Refactor downloads to use download role directly (#1824)

* Refactor downloads to use download role directly Also disable fact delegation so download delegate works acros OSes. * clean up bools and ansible_os_family conditionals
2017-10-19 09:17:11 +01:00 · 2017-10-19 09:17:11 +01:00 · fc9a65be2b
commit fc9a65be2b
parent 49dff97d9c
28 changed files with 312 additions and 472 deletions
--- a/cluster.yml
+++ b/cluster.yml
@ -31,6 +31,7 @@
    - role: rkt
      tags: rkt
      when: "'rkt' in [etcd_deployment_type, kubelet_deployment_type, vault_deployment_type]"
    - { role: download, tags: download, skip_downloads: false }
 - hosts: etcd:k8s-cluster:vault
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
--- a/roles/dnsmasq/meta/main.yml
+++ b/roles/dnsmasq/meta/main.yml
@ -1,8 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.dnsmasq }}"
    when: dns_mode == 'dnsmasq_kubedns' and download_localhost|default(false)
    tags:
      - download
      - dnsmasq
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -1,6 +1,9 @@
 ---
 local_release_dir: /tmp
 # Used to only evaluate vars from download role
 skip_downloads: false
 # if this is set to true will only download files once. Doesn't work
 # on Container Linux by CoreOS unless the download_localhost is true and localhost
 # is running another OS type. Default compress level is 1 (fastest).
@ -17,6 +20,9 @@ download_localhost: False
 # Always pull images if set to True. Otherwise check by the repo's tag/digest.
 download_always_pull: False
 # Use the first kube-master if download_localhost is not set
 download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
 # Versions
 kube_version: v1.8.0
 kubeadm_version: "{{ kube_version }}"
@ -44,6 +50,13 @@ istio_version: "0.2.6"
 istioctl_download_url: "https://storage.googleapis.com/istio-release/releases/{{ istio_version }}/istioctl/istioctl-linux"
 istioctl_checksum: fd703063c540b8c0ab943f478c05ab257d88ae27224c746a27d0526ddbf7c370
 vault_version: 0.8.1
 vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
 vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
 vault_image_repo: "vault"
 vault_image_tag: "{{ vault_version }}"
 # Containers
 etcd_image_repo: "quay.io/coreos/etcd"
 etcd_image_tag: "{{ etcd_version }}"
@ -113,23 +126,26 @@ tiller_image_tag: "{{ tiller_version }}"
 downloads:
  netcheck_server:
    enabled: "{{ deploy_netchecker }}"
    container: true
    repo: "{{ netcheck_server_img_repo }}"
    tag: "{{ netcheck_server_tag }}"
    sha256: "{{ netcheck_server_digest_checksum|default(None) }}"
    enabled: "{{ deploy_netchecker|bool }}"
  netcheck_agent:
    enabled: "{{ deploy_netchecker }}"
    container: true
    repo: "{{ netcheck_agent_img_repo }}"
    tag: "{{ netcheck_agent_tag }}"
    sha256: "{{ netcheck_agent_digest_checksum|default(None) }}"
    enabled: "{{ deploy_netchecker|bool }}"
  etcd:
    enabled: true
    container: true
    repo: "{{ etcd_image_repo }}"
    tag: "{{ etcd_image_tag }}"
    sha256: "{{ etcd_digest_checksum|default(None) }}"
  kubeadm:
    enabled: "{{ kubeadm_enabled }}"
    file: true
    version: "{{ kubeadm_version }}"
    dest: "kubeadm"
    sha256: "{{ kubeadm_checksum }}"
@ -139,6 +155,8 @@ downloads:
    owner: "root"
    mode: "0755"
  istioctl:
    enabled: "{{ istio_enabled }}"
    file: true
    version: "{{ istio_version }}"
    dest: "istio/istioctl"
    sha256: "{{ istioctl_checksum }}"
@ -148,145 +166,173 @@ downloads:
    owner: "root"
    mode: "0755"
  hyperkube:
    enabled: true
    container: true
    repo: "{{ hyperkube_image_repo }}"
    tag: "{{ hyperkube_image_tag }}"
    sha256: "{{ hyperkube_digest_checksum|default(None) }}"
  flannel:
    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ flannel_image_repo }}"
    tag: "{{ flannel_image_tag }}"
    sha256: "{{ flannel_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
  flannel_cni:
    enabled: "{{ kube_network_plugin == 'flannel' }}"
    container: true
    repo: "{{ flannel_cni_image_repo }}"
    tag: "{{ flannel_cni_image_tag }}"
    sha256: "{{ flannel_cni_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'flannel' }}"
  calicoctl:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calicoctl_image_repo }}"
    tag: "{{ calicoctl_image_tag }}"
    sha256: "{{ calicoctl_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
  calico_node:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_node_image_repo }}"
    tag: "{{ calico_node_image_tag }}"
    sha256: "{{ calico_node_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
  calico_cni:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_cni_image_repo }}"
    tag: "{{ calico_cni_image_tag }}"
    sha256: "{{ calico_cni_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
  calico_policy:
    enabled: "{{ enable_network_policy or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_policy_image_repo }}"
    tag: "{{ calico_policy_image_tag }}"
    sha256: "{{ calico_policy_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'canal' }}"
  calico_rr:
    enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr}} and kube_network_plugin == 'calico'"
    container: true
    repo: "{{ calico_rr_image_repo }}"
    tag: "{{ calico_rr_image_tag }}"
    sha256: "{{ calico_rr_digest_checksum|default(None) }}"
    enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr}} and kube_network_plugin == 'calico'"
  weave_kube:
    enabled: "{{ kube_network_plugin == 'weave' }}"
    container: true
    repo: "{{ weave_kube_image_repo }}"
    tag: "{{ weave_kube_image_tag }}"
    sha256: "{{ weave_kube_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'weave' }}"
  weave_npc:
    enabled: "{{ kube_network_plugin == 'weave' }}"
    container: true
    repo: "{{ weave_npc_image_repo }}"
    tag: "{{ weave_npc_image_tag }}"
    sha256: "{{ weave_npc_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'weave' }}"
  pod_infra:
    enabled: true
    container: true
    repo: "{{ pod_infra_image_repo }}"
    tag: "{{ pod_infra_image_tag }}"
    sha256: "{{ pod_infra_digest_checksum|default(None) }}"
  install_socat:
    enabled: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] }}"
    container: true
    repo: "{{ install_socat_image_repo }}"
    tag: "{{ install_socat_image_tag }}"
    sha256: "{{ install_socat_digest_checksum|default(None) }}"
  nginx:
    enabled: true
    container: true
    repo: "{{ nginx_image_repo }}"
    tag: "{{ nginx_image_tag }}"
    sha256: "{{ nginx_digest_checksum|default(None) }}"
  dnsmasq:
    enabled: "{{ dns_mode == 'dnsmasq_kubedns' }}"
    container: true
    repo: "{{ dnsmasq_image_repo }}"
    tag: "{{ dnsmasq_image_tag }}"
    sha256: "{{ dnsmasq_digest_checksum|default(None) }}"
  kubedns:
    enabled: true
    container: true
    repo: "{{ kubedns_image_repo }}"
    tag: "{{ kubedns_image_tag }}"
    sha256: "{{ kubedns_digest_checksum|default(None) }}"
  dnsmasq_nanny:
    enabled: true
    container: true
    repo: "{{ dnsmasq_nanny_image_repo }}"
    tag: "{{ dnsmasq_nanny_image_tag }}"
    sha256: "{{ dnsmasq_nanny_digest_checksum|default(None) }}"
  dnsmasq_sidecar:
    enabled: true
    container: true
    repo: "{{ dnsmasq_sidecar_image_repo }}"
    tag: "{{ dnsmasq_sidecar_image_tag }}"
    sha256: "{{ dnsmasq_sidecar_digest_checksum|default(None) }}"
  kubednsautoscaler:
    enabled: true
    container: true
    repo: "{{ kubednsautoscaler_image_repo }}"
    tag: "{{ kubednsautoscaler_image_tag }}"
    sha256: "{{ kubednsautoscaler_digest_checksum|default(None) }}"
  testbox:
    enabled: true
    container: true
    repo: "{{ test_image_repo }}"
    tag: "{{ test_image_tag }}"
    sha256: "{{ testbox_digest_checksum|default(None) }}"
  elasticsearch:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ elasticsearch_image_repo }}"
    tag: "{{ elasticsearch_image_tag }}"
    sha256: "{{ elasticsearch_digest_checksum|default(None) }}"
  fluentd:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ fluentd_image_repo }}"
    tag: "{{ fluentd_image_tag }}"
    sha256: "{{ fluentd_digest_checksum|default(None) }}"
  kibana:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ kibana_image_repo }}"
    tag: "{{ kibana_image_tag }}"
    sha256: "{{ kibana_digest_checksum|default(None) }}"
  helm:
    enabled: "{{ helm_enabled }}"
    container: true
    repo: "{{ helm_image_repo }}"
    tag: "{{ helm_image_tag }}"
    sha256: "{{ helm_digest_checksum|default(None) }}"
  tiller:
    enabled: "{{ helm_enabled }}"
    container: true
    repo: "{{ tiller_image_repo }}"
    tag: "{{ tiller_image_tag }}"
    sha256: "{{ tiller_digest_checksum|default(None) }}"
  vault:
    enabled: "{{ cert_management == 'vault' }}"
    container: "{{ vault_deployment_type != 'host' }}"
    file: "{{ vault_deployment_type == 'host' }}"
    dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
    mode: "0755"
    owner: "vault"
    repo: "{{ vault_image_repo }}"
    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
    source_url: "{{ vault_download_url }}"
    tag: "{{ vault_image_tag }}"
    unarchive: true
    url: "{{ vault_download_url }}"
    version: "{{ vault_version }}"
-download:
+download_defaults:
-  container: "{{ file.container|default(false) }}"
+  container: false
-  repo: "{{ file.repo|default(None) }}"
+  file: false
-  tag: "{{ file.tag|default(None) }}"
+  repo: None
-  enabled: "{{ file.enabled|default(true) }}"
+  tag: None
-  dest: "{{ file.dest|default(None) }}"
+  enabled: false
-  version: "{{ file.version|default(None) }}"
+  dest: None
-  sha256: "{{ file.sha256|default(None) }}"
+  version: None
-  source_url: "{{ file.source_url|default(None) }}"
+  url: None
-  url: "{{ file.url|default(None) }}"
+  unarchive: false
-  unarchive: "{{ file.unarchive|default(false) }}"
+  owner: kube
-  owner: "{{ file.owner|default('kube') }}"
+  mode: None
  mode: "{{ file.mode|default(None) }}"
--- a/roles/download/meta/main.yml
+++ b/roles/download/meta/main.yml
@ -0,0 +1,2 @@
 ---
 allow_duplicates: true
--- a/roles/download/tasks/download_container.yml
+++ b/roles/download/tasks/download_container.yml
@ -0,0 +1,26 @@
 ---
 - name: container_download | Make download decision if pull is required by tag or sha256
  include: set_docker_image_facts.yml
  delegate_to: "{{ download_delegate if download_run_once or omit }}"
  delegate_facts: no
  run_once: "{{ download_run_once }}"
  when:
    - download.enabled
    - download.container
  tags:
    - facts
 - name: container_download | Download containers if pull is required or told to always pull
  command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
  register: pull_task_result
  until: pull_task_result|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  environment: "{{ proxy_env }}"
  when:
    - download.enabled
    - download.container
    - pull_required|default(download_always_pull)
  delegate_to: "{{ download_delegate if download_run_once or omit }}"
  delegate_facts: no
  run_once: "{{ download_run_once }}"
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@ -0,0 +1,37 @@
 ---
 - name: file_download | Create dest directory
  file:
    path: "{{local_release_dir}}/{{download.dest|dirname}}"
    state: directory
    recurse: yes
  when:
    - download.enabled
    - download.file
 - name: file_download | Download item
  get_url:
    url: "{{download.url}}"
    dest: "{{local_release_dir}}/{{download.dest}}"
    sha256sum: "{{download.sha256 | default(omit)}}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
  register: get_url_result
  until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  environment: "{{ proxy_env }}"
  when:
    - download.enabled
    - download.file
 - name: file_download | Extract archives
  unarchive:
    src: "{{ local_release_dir }}/{{download.dest}}"
    dest: "{{ local_release_dir }}/{{download.dest|dirname}}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
    copy: no
  when:
    - download.enabled
    - download.file
    - download.unarchive|default(False)
--- a/roles/download/tasks/download_prep.yml
+++ b/roles/download/tasks/download_prep.yml
@ -0,0 +1,32 @@
 ---
 - name: Register docker images info
  raw: >-
    {{ docker_bin_dir }}/docker images -q | xargs {{ docker_bin_dir }}/docker inspect -f "{{ '{{' }} (index .RepoTags 0) {{ '}}' }},{{ '{{' }} (index .RepoDigests 0) {{ '}}' }}" | tr '\n' ','
  no_log: true
  register: docker_images
  failed_when: false
  changed_when: false
  check_mode: no
 - name: container_download | Create dest directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
    mode: 0755
    owner: "{{ansible_ssh_user|default(ansible_user_id)}}"
 - name: container_download | create local directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
  delegate_to: localhost
  delegate_facts: false
  become: false
  run_once: true
  when:
    - download_run_once
    - download_delegate == 'localhost'
  tags:
    - localhost
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@ -1,218 +1,24 @@
 ---
- name: file_download | Create dest directories
+- import_tasks: download_prep.yml
  file:
    path: "{{local_release_dir}}/{{download.dest|dirname}}"
    state: directory
    recurse: yes
  when:
-    - download.enabled|bool
+    - not skip_downloads|default(false)
    - not download.container|bool
  tags:
    - bootstrap-os
- name: file_download | Download item
+- name: "Download items"
-  get_url:
+  include: "download_{% if download.container %}container{% else %}file{% endif %}.yml"
-    url: "{{download.url}}"
+  vars:
-    dest: "{{local_release_dir}}/{{download.dest}}"
+    download: "{{ download_defaults | combine(item.value) }}"
-    sha256sum: "{{download.sha256 | default(omit)}}"
+  with_dict: "{{ downloads }}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
  register: get_url_result
  until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  environment: "{{ proxy_env }}"
  when:
-    - download.enabled|bool
+    - not skip_downloads|default(false)
-    - not download.container|bool
+    - item.enabled
- name: file_download | Extract archives
+- name: "Sync container"
-  unarchive:
+  include: sync_container.yml
-    src: "{{ local_release_dir }}/{{download.dest}}"
+  vars:
-    dest: "{{ local_release_dir }}/{{download.dest|dirname}}"
+    download: "{{ download_defaults | combine(item.value) }}"
-    owner: "{{ download.owner|default(omit) }}"
+  with_dict: "{{ downloads }}"
    mode: "{{ download.mode|default(omit) }}"
    copy: no
  when:
-    - download.enabled|bool
+    - not skip_downloads|default(false)
-    - not download.container|bool
+    - item.enabled
-    - download.unarchive|default(False)
+    - item.container
-
+    - download_run_once
 - name: file_download | Fix permissions
  file:
    state: file
    path: "{{local_release_dir}}/{{download.dest}}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
  when:
    - download.enabled|bool
    - not download.container|bool
    - (download.unarchive is not defined or download.unarchive == False)
 - set_fact:
    download_delegate: "{% if download_localhost|bool %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
  run_once: true
  tags:
    - facts
 - name: container_download | Create dest directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
    mode: 0755
    owner: "{{ansible_ssh_user|default(ansible_user_id)}}"
  when:
    - download.enabled|bool
    - download.container|bool
  tags:
    - bootstrap-os
 # This is required for the download_localhost delegate to work smooth with Container Linux by CoreOS cluster nodes
 - name: container_download | Hack python binary path for localhost
  raw: sh -c "mkdir -p /opt/bin; ln -sf /usr/bin/python /opt/bin/python"
  delegate_to: localhost
  when: download_delegate == 'localhost'
  failed_when: false
  tags:
    - localhost
 - name: container_download | create local directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
  delegate_to: localhost
  become: false
  run_once: true
  when:
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
    - download_delegate == 'localhost'
  tags:
    - localhost
 - name: container_download | Make download decision if pull is required by tag or sha256
  include: set_docker_image_facts.yml
  when:
    - download.enabled|bool
    - download.container|bool
  delegate_to: "{{ download_delegate if download_run_once|bool or omit }}"
  run_once: "{{ download_run_once|bool }}"
  tags:
    - facts
 - name: container_download | Download containers if pull is required or told to always pull
  command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
  register: pull_task_result
  until: pull_task_result|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  environment: "{{ proxy_env }}"
  when:
    - download.enabled|bool
    - download.container|bool
    - pull_required|bool|default(download_always_pull)
  delegate_to: "{{ download_delegate if download_run_once|bool or omit }}"
  run_once: "{{ download_run_once|bool }}"
 - set_fact:
    fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar"
  run_once: true
  tags:
    - facts
 - name: "container_download | Set default value for 'container_changed' to false"
  set_fact:
    container_changed: "{{pull_required|default(false)|bool}}"
 - name: "container_download | Update the 'container_changed' fact"
  set_fact:
    container_changed: "{{ pull_required|bool|default(false) or not 'up to date' in pull_task_result.stdout }}"
  when:
    - download.enabled|bool
    - download.container|bool
    - pull_required|bool|default(download_always_pull)
  run_once: "{{ download_run_once|bool }}"
  tags:
    - facts
 - name: container_download | Stat saved container image
  stat:
    path: "{{fname}}"
  register: img
  changed_when: false
  when:
    - download.enabled|bool
    - download.container|bool
    - download_run_once|bool
  delegate_to: "{{ download_delegate }}"
  become: false
  run_once: true
  tags:
    - facts
 - name: container_download | save container images
  shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}"
  delegate_to: "{{ download_delegate }}"
  register: saved
  run_once: true
  when:
    - (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or download_delegate == "localhost")
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
    - (container_changed|bool or not img.stat.exists)
 - name: container_download | copy container images to ansible host
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    use_ssh_args: yes
    mode: pull
  delegate_to: localhost
  become: false
  when:
    - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
    - inventory_hostname == groups['kube-master'][0]
    - download_delegate != "localhost"
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
    - saved.changed
 - name: container_download | upload container images to nodes
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    use_ssh_args: yes
    mode: push
  delegate_to: localhost
  become: false
  register: get_task
  until: get_task|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != groups['kube-master'][0] or
      download_delegate == "localhost")
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
  tags:
    - upload
    - upgrade
 - name: container_download | load container images
  shell: "{{ docker_bin_dir }}/docker load < {{ fname }}"
  when:
    - (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != groups['kube-master'][0] or download_delegate == "localhost")
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
  tags:
    - upload
    - upgrade
--- a/roles/download/tasks/set_docker_image_facts.yml
+++ b/roles/download/tasks/set_docker_image_facts.yml
@ -5,7 +5,7 @@
 - set_fact:
    pull_args: >-
-      {%- if pull_by_digest|bool %}{{download.repo}}@sha256:{{download.sha256}}{%- else -%}{{download.repo}}:{{download.tag}}{%- endif -%}
+      {%- if pull_by_digest %}{{download.repo}}@sha256:{{download.sha256}}{%- else -%}{{download.repo}}:{{download.tag}}{%- endif -%}
 - name: Register docker images info
  raw: >-
@ -15,16 +15,16 @@
  failed_when: false
  changed_when: false
  check_mode: no
-  when: not download_always_pull|bool
+  when: not download_always_pull
 - set_fact:
    pull_required: >-
      {%- if pull_args in docker_images.stdout.split(',') %}false{%- else -%}true{%- endif -%}
-  when: not download_always_pull|bool
+  when: not download_always_pull
 - name: Check the local digest sha256 corresponds to the given image tag
  assert:
    that: "{{download.repo}}:{{download.tag}} in docker_images.stdout.split(',')"
-  when: not download_always_pull|bool and not pull_required|bool and pull_by_digest|bool
+  when: not download_always_pull and not pull_required and pull_by_digest
  tags:
    - asserts
--- a/roles/download/tasks/sync_container.yml
+++ b/roles/download/tasks/sync_container.yml
@ -0,0 +1,114 @@
 ---
 - set_fact:
    fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar"
  run_once: true
  when:
    - download.enabled
    - download.container
    - download_run_once
  tags:
    - facts
 - name: "container_download | Set default value for 'container_changed' to false"
  set_fact:
    container_changed: "{{pull_required|default(false)}}"
  when:
    - download.enabled
    - download.container
    - download_run_once
 - name: "container_download | Update the 'container_changed' fact"
  set_fact:
    container_changed: "{{ pull_required|default(false) or not 'up to date' in pull_task_result.stdout }}"
  when:
    - download.enabled
    - download.container
    - download_run_once
    - pull_required|default(download_always_pull)
  run_once: "{{ download_run_once }}"
  tags:
    - facts
 - name: container_download | Stat saved container image
  stat:
    path: "{{fname}}"
  register: img
  changed_when: false
  delegate_to: "{{ download_delegate }}"
  delegate_facts: no
  become: false
  run_once: true
  when:
    - download.enabled
    - download.container
    - download_run_once
  tags:
    - facts
 - name: container_download | save container images
  shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}"
  delegate_to: "{{ download_delegate }}"
  delegate_facts: no
  register: saved
  run_once: true
  when:
    - download.enabled
    - download.container
    - download_run_once
    - (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] or download_delegate == "localhost")
    - (container_changed or not img.stat.exists)
 - name: container_download | copy container images to ansible host
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    use_ssh_args: yes
    mode: pull
  delegate_to: localhost
  delegate_facts: no
  run_once: true
  become: false
  when:
    - download.enabled
    - download.container
    - download_run_once
    - ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"]
    - inventory_hostname == download_delegate
    - download_delegate != "localhost"
    - saved.changed
 - name: container_download | upload container images to nodes
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    use_ssh_args: yes
    mode: push
  delegate_to: localhost
  delegate_facts: no
  become: false
  register: get_task
  until: get_task|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - download.enabled
    - download.container
    - download_run_once
    - (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != download_delegate or
      download_delegate == "localhost")
  tags:
    - upload
    - upgrade
 - name: container_download | load container images
  shell: "{{ docker_bin_dir }}/docker load < {{ fname }}"
  when:
    - download.enabled
    - download.container
    - download_run_once
    - (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != download_delegate or download_delegate == "localhost")
  tags:
    - upload
    - upgrade
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@ -4,9 +4,4 @@ dependencies:
    user: "{{ addusers.etcd }}"
    when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
  - role: download
    file: "{{ downloads.etcd }}"
    tags:
      - download
 # NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
--- a/roles/kubernetes-apps/efk/elasticsearch/meta/main.yml
+++ b/roles/kubernetes-apps/efk/elasticsearch/meta/main.yml
@ -1,7 +1,4 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.elasticsearch }}"
 # TODO: bradbeam add in curator
 #       https://github.com/Skillshare/kubernetes-efk/blob/master/configs/elasticsearch.yml#L94
 #  - role: download
--- a/roles/kubernetes-apps/efk/fluentd/meta/main.yml
+++ b/roles/kubernetes-apps/efk/fluentd/meta/main.yml
@ -1,4 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.fluentd }}"
--- a/roles/kubernetes-apps/efk/kibana/meta/main.yml
+++ b/roles/kubernetes-apps/efk/kibana/meta/main.yml
@ -1,4 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.kibana }}"
--- a/roles/kubernetes-apps/helm/meta/main.yml
+++ b/roles/kubernetes-apps/helm/meta/main.yml
@ -1,6 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.helm }}"
  - role: download
    file: "{{ downloads.tiller }}"
--- a/roles/kubernetes-apps/istio/meta/main.yml
+++ b/roles/kubernetes-apps/istio/meta/main.yml
@ -1,4 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.istioctl }}"
--- a/roles/kubernetes-apps/meta/main.yml
+++ b/roles/kubernetes-apps/meta/main.yml
@ -1,19 +1,5 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.netcheck_server }}"
    when: deploy_netchecker
    tags:
      - download
      - netchecker
  - role: download
    file: "{{ downloads.netcheck_agent }}"
    when: deploy_netchecker
    tags:
      - download
      - netchecker
  - role: kubernetes-apps/ansible
    tags:
      - apps
--- a/roles/kubernetes-apps/policy_controller/meta/main.yml
+++ b/roles/kubernetes-apps/policy_controller/meta/main.yml
@ -1,15 +1,5 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.calico_policy }}"
    when:
      - enable_network_policy
      - kube_network_plugin in ['calico', 'canal']
    tags:
      - download
      - canal
      - policy-controller
  - role: policy_controller/calico
    when:
      - kube_network_plugin == 'calico'
--- a/roles/kubernetes/master/meta/main.yml
+++ b/roles/kubernetes/master/meta/main.yml
@ -1,7 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.hyperkube }}"
    tags:
      - download
      - hyperkube
--- a/roles/kubernetes/node/meta/main.yml
+++ b/roles/kubernetes/node/meta/main.yml
@ -1,91 +1,6 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.hyperkube }}"
    tags:
      - download
      - hyperkube
      - kubelet
      - network
      - canal
      - calico
      - weave
      - kube-controller-manager
      - kube-scheduler
      - kube-apiserver
      - kube-proxy
      - kubectl
  - role: download
    file: "{{ downloads.pod_infra }}"
    tags:
      - download
      - kubelet
  - role: download
    file: "{{ downloads.install_socat }}"
    when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
    tags:
      - download
      - kubelet
  - role: download
    file: "{{ downloads.kubeadm }}"
    when: kubeadm_enabled
    tags:
      - download
      - kubelet
      - kubeadm
  - role: kubernetes/secrets
    when: not kubeadm_enabled
    tags:
      - k8s-secrets
  - role: download
    file: "{{ downloads.nginx }}"
    tags:
      - download
      - nginx
  - role: download
    file: "{{ downloads.testbox }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.netcheck_server }}"
    when: deploy_netchecker
    tags:
      - download
      - netchecker
  - role: download
    file: "{{ downloads.netcheck_agent }}"
    when: deploy_netchecker
    tags:
      - download
      - netchecker
  - role: download
    file: "{{ downloads.kubedns }}"
    tags:
      - download
      - dnsmasq
  - role: download
    file: "{{ downloads.dnsmasq_nanny }}"
    tags:
      - download
      - dnsmasq
  - role: download
    file: "{{ downloads.dnsmasq_sidecar }}"
    tags:
      - download
      - dnsmasq
  - role: download
    file: "{{ downloads.kubednsautoscaler }}"
    tags:
      - download
      - dnsmasq
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -132,6 +132,8 @@ kubectl_localhost: false
 # K8s image pull policy (imagePullPolicy)
 k8s_image_pull_policy: IfNotPresent
 efk_enabled: false
 helm_enabled: false
 istio_enabled: false
 enable_network_policy: false
 ## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461)
--- a/roles/kubespray-defaults/meta/main.yml
+++ b/roles/kubespray-defaults/meta/main.yml
@ -0,0 +1,6 @@
 ---
 dependencies:
  - role: download
    skip_downloads: true
    tags:
      - facts
--- a/roles/network_plugin/calico/meta/main.yml
+++ b/roles/network_plugin/calico/meta/main.yml
@ -1,21 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.calico_cni }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.calico_node }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.calicoctl }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.hyperkube }}"
    tags:
      - download
--- a/roles/network_plugin/calico/rr/meta/main.yml
+++ b/roles/network_plugin/calico/rr/meta/main.yml
@ -1,7 +0,0 @@
 ---
 dependencies:
  - role: etcd
  - role: docker
    when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
  - role: download
    file: "{{ downloads.calico_rr }}"
--- a/roles/network_plugin/canal/meta/main.yml
+++ b/roles/network_plugin/canal/meta/main.yml
@ -1,26 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.flannel }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.calico_node }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.calicoctl }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.calico_cni }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.calico_policy }}"
    tags:
      - download
--- a/roles/network_plugin/flannel/meta/main.yml
+++ b/roles/network_plugin/flannel/meta/main.yml
@ -1,11 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.flannel }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.flannel_cni }}"
    tags:
      - download
--- a/roles/network_plugin/weave/meta/main.yml
+++ b/roles/network_plugin/weave/meta/main.yml
@ -1,11 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.weave_kube }}"
    tags:
      - download
  - role: download
    file: "{{ downloads.weave_npc }}"
    tags:
      - download
--- a/roles/vault/meta/main.yml
+++ b/roles/vault/meta/main.yml
@ -1,10 +1,4 @@
 ---
 dependencies:
  - role: adduser
    user: "{{ vault_adduser_vars }}"
  - role: download
    file: "{{ vault_download_vars }}"
    tags:
      - download