C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
2313 commits 17 branches 66 tags 141 MiB
Commit graph

1399 commits

Author SHA1 Message Date
Spencer Smith f0317ae70b
Merge pull request #1876 from ArchiFleKs/update_flannel 
update flannel
 2017-10-27 15:22:54 -04:00
Spencer Smith 591941bd39
Merge pull request #1884 from abelgana/master 
Sysctl reload if needed after IP forward enabling
 2017-10-27 15:12:08 -04:00
Spencer Smith e90769c869
Merge pull request #1888 from chapsuk/issue_1885 
Disable swap in vagrant vms
 2017-10-27 15:10:16 -04:00
Chad Swenson 256bbb1a8a Parameterize apt repo endpoints 
This allows overriding of apt repo endpoints when internet sources are not accessible. Additionally, switch to using the dockerproject.org gpg key url for apt instead of keyservers.net
 2017-10-27 13:48:11 -05:00
mkrasilnikov 2c7c956be9 Disable swap in vagrant vms 2017-10-27 19:57:54 +03:00
Matthew Mosesohn fe81bba08d Force kubelet certificates to be generated as lowercase (#1886) 
All nodes get converted to lowercase, so certs should set
CN with lowercase as well.
 2017-10-27 15:58:25 +01:00
Matthew Mosesohn 564de07963 fix indentation for network policy option 2017-10-27 14:56:22 +01:00
Aivars Sterns 84cf6fbe83 change ssh_args/bastion configuration (#1883) 2017-10-27 12:18:39 +01:00
abelgana d9160f19c0 Sysctl reload if needed after IP forward enabling 
Add reload yes to reload sysctl if the value of net.ipv4.ip_forward changes.

- name: Enable ip forwarding
  sysctl:
    sysctl_file: "{{sysctl_file_path}}"
    name: net.ipv4.ip_forward
    value: 1
    state: present
    reload: yes
  tags:
    - bootstrap-os
 2017-10-26 13:06:21 -04:00
Brad Beam ba0a03a8ba Merge pull request #1880 from mattymo/node_auth_fixes2 
Move cluster roles and system namespace to new role
 2017-10-26 10:02:24 -05:00
Matthew Mosesohn b0f04d925a Update network policy setting for Kubernetes 1.8 (#1879) 
It is now enabled by default in 1.8 with the api changed
to networking.k8s.io/v1 instead of extensions/v1beta1.
 2017-10-26 15:35:26 +01:00
Matthew Mosesohn ec53b8b66a Move cluster roles and system namespace to new role 
This should be done after kubeconfig is set for admin and
before network plugins are up.
 2017-10-26 14:36:05 +01:00
ArchiFleKs 6e949bf951 update flannel 2017-10-26 11:18:06 +02:00
Matthew Mosesohn 86fb669fd3 Idempotency fixes (#1838) 2017-10-25 21:19:40 +01:00
Matthew Mosesohn 7123956ecd update checksum for kubeadm (#1869) 2017-10-25 21:15:16 +01:00
Spencer Smith 46cf6b77cf Merge pull request #1857 from pmontanari/patch-1 
Use same kubedns_version: 1.14.5 in downloads  and kubernetes-apps/ansible roles
 2017-10-25 10:05:43 -04:00
Matthew Mosesohn a52bc44f5a Fix broken CI jobs (#1854) 
* Fix broken CI jobs

Adjust image and image_family scenarios for debian.
Checkout CI file for upgrades

* add debugging to file download

* Fix download for alternate playbooks

* Update ansible ssh args to force ssh user

* Update sync_container.yml
 2017-10-25 11:45:54 +01:00
Matthew Mosesohn acb63a57fa Only limit etcd memory on small hosts (#1860) 
Also disable oom killer on etcd
 2017-10-25 10:25:15 +01:00
Flavio Percoco Premoli 5b08277ce4 Access dict item's value keys using .value (#1865) 2017-10-24 20:49:36 +01:00
Chiang Fong Lee 5dc56df64e Fix ordering of kube-apiserver admission control plug-ins (#1841) 2017-10-24 17:28:07 +01:00
Matthew Mosesohn 33c4d64b62 Make ClusterRoleBinding to admit all nodes with right cert (#1861) 
This is to work around #1856 which can occur when kubelet
hostname and resolvable hostname (or cloud instance name)
do not match.
 2017-10-24 17:05:58 +01:00
Matthew Mosesohn 25de6825df Update Kubernetes to v1.8.1 (#1858) 2017-10-24 17:05:45 +01:00
Peter Lee 0b60201a1e fix etcd health check bug (#1480) 2017-10-24 16:10:56 +01:00
Haiwei Liu cfea99c4ee Fix scale.yml to supoort kubeadm (#1863) 
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
 2017-10-24 16:08:48 +01:00
Matthew Mosesohn cea41a544e Use include instead of import tasks to support v2.3 (#1855) 
Eventually 2.3 support will be dropped, so this is
a temporary change.
 2017-10-23 13:56:03 +01:00
pmontanari 8371a060a0 Update main.yml 
Match kubedns_version with roles/download/defaults/main.yml:kubedns_version: 1.14.5
 2017-10-22 23:48:51 +02:00
Matthew Mosesohn 7ed140cea7 Update refs to kubernetes version to v1.8.0 (#1845) 2017-10-20 08:29:28 +01:00
Matthew Mosesohn 0b4fcc83bd Fix up warnings and deprecations (#1848) 2017-10-20 08:25:57 +01:00
Matthew Mosesohn 514359e556 Improve etcd scale up (#1846) 
Now adding unjoined members to existing etcd cluster
occurs one at a time so that the cluster does not
lose quorum.
 2017-10-20 08:02:31 +01:00
Matthew Mosesohn fc9a65be2b Refactor downloads to use download role directly (#1824) 
* Refactor downloads to use download role directly

Also disable fact delegation so download delegate works acros OSes.

* clean up bools and ansible_os_family conditionals
 2017-10-19 09:17:11 +01:00
Jan Jungnickel 49dff97d9c Relabel controler-manager to kube-controller-manager (#1830) 
Fixes #1129
 2017-10-18 17:29:18 +01:00
Matthew Mosesohn 4efb0b78fa Move CI vars out of gitlab and into var files (#1808) 2017-10-18 17:28:54 +01:00
Hassan Zamani c9fe8fde59 Use fail-swap-on flag only for kube_version >= 1.8 (#1829) 2017-10-18 16:32:38 +01:00
Matthew Mosesohn 16462292e1 Properly skip extra SANs when not specified for kubeadm (#1831) 2017-10-18 12:04:13 +01:00
pmontanari 20d80311f0 Update main.yml (#1822) 
* Update main.yml

Needs to set up resolv.conf before updating Yum cache otherwise no name resolution available (resolv.conf empty).

* Update main.yml

Removing trailing spaces
 2017-10-18 11:42:00 +01:00
Hassan Zamani 3acc42c5b3 Use etcd_access_addresses for vault_etcd_url 2017-10-17 19:27:36 +03:30
Tennis Smith 54320c5b09 set to 3 digit version number (#1817) 2017-10-17 11:14:29 +01:00
Seungkyu Ahn 291b71ea3b Changing default value string to boolean. (#1669) 
When downloading containers or files, use boolean
as a default value.
 2017-10-17 11:14:12 +01:00
Rémi de Passmoilesel 356515222a Add possibility to insert more ip adresses in certificates (#1678) 
* Add possibility to insert more ip adresses in certificates

* Add newline at end of files

* Move supp ip parameters to k8s-cluster group file

* Add supplementary addresses in kubeadm master role

* Improve openssl indexes
 2017-10-17 11:06:07 +01:00
Aivars Sterns 688e589e0c fix #1788 lock dashboard version to 1.6.3 version while 1.7.x is not working (#1805) 2017-10-17 11:04:55 +01:00
刘旭 6c98201aa4 remove kube-dns versions and images in kubernetes-apps/ansible/defaults/main.yaml (#1807) 2017-10-17 11:03:53 +01:00
Matthew Mosesohn d4b10eb9f5 Fix path for calico get node names (#1816) 2017-10-17 10:54:48 +01:00
Jiří Stránský 728d56e74d Only write bastion ssh config when needed (#1810) 
This will allow running Kubespray when the user who runs it doesn't
have write permissions to the Kubespray dir, at least when not using
bastion.
 2017-10-17 10:28:45 +01:00
neith00 77f1d4b0f1 Revert "Update roadmap" (#1809) 
* Revert "Debian jessie docs (#1806)"

This reverts commit d78577c810.

* Revert "[contrib/network-storage/glusterfs] adds service for glusterfs endpoint (#1800)"

This reverts commit 5fb6b2eaf7.

* Revert "[contrib/network-storage/glusterfs] bootstrap for glusterfs nodes (#1799)"

This reverts commit 404caa111a.

* Revert "Fixed kubelet standard log environment (#1780)"

This reverts commit b838468500.

* Revert "Add support for fedora atomic host (#1779)"

This reverts commit f2235be1d3.

* Revert "Update network-plugins to use portmap plugin (#1763)"

This reverts commit 6ec45b10f1.

* Revert "Update roadmap (#1795)"

This reverts commit d9879d8026.
 2017-10-16 14:09:24 +01:00
Seungkyu Ahn b838468500 Fixed kubelet standard log environment (#1780) 
Change KUBE_LOGGING to KUBE_LOGTOSTDERR, when installing kubelet
as host type.
 2017-10-16 08:22:54 +01:00
Jason Brooks f2235be1d3 Add support for fedora atomic host (#1779) 
* don't try to install this rpm on fedora atomic

* add docker 1.13.1 for fedora

* built-in docker unit file is sufficient, as tested on both fedora and centos atomic
 2017-10-16 08:03:33 +01:00
Kevin Lefevre 6ec45b10f1 Update network-plugins to use portmap plugin (#1763) 
Portmap allow to use hostPort with CNI plugins. Should fix #1675
 2017-10-16 07:11:38 +01:00
Matthew Mosesohn d9879d8026 Update roadmap (#1795) 2017-10-16 07:06:06 +01:00
Matthew Mosesohn d487b2f927 Security best practice fixes (#1783) 
* Disable basic and token auth by default

* Add recommended security params

* allow basic auth to fail in tests

* Enable TLS authentication for kubelet
 2017-10-15 20:41:17 +01:00
Julian Poschmann 66e5e14bac Restart kubelet on update in deployment-type host on update (#1759) 
* Restart kubelet on update in deployment-type host on update

* Update install_host.yml

* Update install_host.yml

* Update install_host.yml
 2017-10-15 20:22:17 +01:00
Matthew Mosesohn 7e4668859b Change file used to check kubeadm upgrade method (#1784) 
* Change file used to check kubeadm upgrade method

Test for ca.crt instead of admin.conf because admin.conf
is created during normal deployment.

* more fixes for upgrade
 2017-10-15 10:33:22 +01:00
Matthew Mosesohn 92d038062e Fix node authorization for cloudprovider installs (#1794) 
In 1.8, the Node authorization mode should be listed first to
allow kubelet to access secrets. This seems to only impact
environments with cloudprovider enabled.
 2017-10-14 11:28:46 +01:00
abelgana 2972bceb90 Changre raw execution to use yum module (#1785) 
* Changre raw execution to use yum module

Changed raw exection to use yum module provided by Ansible.

* Replace ansible_ssh_* by ansible_*

Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port. If you are using a version of Ansible prior to 2.0, you should continue using the older style variables (ansible_ssh_*). These shorter variables are ignored, without warning, in older versions of Ansible.

I am not sure about the broader impact of this change. But I have seen on the requirements the version required is ansible>=2.4.0.

http://docs.ansible.com/ansible/latest/intro_inventory.html
 2017-10-14 09:52:40 +01:00
刘旭 cb0a60a0fe calico v2.5.0 should use calico/routereflector:v0.4.0 (#1792) 2017-10-14 09:51:48 +01:00
Matthew Mosesohn 3ee91e15ff Use commas in no_proxy (#1782) 2017-10-13 15:43:10 +01:00
Matthew Mosesohn ef47a73382 Add new addon Istio (#1744) 
* add istio addon

* add addons to a ci job
 2017-10-13 15:42:54 +01:00
Matthew Mosesohn dc515e5ac5 Remove kernel-upgrade role (#1798) 
This role only support Red Hat type distros and is not maintained
or used by many users. It should be removed because it creates
feature disparity between supported OSes and is not maintained.
 2017-10-13 15:36:21 +01:00
Julian Poschmann 56763d4288 Persist br_netfilter module loading (#1760) 2017-10-13 10:50:29 +01:00
Matthew Mosesohn 10dd049912 Revert "Security fixes for etcd (#1778)" (#1786) 
This reverts commit 4209f1cbfd.
 2017-10-12 14:02:51 +01:00
Matthew Mosesohn 4209f1cbfd Security fixes for etcd (#1778) 
* Security fixes for etcd

* Use certs when querying etcd
 2017-10-12 13:32:54 +01:00
Matthew Mosesohn ee83e874a8 Clear admin kubeconfig when rotating certs (#1772) 
* Clear admin kubeconfig when rotating certs

* Update main.yml
 2017-10-12 09:55:46 +01:00
Vijay Katam 27ed73e3e3 Rename dns_server, add var for selinux. (#1572) 
* Rename dns_server to dnsmasq_dns_server so that it includes role prefix
as the var name is generic and conflicts when integrating with existing ansible automation.
*  Enable selinux state to be configurable with new var preinstall_selinux_state
 2017-10-11 20:40:21 +01:00
Aivars Sterns e41c0532e3 add possibility to disable fail with swap (#1773) 2017-10-11 19:49:31 +01:00
Matthew Mosesohn eeb7274d65 Adjust memory reservation for master nodes (#1769) 2017-10-11 19:47:42 +01:00
Matthew Mosesohn eb0dcf6063 Improve proxy (#1771) 
* Set no_proxy to all local ips

* Use proxy settings on all necessary tasks
 2017-10-11 19:47:27 +01:00
Matthew Mosesohn 83be0735cd Fix setting etcd client cert serial (#1775) 2017-10-11 19:47:11 +01:00
Matthew Mosesohn fe4ba51d1a Set node IP correctly (#1770) 
Fixes #1741
 2017-10-11 15:28:42 +01:00
Hyunsun Moon adf575b75e Set default value for disable_shared_pid (#1710) 
PID namespace sharing is disabled only in Kubernetes 1.7.
Explicitily enabling it by default could help reduce unexpected
results when upgrading to or downgrading from 1.7.
 2017-10-11 14:55:51 +01:00
Spencer Smith e5426f74a8 Merge pull request #1762 from manics/bindir-helm 
Include bin_dir when patching helm tiller with kubectl
 2017-10-10 10:40:47 -04:00
Spencer Smith f5212d3b79 Merge pull request #1752 from pmontanari/patch-1 
Force synchronize to use ssh_args so it works when using bastion
 2017-10-10 10:40:01 -04:00
Spencer Smith 3d09c4be75 Merge pull request #1756 from kubernetes-incubator/fix_bool_assert 
Fix bool check assert
 2017-10-10 10:38:53 -04:00
Spencer Smith f2db15873d Merge pull request #1754 from ArchiFleKs/rkt-kubelet-fix 
add hosts to rkt kubelet
 2017-10-10 10:37:36 -04:00
ArchiFleKs 7c663de6c9 add /etc/hosts volume to rkt templates 2017-10-09 16:41:51 +02:00
Simon Li c14bbcdbf2 Include bin_dir when patching helm tiller with kubectl 2017-10-09 15:17:52 +01:00
ant31 1be4c1935a Fix bool check assert 2017-10-06 17:02:38 +00:00
pmontanari 764b1aa5f8 Force synchronize to use ssh_args so it works when using bastion 
In case ssh.config is set to use bastion, synchronize needs to use it too.
 2017-10-06 00:21:54 +02:00
Spencer Smith d13b07ba59 Merge pull request #1751 from bradbeam/calicoprometheus 
Adding calico/node env vars for prometheus configuration
 2017-10-05 17:29:12 -04:00
Brad Beam 55dfae2a52 Followup fix for CVE-2017-14491 2017-10-05 11:31:04 -05:00
Brad Beam b81c0d869c Adding calico/node env vars for prometheus configuration 2017-10-05 08:46:01 -05:00
Matthew Mosesohn f14f04c5ea Upgrade to kubernetes v1.8.0 (#1730) 
* Upgrade to kubernetes v1.8.0

hyperkube no longer contains rsync, so now use cp

* Enable node authorization mode

* change kube-proxy cert group name
 2017-10-05 10:51:21 +01:00
Aivars Sterns 9c86da1403 Normalize tags in all places to prepare for tag fixing in future (#1739) 2017-10-05 08:43:04 +01:00
Spencer Smith cb611b5ed0 Merge pull request #1742 from mattymo/facts_as_vars 
Move set_facts to kubespray-defaults defaults
 2017-10-04 15:46:39 -04:00
Spencer Smith ab171a1d6d don't delegate cert slurp 2017-10-04 13:06:51 -04:00
Matthew Mosesohn a56738324a Move set_facts to kubespray-defaults defaults 
These facts can be generated in defaults with a performance
boost.

Also cleaned up duplicate etcd var names.
 2017-10-04 14:02:47 +01:00
Matthew Mosesohn e42cb43ca5 add bootstrap for debian (#1726) 2017-10-03 08:30:45 +01:00
Brad Beam ca541c7e4a Ensuring vault service is stopped in reset tasks (#1736) 2017-10-03 08:30:28 +01:00
Brad Beam 96e14424f0 Adding kubedns update for CVE-2017-14491 (#1735) 2017-10-03 08:30:14 +01:00
Matthew Mosesohn dae9f6d3c2 Test if tokens are expired from host instead of inside container (#1727) 
* Test if tokens are expired from host instead of inside container

* Update main.yml
 2017-10-02 13:14:50 +01:00
Julian Poschmann 8e1210f96e Fix cluster-network w/ prefix > 25 not possible with CNI (#1713) 2017-10-01 10:43:00 +01:00
Brad Beam 1b9a6d7ad8 Merge pull request #1672 from manics/bastion-proxycommand-newline 
Insert a newline in bastion ssh config after ProxyCommand conditional
 2017-09-29 11:37:47 -05:00
Peter Slijkhuis 371fa51e82 Make installation of EPEL optional (#1721) 2017-09-29 13:44:29 +01:00
Matthew Mosesohn a55675acf8 Enable RBAC with kubeadm always (#1711) 2017-09-29 09:18:24 +01:00
Matthew Mosesohn 25dd3d476a Fix error for azure+calico assert (#1717) 
Fixes #1716
 2017-09-29 08:17:18 +01:00
Matthew Mosesohn 3ff5f40bdb fix graceful upgrade (#1704) 
Fix system namespace creation
Only rotate tokens when necessary
 2017-09-27 14:49:20 +01:00
Matthew Mosesohn 689ded0413 Enable kubeadm upgrades to any version (#1709) 2017-09-27 14:48:18 +01:00
Matthew Mosesohn 327ed157ef Verify valid settings before deploy (#1705) 
Also fix yaml lint issues

Fixes #1703
 2017-09-27 14:47:47 +01:00
tanshanshan 477afa8711 when and run_once are reduplicative (#1694) 2017-09-26 14:48:05 +01:00
Matthew Mosesohn bd272e0b3c Upgrade to kubeadm (#1667) 
* Enable upgrade to kubeadm

* fix kubedns upgrade

* try upgrade route

* use init/upgrade strategy for kubeadm and ignore kubedns svc

* Use bin_dir for kubeadm

* delete more secrets

* fix waiting for terminating pods

* Manually enforce kube-proxy for kubeadm deploy

* remove proxy. update to kubeadm 1.8.0rc1
 2017-09-26 10:38:58 +01:00
Brad Beam 14c232e3c4 Merge pull request #1663 from foxyriver/fix-shell 
use command module instead of shell module
 2017-09-25 13:24:45 -05:00
Brad Beam 57f5fb1f4f Merge pull request #1661 from neith00/master 
upgrading from weave version 2.0.1 to 2.0.4
 2017-09-25 13:23:57 -05:00