Improve proxy (#1771)

* Set no_proxy to all local ips

* Use proxy settings on all necessary tasks

docs/vars.md

@@ -101,7 +101,8 @@ Stack](https://github.com/kubernetes-incubator/kubespray/blob/master/docs/dns-st
 * *docker_options* - Commonly used to set
   ``--insecure-registry=myregistry.mydomain:5000``
 * *http_proxy/https_proxy/no_proxy* - Proxy variables for deploying behind a
-  proxy
+  proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
+  that correspond to each node.
 * *kubelet_deployment_type* - Controls which platform to deploy kubelet on. 
   Available options are ``host``, ``rkt``, and ``docker``. ``docker`` mode
   is unlikely to work on newer releases. Starting with Kubernetes v1.7 

inventory/group_vars/all.yml

@@ -91,9 +91,10 @@ bin_dir: /usr/local/bin
 #kubeadm_token_second: "{{ lookup('password', 'credentials/kubeadm_token_second length=16 chars=ascii_lowercase,digits') }}"
 #kubeadm_token: "{{ kubeadm_token_first }}.{{ kubeadm_token_second }}"
 #
-## Set these proxy values in order to update docker daemon to use proxies
+## Set these proxy values in order to update package manager and docker daemon to use proxies
 #http_proxy: ""
 #https_proxy: ""
+## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 #no_proxy: ""
 
 ## Uncomment this if you want to force overlay/overlay2 as docker storage driver

roles/docker/tasks/main.yml

@@ -40,6 +40,7 @@
   until: keyserver_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
 
@@ -67,6 +68,7 @@
   until: docker_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   with_items: "{{ docker_package_info.pkgs }}"
   notify: restart docker
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)

roles/docker/tasks/systemd.yml

@@ -8,7 +8,7 @@
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/docker.service.d/http-proxy.conf
-  when: http_proxy is defined or https_proxy is defined or no_proxy is defined
+  when: http_proxy is defined or https_proxy is defined
 
 - name: get systemd version
   command: rpm -q --qf '%{V}\n' systemd

roles/docker/templates/http-proxy.conf.j2

@@ -1,2 +1,2 @@
 [Service]
-Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}
+Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}

roles/download/tasks/main.yml

@@ -21,6 +21,7 @@
   until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - download.enabled|bool
     - not download.container|bool
@@ -108,6 +109,7 @@
   until: pull_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - download.enabled|bool
     - download.container|bool

roles/kubernetes/node/tasks/install_rkt.yml

@@ -28,5 +28,5 @@
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/kubelet.service.d/http-proxy.conf
-  when: http_proxy is defined or https_proxy is defined or no_proxy is defined
+  when: http_proxy is defined or https_proxy is defined
   notify: restart kubelet

roles/kubernetes/preinstall/tasks/main.yml

@@ -105,6 +105,7 @@
   until: yum_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - ansible_pkg_mgr == 'yum'
     - not is_atomic
@@ -117,6 +118,7 @@
     state: latest
     update_cache: yes
     cache_valid_time: 3600
+  environment: "{{ proxy_env }}"
   when: ansible_os_family == "Debian"
   tags:
     - bootstrap-os
@@ -127,6 +129,7 @@
   until: dnf_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - ansible_distribution == "Fedora"
     - ansible_distribution_major_version > 21
@@ -136,16 +139,17 @@
 
 - name: Install epel-release on RedHat/CentOS
   shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }}
+  register: epel_task_result
+  until: epel_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
+  changed_when: False
   when:
     - ansible_distribution in ["CentOS","RedHat"]
     - not is_atomic
     - epel_rpm_download_url != ''
     - epel_enabled|bool
-  register: epel_task_result
-  until: epel_task_result|succeeded
-  retries: 4
-  delay: "{{ retry_stagger | random + 3 }}"
-  changed_when: False
   check_mode: no
   tags:
     - bootstrap-os
@@ -159,6 +163,7 @@
   until: pkgs_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
   tags:

roles/kubespray-defaults/defaults/main.yaml

@@ -162,6 +162,28 @@ vault_config_dir: "{{ vault_base_dir }}/config"
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
 
+## Set no_proxy to all assigned cluster IPs and hostnames
+no_proxy: >-
+  127.0.0.1
+  localhost
+  {% if loadbalancer_apiserver is defined %}
+    {{ apiserver_loadbalancer_domain_name| default('') }}
+    {{ loadbalancer_apiserver.address | default('') }}
+  {% endif %}
+  {% for item in (groups['k8s-cluster'] + groups['etcd'] + groups['calico-rr']|default([]))|unique -%}
+    {{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(hostvars[item]['ansible_default_ipv4']['address'])) }}
+    {% if (item != hostvars[item]['ansible_hostname']) %} {{ hostvars[item]['ansible_hostname'] }}
+      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }}
+    {% endif %}
+    {{ item }}
+    {{ item }}.{{ dns_domain }}
+  {% endfor %}
+
+proxy_env:
+  http_proxy: "{{ http_proxy| default ('') }}"
+  https_proxy: "{{ https_proxy| default ('') }}"
+  no_proxy: "{{ no_proxy }}"
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"

roles/rkt/tasks/install.yml

@@ -23,6 +23,7 @@
   until: rkt_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when: ansible_os_family == "Debian"
 
 - name: install rkt pkg on centos
@@ -33,4 +34,5 @@
   until: rkt_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when: ansible_os_family == "RedHat"