C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
2368 commits 17 branches 66 tags 141 MiB
Commit graph

1447 commits

Author SHA1 Message Date
Josh Lothian 30cc7c847e Reconfigure docker restart behavior on atomic 
Before restarting docker, instruct it to kill running
containers when it restarts.

Needs a second docker restart after we restore the original
behavior, otherwise the next time docker is restarted by
an operator, it will unexpectedly bring down all running
containers.
 2017-05-17 14:31:49 -05:00
Josh Lothian a5bb24b886 Fix docker restart in atomic 
In atomic, containers are left running when docker is restarted.
When docker is restarted after the flannel config is put in place,
the docker0 interface isn't re-IPed because docker sees the running
containers and won't update the previous config.

This patch kills all the running containers after docker is stopped.
We can't simply `docker stop` the running containers, as they respawn
before we've got a chance to stop the docker daemon, so we need to
use runc to do this after dockerd is stopped.
 2017-05-17 14:31:49 -05:00
Brad Beam b999ee60aa Fixing typo in kubelet cluster-dns and cluster-domain flags 2017-05-16 15:43:29 -05:00
Brad Beam 85afd3ef14 Removing old sysv reference 2017-05-16 15:28:39 -05:00
Spencer Smith 1907030d89 issue raw yum command since we don't have facts in bootstrapping 2017-05-16 10:07:38 -04:00
Spencer Smith efa2dff681 remove conditional 2017-05-12 17:16:49 -04:00
Spencer Smith 31a7b7d24e default to kubedns and set nxdomain in kubedns deployment if that's the dns_mode 2017-05-12 15:57:24 -04:00
moss2k13 791ea89b88 Updated helm installation 
Added full path for helm
 2017-05-08 09:27:06 +02:00
Spencer Smith c572760a66 Merge pull request #1254 from iJanki/cert_group 
Adding /O=system:masters to admin certificate
 2017-05-05 10:58:42 -04:00
Brad Beam 69fc19f7e0 Merge pull request #1252 from adidenko/separate-tags-for-netcheck-containers 
Add support for different tags for netcheck containers
 2017-05-05 08:04:54 -05:00
Spencer Smith b939c24b3d Merge pull request #1250 from digitalrebar/master 
bootstrap task on centos missing packages
 2017-05-02 12:24:11 -04:00
Spencer Smith 3eb494dbe3 Merge pull request #1259 from bradbeam/calico214 
Updating calico to v2.1.4
 2017-05-02 12:20:47 -04:00
Spencer Smith 0afbc19ffb ensure the /etc/os-release is mounted read only 2017-05-01 14:51:40 -04:00
Spencer Smith ac9290f985 add for rkt as well 2017-04-28 17:45:10 -04:00
Brad Beam a133ba1998 Updating calico to v2.1.4 2017-04-28 14:04:25 -05:00
Spencer Smith 5657738f7e mount os-release to ensure the node's OS is what's seen in k8s api 2017-04-28 13:40:54 -04:00
Aleksandr Didenko 883ba7aa90 Add support for different tags for netcheck containers 
Replace 'netcheck_tag' with 'netcheck_version' and add additional
'netcheck_server_tag' and 'netcheck_agent_tag' config options to
provide ability to use different tags for server and agent
containers.
 2017-04-27 17:15:28 +02:00
Sergii Golovatiuk 674b71b535 Ansible 2.3 support 
- Fix when clauses in various places
- Update requirements.txt
- Fix README.md

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-26 15:22:10 +02:00
Aleksey Kasatkin 2638ab98ad add MY_NODE_NAME variable into netchecker-agent environment 2017-04-24 17:19:42 +03:00
Matthew Mosesohn bc3068c2f9 Merge pull request #1251 from FengyunPan/fix-helm-home 
Specify a dir and attach it to helm for HELM_HOME
 2017-04-24 15:17:28 +03:00
FengyunPan 2bde9bea1c Specify a dir and attach it to helm for HELM_HOME 2017-04-21 10:51:27 +08:00
Greg Althaus 041d4d666e Install required selinux-python bindings in bootstrap 
on centos.  The bootstrap tty fixup needs it.
 2017-04-20 11:17:01 -05:00
Spencer Smith 88b5065e7d fix stray 'in' and break into multiple lines for clarity 2017-04-20 09:53:01 -04:00
Spencer Smith b690008192 allow for correct aws default resolver 2017-04-20 09:32:03 -04:00
Matthew Mosesohn 2d6bc9536c Merge pull request #1246 from holser/disable_dns_for_kube_services 
Change DNS policy for kubernetes components
 2017-04-20 16:12:52 +03:00
Sergii Golovatiuk 01dc6b2f0e Add aws to default_resolver 
When VPC is used, external DNS might not be available. This patch change
behavior to use metadata service instead of external DNS when
upstream_dns_servers is not specified.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-20 11:47:19 +02:00
Sergii Golovatiuk d8aa2d0a9e Change DNS policy for kubernetes components 
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-20 11:22:57 +02:00
Matthew Mosesohn 19bb97d24d Merge pull request #1238 from Starefossen/fix/namespace-template-file 
Move namespace file to template directory
 2017-04-20 12:19:55 +03:00
Matthew Mosesohn 9f4f168804 Merge pull request #1241 from bradbeam/rktcnidir 
Explicitly create cni bin dir
 2017-04-20 12:19:26 +03:00
Matthew Mosesohn cf3083d68e Merge pull request #1239 from mattymo/resettags 
Add tags to reset playbook and make iptables flush optional
 2017-04-20 11:35:08 +03:00
Sergii Golovatiuk e796cdbb27 Fix restart kube-controller (#1242) 
kubernetesUnitPrefix was changed to k8s_* in 1.5. This patch reflects
this change in kargo
 2017-04-20 11:26:01 +03:00
Matthew Mosesohn 2d44582f88 Add tags to reset playbook and make iptables flush optional 
Fixes #1229
 2017-04-19 19:32:18 +03:00
Brad Beam b60a897265 Explicitly create cni bin dir 
If this path doesnt exist, it will cause kubelet to fail to start when
using rkt
 2017-04-19 16:00:44 +00:00
Hans Kristian Flaatten d68cfeed6e
Move namespace file to template directory 2017-04-19 13:37:02 +02:00
Spencer Smith c3c9e955e5 Merge pull request #1232 from rsmitty/custom-flags 
add ability for custom flags
 2017-04-17 14:01:32 -04:00
Spencer Smith 72d5db92a8 remove stray spaces in templating 2017-04-17 12:24:24 -04:00
Spencer Smith 3f302c8d47 ensure spacing on string of flags 2017-04-17 12:13:39 -04:00
Spencer Smith 04a769bb37 ensure spacing on string of flags 2017-04-17 11:11:10 -04:00
Spencer Smith f9d4a1c1d8 update to safeguard against accidentally passing string instead of list 2017-04-17 11:09:34 -04:00
Matthew Mosesohn 3e7db46195 Merge pull request #1233 from gbolo/master 
allow admission control plug-ins to be easily customized
 2017-04-17 12:59:49 +03:00
Matthew Mosesohn e52aca4837 Merge pull request #1223 from mattymo/vault_cert_skip 
Skip vault cert task evaluation when using script certs
 2017-04-17 12:52:42 +03:00
Matthew Mosesohn 5ec503bd6f Merge pull request #1222 from bradbeam/calico 
Updating calico versions
 2017-04-17 12:52:20 +03:00
gbolo 49be805001
allow admission control plug-ins to be easily customized 2017-04-16 22:03:45 -04:00
Spencer Smith 94596388f7 add ability for custom flags 2017-04-14 17:33:04 -04:00
Spencer Smith 5c4980c6e0 Merge pull request #1231 from holser/fix_netchecker-server 
Reschedule netchecker-server in case of HW failure.
 2017-04-14 10:50:07 -04:00
Matthew Mosesohn d7b8fb3113 Update start_vault_temp.yml 2017-04-14 13:32:41 +03:00
Sergii Golovatiuk 45044c2d75 Reschedule netchecker-server in case of HW failure. 
Pod opbject is not reschedulable by kubernetes. It means that if node
with netchecker-server goes down, netchecker-server won't be scheduled
somewhere. This commit changes the type of netchecker-server to
Deployment, so netchecker-server will be scheduled on other nodes in
case of failures.
 2017-04-14 10:49:16 +02:00
Joe Duhamel a9f260d135 Update dnsmasq-autoscaler 
changed target to be a deployment rather than a replicationcontroller.
 2017-04-13 15:07:06 -04:00
Joe Duhamel 072b3b9d8c Update kubedns-autoscaler change target 
The target was a replicationcontroller but kubedns is currently a deployment
 2017-04-13 14:55:25 -04:00
Matthew Mosesohn ae7f59e249 Skip vault cert task evaluation completely when using script cert generation 2017-04-13 19:29:07 +03:00
Brad Beam bce1c62308 Updating calico versions 2017-04-11 20:52:04 -05:00
Spencer Smith 9b3aa3451e Merge pull request #1218 from bradbeam/efkidempotent 
Fixing resource type for kibana
 2017-04-11 19:04:13 -04:00
Spencer Smith 436c0b58db Merge pull request #1217 from bradbeam/helmcompletion 
Excluding bash completion for helm on CoreOS
 2017-04-11 17:34:11 -04:00
zouyee 0bcecae2a3 upgrade etcd version from v3.0.6 to v3.0.17 2017-04-11 10:42:35 +08:00
Brad Beam bd130315b6 Excluding bash completion for helm on CoreOS 2017-04-10 11:07:15 -05:00
Brad Beam 504711647e Fixing resource type for kibana 2017-04-10 11:01:12 -05:00
Antoine Legrand ab12b23e6f Merge pull request #1173 from bradbeam/dockerlogs 
Setting defaults for docker log rotation
 2017-04-09 11:50:01 +02:00
Matthew Mosesohn 1c45d37348 Update kubelet.j2 2017-04-06 22:59:18 +03:00
Matthew Mosesohn b521255ec9 Unbreak 1.5 deployment with kubelet 
1.5 kubelet fails to start when using unknown params
 2017-04-06 21:07:48 +03:00
Matthew Mosesohn 75ea001bfe Merge pull request #1208 from mattymo/1.6-flannel 
Update to k8s 1.6 with flannel and centos fixes
 2017-04-06 13:04:02 +03:00
Matthew Mosesohn ff2fb9196f Fix flannel for 1.6 and apply fixes to enable containerized kubelet 2017-04-06 10:06:21 +04:00
Matthew Mosesohn acae0fe4a3 Merge pull request #1205 from holser/resolv_updates 
Refactoring resolv.conf
 2017-04-05 14:22:52 +03:00
Matthew Mosesohn ccc11e5680 Upgrade to Kubernetes 1.6.1 2017-04-05 13:26:36 +03:00
Sergii Golovatiuk 2670eefcd4 Refactoring resolv.conf 
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-05 09:28:01 +02:00
Matthew Mosesohn c0cae9e8a0 Merge pull request #1204 from mattymo/resolvconf-nodes 
Restart kubelet when updating /etc/resolv.conf on all k8s nodes
 2017-04-04 22:03:44 +03:00
Matthew Mosesohn f8cf6b4f7c Merge pull request #1186 from holser/resolv_conf 
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
 2017-04-04 20:49:55 +03:00
Matthew Mosesohn a29182a010 Restart kubelet when updating /etc/resolv.conf on all k8s nodes 2017-04-04 20:43:47 +03:00
Sergii Golovatiuk 1cfe0beac0 Set ClusterFirstWithHostNet for Pods with hostnetwork: true 
In kubernetes 1.6 ClusterFirstWithHostNet was added as an option. In
accordance to it kubelet will generate resolv.conf based on own
resolv.conf. However, this doesn't create 'options', thus the proper
solution requires some investigation.

This patch sets the same resolv.conf for kubelet as host

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-04 16:34:13 +02:00
Matthew Mosesohn 798f90c4d5 Merge pull request #1153 from mattymo/graceful_drain 
Move graceful upgrade test to Ubuntu canal HA, adjust drain
 2017-04-04 17:33:53 +03:00
Matthew Mosesohn f8d44a8a88 Merge pull request #1200 from mattymo/issue1190 
Fix multiline condition for k8s check certs
 2017-04-04 15:48:05 +03:00
Matthew Mosesohn b4d06ff8dd Add /var/lib/cni to kubelet 
Necessary to persist this directory for host-local IPAM used by Canal
Add pre-upgrade task to copy /var/lib/cni out of old kubelet.
 2017-04-03 19:38:24 +03:00
Matthew Mosesohn 7581705007 Merge pull request #1185 from intelsdi-x/hostname 
Use hostname module to set hostname, and do it for all Os not only Co…
 2017-04-03 19:01:12 +03:00
Matthew Mosesohn 5a5707159a Fix multiline condition for k8s check certs 
Fixes #1190
 2017-04-03 17:44:55 +03:00
Matthew Mosesohn 742a1681ce Merge pull request #1166 from rogerwelin/master 
add iptables --flush to reset role
 2017-04-03 17:25:10 +03:00
Matthew Mosesohn fba9b9cb65 Merge pull request #1182 from artem-panchenko/bumpCalicoPolicyControllerVersion 
Bump calico policy controller version
 2017-04-03 17:21:52 +03:00
Paweł Skrzyński 61b2d7548a Use hostname module to set hostname, and do it for all Os not only CoreOS 2017-04-03 15:09:33 +02:00
Matthew Mosesohn 80828a7c77 use etcd2 when upgrading unless forced 2017-04-03 15:07:42 +03:00
Matthew Mosesohn f5af86c9d5 Merge pull request #1194 from adidenko/fix-sync_certs 
Fix multiline when condition in sync_certs task
 2017-03-31 17:39:40 +03:00
Aleksandr Didenko 58acbe7caf Fix multiline when condition in sync_certs task 
Folded style in multiline 'when' condition causes error with
unexpected ident. Changing it to literal style should fix
the issue.

Closes #1190
 2017-03-30 22:21:04 +02:00
Spencer Smith 355b92d7ba Merge pull request #1170 from jlothian/atomic-docker-network 
1169 - fix docker systemd unit
 2017-03-30 13:13:28 -07:00
Matthew Mosesohn d42e4f2344 Update .gitlab-ci.yml 2017-03-30 12:19:15 +04:00
Matthew Mosesohn fb467df47c fix etcd restart 2017-03-29 23:22:49 +04:00
Matthew Mosesohn 48beef25fa delete master containers forcefully 2017-03-27 19:08:22 +03:00
Matthew Mosesohn a3f568fc64 restart scheduler and controller-manager too 2017-03-27 13:51:35 +03:00
Matthew Mosesohn 57ee304260 ensure post-upgrade purge ones only once 2017-03-27 13:28:37 +03:00
Matthew Mosesohn 0794a866a7 switch debian8-canal-ha to ubuntu 2017-03-27 13:28:37 +03:00
Matthew Mosesohn 49e4d344da move network plugins out of grouped upgrades 2017-03-27 13:28:37 +03:00
Matthew Mosesohn 6e505c0c3f Fix delegate tasks for kubectl and etcdctl 2017-03-27 13:28:37 +03:00
Matthew Mosesohn e9a294fd9c Significantly reduce memory requirements 
Canal runs more pods and upgrades need a bit of extra
room to load new pods in and get the old ones out.
 2017-03-27 13:28:37 +03:00
Matthew Mosesohn 44d851d5bb Only cordon Ready nodes 2017-03-27 13:28:37 +03:00
Matthew Mosesohn c1b9660ec8 Move graceful upgrade test to debian canal HA, adjust drain 
Graceful upgrades require 3 nodes
Drain now has a command timeout of 40s
 2017-03-27 13:28:37 +03:00
Matthew Mosesohn c2c334d22f Merge pull request #1181 from holser/refactor_etcd 
Refactor etcd role
 2017-03-27 13:05:35 +03:00
Sergii Golovatiuk f144fd1ed3 Refactor etcd role 
- Run docker run from script rather than directly from systemd target
- Refactoring styling/templates

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-03-24 12:34:15 +01:00
Artem Panchenko e96557f410 Bump calico policy controller version 
Latest released version of kube-policy-controller
contains important bug fixes and should be used
by default.
 2017-03-24 12:13:09 +02:00
Matthew Mosesohn b2af19471e Merge pull request #1177 from rutsky/replace-nbsp 
replace non-breakable space with regular space
 2017-03-23 12:59:45 +03:00
Matthew Mosesohn 6805d0ff2b Merge pull request #1179 from kubernetes-incubator/missing_defaults 
Add missing defaults
 2017-03-23 12:16:13 +03:00
Antoine Legrand 6e1de9d820 Add missing defaults 2017-03-23 10:05:34 +01:00
Vladimir Rutsky c4e57477fb replace non-breakable space with regular space 
Non-brekable space is 0xc2 0xa0 byte sequence in UTF-8.

To find one:

    $ git grep -I -P '\xc2\xa0'

To replace with regular space:

    $ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g'

This commit doesn't include changes that will overlap with commit f1c59a91a1.
 2017-03-23 00:25:01 +03:00
Matthew Mosesohn 5f082bc0e5 Merge pull request #1172 from mattymo/dnsmasq_upgrade 
Use checksum of dnsmasq config to trigger updates of dnsmasq
 2017-03-22 18:00:10 +03:00
Matthew Mosesohn 0e3b7127b5 Merge pull request #1167 from mattymo/dnsmasq_when_deploying_master 
Change wait for dnsmasq to skip if there are no kube-nodes in play
 2017-03-22 17:59:56 +03:00
Brad Beam 5d3414a40b Setting defaults for docker log rotation 2017-03-22 09:40:10 -04:00
Roger Welin f4638c7580 add iptables --flush to reset role 2017-03-22 11:10:24 +01:00
Matthew Mosesohn 8b0b500c89 Use checksum of dnsmasq config to trigger updates of dnsmasq 
Allows config changes made by Ansible to restart dnsmasq deployment
 2017-03-22 13:03:55 +03:00
Josh Lothian 5e2f78424f 1169 - fix docker systemd unit 
The docker-network environment file masks the new values
put into /etc/systemd/system/docker.service.d/flannel-options.conf
to renumber the docker0 to work correctly with flannel.
 2017-03-21 15:22:14 -05:00
Matthew Mosesohn 1887e984a0 Change wait for dnsmasq to skip if there are no kube-nodes in play 
Also changed unnecessary delay to a max timeout (now defaulting to 1s sleep
between tries)

Also rename play_hosts to ansible_play_hosts
 2017-03-21 18:55:22 +03:00
Matthew Mosesohn cd429d3654 Merge pull request #1159 from holser/etcd_backup_restore 
Backup etcd
 2017-03-21 13:07:44 +03:00
Matthew Mosesohn 0f64f8db90 Merge pull request #1155 from mattymo/helm 
Add helm deployment
 2017-03-20 17:00:06 +03:00
Sergii Golovatiuk c04a6254b9 Backup etcd data before restarting etcd 
etcd is crucial part of kubernetes cluster. Ansible restarts etcd on
reconfiguration. Backup helps operator to restore cluster manually in
case of any issues.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-03-20 14:50:52 +01:00
Matthew Mosesohn 939c1def5d Merge pull request #1152 from mattymo/redhat_weave 
Fix weave on RHEL deployment
 2017-03-19 16:45:20 +03:00
Matthew Mosesohn b7ab80e8ea Merge pull request #1149 from mattymo/centos-retries 
Retry yum/apt/rpm download commands
 2017-03-18 11:12:36 +03:00
Matthew Mosesohn b69d4b0ecc Add helm deployment 2017-03-17 20:24:41 +03:00
Matthew Mosesohn 7760c3e4aa Retry yum/apt/rpm download commands, fix succeeded filter 2017-03-17 18:56:26 +03:00
Matthew Mosesohn 3cfb76e57f Merge pull request #1146 from mattymo/resolvconf_optimize 
Condense resolvconf sources before starting loop
 2017-03-17 18:42:32 +03:00
Matthew Mosesohn e1faeb0f6c Fix weave on RHEL deployment 
Reduce retry delay checking weave
Always load br_netfilter module
 2017-03-17 18:17:47 +03:00
Matthew Mosesohn 25bff851dd Merge pull request #1136 from adidenko/fix-calico-policy-order 
Move calico-policy-controller into separate role
 2017-03-17 17:32:14 +03:00
Aleksandr Didenko 3a39904011 Move calico-policy-controller into separate role 
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
 2017-03-17 11:21:52 +01:00
Matthew Mosesohn a52064184e Condense resolvconf sources before starting loop 2017-03-17 13:06:56 +03:00
Matthew Mosesohn 0b49eeeba3 Update calico to 1.1.0-rc8 
Fixes bug in CentOS/RHEL in felix related to overlayfs driver.
 2017-03-16 19:23:36 +03:00
Matthew Mosesohn b0830f0cd7 Merge pull request #1087 from bradbeam/openstack 
Adding openstack domain id
 2017-03-16 17:53:14 +03:00
Matthew Mosesohn 565d4a53b0 Merge pull request #1108 from idcrook/issue_1107-docker-versioning 
Adding Docker CE 'stable' and 'edge' version packages
 2017-03-16 16:32:13 +03:00
Matthew Mosesohn 8195957461 Merge branch 'master' into idempotency2 2017-03-16 09:29:43 +03:00
Matthew Mosesohn 02fed4a082 Merge pull request #1138 from mattymo/idempotency-fixes 
Idempotency fixes for etcd certs and resolvconf tasks
 2017-03-16 09:20:28 +03:00
Matthew Mosesohn a422ad0d50 More idempotency fixes 
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
 2017-03-15 19:06:39 +03:00
Matthew Mosesohn 096d96e344 Merge pull request #1137 from holser/bug/1135 
Turn on iptables for flannel
 2017-03-15 17:06:42 +03:00
Matthew Mosesohn 4354162067 Merge pull request #1080 from VincentS/Granular_Auth_Control 
Granular authentication Control
 2017-03-15 13:12:51 +03:00
Matthew Mosesohn a62a444229 Merge pull request #1117 from mattymo/etcd3-upgrade 
Migrate k8s data to etcd3 api store
 2017-03-15 12:56:06 +03:00
Matthew Mosesohn f6b72fa830 Make resolvconf preinstall idempotent 2017-03-15 01:20:13 +04:00
Sergii Golovatiuk 9667e8615f Turn on iptables for flannel 
Closes: #1135
Closes: #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-03-14 17:54:55 +01:00
Vincent Schwarzer 026da060f2 Granular authentication Control 
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
 2017-03-14 16:57:35 +01:00
Matthew Mosesohn 3feab1cb2d Merge pull request #1134 from mattymo/1.6-support 
Explicitly set cni-bin-dir
 2017-03-14 17:53:08 +03:00
Matthew Mosesohn 804e9a09c0 Migrate k8s data to etcd3 api store 
Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data
 2017-03-14 17:50:20 +03:00
Matthew Mosesohn 4c6829513c Fix etcd idempotency 2017-03-14 17:23:29 +03:00
Matthew Mosesohn 4038954f96 Merge pull request #1078 from VincentS/oidc_support 
Added Support for OpenID Connect Authentication
 2017-03-14 12:07:21 +03:00
Matthew Mosesohn 52a6dd5427 Explicitly set cni-bin-dir 2017-03-13 20:13:21 +03:00
Matthew Mosesohn c301dd5d94 Merge pull request #1118 from mattymo/noderolelabels 
Add node labels in kubelet
 2017-03-13 19:04:21 +03:00
Cesarini, Daniele 69636d2453 Adding /O=system:masters to admin certificate 
Issue #1125. Make RBAC authorization plugin work out of the box.
"When bootstrapping, superuser credentials should include the system:masters group, for example by creating a client cert with /O=system:masters. This gives those credentials full access to the API and allows an admin to then set up bindings for other users."
 2017-03-08 14:42:25 +00:00
David Crook a52e1069ce updated debian and ubuntu package names based on testing 
docker-ce is not the .deb package until the repositories are switched over to new "downloads" docker webserver
 2017-03-06 16:54:39 -07:00
David Crook a8e5002aeb removed irrelevant comments 2017-03-06 16:02:53 -07:00
David Crook c515a351c6 Merge branch 'master' into issue_1107-docker-versioning 2017-03-06 16:00:31 -07:00
Brad Beam d04fbf3f78 Removing cloud_provider tag to fix scenario where cloud_provider is not defined 2017-03-06 10:52:38 -06:00
Matthew Mosesohn 54207877bd Add node labels in kubelet 
Related-issue: https://github.com/kubernetes/community/issues/300
Upgraded nodes do not obtain labels automatically.
See https://github.com/kubernetes/kubernetes/pull/29459 for more details.
 2017-03-06 17:18:42 +03:00
Vincent Schwarzer b075960e3b Added Support for OpenID Connect Authentication 
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
 2017-03-06 12:40:35 +01:00
Antoine Legrand 85596c2610 Merge pull request #1045 from bradbeam/vsphere 
Adding vsphere cloud provider support
 2017-03-06 12:34:05 +01:00
Antoine Legrand ee5f009b95 Merge pull request #1112 from mattymo/skip_vault_if_disabled 
Disable vault role properly on ansible 2.2.0
 2017-03-06 11:27:53 +01:00
Matthew Mosesohn 45274560ec Disable vault role properly on ansible 2.2.0 
when condition does not seem to work correctly at playbook
level for ansible 2.2.0.
 2017-03-05 00:43:01 +04:00
Matthew Mosesohn 02a8e78902 Remove standalone etcd specific play, cleanup host mode 
Now etcd role can optionally disable etcd cluster setup for faster
deployment when it is combined with etcd role.
 2017-03-04 00:34:26 +04:00
Matthew Mosesohn 8f3d9e93ce Merge pull request #1111 from mattymo/use_find_for_certs 
Use find module for checking for certificates
 2017-03-03 20:08:33 +03:00
Matthew Mosesohn d176818c44 Use find module for checking for certificates 
Also generate certs only when absent on master (rather than
when absent on target node)
 2017-03-03 16:21:01 +03:00
Bogdan Dobrelya aeec0f9a71 Merge pull request #1071 from vijaykatam/atomic_host 
Add support for atomic host
 2017-03-03 13:03:59 +01:00
Matthew Mosesohn 08a02af833 Merge pull request #1075 from VincentS/loadbalancer_aws 
Possibility to add Loadbalancers without static IP (e.g. AWS ELB) #1074
 2017-03-03 14:07:22 +03:00
David Crook 3f4a375ac4 first pass at adding 'stable' and 'edge' version packages 
- Only have ubuntu to test on
  - fedora and redhat are placeholders/guesses
  - the "old" package repositories seem to have the "new" CE version which is `1.13.1` based
- `docker-ce` looks like it is named as a backported `docker-engine` package in some
  places

- Did not change the `defaults` version anywhere, so should work as before
- Did not point to new package repositories, as existing ones have the new packages.
 2017-03-02 13:48:09 -07:00
Matthew Mosesohn 5ebc9a380c Merge pull request #1060 from holser/etcdv3 
Allow to specify etcd backend for kube-api
 2017-03-02 17:24:09 +03:00
Matthew Mosesohn 6453650895 Merge pull request #1093 from mattymo/scaledns 
Add autoscalers for dnsmasq and kubedns
 2017-03-02 16:58:56 +03:00
Matthew Mosesohn 9cb12cf250 Add autoscalers for dnsmasq and kubedns 
By default kubedns and dnsmasq scale when installed.
Dnsmasq is no longer a daemonset. It is now a deployment.
Kubedns is no longer a replicationcluster. It is now a deployment.
Minimum replicas is two (to enable rolling updates).

Reduced memory erquirements for dnsmasq and kubedns
 2017-03-02 13:44:22 +03:00
Vincent Schwarzer 68e8d74545 Changes based on feedback (additional ansible checks) 2017-03-02 11:04:10 +01:00
Vincent Schwarzer fc054e21f6 Modified how adding LB for the Kube API is handled (AWS) 
Until now it was not possible to add an API Loadbalancer
without an static IP Address. But certain Loadbalancers
like AWS Elastic Loadbalanacer dontt have an fixed IP address.
With this commit it is possible to add these kind of Loadbalancers
to the Kargo deployment.
 2017-03-02 11:04:10 +01:00
Matthew Mosesohn efbb5b2db3 Merge pull request #1101 from retr0h/docker-1.13.1 
Use docker-engine 1.13.1
 2017-03-02 12:31:58 +03:00
John Dewey a43569c8a5
Use docker-engine 1.13.1 
The default version of Docker was switched to 1.13 in #1059.  This
change also bumped ubuntu from installing docker-engine 1.13.0 to
1.13.1.  This PR updates os families which had 1.13 defined, but
were using 1.13.0.

The impetus for this change is an issue running tiller 1.2.3 on
docker 1.13.0.  See discussion [1][2].

[1] https://github.com/kubernetes/helm/issues/1838
[2] https://github.com/kubernetes-incubator/kargo/pull/1100
 2017-03-01 12:53:39 -08:00
Matthew Mosesohn a5cd73d047 Merge pull request #959 from galthaus/host-mode-restart 
Restart kube-controller for host_resolvconf mode
 2017-03-01 20:54:21 +03:00
Vijay Katam a0b1eda1d0 Add support for atomic host 
Updates based on feedback

Simplify checks for file exists

remove invalid char

Review feedback. Use regular systemd file.

Add template for docker systemd atomic
 2017-03-01 09:38:19 -08:00
Antoine Legrand 77e5171679 Merge pull request #1076 from VincentS/etcd_openssl_count_fix 
Fixed counter in ETCD Openssl.conf
 2017-03-01 14:17:27 +01:00
Bogdan Dobrelya 0c66418dad Merge pull request #1090 from artem-panchenko/calicoAcceptHostEndpointConnections 
Allow connections from pods to local endpoints
 2017-03-01 13:37:05 +01:00
Artem Panchenko fa05d15093 Allow connections from pods to local endpoints 
By default Calico blocks traffic from endpoints
to the host itself by using an iptables DROP
action. It could lead to a situation when service
has one alive endpoint, but pods which run on
the same node can not access it. Changed the action
to RETURN.
 2017-03-01 09:21:02 +02:00
Matthew Mosesohn cbaa6abdd0 Merge pull request #1066 from bradbeam/rkt-kubelet-cloudprovider 
Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service
 2017-02-28 20:02:56 +03:00
Sergii Golovatiuk 295103adc0 Allow to specify etcd backend for kube-api 
Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue uses it
until user decides to upgrade to v3.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-28 17:13:22 +01:00
Sergii Golovatiuk d31c040dc0 Change kube-api default port from 443 to 6443 
Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.

Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-28 15:45:35 +01:00
Brad Beam 8a63b35f44 Adding flag for docker container in kubelet w/ rkt 2017-02-28 07:55:12 -06:00
Brad Beam bfff06d402 Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service 2017-02-28 06:29:35 -06:00
Matthew Mosesohn 21d3d75827 Merge pull request #1086 from bradbeam/lowermem 
Lower default memory requests
 2017-02-28 13:37:28 +03:00
Brad Beam 30a9899262 Making openstack domain name optional 2017-02-27 21:19:27 -06:00
Xavier Lange dd10b8a27c Bug fix: support kilo's keystone requirement for domain-name, extracts from ENV var 2017-02-27 21:18:30 -06:00
Brad Beam dbf13290f5 Updating vsphere cloud provider support 2017-02-27 15:08:04 -06:00
Sergii Golovatiuk f9ff93c606 Make etcd data dir configurable. 
Closes: #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-27 21:35:51 +01:00
Jan Jungnickel df476b0088 Initial support for vsphere as cloud provider 2017-02-27 12:51:41 -06:00
Brad Beam 56664b34a6 Lower default memory requests 
This is to address out of memory issues on CI as well as help
fit deployments for people starting out with kargo on smaller
machines
 2017-02-27 10:53:43 -06:00
Vincent Schwarzer 0cbc3d8df6 Fixed counter in ETCD Openssl.conf 
When a apiserver_loadbalancer_domain_name is added to the Openssl.conf
the counter gets not increased correctly. This didnt seem to have an
effect at the current kargo version.
 2017-02-27 12:01:09 +01:00
Bogdan Dobrelya 27b4e61c9f Merge pull request #946 from neith00/master 
Using the command module instead of raw
 2017-02-27 10:59:53 +01:00
Bogdan Dobrelya 069606947c Merge pull request #1063 from bogdando/fix 
Align LB defaults with the HA docs
 2017-02-27 10:14:42 +01:00
Sergii Golovatiuk 00cfead9bb Increase SSL TTL to 3650 days 
In real scenarios 365 days is short period of time. 3650 days is good
enough for long running k8s environments
 2017-02-24 15:38:13 +01:00
Antoine Legrand c7d61af332 Comment all variables in group_vars 2017-02-23 14:02:57 +01:00
Antoine Legrand 5f7607412b Add default var role 2017-02-23 12:07:17 +01:00
Bogdan Dobrelya f2a4619c57 Align LB defaults with the HA docs 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-02-23 10:32:44 +01:00
Bogdan Dobrelya 712872efba Rework inventory all by real groups' vars 
* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-02-23 09:43:42 +01:00
Matthew Mosesohn 8cbf3fe5f8 Merge pull request #1020 from mattymo/synthscale 
Add synthetic scale deployment mode
 2017-02-22 19:15:46 +03:00
Matthew Mosesohn 02137f8cee Merge pull request #1059 from holser/docker_iptables 
iptables switch for docker
 2017-02-22 08:23:58 +03:00
Ivan Shvedunov 0006e5ab45 Fix shell special vars 2017-02-21 22:22:40 +03:00
Matthew Mosesohn d821448e2f Merge branch 'master' into synthscale 2017-02-21 22:17:43 +03:00
Sergii Golovatiuk 3bd46f7ac8 Switch docker to 1.13 
- Remove variable dup for Ubuntu
- Update Docker to 1.13
 2017-02-21 19:10:34 +01:00
Matthew Mosesohn 0afadb9149 Merge pull request #1046 from skyscooby/pedantic-syntax-cleanup 
Cleanup legacy syntax, spacing, files all to yml
 2017-02-21 17:03:16 +03:00
Matthew Mosesohn d4f15ab402 Merge pull request #1055 from mattymo/etcd-preupgrade-speedup 
speed up etcd preupgrade check
 2017-02-21 12:51:42 +03:00
Matthew Mosesohn 527e030283 Merge pull request #1058 from holser/update_calico_cni 
Update calico-cni to 1.5.6
 2017-02-20 23:09:47 +03:00
Matthew Mosesohn 042d094ce7 Merge pull request #1034 from rutsky/fix-openssl-lb-index 
fix load balancer DNS name index evaluation in openssl.conf
 2017-02-20 20:23:26 +03:00
Matthew Mosesohn 3cc1491833 Merge branch 'master' into pedantic-syntax-cleanup 2017-02-20 20:19:38 +03:00
Matthew Mosesohn d19e6dec7a speed up etcd preupgrade check 2017-02-20 20:18:10 +03:00
Sergii Golovatiuk a2cbbc5c4f Update calico-cni to 1.5.6 
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-20 17:14:45 +01:00
Abel Lopez 0bfc2d0f2f
Safe disable SELinux 
Sometimes, a sysadmin might outright delete the SELinux rpms and
delete the configuration. This causes the selinux module to fail
with
```
IOError: [Errno 2] No such file or directory: '/etc/selinux/config'\n",
"module_stdout": "", "msg": "MODULE FAILURE"}
```

This simply checks that /etc/selinux/config exists before we try
to set it Permissive.

Update from feedback
 2017-02-18 11:54:25 -08:00
Matthew Mosesohn 475a42767a Suppress logging for download image 
This generates too much output and during upgrade scenarios
can bring us over the 4mb limit.
 2017-02-18 19:10:26 +04:00
Matthew Mosesohn a21eb036ee Add no_log to cert tar tasks 
This works around 4MB limit for gitlab CI runner.
 2017-02-18 14:09:57 +04:00
Matthew Mosesohn 9c1701f2aa Add synthetic scale deployment mode 
New deploy modes: scale, ha-scale, separate-scale
Creates 200 fake hosts for deployment with fake hostvars.

Useful for testing certificate generation and propagation to other
master nodes.

Updated test cases descriptions.
 2017-02-18 14:09:55 +04:00
Andrew Greenwood fd17c37feb Regex syntax changes in yml mode 2017-02-17 17:30:39 -05:00
Andrew Greenwood cde5451e79 Syntax Bugfix 2017-02-17 17:08:44 -05:00
Andrew Greenwood ca9ea097df Cleanup legacy syntax, spacing, files all to yml 
Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks
Cleanup some spacing in various files
Rename some files named yaml to yml for consistancy
 2017-02-17 16:22:34 -05:00
Antoine Legrand b84cc14694 Merge pull request #1029 from mattymo/graceful 
Add graceful upgrade process
 2017-02-17 21:24:32 +01:00
Antoine Legrand e16ebcad6e Merge pull request #1042 from holser/fix_facts 
Fix fact tags
 2017-02-17 17:56:29 +01:00
Sergii Golovatiuk e91e58aec9 Fix fact tags 
Ansible playbook fails when tags are limited to "facts,etcd" or to
"facts". This patch allows to run ansible-playbook to gather facts only
that don't require calico/flannel/weave components to be verified. This
allows to run ansible with 'facts,bootstrap-os' or just 'facts' to
gether facts that don't require specific components.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-17 12:32:33 +01:00
Antoine Legrand 3629b9051d Merge pull request #1038 from rutsky/kubelet-mount-var-log 
Mount host's /var/log into kubelet container
 2017-02-17 10:26:12 +01:00
Antoine Legrand 4545114408 Merge pull request #1037 from mattymo/coreos_fix 
Fix references to CoreOS and Container Linux by CoreOS
 2017-02-17 10:21:14 +01:00
Vladimir Rutsky bff955ff7e Mount host's /var/log into kubelet container 
Kubelet is responsible for creating symlinks from /var/lib/docker to /var/log
to make fluentd logging collector work.
However without using host's /var/log those links are invisible to fluentd.

This is done on rkt configuration too.
 2017-02-16 22:31:05 +03:00
Matthew Mosesohn 80c0e747a7 Fix references to CoreOS and Container Linux by CoreOS 
Fixes #967
 2017-02-16 19:25:17 +03:00
Matthew Mosesohn 617edda9ba Adjust weave daemonset for serial deployment 2017-02-16 18:24:30 +03:00
Vladimir Rutsky 7ab04b2e73 fix typo in "kibana_base_url" variable name 
This typo lead to kibana_base_url being undefined and Kibana used
default base URL ("/") which is incorrect with default proxy-based
access.
 2017-02-16 18:17:06 +03:00
Matthew Mosesohn 97ebbb9672 Add graceful upgrade process 
Based on #718 introduced by rsmitty.

Includes all roles and all options to support deployment of
new hosts in case they were added to inventory.

Main difference here is that master role is evaluated first
so that master components get upgraded first.

Fixes #694
 2017-02-16 17:18:38 +03:00
Vladimir Rutsky a1ec6f401c fix load balancer DNS name index evaluation in openssl.conf 
Looks like OpenSSL still properly handles it, even with duplicated
"DNS.X" items.
 2017-02-16 00:16:13 +03:00
Matthew Mosesohn d92d955aeb Merge pull request #985 from rutsky/check-mode-for-shell-commands 
set "check_mode: on" for read-only "shell" steps that registers result
 2017-02-15 17:53:41 +03:00
Spencer Smith fbaef7e60f specify grace period for draining 2017-02-14 18:51:13 +03:00
Spencer Smith 017a813621 first cut of an upgrade process 2017-02-14 18:51:13 +03:00
Brad Beam 4c891b8bb0 Adding support for proxy w/ rkt kubelet 2017-02-14 08:09:49 -06:00
Matthew Mosesohn 948d9bdadb Merge pull request #1019 from mattymo/issue1011 
Update calico to v1.0.2
 2017-02-14 14:01:25 +03:00
Matthew Mosesohn b7258ec3bb Merge pull request #1013 from mattymo/remove_masqerade_all 
Disable kube_proxy_masquerade_all
 2017-02-14 14:00:29 +03:00
Antoine Legrand f4f730bd8a Merge pull request #1025 from holser/bug/961 
Install pip on Ubuntu
 2017-02-14 10:31:42 +01:00
Matthew Mosesohn f5e27f1a21 Merge pull request #1021 from holser/remove_deprecated 
Replace always_run with check_mode
 2017-02-14 11:25:58 +03:00
Matthew Mosesohn bb6415ddc4 Merge pull request #1015 from holser/rkt_ssl_ca_dirs 
Set ssl_ca_dirs for rkt based on fact
 2017-02-14 11:25:17 +03:00
Sergii Golovatiuk 2b6179841b Install pip on Ubuntu 
- Refactor 'Check if bootstrap is needed' as ansible loop. This allows
  to add new elements easily without refactoring. Add pip to the list.
- Refactor 'Install python 2.x' task to run once if any of rc
  codes != 0. Actually, need_bootstrap is array of hashes, so map will
  allow to get single array of rc statuses. So if status is not zero it
  will be sorted and the last element will be get, converted to bool.

Closes: #961
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-13 19:35:13 +01:00
Antoine Legrand e877cd2874 Merge pull request #1024 from holser/bug/961 
Install pip on Ubuntu
 2017-02-13 17:53:57 +01:00
Vladimir Rutsky 09847567ae set "check_mode: no" for read-only "shell" steps that registers result 
"shell" step doesn't support check mode, which currently leads to failures,
when Ansible is being run in check mode (because Ansible doesn't run command,
assuming that command might have effect, and no "rc" or "output" is registered).

Setting "check_mode: no" allows to run those "shell" commands in check mode
(which is safe, because those shell commands doesn't have side effects).
 2017-02-13 18:53:41 +03:00
Sergii Golovatiuk 732ae69d22 Install pip on Ubuntu 
Closes: #961
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-13 16:27:09 +01:00
Greg Althaus 2b10376339 When resolv.conf changes during host_resolvconf mode, we need to 
restart the controller to get the new file configuration.
I'm not fond of this form and would like a better way, but this
seems to "work".
 2017-02-13 09:20:02 -06:00
Matthew Mosesohn b5be335db3 Clean up dnsmasq purge task 2017-02-13 17:30:15 +03:00
Sergii Golovatiuk 5f4cc3e1de Replace always_run with check_mode 
always_run was deprecated in Ansible 2.2 and will be removed in 2.4
ansible logs contain "[DEPRECATION WARNING]: always_run is deprecated.
Use check_mode = no instead". This patch fix deprecation.
 2017-02-13 15:00:56 +01:00
Matthew Mosesohn ec567bd53c Update calico to v1.0.2 
Also calico-cni to v1.5.6, calico-policy to v0.5.2

Fixes: #1011
 2017-02-13 15:39:25 +03:00
Sergii Golovatiuk aeadaa1184 Set ssl_ca_dirs for rkt based on fact 
Since systemd kubelet.service has {{ ssl_ca_dirs }}, fact should be
gathered before writing kubelet.service.

Closes: #1007
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-13 13:28:29 +01:00
Matthew Mosesohn 2f0f0006e3 Merge pull request #988 from mattymo/feat/rolling3 
Add CI cases for testing upgrade from v2.0.1 release
 2017-02-10 18:09:43 +03:00
Matthew Mosesohn de047a2b8c Merge pull request #983 from vwfs/centos_kernel_upgrade 
Add kernel upgrade for CentOS
 2017-02-10 14:40:27 +03:00
Antoine Legrand 86a35652bb Merge pull request #1009 from mattymo/dnsmasq_updates 
Enable reset of dnsmasq if manifest or config changes
 2017-02-10 11:43:09 +01:00
Matthew Mosesohn 6ae70e03cb fixup upgrades for canal and weave 2017-02-10 13:27:41 +03:00
Matthew Mosesohn 2c532cb74d Disable kube_proxy_masquerade_all 
Fixes #1012
 2017-02-10 13:16:39 +03:00
Bogdan Dobrelya 89ae9f1f88 Merge pull request #1002 from code0x9/master 
use ansible sysctl module for config ip forwarding
 2017-02-10 10:40:18 +01:00
Alexander Block d2e010cbe1 Add kernel upgrade for CentOS 2017-02-10 09:29:12 +01:00
Matthew Mosesohn a44a0990f5 Enable reset of dnsmasq if manifest or config changes 2017-02-10 10:40:07 +04:00
Matthew Mosesohn 2f88c9eefe Merge pull request #989 from holser/kubelet_remedy 
Kubernetes Reliability Improvements
 2017-02-10 09:29:29 +03:00
Matthew Mosesohn 60f1936a62 Merge pull request #1004 from galthaus/kubelet-load-modules 
Allow kubelet to load kernel modules
 2017-02-10 09:28:16 +03:00
Sergii Golovatiuk c07d60bc90 Kubernetes Reliability Improvements 
- Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a
  chance of overcommitment
- Add a possibility to modify Kubelet node-status-update-frequency
- Add a posibility to configure node-monitor-grace-period,
  node-monitor-period, pod-eviction-timeout for Kubernetes controller
  manager
- Add Kubernetes Relaibility Documentation with recomendations for
  various scenarios.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-09 23:54:08 +01:00
Matthew Mosesohn 29fd957352 Enable weave upgrade from previous versions 
Raise readiness probe initial time to 60 (was 30)
 2017-02-09 21:39:31 +03:00
Matthew Mosesohn 0a7c6eb9dc Merge pull request #998 from mattymo/fix_upgrade_daemonsets 
Fix upgrade for all daemonset type resources
 2017-02-09 20:02:21 +03:00
Greg Althaus 3f0c13af8a Make kubelet_load_modules always present but false. 
Update code and docs for that assumption.
 2017-02-09 10:25:44 -06:00
Greg Althaus fcd78eb1f7 Due to the nsenter and other reworks, it appears that 
kubelet lost the ability to load kernel modules.  This
puts that back by adding the lib/modules mount to kubelet.

The new variable kubelet_load_modules can be set to true
to enable this item.  It is OFF by default.
 2017-02-09 10:02:26 -06:00
Matthew Mosesohn 17dfae6d4e Merge pull request #999 from holser/decrease_weave_ram_limits 
Lower weave RAM settings.
 2017-02-09 13:19:12 +03:00
Mark Lee e414c25fd7 follow sysctl.conf file symlink if linked 2017-02-09 18:16:52 +09:00
Mark Lee 34a71554ae use ansible sysctl module for config ip forwarding 2017-02-09 17:28:44 +09:00
Bogdan Dobrelya 3b1a196c75 Merge pull request #902 from insequent/master 
Adding vault role
 2017-02-09 09:24:52 +01:00
Bogdan Dobrelya 105dbf471e Merge pull request #993 from code0x9/master 
enable proxy support on docker repository
 2017-02-09 09:21:01 +01:00
Antoine Legrand 68df0d4909 Merge pull request #986 from vwfs/dnsmasq_system_nameservers 
Also add the system nameservers to upstream servers in dnsmasq
 2017-02-08 23:21:54 +01:00
Josh Conant 245e05ce61 Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Josh Conant f4ec2d18e5 Adding the Vault role 2017-02-08 21:31:28 +00:00
Sergii Golovatiuk 4124d84c00 Lower weave RAM settings. 
- Since Weave 1.8.x was rewritten in Golang we may decrease RAM settings
  to continue using g1-small for CI
 2017-02-08 18:50:36 +01:00
Matthew Mosesohn 3c713a3f53 Fix upgrade for all daemonset type resources 
Daemonsets cannot be simply upgraded through a single API call,
regardless of any kubectl documentation. The resource must be
purged and then recreated in order to make any changes.
 2017-02-08 18:16:00 +03:00
Alexander Block 89e570493a Also add the system nameservers to upstream servers in dnsmasq 
Also make no-resolv unconditional again. Otherwise, we may end up in
a resolver loop. The resolver loop was the cause for the piling up
parallel queries.
 2017-02-08 14:38:55 +01:00
Matthew Mosesohn 16674774c7 Merge pull request #994 from mattymo/docker_save 
Change docker save compress level to 1
 2017-02-08 15:13:15 +03:00
Matthew Mosesohn 0180ad7f38 Merge pull request #990 from mattymo/fix_cert_upgrade 
Fix check for node-NODEID certs existence
 2017-02-08 14:44:09 +03:00
Matthew Mosesohn bfd1ea1da1 Merge pull request #971 from bradbeam/efk 
Adding EFK logging stack
 2017-02-08 14:28:04 +03:00
Mark Lee 3eacd0c871 Update rh_docker.repo.j2 2017-02-08 20:03:51 +09:00
Matthew Mosesohn d587270293 Merge pull request #992 from vwfs/host_mount_dev 
Host mount /dev for kubelet
 2017-02-08 13:45:22 +03:00
Matthew Mosesohn 3eb13e83cf Change docker save compress level to 1 
Faster gzip improves CI deploy times by at least 2 mins.

Fixes #982
 2017-02-08 13:25:11 +03:00
Mark Lee df761713aa Merge branch 'master' of https://github.com/kubespray/kargo 2017-02-08 19:19:26 +09:00
Mark Lee de50f37fea enable proxy support on docker repository 2017-02-08 19:19:08 +09:00
Matthew Mosesohn bad6076905 Merge pull request #987 from mattymo/etcd-retune 
Re-tune ETCD performance params
 2017-02-08 13:00:25 +03:00
Bogdan Dobrelya c2bd76a22e Merge pull request #956 from adidenko/update-netchecker 
Update playbooks to support new netchecker
 2017-02-08 10:09:46 +01:00
Alexander Block 010fe30b53 Host mount /dev for kubelet 2017-02-08 09:55:51 +01:00
Matthew Mosesohn e5779ab786 Fix check for node-NODEID certs existence 
Fixes upgrade from pre-individual node cert envs.
 2017-02-07 21:06:48 +03:00
Matthew Mosesohn 71e14a13b4 Re-tune ETCD performance params 
Reduce election timeout to 5000ms (was 10000ms)
Raise heartbeat interval to 250ms (was 100ms)
Remove etcd cpu share (was 300)
Make etcd_cpu_limit and etcd_memory_limit optional.
 2017-02-07 20:15:14 +03:00
Matthew Mosesohn 491074aab1 Merge pull request #969 from mattymo/port_reserve 
Prevent dynamic port allocation in nodePort range
 2017-02-07 18:24:57 +03:00
Aleksandr Didenko 54af533b31 Update playbooks to support new netchecker 
Netchecker is rewritten in Go lang with some new args instead of
env variables. Also netchecker-server no longer requires kubectl
container. Updating playbooks accordingly.
 2017-02-07 15:20:34 +01:00
Matthew Mosesohn f3a0f73588 Prevent dynamic port allocation in nodePort range 
kube_apiserver_node_port_range should be accessible only
to kube-proxy and not be taken by a dynamic port allocation.

Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920
gets fixed.
 2017-02-06 20:01:16 +03:00
Sergii Golovatiuk 5122697f0b Improve Weave 
- Remove weave CPU limits from .gitlab-ci.yml. Closes: #975
- Fix weave version in documentation

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-06 13:24:40 +01:00
Antoine Legrand bd1c764a1a Merge pull request #963 from rutsky/bastion-ansible-host 
handle both 'ansible_host' and 'ansible_ssh_host' in bastion configration
 2017-02-04 15:42:39 -05:00
Brad Beam df3e11bdb8 Adding EFK logging stack 2017-02-03 16:27:08 -06:00
Bogdan Dobrelya 5a7a3f6d4a Merge pull request #949 from vmtyler/master 
Fixes Support for OpenStack v3 credentials
 2017-02-03 12:22:00 +01:00
Vladimir Rutsky b4327fdc99 handle both 'ansible_host' and 'ansible_ssh_host' in bastion configuration 
'absible_ssh_host' is deprecated in Ansible 2.0 and at least
'contrib/inventory_builder/inventory.py' uses 'ansible_host' instead.
 2017-02-02 18:34:53 +03:00
Matthew Mosesohn 10f924a617 Merge pull request #927 from holser/nsenter_fix 
Remove nsenter workaround
 2017-02-02 18:18:15 +03:00
Matthew Mosesohn 3dd6a01c8b Merge pull request #901 from galthaus/dns-tweak 
DHCP Hook protections
 2017-02-02 16:47:16 +03:00
Sergii Golovatiuk 585afef945 Remove nsenter workaround 
- Docker 1.12 and further don't need nsenter hack. This patch removes
  it.  Also, it bumps the minimal version to 1.12.

Closes #776

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-02-02 14:38:11 +01:00
Sergii Golovatiuk f2e4ffcac2 Fix weave-net after upgrade to 1.82 
- Set recommended CPU settings
- Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
- Limit DS creation to master
- Combined 2 tasks into one with better condition
 2017-02-02 10:31:58 +01:00
Matthew Mosesohn ae66b6e648 Merge pull request #957 from mattymo/weave-net-naming 
Rename weave-kube to weave-net
 2017-02-02 10:18:02 +03:00
Greg Althaus 923057c1a8 This continues the DHCP hook checks. Also protect the create side 
if the system doesn't have any config files at all.
 2017-01-31 09:56:27 -06:00
Matthew Mosesohn 0f6e08d34f Merge pull request #951 from mattymo/k8s-certs-scale 
Fix cert distribution at scale
 2017-01-31 18:49:26 +03:00
Matthew Mosesohn 4889a3e2e1 Merge pull request #954 from artem-panchenko/improve_dnsmasq 
Explicitly set config path for DNSMasq
 2017-01-31 18:48:46 +03:00
Matthew Mosesohn 39d87a96aa Rename weave-kube to weave-net 
Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
 2017-01-31 18:47:27 +03:00
Matthew Mosesohn 08822ec684 Fix cert distribution at scale 
Use stdin instead of bash args to pass node filenames and base64 data.
Use tempfile for master cert data
 2017-01-31 16:27:45 +03:00
Matthew Mosesohn 6463a01e04 Merge pull request #880 from bradbeam/weave-kube 
Weave kube
 2017-01-31 13:31:09 +03:00
Artem Panchenko 1418fb394b Explicitly set config path for DNSMasq 
When DNSMasq is configured to read its settings
from a folder ('-7' or '--conf-dir' option) it only
checks that the directory exists and doesn't fail if
it's empty. It could lead to a situation when DNSMasq
is running and handles requests, but not properly
configured, so some of queries can't be resolved.
 2017-01-31 12:14:57 +02:00
Matthew Mosesohn e4eda88ca9 Merge pull request #944 from tureus/skip-cloud-config-on-etcd 
Bugfix: skip cloud_config on etcd
 2017-01-30 20:12:36 +03:00
Brad Beam a11b9d28bd Upgrading weave to weave-kube 2017-01-27 17:05:25 -06:00
Brad Beam b54eb609bf Consolidating kube.py module 2017-01-27 11:28:11 -06:00
Tyler Britten f8ffa1601d Fixed for non-null output 2017-01-27 10:47:59 -05:00
Tyler Britten da01bc1fbb Updated OpenStack vars to check for tenant_id (v2) and project_id (v3) 2017-01-27 10:26:20 -05:00
neith00 bbc8c09753 Using the command module instead of raw 
Using the command module instead of raw.
Also fixed the syntax.
 2017-01-26 16:28:48 +01:00
Xavier Lange e5fdc63bdd Bugfix: skip cloud_config on etcd 2017-01-25 14:09:21 -08:00
Aleksandr Didenko 46c177b982 Switch to ansible_hostname in calico 
For consistancy with kubernetes services we should use the same
hostname for nodes, which is 'ansible_hostname'.

Also fixing missed 'kube-node' in templates, Calico is installed
on 'k8s-cluster' roles, not only 'kube-node'.
 2017-01-25 11:49:58 +01:00
Matthew Mosesohn f4b7474ade Merge pull request #926 from adidenko/fix-calico-rr-for-masters 
Fix calico-rr peering with k8s masters
 2017-01-24 12:38:52 +03:00
Alexander Block 9bf792ce0b Pin docker version on RedHat and CentOS to the desired version 2017-01-23 12:39:54 +01:00
Aleksandr Didenko f05aaeb329 Fix calico-rr peering with k8s masters 
Calico-rr is broken for deployments with separate k8s-master and
k8s-node roles. In order to fix it we should peer k8s-cluster
nodes with calico-rr, not just k8s-node. The same for peering
with routers.

Closes #925
 2017-01-23 10:19:09 +01:00
Matthew Mosesohn 8ce32eb3e1 Merge pull request #905 from galthaus/async-runs 
Add tasks to ensure that the first nodes have their directories for cert gen
 2017-01-19 18:32:27 +03:00
Matthew Mosesohn aae0314bda Merge pull request #904 from galthaus/nginx-port-config 
Add nginx local balancer port configuration variable
 2017-01-19 18:31:57 +03:00
Matthew Mosesohn 35d5248d41 Merge pull request #913 from galthaus/apps-master-only 
Ansible apps should only check for api-server running on the master.
 2017-01-19 18:30:58 +03:00
Matthew Mosesohn 0ccc2555d3 Merge pull request #917 from mattymo/rkt_resolvconf 
Fix setting resolvconf when using rkt deploy mode
 2017-01-19 18:30:21 +03:00
Matthew Mosesohn b26a711e96 Merge pull request #916 from mattymo/update_ansible 
Update Ansible to 2.2.1
 2017-01-19 18:13:45 +03:00
Matthew Mosesohn 2218a052b2 Merge pull request #921 from mattymo/docker113 
Add docker 1.13, update 1.12 to 1.12.6
 2017-01-19 18:13:21 +03:00
Matthew Mosesohn 33fbcc56d6 Add docker 1.13, update 1.12 to 1.12.6 
Fixes #903
 2017-01-19 13:58:36 +03:00
Sergii Golovatiuk 61d05dea58 Allow to specify number of concurrent DNS queries 
ndots creates overhead as every pod creates 5 concurrent connections
that are forwarded to sky dns. Under some circumstances dnsmasq may
prevent forwarding traffic with "Maximum number of concurrent DNS
queries reached" in the logs.

This patch allows to configure the number of concurrent forwarded DNS
queries "dns-forward-max" as well as "cache-size" leaving the default
values as they were before.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-01-19 11:47:37 +01:00
Matthew Mosesohn 8a821060a3 Update Ansible to 2.2.1 2017-01-19 13:46:46 +03:00
Greg Althaus 0d44599a63 Add explicit name printing in task names for deletgated task during 
cert creation
 2017-01-18 14:06:50 -06:00
Matthew Mosesohn b6c3e61603 Fix setting resolvconf when using rkt deploy mode 
rkt deploy mode doesn't create {{ bin_dir }}/kubelet, so
let's rely on kubelet.env file instad.
 2017-01-18 19:18:47 +03:00
Matthew Mosesohn 5420fa942e Merge pull request #897 from holser/flush_handlers_before_etcd 
Flush handlers before etcd restart
 2017-01-18 12:27:01 +03:00
Matthew Mosesohn 1ee33d3a8d Merge pull request #910 from mattymo/escape_curly 
Fix ansible 2.2.1 handling of registered vars
 2017-01-18 11:13:01 +03:00
Greg Althaus 61dab8dc0b Should only check for api-server running on the master. 
If this runs on other nodes, it will fail the playbook.
 2017-01-17 15:57:34 -06:00
Matthew Mosesohn b2a27ed089 Fix bash completion installation 2017-01-17 20:36:58 +03:00
Matthew Mosesohn d8ae50800a Work around escaping curly braces for docker inspect 2017-01-17 20:35:38 +03:00
Sergii Golovatiuk 43fa72b7b7 Flush handlers before etcd restart 
systemctl daemon-reload should be run before when task modifies/creates
union for etcd. Otherwise etcd won't be able to start

Closes #892

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-01-17 15:04:25 +01:00
Matthew Mosesohn 73204c868d Merge pull request #909 from mattymo/docker-upgrade 
Always trigger docker restart when docker package changes
 2017-01-17 11:37:42 +03:00
Matthew Mosesohn 74b78e75a1 Always trigger docker restart when docker package changes 
Docker upgrade doesn't auto-restart docker, causing failures
when trying to start another container
 2017-01-16 17:52:28 +03:00
Greg Althaus 6905edbeb6 Add a variable that defaults to kube_apiserver_port that defines 
the which port the local nginx proxy should listen on for HA
local balancer configurations.
 2017-01-14 23:38:07 -06:00
Greg Althaus 6c69da1573 This PR adds/or modifies a few tasks to allow for the playbook to 
be run by limit on each node without regard for order.

The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node.  This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.
 2017-01-14 23:24:34 -06:00
Greg Althaus 95bf380d07 If the inventory name of the host exceeds 63 characters, 
the openssl tools will fail to create signing requests because
the CN is too long.  This is mainly a problem when FQDNs are used
in the inventory file.

THis will truncate the hostname for the CN field only at the
first dot.  This should handle the issue for most cases.
 2017-01-13 10:02:23 -06:00
Matthew Mosesohn 80703010bd Use only one certificate for all apiservers 
https://github.com/kubernetes/kubernetes/issues/25063
 2017-01-13 14:03:20 +03:00
Bogdan Dobrelya e88c10670e Merge pull request #891 from galthaus/selinux-order 
preinstall fails on AWS CentOS7 image
 2017-01-13 11:51:18 +01:00
Alexander Block 1054f37765 Don't try to delete kargo specific config from dhclient when file does not exist 
Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.
 2017-01-13 10:56:10 +01:00
Greg Althaus f77257cf79 When running on CentOS7 image in AWS with selinux on, the order of 
the tasks fail because selinux prevents ip-forwarding setting.

Moving the tasks around addresses two issues.  Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.
 2017-01-12 10:12:21 -06:00
Bogdan Dobrelya f004cc07df Merge pull request #830 from mattymo/k8sperhost 
Generate individual certificates for k8s hosts
 2017-01-12 12:42:14 +01:00
Alexander Block a7bf7867d7 Add tasks to undo changes to hosts /etc/resolv.conf and dhclient configs 2017-01-11 16:56:16 +01:00
Matthew Mosesohn 3f274115b0 Generate individual certificates for k8s hosts 2017-01-11 12:58:07 +03:00
Matthew Mosesohn 3b0918981e Merge pull request #878 from bradbeam/rkt-cni 
Adding /opt/cni /etc/cni to rkt run kubelet
 2017-01-11 12:22:04 +03:00
Bogdan Dobrelya d8cef34d6c Merge pull request #872 from mattymo/bug868 
Bind nginx localhost proxy to localhost
 2017-01-10 17:09:25 +01:00
Brad Beam db8173da28 Adding /opt/cni /etc/cni to rkt run kubelet 2017-01-10 08:48:58 -06:00
Bogdan Dobrelya bcdfb3cfb0 Merge pull request #793 from kubernetes-incubator/fix_dhclientconf_path 
Fix wrong path of dhclient on CentOS+Azure
 2017-01-10 13:23:55 +01:00
Bogdan Dobrelya 79aeb10431 Merge pull request #858 from bradbeam/calicoctl-canal 
Misc updates for canal
 2017-01-10 12:24:59 +01:00
Matthew Mosesohn 38338e848d Merge pull request #860 from adidenko/fix-calico-rr-certs 
Fix etcd cert generation for calico-rr role
 2017-01-09 18:34:02 +03:00
Bogdan Dobrelya 10dbd0afbd Merge pull request #871 from mattymo/fix_system_search_domains 
Fix docker dns host scenario with no search domains
 2017-01-09 15:52:12 +01:00
Matthew Mosesohn e22f938ae5 Bind nginx localhost proxy to localhost 
This proxy should only be listening for local connections, not 0.0.0.0.

Fixes #868
 2017-01-09 17:19:54 +03:00
Matthew Mosesohn 1dce56e2f8 Fix docker dns host scenario with no search domains 
Fixes scenario where docker-dns.conf tries to create an empty
search entry
 2017-01-09 16:36:44 +03:00
Aleksandr Didenko d9539e0f27 Fix etcd cert generation for calico-rr role 
"etcd_node_cert_data" variable is undefinded for "calico-rr" role.
This patch adds "calico-rr" nodes to task where "etcd_node_cert_data"
variable is registered.
 2017-01-09 12:06:25 +01:00
Aleksandr Didenko 0909368339 Set latest stable versions for Calico images 
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.

Also removing images repo and tag duplication from netchecker role
 2017-01-09 12:05:49 +01:00
Bogdan Dobrelya 091b634ea1 Merge pull request #799 from kubernetes-incubator/docker_dns 
Implement "dockerd --dns-xxx" based dns mode
 2017-01-09 11:38:02 +01:00
Alexander Block a8b5b856d1 Only use default resolver in dnsmasq when we are using host_resolvconf mode 2017-01-06 10:21:07 +01:00
Alexander Block 1d2a18b355 Introduce dns_mode and resolvconf_mode and implement docker_dns mode 
Also update reset.yml to do more dns/network related cleanup.
 2017-01-05 23:38:51 +01:00
Spencer Smith 4a59340182 remove assertion for family not being CoreOS 2017-01-05 13:36:25 -05:00
Brad Beam cf042b2a4c Create network policy directory for canal 2017-01-05 10:54:27 -06:00
Brad Beam 65c86377fc Adding calicoctl to canal deployment 2017-01-05 10:54:27 -06:00
Bogdan Dobrelya 5af2c42bde Better fix for different CoreOS os family facts 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-01-05 16:32:08 +01:00
Bogdan Dobrelya f7447837c5 Rename CoreOS fact 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-01-05 14:02:29 +01:00
Bogdan Dobrelya 6546869c42 Merge branch 'master' into rkt 2017-01-05 10:34:18 +01:00
Brad Beam 4b6f29d5e1 Adding kubelet in rkt 2017-01-03 14:49:48 -06:00
Brad Beam 8dc19374cc Allowing etcd to run via rkt 2017-01-03 10:10:38 -06:00
Brad Beam a8f2af0503 Adding initial rkt support 2017-01-03 10:08:43 -06:00
Bogdan Dobrelya d8a2941e9e Fix cert paths for flannel/calico policy apps 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-01-03 16:12:54 +01:00
Alexander Block ab7df10a7d Upgrade docker version and do some cleanups for unsupported distros/docker versions 2017-01-02 18:05:50 +01:00
Bogdan Dobrelya 93663e987c Merge pull request #847 from bogdando/bug_769 
Fix etc hosts for cluster nodes
 2017-01-02 17:47:23 +01:00
Bogdan Dobrelya 97f96a6376 Fix etc hosts for cluster nodes 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-01-02 13:20:51 +01:00
Bogdan Dobrelya 58062be2a3 Drop non systemd OS types support 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-01-02 12:14:03 +01:00
Matthew Mosesohn 1f9f885379 Fix etcd cert generation to support large deployments 
Due to bash max args limits, we should pass all node filenames and
base64-encoded tar data through stdin/stdout instead.

Fixes #832
 2016-12-30 12:55:26 +03:00
Bogdan Dobrelya a56d9de502 Systemd units, limits, and bin path fixes 
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-28 15:49:42 +01:00
Matthew Mosesohn f0c0390646 Fix creation and sync of etcd certs 
Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync
 2016-12-28 14:21:17 +04:00
Matthew Mosesohn e7a1949d85 Merge pull request #818 from mattymo/calico-rr-certs 
Fix calico-rr to use etcd certs instead of kube certs
 2016-12-28 08:47:16 +03:00
Matthew Mosesohn 6d9cd2d720 Fix calico-rr to use etcd certs instead of kube certs 2016-12-27 17:04:50 +03:00
Bogdan Dobrelya 79996b557b Rework ignore_errors to report no reds 
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2016-12-27 13:00:50 +01:00
Bogdan Dobrelya bb0c3537cb Do not forward bogus domains for upstream resolvers 
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-23 11:53:14 +01:00
Matthew Mosesohn 385f7f6e75 Update etcd.j2 2016-12-22 22:29:24 +03:00
Matthew Mosesohn 9f1e3db906 Adjust etcd server certificates 
ETCD doesn't need cert/key options set. It only requires peer
cert options.
 2016-12-22 23:05:17 +04:00
Spencer Smith b63d900625 Workaround etcdctl not yet being installed (#797) 
workaround case for etcdctl not yet being installed, only allow for return code of 0 (no error)
 2016-12-22 12:41:38 -05:00
Matthew Mosesohn a4bce333a3 Merge pull request #760 from genti-t/issue-748-flannel-options 
Fix Flannel network on CoreOS
 2016-12-22 19:02:31 +03:00
Genti Topija 7c2785e083 Fix Flannel network on CoreOS 
Resolves: #748
 2016-12-22 16:50:04 +01:00
Matthew Mosesohn ad796d188d Individual etcd ssl certs 
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
 2016-12-22 13:31:11 +03:00
Bogdan Dobrelya de8cd5cd7f Merge pull request #786 from mattymo/bug777 
Add wait for kube-apiserver to kubernetes-apps
 2016-12-22 11:02:50 +01:00
Alexander Block 8e4e3998dd Fix wrong path of dhclient on CentOS+Azure 
This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.
 2016-12-21 21:51:07 +01:00
Spencer Smith 8d9f207836 create systemd drop-in path if not existent 2016-12-21 13:06:12 -05:00
Bogdan Dobrelya f10d1327d4 Revert "Do not forward private domains for upstream resolvers" 2016-12-21 15:24:17 +01:00
Matthew Mosesohn d314174149 Add wait for kube-apiserver to kubernetes-apps 
Fixes #777
 2016-12-21 15:39:39 +03:00
Bogdan Dobrelya b8bc8eee41 Add download_always_pull check and sha256 for docker images 
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-20 17:02:09 +01:00
Bogdan Dobrelya 11380769cd Merge pull request #722 from bogdando/dnsmasq_armors 
Do not forward private domains for upstream resolvers
 2016-12-20 14:25:17 +01:00
Bogdan Dobrelya 843d439898 Merge pull request #775 from kubernetes-incubator/register_master 
Register master node as unschedulable
 2016-12-20 14:17:55 +01:00
Bogdan Dobrelya c1e4cef75b Merge pull request #774 from kubernetes-incubator/ant31-patch-2 
check if calico_peer_rr is defined
 2016-12-19 18:19:03 +01:00
Matthew Mosesohn 348fc5b109 Fix etcd to-SSL upgrade and task register vars 2016-12-19 15:05:49 +03:00
Bogdan Dobrelya 101864c050 Do not forward private domains for upstream resolvers 
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
 2016-12-19 11:01:41 +01:00
Alexander Block fe150d4e4d Register master node as unschedulable 
Also refactor generation of kubelet args to not repeat args.
 2016-12-19 10:47:43 +01:00
Antoine Legrand 048ac264a3 Update main.yml 2016-12-17 20:22:39 +01:00
Antoine Legrand 768fe05eea Merge pull request #704 from vwfs/bastion_hosts 
Add support for bastion hosts
 2016-12-17 12:08:49 +01:00
Antoine Legrand 1c48a001df Merge pull request #763 from bogdando/resolver_fallback 
Fallback to default resolver if no nameservers
 2016-12-17 12:03:41 +01:00
Antoine Legrand a7276901a3 Merge pull request #766 from kubernetes-incubator/docker12point5 
Update docker to 1.12.5
 2016-12-17 11:55:06 +01:00
Bogdan Dobrelya 1782d19e1f Fallback to default resolver if no nameservers 
Current design expects users to define at least one
nameserver in the nameservers var to backup host OS DNS config
when the K8s cluster DNS service IP is not available and hosts
still have to resolve external or intranet FQDNs.

Fix undefined nameservers to fallback to the default_resolver.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-16 14:51:34 +01:00
Bogdan Dobrelya e2476fbd0b Revert "Fix wrong path for dhclient.conf on RedHat/CentOS" 2016-12-16 14:49:26 +01:00
Matthew Mosesohn 07cd81ef58 Update docker to 1.12.5 
Note the new ubuntu/debian version string change:
https://github.com/docker/docker/issues/29355
 2016-12-16 16:30:46 +03:00
Bogdan Dobrelya 92f542938c Merge pull request #745 from kubernetes-incubator/fix_weave_start 
Fix weave restart after docker daemon restart
 2016-12-16 14:06:48 +01:00
Matthew Mosesohn 495d0b659a Fix weave restart after docker daemon restart 2016-12-16 14:15:22 +03:00
Antoine Legrand a2f8f17270 Merge pull request #757 from kubernetes-incubator/issue754 
Add dns_domain for each host to /etc/hosts
 2016-12-15 21:42:59 +01:00
Bogdan Dobrelya 0e2329b59e Merge pull request #755 from kubernetes-incubator/fix_dhclientconf_path 
Fix wrong path for dhclient.conf on RedHat/CentOS
 2016-12-15 19:08:31 +01:00
Bogdan Dobrelya 70143d87bf Merge pull request #746 from kubernetes-incubator/etcd_ssl_upgrade_fix 
Fix etcd member list when upgrading ETCD from an old version
 2016-12-15 12:31:34 +01:00
Matthew Mosesohn 68ad4ff4d9 Add dns_domain for each host to /etc/hosts 
Fixes #754
 2016-12-15 13:34:59 +04:00
Bogdan Dobrelya 725f9ea3bd Merge pull request #749 from kubernetes-incubator/azure_ip_forward 
Set net.ipv4.ip_forward=1 on all systems, not only on GCE
 2016-12-15 10:19:43 +01:00
Alexander Block a9684648ab Fix wrong path for dhclient.conf on RedHat/CentOS 
/etc/dhclient.conf is ignored on RedHat/CentOS
Correct location is /etc/dhcp/dhclient.conf
 2016-12-15 10:11:16 +01:00
Matthew Mosesohn 9cc73bdf08 Fix etcd member list when upgrading ETCD from an old version 2016-12-15 12:00:45 +04:00
Bogdan Dobrelya 114ab5e4e6 Merge pull request #721 from adidenko/calico-add-rr 
Add calico/routereflector support
 2016-12-14 17:22:00 +01:00
Smaine Kahlouch 29874baf8a Merge pull request #708 from vwfs/cloud_network 
Add support for cloud-provider based networking
 2016-12-14 16:23:20 +01:00
Alexander Block 81317505eb Set net.ipv4.ip_forward=1 on all systems, not only on GCE 2016-12-14 15:08:13 +01:00
Aleksandr Didenko d57c27ffcf Add calico/routereflector support 
Add BGP route reflectors support in order to optimize BGP topology
for deployments with Calico network plugin.

Also bump version of calico/ctl for some bug fixes.
 2016-12-14 13:44:10 +01:00
Alexander Block d50eb60827 Add --reconcile-cidr flag to kubelet to support cloud network plugin in 1.4 2016-12-13 17:30:10 +01:00
Alexander Block dbd9aaf1ea Add check for azure_route_table_name and add it to all.yml 2016-12-13 17:30:10 +01:00
Alexander Block d20d5e648f Add pseudo network plugin called "cloud" to use cloud provider for network 
Allow to let the cloud provider configure proper routing for nodes.
 2016-12-13 17:30:10 +01:00
Alexander Block 06584ee3aa Add support for bastion hosts 2016-12-13 17:29:47 +01:00
Antoine Legrand 26e3142c95 Merge branch 'master' into standalone_kubelet 2016-12-13 17:26:21 +01:00
Alexander Block 665ce82d71 Move kube_version to group_vars/all to allow easier changing of version 
Also allows to perform version dependent logic in Ansible roles.
 2016-12-13 17:21:00 +01:00
Alexander Block 444b1dafdc Pass --anonymous-auth to apiserver 
Fixes #732
 2016-12-13 17:06:53 +01:00
Bogdan Dobrelya d6174b22e9 Merge pull request #731 from bogdando/fix_resolvconf 
Fix resolvconf
 2016-12-13 16:48:37 +01:00
Bogdan Dobrelya c75f394707 Address standalone kubelet config case 
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-13 16:35:53 +01:00
Bogdan Dobrelya 0515814e0c Fix resolvconf 
Do not repeat options and nameservers in the dhclient hooks.
Do not prepend nameservers for dhclient but supersede and fail back
to the upstream_dns_resolvers then default_resolver. Fixes order of
nameservers placement, which is cluster DNS ip goes always first.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-13 15:48:53 +01:00
Alexander Block 1cfaf927c9 Fix reverse umount in reset role 
The Jinja2 filter 'reverse' returned an iterator instead of a list,
resulting in the umount task to fail.

Intead of using the reverse filter, we use 'tac' to reverse the output
of the previous task.
 2016-12-13 14:21:24 +01:00
Bogdan Dobrelya 45135ad3e4 Merge pull request #705 from vwfs/centos7-azure 
Better support for CentOS 7 on Azure
 2016-12-13 10:36:58 +01:00
Bogdan Dobrelya 4e721bfd9d Merge pull request #667 from bogdando/fix_dns 
Rework DNS stack to meet hostnet pods needs
 2016-12-12 21:38:13 +01:00
Bogdan Dobrelya f52ed9f91e Update main.yml 2016-12-12 21:37:16 +01:00
Bogdan Dobrelya 3117858dcd Rework DNS stack to meet hostnet pods needs 
* For Debian/RedHat OS families (with NetworkManager/dhclient/resolvconf
  optionally enabled) prepend /etc/resolv.conf with required nameservers,
  options, and supersede domain and search domains via the dhclient/resolvconf
  hooks.

* Drop (z)nodnsupdate dhclient hook and re-implement it to complement the
  resolvconf -u command, which is distro/cloud provider specific.
  Update docs as well.

* Enable network restart to apply and persist changes and simplify handlers
  to rely on network restart only. This fixes DNS resolve for hostnet K8s
  pods for Red Hat OS family. Skip network restart for canal/calico plugins,
  unless https://github.com/projectcalico/felix/issues/1185 fixed.

* Replace linefiles line plus with_items to block mode as it's faster.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
 2016-12-12 17:43:47 +01:00
Alexander Block 5176e5c968 Make growpart only run on Azure 2016-12-12 14:14:22 +01:00
Bogdan Dobrelya 774f4dbbf7 Merge branch 'master' into tags_download 2016-12-12 11:44:00 +01:00
Matthew Mosesohn b1e852a785 Merge pull request #707 from vwfs/reset_playbook 
Add playbook and role to reset the cluster
 2016-12-12 12:43:00 +03:00
Alexander Block 9fd14cb6ea Add growpart role to allow growing the root partition on CentOS 
At least the OS images from Azure do not grow the root FS automatically.
 2016-12-12 09:55:28 +01:00
Alexander Block 4e34803b1e Disable fastestmirror on CentOS 
It actually slows down things dramatically when used in combination
with Ansible.
 2016-12-12 09:54:39 +01:00
Alexander Block 7abcf6e0b9 Remove requiretty from sudoers to actually make pipelining work 
Some systems (e.g. CentOS on Azure) have requiretty in sudoers which makes
pipelining fail.
 2016-12-12 09:54:39 +01:00
Matthew Mosesohn e5ad0836bc Merge pull request #713 from kubernetes-incubator/bump_kubedns 
Bump kubedns version to 1.9
 2016-12-10 11:08:42 +03:00
Bogdan Dobrelya 2c50f20429 Merge pull request #696 from bogdando/intranet_dns 
Preconfigure dns stack early
 2016-12-09 21:46:03 +01:00
Bogdan Dobrelya a15d626771 Preconfigure DNS stack and docker early 
In order to enable offline/intranet installation cases:
* Move DNS/resolvconf configuration to preinstall role. Remove
  skip_dnsmasq_k8s var as not needed anymore.

* Preconfigure DNS stack early, which may be the case when downloading
  artifacts from intranet repositories. Do not configure
  K8s DNS resolvers for hosts /etc/resolv.conf yet early (as they may be
  not existing).

* Reconfigure K8s DNS resolvers for hosts only after kubedns/dnsmasq
  was set up and before K8s apps to be created.

* Move docker install task to early stage as well and unbind it from the
  etcd role's specific install path. Fix external flannel dependency on
  docker role handlers. Also fix the docker restart handlers' steps
  ordering to match the expected sequence (the socket then the service).

* Add default resolver fact, which is
  the cloud provider specific and remove hardcoded GCE resolver.

* Reduce default ndots for hosts /etc/resolv.conf to 2. Multiple search
  domains combined with high ndots values lead to poor performance of
  DNS stack and make ansible workers to fail very often with the
  "Timeout (12s) waiting for privilege escalation prompt:" error.

* Update docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-09 17:30:55 +01:00
Bogdan Dobrelya fd9b26675e More granular control for download/upload images/binaries 
Add upload tag allow users to exclude distributing images across nodes
when running with the download tag set.
Add related tags and update docs as well.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-09 17:04:55 +01:00
Alexander Block eb33f085b6 Changes according to code review 2016-12-09 16:33:10 +01:00
Matthew Mosesohn 459bee6d2c Bump kubedns version to 1.9 
Version 1.9 has reduced verbosity for federation dns queries
which flood container logs.
 2016-12-09 17:57:54 +03:00
Alexander Block 8a5ba6b20c Use proper style (spacing) for docker_storage_options 2016-12-09 13:56:56 +01:00
Alexander Block c3ec3ff902 Allow to specify docker storage driver 2016-12-09 13:56:56 +01:00
Bogdan Dobrelya 7897c34ba3 Merge pull request #700 from bogdando/tags 
Add tags
 2016-12-09 13:23:56 +01:00
Bogdan Dobrelya 8cc84e132a Add tags 
Add tags to allow more granular tasks filtering.
Add generator script for MD formatted tags found.
Add docs for tags how-to.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-09 12:14:28 +01:00
Alexander Block 00ad151186 Add playbook and role to reset the cluster 
This deletes everything related to the cluster and allows to start from
scratch.
 2016-12-09 11:15:36 +01:00
Aleksandr Didenko ee8d6ab4fc Convert docker_versioned_pkg dict keys to string 
This will allow to use '-e docker_version=1.12' in ansible playbook
execution. It's also backward-compatible and will work with floating
docker_version format in custom yaml files.

Closes #702
 2016-12-09 09:17:36 +01:00
Matthew Mosesohn a80745b5bd Merge pull request #668 from bodepd/etcd_access_address 
Use etcd host ip instead of hostname to build etcd_access_addresses
 2016-12-09 07:54:12 +03:00
Bogdan Dobrelya 710d5ae48e Merge pull request #691 from adidenko/calico-old-cni-fix 
Fix possible problems with legacy calicoctl
 2016-12-08 12:00:08 +01:00
Dan Bode eec2ed5809 Allow etcd_access_addresses to be more flexible 
The variale etcd_access_addresses is used to determine
how to address communication from other roles to
the etcd cluster.

It was set to the address that ansible uses to
connect to instance ({{ item }})s and not the
the variable:
  ip_access
which had already been created and could already
be overridden through the access_ip variable.

This change allows ansible to connect to a machine using
a different address than the one used to access etcd.
 2016-12-07 10:33:15 -08:00
Matthew Mosesohn bfc9bcb8c7 Force hardlink for calico/canal certs 
Fixes: #669
 2016-12-07 19:03:22 +03:00
Bogdan Dobrelya 8eb26c21be Merge pull request #692 from bogdando/gce_fixes 
Change GCE sysctls placement and docs
 2016-12-07 16:17:30 +01:00
Bogdan Dobrelya f0f2b81276 Change GCE sysctls placement and docs 
Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of
the /etc/sysctl.d/11-gce-network-security.conf. It is recreated
by GCE, f.e. if gcloud CLI invokes some security related changes,
thus losing customizations we want to be persistent.

Update cloud providers firewall requirements in calico docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
 2016-12-07 12:53:45 +01:00
Aleksandr Didenko c9290182be Fix possible problems with legacy calicoctl 
When running legacy calicoctl we do not specify calico hostname in
calico-node container thus we should not specify it in CNI config.

Also move 'legacy_calicoctl' set_fact task to the top.
 2016-12-07 12:26:44 +01:00
fen4o 246c8209c1 add cluster-signing to kube-controller-manager 
kube-controller-manager's cluster signing cert and key points by default to not
existing `/etc/kubernetes/ca/ca.pem` and `/etc/kubernetes/ca/ca.key` [docs][1]

[1]: http://kubernetes.io/docs/admin/kube-controller-manager/#options
 2016-12-07 11:20:18 +02:00
Bogdan Dobrelya 36fe2cb5ea Merge pull request #584 from chadswen/docker-options-refactor 
Docker Options Refactor
 2016-12-07 07:57:53 +01:00
Bogdan Dobrelya 9d6cc3a8d5 Merge pull request #684 from adidenko/fix-calico-peering 
Calico: fix peering with routers for new version
 2016-12-06 22:42:02 +01:00
Spencer Smith 8870178a2d Merge pull request #627 from kubernetes-incubator/issue-626 
add restart flag for docker run kubelet
 2016-12-06 08:47:18 -08:00
Aleksandr Didenko b0079ccd77 Calico: fix peering with routers for new version 
In new `calicoctl` version nodes peering with routers is broken.
We need to use predictable node names for calico-node and the
same names in calico `bgpPeer` resources and CNI.
 2016-12-06 17:17:39 +01:00
Bogdan Dobrelya 2c1db56213 Merge pull request #678 from adidenko/update-calico-unit 
Update calico-node systemd unit
 2016-12-06 13:51:37 +01:00
Aleksandr Didenko f1d7af11ee Update calico-node systemd unit 
New calicoctl does not support --detach=false option, so we should
use a recommended way to run calico-node service:
http://docs.projectcalico.org/v2.0/usage/configuration/as-service

Closes #674, #675
 2016-12-06 11:34:12 +01:00