Normalize tags in all places to prepare for tag fixing in future (#1739)

Aivars Sterns 2017-10-05 10:43:04 +03:00 committed by Matthew Mosesohn
parent cb611b5ed0
commit 9c86da1403
48 changed files with 501 additions and 189 deletions


@ -3,7 +3,8 @@
raw: stat /opt/bin/.bootstrapped raw: stat /opt/bin/.bootstrapped
register: need_bootstrap register: need_bootstrap
failed_when: false failed_when: false
tags: facts tags:
- facts
- name: Bootstrap | Run bootstrap.sh - name: Bootstrap | Run bootstrap.sh
script: bootstrap.sh script: bootstrap.sh
@ -11,7 +12,8 @@
- set_fact: - set_fact:
ansible_python_interpreter: "/opt/bin/python" ansible_python_interpreter: "/opt/bin/python"
tags: facts tags:
- facts
- name: Bootstrap | Check if we need to install pip - name: Bootstrap | Check if we need to install pip
shell: "{{ansible_python_interpreter}} -m pip --version" shell: "{{ansible_python_interpreter}} -m pip --version"
@ -20,7 +22,8 @@
changed_when: false changed_when: false
check_mode: no check_mode: no
when: need_bootstrap.rc != 0 when: need_bootstrap.rc != 0
tags: facts tags:
- facts
- name: Bootstrap | Copy get-pip.py - name: Bootstrap | Copy get-pip.py
copy: copy:


@ -8,7 +8,8 @@
with_items: with_items:
- python - python
- pip - pip
tags: facts tags:
- facts
- name: Bootstrap | Install python 2.x and pip - name: Bootstrap | Install python 2.x and pip
raw: raw:
@ -19,4 +20,5 @@
- set_fact: - set_fact:
ansible_python_interpreter: "/usr/bin/python" ansible_python_interpreter: "/usr/bin/python"
tags: facts tags:
- facts


@ -3,4 +3,6 @@ dependencies:
- role: download - role: download
file: "{{ downloads.dnsmasq }}" file: "{{ downloads.dnsmasq }}"
when: dns_mode == 'dnsmasq_kubedns' and download_localhost|default(false) when: dns_mode == 'dnsmasq_kubedns' and download_localhost|default(false)
tags: [download, dnsmasq] tags:
- download
- dnsmasq


@ -3,13 +3,15 @@
file: file:
path: /etc/dnsmasq.d path: /etc/dnsmasq.d
state: directory state: directory
tags: bootstrap-os tags:
- bootstrap-os
- name: ensure dnsmasq.d-available directory exists - name: ensure dnsmasq.d-available directory exists
file: file:
path: /etc/dnsmasq.d-available path: /etc/dnsmasq.d-available
state: directory state: directory
tags: bootstrap-os tags:
- bootstrap-os
- name: check system nameservers - name: check system nameservers
shell: awk '/^nameserver/ {print $NF}' /etc/resolv.conf shell: awk '/^nameserver/ {print $NF}' /etc/resolv.conf


@ -12,11 +12,13 @@
paths: paths:
- ../vars - ../vars
skip: true skip: true
tags: facts tags:
- facts
- include: set_facts_dns.yml - include: set_facts_dns.yml
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns' when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
tags: facts tags:
- facts
- name: check for minimum kernel version - name: check for minimum kernel version
fail: fail:
@ -25,7 +27,8 @@
{{ docker_kernel_min_version }} on {{ docker_kernel_min_version }} on
{{ ansible_distribution }}-{{ ansible_distribution_version }} {{ ansible_distribution }}-{{ ansible_distribution_version }}
when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel|version_compare(docker_kernel_min_version, "<")) when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel|version_compare(docker_kernel_min_version, "<"))
tags: facts tags:
- facts
- name: ensure docker repository public key is installed - name: ensure docker repository public key is installed
action: "{{ docker_repo_key_info.pkg_key }}" action: "{{ docker_repo_key_info.pkg_key }}"


@ -7,7 +7,8 @@
when: when:
- download.enabled|bool - download.enabled|bool
- not download.container|bool - not download.container|bool
tags: bootstrap-os tags:
- bootstrap-os
- name: file_download | Download item - name: file_download | Download item
get_url: get_url:
@ -50,7 +51,8 @@
- set_fact: - set_fact:
download_delegate: "{% if download_localhost|bool %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}" download_delegate: "{% if download_localhost|bool %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
run_once: true run_once: true
tags: facts tags:
- facts
- name: container_download | Create dest directory for saved/loaded container images - name: container_download | Create dest directory for saved/loaded container images
file: file:
@ -62,7 +64,8 @@
when: when:
- download.enabled|bool - download.enabled|bool
- download.container|bool - download.container|bool
tags: bootstrap-os tags:
- bootstrap-os
# This is required for the download_localhost delegate to work smooth with Container Linux by CoreOS cluster nodes # This is required for the download_localhost delegate to work smooth with Container Linux by CoreOS cluster nodes
- name: container_download | Hack python binary path for localhost - name: container_download | Hack python binary path for localhost
@ -70,7 +73,8 @@
delegate_to: localhost delegate_to: localhost
when: download_delegate == 'localhost' when: download_delegate == 'localhost'
failed_when: false failed_when: false
tags: localhost tags:
- localhost
- name: container_download | create local directory for saved/loaded container images - name: container_download | create local directory for saved/loaded container images
file: file:
@ -85,7 +89,8 @@
- download.enabled|bool - download.enabled|bool
- download.container|bool - download.container|bool
- download_delegate == 'localhost' - download_delegate == 'localhost'
tags: localhost tags:
- localhost
- name: container_download | Make download decision if pull is required by tag or sha256 - name: container_download | Make download decision if pull is required by tag or sha256
include: set_docker_image_facts.yml include: set_docker_image_facts.yml
@ -94,7 +99,8 @@
- download.container|bool - download.container|bool
delegate_to: "{{ download_delegate if download_run_once|bool or omit }}" delegate_to: "{{ download_delegate if download_run_once|bool or omit }}"
run_once: "{{ download_run_once|bool }}" run_once: "{{ download_run_once|bool }}"
tags: facts tags:
- facts
- name: container_download | Download containers if pull is required or told to always pull - name: container_download | Download containers if pull is required or told to always pull
command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}" command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
@ -112,7 +118,8 @@
- set_fact: - set_fact:
fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar" fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar"
run_once: true run_once: true
tags: facts tags:
- facts
- name: "container_download | Set default value for 'container_changed' to false" - name: "container_download | Set default value for 'container_changed' to false"
set_fact: set_fact:
@ -126,7 +133,8 @@
- download.container|bool - download.container|bool
- pull_required|bool|default(download_always_pull) - pull_required|bool|default(download_always_pull)
run_once: "{{ download_run_once|bool }}" run_once: "{{ download_run_once|bool }}"
tags: facts tags:
- facts
- name: container_download | Stat saved container image - name: container_download | Stat saved container image
stat: stat:
@ -140,7 +148,8 @@
delegate_to: "{{ download_delegate }}" delegate_to: "{{ download_delegate }}"
become: false become: false
run_once: true run_once: true
tags: facts tags:
- facts
- name: container_download | save container images - name: container_download | save container images
shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}" shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}"
@ -188,7 +197,9 @@
- download_run_once|bool - download_run_once|bool
- download.enabled|bool - download.enabled|bool
- download.container|bool - download.container|bool
tags: [upload, upgrade] tags:
- upload
- upgrade
- name: container_download | load container images - name: container_download | load container images
shell: "{{ docker_bin_dir }}/docker load < {{ fname }}" shell: "{{ docker_bin_dir }}/docker load < {{ fname }}"
@ -198,4 +209,6 @@
- download_run_once|bool - download_run_once|bool
- download.enabled|bool - download.enabled|bool
- download.container|bool - download.container|bool
tags: [upload, upgrade] tags:
- upload
- upgrade


@ -3,8 +3,10 @@ dependencies:
- role: adduser - role: adduser
user: "{{ addusers.etcd }}" user: "{{ addusers.etcd }}"
when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic) when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
- role: download - role: download
file: "{{ downloads.etcd }}" file: "{{ downloads.etcd }}"
tags: download tags:
- download
# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault" # NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"


@ -6,7 +6,8 @@
changed_when: false changed_when: false
check_mode: no check_mode: no
when: is_etcd_master when: is_etcd_master
tags: facts tags:
- facts
- name: Configure | Add member to the cluster if it is not there - name: Configure | Add member to the cluster if it is not there
when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0 when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0


@ -83,7 +83,8 @@
'node-{{ node }}-key.pem', 'node-{{ node }}-key.pem',
{% endfor %}]" {% endfor %}]"
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem'] my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
tags: facts tags:
- facts
- name: Gen_certs | Gather etcd master certs - name: Gen_certs | Gather etcd master certs
shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0" shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"


@ -1,11 +1,13 @@
--- ---
- include: sync_etcd_master_certs.yml - include: sync_etcd_master_certs.yml
when: inventory_hostname in groups.etcd when: inventory_hostname in groups.etcd
tags: etcd-secrets tags:
- etcd-secrets
- include: sync_etcd_node_certs.yml - include: sync_etcd_node_certs.yml
when: inventory_hostname in etcd_node_cert_hosts when: inventory_hostname in etcd_node_cert_hosts
tags: etcd-secrets tags:
- etcd-secrets
# Issue master certs to Etcd nodes # Issue master certs to Etcd nodes
- include: ../../vault/tasks/shared/issue_cert.yml - include: ../../vault/tasks/shared/issue_cert.yml


@ -1,13 +1,17 @@
--- ---
- include: check_certs.yml - include: check_certs.yml
when: cert_management == "script" when: cert_management == "script"
tags: [etcd-secrets, facts] tags:
- etcd-secrets
- facts
- include: "gen_certs_{{ cert_management }}.yml" - include: "gen_certs_{{ cert_management }}.yml"
tags: etcd-secrets tags:
- etcd-secrets
- include: upd_ca_trust.yml - include: upd_ca_trust.yml
tags: etcd-secrets tags:
- etcd-secrets
- name: "Gen_certs | Get etcd certificate serials" - name: "Gen_certs | Get etcd certificate serials"
shell: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial | cut -d= -f2" shell: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial | cut -d= -f2"
@ -16,7 +20,8 @@
- include: "install_{{ etcd_deployment_type }}.yml" - include: "install_{{ etcd_deployment_type }}.yml"
when: is_etcd_master when: is_etcd_master
tags: upgrade tags:
- upgrade
- include: set_cluster_health.yml - include: set_cluster_health.yml
when: is_etcd_master and etcd_cluster_setup when: is_etcd_master and etcd_cluster_setup


@ -6,4 +6,5 @@
changed_when: false changed_when: false
check_mode: no check_mode: no
when: is_etcd_master when: is_etcd_master
tags: facts tags:
- facts


@ -9,7 +9,8 @@
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%} {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
/etc/ssl/certs/etcd-ca.pem /etc/ssl/certs/etcd-ca.pem
{%- endif %} {%- endif %}
tags: facts tags:
- facts
- name: Gen_certs | add CA to trusted CA dir - name: Gen_certs | add CA to trusted CA dir
copy: copy:


@ -16,7 +16,8 @@
resource: "{{ item }}" resource: "{{ item }}"
state: absent state: absent
with_items: ['deploy', 'svc'] with_items: ['deploy', 'svc']
tags: upgrade tags:
- upgrade
- name: Kubernetes Apps | Delete kubeadm kubedns - name: Kubernetes Apps | Delete kubeadm kubedns
kube: kube:
@ -46,7 +47,8 @@
when: when:
- dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
- rbac_enabled or item.type not in rbac_resources - rbac_enabled or item.type not in rbac_resources
tags: dnsmasq tags:
- dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084, only needed for "old" kube-dns # see https://github.com/kubernetes/kubernetes/issues/45084, only needed for "old" kube-dns
- name: Kubernetes Apps | Patch system:kube-dns ClusterRole - name: Kubernetes Apps | Patch system:kube-dns ClusterRole
@ -64,7 +66,8 @@
when: when:
- dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
- rbac_enabled and kubedns_version|version_compare("1.11.0", "<", strict=True) - rbac_enabled and kubedns_version|version_compare("1.11.0", "<", strict=True)
tags: dnsmasq tags:
- dnsmasq
- name: Kubernetes Apps | Start Resources - name: Kubernetes Apps | Start Resources
kube: kube:
@ -79,14 +82,17 @@
- dns_mode != 'none' - dns_mode != 'none'
- inventory_hostname == groups['kube-master'][0] - inventory_hostname == groups['kube-master'][0]
- not item|skipped - not item|skipped
tags: dnsmasq tags:
- dnsmasq
- name: Kubernetes Apps | Netchecker - name: Kubernetes Apps | Netchecker
include: tasks/netchecker.yml include: tasks/netchecker.yml
when: deploy_netchecker when: deploy_netchecker
tags: netchecker tags:
- netchecker
- name: Kubernetes Apps | Dashboard - name: Kubernetes Apps | Dashboard
include: tasks/dashboard.yml include: tasks/dashboard.yml
when: dashboard_enabled when: dashboard_enabled
tags: dashboard tags:
- dashboard


@ -4,7 +4,9 @@
stat: stat:
path: "{{ kube_config_dir }}/netchecker-server-deployment.yml.j2" path: "{{ kube_config_dir }}/netchecker-server-deployment.yml.j2"
register: netchecker_server_manifest register: netchecker_server_manifest
tags: ['facts', 'upgrade'] tags:
- facts
- upgrade
- name: Kubernetes Apps | Apply netchecker-server manifest to update annotations - name: Kubernetes Apps | Apply netchecker-server manifest to update annotations
kube: kube:
@ -15,7 +17,8 @@
resource: "deploy" resource: "deploy"
state: latest state: latest
when: inventory_hostname == groups['kube-master'][0] and netchecker_server_manifest.stat.exists when: inventory_hostname == groups['kube-master'][0] and netchecker_server_manifest.stat.exists
tags: upgrade tags:
- upgrade
- name: Kubernetes Apps | Lay Down Netchecker Template - name: Kubernetes Apps | Lay Down Netchecker Template
template: template:


@ -3,16 +3,34 @@ dependencies:
- role: download - role: download
file: "{{ downloads.netcheck_server }}" file: "{{ downloads.netcheck_server }}"
when: deploy_netchecker when: deploy_netchecker
tags: [download, netchecker] tags:
- download
- netchecker
- role: download - role: download
file: "{{ downloads.netcheck_agent }}" file: "{{ downloads.netcheck_agent }}"
when: deploy_netchecker when: deploy_netchecker
tags: [download, netchecker] tags:
- {role: kubernetes-apps/ansible, tags: apps} - download
- {role: kubernetes-apps/kpm, tags: [apps, kpm]} - netchecker
- role: kubernetes-apps/ansible
tags:
- apps
- role: kubernetes-apps/kpm
tags:
- apps
- kpm
- role: kubernetes-apps/efk - role: kubernetes-apps/efk
when: efk_enabled when: efk_enabled
tags: [ apps, efk ] tags:
- apps
- efk
- role: kubernetes-apps/helm - role: kubernetes-apps/helm
when: helm_enabled when: helm_enabled
tags: [ apps, helm ] tags:
- apps
- helm


@ -2,13 +2,20 @@
dependencies: dependencies:
- role: kubernetes-apps/network_plugin/calico - role: kubernetes-apps/network_plugin/calico
when: kube_network_plugin == 'calico' when: kube_network_plugin == 'calico'
tags: calico tags:
- calico
- role: kubernetes-apps/network_plugin/canal - role: kubernetes-apps/network_plugin/canal
when: kube_network_plugin == 'canal' when: kube_network_plugin == 'canal'
tags: canal tags:
- canal
- role: kubernetes-apps/network_plugin/flannel - role: kubernetes-apps/network_plugin/flannel
when: kube_network_plugin == 'flannel' when: kube_network_plugin == 'flannel'
tags: flannel tags:
- flannel
- role: kubernetes-apps/network_plugin/weave - role: kubernetes-apps/network_plugin/weave
when: kube_network_plugin == 'weave' when: kube_network_plugin == 'weave'
tags: weave tags:
- weave


@ -3,7 +3,9 @@
set_fact: set_fact:
calico_cert_dir: "{{ canal_cert_dir }}" calico_cert_dir: "{{ canal_cert_dir }}"
when: kube_network_plugin == 'canal' when: kube_network_plugin == 'canal'
tags: [facts, canal] tags:
- facts
- canal
- name: Get calico-policy-controller version if running - name: Get calico-policy-controller version if running
shell: "{{ bin_dir }}/kubectl -n {{ system_namespace }} get rs calico-policy-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}' | cut -d':' -f2" shell: "{{ bin_dir }}/kubectl -n {{ system_namespace }} get rs calico-policy-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}' | cut -d':' -f2"


@ -2,13 +2,23 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.calico_policy }}" file: "{{ downloads.calico_policy }}"
when: enable_network_policy and when:
kube_network_plugin in ['calico', 'canal'] - enable_network_policy
tags: [download, canal, policy-controller] - kube_network_plugin in ['calico', 'canal']
tags:
- download
- canal
- policy-controller
- role: policy_controller/calico - role: policy_controller/calico
when: kube_network_plugin == 'calico' and when:
enable_network_policy - kube_network_plugin == 'calico'
tags: policy-controller - enable_network_policy
tags:
- policy-controller
- role: policy_controller/calico - role: policy_controller/calico
when: kube_network_plugin == 'canal' when:
tags: policy-controller - kube_network_plugin == 'canal'
tags:
- policy-controller
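Review bot: The `when:` keys on the download and both `policy_controller/calico` entries in this section are rewritten from a single `a and b` expression into a two-item list, which goes beyond the tag normalization the commit title describes and is not mentioned anywhere on the page. Ansible combines list conditions with an implicit AND, so the result appears equivalent, but a reader auditing which hosts get the policy controller has to know that rule to confirm nothing changed. A short line in the commit description, or a comment above the first rewritten entry such as `# when: list items are ANDed; equivalent to the former single expression`, would make the intent explicit.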


@ -11,7 +11,8 @@
{%- else -%} {%- else -%}
https://{{ first_kube_master }}:{{ kube_apiserver_port }} https://{{ first_kube_master }}:{{ kube_apiserver_port }}
{%- endif -%} {%- endif -%}
tags: facts tags:
- facts
- name: Gather certs for admin kubeconfig - name: Gather certs for admin kubeconfig
slurp: slurp:


@ -8,7 +8,8 @@
{{ kube_apiserver_endpoint }} {{ kube_apiserver_endpoint }}
{%- endif %} {%- endif %}
when: not is_kube_master when: not is_kube_master
tags: facts tags:
- facts
- name: Check if kubelet.conf exists - name: Check if kubelet.conf exists
stat: stat:


@ -2,4 +2,6 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.hyperkube }}" file: "{{ downloads.hyperkube }}"
tags: [download, hyperkube] tags:
- download
- hyperkube


@ -48,7 +48,8 @@
{%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif %} {%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif %}
{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }} {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
{%- endfor %} {%- endfor %}
tags: facts tags:
- facts
- name: kubeadm | Copy etcd cert dir under k8s cert dir - name: kubeadm | Copy etcd cert dir under k8s cert dir
command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd" command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"


@ -1,6 +1,7 @@
--- ---
- include: pre-upgrade.yml - include: pre-upgrade.yml
tags: k8s-pre-upgrade tags:
- k8s-pre-upgrade
# upstream bug: https://github.com/kubernetes/kubeadm/issues/441 # upstream bug: https://github.com/kubernetes/kubeadm/issues/441
- name: Disable kube_basic_auth until kubeadm/441 is fixed - name: Disable kube_basic_auth until kubeadm/441 is fixed
@ -18,12 +19,16 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
tags: [hyperkube, kubectl, upgrade] tags:
- hyperkube
- kubectl
- upgrade
- name: Install kubectl bash completion - name: Install kubectl bash completion
shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh" shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
when: ansible_os_family in ["Debian","RedHat"] when: ansible_os_family in ["Debian","RedHat"]
tags: kubectl tags:
- kubectl
- name: Set kubectl bash completion file - name: Set kubectl bash completion file
file: file:
@ -32,7 +37,9 @@
group: root group: root
mode: 0755 mode: 0755
when: ansible_os_family in ["Debian","RedHat"] when: ansible_os_family in ["Debian","RedHat"]
tags: [kubectl, upgrade] tags:
- kubectl
- upgrade
- task: Include kubeadm setup if enabled - task: Include kubeadm setup if enabled
include: kubeadm-setup.yml include: kubeadm-setup.yml


@ -4,7 +4,8 @@
src: manifests/kube-apiserver.manifest.j2 src: manifests/kube-apiserver.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-apiserver.manifest" dest: "{{ kube_manifest_dir }}/kube-apiserver.manifest"
notify: Master | wait for the apiserver to be running notify: Master | wait for the apiserver to be running
tags: kube-apiserver tags:
- kube-apiserver
- meta: flush_handlers - meta: flush_handlers
@ -13,7 +14,8 @@
src: namespace.j2 src: namespace.j2
dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml" dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
tags: apps tags:
- apps
- name: Check if kube system namespace exists - name: Check if kube system namespace exists
command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}" command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
@ -21,7 +23,8 @@
changed_when: False changed_when: False
failed_when: False failed_when: False
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
tags: apps tags:
- apps
- name: Create kube system namespace - name: Create kube system namespace
command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml" command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
@ -31,30 +34,35 @@
until: create_system_ns.rc == 0 until: create_system_ns.rc == 0
changed_when: False changed_when: False
when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0 when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
tags: apps tags:
- apps
- name: Write kube-scheduler kubeconfig - name: Write kube-scheduler kubeconfig
template: template:
src: kube-scheduler-kubeconfig.yaml.j2 src: kube-scheduler-kubeconfig.yaml.j2
dest: "{{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml" dest: "{{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml"
tags: kube-scheduler tags:
- kube-scheduler
- name: Write kube-scheduler manifest - name: Write kube-scheduler manifest
template: template:
src: manifests/kube-scheduler.manifest.j2 src: manifests/kube-scheduler.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest" dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest"
notify: Master | wait for kube-scheduler notify: Master | wait for kube-scheduler
tags: kube-scheduler tags:
- kube-scheduler
- name: Write kube-controller-manager kubeconfig - name: Write kube-controller-manager kubeconfig
template: template:
src: kube-controller-manager-kubeconfig.yaml.j2 src: kube-controller-manager-kubeconfig.yaml.j2
dest: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml" dest: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml"
tags: kube-controller-manager tags:
- kube-controller-manager
- name: Write kube-controller-manager manifest - name: Write kube-controller-manager manifest
template: template:
src: manifests/kube-controller-manager.manifest.j2 src: manifests/kube-controller-manager.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest" dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest"
notify: Master | wait for kube-controller-manager notify: Master | wait for kube-controller-manager
tags: kube-controller-manager tags:
- kube-controller-manager


@ -2,44 +2,90 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.hyperkube }}" file: "{{ downloads.hyperkube }}"
tags: [download, hyperkube, kubelet, network, canal, calico, weave, kube-controller-manager, kube-scheduler, kube-apiserver, kube-proxy, kubectl] tags:
- download
- hyperkube
- kubelet
- network
- canal
- calico
- weave
- kube-controller-manager
- kube-scheduler
- kube-apiserver
- kube-proxy
- kubectl
- role: download - role: download
file: "{{ downloads.pod_infra }}" file: "{{ downloads.pod_infra }}"
tags: [download, kubelet] tags:
- download
- kubelet
- role: download - role: download
file: "{{ downloads.install_socat }}" file: "{{ downloads.install_socat }}"
tags: [download, kubelet]
when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
tags:
- download
- kubelet
- role: download - role: download
file: "{{ downloads.kubeadm }}" file: "{{ downloads.kubeadm }}"
tags: [download, kubelet, kubeadm]
when: kubeadm_enabled when: kubeadm_enabled
tags:
- download
- kubelet
- kubeadm
- role: kubernetes/secrets - role: kubernetes/secrets
when: not kubeadm_enabled when: not kubeadm_enabled
tags: k8s-secrets tags:
- k8s-secrets
- role: download - role: download
file: "{{ downloads.nginx }}" file: "{{ downloads.nginx }}"
tags: [download, nginx] tags:
- download
- nginx
- role: download - role: download
file: "{{ downloads.testbox }}" file: "{{ downloads.testbox }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.netcheck_server }}" file: "{{ downloads.netcheck_server }}"
when: deploy_netchecker when: deploy_netchecker
tags: [download, netchecker] tags:
- download
- netchecker
- role: download - role: download
file: "{{ downloads.netcheck_agent }}" file: "{{ downloads.netcheck_agent }}"
when: deploy_netchecker when: deploy_netchecker
tags: [download, netchecker] tags:
- download
- netchecker
- role: download - role: download
file: "{{ downloads.kubedns }}" file: "{{ downloads.kubedns }}"
tags: [download, dnsmasq] tags:
- download
- dnsmasq
- role: download - role: download
file: "{{ downloads.dnsmasq_nanny }}" file: "{{ downloads.dnsmasq_nanny }}"
tags: [download, dnsmasq] tags:
- download
- dnsmasq
- role: download - role: download
file: "{{ downloads.dnsmasq_sidecar }}" file: "{{ downloads.dnsmasq_sidecar }}"
tags: [download, dnsmasq] tags:
- download
- dnsmasq
- role: download - role: download
file: "{{ downloads.kubednsautoscaler }}" file: "{{ downloads.kubednsautoscaler }}"
tags: [download, dnsmasq] tags:
- download
- dnsmasq


@ -11,19 +11,22 @@
'/usr/share/ca-certificates', '/usr/share/ca-certificates',
{% endif -%} {% endif -%}
]" ]"
tags: facts tags:
- facts
- name: Set kubelet deployment to host if kubeadm is enabled - name: Set kubelet deployment to host if kubeadm is enabled
set_fact: set_fact:
kubelet_deployment_type: host kubelet_deployment_type: host
when: kubeadm_enabled when: kubeadm_enabled
tags: kubeadm tags:
- kubeadm
- name: install | Copy kubeadm binary from download dir - name: install | Copy kubeadm binary from download dir
command: rsync -piu "{{ local_release_dir }}/kubeadm" "{{ bin_dir }}/kubeadm" command: rsync -piu "{{ local_release_dir }}/kubeadm" "{{ bin_dir }}/kubeadm"
changed_when: false changed_when: false
when: kubeadm_enabled when: kubeadm_enabled
tags: kubeadm tags:
- kubeadm
- name: install | Set kubeadm binary permissions - name: install | Set kubeadm binary permissions
file: file:
@ -31,7 +34,8 @@
mode: "0755" mode: "0755"
state: file state: file
when: kubeadm_enabled when: kubeadm_enabled
tags: kubeadm tags:
- kubeadm
- include: "install_{{ kubelet_deployment_type }}.yml" - include: "install_{{ kubelet_deployment_type }}.yml"


@ -6,7 +6,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
tags: [hyperkube, upgrade] tags:
- hyperkube
- upgrade
notify: restart kubelet notify: restart kubelet
- name: install | Copy socat wrapper for Container Linux - name: install | Copy socat wrapper for Container Linux


@ -1,9 +1,11 @@
--- ---
- include: facts.yml - include: facts.yml
tags: facts tags:
- facts
- include: pre_upgrade.yml - include: pre_upgrade.yml
tags: kubelet tags:
- kubelet
- name: Ensure /var/lib/cni exists - name: Ensure /var/lib/cni exists
file: file:
@ -12,11 +14,13 @@
mode: 0755 mode: 0755
- include: install.yml - include: install.yml
tags: kubelet tags:
- kubelet
- include: nginx-proxy.yml - include: nginx-proxy.yml
when: is_kube_master == false and loadbalancer_apiserver_localhost|default(true) when: is_kube_master == false and loadbalancer_apiserver_localhost|default(true)
tags: nginx tags:
- nginx
- name: Write kubelet config file (non-kubeadm) - name: Write kubelet config file (non-kubeadm)
template: template:
@ -25,7 +29,8 @@
backup: yes backup: yes
when: not kubeadm_enabled when: not kubeadm_enabled
notify: restart kubelet notify: restart kubelet
tags: kubelet tags:
- kubelet
- name: Write kubelet config file (kubeadm) - name: Write kubelet config file (kubeadm)
template: template:
@ -34,7 +39,9 @@
backup: yes backup: yes
when: kubeadm_enabled when: kubeadm_enabled
notify: restart kubelet notify: restart kubelet
tags: ['kubelet', 'kubeadm'] tags:
- kubelet
- kubeadm
- name: write the kubecfg (auth) file for kubelet - name: write the kubecfg (auth) file for kubelet
template: template:
@ -46,7 +53,8 @@
- kube-proxy - kube-proxy
when: not kubeadm_enabled when: not kubeadm_enabled
notify: restart kubelet notify: restart kubelet
tags: kubelet tags:
- kubelet
- name: Ensure nodePort range is reserved - name: Ensure nodePort range is reserved
sysctl: sysctl:
@ -56,7 +64,8 @@
state: present state: present
reload: yes reload: yes
when: kube_apiserver_node_port_range is defined when: kube_apiserver_node_port_range is defined
tags: kube-proxy tags:
- kube-proxy
- name: Verify if br_netfilter module exists - name: Verify if br_netfilter module exists
shell: "modinfo br_netfilter" shell: "modinfo br_netfilter"
@ -94,14 +103,16 @@
src: manifests/kube-proxy.manifest.j2 src: manifests/kube-proxy.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-proxy.manifest" dest: "{{ kube_manifest_dir }}/kube-proxy.manifest"
when: not kubeadm_enabled when: not kubeadm_enabled
tags: kube-proxy tags:
- kube-proxy
- name: Purge proxy manifest for kubeadm - name: Purge proxy manifest for kubeadm
file: file:
path: "{{ kube_manifest_dir }}/kube-proxy.manifest" path: "{{ kube_manifest_dir }}/kube-proxy.manifest"
state: absent state: absent
when: kubeadm_enabled when: kubeadm_enabled
tags: kube-proxy tags:
- kube-proxy
# reload-systemd # reload-systemd
- meta: flush_handlers - meta: flush_handlers
@ -111,4 +122,5 @@
name: kubelet name: kubelet
enabled: yes enabled: yes
state: started state: started
tags: kubelet tags:
- kubelet

@ -8,4 +8,4 @@
- name: "Pre-upgrade | ensure kubelet container is stopped if using host deployment" - name: "Pre-upgrade | ensure kubelet container is stopped if using host deployment"
command: docker stop kubelet command: docker stop kubelet
failed_when: false failed_when: false
when: kubelet_deployment_type == "host" when: kubelet_deployment_type == 'host'

@ -2,5 +2,6 @@
dependencies: dependencies:
- role: adduser - role: adduser
user: "{{ addusers.kube }}" user: "{{ addusers.kube }}"
tags: kubelet when: not is_atomic
when: not is_atomic tags:
- kubelet

@ -1,12 +1,14 @@
--- ---
- include: verify-settings.yml - include: verify-settings.yml
tags: asserts tags:
- asserts
- name: Force binaries directory for Container Linux by CoreOS - name: Force binaries directory for Container Linux by CoreOS
set_fact: set_fact:
bin_dir: "/opt/bin" bin_dir: "/opt/bin"
when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: facts tags:
- facts
- name: check bin dir exists - name: check bin dir exists
file: file:
@ -14,10 +16,12 @@
state: directory state: directory
owner: root owner: root
become: true become: true
tags: bootstrap-os tags:
- bootstrap-os
- include: set_facts.yml - include: set_facts.yml
tags: facts tags:
- facts
- name: gather os specific variables - name: gather os specific variables
include_vars: "{{ item }}" include_vars: "{{ item }}"
@ -32,7 +36,8 @@
paths: paths:
- ../vars - ../vars
skip: true skip: true
tags: facts tags:
- facts
- name: Create kubernetes directories - name: Create kubernetes directories
file: file:
@ -40,7 +45,16 @@
state: directory state: directory
owner: kube owner: kube
when: inventory_hostname in groups['k8s-cluster'] when: inventory_hostname in groups['k8s-cluster']
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node] tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
- apps
- network
- master
- node
with_items: with_items:
- "{{ kube_config_dir }}" - "{{ kube_config_dir }}"
- "{{ kube_config_dir }}/ssl" - "{{ kube_config_dir }}/ssl"
@ -53,13 +67,17 @@
when: when:
- cloud_provider is defined - cloud_provider is defined
- cloud_provider not in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere'] - cloud_provider not in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere']
tags: [cloud-provider, facts] tags:
- cloud-provider
- facts
- include: "{{ cloud_provider }}-credential-check.yml" - include: "{{ cloud_provider }}-credential-check.yml"
when: when:
- cloud_provider is defined - cloud_provider is defined
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ] - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
tags: [cloud-provider, facts] tags:
- cloud-provider
- facts
- name: Create cni directories - name: Create cni directories
file: file:
@ -72,7 +90,12 @@
when: when:
- kube_network_plugin in ["calico", "weave", "canal", "flannel"] - kube_network_plugin in ["calico", "weave", "canal", "flannel"]
- inventory_hostname in groups['k8s-cluster'] - inventory_hostname in groups['k8s-cluster']
tags: [network, calico, weave, canal, bootstrap-os] tags:
- network
- calico
- weave
- canal
- bootstrap-os
- name: Update package management cache (YUM) - name: Update package management cache (YUM)
yum: yum:
@ -85,7 +108,8 @@
when: when:
- ansible_pkg_mgr == 'yum' - ansible_pkg_mgr == 'yum'
- not is_atomic - not is_atomic
tags: bootstrap-os tags:
- bootstrap-os
- name: Install latest version of python-apt for Debian distribs - name: Install latest version of python-apt for Debian distribs
apt: apt:
@ -94,7 +118,8 @@
update_cache: yes update_cache: yes
cache_valid_time: 3600 cache_valid_time: 3600
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
tags: bootstrap-os tags:
- bootstrap-os
- name: Install python-dnf for latest RedHat versions - name: Install python-dnf for latest RedHat versions
command: dnf install -y python-dnf yum command: dnf install -y python-dnf yum
@ -106,7 +131,8 @@
- ansible_distribution == "Fedora" - ansible_distribution == "Fedora"
- ansible_distribution_major_version > 21 - ansible_distribution_major_version > 21
changed_when: False changed_when: False
tags: bootstrap-os tags:
- bootstrap-os
- name: Install epel-release on RedHat/CentOS - name: Install epel-release on RedHat/CentOS
shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }} shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }}
@ -121,7 +147,8 @@
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: False changed_when: False
check_mode: no check_mode: no
tags: bootstrap-os tags:
- bootstrap-os
- name: Install packages requirements - name: Install packages requirements
action: action:
@ -134,7 +161,8 @@
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}" with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
tags: bootstrap-os tags:
- bootstrap-os
# Todo : selinux configuration # Todo : selinux configuration
- name: Confirm selinux deployed - name: Confirm selinux deployed
@ -151,7 +179,8 @@
- ansible_os_family == "RedHat" - ansible_os_family == "RedHat"
- slc.stat.exists == True - slc.stat.exists == True
changed_when: False changed_when: False
tags: bootstrap-os tags:
- bootstrap-os
- name: Disable IPv6 DNS lookup - name: Disable IPv6 DNS lookup
lineinfile: lineinfile:
@ -162,18 +191,21 @@
when: when:
- disable_ipv6_dns - disable_ipv6_dns
- not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: bootstrap-os tags:
- bootstrap-os
- name: set default sysctl file path - name: set default sysctl file path
set_fact: set_fact:
sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf" sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
tags: bootstrap-os tags:
- bootstrap-os
- name: Stat sysctl file configuration - name: Stat sysctl file configuration
stat: stat:
path: "{{sysctl_file_path}}" path: "{{sysctl_file_path}}"
register: sysctl_file_stat register: sysctl_file_stat
tags: bootstrap-os tags:
- bootstrap-os
- name: Change sysctl file path to link source if linked - name: Change sysctl file path to link source if linked
set_fact: set_fact:
@ -181,7 +213,8 @@
when: when:
- sysctl_file_stat.stat.islnk is defined - sysctl_file_stat.stat.islnk is defined
- sysctl_file_stat.stat.islnk - sysctl_file_stat.stat.islnk
tags: bootstrap-os tags:
- bootstrap-os
- name: Enable ip forwarding - name: Enable ip forwarding
sysctl: sysctl:
@ -189,7 +222,8 @@
name: net.ipv4.ip_forward name: net.ipv4.ip_forward
value: 1 value: 1
state: present state: present
tags: bootstrap-os tags:
- bootstrap-os
- name: Write cloud-config - name: Write cloud-config
template: template:
@ -201,39 +235,50 @@
- inventory_hostname in groups['k8s-cluster'] - inventory_hostname in groups['k8s-cluster']
- cloud_provider is defined - cloud_provider is defined
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ] - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
tags: [cloud-provider] tags:
- cloud-provider
- include: etchosts.yml - include: etchosts.yml
tags: [bootstrap-os, etchosts] tags:
- bootstrap-os
- etchosts
- include: resolvconf.yml - include: resolvconf.yml
when: when:
- dns_mode != 'none' - dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf' - resolvconf_mode == 'host_resolvconf'
tags: [bootstrap-os, resolvconf] tags:
- bootstrap-os
- resolvconf
- include: dhclient-hooks.yml - include: dhclient-hooks.yml
when: when:
- dns_mode != 'none' - dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf' - resolvconf_mode == 'host_resolvconf'
- not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: [bootstrap-os, resolvconf] tags:
- bootstrap-os
- resolvconf
- include: dhclient-hooks-undo.yml - include: dhclient-hooks-undo.yml
when: when:
- dns_mode != 'none' - dns_mode != 'none'
- resolvconf_mode != 'host_resolvconf' - resolvconf_mode != 'host_resolvconf'
- not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
tags: [bootstrap-os, resolvconf] tags:
- bootstrap-os
- resolvconf
- name: Check if we are running inside a Azure VM - name: Check if we are running inside a Azure VM
stat: stat:
path: /var/lib/waagent/ path: /var/lib/waagent/
register: azure_check register: azure_check
tags: bootstrap-os tags:
- bootstrap-os
- include: growpart-azure-centos-7.yml - include: growpart-azure-centos-7.yml
when: when:
- azure_check.stat.exists - azure_check.stat.exists
- ansible_distribution in ["CentOS","RedHat"] - ansible_distribution in ["CentOS","RedHat"]
tags: bootstrap-os tags:
- bootstrap-os
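Review bot: The condition `- ansible_distribution_major_version > 21` in the python-dnf task (hunk `@ -106,7 +131,8 @@`) compares a string fact with an integer, so the result depends on the interpreter's type ordering rather than on the version number; cast first, `- ansible_distribution_major_version|int > 21`. In the trailing context of the same hunk, the epel-release task runs `rpm -ivh {{ epel_rpm_download_url }}` straight from a URL; rpm only warns when the package's signing key is not imported, so unless a key import or signature check lives in the part of that task outside the hunk, the install is unverified and a checked download (import the expected key, `rpm -K` the file, then install) would be the safer shape. Both lines are unchanged context here and the epel task body continues past the hunk.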

@ -12,4 +12,7 @@
when: is_atomic when: is_atomic
- include: set_resolv_facts.yml - include: set_resolv_facts.yml
tags: [bootstrap-os, resolvconf, facts] tags:
- bootstrap-os
- resolvconf
- facts

@ -6,8 +6,17 @@
owner: kube owner: kube
run_once: yes run_once: yes
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
when: gen_certs|default(false) when: gen_certs|default(false)
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
- apps
- network
- master
- node
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" - name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
file: file:
@ -16,8 +25,10 @@
owner: kube owner: kube
run_once: yes run_once: yes
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
tags: [k8s-secrets, bootstrap-os]
when: gen_certs|default(false) when: gen_certs|default(false)
tags:
- k8s-secrets
- bootstrap-os
- name: Gen_certs | write openssl config - name: Gen_certs | write openssl config
template: template:
@ -87,7 +98,8 @@
'node-{{ inventory_hostname }}-key.pem', 'node-{{ inventory_hostname }}-key.pem',
'kube-proxy-{{ inventory_hostname }}.pem', 'kube-proxy-{{ inventory_hostname }}.pem',
'kube-proxy-{{ inventory_hostname }}-key.pem'] 'kube-proxy-{{ inventory_hostname }}-key.pem']
tags: facts tags:
- facts
- name: Gen_certs | Gather master certs - name: Gen_certs | Gather master certs
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0" shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
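Review bot: The `Gen_certs | Gather master certs` task at the end of this hunk streams private keys through stdout as base64 (the list built just above it includes `node-{{ inventory_hostname }}-key.pem` and `kube-proxy-{{ inventory_hostname }}-key.pem`), so unless `no_log: true` is set in the part of the task body that lies past the hunk, the key material is echoed into Ansible output and any callback or log sink. The `<<<` here-string is also a bash construct; `shell` runs `/bin/sh` unless `args: executable: /bin/bash` is given, which on dash-based hosts would make the task fail — that too may be set in the lines outside the hunk, so please confirm both.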

@ -1,9 +1,13 @@
--- ---
- include: check-certs.yml - include: check-certs.yml
tags: [k8s-secrets, facts] tags:
- k8s-secrets
- facts
- include: check-tokens.yml - include: check-tokens.yml
tags: [k8s-secrets, facts] tags:
- k8s-secrets
- facts
- name: Make sure the certificate directory exits - name: Make sure the certificate directory exits
file: file:
@ -31,8 +35,17 @@
owner: kube owner: kube
run_once: yes run_once: yes
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
when: gen_certs|default(false) or gen_tokens|default(false) when: gen_certs|default(false) or gen_tokens|default(false)
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
- apps
- network
- master
- node
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" - name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
file: file:
@ -41,8 +54,10 @@
owner: kube owner: kube
run_once: yes run_once: yes
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
tags: [k8s-secrets, bootstrap-os]
when: gen_certs|default(false) or gen_tokens|default(false) when: gen_certs|default(false) or gen_tokens|default(false)
tags:
- k8s-secrets
- bootstrap-os
- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})" - name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
file: file:
@ -55,10 +70,12 @@
when: gen_tokens|default(false) when: gen_tokens|default(false)
- include: "gen_certs_{{ cert_management }}.yml" - include: "gen_certs_{{ cert_management }}.yml"
tags: k8s-secrets tags:
- k8s-secrets
- include: upd_ca_trust.yml - include: upd_ca_trust.yml
tags: k8s-secrets tags:
- k8s-secrets
- name: "Gen_certs | Get certificate serials on kube masters" - name: "Gen_certs | Get certificate serials on kube masters"
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@ -93,4 +110,5 @@
when: inventory_hostname in groups['k8s-cluster'] when: inventory_hostname in groups['k8s-cluster']
- include: gen_tokens.yml - include: gen_tokens.yml
tags: k8s-secrets tags:
- k8s-secrets
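Review bot: `- include: "gen_certs_{{ cert_management }}.yml"` in hunk `@ -55,10 +70,12 @@` builds its file name from a variable, which on Ansible versions that treat such includes as dynamic means the `tags: - k8s-secrets` applies to the include statement itself and is not automatically inherited by the tasks it pulls in, so `--tags k8s-secrets` may skip the generation tasks unless they carry the tag themselves. Since this commit is groundwork for tag fixing, it is worth confirming how tags propagate for this include and for the `upd_ca_trust.yml` and `gen_tokens.yml` includes below it before relying on them. `cert_management` also selects a file to execute; if it is not already constrained to the known values (for example in verify-settings), an assert there would fail loudly instead of with a missing-file error.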

@ -9,7 +9,8 @@
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%} {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
/etc/ssl/certs/kube-ca.pem /etc/ssl/certs/kube-ca.pem
{%- endif %} {%- endif %}
tags: facts tags:
- facts
- name: Gen_certs | add CA to trusted CA dir - name: Gen_certs | add CA to trusted CA dir
copy: copy:

@ -2,13 +2,20 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.calico_cni }}" file: "{{ downloads.calico_cni }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.calico_node }}" file: "{{ downloads.calico_node }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.calicoctl }}" file: "{{ downloads.calicoctl }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.hyperkube }}" file: "{{ downloads.hyperkube }}"
tags: download tags:
- download

@ -54,7 +54,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
tags: [hyperkube, upgrade] tags:
- hyperkube
- upgrade
- name: Calico | Copy cni plugins from calico/cni container - name: Calico | Copy cni plugins from calico/cni container
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'" command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
@ -64,7 +66,9 @@
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
when: overwrite_hyperkube_cni|bool when: overwrite_hyperkube_cni|bool
tags: [hyperkube, upgrade] tags:
- hyperkube
- upgrade
- name: Calico | Set cni directory permissions - name: Calico | Set cni directory permissions
file: file:
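Review bot: The `Calico | Copy cni plugins from calico/cni container` task, whose `command:` is the last line of hunk `@ -54,7 +54,9 @@` and whose `changed_when: false` and `when: overwrite_hyperkube_cni|bool` sit in hunk `@ -64,7 +66,9 @@`, overwrites binaries under `/opt/cni/bin` on the host yet always reports unchanged, so plugin drift between runs never shows in the recap. If `calico_cni_image_tag` is a mutable tag, the contents written can also differ from run to run with no record of it; pinning the image by digest, or at least dropping `changed_when: false` (or deriving it from a checksum comparison), would make the step auditable. The same command and `changed_when: false` appear in the canal section (hunks `@ -56,7 +56,9 @@` and `@ -65,7 +67,9 @@`). The task spans the gap between the two hunks, so lines of it are not visible here.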

@ -2,16 +2,25 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.flannel }}" file: "{{ downloads.flannel }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.calico_node }}" file: "{{ downloads.calico_node }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.calicoctl }}" file: "{{ downloads.calicoctl }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.calico_cni }}" file: "{{ downloads.calico_cni }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.calico_policy }}" file: "{{ downloads.calico_policy }}"
tags: download tags:
- download

@ -56,7 +56,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
tags: [hyperkube, upgrade] tags:
- hyperkube
- upgrade
- name: Canal | Copy cni plugins from calico/cni - name: Canal | Copy cni plugins from calico/cni
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'" command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
@ -65,7 +67,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
tags: [hyperkube, upgrade] tags:
- hyperkube
- upgrade
- name: Canal | Set cni directory permissions - name: Canal | Set cni directory permissions
file: file:

@ -2,7 +2,10 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.flannel }}" file: "{{ downloads.flannel }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.flannel_cni }}" file: "{{ downloads.flannel_cni }}"
tags: download tags:
- download

@ -2,15 +2,23 @@
dependencies: dependencies:
- role: network_plugin/calico - role: network_plugin/calico
when: kube_network_plugin == 'calico' when: kube_network_plugin == 'calico'
tags: calico tags:
- calico
- role: network_plugin/flannel - role: network_plugin/flannel
when: kube_network_plugin == 'flannel' when: kube_network_plugin == 'flannel'
tags: flannel tags:
- flannel
- role: network_plugin/weave - role: network_plugin/weave
when: kube_network_plugin == 'weave' when: kube_network_plugin == 'weave'
tags: weave tags:
- weave
- role: network_plugin/canal - role: network_plugin/canal
when: kube_network_plugin == 'canal' when: kube_network_plugin == 'canal'
tags: canal tags:
- canal
- role: network_plugin/cloud - role: network_plugin/cloud
when: kube_network_plugin == 'cloud' when: kube_network_plugin == 'cloud'

@ -2,7 +2,10 @@
dependencies: dependencies:
- role: download - role: download
file: "{{ downloads.weave_kube }}" file: "{{ downloads.weave_kube }}"
tags: download tags:
- download
- role: download - role: download
file: "{{ downloads.weave_npc }}" file: "{{ downloads.weave_npc }}"
tags: download tags:
- download

@ -9,7 +9,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
tags: [hyperkube, upgrade] tags:
- hyperkube
- upgrade
- name: Weave | Create weave-net manifest - name: Weave | Create weave-net manifest
template: template:

@ -4,28 +4,32 @@
seed: '{% for host in groups["k8s-cluster"] %}{{ hostvars[host]["ansible_default_ipv4"]["macaddress"] }}{% if not loop.last %},{% endif %}{% endfor %}' seed: '{% for host in groups["k8s-cluster"] %}{{ hostvars[host]["ansible_default_ipv4"]["macaddress"] }}{% if not loop.last %},{% endif %}{% endfor %}'
when: "weave_seed == 'uninitialized'" when: "weave_seed == 'uninitialized'"
run_once: true run_once: true
tags: confweave tags:
- confweave
- name: Weave seed | Set seed if not first time - name: Weave seed | Set seed if not first time
set_fact: set_fact:
seed: '{{ weave_seed }}' seed: '{{ weave_seed }}'
when: "weave_seed != 'uninitialized'" when: "weave_seed != 'uninitialized'"
run_once: true run_once: true
tags: confweave tags:
- confweave
- name: Weave seed | Set peers if fist time - name: Weave seed | Set peers if fist time
set_fact: set_fact:
peers: '{{ weave_ip_current_cluster }}' peers: '{{ weave_ip_current_cluster }}'
when: "weave_peers == 'uninitialized'" when: "weave_peers == 'uninitialized'"
run_once: true run_once: true
tags: confweave tags:
- confweave
- name: Weave seed | Set peers if existing peers - name: Weave seed | Set peers if existing peers
set_fact: set_fact:
peers: '{{ weave_peers }}{% for ip in weave_ip_current_cluster.split(" ") %}{% if ip not in weave_peers.split(" ") %} {{ ip }}{% endif %}{% endfor %}' peers: '{{ weave_peers }}{% for ip in weave_ip_current_cluster.split(" ") %}{% if ip not in weave_peers.split(" ") %} {{ ip }}{% endif %}{% endfor %}'
when: "weave_peers != 'uninitialized'" when: "weave_peers != 'uninitialized'"
run_once: true run_once: true
tags: confweave tags:
- confweave
- name: Weave seed | Save seed - name: Weave seed | Save seed
lineinfile: lineinfile:
@ -36,7 +40,8 @@
become: no become: no
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
run_once: true run_once: true
tags: confweave tags:
- confweave
- name: Weave seed | Save peers - name: Weave seed | Save peers
lineinfile: lineinfile:
@ -47,4 +52,5 @@
become: no become: no
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
run_once: true run_once: true
tags: confweave tags:
- confweave

@ -9,7 +9,8 @@
- vault - vault
- etcd - etcd
failed_when: false failed_when: false
tags: ['services'] tags:
- services
- name: reset | remove services - name: reset | remove services
file: file:
@ -21,7 +22,8 @@
- vault - vault
- calico-node - calico-node
register: services_removed register: services_removed
tags: ['services'] tags:
- services
- name: reset | remove docker dropins - name: reset | remove docker dropins
file: file:
@ -31,7 +33,8 @@
- docker-dns.conf - docker-dns.conf
- docker-options.conf - docker-options.conf
register: docker_dropins_removed register: docker_dropins_removed
tags: ['docker'] tags:
- docker
- name: reset | systemctl daemon-reload - name: reset | systemctl daemon-reload
command: systemctl daemon-reload command: systemctl daemon-reload
@ -43,31 +46,36 @@
retries: 4 retries: 4
until: remove_all_containers.rc == 0 until: remove_all_containers.rc == 0
delay: 5 delay: 5
tags: ['docker'] tags:
- docker
- name: reset | restart docker if needed - name: reset | restart docker if needed
service: service:
name: docker name: docker
state: restarted state: restarted
when: docker_dropins_removed.changed when: docker_dropins_removed.changed
tags: ['docker'] tags:
- docker
- name: reset | gather mounted kubelet dirs - name: reset | gather mounted kubelet dirs
shell: mount | grep /var/lib/kubelet | awk '{print $3}' | tac shell: mount | grep /var/lib/kubelet | awk '{print $3}' | tac
check_mode: no check_mode: no
register: mounted_dirs register: mounted_dirs
tags: ['mounts'] tags:
- mounts
- name: reset | unmount kubelet dirs - name: reset | unmount kubelet dirs
command: umount {{item}} command: umount {{item}}
with_items: '{{ mounted_dirs.stdout_lines }}' with_items: '{{ mounted_dirs.stdout_lines }}'
tags: ['mounts'] tags:
- mounts
- name: flush iptables - name: flush iptables
iptables: iptables:
flush: yes flush: yes
when: flush_iptables|bool when: flush_iptables|bool
tags: ['iptables'] tags:
- iptables
- name: reset | delete some files and directories - name: reset | delete some files and directories
file: file:
@ -115,7 +123,8 @@
- "{{ bin_dir }}/helm" - "{{ bin_dir }}/helm"
- "{{ bin_dir }}/calicoctl" - "{{ bin_dir }}/calicoctl"
- "{{ bin_dir }}/weave" - "{{ bin_dir }}/weave"
tags: ['files'] tags:
- files
- name: reset | remove dns settings from dhclient.conf - name: reset | remove dns settings from dhclient.conf
blockinfile: blockinfile:
@ -127,7 +136,9 @@
with_items: with_items:
- /etc/dhclient.conf - /etc/dhclient.conf
- /etc/dhcp/dhclient.conf - /etc/dhcp/dhclient.conf
tags: ['files', 'dns'] tags:
- files
- dns
- name: reset | remove host entries from /etc/hosts - name: reset | remove host entries from /etc/hosts
blockinfile: blockinfile:
@ -135,7 +146,9 @@
state: absent state: absent
follow: yes follow: yes
marker: "# Ansible inventory hosts {mark}" marker: "# Ansible inventory hosts {mark}"
tags: ['files', 'dns'] tags:
- files
- dns
- name: reset | Restart network - name: reset | Restart network
service: service:
@ -147,4 +160,6 @@
{%- endif %} {%- endif %}
state: restarted state: restarted
when: ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] when: ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"]
tags: ['services', 'network'] tags:
- services
- network

@ -12,7 +12,8 @@
paths: paths:
- ../vars - ../vars
skip: true skip: true
tags: facts tags:
- facts
- name: install rkt pkg on ubuntu - name: install rkt pkg on ubuntu
apt: apt:

@ -3,6 +3,8 @@
dependencies: dependencies:
- role: adduser - role: adduser
user: "{{ vault_adduser_vars }}" user: "{{ vault_adduser_vars }}"
- role: download - role: download
file: "{{ vault_download_vars }}" file: "{{ vault_download_vars }}"
tags: download tags:
- download