C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
3184 commits 17 branches 66 tags 141 MiB
Commit graph

294 commits

Author SHA1 Message Date
Aivars Sterns
72f053d9bb
Merge pull request #2972 from mattymo/force_cni_cp 
Force copy cni files
 2018-07-10 09:40:10 +03:00
Dao Hoang Son
d306c9708c Remove step that force disable kube_basic_auth. 
The referenced issue (https://github.com/kubernetes/kubeadm/issues/441) has already been fixed.
 2018-07-08 16:57:43 +07:00
Matthew Mosesohn
1a3b9dd864 Force copy cni files 2018-07-06 16:39:42 +03:00
Miouge1
2a279e30b0 CheckNodePIDPressure is not supported in v1.10 2018-06-28 20:10:38 +02:00
Andreas Krüger
cbb959151c
Merge pull request #2737 from Miouge1/update-scheduler 
Update kube-scheduler policy
 2018-06-19 14:53:22 +02:00
Matthew Mosesohn
61e97251a5 Improve variable handling for disabling etcd events cluster 2018-06-18 16:58:29 +03:00
Andreas Krüger
e60a63ea51
Merge pull request #2577 from woopstar/etcd-fix-4 
Makeover of etcd- and etcd-cluster setup.
 2018-05-16 20:49:54 +02:00
Matthew Mosesohn
7c93e71801
Upgrade k8s to 1.10.2 (#2748) 
* Upgrade k8s to 1.10.2

Bumped etcd version to 3.2.16 as recommended

* Add ipvs fix for v1.10

* change flannel addons test to ha
 2018-05-15 16:00:29 +03:00
Christopher J. Ruwe
73800ef111 make certificates non-executable 2018-05-15 07:54:32 +00:00
Miouge1
ad48606e4e Restart scheduler when policy changes 2018-05-14 10:09:30 +02:00
Matthew Mosesohn
07cc981971
refactor vault role (#2733) 
* Move front-proxy-client certs back to kube mount

We want the same CA for all k8s certs

* Refactor vault to use a third party module

The module adds idempotency and reduces some of the repetitive
logic in the vault role

Requires ansible-modules-hashivault on ansible node and hvac
on the vault hosts themselves

Add upgrade test scenario
Remove bootstrap-os tags from tasks

* fix upgrade issues

* improve unseal logic

* specify ca and fix etcd check

* Fix initialization check

bump machine size
 2018-05-11 19:11:38 +03:00
Andreas Krüger
28d6eb6af1
Merge pull request #2644 from cp3hu/master 
Fix apiserver manifest and kubelet for kube version < 1.9
 2018-05-08 09:22:36 +02:00
Miouge1
70e0998a70 Update kube-scheduler policy 2018-05-03 21:56:51 +02:00
woopstar
4c81cd2a71 Merge branch 'master' of https://github.com/kubernetes-incubator/kubespray into etcd-fix-4 2018-05-02 14:45:58 +02:00
Suzuka Asagiri
f81e6d2ccf
Add oidc-user-prefix and oidc-group-prefix args 2018-04-23 12:23:59 +09:00
Chad Swenson
d87b6fd9f3 Use dedicated front-proxy-ca for front-proxy-client 2018-04-12 11:03:22 -05:00
Christian Phu
3535c29e59 Fix apiserver manifest for kube version < 1.9 2018-04-10 18:17:56 +02:00
Marcelo Grebois
88765f62e6
Updating order 
https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
 2018-04-10 17:17:39 +02:00
Marcelo Grebois
4c12b273ac
Enabling MutatingAdmissionWebhook for Istio Automatic sidecar injection 
https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection
 2018-04-09 12:49:05 +02:00
Andreas Krüger
2511e14289
Merge pull request #2346 from Miouge1/kube-scheduler-mode 
Use legacy policy config to apply the scheduler policy
 2018-04-04 10:20:51 +02:00
woopstar
86e3506ae6 Etcd cluster setup makeover 
The current way to setup the etc cluster is messy and buggy.

- It checks for cluster is healthy before the cluster is even created.
- The unit files are started on handlers, not in the task, so you mess with "flush handlers".
- The join_member.yml is not used.
- etcd events cluster is not configured for kubeadm
- remove duplicate runs between running the role on etcd nodes and k8s nodes
 2018-04-01 21:38:33 +02:00
Wong Hoi Sing Edison
195d6d791a Integrate jetstack/cert-manager 0.2.3 to Kubespray 2018-03-31 19:29:11 +08:00
Andreas Krüger
d9418b1dc4
Merge pull request #2554 from georgejdli/fix-sa-token-signing 
Fix kubespray's ServiceAccount token signing keys
 2018-03-31 09:59:22 +02:00
Andreas Krüger
76cb37d6b5
Merge pull request #2544 from woopstar/cert-fix-2 
Update openssl.conf to count better and work with Jinja 2.9
 2018-03-30 21:57:17 +02:00
georgejdli
572ab650db copy dedicated service account token signing key for kubeadm migration 2018-03-30 13:03:32 -05:00
Matthew Mosesohn
03bcfa7ff5
Stop templating kube-system namespace and creating it (#2545) 
Kubernetes makes this namespace automatically, so there is
no need for kubespray to manage it.
 2018-03-30 14:29:13 +03:00
Andreas Kruger
af5f376163 Revert 2018-03-30 11:42:20 +02:00
woopstar
004b0a3fcf Fix merge conflict 2018-03-30 11:38:59 +02:00
Andreas Krüger
f619eb08b1
Merge pull request #2350 from whereismyjetpack/kubeadm-nodename 
set nodeName to "{{ inventory_hostname }}" in kubeadm-config
 2018-03-30 11:15:52 +02:00
Kuldip Madnani
daeeae1a91 Added retries in pre-upgrade.yml and retries while applying kube-dns.yml (#2553) 
* Added retries in pre-upgrade.yml and retries while applying kube-dns.yml

* Removed trailing spaces
 2018-03-29 11:37:32 -05:00
georgejdli
c8f857eae4 configure kubespray to sign service account tokens with a dedicated and stable key 2018-03-29 09:50:31 -05:00
Dann Bohn
1d0415a6cf fixes typo in kube_override_hostname for kubeadm 2018-03-24 13:29:07 -04:00
Dann Bohn
9fa995ac9d only sets nodeName in kubeadm-config when kube_override_hostname is set 2018-03-23 08:33:25 -04:00
Andreas Krüger
30e4b89837
Merge pull request #2504 from brtknr/patch-1 
Update kube-apiserver.manifest.j2 and kubeadm-config.yaml.j2 to incorporate `endpoint-reconciler-type: lease`
 2018-03-22 09:15:55 +01:00
Andreas Krüger
ff2b8e5e60
Merge pull request #2503 from woopstar/kubelet-fix-1 
Fix duplicate --proxy-client-cert-file and --proxy-client-key-file
 2018-03-21 10:03:31 +01:00
mirwan
ee8f678010 Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446) 2018-03-21 10:50:32 +03:00
Bharat Kunwar
13e47e73c8
Update kubeadm-config.yaml.j2 
As requested
 2018-03-20 13:33:36 +00:00
Bharat Kunwar
d2fd7b7462
Update kube-apiserver.manifest.j2 2018-03-20 12:19:53 +00:00
Bharat Kunwar
d9453f323b
Update kube-apiserver.manifest.j2 2018-03-20 12:16:35 +00:00
Bharat Kunwar
b787b76c6c
Update kube-apiserver.manifest.j2 
Ensure that kube-apiserver will respond even if one of the nodes are down.
 2018-03-20 12:06:34 +00:00
woopstar
a94a407a43 Fix duplicate --proxy-client-cert-file and --proxy-client-key-file 2018-03-20 12:08:36 +01:00
Andreas Krüger
d29a1db134
Merge pull request #2461 from woopstar/patch-11 
Add support to kubeadm too
 2018-03-16 08:24:31 +01:00
Andreas Krüger
653d97dda4
Merge pull request #2472 from woopstar/patch-12 
Make sure output from extra args is strings
 2018-03-16 08:23:50 +01:00
woopstar
40c0f3756b Encapsulate item instead of casting to string 2018-03-15 20:27:21 +01:00
Andreas Krüger
3d6fd49179 Added option for encrypting secrets to etcd v.2 (#2428) 
* Added option for encrypting secrets to etcd

* Fix keylength to 32

* Forgot the default

* Rename secrets.yaml to secrets_encryption.yaml

* Fix static path for secrets file to use ansible variable

* Rename secrets.yaml.j2 to secrets_encryption.yaml.j2

* Base64 encode the token

* Fixed merge error

* Changed path to credentials dir

* Update path to secrets file which is now readable inside the apiserver container. Set better file permissions

* Add encryption option to k8s-cluster.yml
 2018-03-15 22:20:05 +03:00
Andreas Krüger
788e41a315
Make sure output from extra args is strings 
Setting the following:

```
kube_kubeadm_controller_extra_args:
  address: 0.0.0.0
  terminated-pod-gc-threshold: "100"
```

Results in `terminated-pod-gc-threshold: 100` in the kubeadm config file. But it has to be a string to work.
 2018-03-14 19:23:43 +01:00
Andreas Krüger
39d247a238
Add support to kubeadm too 
Explicitly defines the --kubelet-preferred-address-types parameter #2418

Fixes #2453
 2018-03-13 10:31:15 +01:00
Ayaz Ahmed Khan
89847d5684 Explicitly defines the --kubelet-preferred-address-types parameter 
to the API server configuration.

This solves the problem where if you have non-resolvable node names,
and try to scale the server by adding new nodes, kubectl commands
start to fail for newly added nodes, giving a TCP timeout error when
trying to resolve the node hostname against a public DNS.
 2018-03-05 15:25:14 +01:00
RongZhang
67ffd8e923 Add etcd-events cluster for kube-apiserver (#2385) 
Add etcd-events cluster for kube-apiserver
 2018-03-01 11:39:14 +03:00
Nedim Haveric
2bd3776ddb fix apiserver manifest when disabling insecure_port 2018-02-22 14:00:32 +01:00