml b/roles/kubernetes/preinstall/vars/debian.yml index 596d2ac8b..dfcb0bc34 100644 --- a/roles/kubernetes/preinstall/vars/debian.yml +++ b/roles/kubernetes/preinstall/vars/debian.yml @@ -1,3 +1,4 @@ +--- required_pkgs: - python-apt - aufs-tools diff --git a/roles/kubernetes/preinstall/vars/fedora.yml b/roles/kubernetes/preinstall/vars/fedora.yml index c1be4b9b3..b2fbcd80a 100644 --- a/roles/kubernetes/preinstall/vars/fedora.yml +++ b/roles/kubernetes/preinstall/vars/fedora.yml @@ -1,3 +1,4 @@ +--- required_pkgs: - libselinux-python - device-mapper-libs diff --git a/roles/kubernetes/preinstall/vars/redhat.yml b/roles/kubernetes/preinstall/vars/redhat.yml index c1be4b9b3..b2fbcd80a 100644 --- a/roles/kubernetes/preinstall/vars/redhat.yml +++ b/roles/kubernetes/preinstall/vars/redhat.yml @@ -1,3 +1,4 @@ +--- required_pkgs: - libselinux-python - device-mapper-libs diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml index 69b82d957..3870a3e96 100644 --- a/roles/kubernetes/secrets/tasks/check-certs.yml +++ b/roles/kubernetes/secrets/tasks/check-certs.yml @@ -105,4 +105,3 @@ {%- set _ = certs.update({'sync': True}) -%} {% endif %} {{ certs.sync }} - diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml index 80fb4a506..41d91362b 100644 
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml +++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml @@ -56,26 +56,25 @@ - set_fact: all_master_certs: "['ca-key.pem', + 'apiserver.pem', + 'apiserver-key.pem', + 'kube-scheduler.pem', + 'kube-scheduler-key.pem', + 'kube-controller-manager.pem', + 'kube-controller-manager-key.pem', + {% for node in groups['kube-master'] %} + 'admin-{{ node }}.pem', + 'admin-{{ node }}-key.pem', + {% endfor %}]" + my_master_certs: ['ca-key.pem', + 'admin-{{ inventory_hostname }}.pem', + 'admin-{{ inventory_hostname }}-key.pem', 'apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem', 'kube-scheduler-key.pem', 'kube-controller-manager.pem', - 'kube-controller-manager-key.pem', - {% for node in groups['kube-master'] %} - 'admin-{{ node }}.pem', - 'admin-{{ node }}-key.pem', - {% endfor %}]" - my_master_certs: ['ca-key.pem', - 'admin-{{ inventory_hostname }}.pem', - 'admin-{{ inventory_hostname }}-key.pem', - 'apiserver.pem', - 'apiserver-key.pem', - 'kube-scheduler.pem', - 'kube-scheduler-key.pem', - 'kube-controller-manager.pem', - 'kube-controller-manager-key.pem', - ] + 'kube-controller-manager-key.pem'] all_node_certs: "['ca.pem', {% for node in groups['k8s-cluster'] %} 'node-{{ node }}.pem', @@ -84,11 +83,10 @@ 'kube-proxy-{{ node }}-key.pem', {% endfor %}]" my_node_certs: ['ca.pem', - 'node-{{ inventory_hostname }}.pem', - 'node-{{ inventory_hostname }}-key.pem', - 'kube-proxy-{{ inventory_hostname }}.pem', - 'kube-proxy-{{ inventory_hostname }}-key.pem', - ] + 'node-{{ inventory_hostname }}.pem', + 'node-{{ inventory_hostname }}-key.pem', + 'kube-proxy-{{ inventory_hostname }}.pem', + 'kube-proxy-{{ inventory_hostname }}-key.pem'] tags: facts - name: Gen_certs | Gather master certs 
@@ -114,10 +112,10 @@ sync_certs|default(false) and inventory_hostname != groups['kube-master'][0] -#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k -#char limit when using shell command +# NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k +# char limit when using shell command -#FIXME(mattymo): Use tempfile module in ansible 2.3 +# FIXME(mattymo): Use tempfile module in ansible 2.3 - name: Gen_certs | Prepare tempfile for unpacking certs shell: mktemp /tmp/certsXXXXX.tar.gz register: cert_tempfile @@ -195,4 +193,3 @@ - name: Gen_certs | update ca-certificates (RedHat) command: update-ca-trust extract when: kube_ca_cert.changed and ansible_os_family == "RedHat" - diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml index e516db0f2..308ac9260 100644 --- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml +++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml @@ -33,9 +33,9 @@ - name: gen_certs_vault | Set fact for Vault API token set_fact: kube_vault_headers: - Accept: application/json - Content-Type: application/json - X-Vault-Token: "{{ kube_vault_login_result.get('json',{}).get('auth', {}).get('client_token') }}" + Accept: application/json + Content-Type: application/json + X-Vault-Token: "{{ kube_vault_login_result.get('json',{}).get('auth', {}).get('client_token') }}" run_once: true # Issue certs to kube-master nodes diff --git a/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml index b97b85e17..7aafab5c8 100644 --- a/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml +++ b/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml @@ -6,7 +6,7 @@ with_items: "{{ groups['k8s-cluster'] }}" - include: ../../../vault/tasks/shared/sync_file.yml - vars: + vars: sync_file: "{{ item }}" sync_file_dir: "{{ kube_cert_dir }}" sync_file_group: "{{ kube_cert_group }}" 
@@ -26,7 +26,7 @@ sync_file_results: [] - include: ../../../vault/tasks/shared/sync_file.yml - vars: + vars: sync_file: ca.pem sync_file_dir: "{{ kube_cert_dir }}" sync_file_group: "{{ kube_cert_group }}" diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index c2152814f..03b05c5bd 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -1,3 +1,4 @@ +--- ## Required for bootstrap-os/preinstall/download roles and setting facts # Valid bootstrap options (required): ubuntu, coreos, centos, none bootstrap_os: none @@ -88,8 +89,10 @@ kube_network_node_prefix: 24 # The port the API Server will be listening on. kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" -kube_apiserver_port: 6443 # (https) -kube_apiserver_insecure_port: 8080 # (http) +# https +kube_apiserver_port: 6443 +# http +kube_apiserver_insecure_port: 8080 # Path used to store Docker data docker_daemon_graph: "/var/lib/docker" diff --git a/roles/kubespray-defaults/tasks/main.yaml b/roles/kubespray-defaults/tasks/main.yaml index 5b2cb96a0..11b9e3653 100644 --- a/roles/kubespray-defaults/tasks/main.yaml +++ b/roles/kubespray-defaults/tasks/main.yaml @@ -1,3 +1,4 @@ +--- - name: Configure defaults debug: msg: "Check roles/kubespray-defaults/defaults/main.yml" diff --git a/roles/network_plugin/calico/handlers/main.yml b/roles/network_plugin/calico/handlers/main.yml index 78dad7505..05cc73289 100644 --- a/roles/network_plugin/calico/handlers/main.yml +++ b/roles/network_plugin/calico/handlers/main.yml @@ -5,7 +5,7 @@ - Calico | reload systemd - Calico | reload calico-node -- name : Calico | reload systemd +- name: Calico | reload systemd shell: systemctl daemon-reload - name: Calico | reload calico-node diff --git a/roles/network_plugin/calico/rr/handlers/main.yml b/roles/network_plugin/calico/rr/handlers/main.yml index efd0e12ac..cb166bda1 100644 
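Review bot: The rewritten comments above `kube_apiserver_port` and `kube_apiserver_insecure_port` carry less information than the inline `# (https)` / `# (http)` they replace, since a bare `# http` on its own line reads like a section heading rather than a property of the listener. Make the distinction explicit so a reader does not treat the two ports as interchangeable, e.g. `# Secure (TLS) API server listener` above `kube_apiserver_port` and `# Insecure API server listener: plain HTTP, no TLS or client authentication` above `kube_apiserver_insecure_port`. Which address the insecure listener is bound to is configured elsewhere and is not visible in this hunk.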
--- a/roles/network_plugin/calico/rr/handlers/main.yml +++ b/roles/network_plugin/calico/rr/handlers/main.yml @@ -5,7 +5,7 @@ - Calico-rr | reload systemd - Calico-rr | reload calico-rr -- name : Calico-rr | reload systemd +- name: Calico-rr | reload systemd shell: systemctl daemon-reload - name: Calico-rr | reload calico-rr diff --git a/roles/network_plugin/calico/rr/meta/main.yml b/roles/network_plugin/calico/rr/meta/main.yml index 55104953e..511b89744 100644 --- a/roles/network_plugin/calico/rr/meta/main.yml +++ b/roles/network_plugin/calico/rr/meta/main.yml @@ -1,3 +1,4 @@ +--- dependencies: - role: etcd - role: docker diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml index d4018db4d..38696b87a 100644 --- a/roles/network_plugin/canal/defaults/main.yml +++ b/roles/network_plugin/canal/defaults/main.yml @@ -1,3 +1,4 @@ +--- # The interface used by canal for host <-> host communication. # If left blank, then the interface is chosing using the node's # default route. @@ -30,4 +31,3 @@ calicoctl_memory_limit: 170M calicoctl_cpu_limit: 100m calicoctl_memory_requests: 32M calicoctl_cpu_requests: 25m - diff --git a/roles/network_plugin/cloud/tasks/main.yml b/roles/network_plugin/cloud/tasks/main.yml index 36fa8e57d..7b6650372 100644 --- a/roles/network_plugin/cloud/tasks/main.yml +++ b/roles/network_plugin/cloud/tasks/main.yml @@ -14,4 +14,3 @@ owner: kube recurse: true mode: "u=rwX,g-rwx,o-rwx" - diff --git a/roles/network_plugin/flannel/handlers/main.yml b/roles/network_plugin/flannel/handlers/main.yml index bd4058976..3726c900e 100644 --- a/roles/network_plugin/flannel/handlers/main.yml +++ b/roles/network_plugin/flannel/handlers/main.yml @@ -18,7 +18,7 @@ - Flannel | pause while Docker restarts - Flannel | wait for docker -- name : Flannel | reload systemd +- name: Flannel | reload systemd shell: systemctl daemon-reload - name: Flannel | reload docker.socket 
diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml
index 92ecada69..5ca78ae1d 100644
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -1,44 +1,44 @@ --- - kind: "Pod" - apiVersion: "v1" - metadata: - name: "flannel" - namespace: "{{system_namespace}}" - labels: - app: "flannel" - version: "v0.1" - spec: - volumes: - - name: "subnetenv" - hostPath: - path: "/run/flannel" - - name: "etcd-certs" - hostPath: - path: "{{ flannel_cert_dir }}" - containers: - - name: "flannel-container" - image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" - imagePullPolicy: {{ k8s_image_pull_policy }} - resources: - limits: - cpu: {{ flannel_cpu_limit }} - memory: {{ flannel_memory_limit }} - requests: - cpu: {{ flannel_cpu_requests }} - memory: {{ flannel_memory_requests }} - command: - - "/bin/sh" - - "-c" - - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ flannel_cert_dir }}/ca_cert.crt -etcd-certfile {{ flannel_cert_dir }}/cert.crt -etcd-keyfile {{ flannel_cert_dir }}/key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}" - ports: - - hostPort: 10253 - containerPort: 10253 - volumeMounts: - - name: "subnetenv" - mountPath: "/run/flannel" - - name: "etcd-certs" - mountPath: "{{ flannel_cert_dir }}" - readOnly: true - securityContext: - privileged: true - hostNetwork: true +kind: "Pod" +apiVersion: "v1" +metadata: + name: "flannel" + namespace: "{{system_namespace}}" + labels: + app: "flannel" + version: "v0.1" +spec: + volumes: + - name: "subnetenv" + hostPath: + path: "/run/flannel" + - name: "etcd-certs" + hostPath: + path: "{{ flannel_cert_dir }}" + containers: + - name: "flannel-container" + image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" + imagePullPolicy: {{ k8s_image_pull_policy }} + resources: + limits: + cpu: {{ flannel_cpu_limit }} + memory: {{ flannel_memory_limit }} + requests: + cpu: {{ flannel_cpu_requests }} + memory: {{ flannel_memory_requests }} + command: + - "/bin/sh" + - "-c" + - 
"/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ flannel_cert_dir }}/ca_cert.crt -etcd-certfile {{ flannel_cert_dir }}/cert.crt -etcd-keyfile {{ flannel_cert_dir }}/key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}" + ports: + - hostPort: 10253 + containerPort: 10253 + volumeMounts: + - name: "subnetenv" + mountPath: "/run/flannel" + - name: "etcd-certs" + mountPath: "{{ flannel_cert_dir }}" + readOnly: true + securityContext: + privileged: true + hostNetwork: true diff --git a/roles/network_plugin/meta/main.yml b/roles/network_plugin/meta/main.yml index a1c970efe..d9834a3cd 100644 --- a/roles/network_plugin/meta/main.yml +++ b/roles/network_plugin/meta/main.yml @@ -1,16 +1,16 @@ --- dependencies: - - role: network_plugin/calico - when: kube_network_plugin == 'calico' - tags: calico - - role: network_plugin/flannel - when: kube_network_plugin == 'flannel' - tags: flannel - - role: network_plugin/weave - when: kube_network_plugin == 'weave' - tags: weave - - role: network_plugin/canal - when: kube_network_plugin == 'canal' - tags: canal - - role: network_plugin/cloud - when: kube_network_plugin == 'cloud' + - role: network_plugin/calico + when: kube_network_plugin == 'calico' + tags: calico + - role: network_plugin/flannel + when: kube_network_plugin == 'flannel' + tags: flannel + - role: network_plugin/weave + when: kube_network_plugin == 'weave' + tags: weave + - role: network_plugin/canal + when: kube_network_plugin == 'canal' + tags: canal + - role: network_plugin/cloud + when: kube_network_plugin == 'cloud' diff --git a/roles/network_plugin/weave/tasks/pre-upgrade.yml b/roles/network_plugin/weave/tasks/pre-upgrade.yml index 0b10a7551..bcf3c2af2 100644 --- a/roles/network_plugin/weave/tasks/pre-upgrade.yml +++ b/roles/network_plugin/weave/tasks/pre-upgrade.yml 
@@ -1,3 +1,4 @@ +--- - name: Weave pre-upgrade | Stop legacy weave command: weave stop failed_when: false diff --git a/roles/rkt/tasks/install.yml b/roles/rkt/tasks/install.yml index 76719eebb..0cc8f8898 100644 --- a/roles/rkt/tasks/install.yml +++ b/roles/rkt/tasks/install.yml @@ -3,14 +3,14 @@ include_vars: "{{ item }}" with_first_found: - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}.yml" - - defaults.yml + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}.yml" + - defaults.yml paths: - - ../vars + - ../vars skip: true tags: facts diff --git a/roles/upgrade/post-upgrade/tasks/main.yml b/roles/upgrade/post-upgrade/tasks/main.yml index e7efa0601..ec6fdcf90 100644 --- a/roles/upgrade/post-upgrade/tasks/main.yml +++ b/roles/upgrade/post-upgrade/tasks/main.yml @@ -1,7 +1,5 @@ --- - - name: Uncordon node command: "{{ bin_dir }}/kubectl uncordon {{ inventory_hostname }}" delegate_to: "{{ groups['kube-master'][0] }}" when: (needs_cordoning|default(false)) and ( {%- if inventory_hostname in groups['kube-node'] -%} true {%- else -%} false {%- endif -%} ) - diff --git a/roles/upgrade/pre-upgrade/defaults/main.yml b/roles/upgrade/pre-upgrade/defaults/main.yml index c87b7e9ea..89334f87c 100644 --- a/roles/upgrade/pre-upgrade/defaults/main.yml +++ b/roles/upgrade/pre-upgrade/defaults/main.yml 
@@ -1,3 +1,3 @@ +--- drain_grace_period: 90 drain_timeout: 120s - diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml index 7e14374bf..47bb39d44 100644 --- a/roles/vault/defaults/main.yml +++ b/roles/vault/defaults/main.yml @@ -63,7 +63,7 @@ vault_needs_gen: false vault_port: 8200 # Although "cert" is an option, ansible has no way to auth via cert until # upstream merges: https://github.com/ansible/ansible/pull/18141 -vault_role_auth_method: userpass +vault_role_auth_method: userpass vault_roles: - name: etcd group: etcd diff --git a/roles/vault/tasks/bootstrap/create_etcd_role.yml b/roles/vault/tasks/bootstrap/create_etcd_role.yml index 57518f944..5e0b88a39 100644 --- a/roles/vault/tasks/bootstrap/create_etcd_role.yml +++ b/roles/vault/tasks/bootstrap/create_etcd_role.yml @@ -1,8 +1,7 @@ --- - - include: ../shared/create_role.yml vars: - create_role_name: "{{ item.name }}" + create_role_name: "{{ item.name }}" create_role_group: "{{ item.group }}" create_role_policy_rules: "{{ item.policy_rules }}" create_role_options: "{{ item.role_options }}" diff --git a/roles/vault/tasks/bootstrap/start_vault_temp.yml b/roles/vault/tasks/bootstrap/start_vault_temp.yml index 4a5e6bc5e..49585a5d9 100644 --- a/roles/vault/tasks/bootstrap/start_vault_temp.yml +++ b/roles/vault/tasks/bootstrap/start_vault_temp.yml @@ -1,5 +1,4 @@ --- - - name: bootstrap/start_vault_temp | Ensure vault-temp isn't already running shell: if docker rm -f {{ vault_temp_container_name }} 2>&1 1>/dev/null;then echo true;else echo false;fi register: vault_temp_stop_check 
@@ -13,7 +12,7 @@ -v /etc/vault:/etc/vault {{ vault_image_repo }}:{{ vault_version }} server -#FIXME(mattymo): Crashes on first start with aufs docker storage. See hashicorp/docker-vault#19 +# FIXME(mattymo): Crashes on first start with aufs docker storage. See hashicorp/docker-vault#19 - name: bootstrap/start_vault_temp | Start again single node Vault with file backend command: docker start {{ vault_temp_container_name }} diff --git a/roles/vault/tasks/bootstrap/sync_vault_certs.yml b/roles/vault/tasks/bootstrap/sync_vault_certs.yml index ab088753f..9e6eff05c 100644 --- a/roles/vault/tasks/bootstrap/sync_vault_certs.yml +++ b/roles/vault/tasks/bootstrap/sync_vault_certs.yml @@ -1,5 +1,4 @@ --- - - include: ../shared/sync_file.yml vars: sync_file: "ca.pem" @@ -29,4 +28,3 @@ - name: bootstrap/sync_vault_certs | Unset sync_file_results after api.pem sync set_fact: sync_file_results: [] - diff --git a/roles/vault/tasks/cluster/main.yml b/roles/vault/tasks/cluster/main.yml index db97dd078..c21fd0d73 100644 --- a/roles/vault/tasks/cluster/main.yml +++ b/roles/vault/tasks/cluster/main.yml @@ -1,5 +1,4 @@ --- - - include: ../shared/check_vault.yml when: inventory_hostname in groups.vault @@ -26,7 +25,7 @@ - include: ../shared/find_leader.yml when: inventory_hostname in groups.vault -- include: ../shared/pki_mount.yml +- include: ../shared/pki_mount.yml when: inventory_hostname == groups.vault|first - include: ../shared/config_ca.yml diff --git a/roles/vault/tasks/shared/auth_backend.yml b/roles/vault/tasks/shared/auth_backend.yml index ad5b191c9..82a4c94fb 100644 --- a/roles/vault/tasks/shared/auth_backend.yml +++ b/roles/vault/tasks/shared/auth_backend.yml 
@@ -1,11 +1,10 @@ --- - - name: shared/auth_backend | Test if the auth backend exists uri: url: "{{ vault_leader_url }}/v1/sys/auth/{{ auth_backend_path }}/tune" headers: "{{ vault_headers }}" validate_certs: false - ignore_errors: true + ignore_errors: true register: vault_auth_backend_check - name: shared/auth_backend | Add the cert auth backend if needed diff --git a/roles/vault/tasks/shared/check_vault.yml b/roles/vault/tasks/shared/check_vault.yml index 257843d95..83328768a 100644 --- a/roles/vault/tasks/shared/check_vault.yml +++ b/roles/vault/tasks/shared/check_vault.yml @@ -1,5 +1,4 @@ --- - # Stop temporary Vault if it's running (can linger if playbook fails out) - name: stop vault-temp container shell: docker stop {{ vault_temp_container_name }} || rkt stop {{ vault_temp_container_name }} @@ -22,8 +21,8 @@ vault_is_running: "{{ vault_local_service_health|succeeded }}" vault_is_initialized: "{{ vault_local_service_health.get('json', {}).get('initialized', false) }}" vault_is_sealed: "{{ vault_local_service_health.get('json', {}).get('sealed', true) }}" - #vault_in_standby: "{{ vault_local_service_health.get('json', {}).get('standby', true) }}" - #vault_run_version: "{{ vault_local_service_health.get('json', {}).get('version', '') }}" + # vault_in_standby: "{{ vault_local_service_health.get('json', {}).get('standby', true) }}" + # vault_run_version: "{{ vault_local_service_health.get('json', {}).get('version', '') }}" - name: check_vault | Set fact about the Vault cluster's initialization state set_fact: diff --git a/roles/vault/tasks/shared/find_leader.yml b/roles/vault/tasks/shared/find_leader.yml index 1aaa8513e..3afee482d 100644 --- a/roles/vault/tasks/shared/find_leader.yml +++ b/roles/vault/tasks/shared/find_leader.yml 
@@ -15,7 +15,7 @@ vault_leader_url: "{{ vault_config.listener.tcp.tls_disable|d()|ternary('http', 'https') }}://{{ item }}:{{ vault_port }}" with_items: "{{ groups.vault }}" when: "hostvars[item]['vault_leader_check'].get('status') in [200,503]" - #run_once: true + # run_once: true - name: find_leader| show vault_leader_url debug: var=vault_leader_url verbosity=2 diff --git a/roles/vault/tasks/shared/gen_userpass.yml b/roles/vault/tasks/shared/gen_userpass.yml index ab3d171b8..4ef301171 100644 --- a/roles/vault/tasks/shared/gen_userpass.yml +++ b/roles/vault/tasks/shared/gen_userpass.yml @@ -22,7 +22,7 @@ - name: shared/gen_userpass | Copy credentials to all hosts in the group copy: content: > - {{ + {{ {'username': gen_userpass_username, 'password': gen_userpass_password} | to_nice_json(indent=4) }} diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml index 4854e8b9e..3b6b6d315 100644 --- a/roles/vault/tasks/shared/issue_cert.yml +++ b/roles/vault/tasks/shared/issue_cert.yml @@ -26,7 +26,7 @@ - name: issue_cert | Ensure target directory exists file: - path: "{{ issue_cert_path | dirname }}" + path: "{{ issue_cert_path | dirname }}" state: directory group: "{{ issue_cert_file_group | d('root' )}}" mode: "{{ issue_cert_dir_mode | d('0755') }}" diff --git a/tests/requirements.txt b/tests/requirements.txt new file mode 100644 index 000000000..77b7f5868 --- /dev/null +++ b/tests/requirements.txt @@ -0,0 +1,5 @@ +-r ../requirements.txt +yamllint +apache-libcloud==0.20.1 +boto==2.9.0 +tox
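Review bot: In the new tests/requirements.txt, `yamllint` and `tox` are left unpinned while `apache-libcloud` and `boto` carry exact versions, so the lint step this commit wires into CI will install whatever yamllint release is current at run time, and its default rule set can drift between otherwise identical pipelines. Pin both to the versions the CI was validated against, e.g. `yamllint==<PINNED_VERSION>` and `tox==<PINNED_VERSION>`, and bump them deliberately alongside the .yamllint config. Since this file is consumed only by CI, pip's `--require-hashes` mode with per-line `--hash=sha256:...` entries would be a reasonable further step if the project wants reproducible, tamper-evident CI installs.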