Matthew Mosesohn
514359e556
Improve etcd scale up ( #1846 )
...
Now adding unjoined members to existing etcd cluster
occurs one at a time so that the cluster does not
lose quorum.
2017-10-20 08:02:31 +01:00
Matthew Mosesohn
fc9a65be2b
Refactor downloads to use download role directly ( #1824 )
...
* Refactor downloads to use download role directly
Also disable fact delegation so download delegate works acros OSes.
* clean up bools and ansible_os_family conditionals
2017-10-19 09:17:11 +01:00
Jan Jungnickel
49dff97d9c
Relabel controler-manager to kube-controller-manager ( #1830 )
...
Fixes #1129
2017-10-18 17:29:18 +01:00
Matthew Mosesohn
4efb0b78fa
Move CI vars out of gitlab and into var files ( #1808 )
2017-10-18 17:28:54 +01:00
Hassan Zamani
c9fe8fde59
Use fail-swap-on flag only for kube_version >= 1.8 ( #1829 )
2017-10-18 16:32:38 +01:00
Matthew Mosesohn
16462292e1
Properly skip extra SANs when not specified for kubeadm ( #1831 )
2017-10-18 12:04:13 +01:00
pmontanari
20d80311f0
Update main.yml ( #1822 )
...
* Update main.yml
Needs to set up resolv.conf before updating Yum cache otherwise no name resolution available (resolv.conf empty).
* Update main.yml
Removing trailing spaces
2017-10-18 11:42:00 +01:00
Hassan Zamani
3acc42c5b3
Use etcd_access_addresses for vault_etcd_url
2017-10-17 19:27:36 +03:30
Tennis Smith
54320c5b09
set to 3 digit version number ( #1817 )
2017-10-17 11:14:29 +01:00
Seungkyu Ahn
291b71ea3b
Changing default value string to boolean. ( #1669 )
...
When downloading containers or files, use boolean
as a default value.
2017-10-17 11:14:12 +01:00
Rémi de Passmoilesel
356515222a
Add possibility to insert more ip adresses in certificates ( #1678 )
...
* Add possibility to insert more ip adresses in certificates
* Add newline at end of files
* Move supp ip parameters to k8s-cluster group file
* Add supplementary addresses in kubeadm master role
* Improve openssl indexes
2017-10-17 11:06:07 +01:00
Aivars Sterns
688e589e0c
fix #1788 lock dashboard version to 1.6.3 version while 1.7.x is not working ( #1805 )
2017-10-17 11:04:55 +01:00
刘旭
6c98201aa4
remove kube-dns versions and images in kubernetes-apps/ansible/defaults/main.yaml ( #1807 )
2017-10-17 11:03:53 +01:00
Matthew Mosesohn
d4b10eb9f5
Fix path for calico get node names ( #1816 )
2017-10-17 10:54:48 +01:00
Jiří Stránský
728d56e74d
Only write bastion ssh config when needed ( #1810 )
...
This will allow running Kubespray when the user who runs it doesn't
have write permissions to the Kubespray dir, at least when not using
bastion.
2017-10-17 10:28:45 +01:00
neith00
77f1d4b0f1
Revert "Update roadmap" ( #1809 )
...
* Revert "Debian jessie docs (#1806 )"
This reverts commit d78577c810
.
* Revert "[contrib/network-storage/glusterfs] adds service for glusterfs endpoint (#1800 )"
This reverts commit 5fb6b2eaf7
.
* Revert "[contrib/network-storage/glusterfs] bootstrap for glusterfs nodes (#1799 )"
This reverts commit 404caa111a
.
* Revert "Fixed kubelet standard log environment (#1780 )"
This reverts commit b838468500
.
* Revert "Add support for fedora atomic host (#1779 )"
This reverts commit f2235be1d3
.
* Revert "Update network-plugins to use portmap plugin (#1763 )"
This reverts commit 6ec45b10f1
.
* Revert "Update roadmap (#1795 )"
This reverts commit d9879d8026
.
2017-10-16 14:09:24 +01:00
Seungkyu Ahn
b838468500
Fixed kubelet standard log environment ( #1780 )
...
Change KUBE_LOGGING to KUBE_LOGTOSTDERR, when installing kubelet
as host type.
2017-10-16 08:22:54 +01:00
Jason Brooks
f2235be1d3
Add support for fedora atomic host ( #1779 )
...
* don't try to install this rpm on fedora atomic
* add docker 1.13.1 for fedora
* built-in docker unit file is sufficient, as tested on both fedora and centos atomic
2017-10-16 08:03:33 +01:00
Kevin Lefevre
6ec45b10f1
Update network-plugins to use portmap plugin ( #1763 )
...
Portmap allow to use hostPort with CNI plugins. Should fix #1675
2017-10-16 07:11:38 +01:00
Matthew Mosesohn
d9879d8026
Update roadmap ( #1795 )
2017-10-16 07:06:06 +01:00
Matthew Mosesohn
d487b2f927
Security best practice fixes ( #1783 )
...
* Disable basic and token auth by default
* Add recommended security params
* allow basic auth to fail in tests
* Enable TLS authentication for kubelet
2017-10-15 20:41:17 +01:00
Julian Poschmann
66e5e14bac
Restart kubelet on update in deployment-type host on update ( #1759 )
...
* Restart kubelet on update in deployment-type host on update
* Update install_host.yml
* Update install_host.yml
* Update install_host.yml
2017-10-15 20:22:17 +01:00
Matthew Mosesohn
7e4668859b
Change file used to check kubeadm upgrade method ( #1784 )
...
* Change file used to check kubeadm upgrade method
Test for ca.crt instead of admin.conf because admin.conf
is created during normal deployment.
* more fixes for upgrade
2017-10-15 10:33:22 +01:00
Matthew Mosesohn
92d038062e
Fix node authorization for cloudprovider installs ( #1794 )
...
In 1.8, the Node authorization mode should be listed first to
allow kubelet to access secrets. This seems to only impact
environments with cloudprovider enabled.
2017-10-14 11:28:46 +01:00
abelgana
2972bceb90
Changre raw execution to use yum module ( #1785 )
...
* Changre raw execution to use yum module
Changed raw exection to use yum module provided by Ansible.
* Replace ansible_ssh_* by ansible_*
Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port. If you are using a version of Ansible prior to 2.0, you should continue using the older style variables (ansible_ssh_*). These shorter variables are ignored, without warning, in older versions of Ansible.
I am not sure about the broader impact of this change. But I have seen on the requirements the version required is ansible>=2.4.0.
http://docs.ansible.com/ansible/latest/intro_inventory.html
2017-10-14 09:52:40 +01:00
刘旭
cb0a60a0fe
calico v2.5.0 should use calico/routereflector:v0.4.0 ( #1792 )
2017-10-14 09:51:48 +01:00
Matthew Mosesohn
3ee91e15ff
Use commas in no_proxy ( #1782 )
2017-10-13 15:43:10 +01:00
Matthew Mosesohn
ef47a73382
Add new addon Istio ( #1744 )
...
* add istio addon
* add addons to a ci job
2017-10-13 15:42:54 +01:00
Matthew Mosesohn
dc515e5ac5
Remove kernel-upgrade role ( #1798 )
...
This role only support Red Hat type distros and is not maintained
or used by many users. It should be removed because it creates
feature disparity between supported OSes and is not maintained.
2017-10-13 15:36:21 +01:00
Julian Poschmann
56763d4288
Persist br_netfilter module loading ( #1760 )
2017-10-13 10:50:29 +01:00
Matthew Mosesohn
10dd049912
Revert "Security fixes for etcd ( #1778 )" ( #1786 )
...
This reverts commit 4209f1cbfd
.
2017-10-12 14:02:51 +01:00
Matthew Mosesohn
4209f1cbfd
Security fixes for etcd ( #1778 )
...
* Security fixes for etcd
* Use certs when querying etcd
2017-10-12 13:32:54 +01:00
Matthew Mosesohn
ee83e874a8
Clear admin kubeconfig when rotating certs ( #1772 )
...
* Clear admin kubeconfig when rotating certs
* Update main.yml
2017-10-12 09:55:46 +01:00
Vijay Katam
27ed73e3e3
Rename dns_server, add var for selinux. ( #1572 )
...
* Rename dns_server to dnsmasq_dns_server so that it includes role prefix
as the var name is generic and conflicts when integrating with existing ansible automation.
* Enable selinux state to be configurable with new var preinstall_selinux_state
2017-10-11 20:40:21 +01:00
Aivars Sterns
e41c0532e3
add possibility to disable fail with swap ( #1773 )
2017-10-11 19:49:31 +01:00
Matthew Mosesohn
eeb7274d65
Adjust memory reservation for master nodes ( #1769 )
2017-10-11 19:47:42 +01:00
Matthew Mosesohn
eb0dcf6063
Improve proxy ( #1771 )
...
* Set no_proxy to all local ips
* Use proxy settings on all necessary tasks
2017-10-11 19:47:27 +01:00
Matthew Mosesohn
83be0735cd
Fix setting etcd client cert serial ( #1775 )
2017-10-11 19:47:11 +01:00
Matthew Mosesohn
fe4ba51d1a
Set node IP correctly ( #1770 )
...
Fixes #1741
2017-10-11 15:28:42 +01:00
Hyunsun Moon
adf575b75e
Set default value for disable_shared_pid ( #1710 )
...
PID namespace sharing is disabled only in Kubernetes 1.7.
Explicitily enabling it by default could help reduce unexpected
results when upgrading to or downgrading from 1.7.
2017-10-11 14:55:51 +01:00
Spencer Smith
e5426f74a8
Merge pull request #1762 from manics/bindir-helm
...
Include bin_dir when patching helm tiller with kubectl
2017-10-10 10:40:47 -04:00
Spencer Smith
f5212d3b79
Merge pull request #1752 from pmontanari/patch-1
...
Force synchronize to use ssh_args so it works when using bastion
2017-10-10 10:40:01 -04:00
Spencer Smith
3d09c4be75
Merge pull request #1756 from kubernetes-incubator/fix_bool_assert
...
Fix bool check assert
2017-10-10 10:38:53 -04:00
Spencer Smith
f2db15873d
Merge pull request #1754 from ArchiFleKs/rkt-kubelet-fix
...
add hosts to rkt kubelet
2017-10-10 10:37:36 -04:00
ArchiFleKs
7c663de6c9
add /etc/hosts volume to rkt templates
2017-10-09 16:41:51 +02:00
Simon Li
c14bbcdbf2
Include bin_dir when patching helm tiller with kubectl
2017-10-09 15:17:52 +01:00
ant31
1be4c1935a
Fix bool check assert
2017-10-06 17:02:38 +00:00
pmontanari
764b1aa5f8
Force synchronize to use ssh_args so it works when using bastion
...
In case ssh.config is set to use bastion, synchronize needs to use it too.
2017-10-06 00:21:54 +02:00
Spencer Smith
d13b07ba59
Merge pull request #1751 from bradbeam/calicoprometheus
...
Adding calico/node env vars for prometheus configuration
2017-10-05 17:29:12 -04:00
Brad Beam
55dfae2a52
Followup fix for CVE-2017-14491
2017-10-05 11:31:04 -05:00
Brad Beam
b81c0d869c
Adding calico/node env vars for prometheus configuration
2017-10-05 08:46:01 -05:00
Matthew Mosesohn
f14f04c5ea
Upgrade to kubernetes v1.8.0 ( #1730 )
...
* Upgrade to kubernetes v1.8.0
hyperkube no longer contains rsync, so now use cp
* Enable node authorization mode
* change kube-proxy cert group name
2017-10-05 10:51:21 +01:00
Aivars Sterns
9c86da1403
Normalize tags in all places to prepare for tag fixing in future ( #1739 )
2017-10-05 08:43:04 +01:00
Spencer Smith
cb611b5ed0
Merge pull request #1742 from mattymo/facts_as_vars
...
Move set_facts to kubespray-defaults defaults
2017-10-04 15:46:39 -04:00
Spencer Smith
ab171a1d6d
don't delegate cert slurp
2017-10-04 13:06:51 -04:00
Matthew Mosesohn
a56738324a
Move set_facts to kubespray-defaults defaults
...
These facts can be generated in defaults with a performance
boost.
Also cleaned up duplicate etcd var names.
2017-10-04 14:02:47 +01:00
Matthew Mosesohn
e42cb43ca5
add bootstrap for debian ( #1726 )
2017-10-03 08:30:45 +01:00
Brad Beam
ca541c7e4a
Ensuring vault service is stopped in reset tasks ( #1736 )
2017-10-03 08:30:28 +01:00
Brad Beam
96e14424f0
Adding kubedns update for CVE-2017-14491 ( #1735 )
2017-10-03 08:30:14 +01:00
Matthew Mosesohn
dae9f6d3c2
Test if tokens are expired from host instead of inside container ( #1727 )
...
* Test if tokens are expired from host instead of inside container
* Update main.yml
2017-10-02 13:14:50 +01:00
Julian Poschmann
8e1210f96e
Fix cluster-network w/ prefix > 25 not possible with CNI ( #1713 )
2017-10-01 10:43:00 +01:00
Brad Beam
1b9a6d7ad8
Merge pull request #1672 from manics/bastion-proxycommand-newline
...
Insert a newline in bastion ssh config after ProxyCommand conditional
2017-09-29 11:37:47 -05:00
Peter Slijkhuis
371fa51e82
Make installation of EPEL optional ( #1721 )
2017-09-29 13:44:29 +01:00
Matthew Mosesohn
a55675acf8
Enable RBAC with kubeadm always ( #1711 )
2017-09-29 09:18:24 +01:00
Matthew Mosesohn
25dd3d476a
Fix error for azure+calico assert ( #1717 )
...
Fixes #1716
2017-09-29 08:17:18 +01:00
Matthew Mosesohn
3ff5f40bdb
fix graceful upgrade ( #1704 )
...
Fix system namespace creation
Only rotate tokens when necessary
2017-09-27 14:49:20 +01:00
Matthew Mosesohn
689ded0413
Enable kubeadm upgrades to any version ( #1709 )
2017-09-27 14:48:18 +01:00
Matthew Mosesohn
327ed157ef
Verify valid settings before deploy ( #1705 )
...
Also fix yaml lint issues
Fixes #1703
2017-09-27 14:47:47 +01:00
tanshanshan
477afa8711
when and run_once are reduplicative ( #1694 )
2017-09-26 14:48:05 +01:00
Matthew Mosesohn
bd272e0b3c
Upgrade to kubeadm ( #1667 )
...
* Enable upgrade to kubeadm
* fix kubedns upgrade
* try upgrade route
* use init/upgrade strategy for kubeadm and ignore kubedns svc
* Use bin_dir for kubeadm
* delete more secrets
* fix waiting for terminating pods
* Manually enforce kube-proxy for kubeadm deploy
* remove proxy. update to kubeadm 1.8.0rc1
2017-09-26 10:38:58 +01:00
Brad Beam
14c232e3c4
Merge pull request #1663 from foxyriver/fix-shell
...
use command module instead of shell module
2017-09-25 13:24:45 -05:00
Brad Beam
57f5fb1f4f
Merge pull request #1661 from neith00/master
...
upgrading from weave version 2.0.1 to 2.0.4
2017-09-25 13:23:57 -05:00
Bogdan Dobrelya
bcddfb786d
Merge pull request #1692 from mattymo/old-etcd-logic
...
drop unused etcd logic
2017-09-25 17:44:33 +02:00
Martin Uddén
20db1738fa
feature: install project atomic CSS on RedHat family ( #1499 )
...
* feature: install project atomic CSS on RedHat family
* missing patch for this feature
* sub-role refactor
* Yamllint fix
2017-09-25 12:29:17 +01:00
Hassan Zamani
b23d81f825
Add etcd_blkio_weight var ( #1690 )
2017-09-25 12:20:24 +01:00
Matthew Mosesohn
a1cde03b20
Correct master manifest cleanup logic ( #1693 )
...
Fixes #1666
2017-09-25 12:19:04 +01:00
Bogdan Dobrelya
cfce23950a
Merge pull request #1687 from jistr/cgroup-driver-kubeadm
...
Set correct kubelet cgroup-driver also for kubeadm deployments
2017-09-25 11:16:40 +02:00
Deni Bertovic
64740249ab
Adds tags for asserts ( #1639 )
2017-09-25 08:41:03 +01:00
Matthew Mosesohn
126f42de06
drop unused etcd logic
...
Fixes #1660
2017-09-25 07:52:55 +01:00
Matthew Mosesohn
d94e3a81eb
Use api lookup for kubelet hostname when using cloudprovider ( #1686 )
...
The value cannot be determined properly via local facts, so
checking k8s api is the most reliable way to look up what hostname
is used when using a cloudprovider.
2017-09-24 09:22:15 +01:00
Jiri Stransky
70d0235770
Set correct kubelet cgroup-driver also for kubeadm deployments
...
This follows pull request #1677 , adding the cgroup-driver
autodetection also for kubeadm way of deploying.
Info about this and the possibility to override is added to the docs.
2017-09-22 13:19:04 +02:00
foxyriver
30b5493fd6
use command module instead of shell module
2017-09-22 15:47:03 +08:00
Jiri Stransky
dbbe9419e5
Allow setting cgroup driver for kubelet
...
Red Hat family platforms run docker daemon with `--exec-opt
native.cgroupdriver=systemd`. When kubespray tried to start kubelet
service, it failed with:
Error: failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: "cgroupfs" is different from docker cgroup driver: "systemd"
Setting kubelet's cgroup driver to the correct value for the platform
fixes this issue. The code utilizes autodetection of docker's cgroup
driver, as different RPMs for the same distro may vary in that regard.
2017-09-21 11:58:11 +02:00
Matthew Mosesohn
188bae142b
Fix wait for hosts in CI ( #1679 )
...
Also fix usage of failed_when and handling exit code.
2017-09-20 14:30:09 +01:00
Simon Li
7c2b12ebd7
Insert a newline in bastion after ProxyCommand conditional
2017-09-18 16:29:12 +01:00
Matthew Mosesohn
ef8e35e39b
Create admin credential kubeconfig ( #1647 )
...
New files: /etc/kubernetes/admin.conf
/root/.kube/config
$GITDIR/artifacts/{kubectl,admin.conf}
Optional method to download kubectl and admin.conf if
kubeconfig_lcoalhost is set to true (default false)
2017-09-18 13:30:57 +01:00
Brad Beam
aaa27d0a34
Adding quotes around parameters in cloud_config ( #1664 )
...
This is to help support escapes and special characters
2017-09-16 08:43:47 +01:00
Kevin Lefevre
9302ce0036
Enhanced OpenStack cloud provider ( #1627 )
...
- Enable Cinder API version for block storage
- Enable floating IP for LBaaS
2017-09-16 08:43:24 +01:00
Matthew Mosesohn
8e731337ba
Enable HA deploy of kubeadm ( #1658 )
...
* Enable HA deploy of kubeadm
* raise delay to 60s for starting gce hosts
2017-09-15 22:28:15 +01:00
Matthew Mosesohn
b294db5aed
fix apply for netchecker upgrade ( #1659 )
...
* fix apply for netchecker upgrade and graceful upgrade
* Speed up daemonset upgrades. Make check wait for ds upgrades.
2017-09-15 13:19:37 +01:00
Brad Beam
f2ae16e71d
Merge pull request #1651 from bradbeam/vaultnocontent
...
Fixing condition where vault CA already exists
2017-09-14 17:04:15 -05:00
Brad Beam
ac281476c8
Prune unnecessary certs from vault setup ( #1652 )
...
* Cleaning up cert checks for vault
* Removing all unnecessary etcd certs from each node
* Removing all unnecessary kube certs from each node
2017-09-14 12:28:11 +01:00
neith00
1b1c8d31a9
upgrading from weave version 2.0.1 to 2.0.4
...
This upgrade has been testing offline on a 1.7.5 cluster
2017-09-14 10:29:28 +02:00
Brad Beam
4b587aaf99
Adding ability to specify altnames for vault cert ( #1640 )
2017-09-14 07:19:44 +01:00
Kyle Bai
016301508e
Update to Kubernetes v1.7.5 ( #1649 )
2017-09-14 07:18:03 +01:00
Matthew Mosesohn
6744726089
kubeadm support ( #1631 )
...
* kubeadm support
* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job
* change ci boolean vars to json format
* fixup
* Update create-gce.yml
* Update create-gce.yml
* Update create-gce.yml
2017-09-13 19:00:51 +01:00
Brad Beam
0a89f88b89
Fixing condition where CA already exists
2017-09-13 03:40:46 +00:00
Brad Beam
69fac8ea58
Merge pull request #1634 from bradbeam/calico_cni
...
fix for calico cni plugin node name
2017-09-11 22:18:06 -05:00
Seungkyu Ahn
e8bde03a50
Setting kubectl bin directory ( #1635 )
2017-09-09 23:54:13 +03:00
Matthew Mosesohn
75b13caf0b
Fix kube-apiserver status checks when changing insecure bind addr ( #1633 )
2017-09-09 23:41:48 +03:00
Matthew Mosesohn
5d99fa0940
Purge old upgrade hooks and unused tasks ( #1641 )
2017-09-09 23:41:20 +03:00
Matthew Mosesohn
649388188b
Fix netchecker update side effect ( #1644 )
...
* Fix netchecker update side effect
kubectl apply should only be used on resources created
with kubectl apply. To workaround this, we should apply
the old manifest before upgrading it.
* Update 030_check-network.yml
2017-09-09 23:38:38 +03:00
Matthew Mosesohn
9fa1873a65
Add kube dashboard, enabled by default ( #1643 )
...
* Add kube dashboard, enabled by default
Also add rbac role for kube user
* Update main.yml
2017-09-09 23:38:03 +03:00
Matthew Mosesohn
f2057dd43d
Refactor downloads ( #1642 )
...
* Refactor downloads
Add prefixes to tasks (file vs container)
Remove some delegates
Clean up some conditions
* Update ansible.cfg
2017-09-09 23:32:12 +03:00
Brad Beam
eeffbbb43c
Updating calicocni.hostname to calicocni.nodename
2017-09-08 12:47:40 +00:00
Brad Beam
aaa0105f75
Flexing calicocni.hostname based on cloud provider
2017-09-08 12:47:40 +00:00
Matthew Mosesohn
079d317ade
Default is_atomic to false ( #1637 )
2017-09-08 15:00:57 +03:00
Maxim Krasilnikov
e16b57aa05
Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster ( #1632 )
2017-09-07 23:30:16 +03:00
Matthew Mosesohn
7117614ee5
Use a generated password for kube user ( #1624 )
...
Removed unnecessary root user
2017-09-06 20:20:25 +03:00
Chad Swenson
e26aec96b0
Consolidate kube-proxy module and sysctl loading ( #1586 )
...
This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
2017-09-06 15:11:51 +03:00
Sam Powers
c60d104056
Update checksums (etcd calico calico-cni weave) to fix uploads.yml ( #1584 )
...
the uploads.yml playbook was broken with checksum mismatch errors in
various kubespray commits, for example, 3bfad5ca73
which updated the version from 3.0.6 to 3.0.17 without updating the
corresponding checksums.
2017-09-06 15:11:13 +03:00
Oliver Moser
e6ff8c92a0
Using 'hostnamectl' to set unconfigured hostname on CoreOS ( #1600 )
2017-09-06 15:10:52 +03:00
Chad Swenson
cbaa2b5773
Retry Remove all Docker containers in reset ( #1623 )
...
Due to various occasional docker bugs, removing a container will sometimes fail. This can often be mitigated by trying again.
2017-09-06 14:23:16 +03:00
Matthieu
0453ed8235
Fix an error with Canal when RBAC are disabled ( #1619 )
...
* Fix an error with Canal when RBAC are disabled
* Update using same rbac strategy used elsewhere
2017-09-06 11:32:32 +03:00
Brad Beam
a341adb7f3
Updating CN for node certs generated by vault ( #1622 )
...
This allows the node authorization plugin to function correctly
2017-09-06 10:55:08 +03:00
mkrasilnikov
957b7115fe
Remove node name from kube-proxy and admin certificates
2017-09-05 14:40:26 +03:00
mkrasilnikov
b930b0ef5a
Place vault role credentials only to vault group hosts
2017-09-05 11:16:18 +03:00
mkrasilnikov
ad313c9d49
typo fix
2017-09-05 09:07:36 +03:00
mkrasilnikov
e1384f6618
Using issue cert result var instead hostvars
2017-09-05 09:07:36 +03:00
mkrasilnikov
3acb86805b
Rename vault_address to vault_bind_address
2017-09-05 09:07:35 +03:00
mkrasilnikov
bf0af1cd3d
Vault role updates:
...
* using separated vault roles for generate certs with different `O` (Organization) subject field;
* configure vault roles for issuing certificates with different `CN` (Common name) subject field;
* set `CN` and `O` to `kubernetes` and `etcd` certificates;
* vault/defaults vars definition was simplified;
* vault dirs variables defined in kubernetes-defaults foles for using
shared tasks in etcd and kubernetes/secrets roles;
* upgrade vault to 0.8.1;
* generate random vault user password for each role by default;
* fix `serial` file name for vault certs;
* move vault auth request to issue_cert tasks;
* enable `RBAC` in vault CI;
2017-09-05 09:07:35 +03:00
ArthurMa
c77d11f1c7
Bugfix ( #1616 )
...
lost executable path
2017-09-05 08:35:14 +03:00
Matthew Mosesohn
d279d145d5
Fix non-rbac deployment of resources as a list ( #1613 )
...
* Use kubectl apply instead of create/replace
Disable checks for existing resources to speed up execution.
* Fix non-rbac deployment of resources as a list
* Fix autoscaler tolerations field
* set all kube resources to state=latest
* Update netchecker and weave
2017-09-05 08:23:12 +03:00
Matthew Mosesohn
fc7905653e
Add socat for CoreOS when using host deploy kubelet ( #1575 )
2017-09-04 11:30:18 +03:00
Matthew Mosesohn
660282e82f
Make daemonsets upgradeable ( #1606 )
...
Canal will be covered by a separate PR
2017-09-04 11:30:01 +03:00
Matthew Mosesohn
77602dbb93
Move calico to daemonset ( #1605 )
...
* Drop legacy calico logic
* add calico as a daemonset
2017-09-04 11:29:51 +03:00
Matthew Mosesohn
a3e6896a43
Add RBAC support for canal ( #1604 )
...
Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
Added rbac for calico policy controller
2017-09-04 11:29:40 +03:00
Dann
702ce446df
Apply ClusterRoleBinding to dnsmaq when rbac_enabled ( #1592 )
...
* Add RBAC policies to dnsmasq
* fix merge conflict
* yamllint
* use .j2 extension for dnsmasq autoscaler
2017-09-03 10:53:45 +03:00
Brad Beam
8ae77e955e
Adding in certificate serial numbers to manifests ( #1392 )
2017-09-01 09:02:23 +03:00
sgmitchell
783924e671
Change backup handler to only run v2 data backup if snap directory exists ( #1594 )
2017-08-31 18:23:24 +03:00
Julian Poschmann
93304e5f58
Fix calico leaving service behind. ( #1599 )
2017-08-31 12:00:05 +03:00
Brad Beam
917373ee55
Merge pull request #1595 from bradbeam/cacerts
...
Fixing CA certificate locations for k8s components
2017-08-30 21:31:19 -05:00
Brad Beam
7a98ad50b4
Fixing CA certificate locations for k8s components
2017-08-30 15:30:40 -05:00
Brad Beam
982058cc19
Merge pull request #1514 from vijaykatam/docker_systemd
...
Configurable docker yum repos, systemd fix
2017-08-30 11:50:23 -05:00
Oliver Moser
576beaa6a6
Include /opt/bin in PATH for host deployed kubelet on CoreOS ( #1591 )
...
* Include /opt/bin in PATH for host deployed kubelet on CoreOS
* Removing conditional check for CoreOS
2017-08-30 16:50:33 +03:00
Maxim Krasilnikov
6eb22c5db2
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s ( #1552 )
...
* Added update CA trust step for etcd and kube/secrets roles
* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.
* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.
* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.
* Fixed different certificates set for vault cert_managment
* Update doc/vault.md
* Fixed condition create vault CA, wrong group
* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts
* Removed wrong when condition in create etcd role vault tasks.
2017-08-30 16:03:22 +03:00
Brad Beam
72a0d78b3c
Merge pull request #1585 from mattymo/canal_upgrade
...
Fix upgrade for canal and apiserver cert
2017-08-29 18:45:21 -05:00
Matthew Mosesohn
13d08af054
Fix upgrade for canal and apiserver cert
...
Fixes #1573
2017-08-29 22:08:30 +01:00
Eric Hoffmann
6c30a7b2eb
update calico version
...
update calico releases link
2017-08-28 16:23:51 -07:00
Matthew Mosesohn
76b72338da
Add CNI config for rkt kubelet ( #1579 )
2017-08-28 21:11:01 +03:00
Chad Swenson
a39e78d42d
Initial version of Flannel using CNI ( #1486 )
...
* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI
* Removes old Flannel installation
* Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host
* Uses RBAC if enabled
* Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set
2017-08-25 10:07:50 +03:00
Brad Beam
4550dccb84
Fixing reference to vault leader url ( #1569 )
2017-08-24 23:21:39 +03:00
Hassan Zamani
01ce09f343
Add feature_gates var for customizing Kubernetes feature gates ( #1520 )
2017-08-24 23:18:38 +03:00
Brad Beam
71dca67ca2
Merge pull request #1508 from tmjd/update-calico-2-4-0
...
Update Calico to 2.4.1 release.
2017-08-24 14:57:29 -05:00
Yuki KIRII
a98b866a66
Verify if br_netfilter module exists ( #1492 )
2017-08-24 17:47:32 +03:00
Xavier Mehrenberger
3aabba7535
Remove discontinued option --reconcile-cidr if kube_network_plugin=="cloud" ( #1568 )
2017-08-24 17:01:30 +03:00
Mohamed Mehany
c22cfa255b
Added private key file to ssh bastion conf ( #1563 )
...
* Added private key file to ssh bastion conf
* Used regular if condition insted of inline conditional
2017-08-24 17:00:45 +03:00
Matthew Mosesohn
6bb3463e7c
Enable scheduling of critical pods and network plugins on master
...
Added toleration to DNS, netchecker, fluentd, canal, and
calico policy.
Also small fixes to make yamllint pass.
2017-08-24 10:41:17 +01:00
Brad Beam
8b151d12b9
Adding yamllinter to ci steps ( #1556 )
...
* Adding yaml linter to ci check
* Minor linting fixes from yamllint
* Changing CI to install python pkgs from requirements.txt
- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements
2017-08-24 12:09:52 +03:00
Ian Lewis
ecb6dc3679
Register standalone master w/ taints ( #1426 )
...
If Kubernetes > 1.6 register standalone master nodes w/ a
node-role.kubernetes.io/master=:NoSchedule taint to allow
for more flexible scheduling rather than just marking unschedulable.
2017-08-23 16:44:11 +03:00