We were regenerating only the cert of the first node
While at it speed up the check step
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e444b3c140)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-setup.yml
* add CI test for auto_renew_certificates
* change timer value
fix typo error in rotate cert script
(cherry picked from commit cce0940e1f)
Conflicts:
roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
* Remove ignore_errors from drain tasks and enable retires
* Fix lint error by checking if stdout length is not 0, ie string is not empty.
(cherry picked from commit ccd3aeebbc)
`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.
Signed-off-by: anthr76 <hello@anthonyrabbito.com>
(cherry picked from commit edfa3e9b14)
While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit efa180392b)
Conflicts:
roles/kubernetes/master/templates/k8s-certs-renew.service.j2
roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
* Download Calico KDD CRDs
* Replace kustomize with lineinfile and use ansible assemble module
* Replace find+lineinfile by sed in shell module to avoid nested loop
* add condition on sed
* use block for kdd tasks + remove supernumerary kdd manifest apply in start "Start Calico resources"
(cherry picked from commit 1c62af0c95)
Conflicts:
roles/network_plugin/calico/tasks/install.yml
"The error was: 'proxy_disable_env' is undefined\n\nThe error appears to
be in '<censored>scale.yml': line 72, column 7"
Fixes 067db686f6
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 057e8b4358)
c9c0c01de0 only fix the problem for new clusters
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 14b63ede8c)
Conflicts:
roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml
* Update ansible to v2.9.18
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
* Update jinja2 to v2.11.3
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
(cherry picked from commit b07c5966a6)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.
More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b
(cherry picked from commit dc5df57c26)
The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit a9c97e5253)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-version.yml
There are no reasons not to backup during upgrade
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 53e5ef6b4e)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-backup.yml
roles/kubernetes/master/tasks/kubeadm-certificate.yml
kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 8800b5c01d)
kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 280036fad6)
apiserver.pem is not used since ddffdb63bf
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit fedd671d68)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`
kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage
This revert to the logic before 6fe2248314
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit c9c0c01de0)
On CentOS 8 they seem to be ignored by default, but better be extra safe
This also make it easy to exclude other network plugin interfaces
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e442b1d2b9)
By default Ansible stat module compute checksum, list extended attributes and find mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit de1d9df787)
Conflicts:
roles/etcd/tasks/check_certs.yml