Commit graph

1011 commits

Author SHA1 Message Date
Matthew Mosesohn
eab686bd56 ensure post-upgrade purge ones only once 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
f953303722 switch debian8-canal-ha to ubuntu 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
a7bedd30ab move network plugins out of grouped upgrades 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
1a96970918 Fix delegate tasks for kubectl and etcdctl 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
bf3425322f Significantly reduce memory requirements
Canal runs more pods and upgrades need a bit of extra
room to load new pods in and get the old ones out.
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
f1f58166e5 Only cordon Ready nodes 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
68a1faaaa0 Move graceful upgrade test to debian canal HA, adjust drain
Graceful upgrades require 3 nodes
Drain now has a command timeout of 40s
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
986a89be66 Merge pull request #1181 from holser/refactor_etcd
Refactor etcd role
2017-03-27 13:05:35 +03:00
Sergii Golovatiuk
77671dbd05 Refactor etcd role
- Run docker run from script rather than directly from systemd target
- Refactoring styling/templates

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-24 12:34:15 +01:00
Artem Panchenko
bc0db79c86 Bump calico policy controller version
Latest released version of kube-policy-controller
contains important bug fixes and should be used
by default.
2017-03-24 12:13:09 +02:00
Matthew Mosesohn
503dc26f11 Merge pull request #1177 from rutsky/replace-nbsp
replace non-breakable space with regular space
2017-03-23 12:59:45 +03:00
Matthew Mosesohn
5879d62869 Merge pull request #1179 from kubernetes-incubator/missing_defaults
Add missing defaults
2017-03-23 12:16:13 +03:00
Antoine Legrand
9f1ca9377f Add missing defaults 2017-03-23 10:05:34 +01:00
Vladimir Rutsky
bc30ea7582 replace non-breakable space with regular space
Non-brekable space is 0xc2 0xa0 byte sequence in UTF-8.

To find one:

    $ git grep -I -P '\xc2\xa0'

To replace with regular space:

    $ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g'

This commit doesn't include changes that will overlap with commit f1c59a91a1.
2017-03-23 00:25:01 +03:00
Matthew Mosesohn
daf88282cc Merge pull request #1172 from mattymo/dnsmasq_upgrade
Use checksum of dnsmasq config to trigger updates of dnsmasq
2017-03-22 18:00:10 +03:00
Matthew Mosesohn
8098b77e41 Merge pull request #1167 from mattymo/dnsmasq_when_deploying_master
Change wait for dnsmasq to skip if there are no kube-nodes in play
2017-03-22 17:59:56 +03:00
Brad Beam
388469c70a Setting defaults for docker log rotation 2017-03-22 09:40:10 -04:00
Roger Welin
da26c560b2 add iptables --flush to reset role 2017-03-22 11:10:24 +01:00
Matthew Mosesohn
e020457d1d Use checksum of dnsmasq config to trigger updates of dnsmasq
Allows config changes made by Ansible to restart dnsmasq deployment
2017-03-22 13:03:55 +03:00
Josh Lothian
18404db076 1169 - fix docker systemd unit
The docker-network environment file masks the new values
put into /etc/systemd/system/docker.service.d/flannel-options.conf
to renumber the docker0 to work correctly with flannel.
2017-03-21 15:22:14 -05:00
Matthew Mosesohn
51985ab9de Change wait for dnsmasq to skip if there are no kube-nodes in play
Also changed unnecessary delay to a max timeout (now defaulting to 1s sleep
between tries)

Also rename play_hosts to ansible_play_hosts
2017-03-21 18:55:22 +03:00
Matthew Mosesohn
df09b8dc36 Merge pull request #1159 from holser/etcd_backup_restore
Backup etcd
2017-03-21 13:07:44 +03:00
Matthew Mosesohn
b68e545bad Merge pull request #1155 from mattymo/helm
Add helm deployment
2017-03-20 17:00:06 +03:00
Sergii Golovatiuk
e635fecc01 Backup etcd data before restarting etcd
etcd is crucial part of kubernetes cluster. Ansible restarts etcd on
reconfiguration. Backup helps operator to restore cluster manually in
case of any issues.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-20 14:50:52 +01:00
Matthew Mosesohn
f9ef55c796 Merge pull request #1152 from mattymo/redhat_weave
Fix weave on RHEL deployment
2017-03-19 16:45:20 +03:00
Matthew Mosesohn
182a2e682f Merge pull request #1149 from mattymo/centos-retries
Retry yum/apt/rpm download commands
2017-03-18 11:12:36 +03:00
Matthew Mosesohn
579a6299c0 Add helm deployment 2017-03-17 20:24:41 +03:00
Matthew Mosesohn
dd56342361 Retry yum/apt/rpm download commands, fix succeeded filter 2017-03-17 18:56:26 +03:00
Matthew Mosesohn
b060d3279c Merge pull request #1146 from mattymo/resolvconf_optimize
Condense resolvconf sources before starting loop
2017-03-17 18:42:32 +03:00
Matthew Mosesohn
446a4bbdc8 Fix weave on RHEL deployment
Reduce retry delay checking weave
Always load br_netfilter module
2017-03-17 18:17:47 +03:00
Matthew Mosesohn
a5876a1ac8 Merge pull request #1136 from adidenko/fix-calico-policy-order
Move calico-policy-controller into separate role
2017-03-17 17:32:14 +03:00
Aleksandr Didenko
1adf231512 Move calico-policy-controller into separate role
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn
2586d01345 Condense resolvconf sources before starting loop 2017-03-17 13:06:56 +03:00
Matthew Mosesohn
3ee77a08cd Update calico to 1.1.0-rc8
Fixes bug in CentOS/RHEL in felix related to overlayfs driver.
2017-03-16 19:23:36 +03:00
Matthew Mosesohn
bf5bf13003 Merge pull request #1087 from bradbeam/openstack
Adding openstack domain id
2017-03-16 17:53:14 +03:00
Matthew Mosesohn
7e13e17d9f Merge pull request #1108 from idcrook/issue_1107-docker-versioning
Adding Docker CE 'stable' and 'edge' version packages
2017-03-16 16:32:13 +03:00
Matthew Mosesohn
ad03f3ac84 Merge branch 'master' into idempotency2 2017-03-16 09:29:43 +03:00
Matthew Mosesohn
261aeb6112 Merge pull request #1138 from mattymo/idempotency-fixes
Idempotency fixes for etcd certs and resolvconf tasks
2017-03-16 09:20:28 +03:00
Matthew Mosesohn
fad22bae97 More idempotency fixes
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
2017-03-15 19:06:39 +03:00
Matthew Mosesohn
7b5d6c7a06 Merge pull request #1137 from holser/bug/1135
Turn on iptables for flannel
2017-03-15 17:06:42 +03:00
Matthew Mosesohn
20247b9c0a Merge pull request #1080 from VincentS/Granular_Auth_Control
Granular authentication Control
2017-03-15 13:12:51 +03:00
Matthew Mosesohn
210d9503f3 Merge pull request #1117 from mattymo/etcd3-upgrade
Migrate k8s data to etcd3 api store
2017-03-15 12:56:06 +03:00
Matthew Mosesohn
4287993811 Make resolvconf preinstall idempotent 2017-03-15 01:20:13 +04:00
Sergii Golovatiuk
97a7f1c4a5 Turn on iptables for flannel
Closes: #1135
Closes: #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-14 17:54:55 +01:00
Vincent Schwarzer
ea1f072c7e Granular authentication Control
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Matthew Mosesohn
8450ff00cc Merge pull request #1134 from mattymo/1.6-support
Explicitly set cni-bin-dir
2017-03-14 17:53:08 +03:00
Matthew Mosesohn
25b366dd98 Migrate k8s data to etcd3 api store
Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data
2017-03-14 17:50:20 +03:00
Matthew Mosesohn
bb66bb19e8 Fix etcd idempotency 2017-03-14 17:23:29 +03:00
Matthew Mosesohn
e486dabc42 Merge pull request #1078 from VincentS/oidc_support
Added Support for OpenID Connect Authentication
2017-03-14 12:07:21 +03:00
Matthew Mosesohn
944fa9d975 Explicitly set cni-bin-dir 2017-03-13 20:13:21 +03:00
Matthew Mosesohn
f2900d65e1 Merge pull request #1118 from mattymo/noderolelabels
Add node labels in kubelet
2017-03-13 19:04:21 +03:00
David Crook
9e6983a11f updated debian and ubuntu package names based on testing
docker-ce is not the .deb package until the repositories are switched over to new "downloads" docker webserver
2017-03-06 16:54:39 -07:00
David Crook
32d1edf0b9 removed irrelevant comments 2017-03-06 16:02:53 -07:00
David Crook
b1d701ae47 Merge branch 'master' into issue_1107-docker-versioning 2017-03-06 16:00:31 -07:00
Brad Beam
0c96b5d3fc Removing cloud_provider tag to fix scenario where cloud_provider is not defined 2017-03-06 10:52:38 -06:00
Matthew Mosesohn
8065a2355c Add node labels in kubelet
Related-issue: https://github.com/kubernetes/community/issues/300
Upgraded nodes do not obtain labels automatically.
See https://github.com/kubernetes/kubernetes/pull/29459 for more details.
2017-03-06 17:18:42 +03:00
Vincent Schwarzer
ea6bf9143f Added Support for OpenID Connect Authentication
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Antoine Legrand
bfe58a7750 Merge pull request #1045 from bradbeam/vsphere
Adding vsphere cloud provider support
2017-03-06 12:34:05 +01:00
Antoine Legrand
8595bf50cd Merge pull request #1112 from mattymo/skip_vault_if_disabled
Disable vault role properly on ansible 2.2.0
2017-03-06 11:27:53 +01:00
Matthew Mosesohn
7a3956173a Disable vault role properly on ansible 2.2.0
when condition does not seem to work correctly at playbook
level for ansible 2.2.0.
2017-03-05 00:43:01 +04:00
Matthew Mosesohn
f247a75afd Remove standalone etcd specific play, cleanup host mode
Now etcd role can optionally disable etcd cluster setup for faster
deployment when it is combined with etcd role.
2017-03-04 00:34:26 +04:00
Matthew Mosesohn
cd3c402454 Merge pull request #1111 from mattymo/use_find_for_certs
Use find module for checking for certificates
2017-03-03 20:08:33 +03:00
Matthew Mosesohn
7e1aa3b43b Use find module for checking for certificates
Also generate certs only when absent on master (rather than
when absent on target node)
2017-03-03 16:21:01 +03:00
Bogdan Dobrelya
1cca1909c9 Merge pull request #1071 from vijaykatam/atomic_host
Add support for atomic host
2017-03-03 13:03:59 +01:00
Matthew Mosesohn
4b50274b33 Merge pull request #1075 from VincentS/loadbalancer_aws
Possibility to add Loadbalancers without static IP (e.g. AWS ELB) #1074
2017-03-03 14:07:22 +03:00
David Crook
8eb0957fe0 first pass at adding 'stable' and 'edge' version packages
- Only have ubuntu to test on
  - fedora and redhat are placeholders/guesses
  - the "old" package repositories seem to have the "new" CE version which is `1.13.1` based
- `docker-ce` looks like it is named as a backported `docker-engine` package in some
  places

- Did not change the `defaults` version anywhere, so should work as before
- Did not point to new package repositories, as existing ones have the new packages.
2017-03-02 13:48:09 -07:00
Matthew Mosesohn
d1299f358b Merge pull request #1060 from holser/etcdv3
Allow to specify etcd backend for kube-api
2017-03-02 17:24:09 +03:00
Matthew Mosesohn
09c3a4f8d1 Merge pull request #1093 from mattymo/scaledns
Add autoscalers for dnsmasq and kubedns
2017-03-02 16:58:56 +03:00
Matthew Mosesohn
576ffe83c7 Add autoscalers for dnsmasq and kubedns
By default kubedns and dnsmasq scale when installed.
Dnsmasq is no longer a daemonset. It is now a deployment.
Kubedns is no longer a replicationcluster. It is now a deployment.
Minimum replicas is two (to enable rolling updates).

Reduced memory erquirements for dnsmasq and kubedns
2017-03-02 13:44:22 +03:00
Vincent Schwarzer
9164b9cdcf Changes based on feedback (additional ansible checks) 2017-03-02 11:04:10 +01:00
Vincent Schwarzer
3ef7365cae Modified how adding LB for the Kube API is handled (AWS)
Until now it was not possible to add an API Loadbalancer
without an static IP Address. But certain Loadbalancers
like AWS Elastic Loadbalanacer dontt have an fixed IP address.
With this commit it is possible to add these kind of Loadbalancers
to the Kargo deployment.
2017-03-02 11:04:10 +01:00
Matthew Mosesohn
b9cd6d4e4d Merge pull request #1101 from retr0h/docker-1.13.1
Use docker-engine 1.13.1
2017-03-02 12:31:58 +03:00
John Dewey
e19bd9b543 Use docker-engine 1.13.1
The default version of Docker was switched to 1.13 in #1059.  This
change also bumped ubuntu from installing docker-engine 1.13.0 to
1.13.1.  This PR updates os families which had 1.13 defined, but
were using 1.13.0.

The impetus for this change is an issue running tiller 1.2.3 on
docker 1.13.0.  See discussion [1][2].

[1] https://github.com/kubernetes/helm/issues/1838
[2] https://github.com/kubernetes-incubator/kargo/pull/1100
2017-03-01 12:53:39 -08:00
Matthew Mosesohn
b6861ebed0 Merge pull request #959 from galthaus/host-mode-restart
Restart kube-controller for host_resolvconf mode
2017-03-01 20:54:21 +03:00
Vijay Katam
8fc5a844b3 Add support for atomic host
Updates based on feedback

Simplify checks for file exists

remove invalid char

Review feedback. Use regular systemd file.

Add template for docker systemd atomic
2017-03-01 09:38:19 -08:00
Antoine Legrand
f7c3a8efe2 Merge pull request #1076 from VincentS/etcd_openssl_count_fix
Fixed counter in ETCD Openssl.conf
2017-03-01 14:17:27 +01:00
Bogdan Dobrelya
7f1a1c3123 Merge pull request #1090 from artem-panchenko/calicoAcceptHostEndpointConnections
Allow connections from pods to local endpoints
2017-03-01 13:37:05 +01:00
Artem Panchenko
05c8061c24 Allow connections from pods to local endpoints
By default Calico blocks traffic from endpoints
to the host itself by using an iptables DROP
action. It could lead to a situation when service
has one alive endpoint, but pods which run on
the same node can not access it. Changed the action
to RETURN.
2017-03-01 09:21:02 +02:00
Matthew Mosesohn
2f86520ce7 Merge pull request #1066 from bradbeam/rkt-kubelet-cloudprovider
Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service
2017-02-28 20:02:56 +03:00
Sergii Golovatiuk
d9f67a343c Allow to specify etcd backend for kube-api
Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue uses it
until user decides to upgrade to v3.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 17:13:22 +01:00
Sergii Golovatiuk
2a88210f78 Change kube-api default port from 443 to 6443
Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.

Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 15:45:35 +01:00
Brad Beam
a939c53d86 Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service 2017-02-28 06:29:35 -06:00
Matthew Mosesohn
015f1305eb Merge pull request #1086 from bradbeam/lowermem
Lower default memory requests
2017-02-28 13:37:28 +03:00
Brad Beam
607fb7c89d Making openstack domain name optional 2017-02-27 21:19:27 -06:00
Xavier Lange
60af40af27 Bug fix: support kilo's keystone requirement for domain-name, extracts from ENV var 2017-02-27 21:18:30 -06:00
Brad Beam
6a144213c9 Updating vsphere cloud provider support 2017-02-27 15:08:04 -06:00
Sergii Golovatiuk
a011677697 Make etcd data dir configurable.
Closes: #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-27 21:35:51 +01:00
Jan Jungnickel
c11f981692 Initial support for vsphere as cloud provider 2017-02-27 12:51:41 -06:00
Brad Beam
c50bb7d252 Lower default memory requests
This is to address out of memory issues on CI as well as help
fit deployments for people starting out with kargo on smaller
machines
2017-02-27 10:53:43 -06:00
Vincent Schwarzer
9073d92a61 Fixed counter in ETCD Openssl.conf
When a apiserver_loadbalancer_domain_name is added to the Openssl.conf
the counter gets not increased correctly. This didnt seem to have an
effect at the current kargo version.
2017-02-27 12:01:09 +01:00
Bogdan Dobrelya
87a100ae00 Merge pull request #946 from neith00/master
Using the command module instead of raw
2017-02-27 10:59:53 +01:00
Bogdan Dobrelya
543dafa900 Merge pull request #1063 from bogdando/fix
Align LB defaults with the HA docs
2017-02-27 10:14:42 +01:00
Sergii Golovatiuk
802503458d Increase SSL TTL to 3650 days
In real scenarios 365 days is short period of time. 3650 days is good
enough for long running k8s environments
2017-02-24 15:38:13 +01:00
Antoine Legrand
7d67dfa30c Comment all variables in group_vars 2017-02-23 14:02:57 +01:00
Antoine Legrand
2aff3df697 Add default var role 2017-02-23 12:07:17 +01:00
Bogdan Dobrelya
18cb160be6 Align LB defaults with the HA docs
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 10:32:44 +01:00
Bogdan Dobrelya
dacfbde0b0 Rework inventory all by real groups' vars
* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 09:43:42 +01:00
Matthew Mosesohn
9a1774dfd7 Merge pull request #1020 from mattymo/synthscale
Add synthetic scale deployment mode
2017-02-22 19:15:46 +03:00
Matthew Mosesohn
8ee3957b51 Merge pull request #1059 from holser/docker_iptables
iptables switch for docker
2017-02-22 08:23:58 +03:00
Ivan Shvedunov
836a6a953a Fix shell special vars 2017-02-21 22:22:40 +03:00