Commit graph

917 commits

Author SHA1 Message Date
Sergii Golovatiuk
5494d608e5 Set ssl_ca_dirs for rkt based on fact
Since systemd kubelet.service has {{ ssl_ca_dirs }}, fact should be
gathered before writing kubelet.service.

Closes: #1007
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-13 13:28:29 +01:00
Matthew Mosesohn
896307b692 Merge pull request #988 from mattymo/feat/rolling3
Add CI cases for testing upgrade from v2.0.1 release
2017-02-10 18:09:43 +03:00
Matthew Mosesohn
543848c41e Merge pull request #983 from vwfs/centos_kernel_upgrade
Add kernel upgrade for CentOS
2017-02-10 14:40:27 +03:00
Antoine Legrand
6bd180eadf Merge pull request #1009 from mattymo/dnsmasq_updates
Enable reset of dnsmasq if manifest or config changes
2017-02-10 11:43:09 +01:00
Matthew Mosesohn
ccd865c564 fixup upgrades for canal and weave 2017-02-10 13:27:41 +03:00
Matthew Mosesohn
21d648ad36 Disable kube_proxy_masquerade_all
Fixes #1012
2017-02-10 13:16:39 +03:00
Bogdan Dobrelya
0ddcc74412 Merge pull request #1002 from code0x9/master
use ansible sysctl module for config ip forwarding
2017-02-10 10:40:18 +01:00
Alexander Block
aeb12fdc10 Add kernel upgrade for CentOS 2017-02-10 09:29:12 +01:00
Matthew Mosesohn
cfe50795e2 Enable reset of dnsmasq if manifest or config changes 2017-02-10 10:40:07 +04:00
Matthew Mosesohn
14e10988fc Merge pull request #989 from holser/kubelet_remedy
Kubernetes Reliability Improvements
2017-02-10 09:29:29 +03:00
Matthew Mosesohn
729bf56910 Merge pull request #1004 from galthaus/kubelet-load-modules
Allow kubelet to load kernel modules
2017-02-10 09:28:16 +03:00
Sergii Golovatiuk
c0d2cca45d Kubernetes Reliability Improvements
- Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a
  chance of overcommitment
- Add a possibility to modify Kubelet node-status-update-frequency
- Add a posibility to configure node-monitor-grace-period,
  node-monitor-period, pod-eviction-timeout for Kubernetes controller
  manager
- Add Kubernetes Relaibility Documentation with recomendations for
  various scenarios.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-09 23:54:08 +01:00
Matthew Mosesohn
e0cfea02bf Enable weave upgrade from previous versions
Raise readiness probe initial time to 60 (was 30)
2017-02-09 21:39:31 +03:00
Matthew Mosesohn
b68afe7efa Merge pull request #998 from mattymo/fix_upgrade_daemonsets
Fix upgrade for all daemonset type resources
2017-02-09 20:02:21 +03:00
Greg Althaus
d6f1f0c88b Make kubelet_load_modules always present but false.
Update code and docs for that assumption.
2017-02-09 10:25:44 -06:00
Greg Althaus
8f00a07bf6 Due to the nsenter and other reworks, it appears that
kubelet lost the ability to load kernel modules.  This
puts that back by adding the lib/modules mount to kubelet.

The new variable kubelet_load_modules can be set to true
to enable this item.  It is OFF by default.
2017-02-09 10:02:26 -06:00
Matthew Mosesohn
b5cfeca474 Merge pull request #999 from holser/decrease_weave_ram_limits
Lower weave RAM settings.
2017-02-09 13:19:12 +03:00
Mark Lee
331957c9a8 follow sysctl.conf file symlink if linked 2017-02-09 18:16:52 +09:00
Mark Lee
224e6acb3a use ansible sysctl module for config ip forwarding 2017-02-09 17:28:44 +09:00
Bogdan Dobrelya
93c562b1bb Merge pull request #902 from insequent/master
Adding vault role
2017-02-09 09:24:52 +01:00
Bogdan Dobrelya
d0f4ab3129 Merge pull request #993 from code0x9/master
enable proxy support on docker repository
2017-02-09 09:21:01 +01:00
Antoine Legrand
35a7ad55d0 Merge pull request #986 from vwfs/dnsmasq_system_nameservers
Also add the system nameservers to upstream servers in dnsmasq
2017-02-08 23:21:54 +01:00
Josh Conant
764ad6e099 Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Josh Conant
1025d489ad Adding the Vault role 2017-02-08 21:31:28 +00:00
Sergii Golovatiuk
bde4d11a4a Lower weave RAM settings.
- Since Weave 1.8.x was rewritten in Golang we may decrease RAM settings
  to continue using g1-small for CI
2017-02-08 18:50:36 +01:00
Matthew Mosesohn
2d1109e09e Fix upgrade for all daemonset type resources
Daemonsets cannot be simply upgraded through a single API call,
regardless of any kubectl documentation. The resource must be
purged and then recreated in order to make any changes.
2017-02-08 18:16:00 +03:00
Alexander Block
94d9f03ddb Also add the system nameservers to upstream servers in dnsmasq
Also make no-resolv unconditional again. Otherwise, we may end up in
a resolver loop. The resolver loop was the cause for the piling up
parallel queries.
2017-02-08 14:38:55 +01:00
Matthew Mosesohn
0ea7f94b0c Merge pull request #994 from mattymo/docker_save
Change docker save compress level to 1
2017-02-08 15:13:15 +03:00
Matthew Mosesohn
ce3bee4eb8 Merge pull request #990 from mattymo/fix_cert_upgrade
Fix check for node-NODEID certs existence
2017-02-08 14:44:09 +03:00
Matthew Mosesohn
94407f86ff Merge pull request #971 from bradbeam/efk
Adding EFK logging stack
2017-02-08 14:28:04 +03:00
Mark Lee
3cc9693895 Update rh_docker.repo.j2 2017-02-08 20:03:51 +09:00
Matthew Mosesohn
3c7952d7f1 Merge pull request #992 from vwfs/host_mount_dev
Host mount /dev for kubelet
2017-02-08 13:45:22 +03:00
Matthew Mosesohn
a4caceedef Change docker save compress level to 1
Faster gzip improves CI deploy times by at least 2 mins.

Fixes #982
2017-02-08 13:25:11 +03:00
Mark Lee
5a2de36a55 Merge branch 'master' of https://github.com/kubespray/kargo 2017-02-08 19:19:26 +09:00
Mark Lee
8783cef044 enable proxy support on docker repository 2017-02-08 19:19:08 +09:00
Matthew Mosesohn
0de857a18a Merge pull request #987 from mattymo/etcd-retune
Re-tune ETCD performance params
2017-02-08 13:00:25 +03:00
Bogdan Dobrelya
320d03c01c Merge pull request #956 from adidenko/update-netchecker
Update playbooks to support new netchecker
2017-02-08 10:09:46 +01:00
Alexander Block
08367f4abb Host mount /dev for kubelet 2017-02-08 09:55:51 +01:00
Matthew Mosesohn
012bc49404 Fix check for node-NODEID certs existence
Fixes upgrade from pre-individual node cert envs.
2017-02-07 21:06:48 +03:00
Matthew Mosesohn
ad2e1e10bf Re-tune ETCD performance params
Reduce election timeout to 5000ms (was 10000ms)
Raise heartbeat interval to 250ms (was 100ms)
Remove etcd cpu share (was 300)
Make etcd_cpu_limit and etcd_memory_limit optional.
2017-02-07 20:15:14 +03:00
Matthew Mosesohn
7bfade0fbb Merge pull request #969 from mattymo/port_reserve
Prevent dynamic port allocation in nodePort range
2017-02-07 18:24:57 +03:00
Aleksandr Didenko
3b816ee660 Update playbooks to support new netchecker
Netchecker is rewritten in Go lang with some new args instead of
env variables. Also netchecker-server no longer requires kubectl
container. Updating playbooks accordingly.
2017-02-07 15:20:34 +01:00
Matthew Mosesohn
7a9161d462 Prevent dynamic port allocation in nodePort range
kube_apiserver_node_port_range should be accessible only
to kube-proxy and not be taken by a dynamic port allocation.

Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920
gets fixed.
2017-02-06 20:01:16 +03:00
Sergii Golovatiuk
8503a5afea Improve Weave
- Remove weave CPU limits from .gitlab-ci.yml. Closes: #975
- Fix weave version in documentation

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-06 13:24:40 +01:00
Antoine Legrand
edcd91f7f6 Merge pull request #963 from rutsky/bastion-ansible-host
handle both 'ansible_host' and 'ansible_ssh_host' in bastion configration
2017-02-04 15:42:39 -05:00
Brad Beam
8218b9970f Adding EFK logging stack 2017-02-03 16:27:08 -06:00
Bogdan Dobrelya
e53d3fe9c8 Merge pull request #949 from vmtyler/master
Fixes Support for OpenStack v3 credentials
2017-02-03 12:22:00 +01:00
Vladimir Rutsky
1711530cd4 handle both 'ansible_host' and 'ansible_ssh_host' in bastion configuration
'absible_ssh_host' is deprecated in Ansible 2.0 and at least
'contrib/inventory_builder/inventory.py' uses 'ansible_host' instead.
2017-02-02 18:34:53 +03:00
Matthew Mosesohn
b7cbd5b9c5 Merge pull request #927 from holser/nsenter_fix
Remove nsenter workaround
2017-02-02 18:18:15 +03:00
Matthew Mosesohn
b9869b7708 Merge pull request #901 from galthaus/dns-tweak
DHCP Hook protections
2017-02-02 16:47:16 +03:00
Sergii Golovatiuk
b610c1627e Remove nsenter workaround
- Docker 1.12 and further don't need nsenter hack. This patch removes
  it.  Also, it bumps the minimal version to 1.12.

Closes #776

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-02 14:38:11 +01:00
Sergii Golovatiuk
83a90861ba Fix weave-net after upgrade to 1.82
- Set recommended CPU settings
- Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
- Limit DS creation to master
- Combined 2 tasks into one with better condition
2017-02-02 10:31:58 +01:00
Matthew Mosesohn
776e48e898 Merge pull request #957 from mattymo/weave-net-naming
Rename weave-kube to weave-net
2017-02-02 10:18:02 +03:00
Greg Althaus
0037d0e6b2 This continues the DHCP hook checks. Also protect the create side
if the system doesn't have any config files at all.
2017-01-31 09:56:27 -06:00
Matthew Mosesohn
82619b99ba Merge pull request #951 from mattymo/k8s-certs-scale
Fix cert distribution at scale
2017-01-31 18:49:26 +03:00
Matthew Mosesohn
a0e50a12a6 Merge pull request #954 from artem-panchenko/improve_dnsmasq
Explicitly set config path for DNSMasq
2017-01-31 18:48:46 +03:00
Matthew Mosesohn
f85dbfffe9 Rename weave-kube to weave-net
Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
2017-01-31 18:47:27 +03:00
Matthew Mosesohn
1011e416a7 Fix cert distribution at scale
Use stdin instead of bash args to pass node filenames and base64 data.
Use tempfile for master cert data
2017-01-31 16:27:45 +03:00
Matthew Mosesohn
14331d938c Merge pull request #880 from bradbeam/weave-kube
Weave kube
2017-01-31 13:31:09 +03:00
Artem Panchenko
5ed8f686b3 Explicitly set config path for DNSMasq
When DNSMasq is configured to read its settings
from a folder ('-7' or '--conf-dir' option) it only
checks that the directory exists and doesn't fail if
it's empty. It could lead to a situation when DNSMasq
is running and handles requests, but not properly
configured, so some of queries can't be resolved.
2017-01-31 12:14:57 +02:00
Matthew Mosesohn
688cd1ffcc Merge pull request #944 from tureus/skip-cloud-config-on-etcd
Bugfix: skip cloud_config on etcd
2017-01-30 20:12:36 +03:00
Brad Beam
5562432999 Upgrading weave to weave-kube 2017-01-27 17:05:25 -06:00
Brad Beam
789a08ad47 Consolidating kube.py module 2017-01-27 11:28:11 -06:00
Tyler Britten
6b29c6c702 Fixed for non-null output 2017-01-27 10:47:59 -05:00
Tyler Britten
ec1c47bc5a Updated OpenStack vars to check for tenant_id (v2) and project_id (v3) 2017-01-27 10:26:20 -05:00
neith00
fb5d1a2ab8 Using the command module instead of raw
Using the command module instead of raw.
Also fixed the syntax.
2017-01-26 16:28:48 +01:00
Xavier Lange
eb07363ddb Bugfix: skip cloud_config on etcd 2017-01-25 14:09:21 -08:00
Aleksandr Didenko
d30c52d53d Switch to ansible_hostname in calico
For consistancy with kubernetes services we should use the same
hostname for nodes, which is 'ansible_hostname'.

Also fixing missed 'kube-node' in templates, Calico is installed
on 'k8s-cluster' roles, not only 'kube-node'.
2017-01-25 11:49:58 +01:00
Matthew Mosesohn
2967aa2c96 Merge pull request #926 from adidenko/fix-calico-rr-for-masters
Fix calico-rr peering with k8s masters
2017-01-24 12:38:52 +03:00
Alexander Block
0b27d015d1 Pin docker version on RedHat and CentOS to the desired version 2017-01-23 12:39:54 +01:00
Aleksandr Didenko
13ae324569 Fix calico-rr peering with k8s masters
Calico-rr is broken for deployments with separate k8s-master and
k8s-node roles. In order to fix it we should peer k8s-cluster
nodes with calico-rr, not just k8s-node. The same for peering
with routers.

Closes #925
2017-01-23 10:19:09 +01:00
Matthew Mosesohn
979b01a145 Merge pull request #905 from galthaus/async-runs
Add tasks to ensure that the first nodes have their directories for cert gen
2017-01-19 18:32:27 +03:00
Matthew Mosesohn
77eeacb315 Merge pull request #904 from galthaus/nginx-port-config
Add nginx local balancer port configuration variable
2017-01-19 18:31:57 +03:00
Matthew Mosesohn
b47e76afdb Merge pull request #913 from galthaus/apps-master-only
Ansible apps should only check for api-server running on the master.
2017-01-19 18:30:58 +03:00
Matthew Mosesohn
9d2d08404d Merge pull request #917 from mattymo/rkt_resolvconf
Fix setting resolvconf when using rkt deploy mode
2017-01-19 18:30:21 +03:00
Matthew Mosesohn
59a0f17a4e Merge pull request #916 from mattymo/update_ansible
Update Ansible to 2.2.1
2017-01-19 18:13:45 +03:00
Matthew Mosesohn
879a21bf9c Merge pull request #921 from mattymo/docker113
Add docker 1.13, update 1.12 to 1.12.6
2017-01-19 18:13:21 +03:00
Matthew Mosesohn
c1ef75a005 Add docker 1.13, update 1.12 to 1.12.6
Fixes #903
2017-01-19 13:58:36 +03:00
Sergii Golovatiuk
eed32f9838 Allow to specify number of concurrent DNS queries
ndots creates overhead as every pod creates 5 concurrent connections
that are forwarded to sky dns. Under some circumstances dnsmasq may
prevent forwarding traffic with "Maximum number of concurrent DNS
queries reached" in the logs.

This patch allows to configure the number of concurrent forwarded DNS
queries "dns-forward-max" as well as "cache-size" leaving the default
values as they were before.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-19 11:47:37 +01:00
Matthew Mosesohn
aec85d8f42 Update Ansible to 2.2.1 2017-01-19 13:46:46 +03:00
Greg Althaus
d9fb51b046 Add explicit name printing in task names for deletgated task during
cert creation
2017-01-18 14:06:50 -06:00
Matthew Mosesohn
67719c162e Fix setting resolvconf when using rkt deploy mode
rkt deploy mode doesn't create {{ bin_dir }}/kubelet, so
let's rely on kubelet.env file instad.
2017-01-18 19:18:47 +03:00
Matthew Mosesohn
d4c9d9f7f5 Merge pull request #897 from holser/flush_handlers_before_etcd
Flush handlers before etcd restart
2017-01-18 12:27:01 +03:00
Matthew Mosesohn
0d06d1fb90 Merge pull request #910 from mattymo/escape_curly
Fix ansible 2.2.1 handling of registered vars
2017-01-18 11:13:01 +03:00
Greg Althaus
eb3a840622 Should only check for api-server running on the master.
If this runs on other nodes, it will fail the playbook.
2017-01-17 15:57:34 -06:00
Matthew Mosesohn
8369f5ebad Fix bash completion installation 2017-01-17 20:36:58 +03:00
Matthew Mosesohn
8302d38358 Work around escaping curly braces for docker inspect 2017-01-17 20:35:38 +03:00
Sergii Golovatiuk
f3a2e98b44 Flush handlers before etcd restart
systemctl daemon-reload should be run before when task modifies/creates
union for etcd. Otherwise etcd won't be able to start

Closes #892

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-17 15:04:25 +01:00
Matthew Mosesohn
49d7d15fe7 Merge pull request #909 from mattymo/docker-upgrade
Always trigger docker restart when docker package changes
2017-01-17 11:37:42 +03:00
Matthew Mosesohn
adf7faf93b Always trigger docker restart when docker package changes
Docker upgrade doesn't auto-restart docker, causing failures
when trying to start another container
2017-01-16 17:52:28 +03:00
Greg Althaus
113925afea Add a variable that defaults to kube_apiserver_port that defines
the which port the local nginx proxy should listen on for HA
local balancer configurations.
2017-01-14 23:38:07 -06:00
Greg Althaus
707e6a4642 This PR adds/or modifies a few tasks to allow for the playbook to
be run by limit on each node without regard for order.

The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node.  This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.
2017-01-14 23:24:34 -06:00
Greg Althaus
04fbe42aa6 If the inventory name of the host exceeds 63 characters,
the openssl tools will fail to create signing requests because
the CN is too long.  This is mainly a problem when FQDNs are used
in the inventory file.

THis will truncate the hostname for the CN field only at the
first dot.  This should handle the issue for most cases.
2017-01-13 10:02:23 -06:00
Matthew Mosesohn
3b562c494d Use only one certificate for all apiservers
https://github.com/kubernetes/kubernetes/issues/25063
2017-01-13 14:03:20 +03:00
Bogdan Dobrelya
9a07782016 Merge pull request #891 from galthaus/selinux-order
preinstall fails on AWS CentOS7 image
2017-01-13 11:51:18 +01:00
Alexander Block
cee3b01987 Don't try to delete kargo specific config from dhclient when file does not exist
Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.
2017-01-13 10:56:10 +01:00
Greg Althaus
85efd263b3 When running on CentOS7 image in AWS with selinux on, the order of
the tasks fail because selinux prevents ip-forwarding setting.

Moving the tasks around addresses two issues.  Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.
2017-01-12 10:12:21 -06:00
Bogdan Dobrelya
808a50bc23 Merge pull request #830 from mattymo/k8sperhost
Generate individual certificates for k8s hosts
2017-01-12 12:42:14 +01:00
Alexander Block
d6c0d2785b Add tasks to undo changes to hosts /etc/resolv.conf and dhclient configs 2017-01-11 16:56:16 +01:00
Matthew Mosesohn
ed253e5c5a Generate individual certificates for k8s hosts 2017-01-11 12:58:07 +03:00
Matthew Mosesohn
c779bf8cd3 Merge pull request #878 from bradbeam/rkt-cni
Adding /opt/cni /etc/cni to rkt run kubelet
2017-01-11 12:22:04 +03:00
Bogdan Dobrelya
928de8d8bb Merge pull request #872 from mattymo/bug868
Bind nginx localhost proxy to localhost
2017-01-10 17:09:25 +01:00
Brad Beam
7420bf584c Adding /opt/cni /etc/cni to rkt run kubelet 2017-01-10 08:48:58 -06:00
Bogdan Dobrelya
fd53e2c670 Merge pull request #793 from kubernetes-incubator/fix_dhclientconf_path
Fix wrong path of dhclient on CentOS+Azure
2017-01-10 13:23:55 +01:00
Bogdan Dobrelya
9f74c02004 Merge pull request #858 from bradbeam/calicoctl-canal
Misc updates for canal
2017-01-10 12:24:59 +01:00
Matthew Mosesohn
ce84320462 Merge pull request #860 from adidenko/fix-calico-rr-certs
Fix etcd cert generation for calico-rr role
2017-01-09 18:34:02 +03:00
Bogdan Dobrelya
35ea6cef19 Merge pull request #871 from mattymo/fix_system_search_domains
Fix docker dns host scenario with no search domains
2017-01-09 15:52:12 +01:00
Matthew Mosesohn
e9d5aa0f07 Bind nginx localhost proxy to localhost
This proxy should only be listening for local connections, not 0.0.0.0.

Fixes #868
2017-01-09 17:19:54 +03:00
Matthew Mosesohn
846b96efa1 Fix docker dns host scenario with no search domains
Fixes scenario where docker-dns.conf tries to create an empty
search entry
2017-01-09 16:36:44 +03:00
Aleksandr Didenko
a47f2d611c Fix etcd cert generation for calico-rr role
"etcd_node_cert_data" variable is undefinded for "calico-rr" role.
This patch adds "calico-rr" nodes to task where "etcd_node_cert_data"
variable is registered.
2017-01-09 12:06:25 +01:00
Aleksandr Didenko
11e1bb64bd Set latest stable versions for Calico images
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.

Also removing images repo and tag duplication from netchecker role
2017-01-09 12:05:49 +01:00
Bogdan Dobrelya
d296284bfa Merge pull request #799 from kubernetes-incubator/docker_dns
Implement "dockerd --dns-xxx" based dns mode
2017-01-09 11:38:02 +01:00
Alexander Block
ad7ded59e9 Only use default resolver in dnsmasq when we are using host_resolvconf mode 2017-01-06 10:21:07 +01:00
Alexander Block
2b3dbae9d6 Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Spencer Smith
bee6166b4c remove assertion for family not being CoreOS 2017-01-05 13:36:25 -05:00
Brad Beam
43adafe746 Create network policy directory for canal 2017-01-05 10:54:27 -06:00
Brad Beam
ff24f9712a Adding calicoctl to canal deployment 2017-01-05 10:54:27 -06:00
Bogdan Dobrelya
da9da08964 Better fix for different CoreOS os family facts
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 16:32:08 +01:00
Bogdan Dobrelya
68a6fa1146 Rename CoreOS fact
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 14:02:29 +01:00
Bogdan Dobrelya
8d9c4233e2 Merge branch 'master' into rkt 2017-01-05 10:34:18 +01:00
Brad Beam
9432a5cd73 Adding kubelet in rkt 2017-01-03 14:49:48 -06:00
Brad Beam
0f5a30ee8a Allowing etcd to run via rkt 2017-01-03 10:10:38 -06:00
Brad Beam
18715b2116 Adding initial rkt support 2017-01-03 10:08:43 -06:00
Bogdan Dobrelya
2fe58c361f Fix cert paths for flannel/calico policy apps
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-03 16:12:54 +01:00
Alexander Block
2538c958db Upgrade docker version and do some cleanups for unsupported distros/docker versions 2017-01-02 18:05:50 +01:00
Bogdan Dobrelya
130f0908ce Merge pull request #847 from bogdando/bug_769
Fix etc hosts for cluster nodes
2017-01-02 17:47:23 +01:00
Bogdan Dobrelya
62313afccc Fix etc hosts for cluster nodes
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 13:20:51 +01:00
Bogdan Dobrelya
f16a512aea Drop non systemd OS types support
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00
Matthew Mosesohn
bd0f787809 Fix etcd cert generation to support large deployments
Due to bash max args limits, we should pass all node filenames and
base64-encoded tar data through stdin/stdout instead.

Fixes #832
2016-12-30 12:55:26 +03:00
Bogdan Dobrelya
6e1c0cdd15 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Matthew Mosesohn
2ac2a3ed93 Fix creation and sync of etcd certs
Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync
2016-12-28 14:21:17 +04:00
Matthew Mosesohn
612c5bb5f1 Merge pull request #818 from mattymo/calico-rr-certs
Fix calico-rr to use etcd certs instead of kube certs
2016-12-28 08:47:16 +03:00
Matthew Mosesohn
716b590f3b Fix calico-rr to use etcd certs instead of kube certs 2016-12-27 17:04:50 +03:00
Bogdan Dobrelya
9b29df183b Rework ignore_errors to report no reds
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2016-12-27 13:00:50 +01:00
Bogdan Dobrelya
222859601e Do not forward bogus domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-23 11:53:14 +01:00
Matthew Mosesohn
a2c38f5f5f Update etcd.j2 2016-12-22 22:29:24 +03:00
Matthew Mosesohn
e5374af95c Adjust etcd server certificates
ETCD doesn't need cert/key options set. It only requires peer
cert options.
2016-12-22 23:05:17 +04:00
Spencer Smith
f3f16e3676 Workaround etcdctl not yet being installed (#797)
workaround case for etcdctl not yet being installed, only allow for return code of 0 (no error)
2016-12-22 12:41:38 -05:00
Matthew Mosesohn
370ad3acba Merge pull request #760 from genti-t/issue-748-flannel-options
Fix Flannel network on CoreOS
2016-12-22 19:02:31 +03:00
Genti Topija
a42b458fdf Fix Flannel network on CoreOS
Resolves: #748
2016-12-22 16:50:04 +01:00
Matthew Mosesohn
5457799aa3 Individual etcd ssl certs
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
2016-12-22 13:31:11 +03:00
Bogdan Dobrelya
85f31a369e Merge pull request #786 from mattymo/bug777
Add wait for kube-apiserver to kubernetes-apps
2016-12-22 11:02:50 +01:00
Alexander Block
272d8e754b Fix wrong path of dhclient on CentOS+Azure
This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.
2016-12-21 21:51:07 +01:00
Spencer Smith
3575f890fc create systemd drop-in path if not existent 2016-12-21 13:06:12 -05:00
Bogdan Dobrelya
b103799901 Revert "Do not forward private domains for upstream resolvers" 2016-12-21 15:24:17 +01:00
Matthew Mosesohn
b1eb852207 Add wait for kube-apiserver to kubernetes-apps
Fixes #777
2016-12-21 15:39:39 +03:00
Bogdan Dobrelya
f45872b558 Add download_always_pull check and sha256 for docker images
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-20 17:02:09 +01:00
Bogdan Dobrelya
763c1aff72 Merge pull request #722 from bogdando/dnsmasq_armors
Do not forward private domains for upstream resolvers
2016-12-20 14:25:17 +01:00
Bogdan Dobrelya
072c4e4669 Merge pull request #775 from kubernetes-incubator/register_master
Register master node as unschedulable
2016-12-20 14:17:55 +01:00
Bogdan Dobrelya
c147f710ab Merge pull request #774 from kubernetes-incubator/ant31-patch-2
check if calico_peer_rr is defined
2016-12-19 18:19:03 +01:00