C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
2138 commits 17 branches 66 tags 141 MiB
Commit graph

1262 commits

Author SHA1 Message Date
Chad Swenson
e26aec96b0 Consolidate kube-proxy module and sysctl loading (#1586) 
This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
 2017-09-06 15:11:51 +03:00
Sam Powers
c60d104056 Update checksums (etcd calico calico-cni weave) to fix uploads.yml (#1584) 
the uploads.yml playbook was broken with checksum mismatch errors in
various kubespray commits, for example, 3bfad5ca73
which updated the version from 3.0.6 to 3.0.17 without updating the
corresponding checksums.
 2017-09-06 15:11:13 +03:00
Oliver Moser
e6ff8c92a0 Using 'hostnamectl' to set unconfigured hostname on CoreOS (#1600) 2017-09-06 15:10:52 +03:00
Chad Swenson
cbaa2b5773 Retry Remove all Docker containers in reset (#1623) 
Due to various occasional docker bugs, removing a container will sometimes fail. This can often be mitigated by trying again.
 2017-09-06 14:23:16 +03:00
Matthieu
0453ed8235 Fix an error with Canal when RBAC are disabled (#1619) 
* Fix an error with Canal when RBAC are disabled

* Update using same rbac strategy used elsewhere
 2017-09-06 11:32:32 +03:00
Brad Beam
a341adb7f3 Updating CN for node certs generated by vault (#1622) 
This allows the node authorization plugin to function correctly
 2017-09-06 10:55:08 +03:00
mkrasilnikov
957b7115fe Remove node name from kube-proxy and admin certificates 2017-09-05 14:40:26 +03:00
mkrasilnikov
b930b0ef5a Place vault role credentials only to vault group hosts 2017-09-05 11:16:18 +03:00
mkrasilnikov
ad313c9d49 typo fix 2017-09-05 09:07:36 +03:00
mkrasilnikov
e1384f6618 Using issue cert result var instead hostvars 2017-09-05 09:07:36 +03:00
mkrasilnikov
3acb86805b Rename vault_address to vault_bind_address 2017-09-05 09:07:35 +03:00
mkrasilnikov
bf0af1cd3d Vault role updates: 
* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;
 2017-09-05 09:07:35 +03:00
ArthurMa
c77d11f1c7 Bugfix (#1616) 
lost executable path
 2017-09-05 08:35:14 +03:00
Matthew Mosesohn
d279d145d5 Fix non-rbac deployment of resources as a list (#1613) 
* Use kubectl apply instead of create/replace

Disable checks for existing resources to speed up execution.

* Fix non-rbac deployment of resources as a list

* Fix autoscaler tolerations field

* set all kube resources to state=latest

* Update netchecker and weave
 2017-09-05 08:23:12 +03:00
Matthew Mosesohn
fc7905653e Add socat for CoreOS when using host deploy kubelet (#1575) 2017-09-04 11:30:18 +03:00
Matthew Mosesohn
660282e82f Make daemonsets upgradeable (#1606) 
Canal will be covered by a separate PR
 2017-09-04 11:30:01 +03:00
Matthew Mosesohn
77602dbb93 Move calico to daemonset (#1605) 
* Drop legacy calico logic

* add calico as a daemonset
 2017-09-04 11:29:51 +03:00
Matthew Mosesohn
a3e6896a43 Add RBAC support for canal (#1604) 
Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
Added rbac for calico policy controller
 2017-09-04 11:29:40 +03:00
Dann
702ce446df Apply ClusterRoleBinding to dnsmaq when rbac_enabled (#1592) 
* Add RBAC policies to dnsmasq

* fix merge conflict

* yamllint

* use .j2 extension for dnsmasq autoscaler
 2017-09-03 10:53:45 +03:00
Brad Beam
8ae77e955e Adding in certificate serial numbers to manifests (#1392) 2017-09-01 09:02:23 +03:00
sgmitchell
783924e671 Change backup handler to only run v2 data backup if snap directory exists (#1594) 2017-08-31 18:23:24 +03:00
Julian Poschmann
93304e5f58 Fix calico leaving service behind. (#1599) 2017-08-31 12:00:05 +03:00
Brad Beam
917373ee55 Merge pull request #1595 from bradbeam/cacerts 
Fixing CA certificate locations for k8s components
 2017-08-30 21:31:19 -05:00
Brad Beam
7a98ad50b4 Fixing CA certificate locations for k8s components 2017-08-30 15:30:40 -05:00
Brad Beam
982058cc19 Merge pull request #1514 from vijaykatam/docker_systemd 
Configurable docker yum repos, systemd fix
 2017-08-30 11:50:23 -05:00
Oliver Moser
576beaa6a6 Include /opt/bin in PATH for host deployed kubelet on CoreOS (#1591) 
* Include /opt/bin in PATH for host deployed kubelet on CoreOS

* Removing conditional check for CoreOS
 2017-08-30 16:50:33 +03:00
Maxim Krasilnikov
6eb22c5db2 Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) 
* Added update CA trust step for etcd and kube/secrets roles

* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.

* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.

* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.

* Fixed different certificates set for vault cert_managment

* Update doc/vault.md

* Fixed condition create vault CA, wrong group

* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts

* Removed wrong when condition in create etcd role vault tasks.
 2017-08-30 16:03:22 +03:00
Brad Beam
72a0d78b3c Merge pull request #1585 from mattymo/canal_upgrade 
Fix upgrade for canal and apiserver cert
 2017-08-29 18:45:21 -05:00
Matthew Mosesohn
13d08af054 Fix upgrade for canal and apiserver cert 
Fixes #1573
 2017-08-29 22:08:30 +01:00
Eric Hoffmann
6c30a7b2eb update calico version 
update calico releases link
 2017-08-28 16:23:51 -07:00
Matthew Mosesohn
76b72338da Add CNI config for rkt kubelet (#1579) 2017-08-28 21:11:01 +03:00
Chad Swenson
a39e78d42d Initial version of Flannel using CNI (#1486) 
* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI
* Removes old Flannel installation
* Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host
* Uses RBAC if enabled
* Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set
 2017-08-25 10:07:50 +03:00
Brad Beam
4550dccb84 Fixing reference to vault leader url (#1569) 2017-08-24 23:21:39 +03:00
Hassan Zamani
01ce09f343 Add feature_gates var for customizing Kubernetes feature gates (#1520) 2017-08-24 23:18:38 +03:00
Brad Beam
71dca67ca2 Merge pull request #1508 from tmjd/update-calico-2-4-0 
Update Calico to 2.4.1 release.
 2017-08-24 14:57:29 -05:00
Yuki KIRII
a98b866a66 Verify if br_netfilter module exists (#1492) 2017-08-24 17:47:32 +03:00
Xavier Mehrenberger
3aabba7535 Remove discontinued option --reconcile-cidr if kube_network_plugin=="cloud" (#1568) 2017-08-24 17:01:30 +03:00
Mohamed Mehany
c22cfa255b Added private key file to ssh bastion conf (#1563) 
* Added private key file to ssh bastion conf

* Used regular if condition insted of inline conditional
 2017-08-24 17:00:45 +03:00
Matthew Mosesohn
6bb3463e7c Enable scheduling of critical pods and network plugins on master 
Added toleration to DNS, netchecker, fluentd, canal, and
calico policy.

Also small fixes to make yamllint pass.
 2017-08-24 10:41:17 +01:00
Brad Beam
8b151d12b9 Adding yamllinter to ci steps (#1556) 
* Adding yaml linter to ci check

* Minor linting fixes from yamllint

* Changing CI to install python pkgs from requirements.txt

- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements
 2017-08-24 12:09:52 +03:00
Ian Lewis
ecb6dc3679 Register standalone master w/ taints (#1426) 
If Kubernetes > 1.6 register standalone master nodes w/ a
node-role.kubernetes.io/master=:NoSchedule taint to allow
for more flexible scheduling rather than just marking unschedulable.
 2017-08-23 16:44:11 +03:00
riverzhang
49a223a17d Update elrepo-release rpm version (#1554) 2017-08-23 09:54:51 +03:00
Brad Beam
e5cfdc648c Adding ability to override max ttl (#1559) 
Prior this would fail because we didnt set max ttl for vault temp
 2017-08-23 09:54:01 +03:00
Erik Stidham
9f9f70aade Update Calico to 2.4.1 release. 
- Switched Calico images to be pulled from quay.io
- Updated Canal too
 2017-08-21 09:33:12 -05:00
Matthew Mosesohn
ca3050ec3d Update to Kubernetes v1.7.3 (#1549) 
Change kubelet deploy mode to host
Enable cri and qos per cgroup for kubelet
Update CoreOS images
Add upgrade hook for switching from kubelet deployment from docker to host.
Bump machine type for ubuntu-rkt-sep
 2017-08-21 10:53:49 +03:00
Vijay Katam
97031f9133 Make epel-release install configurable (#1497) 2017-08-20 14:03:10 +03:00
Vijay Katam
c92506e2e7 Add calico variable that enables ignoring Kernel's RPF Setting (#1493) 2017-08-20 14:01:09 +03:00
Kevin Lefevre
65a9772adf Add OpenStack LBaaS support (#1506) 2017-08-20 13:59:15 +03:00
Anton
1e07ee6cc4 etcd_compaction_retention every 8 hour (#1527) 2017-08-20 13:55:48 +03:00
Miad Abrin
3c710219a1 Fix Some Typos in kubernetes master role (#1547) 
* Fix Typo etc3 -> etcd3

* Fix typo in post-upgrade of master. stop -> start
 2017-08-20 13:54:28 +03:00
Maxim Krasilnikov
2ba285a544 Fixed deploy cluster with vault cert manager (#1548) 
* Added custom ips to etcd vault distributed certificates

* Added custom ips to kube-master vault distributed certificates

* Added comment about issue_cert_copy_ca var in vault/issue_cert role file

* Generate kube-proxy, controller-manager and scheduler certificates by vault

* Revert "Disable vault from CI (#1546)"

This reverts commit 781f31d2b8.

* Fixed upgrade cluster with vault cert manager

* Remove vault dir in reset playbook
 2017-08-20 13:53:58 +03:00
Antoine Legrand
72ae7638bc Merge pull request #1446 from matlockx/master 
add possibility to ignore the hostname override
 2017-08-18 17:03:40 +02:00
Xavier Lange
3bfad5ca73 Bump etcd to 3.2.4 (#1468) 2017-08-18 17:12:33 +03:00
Matthew Mosesohn
df28db0066 Fix cert and netchecker upgrade issues (#1543) 
* Bump tag for upgrade CI, fix netchecker upgrade

netchecker-server was changed from pod to deployment, so
we need an upgrade hook for it.

CI now uses v2.1.1 as a basis for upgrade.

* Fix upgrades for certs from non-rbac to rbac
 2017-08-18 15:46:22 +03:00
Jan Jungnickel
20183f3860 Bump Calico CNI Plugin to 1.8.0 (#1458) 
This aligns calico component versions with Calico release 2.1.5 and
fixes an issue with nodes being unable to schedule existing workloads
as per [#349](https://github.com/projectcalico/cni-plugin/issues/349)
 2017-08-18 15:40:14 +03:00
Matthew Mosesohn
2645e88b0c Fix vault setup partially (#1531) 
This does not address per-node certs and scheduler/proxy/controller-manager
component certs which are now required. This should be handled in a
follow-up patch.
 2017-08-18 15:09:45 +03:00
Vijay Katam
55ba81fee5 Add changed_when: false to rpm query 2017-08-14 12:31:44 -07:00
Brad Beam
af007c7189 Fixing netchecker-server type - pod => deployment (#1509) 2017-08-14 18:43:56 +03:00
Seungkyu Ahn
b22bef5cfb Apply RBAC to efk and create fluentd.conf 
Making fluentd.conf as configmap to change configuration.
Change elasticsearch rc to deployment.
Having installed previous elastaicsearch as rc, first should delete that.
 2017-08-11 05:31:50 +00:00
Vijay Katam
7ad5523113 restrict rpm query to redhat 2017-08-10 13:49:14 -07:00
Brad Beam
1155008719 Merge pull request #1481 from magnon-bliex/fluentd-template-fix-typo 
fixed typo in fluentd-ds.yml.j2
 2017-08-10 08:19:59 -05:00
Vijay Katam
5efda3eda9 Configurable docker yum repos, systemd fix 
* Make yum repos used for installing docker rpms configurable
* TasksMax is only supported in systemd version >= 226
* Change to systemd file should restart docker
 2017-08-09 15:49:53 -07:00
Brad Beam
383d582b47 Merge pull request #1382 from jwfang/rbac 
basic rbac support
 2017-08-07 08:01:51 -05:00
Spencer Smith
6eacedc443 Merge pull request #1483 from delfer/patch-3 
Update flannel from 0.6.2 to 0.8.0
 2017-08-01 13:57:43 -04:00
Spencer Smith
e55f8a61cd Merge pull request #1482 from bradbeam/fix1393 
Removing run_once in these tasks so that etcd ca certs get propogated…
 2017-07-31 13:47:18 -04:00
Spencer Smith
cb6892d2ed Merge pull request #1469 from hzamani/etcd_metrics 
Add etcd metrics flag
 2017-07-31 09:04:07 -04:00
Spencer Smith
43eda8d878 Merge pull request #1471 from whereismyjetpack/fix_1447 
add newline after expanding user information
 2017-07-31 09:03:04 -04:00
nico
cc9f3ea938 Fix enforce-node-allocatable option 
Closes #1228
pods is default enforcement

see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
add

update
 2017-07-31 10:06:53 +02:00
Alexander Chumakov
8bc717a55c Update flannel from 0.6.2 to 0.8.0 2017-07-29 10:54:31 +03:00
Brad Beam
d09222c900 Removing run_once in these tasks so that etcd ca certs get propogated properly to worker nodes 
without this etcd ca certs dont exist on worker nodes causing calico to fail
 2017-07-28 14:34:47 -05:00
magnon-bliex
38eb1d548a fixed typo 2017-07-28 14:10:13 +09:00
Anton
e0960f6288 FIX: Unneded (extra) cycles in some tasks (#1393) 2017-07-27 20:46:21 +03:00
timtoum
3e457e4edf Enable weave seed mode for kubespray (#1414) 
* Enable weave seed mode for kubespray

* fix task Weave seed | Set peers if existing peers

* fix mac address variabilisation

* fix default values

* fix include seed condition

* change weave var to default values

* fix Set peers if existing peers
 2017-07-26 19:09:34 +03:00
Dann Bohn
c4894d6092 add newline after expanding user information 2017-07-25 12:59:10 -04:00
Hassan Zamani
3fb0383df4 Add etcd metrics flag 2017-07-25 20:00:30 +04:30
Spencer Smith
ee36763f9d Merge pull request #1464 from johnko/patch-4 
set loadbalancer_apiserver_localhost default true
 2017-07-25 10:00:56 -04:00
Spencer Smith
955c5549ae Merge pull request #1402 from Lendico/fix_failed_when 
"failed_when: false" and "|succeeded" checks for registered vars
 2017-07-25 09:33:43 -04:00
Spencer Smith
4a34514b21 Merge pull request #1447 from whereismyjetpack/template_known_users 
Template out known_users.csv, optionally add groups
 2017-07-25 08:55:08 -04:00
Brad Beam
20f29327e9 Merge pull request #1379 from gdmello/etcd_data_dir_fix 
Custom `etcd_data_dir` saves etcd data to host, not container
 2017-07-20 09:30:18 -05:00
John Ko
018b5039e7 set loadbalancer_apiserver_localhost default true 
to match this https://github.com/kubernetes-incubator/kubespray/blob/master/roles/kubernetes/node/tasks/main.yml#L20
and the documented behaviour in HA docs 
related to #1456
@rsmitty
 2017-07-20 10:27:05 -04:00
Spencer Smith
b5d3d4741f Merge pull request #1454 from Abdelsalam-Abbas/higher_drain_timeout 
higher the timeouts for draining nodes while upgrading kubernetes version
 2017-07-19 10:39:33 -04:00
Spencer Smith
85c747d444 Merge pull request #1441 from bradbeam/1434 
Adding recursive=true for rkt kubelet dir
 2017-07-19 10:38:06 -04:00
Spencer Smith
927e6d89d7 Merge pull request #1435 from delfer/master 
Kubernetes upgrade to 1.6.7
 2017-07-19 05:23:38 -07:00
jwfang
3d87f23bf5 uncomment unintended local changes 2017-07-19 12:11:47 +08:00
jwfang
789910d8eb remote unused netchecker-agent-hostnet-ds.j2 2017-07-17 19:29:59 +08:00
jwfang
a8e6a0763d run netchecker-server with list pods 2017-07-17 19:29:59 +08:00
jwfang
e1386ba604 only patch system:kube-dns role for old dns 2017-07-17 19:29:59 +08:00
jwfang
83deecb9e9 Revert "no need to patch system:kube-dns" 
This reverts commit c2ea8c588aa5c3879f402811d3599a7bb3ccab24.
 2017-07-17 19:29:59 +08:00
jwfang
d8dcb8f6e0 no need to patch system:kube-dns 2017-07-17 19:29:59 +08:00
jwfang
552b2f0635 change authorization_modes default value 2017-07-17 19:29:59 +08:00
jwfang
0b3badf3d8 revert calico-related changes 2017-07-17 19:29:59 +08:00
jwfang
cea3e224aa change authorization_modes default value 2017-07-17 19:29:59 +08:00
jwfang
1eaf0e1c63 rename task 2017-07-17 19:29:59 +08:00
jwfang
2cda982345 binding group system:nodes to clusterrole calico-role 2017-07-17 19:29:59 +08:00
jwfang
c9734b6d7b run calico-policy-controller with proper sa/role/rolebinding 2017-07-17 19:29:59 +08:00
jwfang
fd01377f12 remove more bins when reset 2017-07-17 19:29:59 +08:00
jwfang
092bf07cbf basic rbac support 2017-07-17 19:29:59 +08:00
Ubuntu
5145a8e8be higher draining timeouts 2017-07-16 20:52:13 +00:00
Dann Bohn
d1f58fed4c Template out known_users.csv, optionally add groups 2017-07-14 09:27:20 -04:00
Martin Joehren
12e918bd31 add possibility to ignore the hostname override 2017-07-13 14:04:39 +00:00