Commit graph

510 commits

Author SHA1 Message Date
Matthew Mosesohn
a0225507a0
Set helm deployment type to host (#2012) 2017-11-29 19:52:54 +00:00
unclejack
e5d353d0a7 contiv network support (#1914)
* Add Contiv support

Contiv is a network plugin for Kubernetes and Docker. It supports
vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
multiple networks and bridging pods onto physical networks.

* Update contiv version to 1.1.4

Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.

* Load openvswitch module to workaround on CentOS7.4

* Set contiv cni version to 0.1.0

Correct contiv CNI version to 0.1.0.

* Use kube_apiserver_endpoint for K8S_API_SERVER

Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
to a available endpoint no matter if there's a loadbalancer or not.

* Make contiv use its own etcd

Before this commit, contiv is using a etcd proxy mode to k8s etcd,
this work fine when the etcd hosts are co-located with contiv etcd
proxy, however the k8s peering certs are only in etcd group, as a
result the etcd-proxy is not able to peering with the k8s etcd on
etcd group, plus the netplugin is always trying to find the etcd
endpoint on localhost, this will cause problem for all netplugins
not runnign on etcd group nodes.
This commit make contiv uses its own etcd, separate from k8s one.
on kube-master nodes (where net-master runs), it will run as leader
mode and on all rest nodes it will run as proxy mode.

* Use cp instead of rsync to copy cni binaries

Since rsync has been removed from hyperkube, this commit changes it
to use cp instead.

* Make contiv-etcd able to run on master nodes

* Add rbac_enabled flag for contiv pods

* Add contiv into CNI network plugin lists

* migrate contiv test to tests/files

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

* Add required rules for contiv netplugin

* Better handling json return of fwdMode

* Make contiv etcd port configurable

* Use default var instead of templating

* roles/download/defaults/main.yml: use contiv 1.1.7

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2017-11-29 14:24:16 +00:00
Bob Killen
2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
Chad Swenson
849aaf7435 Update to k8s 1.8.3 (#1971) 2017-11-15 17:43:22 +00:00
Chad Swenson
0c6f172e75 Kubernetes Dashboard v1.7.1 Refactor
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
2017-11-15 10:05:48 -06:00
Matthew Mosesohn
f9b68a5d17
Revert "Support for disabling apiserver insecure port" (#1974) 2017-11-14 13:41:28 +00:00
Chad Swenson
0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
Matthew Mosesohn
66c67dbe73
Add optional helm deployment mode for host (#1920) 2017-11-03 07:09:24 +00:00
Matthew Mosesohn
c0e989b17c
New addon: local_volume_provisioner (#1909) 2017-11-01 14:25:35 +00:00
Andrew Greenwood
e196adb98c
Update kubernetes 1.8.2 2017-10-29 22:09:22 -04:00
Matthew Mosesohn
25de6825df Update Kubernetes to v1.8.1 (#1858) 2017-10-24 17:05:45 +01:00
Rémi de Passmoilesel
356515222a Add possibility to insert more ip adresses in certificates (#1678)
* Add possibility to insert more ip adresses in certificates

* Add newline at end of files

* Move supp ip parameters to k8s-cluster group file

* Add supplementary addresses in kubeadm master role

* Improve openssl indexes
2017-10-17 11:06:07 +01:00
Matthew Mosesohn
d487b2f927 Security best practice fixes (#1783)
* Disable basic and token auth by default

* Add recommended security params

* allow basic auth to fail in tests

* Enable TLS authentication for kubelet
2017-10-15 20:41:17 +01:00
Matthew Mosesohn
ef47a73382 Add new addon Istio (#1744)
* add istio addon

* add addons to a ci job
2017-10-13 15:42:54 +01:00
Matthew Mosesohn
dc515e5ac5 Remove kernel-upgrade role (#1798)
This role only support Red Hat type distros and is not maintained
or used by many users. It should be removed because it creates
feature disparity between supported OSes and is not maintained.
2017-10-13 15:36:21 +01:00
Maxim Krasilnikov
ad9fa73301 Remove cert_managment var definition from k8s-cluster group vars (#1790) 2017-10-13 10:21:39 +01:00
Vijay Katam
27ed73e3e3 Rename dns_server, add var for selinux. (#1572)
* Rename dns_server to dnsmasq_dns_server so that it includes role prefix
as the var name is generic and conflicts when integrating with existing ansible automation.
*  Enable selinux state to be configurable with new var preinstall_selinux_state
2017-10-11 20:40:21 +01:00
Matthew Mosesohn
eb0dcf6063 Improve proxy (#1771)
* Set no_proxy to all local ips

* Use proxy settings on all necessary tasks
2017-10-11 19:47:27 +01:00
Matthew Mosesohn
f14f04c5ea Upgrade to kubernetes v1.8.0 (#1730)
* Upgrade to kubernetes v1.8.0

hyperkube no longer contains rsync, so now use cp

* Enable node authorization mode

* change kube-proxy cert group name
2017-10-05 10:51:21 +01:00
Matthew Mosesohn
327ed157ef Verify valid settings before deploy (#1705)
Also fix yaml lint issues

Fixes #1703
2017-09-27 14:47:47 +01:00
Maxim Krasilnikov
1067595b5c Change used chars for kubeadm tokens (#1701) 2017-09-26 05:56:08 +01:00
Matthew Mosesohn
ef8e35e39b Create admin credential kubeconfig (#1647)
New files: /etc/kubernetes/admin.conf
           /root/.kube/config
           $GITDIR/artifacts/{kubectl,admin.conf}

Optional method to download kubectl and admin.conf if
kubeconfig_lcoalhost is set to true (default false)
2017-09-18 13:30:57 +01:00
Kevin Lefevre
9302ce0036 Enhanced OpenStack cloud provider (#1627)
- Enable Cinder API version for block storage
- Enable floating IP for LBaaS
2017-09-16 08:43:24 +01:00
Kyle Bai
016301508e Update to Kubernetes v1.7.5 (#1649) 2017-09-14 07:18:03 +01:00
Matthew Mosesohn
6744726089 kubeadm support (#1631)
* kubeadm support

* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job

* change ci boolean vars to json format

* fixup

* Update create-gce.yml

* Update create-gce.yml

* Update create-gce.yml
2017-09-13 19:00:51 +01:00
Matthew Mosesohn
9fa1873a65 Add kube dashboard, enabled by default (#1643)
* Add kube dashboard, enabled by default

Also add rbac role for kube user

* Update main.yml
2017-09-09 23:38:03 +03:00
Matthew Mosesohn
f29a42721f Clean up debug in check apiserver test (#1638)
* Clean up debug in check apiserver test

* Change password generation for kube_user

Special characters are not allowed in known_users.csv file
2017-09-08 15:47:13 +03:00
Matthew Mosesohn
7117614ee5 Use a generated password for kube user (#1624)
Removed unnecessary root user
2017-09-06 20:20:25 +03:00
Maxim Krasilnikov
9bce364b3c Update auth enabled methods in group_vars example (#1625) 2017-09-06 15:10:18 +03:00
Matthew Mosesohn
ca3050ec3d Update to Kubernetes v1.7.3 (#1549)
Change kubelet deploy mode to host
Enable cri and qos per cgroup for kubelet
Update CoreOS images
Add upgrade hook for switching from kubelet deployment from docker to host.
Bump machine type for ubuntu-rkt-sep
2017-08-21 10:53:49 +03:00
Kevin Lefevre
65a9772adf Add OpenStack LBaaS support (#1506) 2017-08-20 13:59:15 +03:00
Brad Beam
460b5824c3 Merge pull request #1448 from lancomsystems/log-rotataion-example
Add logging options to default docker options
2017-08-10 08:30:23 -05:00
Spencer Smith
cb6892d2ed Merge pull request #1469 from hzamani/etcd_metrics
Add etcd metrics flag
2017-07-31 09:04:07 -04:00
nico
cc9f3ea938 Fix enforce-node-allocatable option
Closes #1228
pods is default enforcement

see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
add

update
2017-07-31 10:06:53 +02:00
timtoum
3e457e4edf Enable weave seed mode for kubespray (#1414)
* Enable weave seed mode for kubespray

* fix task Weave seed | Set peers if existing peers

* fix mac address variabilisation

* fix default values

* fix include seed condition

* change weave var to default values

* fix Set peers if existing peers
2017-07-26 19:09:34 +03:00
Hassan Zamani
3fb0383df4 Add etcd metrics flag 2017-07-25 20:00:30 +04:30
Spencer Smith
4a34514b21 Merge pull request #1447 from whereismyjetpack/template_known_users
Template out known_users.csv, optionally add groups
2017-07-25 08:55:08 -04:00
Spencer Smith
927e6d89d7 Merge pull request #1435 from delfer/master
Kubernetes upgrade to 1.6.7
2017-07-19 05:23:38 -07:00
Dann Bohn
d1f58fed4c Template out known_users.csv, optionally add groups 2017-07-14 09:27:20 -04:00
Brad Beam
637f445c3f Merge pull request #1365 from AtzeDeVries/master
Give more control over IPIP, but with same default behaviour
2017-07-12 10:17:17 -05:00
Delfer
9f45eba6f6 Kubernetes upgrade to 1.6.7 2017-07-11 09:11:55 +00:00
AtzeDeVries
e160018826 Fixed conflicts, ipip:true as defualt and added ipip_mode 2017-07-08 14:36:44 +02:00
Julian Poschmann
380fb986b6 Add logging options to default docker options 2017-07-07 12:39:42 +02:00
Vladimir Kozyrev
e26be9cb8a add private dns server for a specific zone 2017-07-06 16:30:47 +03:00
jwfang
ec2255764a docker_dns_servers_strict to control docker_dns_servers rtrim 2017-06-26 17:29:12 +08:00
AtzeDeVries
61b74f9a5b updated to direct control over ipip 2017-06-23 09:16:05 +02:00
AtzeDeVries
7332679678 Give more control over IPIP, but with same default behaviour 2017-06-20 14:50:08 +02:00
Gregory Storme
fff0aec720 add configurable parameter for etcd_auto_compaction_retention 2017-06-14 10:39:38 +02:00
zoues
43408634bb Merge branch 'master' into master 2017-05-23 09:32:28 +08:00
zouyee
d47fce6ce7 upgrade k8s version to 1.6.4 2017-05-23 09:30:03 +08:00
Spencer Smith
31a7b7d24e default to kubedns and set nxdomain in kubedns deployment if that's the dns_mode 2017-05-12 15:57:24 -04:00
Vincent Schwarzer
7f0c0a0922 Fix for etcd variable issue 2017-04-12 12:59:49 +02:00
Matthew Mosesohn
ccc11e5680 Upgrade to Kubernetes 1.6.1 2017-04-05 13:26:36 +03:00
Matthew Mosesohn
0f64f8db90 Merge pull request #1155 from mattymo/helm
Add helm deployment
2017-03-20 17:00:06 +03:00
Matthew Mosesohn
b69d4b0ecc Add helm deployment 2017-03-17 20:24:41 +03:00
Aleksandr Didenko
3a39904011 Move calico-policy-controller into separate role
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn
096d96e344 Merge pull request #1137 from holser/bug/1135
Turn on iptables for flannel
2017-03-15 17:06:42 +03:00
Sergii Golovatiuk
9667e8615f Turn on iptables for flannel
Closes: #1135
Closes: #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-14 17:54:55 +01:00
Vincent Schwarzer
026da060f2 Granular authentication Control
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Vincent Schwarzer
b075960e3b Added Support for OpenID Connect Authentication
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Antoine Legrand
85596c2610 Merge pull request #1045 from bradbeam/vsphere
Adding vsphere cloud provider support
2017-03-06 12:34:05 +01:00
Sergii Golovatiuk
d31c040dc0 Change kube-api default port from 443 to 6443
Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.

Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 15:45:35 +01:00
Sergii Golovatiuk
f9ff93c606 Make etcd data dir configurable.
Closes: #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-27 21:35:51 +01:00
Jan Jungnickel
df476b0088 Initial support for vsphere as cloud provider 2017-02-27 12:51:41 -06:00
Sergii Golovatiuk
a098a32f7d Uncomment one key/value in all.yml
all.yaml shouldn't be empty otherwise ansible won't be able to merge 2
dicts.

Related bug: ansible/issues/21889
2017-02-24 12:25:45 +01:00
Antoine Legrand
eb904668b2 Uncommented group_vars variables 2017-02-24 10:54:25 +01:00
Antoine Legrand
c7d61af332 Comment all variables in group_vars 2017-02-23 14:02:57 +01:00
Antoine Legrand
5f7607412b Add default var role 2017-02-23 12:07:17 +01:00
Bogdan Dobrelya
712872efba Rework inventory all by real groups' vars
* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 09:43:42 +01:00
Sergii Golovatiuk
ebf9daf73e Statically disable iptables management for docker
Docker 1.13 changes the behaviour of iptables defaults from allow
to drop. This patch disables docker's iptables management as it was
in Docker 1.12 [1]

[1] https://github.com/docker/docker/pull/28257

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-21 19:10:34 +01:00
Matthew Mosesohn
10173525d8 Update Kubernetes to v1.5.3 2017-02-20 18:14:56 +03:00
Matthew Mosesohn
2d65554cb9 Change default network plugin to Calico 2017-02-15 16:15:22 +03:00
Hung Nguyen Viet
d0757ccc5e Fix typo 2017-02-14 17:18:22 +07:00
Alexander Block
d2e010cbe1 Add kernel upgrade for CentOS 2017-02-10 09:29:12 +01:00
Matthew Mosesohn
60f1936a62 Merge pull request #1004 from galthaus/kubelet-load-modules
Allow kubelet to load kernel modules
2017-02-10 09:28:16 +03:00
Vladimir Rutsky
f0269b28f4 fix kube_apiserver_ip/kube_apiserver_port description 2017-02-09 21:47:36 +04:00
Greg Althaus
3f0c13af8a Make kubelet_load_modules always present but false.
Update code and docs for that assumption.
2017-02-09 10:25:44 -06:00
Greg Althaus
fcd78eb1f7 Due to the nsenter and other reworks, it appears that
kubelet lost the ability to load kernel modules.  This
puts that back by adding the lib/modules mount to kubelet.

The new variable kubelet_load_modules can be set to true
to enable this item.  It is OFF by default.
2017-02-09 10:02:26 -06:00
Bogdan Dobrelya
3b1a196c75 Merge pull request #902 from insequent/master
Adding vault role
2017-02-09 09:24:52 +01:00
Antoine Legrand
9c572fe54b Merge pull request #984 from rutsky/patch-2
fix typo: "explicetely"
2017-02-08 23:19:01 +01:00
Josh Conant
245e05ce61 Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Josh Conant
f4ec2d18e5 Adding the Vault role 2017-02-08 21:31:28 +00:00
Vladimir Rutsky
6a5df4d999 fix typo: "pubilcally" 2017-02-06 21:35:02 +04:00
Vladimir Rutsky
d41602088b fix typo: "explicetely" 2017-02-06 21:29:11 +04:00
Matthew Mosesohn
fd30131dc2 Revert "Drop linux capabilities and rework users/groups" 2017-02-06 15:58:54 +03:00
Bogdan Dobrelya
cae2982d81 Merge pull request #911 from bogdando/DROP_CAPS
Drop linux capabilities and rework users/groups
2017-02-06 12:05:51 +01:00
Brad Beam
df3e11bdb8 Adding EFK logging stack 2017-02-03 16:27:08 -06:00
David Kirstein
6e35895b44 also use kube_api_pwd for root account
This makes it a bit more secure. Also the password can now be changed with a (inventory) variable (no need to edit all.yml).
2017-01-23 19:09:30 +01:00
Bogdan Dobrelya
cb2e5ac776 Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-20 08:50:42 +01:00
Greg Althaus
6905edbeb6 Add a variable that defaults to kube_apiserver_port that defines
the which port the local nginx proxy should listen on for HA
local balancer configurations.
2017-01-14 23:38:07 -06:00
Bogdan Dobrelya
caab0cdf27 Docs updates
Fix mismatching inventory examples.
Add command examples.
Clarify groups use cases.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-11 15:39:35 +01:00
Alexander Block
1d2a18b355 Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Bogdan Dobrelya
fb7899aa06 Minor fix to rkt version in group vars
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 11:11:03 +01:00
Brad Beam
8dc19374cc Allowing etcd to run via rkt 2017-01-03 10:10:38 -06:00
Brad Beam
a8f2af0503 Adding initial rkt support 2017-01-03 10:08:43 -06:00
Bogdan Dobrelya
58062be2a3 Drop non systemd OS types support
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00
Bogdan Dobrelya
a56d9de502 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Antoine Legrand
768fe05eea Merge pull request #704 from vwfs/bastion_hosts
Add support for bastion hosts
2016-12-17 12:08:49 +01:00
Matthew Mosesohn
9df2306ee9 Bump kube_version to v1.5.1 2016-12-16 15:53:25 +03:00
Smaine Kahlouch
29874baf8a Merge pull request #708 from vwfs/cloud_network
Add support for cloud-provider based networking
2016-12-14 16:23:20 +01:00
Alexander Block
b4c87c669b Fix kube_version to include 'v' again
https://github.com/kubernetes-incubator/kargo/pull/736 missed this
2016-12-13 21:43:25 +01:00
Alexander Block
dbd9aaf1ea Add check for azure_route_table_name and add it to all.yml 2016-12-13 17:30:10 +01:00
Alexander Block
d20d5e648f Add pseudo network plugin called "cloud" to use cloud provider for network
Allow to let the cloud provider configure proper routing for nodes.
2016-12-13 17:30:10 +01:00
Alexander Block
3e007df97c Add documentation about bastion hosts 2016-12-13 17:29:47 +01:00
Alexander Block
06584ee3aa Add support for bastion hosts 2016-12-13 17:29:47 +01:00
Antoine Legrand
26e3142c95 Merge branch 'master' into standalone_kubelet 2016-12-13 17:26:21 +01:00
Alexander Block
665ce82d71 Move kube_version to group_vars/all to allow easier changing of version
Also allows to perform version dependent logic in Ansible roles.
2016-12-13 17:21:00 +01:00
Alexander Block
444b1dafdc Pass --anonymous-auth to apiserver
Fixes #732
2016-12-13 17:06:53 +01:00
Bogdan Dobrelya
c75f394707 Address standalone kubelet config case
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Alexander Block
4e34803b1e Disable fastestmirror on CentOS
It actually slows down things dramatically when used in combination
with Ansible.
2016-12-12 09:54:39 +01:00
Bogdan Dobrelya
2c50f20429 Merge pull request #696 from bogdando/intranet_dns
Preconfigure dns stack early
2016-12-09 21:46:03 +01:00
Bogdan Dobrelya
a15d626771 Preconfigure DNS stack and docker early
In order to enable offline/intranet installation cases:
* Move DNS/resolvconf configuration to preinstall role. Remove
  skip_dnsmasq_k8s var as not needed anymore.

* Preconfigure DNS stack early, which may be the case when downloading
  artifacts from intranet repositories. Do not configure
  K8s DNS resolvers for hosts /etc/resolv.conf yet early (as they may be
  not existing).

* Reconfigure K8s DNS resolvers for hosts only after kubedns/dnsmasq
  was set up and before K8s apps to be created.

* Move docker install task to early stage as well and unbind it from the
  etcd role's specific install path. Fix external flannel dependency on
  docker role handlers. Also fix the docker restart handlers' steps
  ordering to match the expected sequence (the socket then the service).

* Add default resolver fact, which is
  the cloud provider specific and remove hardcoded GCE resolver.

* Reduce default ndots for hosts /etc/resolv.conf to 2. Multiple search
  domains combined with high ndots values lead to poor performance of
  DNS stack and make ansible workers to fail very often with the
  "Timeout (12s) waiting for privilege escalation prompt:" error.

* Update docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:30:55 +01:00
Alexander Block
c3ec3ff902 Allow to specify docker storage driver 2016-12-09 13:56:56 +01:00
Chad Swenson
8b5b27bb51 Docker Options Refactor 2016-12-02 15:07:51 -06:00
Sebastian Melchior
bb55f68f95 add basic azure support for kargo 2016-11-29 10:20:28 +01:00
Bogdan Dobrelya
b7692fad09 Add advanced net check for DNS K8s app
* Add an option to deploy K8s app to test e2e network connectivity
  and cluster DNS resolve via Kubedns for nethost/simple pods
  (defaults to false).
* Parametrize existing k8s apps templates with kube_namespace and
  kube_config_dir instead of hardcode.
* For CoreOS, ensure nameservers from inventory to be put in the
  first place to allow hostnet pods connectivity via short names
  or FQDN and hostnet agents to pass as well, if netchecker
  deployed.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-28 13:23:25 +01:00
Bogdan Dobrelya
dff78f616e Allow pre-downloaded images to be used effectively
According to http://kubernetes.io/docs/user-guide/images/ :
By default, the kubelet will try to pull each image from the
specified registry. However, if the imagePullPolicy property
of the container is set to IfNotPresent or Never, then a local\
image is used (preferentially or exclusively, respectively).

Use IfNotPresent value to allow images prepared by the download
role dependencies to be effectively used by kubelet without pull
errors resulting apps to stay blocked in PullBackOff/Error state
even when there are images on the localhost exist.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 16:16:04 +01:00
ant31
9872ed4bb2 Merge branch 'master' of github.com:kubespray/kargo 2016-11-17 14:32:14 +01:00
Spencer Smith
cb47bbf753 update comment with valid options for bootstrap_os 2016-11-14 16:31:15 -05:00
Matthew Mosesohn
95b460ae94 Remove etcd-proxy from all nodes and use etcd multiaccess 2016-11-09 13:31:12 +03:00
ant31
5aa8df163e Merge branch 'master' of github.com:kubespray/kargo 2016-11-07 12:05:36 +01:00
ant31
881dc8172c update example 2016-11-07 12:03:55 +01:00
Smana
056f4b6c00 upgrade to kubernetes version 1.4.0
test to change the machine type

Revert "test to change the machine type"

This reverts commit 7a91f1b5405a39bee6cb91940b09a0b0f9d3aee1.

use google dns server when no upstream dns are defined

comment upstream_dns_servers

update documentation

remove deprecated kubelet flags

Revert "remove deprecated kubelet flags"

This reverts commit 21e3b893c896d0291c36a07d0414f4cb88b8d8ac.
2016-10-10 22:44:47 +02:00
Matthew Mosesohn
84052ff0b6 use nginx proxy on non-master nodes to proxy apiserver traffic
Also adds all masters by hostname and localhost/127.0.0.1 to
apiserver SSL certificate.

Includes documentation update on how localhost loadbalancer works.
2016-10-05 20:09:10 +03:00
Bogdan Dobrelya
5fd43b7cf0 Allow subdomains of dns_domain and fix kubelet restarts
* Add a var for ndots (default 5) and put it hosts' /etc/resolv.conf.
* Poke kube dns container image to v1.7
* In order to apply changes to kubelet, notify it to
be restarted on changes made to /etc/resolv.conf. Ignore errors as the kubelet
may yet to be present up to the moment of the notification being processed.
* Remove unnecessary kubelet restart for master role as the node role ensures
it is up and running. Notify master static pods waiters for apiserver,
scheduler, controller-manager instead.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-09-27 14:32:49 +02:00
Bogdan Dobrelya
82ee60fe8b Make dnsmasq daemon set optional
Change additional dnsmasq opts:
- Adjust caching size and TTL
- Disable resolve conf to not create loops
- Change dnsPolicy to default (similarly to kubedns's dnsmasq). The
  ClusterFirst should not be used to not create loops
- Disable negative NXDOMAIN replies to be cached
- Make its very installation as optional step (enabled by default).
  If you don't want more than 3 DNS servers, including 1 for K8s, disable
  it.
- Add docs and a drawing to clarify DNS setup.
- Fix stdout logs for dnsmasq/kubedns app configs
- Add missed notifies to resolvconf -u handler
- Fix idempotency of resolvconf head file changes

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-09-23 12:59:06 +02:00
Bogdan Dobrelya
390764c2b4 Add retry_stagger var for failed download/pushes.
* Add the retry_stagger var to tweak push and retry time strategies.
* Add large deployments related docs.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-09-15 16:43:58 +02:00
Antoine Legrand
2e386dfbdc Merge pull request #465 from kubespray/freeze_kpm_version
Multiple app deploy tools
2016-09-08 22:01:52 +02:00
Antoine Legrand
ccbb2ee3ae App deployer plugins 2016-09-08 15:01:57 +02:00
Brandon B. Jozsa
2606e8e1c8 combine bootstrap options, add xenial support 2016-09-06 10:04:41 -04:00
Bogdan Dobrelya
731d32afda Add HA/LB endpoints for kube-apiserver
* Add HA docs for API server.
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Use facts for kube_apiserver to not repeat code and enable LB endpoints use.
* Use /healthz check for the wait-for apiserver.
* Use the single endpoint for kubelet instead of the list of apiservers
* Specify kube_apiserver_count to for HA layout

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-25 17:25:45 +02:00
Matthew Mosesohn
7f212ca9cb Revert "Add HA/LB endpoints for kube-apiserver"
This reverts commit a70c3b661e.
2016-07-22 13:54:38 +03:00
Bogdan Dobrelya
a70c3b661e Add HA/LB endpoints for kube-apiserver
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Add loadbalancer_apiserver_localhost (default false). If enabled, override
the external LB and expect localhost:443/8080 to be new internal only frontends.
* Add kube_apiserver_multiaccess to ignore loadbalancers, and make clients
to access the apiservers as a comma-separated list of access_ip/ip/ansible ip
(a default mode). When disabled, allow clients to use the given loadbalancers.
* Define connections security mode for kube controllers, schedulers, proxies.
It is insecure be default, which is the current deployment choice.
* Rework the groups['kube-master'][0] hardcode defining the apiserver
endpoints.
* Improve grouping of vars and add facts for kube_apiserver.
* Define kube_apiserver_insecure_bind_address as a fact, add more
facts for ease of use.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-21 11:05:03 +02:00
Bogdan Dobrelya
32cd6e99b2 Add etcd proxy support
* Enforce a etcd-proxy role to a k8s-cluster group members. This
provides an HA layout for all of the k8s cluster internal clients.
* Proxies to be run on each node in the group as a separate etcd
instances with a readwrite proxy mode and listen the given endpoint,
which is either the access_ip:2379 or the localhost:2379.
* A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and
loadbalancers and use the etcd members IPs as a comma-separated
list. Otherwise, clients shall use the local endpoint provided by a
etcd-proxy instances on each etcd node. A Netwroking plugins always
use that access mode.
* Fix apiserver's etcd servers args to use the etcd_access_endpoint.
* Fix networking plugins flannel/calico to use the etcd_endpoint.
* Fix name env var for non masters to be set as well.
* Fix etcd_client_url was not used anywhere and other etcd_* facts
evaluation was duplicated in a few places.
* Define proxy modes only in the env file, if not a master. Del
an automatic proxy mode decisions for etcd nodes in init/unit scripts.
* Use Wants= instead of Requires= as "This is the recommended way to
hook start-up of one unit to the start-up of another unit"
* Make apiserver/calico Wants= etcd-proxy to keep it always up

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-07-19 14:09:40 +02:00
ant31
eb6025a184 Add kubedns as default package to install 2016-06-12 18:08:53 +02:00
Paul Czarkowski
67147cf435 example env allow insecure-registry
Many use cases of k8s involve running a local
registry, chances are the person running this
will learn the hard way that they need to allow
insecure registry on the `kube_service_addresses`
network.

We should just default to settings this in
`inventory/group_vars/all.yml` to help reduce
potential friction for first time users.
2016-05-28 11:56:16 -05:00
Spencer Smith
87757d4fcf provides initial docker options support 2016-05-25 12:56:45 -04:00
David Reuss
0984b23f0e Use correct google ns for dns upstream 2016-05-17 13:19:13 +02:00
Spencer Smith
adceaf60e1 support proxies with docker on rhel 2016-05-10 15:49:27 -07:00
Paul Czarkowski
8f4e879ca7 Add native Vagrant support
This allows you to simply run `vagrant up` to get a 3 node HA cluster.

* Creates a dynamic inventory and uses the inventory/group_vars/all.yml
* commented lines in inventory.example so that ansible doesn't try to use it.
* added requirements.txt to give easy way to install ansible/ipaddr
* added gitignore files to stop attempts to save unwated files
* changed `Check if kube-system exists` to `failed_when: false` instead of
`ignore_errors`
2016-05-08 10:17:11 -05:00
Smana
bd6c12d686 fix api auth issue for ci tests 2016-05-05 09:00:02 +02:00
Smana
59d71740b1 use a variable for api's 'root' password 2016-05-04 16:49:25 +02:00
teuto.net Netzdienste GmbH
9f8da6c225 Implemented cloud-provider integration for OpenStack.
Currently kubespray does not install kubernetes in a way that allows cinder volumes to be used. This commit provides the necessary cloud configuration file and configures kubelet and kube-apiserver to use it.
2016-03-29 15:17:22 +02:00
Smaine Kahlouch
68fafd030d choose between gce and aws cloud providers 2016-03-23 17:27:06 +01:00
ant31
6297e5ea93 Use dnsmasq inside pods 2016-03-19 23:41:27 +01:00
Smana
cd38ecc378 redirecting to new doc page 2016-03-07 16:15:40 +01:00
Smana
fca384e24c first version of CoreOS on GCE
Please enter the commit message for your changes. Lines starting
2016-02-21 00:06:36 +01:00
Smana
793d665db4 specify weave version 2016-02-10 18:19:03 +01:00
Smaine Kahlouch
4f92417a5d split network plugins into distinct roles 2016-02-09 11:42:00 +01:00
Greg Althaus
bedcca922c Add variables and defaults for multiple types of ip addresses.
Each node can have 3 IPs.
1. ansible_default_ip4 - whatever ansible things is the first IPv4 address
   usually with the default gw.
2. ip - An address to use on the local node to bind listeners and do local
   communication.  For example, Vagrant boxes have a first address that is the
   NAT bridge and is common for all nodes.  The second address/interface should
   be used.
3. access_ip - An address to use for node-to-node access.  This is assumed to
   be used by other nodes to access the node and may not be actually assigned
   on the node.  For example, AWS public ip that is not assigned to node.

This updates the places addresses are used to use either ip or access_ip and walk
up the list to find an address.
2016-01-27 16:05:39 -06:00
Smaine Kahlouch
5edc81c627 moving kube-cert group into group_vars 2016-01-22 17:18:45 +01:00
Antoine Legrand
078b67c50f Remove downloader host 2016-01-22 09:59:39 +01:00
ant31
9a03249446 Add travis tests 2016-01-05 12:31:49 +01:00
Smaine Kahlouch
2a08f7bc0a inventory example, localhost for downloader 2016-01-04 14:54:30 +01:00
Smaine Kahlouch
392570f4ff distinct local hostname 2015-12-31 14:54:51 +01:00
Smaine Kahlouch
98fe2c02b2 review local tasks 2015-12-31 10:28:47 +01:00
Smaine Kahlouch
4388cab8d6 Use second ip address in order to avoid any ip range problem 2015-12-24 13:58:04 +01:00
Smaine Kahlouch
03d402e226 using hostnames in the inventory is more readable 2015-12-18 16:13:42 +01:00
Smaine Kahlouch
0a238d9853 Specify etcd servers for the etcd cluster 2015-12-18 14:31:51 +01:00
Antoine Legrand
a003d91576 simplify inventory path 2015-12-17 21:32:06 +01:00