C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
2189 commits 17 branches 66 tags 141 MiB
Commit graph

599 commits

Author SHA1 Message Date
Maxim Krasilnikov
e16b57aa05 Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster (#1632) 2017-09-07 23:30:16 +03:00
Chad Swenson
e26aec96b0 Consolidate kube-proxy module and sysctl loading (#1586) 
This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
 2017-09-06 15:11:51 +03:00
Brad Beam
a341adb7f3 Updating CN for node certs generated by vault (#1622) 
This allows the node authorization plugin to function correctly
 2017-09-06 10:55:08 +03:00
mkrasilnikov
957b7115fe Remove node name from kube-proxy and admin certificates 2017-09-05 14:40:26 +03:00
mkrasilnikov
bf0af1cd3d Vault role updates: 
* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;
 2017-09-05 09:07:35 +03:00
Matthew Mosesohn
fc7905653e Add socat for CoreOS when using host deploy kubelet (#1575) 2017-09-04 11:30:18 +03:00
Matthew Mosesohn
77602dbb93 Move calico to daemonset (#1605) 
* Drop legacy calico logic

* add calico as a daemonset
 2017-09-04 11:29:51 +03:00
Brad Beam
8ae77e955e Adding in certificate serial numbers to manifests (#1392) 2017-09-01 09:02:23 +03:00
Brad Beam
7a98ad50b4 Fixing CA certificate locations for k8s components 2017-08-30 15:30:40 -05:00
Oliver Moser
576beaa6a6 Include /opt/bin in PATH for host deployed kubelet on CoreOS (#1591) 
* Include /opt/bin in PATH for host deployed kubelet on CoreOS

* Removing conditional check for CoreOS
 2017-08-30 16:50:33 +03:00
Maxim Krasilnikov
6eb22c5db2 Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) 
* Added update CA trust step for etcd and kube/secrets roles

* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.

* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.

* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.

* Fixed different certificates set for vault cert_managment

* Update doc/vault.md

* Fixed condition create vault CA, wrong group

* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts

* Removed wrong when condition in create etcd role vault tasks.
 2017-08-30 16:03:22 +03:00
Matthew Mosesohn
13d08af054 Fix upgrade for canal and apiserver cert 
Fixes #1573
 2017-08-29 22:08:30 +01:00
Matthew Mosesohn
76b72338da Add CNI config for rkt kubelet (#1579) 2017-08-28 21:11:01 +03:00
Chad Swenson
a39e78d42d Initial version of Flannel using CNI (#1486) 
* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI
* Removes old Flannel installation
* Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host
* Uses RBAC if enabled
* Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set
 2017-08-25 10:07:50 +03:00
Hassan Zamani
01ce09f343 Add feature_gates var for customizing Kubernetes feature gates (#1520) 2017-08-24 23:18:38 +03:00
Xavier Mehrenberger
3aabba7535 Remove discontinued option --reconcile-cidr if kube_network_plugin=="cloud" (#1568) 2017-08-24 17:01:30 +03:00
Brad Beam
8b151d12b9 Adding yamllinter to ci steps (#1556) 
* Adding yaml linter to ci check

* Minor linting fixes from yamllint

* Changing CI to install python pkgs from requirements.txt

- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements
 2017-08-24 12:09:52 +03:00
Ian Lewis
ecb6dc3679 Register standalone master w/ taints (#1426) 
If Kubernetes > 1.6 register standalone master nodes w/ a
node-role.kubernetes.io/master=:NoSchedule taint to allow
for more flexible scheduling rather than just marking unschedulable.
 2017-08-23 16:44:11 +03:00
Matthew Mosesohn
ca3050ec3d Update to Kubernetes v1.7.3 (#1549) 
Change kubelet deploy mode to host
Enable cri and qos per cgroup for kubelet
Update CoreOS images
Add upgrade hook for switching from kubelet deployment from docker to host.
Bump machine type for ubuntu-rkt-sep
 2017-08-21 10:53:49 +03:00
Vijay Katam
97031f9133 Make epel-release install configurable (#1497) 2017-08-20 14:03:10 +03:00
Kevin Lefevre
65a9772adf Add OpenStack LBaaS support (#1506) 2017-08-20 13:59:15 +03:00
Miad Abrin
3c710219a1 Fix Some Typos in kubernetes master role (#1547) 
* Fix Typo etc3 -> etcd3

* Fix typo in post-upgrade of master. stop -> start
 2017-08-20 13:54:28 +03:00
Maxim Krasilnikov
2ba285a544 Fixed deploy cluster with vault cert manager (#1548) 
* Added custom ips to etcd vault distributed certificates

* Added custom ips to kube-master vault distributed certificates

* Added comment about issue_cert_copy_ca var in vault/issue_cert role file

* Generate kube-proxy, controller-manager and scheduler certificates by vault

* Revert "Disable vault from CI (#1546)"

This reverts commit 781f31d2b8.

* Fixed upgrade cluster with vault cert manager

* Remove vault dir in reset playbook
 2017-08-20 13:53:58 +03:00
Antoine Legrand
72ae7638bc Merge pull request #1446 from matlockx/master 
add possibility to ignore the hostname override
 2017-08-18 17:03:40 +02:00
Matthew Mosesohn
df28db0066 Fix cert and netchecker upgrade issues (#1543) 
* Bump tag for upgrade CI, fix netchecker upgrade

netchecker-server was changed from pod to deployment, so
we need an upgrade hook for it.

CI now uses v2.1.1 as a basis for upgrade.

* Fix upgrades for certs from non-rbac to rbac
 2017-08-18 15:46:22 +03:00
Brad Beam
383d582b47 Merge pull request #1382 from jwfang/rbac 
basic rbac support
 2017-08-07 08:01:51 -05:00
Spencer Smith
43eda8d878 Merge pull request #1471 from whereismyjetpack/fix_1447 
add newline after expanding user information
 2017-07-31 09:03:04 -04:00
nico
cc9f3ea938 Fix enforce-node-allocatable option 
Closes #1228
pods is default enforcement

see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
add

update
 2017-07-31 10:06:53 +02:00
Anton
e0960f6288 FIX: Unneded (extra) cycles in some tasks (#1393) 2017-07-27 20:46:21 +03:00
Dann Bohn
c4894d6092 add newline after expanding user information 2017-07-25 12:59:10 -04:00
Spencer Smith
ee36763f9d Merge pull request #1464 from johnko/patch-4 
set loadbalancer_apiserver_localhost default true
 2017-07-25 10:00:56 -04:00
Spencer Smith
4a34514b21 Merge pull request #1447 from whereismyjetpack/template_known_users 
Template out known_users.csv, optionally add groups
 2017-07-25 08:55:08 -04:00
John Ko
018b5039e7 set loadbalancer_apiserver_localhost default true 
to match this https://github.com/kubernetes-incubator/kubespray/blob/master/roles/kubernetes/node/tasks/main.yml#L20
and the documented behaviour in HA docs 
related to #1456
@rsmitty
 2017-07-20 10:27:05 -04:00
jwfang
092bf07cbf basic rbac support 2017-07-17 19:29:59 +08:00
Dann Bohn
d1f58fed4c Template out known_users.csv, optionally add groups 2017-07-14 09:27:20 -04:00
Martin Joehren
12e918bd31 add possibility to ignore the hostname override 2017-07-13 14:04:39 +00:00
Brad Beam
e0bf8b2aab Adding recursive=true for rkt kubelet dir 
Fixes #1434
 2017-07-12 09:28:54 -05:00
Spencer Smith
c75b21a510 Merge pull request #1408 from amitkumarj441/patch-1 
Remove deprecated 'enable-cri' flag in kubernetes 1.7
 2017-07-11 08:56:14 -04:00
Spencer Smith
4b0af73dd2 Merge pull request #1332 from gstorme/kube_apiserver_insecure_port 
Use the kube_apiserver_insecure_port variable instead of static 8080
 2017-07-06 09:06:50 -04:00
Amit Kumar Jaiswal
319a0d65af Update kubelet.j2 
Updated with closing endif.
 2017-07-03 16:23:35 +05:30
Amit Kumar Jaiswal
3d2680a102 Update kubelet.j2 
Updated!
 2017-07-03 15:58:50 +05:30
Amit Kumar Jaiswal
c36fb5919a Update kubelet.j2 
Updated!!
 2017-07-03 15:55:04 +05:30
Amit Kumar Jaiswal
46d3f4369e Updated K8s version 
Signed-off-by: Amit Kumar Jaiswal <amitkumarj441@gmail.com>
 2017-07-03 04:06:42 +05:30
Martin Joehren
c2b3920b50 added flag for not populating inventory entries to etc hosts file 2017-06-30 16:41:03 +00:00
Brad Beam
5e1ac9ce87 Merge pull request #1354 from chadswen/kubedns-var-fix 
kubedns consistency fixes
 2017-06-27 22:26:46 -05:00
Chad Swenson
8467bce2a6 Fix inconsistent kubedns version and parameterize kubedns autoscaler image vars 2017-06-27 10:19:31 -05:00
Spencer Smith
8203383c03 rename almost all mentions of kargo 2017-06-16 13:25:46 -04:00
Brad Beam
b73786c6d5 Merge pull request #1335 from bradbeam/imagerepo 
Set default value for kube_hyperkube_image_repo
 2017-06-12 09:46:17 -05:00
Gregory Storme
266ca9318d Use the kube_apiserver_insecure_port variable instead of static 8080 2017-06-12 09:20:59 +02:00
Brad Beam
db3e8edacd Fixing up vault variables 2017-06-08 16:15:33 -05:00
Brad Beam
6e41634295 Set default value for kube_hyperkube_image_repo 
Fixes #1334
 2017-06-08 12:22:16 -05:00
Brad Beam
696fd690ae Merge pull request #1092 from bradbeam/rkt_docker 
Adding flag for docker container in kubelet w/ rkt
 2017-06-06 12:58:40 -05:00
Spencer Smith
01c0ab4f06 check if cloud_provider is defined 2017-05-31 08:24:24 -04:00
Spencer Smith
7e2aafcc76 add direct path for cert in AWS with RHEL family 2017-05-26 17:32:50 -04:00
Matthew Mosesohn
9e64267867 Merge pull request #1293 from mattymo/kubelet_host_mode 
Add host-based kubelet deployment
 2017-05-19 18:07:39 +03:00
Matthew Mosesohn
cc6e3d14ce Add host-based kubelet deployment 
Kubelet gets copied from hyperkube container and run locally.
 2017-05-19 16:54:07 +03:00
Brad Beam
b999ee60aa Fixing typo in kubelet cluster-dns and cluster-domain flags 2017-05-16 15:43:29 -05:00
Spencer Smith
c572760a66 Merge pull request #1254 from iJanki/cert_group 
Adding /O=system:masters to admin certificate
 2017-05-05 10:58:42 -04:00
Spencer Smith
0afbc19ffb ensure the /etc/os-release is mounted read only 2017-05-01 14:51:40 -04:00
Spencer Smith
ac9290f985 add for rkt as well 2017-04-28 17:45:10 -04:00
Spencer Smith
5657738f7e mount os-release to ensure the node's OS is what's seen in k8s api 2017-04-28 13:40:54 -04:00
Sergii Golovatiuk
674b71b535 Ansible 2.3 support 
- Fix when clauses in various places
- Update requirements.txt
- Fix README.md

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-26 15:22:10 +02:00
Spencer Smith
88b5065e7d fix stray 'in' and break into multiple lines for clarity 2017-04-20 09:53:01 -04:00
Spencer Smith
b690008192 allow for correct aws default resolver 2017-04-20 09:32:03 -04:00
Matthew Mosesohn
2d6bc9536c Merge pull request #1246 from holser/disable_dns_for_kube_services 
Change DNS policy for kubernetes components
 2017-04-20 16:12:52 +03:00
Sergii Golovatiuk
01dc6b2f0e Add aws to default_resolver 
When VPC is used, external DNS might not be available. This patch change
behavior to use metadata service instead of external DNS when
upstream_dns_servers is not specified.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-20 11:47:19 +02:00
Sergii Golovatiuk
d8aa2d0a9e Change DNS policy for kubernetes components 
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-20 11:22:57 +02:00
Matthew Mosesohn
19bb97d24d Merge pull request #1238 from Starefossen/fix/namespace-template-file 
Move namespace file to template directory
 2017-04-20 12:19:55 +03:00
Matthew Mosesohn
9f4f168804 Merge pull request #1241 from bradbeam/rktcnidir 
Explicitly create cni bin dir
 2017-04-20 12:19:26 +03:00
Sergii Golovatiuk
e796cdbb27 Fix restart kube-controller (#1242) 
kubernetesUnitPrefix was changed to k8s_* in 1.5. This patch reflects
this change in kargo
 2017-04-20 11:26:01 +03:00
Brad Beam
b60a897265 Explicitly create cni bin dir 
If this path doesnt exist, it will cause kubelet to fail to start when
using rkt
 2017-04-19 16:00:44 +00:00
Hans Kristian Flaatten
d68cfeed6e
Move namespace file to template directory 2017-04-19 13:37:02 +02:00
Spencer Smith
c3c9e955e5 Merge pull request #1232 from rsmitty/custom-flags 
add ability for custom flags
 2017-04-17 14:01:32 -04:00
Spencer Smith
72d5db92a8 remove stray spaces in templating 2017-04-17 12:24:24 -04:00
Spencer Smith
3f302c8d47 ensure spacing on string of flags 2017-04-17 12:13:39 -04:00
Spencer Smith
04a769bb37 ensure spacing on string of flags 2017-04-17 11:11:10 -04:00
Spencer Smith
f9d4a1c1d8 update to safeguard against accidentally passing string instead of list 2017-04-17 11:09:34 -04:00
Matthew Mosesohn
3e7db46195 Merge pull request #1233 from gbolo/master 
allow admission control plug-ins to be easily customized
 2017-04-17 12:59:49 +03:00
gbolo
49be805001
allow admission control plug-ins to be easily customized 2017-04-16 22:03:45 -04:00
Spencer Smith
94596388f7 add ability for custom flags 2017-04-14 17:33:04 -04:00
Matthew Mosesohn
ae7f59e249 Skip vault cert task evaluation completely when using script cert generation 2017-04-13 19:29:07 +03:00
Matthew Mosesohn
1c45d37348 Update kubelet.j2 2017-04-06 22:59:18 +03:00
Matthew Mosesohn
b521255ec9 Unbreak 1.5 deployment with kubelet 
1.5 kubelet fails to start when using unknown params
 2017-04-06 21:07:48 +03:00
Matthew Mosesohn
75ea001bfe Merge pull request #1208 from mattymo/1.6-flannel 
Update to k8s 1.6 with flannel and centos fixes
 2017-04-06 13:04:02 +03:00
Matthew Mosesohn
ff2fb9196f Fix flannel for 1.6 and apply fixes to enable containerized kubelet 2017-04-06 10:06:21 +04:00
Matthew Mosesohn
acae0fe4a3 Merge pull request #1205 from holser/resolv_updates 
Refactoring resolv.conf
 2017-04-05 14:22:52 +03:00
Sergii Golovatiuk
2670eefcd4 Refactoring resolv.conf 
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-05 09:28:01 +02:00
Matthew Mosesohn
c0cae9e8a0 Merge pull request #1204 from mattymo/resolvconf-nodes 
Restart kubelet when updating /etc/resolv.conf on all k8s nodes
 2017-04-04 22:03:44 +03:00
Matthew Mosesohn
f8cf6b4f7c Merge pull request #1186 from holser/resolv_conf 
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
 2017-04-04 20:49:55 +03:00
Matthew Mosesohn
a29182a010 Restart kubelet when updating /etc/resolv.conf on all k8s nodes 2017-04-04 20:43:47 +03:00
Sergii Golovatiuk
1cfe0beac0 Set ClusterFirstWithHostNet for Pods with hostnetwork: true 
In kubernetes 1.6 ClusterFirstWithHostNet was added as an option. In
accordance to it kubelet will generate resolv.conf based on own
resolv.conf. However, this doesn't create 'options', thus the proper
solution requires some investigation.

This patch sets the same resolv.conf for kubelet as host

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
 2017-04-04 16:34:13 +02:00
Matthew Mosesohn
798f90c4d5 Merge pull request #1153 from mattymo/graceful_drain 
Move graceful upgrade test to Ubuntu canal HA, adjust drain
 2017-04-04 17:33:53 +03:00
Matthew Mosesohn
b4d06ff8dd Add /var/lib/cni to kubelet 
Necessary to persist this directory for host-local IPAM used by Canal
Add pre-upgrade task to copy /var/lib/cni out of old kubelet.
 2017-04-03 19:38:24 +03:00
Matthew Mosesohn
5a5707159a Fix multiline condition for k8s check certs 
Fixes #1190
 2017-04-03 17:44:55 +03:00
Matthew Mosesohn
80828a7c77 use etcd2 when upgrading unless forced 2017-04-03 15:07:42 +03:00
Matthew Mosesohn
d42e4f2344 Update .gitlab-ci.yml 2017-03-30 12:19:15 +04:00
Matthew Mosesohn
48beef25fa delete master containers forcefully 2017-03-27 19:08:22 +03:00
Matthew Mosesohn
a3f568fc64 restart scheduler and controller-manager too 2017-03-27 13:51:35 +03:00
Matthew Mosesohn
57ee304260 ensure post-upgrade purge ones only once 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
0794a866a7 switch debian8-canal-ha to ubuntu 2017-03-27 13:28:37 +03:00