Commit graph

884 commits

Author SHA1 Message Date
Matthew Mosesohn
0d06d1fb90 Merge pull request #910 from mattymo/escape_curly
Fix ansible 2.2.1 handling of registered vars
2017-01-18 11:13:01 +03:00
Greg Althaus
eb3a840622 Should only check for api-server running on the master.
If this runs on other nodes, it will fail the playbook.
2017-01-17 15:57:34 -06:00
Matthew Mosesohn
8369f5ebad Fix bash completion installation 2017-01-17 20:36:58 +03:00
Matthew Mosesohn
8302d38358 Work around escaping curly braces for docker inspect 2017-01-17 20:35:38 +03:00
Sergii Golovatiuk
f3a2e98b44 Flush handlers before etcd restart
systemctl daemon-reload should be run before when task modifies/creates
union for etcd. Otherwise etcd won't be able to start

Closes #892

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-17 15:04:25 +01:00
Matthew Mosesohn
49d7d15fe7 Merge pull request #909 from mattymo/docker-upgrade
Always trigger docker restart when docker package changes
2017-01-17 11:37:42 +03:00
Matthew Mosesohn
adf7faf93b Always trigger docker restart when docker package changes
Docker upgrade doesn't auto-restart docker, causing failures
when trying to start another container
2017-01-16 17:52:28 +03:00
Greg Althaus
113925afea Add a variable that defaults to kube_apiserver_port that defines
the which port the local nginx proxy should listen on for HA
local balancer configurations.
2017-01-14 23:38:07 -06:00
Greg Althaus
707e6a4642 This PR adds/or modifies a few tasks to allow for the playbook to
be run by limit on each node without regard for order.

The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node.  This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.
2017-01-14 23:24:34 -06:00
Greg Althaus
04fbe42aa6 If the inventory name of the host exceeds 63 characters,
the openssl tools will fail to create signing requests because
the CN is too long.  This is mainly a problem when FQDNs are used
in the inventory file.

THis will truncate the hostname for the CN field only at the
first dot.  This should handle the issue for most cases.
2017-01-13 10:02:23 -06:00
Matthew Mosesohn
3b562c494d Use only one certificate for all apiservers
https://github.com/kubernetes/kubernetes/issues/25063
2017-01-13 14:03:20 +03:00
Bogdan Dobrelya
9a07782016 Merge pull request #891 from galthaus/selinux-order
preinstall fails on AWS CentOS7 image
2017-01-13 11:51:18 +01:00
Alexander Block
cee3b01987 Don't try to delete kargo specific config from dhclient when file does not exist
Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.
2017-01-13 10:56:10 +01:00
Greg Althaus
85efd263b3 When running on CentOS7 image in AWS with selinux on, the order of
the tasks fail because selinux prevents ip-forwarding setting.

Moving the tasks around addresses two issues.  Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.
2017-01-12 10:12:21 -06:00
Bogdan Dobrelya
808a50bc23 Merge pull request #830 from mattymo/k8sperhost
Generate individual certificates for k8s hosts
2017-01-12 12:42:14 +01:00
Alexander Block
d6c0d2785b Add tasks to undo changes to hosts /etc/resolv.conf and dhclient configs 2017-01-11 16:56:16 +01:00
Matthew Mosesohn
ed253e5c5a Generate individual certificates for k8s hosts 2017-01-11 12:58:07 +03:00
Matthew Mosesohn
c779bf8cd3 Merge pull request #878 from bradbeam/rkt-cni
Adding /opt/cni /etc/cni to rkt run kubelet
2017-01-11 12:22:04 +03:00
Bogdan Dobrelya
928de8d8bb Merge pull request #872 from mattymo/bug868
Bind nginx localhost proxy to localhost
2017-01-10 17:09:25 +01:00
Brad Beam
7420bf584c Adding /opt/cni /etc/cni to rkt run kubelet 2017-01-10 08:48:58 -06:00
Bogdan Dobrelya
fd53e2c670 Merge pull request #793 from kubernetes-incubator/fix_dhclientconf_path
Fix wrong path of dhclient on CentOS+Azure
2017-01-10 13:23:55 +01:00
Bogdan Dobrelya
9f74c02004 Merge pull request #858 from bradbeam/calicoctl-canal
Misc updates for canal
2017-01-10 12:24:59 +01:00
Matthew Mosesohn
ce84320462 Merge pull request #860 from adidenko/fix-calico-rr-certs
Fix etcd cert generation for calico-rr role
2017-01-09 18:34:02 +03:00
Bogdan Dobrelya
35ea6cef19 Merge pull request #871 from mattymo/fix_system_search_domains
Fix docker dns host scenario with no search domains
2017-01-09 15:52:12 +01:00
Matthew Mosesohn
e9d5aa0f07 Bind nginx localhost proxy to localhost
This proxy should only be listening for local connections, not 0.0.0.0.

Fixes #868
2017-01-09 17:19:54 +03:00
Matthew Mosesohn
846b96efa1 Fix docker dns host scenario with no search domains
Fixes scenario where docker-dns.conf tries to create an empty
search entry
2017-01-09 16:36:44 +03:00
Aleksandr Didenko
a47f2d611c Fix etcd cert generation for calico-rr role
"etcd_node_cert_data" variable is undefinded for "calico-rr" role.
This patch adds "calico-rr" nodes to task where "etcd_node_cert_data"
variable is registered.
2017-01-09 12:06:25 +01:00
Aleksandr Didenko
11e1bb64bd Set latest stable versions for Calico images
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.

Also removing images repo and tag duplication from netchecker role
2017-01-09 12:05:49 +01:00
Bogdan Dobrelya
d296284bfa Merge pull request #799 from kubernetes-incubator/docker_dns
Implement "dockerd --dns-xxx" based dns mode
2017-01-09 11:38:02 +01:00
Alexander Block
ad7ded59e9 Only use default resolver in dnsmasq when we are using host_resolvconf mode 2017-01-06 10:21:07 +01:00
Alexander Block
2b3dbae9d6 Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Spencer Smith
bee6166b4c remove assertion for family not being CoreOS 2017-01-05 13:36:25 -05:00
Brad Beam
43adafe746 Create network policy directory for canal 2017-01-05 10:54:27 -06:00
Brad Beam
ff24f9712a Adding calicoctl to canal deployment 2017-01-05 10:54:27 -06:00
Bogdan Dobrelya
da9da08964 Better fix for different CoreOS os family facts
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 16:32:08 +01:00
Bogdan Dobrelya
68a6fa1146 Rename CoreOS fact
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 14:02:29 +01:00
Bogdan Dobrelya
8d9c4233e2 Merge branch 'master' into rkt 2017-01-05 10:34:18 +01:00
Brad Beam
9432a5cd73 Adding kubelet in rkt 2017-01-03 14:49:48 -06:00
Brad Beam
0f5a30ee8a Allowing etcd to run via rkt 2017-01-03 10:10:38 -06:00
Brad Beam
18715b2116 Adding initial rkt support 2017-01-03 10:08:43 -06:00
Bogdan Dobrelya
2fe58c361f Fix cert paths for flannel/calico policy apps
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-03 16:12:54 +01:00
Alexander Block
2538c958db Upgrade docker version and do some cleanups for unsupported distros/docker versions 2017-01-02 18:05:50 +01:00
Bogdan Dobrelya
130f0908ce Merge pull request #847 from bogdando/bug_769
Fix etc hosts for cluster nodes
2017-01-02 17:47:23 +01:00
Bogdan Dobrelya
62313afccc Fix etc hosts for cluster nodes
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 13:20:51 +01:00
Bogdan Dobrelya
f16a512aea Drop non systemd OS types support
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00
Matthew Mosesohn
bd0f787809 Fix etcd cert generation to support large deployments
Due to bash max args limits, we should pass all node filenames and
base64-encoded tar data through stdin/stdout instead.

Fixes #832
2016-12-30 12:55:26 +03:00
Bogdan Dobrelya
6e1c0cdd15 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Matthew Mosesohn
2ac2a3ed93 Fix creation and sync of etcd certs
Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync
2016-12-28 14:21:17 +04:00
Matthew Mosesohn
612c5bb5f1 Merge pull request #818 from mattymo/calico-rr-certs
Fix calico-rr to use etcd certs instead of kube certs
2016-12-28 08:47:16 +03:00
Matthew Mosesohn
716b590f3b Fix calico-rr to use etcd certs instead of kube certs 2016-12-27 17:04:50 +03:00
Bogdan Dobrelya
9b29df183b Rework ignore_errors to report no reds
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2016-12-27 13:00:50 +01:00
Bogdan Dobrelya
222859601e Do not forward bogus domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-23 11:53:14 +01:00
Matthew Mosesohn
a2c38f5f5f Update etcd.j2 2016-12-22 22:29:24 +03:00
Matthew Mosesohn
e5374af95c Adjust etcd server certificates
ETCD doesn't need cert/key options set. It only requires peer
cert options.
2016-12-22 23:05:17 +04:00
Spencer Smith
f3f16e3676 Workaround etcdctl not yet being installed (#797)
workaround case for etcdctl not yet being installed, only allow for return code of 0 (no error)
2016-12-22 12:41:38 -05:00
Matthew Mosesohn
370ad3acba Merge pull request #760 from genti-t/issue-748-flannel-options
Fix Flannel network on CoreOS
2016-12-22 19:02:31 +03:00
Genti Topija
a42b458fdf Fix Flannel network on CoreOS
Resolves: #748
2016-12-22 16:50:04 +01:00
Matthew Mosesohn
5457799aa3 Individual etcd ssl certs
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
2016-12-22 13:31:11 +03:00
Bogdan Dobrelya
85f31a369e Merge pull request #786 from mattymo/bug777
Add wait for kube-apiserver to kubernetes-apps
2016-12-22 11:02:50 +01:00
Alexander Block
272d8e754b Fix wrong path of dhclient on CentOS+Azure
This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.
2016-12-21 21:51:07 +01:00
Spencer Smith
3575f890fc create systemd drop-in path if not existent 2016-12-21 13:06:12 -05:00
Bogdan Dobrelya
b103799901 Revert "Do not forward private domains for upstream resolvers" 2016-12-21 15:24:17 +01:00
Matthew Mosesohn
b1eb852207 Add wait for kube-apiserver to kubernetes-apps
Fixes #777
2016-12-21 15:39:39 +03:00
Bogdan Dobrelya
f45872b558 Add download_always_pull check and sha256 for docker images
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-20 17:02:09 +01:00
Bogdan Dobrelya
763c1aff72 Merge pull request #722 from bogdando/dnsmasq_armors
Do not forward private domains for upstream resolvers
2016-12-20 14:25:17 +01:00
Bogdan Dobrelya
072c4e4669 Merge pull request #775 from kubernetes-incubator/register_master
Register master node as unschedulable
2016-12-20 14:17:55 +01:00
Bogdan Dobrelya
c147f710ab Merge pull request #774 from kubernetes-incubator/ant31-patch-2
check if calico_peer_rr is defined
2016-12-19 18:19:03 +01:00
Matthew Mosesohn
6a705aa0b5 Fix etcd to-SSL upgrade and task register vars 2016-12-19 15:05:49 +03:00
Bogdan Dobrelya
4d4b0adc03 Do not forward private domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-19 11:01:41 +01:00
Alexander Block
c43615c765 Register master node as unschedulable
Also refactor generation of kubelet args to not repeat args.
2016-12-19 10:47:43 +01:00
Antoine Legrand
c250737b0a Update main.yml 2016-12-17 20:22:39 +01:00
Antoine Legrand
5c280ef54a Merge pull request #704 from vwfs/bastion_hosts
Add support for bastion hosts
2016-12-17 12:08:49 +01:00
Antoine Legrand
5d46f62718 Merge pull request #763 from bogdando/resolver_fallback
Fallback to default resolver if no nameservers
2016-12-17 12:03:41 +01:00
Antoine Legrand
b1841fda76 Merge pull request #766 from kubernetes-incubator/docker12point5
Update docker to 1.12.5
2016-12-17 11:55:06 +01:00
Bogdan Dobrelya
e7e0e82f43 Fallback to default resolver if no nameservers
Current design expects users to define at least one
nameserver in the nameservers var to backup host OS DNS config
when the K8s cluster DNS service IP is not available and hosts
still have to resolve external or intranet FQDNs.

Fix undefined nameservers to fallback to the default_resolver.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-16 14:51:34 +01:00
Bogdan Dobrelya
7fc0b552a0 Revert "Fix wrong path for dhclient.conf on RedHat/CentOS" 2016-12-16 14:49:26 +01:00
Matthew Mosesohn
42dc2351b1 Update docker to 1.12.5
Note the new ubuntu/debian version string change:
https://github.com/docker/docker/issues/29355
2016-12-16 16:30:46 +03:00
Bogdan Dobrelya
fc2f616f94 Merge pull request #745 from kubernetes-incubator/fix_weave_start
Fix weave restart after docker daemon restart
2016-12-16 14:06:48 +01:00
Matthew Mosesohn
76e7048f06 Fix weave restart after docker daemon restart 2016-12-16 14:15:22 +03:00
Antoine Legrand
3bf2c0f54f Merge pull request #757 from kubernetes-incubator/issue754
Add dns_domain for each host to /etc/hosts
2016-12-15 21:42:59 +01:00
Bogdan Dobrelya
290433b89f Merge pull request #755 from kubernetes-incubator/fix_dhclientconf_path
Fix wrong path for dhclient.conf on RedHat/CentOS
2016-12-15 19:08:31 +01:00
Bogdan Dobrelya
80a8193d74 Merge pull request #746 from kubernetes-incubator/etcd_ssl_upgrade_fix
Fix etcd member list when upgrading ETCD from an old version
2016-12-15 12:31:34 +01:00
Matthew Mosesohn
ab4eb809d4 Add dns_domain for each host to /etc/hosts
Fixes #754
2016-12-15 13:34:59 +04:00
Bogdan Dobrelya
c09db6cd54 Merge pull request #749 from kubernetes-incubator/azure_ip_forward
Set net.ipv4.ip_forward=1 on all systems, not only on GCE
2016-12-15 10:19:43 +01:00
Alexander Block
2624da6161 Fix wrong path for dhclient.conf on RedHat/CentOS
/etc/dhclient.conf is ignored on RedHat/CentOS
Correct location is /etc/dhcp/dhclient.conf
2016-12-15 10:11:16 +01:00
Matthew Mosesohn
3b14519208 Fix etcd member list when upgrading ETCD from an old version 2016-12-15 12:00:45 +04:00
Bogdan Dobrelya
f635d224ed Merge pull request #721 from adidenko/calico-add-rr
Add calico/routereflector support
2016-12-14 17:22:00 +01:00
Smaine Kahlouch
af76813bf4 Merge pull request #708 from vwfs/cloud_network
Add support for cloud-provider based networking
2016-12-14 16:23:20 +01:00
Alexander Block
cbcdc7d9a0 Set net.ipv4.ip_forward=1 on all systems, not only on GCE 2016-12-14 15:08:13 +01:00
Aleksandr Didenko
d5a9b34d9e Add calico/routereflector support
Add BGP route reflectors support in order to optimize BGP topology
for deployments with Calico network plugin.

Also bump version of calico/ctl for some bug fixes.
2016-12-14 13:44:10 +01:00
Alexander Block
586ad91300 Add --reconcile-cidr flag to kubelet to support cloud network plugin in 1.4 2016-12-13 17:30:10 +01:00
Alexander Block
6887948537 Add check for azure_route_table_name and add it to all.yml 2016-12-13 17:30:10 +01:00
Alexander Block
5b0034c420 Add pseudo network plugin called "cloud" to use cloud provider for network
Allow to let the cloud provider configure proper routing for nodes.
2016-12-13 17:30:10 +01:00
Alexander Block
433eb1dc53 Add support for bastion hosts 2016-12-13 17:29:47 +01:00
Antoine Legrand
e22e4c02db Merge branch 'master' into standalone_kubelet 2016-12-13 17:26:21 +01:00
Alexander Block
67cc40aefa Move kube_version to group_vars/all to allow easier changing of version
Also allows to perform version dependent logic in Ansible roles.
2016-12-13 17:21:00 +01:00
Alexander Block
f9807798f3 Pass --anonymous-auth to apiserver
Fixes #732
2016-12-13 17:06:53 +01:00
Bogdan Dobrelya
2d566e27a6 Merge pull request #731 from bogdando/fix_resolvconf
Fix resolvconf
2016-12-13 16:48:37 +01:00
Bogdan Dobrelya
272b506802 Address standalone kubelet config case
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Bogdan Dobrelya
bab6ec8477 Fix resolvconf
Do not repeat options and nameservers in the dhclient hooks.
Do not prepend nameservers for dhclient but supersede and fail back
to the upstream_dns_resolvers then default_resolver. Fixes order of
nameservers placement, which is cluster DNS ip goes always first.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 15:48:53 +01:00
Alexander Block
0f0858703b Fix reverse umount in reset role
The Jinja2 filter 'reverse' returned an iterator instead of a list,
resulting in the umount task to fail.

Intead of using the reverse filter, we use 'tac' to reverse the output
of the previous task.
2016-12-13 14:21:24 +01:00
Bogdan Dobrelya
38f5f4a8e3 Merge pull request #705 from vwfs/centos7-azure
Better support for CentOS 7 on Azure
2016-12-13 10:36:58 +01:00
Bogdan Dobrelya
659b482b62 Merge pull request #667 from bogdando/fix_dns
Rework DNS stack to meet hostnet pods needs
2016-12-12 21:38:13 +01:00
Bogdan Dobrelya
33f9f9b7ba Update main.yml 2016-12-12 21:37:16 +01:00
Bogdan Dobrelya
8679f10f71 Rework DNS stack to meet hostnet pods needs
* For Debian/RedHat OS families (with NetworkManager/dhclient/resolvconf
  optionally enabled) prepend /etc/resolv.conf with required nameservers,
  options, and supersede domain and search domains via the dhclient/resolvconf
  hooks.

* Drop (z)nodnsupdate dhclient hook and re-implement it to complement the
  resolvconf -u command, which is distro/cloud provider specific.
  Update docs as well.

* Enable network restart to apply and persist changes and simplify handlers
  to rely on network restart only. This fixes DNS resolve for hostnet K8s
  pods for Red Hat OS family. Skip network restart for canal/calico plugins,
  unless https://github.com/projectcalico/felix/issues/1185 fixed.

* Replace linefiles line plus with_items to block mode as it's faster.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-12 17:43:47 +01:00
Alexander Block
9172de48fd Make growpart only run on Azure 2016-12-12 14:14:22 +01:00
Bogdan Dobrelya
5dd0caf1b5 Merge branch 'master' into tags_download 2016-12-12 11:44:00 +01:00
Matthew Mosesohn
1fe8dc2472 Merge pull request #707 from vwfs/reset_playbook
Add playbook and role to reset the cluster
2016-12-12 12:43:00 +03:00
Alexander Block
eb2890d245 Add growpart role to allow growing the root partition on CentOS
At least the OS images from Azure do not grow the root FS automatically.
2016-12-12 09:55:28 +01:00
Alexander Block
41a87fe305 Disable fastestmirror on CentOS
It actually slows down things dramatically when used in combination
with Ansible.
2016-12-12 09:54:39 +01:00
Alexander Block
a80cdcf867 Remove requiretty from sudoers to actually make pipelining work
Some systems (e.g. CentOS on Azure) have requiretty in sudoers which makes
pipelining fail.
2016-12-12 09:54:39 +01:00
Matthew Mosesohn
e731130f41 Merge pull request #713 from kubernetes-incubator/bump_kubedns
Bump kubedns version to 1.9
2016-12-10 11:08:42 +03:00
Bogdan Dobrelya
d2c369f3b7 Merge pull request #696 from bogdando/intranet_dns
Preconfigure dns stack early
2016-12-09 21:46:03 +01:00
Bogdan Dobrelya
aefe4a99d2 Preconfigure DNS stack and docker early
In order to enable offline/intranet installation cases:
* Move DNS/resolvconf configuration to preinstall role. Remove
  skip_dnsmasq_k8s var as not needed anymore.

* Preconfigure DNS stack early, which may be the case when downloading
  artifacts from intranet repositories. Do not configure
  K8s DNS resolvers for hosts /etc/resolv.conf yet early (as they may be
  not existing).

* Reconfigure K8s DNS resolvers for hosts only after kubedns/dnsmasq
  was set up and before K8s apps to be created.

* Move docker install task to early stage as well and unbind it from the
  etcd role's specific install path. Fix external flannel dependency on
  docker role handlers. Also fix the docker restart handlers' steps
  ordering to match the expected sequence (the socket then the service).

* Add default resolver fact, which is
  the cloud provider specific and remove hardcoded GCE resolver.

* Reduce default ndots for hosts /etc/resolv.conf to 2. Multiple search
  domains combined with high ndots values lead to poor performance of
  DNS stack and make ansible workers to fail very often with the
  "Timeout (12s) waiting for privilege escalation prompt:" error.

* Update docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:30:55 +01:00
Bogdan Dobrelya
10383c88ee More granular control for download/upload images/binaries
Add upload tag allow users to exclude distributing images across nodes
when running with the download tag set.
Add related tags and update docs as well.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:04:55 +01:00
Alexander Block
74c4355af8 Changes according to code review 2016-12-09 16:33:10 +01:00
Matthew Mosesohn
6dc79b45ea Bump kubedns version to 1.9
Version 1.9 has reduced verbosity for federation dns queries
which flood container logs.
2016-12-09 17:57:54 +03:00
Alexander Block
294d6ce221 Use proper style (spacing) for docker_storage_options 2016-12-09 13:56:56 +01:00
Alexander Block
14bd3e5d23 Allow to specify docker storage driver 2016-12-09 13:56:56 +01:00
Bogdan Dobrelya
c032d20962 Merge pull request #700 from bogdando/tags
Add tags
2016-12-09 13:23:56 +01:00
Bogdan Dobrelya
0b1ce03167 Add tags
Add tags to allow more granular tasks filtering.
Add generator script for MD formatted tags found.
Add docs for tags how-to.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 12:14:28 +01:00
Alexander Block
ddc399605a Add playbook and role to reset the cluster
This deletes everything related to the cluster and allows to start from
scratch.
2016-12-09 11:15:36 +01:00
Aleksandr Didenko
63b655cd7b Convert docker_versioned_pkg dict keys to string
This will allow to use '-e docker_version=1.12' in ansible playbook
execution. It's also backward-compatible and will work with floating
docker_version format in custom yaml files.

Closes #702
2016-12-09 09:17:36 +01:00
Matthew Mosesohn
be117265d9 Merge pull request #668 from bodepd/etcd_access_address
Use etcd host ip instead of hostname to build etcd_access_addresses
2016-12-09 07:54:12 +03:00
Bogdan Dobrelya
aee21136ce Merge pull request #691 from adidenko/calico-old-cni-fix
Fix possible problems with legacy calicoctl
2016-12-08 12:00:08 +01:00
Dan Bode
f7a7e064b5 Allow etcd_access_addresses to be more flexible
The variale etcd_access_addresses is used to determine
how to address communication from other roles to
the etcd cluster.

It was set to the address that ansible uses to
connect to instance ({{ item }})s and not the
the variable:
  ip_access
which had already been created and could already
be overridden through the access_ip variable.

This change allows ansible to connect to a machine using
a different address than the one used to access etcd.
2016-12-07 10:33:15 -08:00
Matthew Mosesohn
75782aa262 Force hardlink for calico/canal certs
Fixes: #669
2016-12-07 19:03:22 +03:00
Bogdan Dobrelya
1b17efee19 Merge pull request #692 from bogdando/gce_fixes
Change GCE sysctls placement and docs
2016-12-07 16:17:30 +01:00
Bogdan Dobrelya
965b27e48e Change GCE sysctls placement and docs
Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of
the /etc/sysctl.d/11-gce-network-security.conf. It is recreated
by GCE, f.e. if gcloud CLI invokes some security related changes,
thus losing customizations we want to be persistent.

Update cloud providers firewall requirements in calico docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-07 12:53:45 +01:00
Aleksandr Didenko
611038e306 Fix possible problems with legacy calicoctl
When running legacy calicoctl we do not specify calico hostname in
calico-node container thus we should not specify it in CNI config.

Also move 'legacy_calicoctl' set_fact task to the top.
2016-12-07 12:26:44 +01:00
fen4o
10ce760450 add cluster-signing to kube-controller-manager
kube-controller-manager's cluster signing cert and key points by default to not
existing `/etc/kubernetes/ca/ca.pem` and `/etc/kubernetes/ca/ca.key` [docs][1]

[1]: http://kubernetes.io/docs/admin/kube-controller-manager/#options
2016-12-07 11:20:18 +02:00
Bogdan Dobrelya
8e28cb8095 Merge pull request #584 from chadswen/docker-options-refactor
Docker Options Refactor
2016-12-07 07:57:53 +01:00
Bogdan Dobrelya
ae7769d832 Merge pull request #684 from adidenko/fix-calico-peering
Calico: fix peering with routers for new version
2016-12-06 22:42:02 +01:00
Spencer Smith
08fb5b6c01 Merge pull request #627 from kubernetes-incubator/issue-626
add restart flag for docker run kubelet
2016-12-06 08:47:18 -08:00
Aleksandr Didenko
992fcd1680 Calico: fix peering with routers for new version
In new `calicoctl` version nodes peering with routers is broken.
We need to use predictable node names for calico-node and the
same names in calico `bgpPeer` resources and CNI.
2016-12-06 17:17:39 +01:00
Bogdan Dobrelya
f63f99d774 Merge pull request #678 from adidenko/update-calico-unit
Update calico-node systemd unit
2016-12-06 13:51:37 +01:00
Aleksandr Didenko
f3231b40e7 Update calico-node systemd unit
New calicoctl does not support --detach=false option, so we should
use a recommended way to run calico-node service:
http://docs.projectcalico.org/v2.0/usage/configuration/as-service

Closes #674, #675
2016-12-06 11:34:12 +01:00
Bogdan Dobrelya
567f5ac4c6 Merge pull request #679 from kubernetes-incubator/kube-proxy-dbus
Add dbus socket dir to kube-proxy
2016-12-06 11:08:16 +01:00
Matthew Mosesohn
eeb3b9f7e1 Fix ipv4 forwarding on GCE
ipv4 forwarding gets broken when restarting networking, which
breaks all networking for all pods.
2016-12-06 11:57:57 +03:00
Matthew Mosesohn
224f5fae63 Add dbus socket dir to kube-proxy 2016-12-05 19:25:27 +03:00
Chad Swenson
b7959020c6 Docker Options Refactor 2016-12-02 15:07:51 -06:00
Bogdan Dobrelya
16a4b4f336 Merge pull request #672 from kubernetes-incubator/fail_all_on_error
Fail all nodes on error
2016-12-02 17:08:10 +01:00
Bogdan Dobrelya
220a375cb9 Merge pull request #656 from YorikSar/nginx-proxy-timeout
Set proxy_timeout to 10m in nginx.conf
2016-12-02 12:48:18 +01:00
ant31
e8e2c84ca4 Fail all nodes on error 2016-12-02 12:37:22 +01:00
Sebastian Melchior
254e02c69e add basic azure support for kargo 2016-11-29 10:20:28 +01:00
Yuriy Taraday
d92124561d Set proxy_timeout to 10m in nginx.conf
Fixes #655.

This is a teporary solution for long-polling idle connections to
apiserver. It will make Nginx not cut them for the duration of expected
timeout. It will also make Nginx extremely slow in realizing that there
is some issue with connectivity to apiserver as well, so it might not be
perfect permanent solution.
2016-11-28 20:27:47 +03:00
Antoine Legrand
f75e2c5119 Merge pull request #529 from bogdando/netcheck
Add a k8s app for advanced e2e netcheck for DNS
2016-11-28 15:26:30 +01:00
Bogdan Dobrelya
d5b21b34c2 Add advanced net check for DNS K8s app
* Add an option to deploy K8s app to test e2e network connectivity
  and cluster DNS resolve via Kubedns for nethost/simple pods
  (defaults to false).
* Parametrize existing k8s apps templates with kube_namespace and
  kube_config_dir instead of hardcode.
* For CoreOS, ensure nameservers from inventory to be put in the
  first place to allow hostnet pods connectivity via short names
  or FQDN and hostnet agents to pass as well, if netchecker
  deployed.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-28 13:23:25 +01:00
Bogdan Dobrelya
779d676414 Merge pull request #652 from kubernetes-incubator/debug_mode
Tune dnsmasq/kubedns limits, replicas, logging
2016-11-25 16:57:15 +01:00
Bogdan Dobrelya
c34c49d4d9 Tune dnsmasq/kubedns limits, replicas, logging
* Add dns_replicas, dns_memory/cpu_limit/requests vars for
dns related apps.
* When kube_log_level=4, log dnsmasq queries as well.
* Add log level control for skydns (part of kubedns app).
* Add limits/requests vars for dnsmasq (part of kubedns app) and
  dnsmasq daemon set.
* Drop string defaults for kube_log_level as it is int and
  is defined in the global vars as well.
* Add docs

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-25 12:49:17 +01:00
Aleksandr Didenko
0e49c5f240 Update calico/ctl image tag
We no longer need to use v0.22.0 for calicoctl since Kargo has
support for new calicoctl CLI format.

Also fixing condition logic for calico pool task.
2016-11-25 11:23:27 +01:00
Bogdan Dobrelya
09a1a1a963 Merge pull request #651 from bogdando/fix_docker_install
Fix download dnsmasq image dependency on docker
2016-11-24 18:44:12 +01:00
Bogdan Dobrelya
91cc141662 Merge pull request #648 from artem-panchenko/fix_calicoctl_node_run
Fix Calico jinja template (systemd)
2016-11-24 18:33:34 +01:00
Bogdan Dobrelya
417a931f78 Fix download dnsmasq image dependency on docker
When download_run_once with download_localhost is used, docker is
expected to be running on the delegate localhost. That may be not
the case for a non localhost delegate, which is the kube-master
otherwise. Then the dnsmasq role, had it been invoked early before
deployment starts, would fail because of the missing docker dependency.

* Fix that dependency on docker and do not pre download dnsmasq image
  for the dnsmasq role, if download_localhost is disabled.
* Remove become: false for docker CLI invocation because that's not
  the common pattern to allow users access docker CLI w/o sudo.
* Fix opt bin path hack for localhost delegate to ignore errors when
  it fails with "sudo password required" otherwise.
* Describe download_run_once with download_localhost use case in docs
  as well.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-24 18:31:26 +01:00
Bogdan Dobrelya
bbd57d5f5e Ensure /etc/resolv.conf content for CoreOS
Use cloud-init config to replace /etc/resolv.conf with the
content for kubelet to properly configure hostnet pods.

Do not use systemd-resolved yet, see
https://coreos.com/os/docs/latest/configuring-dns.html
"Only nss-aware applications can take advantage of the
systemd-resolved cache. Notably, this means that statically
linked Go programs and programs running within Docker/rkt
will use /etc/resolv.conf only, and will not use the
systemd-resolve cache."

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-23 16:51:49 +01:00
Artem Panchenko
0437f9584d Fix Calico jinja template (systemd) 2016-11-23 11:43:53 +02:00
Bogdan Dobrelya
a4d5a14791 Fix nginx container download for download_run_once mode
W/o this patch, the "Download containers" task may be skipped
when running on the delegate node due to wrong "when" confition.
Then it fails to upload nginx image to the nodes as well.

Fix download nginx dependency so it always can be pushed to
nodes when download_run_once is enabled.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-23 10:37:08 +01:00
Bogdan Dobrelya
bfa15cd8ea Merge pull request #642 from kubernetes-incubator/k8s_imgpull
Allow pre-downloaded images to be used effectively
2016-11-22 18:09:38 +01:00
Aleksandr Didenko
f0b1884104 Set defaults for ansible_ssh_user
When setting permission for containers download/upload dir we're
using `ansible_ssh_user`. But if playbook is executed without
user being explicitly set `ansible_ssh_user` may be undefined.
In such situations dir ownership will default to `ansible_user_id`

Closes: #644
2016-11-22 18:00:56 +01:00
Bogdan Dobrelya
1bd3d3a080 Allow pre-downloaded images to be used effectively
According to http://kubernetes.io/docs/user-guide/images/ :
By default, the kubelet will try to pull each image from the
specified registry. However, if the imagePullPolicy property
of the container is set to IfNotPresent or Never, then a local\
image is used (preferentially or exclusively, respectively).

Use IfNotPresent value to allow images prepared by the download
role dependencies to be effectively used by kubelet without pull
errors resulting apps to stay blocked in PullBackOff/Error state
even when there are images on the localhost exist.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 16:16:04 +01:00
Antoine Legrand
bca996bf0b Merge pull request #638 from pskrzyns/fix_setting_loadbalancer_apiserver_localhost
Fix conditional when setting loadbalancer_apiserver_localhost
2016-11-22 15:15:38 +01:00
Bogdan Dobrelya
539a47b0fa Merge pull request #621 from xenolog/calico_network_backend
Add ability to define network backend for Calico.
2016-11-22 14:55:47 +01:00
Antoine Legrand
0016ba1759 Merge pull request #635 from kubernetes-incubator/download_images
Download images as dependencies of roles
2016-11-22 14:53:12 +01:00
Bogdan Dobrelya
793cedc522 Download images as dependencies of roles
Pre download all required container images as roles' deps.
Drop unused flannel-server-helper images pre download.
Improve pods creation post-install test pre downloaded busybox.
Improve logs collection script with kubectl describe, fix sudo/etcd/weave
commands.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 11:13:57 +01:00
Paweł Skrzyński
67b61c5c42 Fix conditional when setting loadbalancer_apiserver_localhost 2016-11-21 19:36:05 +01:00
Bogdan Dobrelya
523c9d77df Add missing liveness probe for apiserver static pod
Fix unreliable waiting for the apiserver to become ready.
Remove logfile mount to align with the rest of static pods
and because containers shall write logs to stdout only.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-21 13:15:51 +01:00
Bogdan Dobrelya
b44479d911 Merge pull request #629 from kubernetes-incubator/fix-download-once
Fix download once
2016-11-21 10:55:54 +01:00
Bogdan Dobrelya
d2f9c11299 Merge pull request #633 from bodepd/etcd_fix
Ensure that etcd health checks always pass
2016-11-21 10:29:35 +01:00
Dan Bode
aad73ea90e Ensure that etcd health checks always pass
in the etcd handler, the reload etcd action
was called after ansible waits for etcd to be
up, this means that the health checks which are
called immediately after fail (resulting in the etcd
role always failing and never finishing)

This patch changes the order to move the 'wait for etcd
up' resource after the 'reload etcd resource', ensuring that
the service is up before the health check is called.
2016-11-18 14:15:00 -08:00
Spencer Smith
106dcc3898 updated all instances of restart always to restart on-failure with a max of 5 times 2016-11-18 14:33:22 -05:00
Bogdan Dobrelya
cf7c6ae859 Add download localhost and enable for CI
* Add download_localhost for the download_run_once mode, which is
  use the ansible host (a travis node for CI case) to store and
  distribute containers across cluster nodes in inventory.
  Defaults to false.
* Rework download_run_once logic to fix idempotency of uploading
  containers.
* For Travis CI, enable docker images caching and run Travis
  workers with sudo enabled as a dependency
* For Travis CI, deploy with download_localhost and download_run_once
  enabled to shourten dev path drastically.
* Add compression for saved container images. Defaults to 'best'.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Aleksandr Didenko <adidenko@mirantis.com>
2016-11-18 16:00:07 +01:00
Sergey Vasilenko
e73c86c6aa Add ability to define network backend for Calico.
This patch introduce `calico_network_backend` global variable,
which allow to describe alternative network backend.
Default behavior is unchanged.
2016-11-18 16:38:18 +03:00
Maciej Filipiak
8b270f8e2b Add service-node-port-range parameter for kube-apiserver 2016-11-18 14:09:38 +01:00
Aleksandr Didenko
85a306044f Fix download_run_once for containers
Add one more step (task) to containers download/upload sequence -
copy saved .tar containers to ansible host (delegate_to: localhost).

Then upload images to target nodes. It uses synchronize module so
if ansible host (localhost) is the same host as kube-master[0] then
new task causes no issues and the copy to localhost process is
basically skipped.
2016-11-18 12:47:35 +01:00
Spencer Smith
c9b07618dc remove the --rm b/c it conflicts with restart 2016-11-17 12:21:30 -05:00
Matthew Mosesohn
5ee4d2e6e5 Merge pull request #608 from sneumann/patch-1
Fix failure if image package index is outdated
2016-11-17 12:21:15 -05:00
Spencer Smith
a4376c9ddd add restart flag for docker run kubelet 2016-11-17 12:03:41 -05:00
sneumann
4a00f5005f updated bootstrap-ubuntu.yml
Moved the variable setting to the apt-get install part where it matters as requested in the review.
2016-11-16 12:11:54 +01:00
Aleksandr Didenko
512c5b8440 Move CNI config and add MTU support for calico-cni
- Move CNI configuration creation for Calico to appropriate
network_plugin role from kubernetes/node.
- Add support for MTU configuration in Calico.
2016-11-15 18:05:11 +01:00
sneumann
3a397ea9db Fix failure if image package index is outdated 2016-11-15 17:49:14 +01:00
Bogdan Dobrelya
c18ccb64fb Merge pull request #600 from adidenko/calico-cni-container-support
Replace calico-cni binaries with calico/cni container
2016-11-15 15:40:13 +01:00
Bogdan Dobrelya
8c2c5f383b Fix mountflags and kubelet config
Add missing --require-kubeconfig to the if..else stanza.
Make sure certs dirs mounted in RO.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-15 11:22:23 +01:00
Antoine Legrand
0f9c289281 Merge pull request #599 from kubernetes-incubator/bug_542
Fix kubelet deprecated options
2016-11-15 10:50:26 +01:00
Matthew Mosesohn
d98e8a4323 Merge pull request #602 from adidenko/fix-canal-ssl
Fix etcd ssl for canal
2016-11-15 12:43:22 +03:00
Matthew Mosesohn
9f4ebdd017 Merge pull request #598 from kubernetes-incubator/bug_376
Generate kubectl bash completion from kubectl instead of file
2016-11-15 12:28:51 +03:00
Matthew Mosesohn
3a8d9cb0bc Merge pull request #604 from kubernetes-incubator/k8s-upgrade-v1.4.6
upgrade k8s version to 1.4.6
2016-11-15 12:27:29 +03:00
Smana
b2d3ee2ae7 upgrade k8s version to 1.4.6 2016-11-14 21:40:05 +01:00
Matthew Mosesohn
a96f78f848 Fix kubelet deprecated options
--api-servers now just reads kubeconfig
--config is now --pod-manifest-path

Fixes #542
2016-11-14 22:13:44 +04:00
Aleksandr Didenko
2b751c7d77 Fix etcd ssl for canal
- Move CNI configuration from `kubernetes/node` role to
`network_plugin/canal`
- Create SSL dir for Canal and symlink etcd SSL files
- Add needed options to `canal-config` configmap
- Run flannel and calico-node containers with proper configuration
2016-11-14 14:49:17 +01:00
Matthew Mosesohn
9eef9afad1 Merge branch 'master' into calico-cni-container-support 2016-11-14 14:58:42 +03:00
Aleksandr Didenko
12b27f4ef0 Replace calico-cni binaries with calico/cni container
Calico CNI binaries are also released/shipped in calico/cni
container. This patch replaces download of calico CNI binaries with
calico/cni container.
2016-11-14 12:19:58 +01:00
Matthew Mosesohn
976f095ef6 Generate kubectl bash completion from kubectl instead of file 2016-11-14 14:54:59 +04:00
Bogdan Dobrelya
70f8780e38 Merge pull request #496 from kubernetes-incubator/idempotency_resolvconf
Ignore changes on check resolvconf task
2016-11-14 11:10:04 +01:00
Matthew Mosesohn
220ac0d281 Merge branch 'master' into hostname-alias 2016-11-14 09:32:35 +03:00
Matthew Mosesohn
0529bb0a58 Merge branch 'master' into idempotency_resolvconf 2016-11-14 09:30:22 +03:00
Matthew Mosesohn
b141c41fee Fix ca certificate loading on CoreOS 2016-11-14 08:47:09 +04:00
Matthew Mosesohn
bc75a4f12c Merge pull request #592 from artem-panchenko/support_golang_calicoctl
Support new version of 'calicoctl' (>=v1.0.0)
2016-11-11 13:55:24 +03:00
Bogdan Dobrelya
813dd47808 Merge pull request #593 from bogdando/label_apps
Label k8s apps, adjust collect info commands
2016-11-10 18:09:05 +01:00
Bogdan Dobrelya
3aee431750 Merge pull request #594 from adidenko/fix-calico-policy-controller
Fix policy controller
2016-11-10 16:15:36 +01:00
Artem Panchenko
9d0a79a777 Support new version of 'calicoctl' (>=v1.0.0)
Since version 'v1.0.0-beta' calicoctl is written
in Go and its API differs from old Python based
utility. Added support of both old and new version
of the utility.
2016-11-10 17:11:29 +02:00