C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Normalize tags in all places to prepare for tag fixing in future (#1739)

Browse source
This commit is contained in:
Aivars Sterns 2017-10-05 10:43:04 +03:00 committed by Matthew Mosesohn
parent cb611b5ed0
commit 9c86da1403
48 changed files with 501 additions and 189 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
roles/bootstrap-os/tasks/bootstrap-coreos.yml
View file

@ -3,7 +3,8 @@
raw: stat /opt/bin/.bootstrapped
register: need_bootstrap
failed_when: false
tags: facts
tags:
- facts
- name: Bootstrap | Run bootstrap.sh
script: bootstrap.sh
@ -11,7 +12,8 @@
- set_fact:
ansible_python_interpreter: "/opt/bin/python"
tags: facts
tags:
- facts
- name: Bootstrap | Check if we need to install pip
shell: "{{ansible_python_interpreter}} -m pip --version"
@ -20,7 +22,8 @@
changed_when: false
check_mode: no
when: need_bootstrap.rc != 0
tags: facts
tags:
- facts
- name: Bootstrap | Copy get-pip.py
copy:

6
roles/bootstrap-os/tasks/bootstrap-ubuntu.yml
View file

@ -8,7 +8,8 @@
with_items:
- python
- pip
tags: facts
tags:
- facts
- name: Bootstrap | Install python 2.x and pip
raw:
@ -19,4 +20,5 @@
- set_fact:
ansible_python_interpreter: "/usr/bin/python"
tags: facts
tags:
- facts

4
roles/dnsmasq/meta/main.yml
View file

@ -3,4 +3,6 @@ dependencies:
- role: download
file: "{{ downloads.dnsmasq }}"
when: dns_mode == 'dnsmasq_kubedns' and download_localhost|default(false)
tags: [download, dnsmasq]
tags:
- download
- dnsmasq

6
roles/dnsmasq/tasks/main.yml
View file

@ -3,13 +3,15 @@
file:
path: /etc/dnsmasq.d
state: directory
tags: bootstrap-os
tags:
- bootstrap-os
- name: ensure dnsmasq.d-available directory exists
file:
path: /etc/dnsmasq.d-available
state: directory
tags: bootstrap-os
tags:
- bootstrap-os
- name: check system nameservers
shell: awk '/^nameserver/ {print $NF}' /etc/resolv.conf

9
roles/docker/tasks/main.yml
View file

@ -12,11 +12,13 @@
paths:
- ../vars
skip: true
tags: facts
tags:
- facts
- include: set_facts_dns.yml
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
tags: facts
tags:
- facts
- name: check for minimum kernel version
fail:
@ -25,7 +27,8 @@
{{ docker_kernel_min_version }} on
{{ ansible_distribution }}-{{ ansible_distribution_version }}
when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel|version_compare(docker_kernel_min_version, "<"))
tags: facts
tags:
- facts
- name: ensure docker repository public key is installed
action: "{{ docker_repo_key_info.pkg_key }}"

35
roles/download/tasks/main.yml
View file

@ -7,7 +7,8 @@
when:
- download.enabled|bool
- not download.container|bool
tags: bootstrap-os
tags:
- bootstrap-os
- name: file_download | Download item
get_url:
@ -50,7 +51,8 @@
- set_fact:
download_delegate: "{% if download_localhost|bool %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
run_once: true
tags: facts
tags:
- facts
- name: container_download | Create dest directory for saved/loaded container images
file:
@ -62,7 +64,8 @@
when:
- download.enabled|bool
- download.container|bool
tags: bootstrap-os
tags:
- bootstrap-os
# This is required for the download_localhost delegate to work smooth with Container Linux by CoreOS cluster nodes
- name: container_download | Hack python binary path for localhost
@ -70,7 +73,8 @@
delegate_to: localhost
when: download_delegate == 'localhost'
failed_when: false
tags: localhost
tags:
- localhost
- name: container_download | create local directory for saved/loaded container images
file:
@ -85,7 +89,8 @@
- download.enabled|bool
- download.container|bool
- download_delegate == 'localhost'
tags: localhost
tags:
- localhost
- name: container_download | Make download decision if pull is required by tag or sha256
include: set_docker_image_facts.yml
@ -94,7 +99,8 @@
- download.container|bool
delegate_to: "{{ download_delegate if download_run_once|bool or omit }}"
run_once: "{{ download_run_once|bool }}"
tags: facts
tags:
- facts
- name: container_download | Download containers if pull is required or told to always pull
command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
@ -112,7 +118,8 @@
- set_fact:
fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar"
run_once: true
tags: facts
tags:
- facts
- name: "container_download | Set default value for 'container_changed' to false"
set_fact:
@ -126,7 +133,8 @@
- download.container|bool
- pull_required|bool|default(download_always_pull)
run_once: "{{ download_run_once|bool }}"
tags: facts
tags:
- facts
- name: container_download | Stat saved container image
stat:
@ -140,7 +148,8 @@
delegate_to: "{{ download_delegate }}"
become: false
run_once: true
tags: facts
tags:
- facts
- name: container_download | save container images
shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}"
@ -188,7 +197,9 @@
- download_run_once|bool
- download.enabled|bool
- download.container|bool
tags: [upload, upgrade]
tags:
- upload
- upgrade
- name: container_download | load container images
shell: "{{ docker_bin_dir }}/docker load < {{ fname }}"
@ -198,4 +209,6 @@
- download_run_once|bool
- download.enabled|bool
- download.container|bool
tags: [upload, upgrade]
tags:
- upload
- upgrade

4
roles/etcd/meta/main.yml
View file

@ -3,8 +3,10 @@ dependencies:
- role: adduser
user: "{{ addusers.etcd }}"
when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
- role: download
file: "{{ downloads.etcd }}"
tags: download
tags:
- download
# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"

3
roles/etcd/tasks/configure.yml
View file

@ -6,7 +6,8 @@
changed_when: false
check_mode: no
when: is_etcd_master
tags: facts
tags:
- facts
- name: Configure | Add member to the cluster if it is not there
when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0

3
roles/etcd/tasks/gen_certs_script.yml
View file

@ -83,7 +83,8 @@
'node-{{ node }}-key.pem',
{% endfor %}]"
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
tags: facts
tags:
- facts
- name: Gen_certs | Gather etcd master certs
shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"

6
roles/etcd/tasks/gen_certs_vault.yml
View file

@ -1,11 +1,13 @@
---
- include: sync_etcd_master_certs.yml
when: inventory_hostname in groups.etcd
tags: etcd-secrets
tags:
- etcd-secrets
- include: sync_etcd_node_certs.yml
when: inventory_hostname in etcd_node_cert_hosts
tags: etcd-secrets
tags:
- etcd-secrets
# Issue master certs to Etcd nodes
- include: ../../vault/tasks/shared/issue_cert.yml

13
roles/etcd/tasks/main.yml
View file

@ -1,13 +1,17 @@
---
- include: check_certs.yml
when: cert_management == "script"
tags: [etcd-secrets, facts]
tags:
- etcd-secrets
- facts
- include: "gen_certs_{{ cert_management }}.yml"
tags: etcd-secrets
tags:
- etcd-secrets
- include: upd_ca_trust.yml
tags: etcd-secrets
tags:
- etcd-secrets
- name: "Gen_certs | Get etcd certificate serials"
shell: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial | cut -d= -f2"
@ -16,7 +20,8 @@
- include: "install_{{ etcd_deployment_type }}.yml"
when: is_etcd_master
tags: upgrade
tags:
- upgrade
- include: set_cluster_health.yml
when: is_etcd_master and etcd_cluster_setup

3
roles/etcd/tasks/set_cluster_health.yml
View file

@ -6,4 +6,5 @@
changed_when: false
check_mode: no
when: is_etcd_master
tags: facts
tags:
- facts

3
roles/etcd/tasks/upd_ca_trust.yml
View file

@ -9,7 +9,8 @@
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
/etc/ssl/certs/etcd-ca.pem
{%- endif %}
tags: facts
tags:
- facts
- name: Gen_certs | add CA to trusted CA dir
copy:

18
roles/kubernetes-apps/ansible/tasks/main.yml
View file

@ -16,7 +16,8 @@
resource: "{{ item }}"
state: absent
with_items: ['deploy', 'svc']
tags: upgrade
tags:
- upgrade
- name: Kubernetes Apps | Delete kubeadm kubedns
kube:
@ -46,7 +47,8 @@
when:
- dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
- rbac_enabled or item.type not in rbac_resources
tags: dnsmasq
tags:
- dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084, only needed for "old" kube-dns
- name: Kubernetes Apps | Patch system:kube-dns ClusterRole
@ -64,7 +66,8 @@
when:
- dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
- rbac_enabled and kubedns_version|version_compare("1.11.0", "<", strict=True)
tags: dnsmasq
tags:
- dnsmasq
- name: Kubernetes Apps | Start Resources
kube:
@ -79,14 +82,17 @@
- dns_mode != 'none'
- inventory_hostname == groups['kube-master'][0]
- not item|skipped
tags: dnsmasq
tags:
- dnsmasq
- name: Kubernetes Apps | Netchecker
include: tasks/netchecker.yml
when: deploy_netchecker
tags: netchecker
tags:
- netchecker
- name: Kubernetes Apps | Dashboard
include: tasks/dashboard.yml
when: dashboard_enabled
tags: dashboard
tags:
- dashboard

7
roles/kubernetes-apps/ansible/tasks/netchecker.yml
View file

@ -4,7 +4,9 @@
stat:
path: "{{ kube_config_dir }}/netchecker-server-deployment.yml.j2"
register: netchecker_server_manifest
tags: ['facts', 'upgrade']
tags:
- facts
- upgrade
- name: Kubernetes Apps | Apply netchecker-server manifest to update annotations
kube:
@ -15,7 +17,8 @@
resource: "deploy"
state: latest
when: inventory_hostname == groups['kube-master'][0] and netchecker_server_manifest.stat.exists
tags: upgrade
tags:
- upgrade
- name: Kubernetes Apps | Lay Down Netchecker Template
template:

30
roles/kubernetes-apps/meta/main.yml
View file

@ -3,16 +3,34 @@ dependencies:
- role: download
file: "{{ downloads.netcheck_server }}"
when: deploy_netchecker
tags: [download, netchecker]
tags:
- download
- netchecker
- role: download
file: "{{ downloads.netcheck_agent }}"
when: deploy_netchecker
tags: [download, netchecker]
- {role: kubernetes-apps/ansible, tags: apps}
- {role: kubernetes-apps/kpm, tags: [apps, kpm]}
tags:
- download
- netchecker
- role: kubernetes-apps/ansible
tags:
- apps
- role: kubernetes-apps/kpm
tags:
- apps
- kpm
- role: kubernetes-apps/efk
when: efk_enabled
tags: [ apps, efk ]
tags:
- apps
- efk
- role: kubernetes-apps/helm
when: helm_enabled
tags: [ apps, helm ]
tags:
- apps
- helm

15
roles/kubernetes-apps/network_plugin/meta/main.yml
View file

@ -2,13 +2,20 @@
dependencies:
- role: kubernetes-apps/network_plugin/calico
when: kube_network_plugin == 'calico'
tags: calico
tags:
- calico
- role: kubernetes-apps/network_plugin/canal
when: kube_network_plugin == 'canal'
tags: canal
tags:
- canal
- role: kubernetes-apps/network_plugin/flannel
when: kube_network_plugin == 'flannel'
tags: flannel
tags:
- flannel
- role: kubernetes-apps/network_plugin/weave
when: kube_network_plugin == 'weave'
tags: weave
tags:
- weave

4
roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
View file

@ -3,7 +3,9 @@
set_fact:
calico_cert_dir: "{{ canal_cert_dir }}"
when: kube_network_plugin == 'canal'
tags: [facts, canal]
tags:
- facts
- canal
- name: Get calico-policy-controller version if running
shell: "{{ bin_dir }}/kubectl -n {{ system_namespace }} get rs calico-policy-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}' | cut -d':' -f2"

26
roles/kubernetes-apps/policy_controller/meta/main.yml
View file

@ -2,13 +2,23 @@
dependencies:
- role: download
file: "{{ downloads.calico_policy }}"
when: enable_network_policy and
kube_network_plugin in ['calico', 'canal']
tags: [download, canal, policy-controller]
when:
- enable_network_policy
- kube_network_plugin in ['calico', 'canal']
tags:
- download
- canal
- policy-controller
- role: policy_controller/calico
when: kube_network_plugin == 'calico' and
enable_network_policy
tags: policy-controller
when:
- kube_network_plugin == 'calico'
- enable_network_policy
tags:
- policy-controller
- role: policy_controller/calico
when: kube_network_plugin == 'canal'
tags: policy-controller
when:
- kube_network_plugin == 'canal'
tags:
- policy-controller

3
roles/kubernetes/client/tasks/main.yml
View file

@ -11,7 +11,8 @@
{%- else -%}
https://{{ first_kube_master }}:{{ kube_apiserver_port }}
{%- endif -%}
tags: facts
tags:
- facts
- name: Gather certs for admin kubeconfig
slurp:

3
roles/kubernetes/kubeadm/tasks/main.yml
View file

@ -8,7 +8,8 @@
{{ kube_apiserver_endpoint }}
{%- endif %}
when: not is_kube_master
tags: facts
tags:
- facts
- name: Check if kubelet.conf exists
stat:

4
roles/kubernetes/master/meta/main.yml
View file

@ -2,4 +2,6 @@
dependencies:
- role: download
file: "{{ downloads.hyperkube }}"
tags: [download, hyperkube]
tags:
- download
- hyperkube

3
roles/kubernetes/master/tasks/kubeadm-setup.yml
View file

@ -48,7 +48,8 @@
{%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif %}
{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
{%- endfor %}
tags: facts
tags:
- facts
- name: kubeadm | Copy etcd cert dir under k8s cert dir
command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"

15
roles/kubernetes/master/tasks/main.yml
View file

@ -1,6 +1,7 @@
---
- include: pre-upgrade.yml
tags: k8s-pre-upgrade
tags:
- k8s-pre-upgrade
# upstream bug: https://github.com/kubernetes/kubeadm/issues/441
- name: Disable kube_basic_auth until kubeadm/441 is fixed
@ -18,12 +19,16 @@
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, kubectl, upgrade]
tags:
- hyperkube
- kubectl
- upgrade
- name: Install kubectl bash completion
shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
when: ansible_os_family in ["Debian","RedHat"]
tags: kubectl
tags:
- kubectl
- name: Set kubectl bash completion file
file:
@ -32,7 +37,9 @@
group: root
mode: 0755
when: ansible_os_family in ["Debian","RedHat"]
tags: [kubectl, upgrade]
tags:
- kubectl
- upgrade
- task: Include kubeadm setup if enabled
include: kubeadm-setup.yml

24
roles/kubernetes/master/tasks/static-pod-setup.yml
View file

@ -4,7 +4,8 @@
src: manifests/kube-apiserver.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-apiserver.manifest"
notify: Master | wait for the apiserver to be running
tags: kube-apiserver
tags:
- kube-apiserver
- meta: flush_handlers
@ -13,7 +14,8 @@
src: namespace.j2
dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
when: inventory_hostname == groups['kube-master'][0]
tags: apps
tags:
- apps
- name: Check if kube system namespace exists
command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
@ -21,7 +23,8 @@
changed_when: False
failed_when: False
when: inventory_hostname == groups['kube-master'][0]
tags: apps
tags:
- apps
- name: Create kube system namespace
command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
@ -31,30 +34,35 @@
until: create_system_ns.rc == 0
changed_when: False
when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
tags: apps
tags:
- apps
- name: Write kube-scheduler kubeconfig
template:
src: kube-scheduler-kubeconfig.yaml.j2
dest: "{{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml"
tags: kube-scheduler
tags:
- kube-scheduler
- name: Write kube-scheduler manifest
template:
src: manifests/kube-scheduler.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest"
notify: Master | wait for kube-scheduler
tags: kube-scheduler
tags:
- kube-scheduler
- name: Write kube-controller-manager kubeconfig
template:
src: kube-controller-manager-kubeconfig.yaml.j2
dest: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml"
tags: kube-controller-manager
tags:
- kube-controller-manager
- name: Write kube-controller-manager manifest
template:
src: manifests/kube-controller-manager.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest"
notify: Master | wait for kube-controller-manager
tags: kube-controller-manager
tags:
- kube-controller-manager

72
roles/kubernetes/node/meta/main.yml
View file

@ -2,44 +2,90 @@
dependencies:
- role: download
file: "{{ downloads.hyperkube }}"
tags: [download, hyperkube, kubelet, network, canal, calico, weave, kube-controller-manager, kube-scheduler, kube-apiserver, kube-proxy, kubectl]
tags:
- download
- hyperkube
- kubelet
- network
- canal
- calico
- weave
- kube-controller-manager
- kube-scheduler
- kube-apiserver
- kube-proxy
- kubectl
- role: download
file: "{{ downloads.pod_infra }}"
tags: [download, kubelet]
tags:
- download
- kubelet
- role: download
file: "{{ downloads.install_socat }}"
tags: [download, kubelet]
when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
tags:
- download
- kubelet
- role: download
file: "{{ downloads.kubeadm }}"
tags: [download, kubelet, kubeadm]
when: kubeadm_enabled
tags:
- download
- kubelet
- kubeadm
- role: kubernetes/secrets
when: not kubeadm_enabled
tags: k8s-secrets
tags:
- k8s-secrets
- role: download
file: "{{ downloads.nginx }}"
tags: [download, nginx]
tags:
- download
- nginx
- role: download
file: "{{ downloads.testbox }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.netcheck_server }}"
when: deploy_netchecker
tags: [download, netchecker]
tags:
- download
- netchecker
- role: download
file: "{{ downloads.netcheck_agent }}"
when: deploy_netchecker
tags: [download, netchecker]
tags:
- download
- netchecker
- role: download
file: "{{ downloads.kubedns }}"
tags: [download, dnsmasq]
tags:
- download
- dnsmasq
- role: download
file: "{{ downloads.dnsmasq_nanny }}"
tags: [download, dnsmasq]
tags:
- download
- dnsmasq
- role: download
file: "{{ downloads.dnsmasq_sidecar }}"
tags: [download, dnsmasq]
tags:
- download
- dnsmasq
- role: download
file: "{{ downloads.kubednsautoscaler }}"
tags: [download, dnsmasq]
tags:
- download
- dnsmasq

12
roles/kubernetes/node/tasks/install.yml
View file

@ -11,19 +11,22 @@
'/usr/share/ca-certificates',
{% endif -%}
]"
tags: facts
tags:
- facts
- name: Set kubelet deployment to host if kubeadm is enabled
set_fact:
kubelet_deployment_type: host
when: kubeadm_enabled
tags: kubeadm
tags:
- kubeadm
- name: install | Copy kubeadm binary from download dir
command: rsync -piu "{{ local_release_dir }}/kubeadm" "{{ bin_dir }}/kubeadm"
changed_when: false
when: kubeadm_enabled
tags: kubeadm
tags:
- kubeadm
- name: install | Set kubeadm binary permissions
file:
@ -31,7 +34,8 @@
mode: "0755"
state: file
when: kubeadm_enabled
tags: kubeadm
tags:
- kubeadm
- include: "install_{{ kubelet_deployment_type }}.yml"

4
roles/kubernetes/node/tasks/install_host.yml
View file

@ -6,7 +6,9 @@
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
tags:
- hyperkube
- upgrade
notify: restart kubelet
- name: install | Copy socat wrapper for Container Linux

34
roles/kubernetes/node/tasks/main.yml
View file

@ -1,9 +1,11 @@
---
- include: facts.yml
tags: facts
tags:
- facts
- include: pre_upgrade.yml
tags: kubelet
tags:
- kubelet
- name: Ensure /var/lib/cni exists
file:
@ -12,11 +14,13 @@
mode: 0755
- include: install.yml
tags: kubelet
tags:
- kubelet
- include: nginx-proxy.yml
when: is_kube_master == false and loadbalancer_apiserver_localhost|default(true)
tags: nginx
tags:
- nginx
- name: Write kubelet config file (non-kubeadm)
template:
@ -25,7 +29,8 @@
backup: yes
when: not kubeadm_enabled
notify: restart kubelet
tags: kubelet
tags:
- kubelet
- name: Write kubelet config file (kubeadm)
template:
@ -34,7 +39,9 @@
backup: yes
when: kubeadm_enabled
notify: restart kubelet
tags: ['kubelet', 'kubeadm']
tags:
- kubelet
- kubeadm
- name: write the kubecfg (auth) file for kubelet
template:
@ -46,7 +53,8 @@
- kube-proxy
when: not kubeadm_enabled
notify: restart kubelet
tags: kubelet
tags:
- kubelet
- name: Ensure nodePort range is reserved
sysctl:
@ -56,7 +64,8 @@
state: present
reload: yes
when: kube_apiserver_node_port_range is defined
tags: kube-proxy
tags:
- kube-proxy
- name: Verify if br_netfilter module exists
shell: "modinfo br_netfilter"
@ -94,14 +103,16 @@
src: manifests/kube-proxy.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-proxy.manifest"
when: not kubeadm_enabled
tags: kube-proxy
tags:
- kube-proxy
- name: Purge proxy manifest for kubeadm
file:
path: "{{ kube_manifest_dir }}/kube-proxy.manifest"
state: absent
when: kubeadm_enabled
tags: kube-proxy
tags:
- kube-proxy
# reload-systemd
- meta: flush_handlers
@ -111,4 +122,5 @@
name: kubelet
enabled: yes
state: started
tags: kubelet
tags:
- kubelet

2
roles/kubernetes/node/tasks/pre_upgrade.yml
View file

@ -8,4 +8,4 @@
- name: "Pre-upgrade | ensure kubelet container is stopped if using host deployment"
command: docker stop kubelet
failed_when: false
when: kubelet_deployment_type == "host"
when: kubelet_deployment_type == 'host'

5
roles/kubernetes/preinstall/meta/main.yml
View file

@ -2,5 +2,6 @@
dependencies:
- role: adduser
user: "{{ addusers.kube }}"
tags: kubelet
when: not is_atomic
when: not is_atomic
tags:
- kubelet

99
roles/kubernetes/preinstall/tasks/main.yml
View file

@ -1,12 +1,14 @@
---
- include: verify-settings.yml
tags: asserts
tags:
- asserts
- name: Force binaries directory for Container Linux by CoreOS
set_fact:
bin_dir: "/opt/bin"
when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: facts
tags:
- facts
- name: check bin dir exists
file:
@ -14,10 +16,12 @@
state: directory
owner: root
become: true
tags: bootstrap-os
tags:
- bootstrap-os
- include: set_facts.yml
tags: facts
tags:
- facts
- name: gather os specific variables
include_vars: "{{ item }}"
@ -32,7 +36,8 @@
paths:
- ../vars
skip: true
tags: facts
tags:
- facts
- name: Create kubernetes directories
file:
@ -40,7 +45,16 @@
state: directory
owner: kube
when: inventory_hostname in groups['k8s-cluster']
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
- apps
- network
- master
- node
with_items:
- "{{ kube_config_dir }}"
- "{{ kube_config_dir }}/ssl"
@ -53,13 +67,17 @@
when:
- cloud_provider is defined
- cloud_provider not in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere']
tags: [cloud-provider, facts]
tags:
- cloud-provider
- facts
- include: "{{ cloud_provider }}-credential-check.yml"
when:
- cloud_provider is defined
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
tags: [cloud-provider, facts]
tags:
- cloud-provider
- facts
- name: Create cni directories
file:
@ -72,7 +90,12 @@
when:
- kube_network_plugin in ["calico", "weave", "canal", "flannel"]
- inventory_hostname in groups['k8s-cluster']
tags: [network, calico, weave, canal, bootstrap-os]
tags:
- network
- calico
- weave
- canal
- bootstrap-os
- name: Update package management cache (YUM)
yum:
@ -85,7 +108,8 @@
when:
- ansible_pkg_mgr == 'yum'
- not is_atomic
tags: bootstrap-os
tags:
- bootstrap-os
- name: Install latest version of python-apt for Debian distribs
apt:
@ -94,7 +118,8 @@
update_cache: yes
cache_valid_time: 3600
when: ansible_os_family == "Debian"
tags: bootstrap-os
tags:
- bootstrap-os
- name: Install python-dnf for latest RedHat versions
command: dnf install -y python-dnf yum
@ -106,7 +131,8 @@
- ansible_distribution == "Fedora"
- ansible_distribution_major_version > 21
changed_when: False
tags: bootstrap-os
tags:
- bootstrap-os
- name: Install epel-release on RedHat/CentOS
shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }}
@ -121,7 +147,8 @@
delay: "{{ retry_stagger | random + 3 }}"
changed_when: False
check_mode: no
tags: bootstrap-os
tags:
- bootstrap-os
- name: Install packages requirements
action:
@ -134,7 +161,8 @@
delay: "{{ retry_stagger | random + 3 }}"
with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
tags: bootstrap-os
tags:
- bootstrap-os
# Todo : selinux configuration
- name: Confirm selinux deployed
@ -151,7 +179,8 @@
- ansible_os_family == "RedHat"
- slc.stat.exists == True
changed_when: False
tags: bootstrap-os
tags:
- bootstrap-os
- name: Disable IPv6 DNS lookup
lineinfile:
@ -162,18 +191,21 @@
when:
- disable_ipv6_dns
- not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: bootstrap-os
tags:
- bootstrap-os
- name: set default sysctl file path
set_fact:
sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
tags: bootstrap-os
tags:
- bootstrap-os
- name: Stat sysctl file configuration
stat:
path: "{{sysctl_file_path}}"
register: sysctl_file_stat
tags: bootstrap-os
tags:
- bootstrap-os
- name: Change sysctl file path to link source if linked
set_fact:
@ -181,7 +213,8 @@
when:
- sysctl_file_stat.stat.islnk is defined
- sysctl_file_stat.stat.islnk
tags: bootstrap-os
tags:
- bootstrap-os
- name: Enable ip forwarding
sysctl:
@ -189,7 +222,8 @@
name: net.ipv4.ip_forward
value: 1
state: present
tags: bootstrap-os
tags:
- bootstrap-os
- name: Write cloud-config
template:
@ -201,39 +235,50 @@
- inventory_hostname in groups['k8s-cluster']
- cloud_provider is defined
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
tags: [cloud-provider]
tags:
- cloud-provider
- include: etchosts.yml
tags: [bootstrap-os, etchosts]
tags:
- bootstrap-os
- etchosts
- include: resolvconf.yml
when:
- dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf'
tags: [bootstrap-os, resolvconf]
tags:
- bootstrap-os
- resolvconf
- include: dhclient-hooks.yml
when:
- dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf'
- not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: [bootstrap-os, resolvconf]
tags:
- bootstrap-os
- resolvconf
- include: dhclient-hooks-undo.yml
when:
- dns_mode != 'none'
- resolvconf_mode != 'host_resolvconf'
- not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: [bootstrap-os, resolvconf]
tags:
- bootstrap-os
- resolvconf
- name: Check if we are running inside a Azure VM
stat:
path: /var/lib/waagent/
register: azure_check
tags: bootstrap-os
tags:
- bootstrap-os
- include: growpart-azure-centos-7.yml
when:
- azure_check.stat.exists
- ansible_distribution in ["CentOS","RedHat"]
tags: bootstrap-os
tags:
- bootstrap-os

5
roles/kubernetes/preinstall/tasks/set_facts.yml
View file

@ -12,4 +12,7 @@
when: is_atomic
- include: set_resolv_facts.yml
tags: [bootstrap-os, resolvconf, facts]
tags:
- bootstrap-os
- resolvconf
- facts

18
roles/kubernetes/secrets/tasks/gen_certs_script.yml
View file

@ -6,8 +6,17 @@
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
when: gen_certs|default(false)
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
- apps
- network
- master
- node
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
file:
@ -16,8 +25,10 @@
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
tags: [k8s-secrets, bootstrap-os]
when: gen_certs|default(false)
tags:
- k8s-secrets
- bootstrap-os
- name: Gen_certs | write openssl config
template:
@ -87,7 +98,8 @@
'node-{{ inventory_hostname }}-key.pem',
'kube-proxy-{{ inventory_hostname }}.pem',
'kube-proxy-{{ inventory_hostname }}-key.pem']
tags: facts
tags:
- facts
- name: Gen_certs | Gather master certs
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"

32
roles/kubernetes/secrets/tasks/main.yml
View file

@ -1,9 +1,13 @@
---
- include: check-certs.yml
tags: [k8s-secrets, facts]
tags:
- k8s-secrets
- facts
- include: check-tokens.yml
tags: [k8s-secrets, facts]
tags:
- k8s-secrets
- facts
- name: Make sure the certificate directory exits
file:
@ -31,8 +35,17 @@
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
when: gen_certs|default(false) or gen_tokens|default(false)
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
- apps
- network
- master
- node
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
file:
@ -41,8 +54,10 @@
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
tags: [k8s-secrets, bootstrap-os]
when: gen_certs|default(false) or gen_tokens|default(false)
tags:
- k8s-secrets
- bootstrap-os
- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
file:
@ -55,10 +70,12 @@
when: gen_tokens|default(false)
- include: "gen_certs_{{ cert_management }}.yml"
tags: k8s-secrets
tags:
- k8s-secrets
- include: upd_ca_trust.yml
tags: k8s-secrets
tags:
- k8s-secrets
- name: "Gen_certs | Get certificate serials on kube masters"
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@ -93,4 +110,5 @@
when: inventory_hostname in groups['k8s-cluster']
- include: gen_tokens.yml
tags: k8s-secrets
tags:
- k8s-secrets

3
roles/kubernetes/secrets/tasks/upd_ca_trust.yml
View file

@ -9,7 +9,8 @@
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
/etc/ssl/certs/kube-ca.pem
{%- endif %}
tags: facts
tags:
- facts
- name: Gen_certs | add CA to trusted CA dir
copy:

15
roles/network_plugin/calico/meta/main.yml
View file

@ -2,13 +2,20 @@
dependencies:
- role: download
file: "{{ downloads.calico_cni }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.calico_node }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.calicoctl }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.hyperkube }}"
tags: download
tags:
- download

8
roles/network_plugin/calico/tasks/main.yml
View file

@ -54,7 +54,9 @@
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
tags:
- hyperkube
- upgrade
- name: Calico | Copy cni plugins from calico/cni container
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
@ -64,7 +66,9 @@
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
when: overwrite_hyperkube_cni|bool
tags: [hyperkube, upgrade]
tags:
- hyperkube
- upgrade
- name: Calico | Set cni directory permissions
file:

19
roles/network_plugin/canal/meta/main.yml
View file

@ -2,16 +2,25 @@
dependencies:
- role: download
file: "{{ downloads.flannel }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.calico_node }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.calicoctl }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.calico_cni }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.calico_policy }}"
tags: download
tags:
- download

8
roles/network_plugin/canal/tasks/main.yml
View file

@ -56,7 +56,9 @@
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
tags:
- hyperkube
- upgrade
- name: Canal | Copy cni plugins from calico/cni
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
@ -65,7 +67,9 @@
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
tags:
- hyperkube
- upgrade
- name: Canal | Set cni directory permissions
file:

7
roles/network_plugin/flannel/meta/main.yml
View file

@ -2,7 +2,10 @@
dependencies:
- role: download
file: "{{ downloads.flannel }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.flannel_cni }}"
tags: download
tags:
- download

16
roles/network_plugin/meta/main.yml
View file

@ -2,15 +2,23 @@
dependencies:
- role: network_plugin/calico
when: kube_network_plugin == 'calico'
tags: calico
tags:
- calico
- role: network_plugin/flannel
when: kube_network_plugin == 'flannel'
tags: flannel
tags:
- flannel
- role: network_plugin/weave
when: kube_network_plugin == 'weave'
tags: weave
tags:
- weave
- role: network_plugin/canal
when: kube_network_plugin == 'canal'
tags: canal
tags:
- canal
- role: network_plugin/cloud
when: kube_network_plugin == 'cloud'

7
roles/network_plugin/weave/meta/main.yml
View file

@ -2,7 +2,10 @@
dependencies:
- role: download
file: "{{ downloads.weave_kube }}"
tags: download
tags:
- download
- role: download
file: "{{ downloads.weave_npc }}"
tags: download
tags:
- download

4
roles/network_plugin/weave/tasks/main.yml
View file

@ -9,7 +9,9 @@
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
tags:
- hyperkube
- upgrade
- name: Weave | Create weave-net manifest
template:

18
roles/network_plugin/weave/tasks/seed.yml
View file

@ -4,28 +4,32 @@
seed: '{% for host in groups["k8s-cluster"] %}{{ hostvars[host]["ansible_default_ipv4"]["macaddress"] }}{% if not loop.last %},{% endif %}{% endfor %}'
when: "weave_seed == 'uninitialized'"
run_once: true
tags: confweave
tags:
- confweave
- name: Weave seed | Set seed if not first time
set_fact:
seed: '{{ weave_seed }}'
when: "weave_seed != 'uninitialized'"
run_once: true
tags: confweave
tags:
- confweave
- name: Weave seed | Set peers if fist time
set_fact:
peers: '{{ weave_ip_current_cluster }}'
when: "weave_peers == 'uninitialized'"
run_once: true
tags: confweave
tags:
- confweave
- name: Weave seed | Set peers if existing peers
set_fact:
peers: '{{ weave_peers }}{% for ip in weave_ip_current_cluster.split(" ") %}{% if ip not in weave_peers.split(" ") %} {{ ip }}{% endif %}{% endfor %}'
when: "weave_peers != 'uninitialized'"
run_once: true
tags: confweave
tags:
- confweave
- name: Weave seed | Save seed
lineinfile:
@ -36,7 +40,8 @@
become: no
delegate_to: 127.0.0.1
run_once: true
tags: confweave
tags:
- confweave
- name: Weave seed | Save peers
lineinfile:
@ -47,4 +52,5 @@
become: no
delegate_to: 127.0.0.1
run_once: true
tags: confweave
tags:
- confweave

39
roles/reset/tasks/main.yml
View file

@ -9,7 +9,8 @@
- vault
- etcd
failed_when: false
tags: ['services']
tags:
- services
- name: reset | remove services
file:
@ -21,7 +22,8 @@
- vault
- calico-node
register: services_removed
tags: ['services']
tags:
- services
- name: reset | remove docker dropins
file:
@ -31,7 +33,8 @@
- docker-dns.conf
- docker-options.conf
register: docker_dropins_removed
tags: ['docker']
tags:
- docker
- name: reset | systemctl daemon-reload
command: systemctl daemon-reload
@ -43,31 +46,36 @@
retries: 4
until: remove_all_containers.rc == 0
delay: 5
tags: ['docker']
tags:
- docker
- name: reset | restart docker if needed
service:
name: docker
state: restarted
when: docker_dropins_removed.changed
tags: ['docker']
tags:
- docker
- name: reset | gather mounted kubelet dirs
shell: mount | grep /var/lib/kubelet | awk '{print $3}' | tac
check_mode: no
register: mounted_dirs
tags: ['mounts']
tags:
- mounts
- name: reset | unmount kubelet dirs
command: umount {{item}}
with_items: '{{ mounted_dirs.stdout_lines }}'
tags: ['mounts']
tags:
- mounts
- name: flush iptables
iptables:
flush: yes
when: flush_iptables|bool
tags: ['iptables']
tags:
- iptables
- name: reset | delete some files and directories
file:
@ -115,7 +123,8 @@
- "{{ bin_dir }}/helm"
- "{{ bin_dir }}/calicoctl"
- "{{ bin_dir }}/weave"
tags: ['files']
tags:
- files
- name: reset | remove dns settings from dhclient.conf
blockinfile:
@ -127,7 +136,9 @@
with_items:
- /etc/dhclient.conf
- /etc/dhcp/dhclient.conf
tags: ['files', 'dns']
tags:
- files
- dns
- name: reset | remove host entries from /etc/hosts
blockinfile:
@ -135,7 +146,9 @@
state: absent
follow: yes
marker: "# Ansible inventory hosts {mark}"
tags: ['files', 'dns']
tags:
- files
- dns
- name: reset | Restart network
service:
@ -147,4 +160,6 @@
{%- endif %}
state: restarted
when: ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"]
tags: ['services', 'network']
tags:
- services
- network

3
roles/rkt/tasks/install.yml
View file

@ -12,7 +12,8 @@
paths:
- ../vars
skip: true
tags: facts
tags:
- facts
- name: install rkt pkg on ubuntu
apt:

4
roles/vault/meta/main.yml
View file

@ -3,6 +3,8 @@
dependencies:
- role: adduser
user: "{{ vault_adduser_vars }}"
- role: download
file: "{{ vault_download_vars }}"
tags: download
tags:
- download