Commit graph

5616 commits

Author SHA1 Message Date
Victor Morales
01e527abf1 Add privileged_without_host_devices support (#7343)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b

(cherry picked from commit dc5df57c26)
2021-03-15 07:07:05 -07:00
Etienne Champetier
704a054064 Delete misnammed kubeadm-version.yml
The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit a9c97e5253)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-version.yml
2021-03-15 07:07:05 -07:00
Etienne Champetier
8c693e8739 Always backup both certs and kubeconfig
There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 53e5ef6b4e)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-backup.yml
	roles/kubernetes/master/tasks/kubeadm-certificate.yml
2021-03-15 07:07:05 -07:00
Etienne Champetier
9ecbf75cb4 Remove rotate_tokens logic
kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 8800b5c01d)
2021-03-15 07:07:05 -07:00
Etienne Champetier
591a51aa75 Remove admin.conf removal
kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 280036fad6)
2021-03-15 07:07:05 -07:00
Etienne Champetier
76a1697cf1 Remove useless call to 'kubeadm version'
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit a6e1f5ece9)
2021-03-15 07:07:05 -07:00
Etienne Champetier
1216a0d52d Remove pre kubeadm cert migration tasks
apiserver.pem is not used since ddffdb63bf

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit fedd671d68)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
	roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
2021-03-15 07:07:05 -07:00
Du9L.com
f4d3a4a5ad kubeadm-config.v1beta2.yaml.j2: etcd log level arg (#7339)
According to [etcd's docs](https://etcd.io/docs/v3.4.0/op-guide/configuration/#--log-package-levels), argument 'log-package-levels' should not contain underscores.

(cherry picked from commit b7c22659e3)
2021-03-15 07:07:05 -07:00
Etienne Champetier
3c8ad073cd Stop using kubeadm to update server in kubeconfigs (#7338)
Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`

kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage

This revert to the logic before 6fe2248314

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit c9c0c01de0)
2021-03-15 07:07:05 -07:00
Etienne Champetier
53b9388b82 Add kube-ipvs0/nodelocaldns to NetworkManager unmanaged-devices (#7315)
On CentOS 8 they seem to be ignored by default, but better be extra safe
This also make it easy to exclude other network plugin interfaces

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e442b1d2b9)
2021-03-15 07:07:05 -07:00
Etienne Champetier
f26cc9f75b Only use stat get_checksum: yes when needed (#7270)
By default Ansible stat module compute checksum, list extended attributes and find mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit de1d9df787)

Conflicts:
	roles/etcd/tasks/check_certs.yml
2021-03-15 07:07:05 -07:00
stress-t
5563ed8084 Fix: added string to bool conversion for use_localhost_as_kube api load balancer (#7324)
(cherry picked from commit 15f1b19136)
2021-03-02 08:33:19 -08:00
stress-t
a02e9206fe Improving PR 6473 (#7259)
(cherry picked from commit 796d3fb975)
2021-03-02 08:33:19 -08:00
Florian Ruynat
e7cc686beb Fix recover-control-plane undefined 'proxy_disable_env' variable (#7326)
(cherry picked from commit 05adeed1fa)

Conflicts:
	recover-control-plane.yml
2021-03-02 08:33:19 -08:00
wangxf
5d4fcbc5a1 fix: the filename </etc/vault> is Duplicate in the reset role. (#7313)
(cherry picked from commit 154fa45422)
2021-03-02 08:33:19 -08:00
Florian Ruynat
ba348c9a00 Move centos7-crio CI job to centos8 (#7327)
(cherry picked from commit e35becebf8)
2021-03-02 08:33:19 -08:00
Kenichi Omichi
b0f2471f0e Update Ansible to v2.9.17 (#7291)
This updates Ansible version to the latest stable version 2.9.17.

(cherry picked from commit 0ddf915027)
2021-03-02 08:33:19 -08:00
Etienne Champetier
fbdc2b3e20 Fix proxy usage when *_PROXY are present in environment (#7309)
Since a790935d02 all proxy users
should be properly configured

Now when you have *_PROXY vars in your environment it can leads to failure
if NO_PROXY is not correct, or to persistent configuration changes
as seen with kubeadm in 1c5391dda7

Instead of playing constant whack-a-bug, inject empty *_PROXY vars everywhere
at the play level, and override at the task level when needed

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 067db686f6)
2021-03-02 08:33:19 -08:00
Etienne Champetier
557139a8cf Fix reset when using containerd (#7308)
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit ed2b4b805e)
2021-03-02 08:33:19 -08:00
Etienne Champetier
daea9f3d21 Set Kubernetes default version to 1.19.8
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
2021-03-02 08:33:19 -08:00
Florian Ruynat
ac23d89a1a Add hashes for Kubernetes 1.18.16/1.19.8/1.20.4
(cherry picked from commit 86ce8aac85)
2021-03-02 08:33:19 -08:00
Etienne Champetier
3292887cae Fix "api is up" check (#7295)
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 662a37ab4f)
2021-03-02 08:33:19 -08:00
Etienne Champetier
c7658c0256 Remove calico-upgrade leftovers (#7282)
This is dead code since 28073c76ac

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 3749729d5a)
2021-02-22 06:01:43 -08:00
Etienne Champetier
716a66e5d3 facts.yaml: reduce the number of setup calls by ~7x (#7286)
Before this commit, we were gathering:
1 !all
7 network
7 hardware

After we are gathering:
1 !all
1 network
1 hardware

ansible_distribution_major_version is gathered by '!all'

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit fb8b075110)
2021-02-22 06:01:43 -08:00
Matt Calvert
efd138e752 Ensure we gather IPv6 facts
(cherry picked from commit 366cbb3e6f)
2021-02-22 06:01:43 -08:00
Etienne Champetier
40857b9859 Ensure kubeadm doesn't use proxy (#7275)
* Move proxy_env to kubespray-defaults/defaults

There is no reasons to use set_facts here

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* Ensure kubeadm doesn't use proxy

*_proxy variables might be present in the environment (/etc/environment, bash profile, ...)
When this is the case we end up with those proxy configuration in /etc/kubernetes/manifests/kube-*.yaml manifests

We cannot unset env variables, but kubeadm is nice enough to ignore empty vars
93d288e2a4/cmd/kubeadm/app/util/env.go (L27)

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 1c5391dda7)
2021-02-22 06:01:43 -08:00
Etienne Champetier
176df83e02 Fixup cri-o metacopy mount options (#7287)
Ubuntu 18.04 crio package ships with 'mountopt = "nodev,metacopy=on"'
even if GA kernel is 4.15 (HWE Kernel can be more recent)

Fedora package ships without metacopy=on

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 5c04bdd52b)
2021-02-22 06:01:43 -08:00
Etienne Champetier
60b405a7b7 bootstrap-os: match on os-release ID / VARIANT_ID (#7269)
This fixes deployment with CentOS 8 Streams and make detection more reliable

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 95b329b64d)

Conflicts:
  roles/bootstrap-os/tasks/main.yml
2021-02-22 06:01:43 -08:00
Cristian Calin
d48a4bbc85 add containerd.io to dpkg_selection (#7273)
`containerd.io` is the companion package of `docker-ce` and is the
proper package name. This is needed to avoid apt upgrade/dist-upgrade
from breaking kubernetes.

(cherry picked from commit 6450207713)
2021-02-22 06:01:43 -08:00
Takashi IIGUNI
10b08d8840 fix: Restart network doesn't work on Fedora CoreOS (#7271)
Running remove-node.yml tasks for clean up cluster on Fedora CoreOS.
The task failed to restart network daemon (task name: "reset | Restart network").
Fedora CoreOS is essentially using NetworkManager, but this task returns network.

Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
(cherry picked from commit bcaa31ae33)
2021-02-22 06:01:43 -08:00
David Louks
189ce380bd Remove deletion of coredns deployment. (#7211)
* Add unique annotation on coredns deployment and only remove existing deployment if annotation is missing.

* Ignore errors when gathering coredns deployment details to handle case where it doesn't exist yet

* Remove run_once, deletegate_to and add to when statement

(cherry picked from commit 0cc1726781)
2021-02-22 06:01:43 -08:00
Geonju Kim
5f06864582 Change the owner of /etc/crictl.yaml to root (#7254)
(cherry picked from commit 1a91792e7c)
2021-02-22 06:01:43 -08:00
Mathieu Parent
3ad248b007 Update Helm version to 3.5.2 (#7248)
Helm v3.5.2 is a security (patch) release. Users are strongly
recommended to update to this release. It fixes two security issues in
upstream dependencies and one security issue in the Helm codebase.

See https://github.com/helm/helm/releases/tag/v3.5.2

(cherry picked from commit 670c37b428)
2021-02-22 06:01:43 -08:00
petruha
754a54adfc Run containerd related tasks on OracleLinux. (#7250)
(cherry picked from commit fc8551bcba)
2021-02-22 06:01:43 -08:00
forselli-stratio
960844d87b Fix ansible calico route reflector tasks in calico role (#7224)
* Fix calico-rr tasks

* revert stdin only when it's already a string

(cherry picked from commit 88bee6c68e)
2021-02-22 06:01:43 -08:00
Sander Cornelissen
6bde4e3fb3 Ensure when use_oracle_public_repo is set to false the public Oracle Linux yum repos are not set (#7228)
(cherry picked from commit b70d986bfa)
2021-02-22 06:01:43 -08:00
Felix Breuer
3725c80a71 FIX: Bastion undefined variable (#7227)
Fixes the following error when using Bastion Node with the sample config.
```
fatal: [bastion]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'bastion'\n\nThe error appears to be in '/home/felix/inovex/kubespray/roles/bastion-ssh-config/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: set bastion host IP\n  ^ here\n"}
```

(cherry picked from commit 973628fc1b)
2021-02-22 06:01:43 -08:00
Robin Elfrink
d94f32c160 Fix unintended SIGPIPEs. (#7214)
(cherry picked from commit 91fea7c956)
2021-02-22 06:01:43 -08:00
Jorik Jonker
6b184905e6 calico: fix NetworkManager check (#7169)
Previous check for presence of NM assumed "systemctl show
NetworkManager" would exit with a nonzero status code, which seems not
the case anymore with recent Flatcar Container Linux.

This new check also checks the activeness of network manager, as
`is-active` implies presence.

Signed-off-by Jorik Jonker <jorik@kippendief.biz>

(cherry picked from commit bba55faae8)
2021-02-22 06:01:43 -08:00
takmori_tech
782c3dc1c4 Update main.yml (#7175)
Fix issue #7129. Calico image tags support multiarch on quay.io.

(cherry picked from commit 2525d7aff8)
2021-02-22 06:01:43 -08:00
Florian Ruynat
f6b806e971 Update bunch of dependencies (#7187)
(cherry picked from commit 9ef62194c3)
2021-02-22 06:01:43 -08:00
Sergey
dee0594d74 Adding other masters sequentially, not in parallel (#7166)
(cherry picked from commit b2995e4ec4)
2021-02-22 06:01:43 -08:00
Arian van Putten
f8b15a714c
roles/docker: Make repokey fingerprint overrideable (#7263)
This makes the docker role work the same as the containerd role.
Being able to override this is needed when you have your own debian
repository. E.g. when performing an airgapped installation
2021-02-15 20:47:05 -08:00
Ryler Hockenbury
d8ab76aa04
Update azure cloud config (#7208) (#7221)
* Allow configureable vni and port for flannel overlay

* additional options for azure cloud config
2021-01-27 03:47:40 -08:00
Rick Haan
8a5139e54c
Check kube-apiserver up on all masters before upgrade (#7193) (#7217)
Only checking the kubernetes api on the first master when upgrading is not enough.
Each master needs to be checked before it's upgrade.

Signed-off-by: Rick Haan <rickhaan94@gmail.com>
2021-01-26 07:20:35 -08:00
Etienne Champetier
1727b3501f containerd,docker: stop installing extras repo on CentOS/RHEL
This was introduced in 143e2272ff
Extra repo is enabled by default in CentOS, and is not the right repo for EL8
Instead of adding a CentOS repo to RHEL, enable the needed RHEL repos with rhsm_repository

For RHEL 7, we need the "extras" repo for container-selinux
For RHEL 8, we need the "appstream" repo for container-selinux, ipvsadm and socat

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 8f2b0772f9)
2021-01-25 23:48:34 -08:00
Etienne Champetier
4ed05cf655 Calico: fixup check when ipipMode / vxlanMode is not present
calicoctl.sh get ipPool default-pool -o json
{
  "kind": "IPPool",
  "apiVersion": "projectcalico.org/v3",
  "metadata": {
    "name": "default-pool",
...
  },
  "spec": {
    "cidr": "10.233.64.0/18",
    "ipipMode": "Always",
    "natOutgoing": true,
    "blockSize": 24,
    "nodeSelector": "all()"
  }
}

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit f1576eabb1)
2021-01-25 23:48:34 -08:00
Etienne Champetier
8105cd7fbe preinstall: etcd group might not exists
fixes 8c1821228d

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 49c4345c9a)
2021-01-25 23:48:34 -08:00
Etienne Champetier
cf84a6bd3b containerd: ensure containerd is really started and enabled
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit a5d2137ed9)
2021-01-25 23:48:34 -08:00
Etienne Champetier
b80f612d29 containerd,docker: use apt_repository instead of action
yum_repository expect really different params, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit a8e51e686e)
2021-01-25 23:48:34 -08:00