woopstar
4c81cd2a71
Merge branch 'master' of https://github.com/kubernetes-incubator/kubespray into etcd-fix-4
2018-05-02 14:45:58 +02:00
Andreas Kruger
32a8ea8094
Fix wrong var used
2018-05-02 12:44:05 +02:00
ashon
fb465f8b4b
Use 'items()' for python compatibility
2018-05-01 16:55:50 +09:00
Markos Chandras
9168c71359
Revert "Revert "Add openSUSE support" ( #2697 )" ( #2699 )
...
This reverts commit 51f4e6585a
.
2018-04-26 12:52:06 +03:00
Matthew Mosesohn
51f4e6585a
Revert "Add openSUSE support" ( #2697 )
2018-04-23 14:28:24 +03:00
Spencer Smith
49c6bf8fa6
support custom env vars for etcd
2018-04-18 14:03:24 -04:00
Markos Chandras
2d34781259
roles: etcd: Add support for SUSE distributions
...
Add path for certificate location for SUSE distributions. Also make sure
the 'update-ca-certificates' command is executed on SUSE hosts as well.
2018-04-11 20:53:43 +01:00
woopstar
86e3506ae6
Etcd cluster setup makeover
...
The current way to setup the etc cluster is messy and buggy.
- It checks for cluster is healthy before the cluster is even created.
- The unit files are started on handlers, not in the task, so you mess with "flush handlers".
- The join_member.yml is not used.
- etcd events cluster is not configured for kubeadm
- remove duplicate runs between running the role on etcd nodes and k8s nodes
2018-04-01 21:38:33 +02:00
Andreas Krüger
b9b028a735
Update etcd deployment to use correct cert and key ( #2572 )
...
* Update etcd deployment to use correct cert and key
* Update to use admin cert for etcdctl commands
* Update handler to use admin cert too
2018-03-31 14:06:09 -04:00
Wong Hoi Sing Edison
195d6d791a
Integrate jetstack/cert-manager 0.2.3 to Kubespray
2018-03-31 19:29:11 +08:00
woopstar
859a7f32fb
Fix import task. Has to be include task to evalutate etcd_cluster_setup variable at run time
2018-03-31 00:06:34 +02:00
Andreas Krüger
76cb37d6b5
Merge pull request #2544 from woopstar/cert-fix-2
...
Update openssl.conf to count better and work with Jinja 2.9
2018-03-30 21:57:17 +02:00
Matthew Mosesohn
03bcfa7ff5
Stop templating kube-system namespace and creating it ( #2545 )
...
Kubernetes makes this namespace automatically, so there is
no need for kubespray to manage it.
2018-03-30 14:29:13 +03:00
woopstar
0df32b03ca
Update openssl.conf to count better and work with Jinja 2.9
2018-03-28 17:48:56 +02:00
Sergey Bondarev
4f7479d94d
add etc tunning options
...
https://coreos.com/etcd/docs/latest/tuning.html
etcd_snapshot_count
and
ionice priority
2018-03-26 17:25:51 +03:00
Sergey Bondarev
f8fed0f308
change expirations period for generated certificate from 10 years to 100 years
2018-03-14 13:33:36 +03:00
RongZhang
388b627f72
Enable OOM killing for etcd-events
...
Enable OOM killing like docker run etcd
2018-03-05 20:46:39 -06:00
Antoine Legrand
5cc77eb6fd
Merge pull request #2294 from Nowaker/patch-1
...
Enable OOM killing
2018-03-01 14:56:26 +01:00
RongZhang
67ffd8e923
Add etcd-events cluster for kube-apiserver ( #2385 )
...
Add etcd-events cluster for kube-apiserver
2018-03-01 11:39:14 +03:00
Maxim Krasilnikov
ba91304636
Fixed generate front proxy client certs with vault ( #2359 )
...
* Fixed generate front proxy client certs with vault
* fix vault cert management
* Distrebute etcd node certs to vault hosts
2018-02-22 15:08:50 +03:00
RongZhang
c0aad0a6d5
Fix install etcd by host service ( #2297 )
...
Fix bug issues #2289
2018-02-12 17:34:01 +01:00
Damian Nowak
f8a59446e8
Enable OOM killing
...
When etcd exceeds its memory limit, it becomes useless but keeps running.
We should let OOM killer kill etcd process in the container, so systemd can spot
the problem and restart etcd according to "Restart" setting in etcd.service unit file.
If OOME problem keep repeating, i.e. it happens every single restart,
systemd will eventually back off and stop restarting it anyway.
--restart=on-failure:5 in this file has no effect because memory allocation error
doesn't by itself cause the process to die
Related: https://github.com/kubernetes-incubator/kubespray/blob/master/roles/etcd/templates/etcd-docker.service.j2
This kind of reverts a change introduced in #1860 .
2018-02-09 11:00:13 -06:00
Antoine Legrand
fe57c13b51
Merge pull request #2172 from leseb/etcd-auth
...
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
2018-02-07 11:25:56 +01:00
Dmitri Rubinstein
331f141f63
Fix DNS entries in etcd's openssl.conf by adding a newline. ( #2208 )
...
DNS entries generated from 'etcd_cert_alt_names' variable in etcd's
openssl.conf are not terminated by a newline.
This fixes issue #2207 .
2018-01-30 16:26:58 +03:00
Sébastien Han
fa8a128e49
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
...
Some installation are failing to authenticate with peers due to
etcd picking up/resoling the wrong node.
By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert
authentication.
Signed-off-by: Sébastien Han <seb@redhat.com>
2018-01-30 11:19:12 +01:00
Matthew Mosesohn
dc6a17e092
Use include/import tasks ( #2192 )
...
import_tasks will consume far less memory, so it should be
used whenever it is compatible.
2018-01-29 14:37:48 +03:00
Chad Swenson
c6e0fcea31
Merge pull request #1948 from sgmitchell/secured-etcd
...
Enable etcd secure client to prevent etcdctl access without cert and key
2018-01-25 09:35:51 -06:00
Matthew Mosesohn
1401286910
Add support for cert alt names for etcd ( #2139 )
...
* Add support for cert alt names for etcd
* Update gen_certs_vault.yml
2018-01-09 14:37:34 +03:00
Steve Mitchell
e45b30d033
Add etcd key and cert environment variables for use with client auth
2018-01-02 13:52:17 -05:00
Bogdan Dobrelya
8aafe64397
Defaults for apiserver_loadbalancer_domain_name ( #1993 )
...
* Defaults for apiserver_loadbalancer_domain_name
When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.
Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
* Define defaults for LB modes in common defaults
Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-11-23 16:15:48 +00:00
chenhonggc
c7910b51a1
--peers DEPRECATED - --endpoints should be used instead ( #1943 )
2017-11-14 11:28:35 +00:00
Spencer Smith
0126168472
provide environment for rkt trust and run with etcd
2017-11-08 12:57:22 -05:00
Matthew Mosesohn
86fb669fd3
Idempotency fixes ( #1838 )
2017-10-25 21:19:40 +01:00
Matthew Mosesohn
acb63a57fa
Only limit etcd memory on small hosts ( #1860 )
...
Also disable oom killer on etcd
2017-10-25 10:25:15 +01:00
Matthew Mosesohn
0b4fcc83bd
Fix up warnings and deprecations ( #1848 )
2017-10-20 08:25:57 +01:00
Matthew Mosesohn
514359e556
Improve etcd scale up ( #1846 )
...
Now adding unjoined members to existing etcd cluster
occurs one at a time so that the cluster does not
lose quorum.
2017-10-20 08:02:31 +01:00
Matthew Mosesohn
fc9a65be2b
Refactor downloads to use download role directly ( #1824 )
...
* Refactor downloads to use download role directly
Also disable fact delegation so download delegate works acros OSes.
* clean up bools and ansible_os_family conditionals
2017-10-19 09:17:11 +01:00
Matthew Mosesohn
10dd049912
Revert "Security fixes for etcd ( #1778 )" ( #1786 )
...
This reverts commit 4209f1cbfd
.
2017-10-12 14:02:51 +01:00
Matthew Mosesohn
4209f1cbfd
Security fixes for etcd ( #1778 )
...
* Security fixes for etcd
* Use certs when querying etcd
2017-10-12 13:32:54 +01:00
Matthew Mosesohn
83be0735cd
Fix setting etcd client cert serial ( #1775 )
2017-10-11 19:47:11 +01:00
Spencer Smith
f2db15873d
Merge pull request #1754 from ArchiFleKs/rkt-kubelet-fix
...
add hosts to rkt kubelet
2017-10-10 10:37:36 -04:00
ArchiFleKs
7c663de6c9
add /etc/hosts volume to rkt templates
2017-10-09 16:41:51 +02:00
Aivars Sterns
9c86da1403
Normalize tags in all places to prepare for tag fixing in future ( #1739 )
2017-10-05 08:43:04 +01:00
Matthew Mosesohn
a56738324a
Move set_facts to kubespray-defaults defaults
...
These facts can be generated in defaults with a performance
boost.
Also cleaned up duplicate etcd var names.
2017-10-04 14:02:47 +01:00
Brad Beam
14c232e3c4
Merge pull request #1663 from foxyriver/fix-shell
...
use command module instead of shell module
2017-09-25 13:24:45 -05:00
Bogdan Dobrelya
bcddfb786d
Merge pull request #1692 from mattymo/old-etcd-logic
...
drop unused etcd logic
2017-09-25 17:44:33 +02:00
Hassan Zamani
b23d81f825
Add etcd_blkio_weight var ( #1690 )
2017-09-25 12:20:24 +01:00
Matthew Mosesohn
126f42de06
drop unused etcd logic
...
Fixes #1660
2017-09-25 07:52:55 +01:00
foxyriver
30b5493fd6
use command module instead of shell module
2017-09-22 15:47:03 +08:00
Brad Beam
ac281476c8
Prune unnecessary certs from vault setup ( #1652 )
...
* Cleaning up cert checks for vault
* Removing all unnecessary etcd certs from each node
* Removing all unnecessary kube certs from each node
2017-09-14 12:28:11 +01:00