Brad Beam
eeffbbb43c
Updating calicocni.hostname to calicocni.nodename
2017-09-08 12:47:40 +00:00
Brad Beam
aaa0105f75
Flexing calicocni.hostname based on cloud provider
2017-09-08 12:47:40 +00:00
Matthew Mosesohn
079d317ade
Default is_atomic to false ( #1637 )
2017-09-08 15:00:57 +03:00
Maxim Krasilnikov
e16b57aa05
Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster ( #1632 )
2017-09-07 23:30:16 +03:00
Matthew Mosesohn
7117614ee5
Use a generated password for kube user ( #1624 )
...
Removed unnecessary root user
2017-09-06 20:20:25 +03:00
Chad Swenson
e26aec96b0
Consolidate kube-proxy module and sysctl loading ( #1586 )
...
This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
2017-09-06 15:11:51 +03:00
Sam Powers
c60d104056
Update checksums (etcd calico calico-cni weave) to fix uploads.yml ( #1584 )
...
the uploads.yml playbook was broken with checksum mismatch errors in
various kubespray commits, for example, 3bfad5ca73
which updated the version from 3.0.6 to 3.0.17 without updating the
corresponding checksums.
2017-09-06 15:11:13 +03:00
Oliver Moser
e6ff8c92a0
Using 'hostnamectl' to set unconfigured hostname on CoreOS ( #1600 )
2017-09-06 15:10:52 +03:00
Chad Swenson
cbaa2b5773
Retry Remove all Docker containers in reset ( #1623 )
...
Due to various occasional docker bugs, removing a container will sometimes fail. This can often be mitigated by trying again.
2017-09-06 14:23:16 +03:00
Matthieu
0453ed8235
Fix an error with Canal when RBAC are disabled ( #1619 )
...
* Fix an error with Canal when RBAC are disabled
* Update using same rbac strategy used elsewhere
2017-09-06 11:32:32 +03:00
Brad Beam
a341adb7f3
Updating CN for node certs generated by vault ( #1622 )
...
This allows the node authorization plugin to function correctly
2017-09-06 10:55:08 +03:00
mkrasilnikov
957b7115fe
Remove node name from kube-proxy and admin certificates
2017-09-05 14:40:26 +03:00
mkrasilnikov
b930b0ef5a
Place vault role credentials only to vault group hosts
2017-09-05 11:16:18 +03:00
mkrasilnikov
ad313c9d49
typo fix
2017-09-05 09:07:36 +03:00
mkrasilnikov
e1384f6618
Using issue cert result var instead hostvars
2017-09-05 09:07:36 +03:00
mkrasilnikov
3acb86805b
Rename vault_address to vault_bind_address
2017-09-05 09:07:35 +03:00
mkrasilnikov
bf0af1cd3d
Vault role updates:
...
* using separated vault roles for generate certs with different `O` (Organization) subject field;
* configure vault roles for issuing certificates with different `CN` (Common name) subject field;
* set `CN` and `O` to `kubernetes` and `etcd` certificates;
* vault/defaults vars definition was simplified;
* vault dirs variables defined in kubernetes-defaults foles for using
shared tasks in etcd and kubernetes/secrets roles;
* upgrade vault to 0.8.1;
* generate random vault user password for each role by default;
* fix `serial` file name for vault certs;
* move vault auth request to issue_cert tasks;
* enable `RBAC` in vault CI;
2017-09-05 09:07:35 +03:00
ArthurMa
c77d11f1c7
Bugfix ( #1616 )
...
lost executable path
2017-09-05 08:35:14 +03:00
Matthew Mosesohn
d279d145d5
Fix non-rbac deployment of resources as a list ( #1613 )
...
* Use kubectl apply instead of create/replace
Disable checks for existing resources to speed up execution.
* Fix non-rbac deployment of resources as a list
* Fix autoscaler tolerations field
* set all kube resources to state=latest
* Update netchecker and weave
2017-09-05 08:23:12 +03:00
Matthew Mosesohn
fc7905653e
Add socat for CoreOS when using host deploy kubelet ( #1575 )
2017-09-04 11:30:18 +03:00
Matthew Mosesohn
660282e82f
Make daemonsets upgradeable ( #1606 )
...
Canal will be covered by a separate PR
2017-09-04 11:30:01 +03:00
Matthew Mosesohn
77602dbb93
Move calico to daemonset ( #1605 )
...
* Drop legacy calico logic
* add calico as a daemonset
2017-09-04 11:29:51 +03:00
Matthew Mosesohn
a3e6896a43
Add RBAC support for canal ( #1604 )
...
Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
Added rbac for calico policy controller
2017-09-04 11:29:40 +03:00
Dann
702ce446df
Apply ClusterRoleBinding to dnsmaq when rbac_enabled ( #1592 )
...
* Add RBAC policies to dnsmasq
* fix merge conflict
* yamllint
* use .j2 extension for dnsmasq autoscaler
2017-09-03 10:53:45 +03:00
Brad Beam
8ae77e955e
Adding in certificate serial numbers to manifests ( #1392 )
2017-09-01 09:02:23 +03:00
sgmitchell
783924e671
Change backup handler to only run v2 data backup if snap directory exists ( #1594 )
2017-08-31 18:23:24 +03:00
Julian Poschmann
93304e5f58
Fix calico leaving service behind. ( #1599 )
2017-08-31 12:00:05 +03:00
Brad Beam
917373ee55
Merge pull request #1595 from bradbeam/cacerts
...
Fixing CA certificate locations for k8s components
2017-08-30 21:31:19 -05:00
Brad Beam
7a98ad50b4
Fixing CA certificate locations for k8s components
2017-08-30 15:30:40 -05:00
Brad Beam
982058cc19
Merge pull request #1514 from vijaykatam/docker_systemd
...
Configurable docker yum repos, systemd fix
2017-08-30 11:50:23 -05:00
Oliver Moser
576beaa6a6
Include /opt/bin in PATH for host deployed kubelet on CoreOS ( #1591 )
...
* Include /opt/bin in PATH for host deployed kubelet on CoreOS
* Removing conditional check for CoreOS
2017-08-30 16:50:33 +03:00
Maxim Krasilnikov
6eb22c5db2
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s ( #1552 )
...
* Added update CA trust step for etcd and kube/secrets roles
* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.
* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.
* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.
* Fixed different certificates set for vault cert_managment
* Update doc/vault.md
* Fixed condition create vault CA, wrong group
* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts
* Removed wrong when condition in create etcd role vault tasks.
2017-08-30 16:03:22 +03:00
Brad Beam
72a0d78b3c
Merge pull request #1585 from mattymo/canal_upgrade
...
Fix upgrade for canal and apiserver cert
2017-08-29 18:45:21 -05:00
Matthew Mosesohn
13d08af054
Fix upgrade for canal and apiserver cert
...
Fixes #1573
2017-08-29 22:08:30 +01:00
Eric Hoffmann
6c30a7b2eb
update calico version
...
update calico releases link
2017-08-28 16:23:51 -07:00
Matthew Mosesohn
76b72338da
Add CNI config for rkt kubelet ( #1579 )
2017-08-28 21:11:01 +03:00
Chad Swenson
a39e78d42d
Initial version of Flannel using CNI ( #1486 )
...
* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI
* Removes old Flannel installation
* Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host
* Uses RBAC if enabled
* Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set
2017-08-25 10:07:50 +03:00
Brad Beam
4550dccb84
Fixing reference to vault leader url ( #1569 )
2017-08-24 23:21:39 +03:00
Hassan Zamani
01ce09f343
Add feature_gates var for customizing Kubernetes feature gates ( #1520 )
2017-08-24 23:18:38 +03:00
Brad Beam
71dca67ca2
Merge pull request #1508 from tmjd/update-calico-2-4-0
...
Update Calico to 2.4.1 release.
2017-08-24 14:57:29 -05:00
Yuki KIRII
a98b866a66
Verify if br_netfilter module exists ( #1492 )
2017-08-24 17:47:32 +03:00
Xavier Mehrenberger
3aabba7535
Remove discontinued option --reconcile-cidr if kube_network_plugin=="cloud" ( #1568 )
2017-08-24 17:01:30 +03:00
Mohamed Mehany
c22cfa255b
Added private key file to ssh bastion conf ( #1563 )
...
* Added private key file to ssh bastion conf
* Used regular if condition insted of inline conditional
2017-08-24 17:00:45 +03:00
Matthew Mosesohn
6bb3463e7c
Enable scheduling of critical pods and network plugins on master
...
Added toleration to DNS, netchecker, fluentd, canal, and
calico policy.
Also small fixes to make yamllint pass.
2017-08-24 10:41:17 +01:00
Brad Beam
8b151d12b9
Adding yamllinter to ci steps ( #1556 )
...
* Adding yaml linter to ci check
* Minor linting fixes from yamllint
* Changing CI to install python pkgs from requirements.txt
- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements
2017-08-24 12:09:52 +03:00
Ian Lewis
ecb6dc3679
Register standalone master w/ taints ( #1426 )
...
If Kubernetes > 1.6 register standalone master nodes w/ a
node-role.kubernetes.io/master=:NoSchedule taint to allow
for more flexible scheduling rather than just marking unschedulable.
2017-08-23 16:44:11 +03:00
riverzhang
49a223a17d
Update elrepo-release rpm version ( #1554 )
2017-08-23 09:54:51 +03:00
Brad Beam
e5cfdc648c
Adding ability to override max ttl ( #1559 )
...
Prior this would fail because we didnt set max ttl for vault temp
2017-08-23 09:54:01 +03:00
Erik Stidham
9f9f70aade
Update Calico to 2.4.1 release.
...
- Switched Calico images to be pulled from quay.io
- Updated Canal too
2017-08-21 09:33:12 -05:00
Matthew Mosesohn
ca3050ec3d
Update to Kubernetes v1.7.3 ( #1549 )
...
Change kubelet deploy mode to host
Enable cri and qos per cgroup for kubelet
Update CoreOS images
Add upgrade hook for switching from kubelet deployment from docker to host.
Bump machine type for ubuntu-rkt-sep
2017-08-21 10:53:49 +03:00
Vijay Katam
97031f9133
Make epel-release install configurable ( #1497 )
2017-08-20 14:03:10 +03:00
Vijay Katam
c92506e2e7
Add calico variable that enables ignoring Kernel's RPF Setting ( #1493 )
2017-08-20 14:01:09 +03:00
Kevin Lefevre
65a9772adf
Add OpenStack LBaaS support ( #1506 )
2017-08-20 13:59:15 +03:00
Anton
1e07ee6cc4
etcd_compaction_retention every 8 hour ( #1527 )
2017-08-20 13:55:48 +03:00
Miad Abrin
3c710219a1
Fix Some Typos in kubernetes master role ( #1547 )
...
* Fix Typo etc3 -> etcd3
* Fix typo in post-upgrade of master. stop -> start
2017-08-20 13:54:28 +03:00
Maxim Krasilnikov
2ba285a544
Fixed deploy cluster with vault cert manager ( #1548 )
...
* Added custom ips to etcd vault distributed certificates
* Added custom ips to kube-master vault distributed certificates
* Added comment about issue_cert_copy_ca var in vault/issue_cert role file
* Generate kube-proxy, controller-manager and scheduler certificates by vault
* Revert "Disable vault from CI (#1546 )"
This reverts commit 781f31d2b8
.
* Fixed upgrade cluster with vault cert manager
* Remove vault dir in reset playbook
2017-08-20 13:53:58 +03:00
Antoine Legrand
72ae7638bc
Merge pull request #1446 from matlockx/master
...
add possibility to ignore the hostname override
2017-08-18 17:03:40 +02:00
Xavier Lange
3bfad5ca73
Bump etcd to 3.2.4 ( #1468 )
2017-08-18 17:12:33 +03:00
Matthew Mosesohn
df28db0066
Fix cert and netchecker upgrade issues ( #1543 )
...
* Bump tag for upgrade CI, fix netchecker upgrade
netchecker-server was changed from pod to deployment, so
we need an upgrade hook for it.
CI now uses v2.1.1 as a basis for upgrade.
* Fix upgrades for certs from non-rbac to rbac
2017-08-18 15:46:22 +03:00
Jan Jungnickel
20183f3860
Bump Calico CNI Plugin to 1.8.0 ( #1458 )
...
This aligns calico component versions with Calico release 2.1.5 and
fixes an issue with nodes being unable to schedule existing workloads
as per [#349 ](https://github.com/projectcalico/cni-plugin/issues/349 )
2017-08-18 15:40:14 +03:00
Matthew Mosesohn
2645e88b0c
Fix vault setup partially ( #1531 )
...
This does not address per-node certs and scheduler/proxy/controller-manager
component certs which are now required. This should be handled in a
follow-up patch.
2017-08-18 15:09:45 +03:00
Vijay Katam
55ba81fee5
Add changed_when: false to rpm query
2017-08-14 12:31:44 -07:00
Brad Beam
af007c7189
Fixing netchecker-server type - pod => deployment ( #1509 )
2017-08-14 18:43:56 +03:00
Seungkyu Ahn
b22bef5cfb
Apply RBAC to efk and create fluentd.conf
...
Making fluentd.conf as configmap to change configuration.
Change elasticsearch rc to deployment.
Having installed previous elastaicsearch as rc, first should delete that.
2017-08-11 05:31:50 +00:00
Vijay Katam
7ad5523113
restrict rpm query to redhat
2017-08-10 13:49:14 -07:00
Brad Beam
1155008719
Merge pull request #1481 from magnon-bliex/fluentd-template-fix-typo
...
fixed typo in fluentd-ds.yml.j2
2017-08-10 08:19:59 -05:00
Vijay Katam
5efda3eda9
Configurable docker yum repos, systemd fix
...
* Make yum repos used for installing docker rpms configurable
* TasksMax is only supported in systemd version >= 226
* Change to systemd file should restart docker
2017-08-09 15:49:53 -07:00
Brad Beam
383d582b47
Merge pull request #1382 from jwfang/rbac
...
basic rbac support
2017-08-07 08:01:51 -05:00
Spencer Smith
6eacedc443
Merge pull request #1483 from delfer/patch-3
...
Update flannel from 0.6.2 to 0.8.0
2017-08-01 13:57:43 -04:00
Spencer Smith
e55f8a61cd
Merge pull request #1482 from bradbeam/fix1393
...
Removing run_once in these tasks so that etcd ca certs get propogated…
2017-07-31 13:47:18 -04:00
Spencer Smith
cb6892d2ed
Merge pull request #1469 from hzamani/etcd_metrics
...
Add etcd metrics flag
2017-07-31 09:04:07 -04:00
Spencer Smith
43eda8d878
Merge pull request #1471 from whereismyjetpack/fix_1447
...
add newline after expanding user information
2017-07-31 09:03:04 -04:00
nico
cc9f3ea938
Fix enforce-node-allocatable option
...
Closes #1228
pods is default enforcement
see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
add
update
2017-07-31 10:06:53 +02:00
Alexander Chumakov
8bc717a55c
Update flannel from 0.6.2 to 0.8.0
2017-07-29 10:54:31 +03:00
Brad Beam
d09222c900
Removing run_once in these tasks so that etcd ca certs get propogated properly to worker nodes
...
without this etcd ca certs dont exist on worker nodes causing calico to fail
2017-07-28 14:34:47 -05:00
magnon-bliex
38eb1d548a
fixed typo
2017-07-28 14:10:13 +09:00
Anton
e0960f6288
FIX: Unneded (extra) cycles in some tasks ( #1393 )
2017-07-27 20:46:21 +03:00
timtoum
3e457e4edf
Enable weave seed mode for kubespray ( #1414 )
...
* Enable weave seed mode for kubespray
* fix task Weave seed | Set peers if existing peers
* fix mac address variabilisation
* fix default values
* fix include seed condition
* change weave var to default values
* fix Set peers if existing peers
2017-07-26 19:09:34 +03:00
Dann Bohn
c4894d6092
add newline after expanding user information
2017-07-25 12:59:10 -04:00
Hassan Zamani
3fb0383df4
Add etcd metrics flag
2017-07-25 20:00:30 +04:30
Spencer Smith
ee36763f9d
Merge pull request #1464 from johnko/patch-4
...
set loadbalancer_apiserver_localhost default true
2017-07-25 10:00:56 -04:00
Spencer Smith
955c5549ae
Merge pull request #1402 from Lendico/fix_failed_when
...
"failed_when: false" and "|succeeded" checks for registered vars
2017-07-25 09:33:43 -04:00
Spencer Smith
4a34514b21
Merge pull request #1447 from whereismyjetpack/template_known_users
...
Template out known_users.csv, optionally add groups
2017-07-25 08:55:08 -04:00
Brad Beam
20f29327e9
Merge pull request #1379 from gdmello/etcd_data_dir_fix
...
Custom `etcd_data_dir` saves etcd data to host, not container
2017-07-20 09:30:18 -05:00
John Ko
018b5039e7
set loadbalancer_apiserver_localhost default true
...
to match this https://github.com/kubernetes-incubator/kubespray/blob/master/roles/kubernetes/node/tasks/main.yml#L20
and the documented behaviour in HA docs
related to #1456
@rsmitty
2017-07-20 10:27:05 -04:00
Spencer Smith
b5d3d4741f
Merge pull request #1454 from Abdelsalam-Abbas/higher_drain_timeout
...
higher the timeouts for draining nodes while upgrading kubernetes version
2017-07-19 10:39:33 -04:00
Spencer Smith
85c747d444
Merge pull request #1441 from bradbeam/1434
...
Adding recursive=true for rkt kubelet dir
2017-07-19 10:38:06 -04:00
Spencer Smith
927e6d89d7
Merge pull request #1435 from delfer/master
...
Kubernetes upgrade to 1.6.7
2017-07-19 05:23:38 -07:00
jwfang
3d87f23bf5
uncomment unintended local changes
2017-07-19 12:11:47 +08:00
jwfang
789910d8eb
remote unused netchecker-agent-hostnet-ds.j2
2017-07-17 19:29:59 +08:00
jwfang
a8e6a0763d
run netchecker-server with list pods
2017-07-17 19:29:59 +08:00
jwfang
e1386ba604
only patch system:kube-dns role for old dns
2017-07-17 19:29:59 +08:00
jwfang
83deecb9e9
Revert "no need to patch system:kube-dns"
...
This reverts commit c2ea8c588aa5c3879f402811d3599a7bb3ccab24.
2017-07-17 19:29:59 +08:00
jwfang
d8dcb8f6e0
no need to patch system:kube-dns
2017-07-17 19:29:59 +08:00
jwfang
552b2f0635
change authorization_modes default value
2017-07-17 19:29:59 +08:00
jwfang
0b3badf3d8
revert calico-related changes
2017-07-17 19:29:59 +08:00
jwfang
cea3e224aa
change authorization_modes default value
2017-07-17 19:29:59 +08:00
jwfang
1eaf0e1c63
rename task
2017-07-17 19:29:59 +08:00
jwfang
2cda982345
binding group system:nodes to clusterrole calico-role
2017-07-17 19:29:59 +08:00
jwfang
c9734b6d7b
run calico-policy-controller with proper sa/role/rolebinding
2017-07-17 19:29:59 +08:00
jwfang
fd01377f12
remove more bins when reset
2017-07-17 19:29:59 +08:00
jwfang
092bf07cbf
basic rbac support
2017-07-17 19:29:59 +08:00
Ubuntu
5145a8e8be
higher draining timeouts
2017-07-16 20:52:13 +00:00
Dann Bohn
d1f58fed4c
Template out known_users.csv, optionally add groups
2017-07-14 09:27:20 -04:00
Martin Joehren
12e918bd31
add possibility to ignore the hostname override
2017-07-13 14:04:39 +00:00
Brad Beam
637f445c3f
Merge pull request #1365 from AtzeDeVries/master
...
Give more control over IPIP, but with same default behaviour
2017-07-12 10:17:17 -05:00
Brad Beam
e0bf8b2aab
Adding recursive=true for rkt kubelet dir
...
Fixes #1434
2017-07-12 09:28:54 -05:00
Spencer Smith
c75b21a510
Merge pull request #1408 from amitkumarj441/patch-1
...
Remove deprecated 'enable-cri' flag in kubernetes 1.7
2017-07-11 08:56:14 -04:00
Delfer
9f45eba6f6
Kubernetes upgrade to 1.6.7
2017-07-11 09:11:55 +00:00
AtzeDeVries
e160018826
Fixed conflicts, ipip:true as defualt and added ipip_mode
2017-07-08 14:36:44 +02:00
Spencer Smith
d1a02bd3e9
match kubespray-defaults dns mode with k8s-cluster setting
2017-07-07 13:13:12 -04:00
Brad Beam
992023288f
Merge pull request #1319 from fieryvova/private-dns-server
...
Add private dns server for a specific zone
2017-07-06 15:02:54 -05:00
Spencer Smith
3ab90db6ee
Merge pull request #1411 from kevinjqiu/allow-calico-ipip-subnet-mode
...
Allow calico ipPool to be created with mode "cross-subnet"
2017-07-06 14:04:03 -04:00
Vladimir Kozyrev
e26be9cb8a
add private dns server for a specific zone
2017-07-06 16:30:47 +03:00
Spencer Smith
bba555bb08
Merge pull request #1346 from Starefossen/patch-1
...
Set kubedns minimum replicas to 2
2017-07-06 09:14:11 -04:00
Spencer Smith
4b0af73dd2
Merge pull request #1332 from gstorme/kube_apiserver_insecure_port
...
Use the kube_apiserver_insecure_port variable instead of static 8080
2017-07-06 09:06:50 -04:00
Spencer Smith
da72b8c385
Merge pull request #1391 from Abdelsalam-Abbas/master
...
Uncodron Masters which have scheduling Enabled
2017-07-06 09:06:02 -04:00
Spencer Smith
44079b7176
Merge pull request #1401 from Lendico/better_task_naming
...
Better naming for recurrent tasks
2017-07-06 09:01:07 -04:00
Kevin Jing Qiu
a742d10c54
Allow calico ipPool to be created with mode "cross-subnet"
2017-07-04 19:05:16 -04:00
Hans Kristian Flaatten
38f5d1b18e
Set kubedns minimum replicas to 2
2017-07-04 16:58:16 +02:00
Abdelsalam Abbas
5f75d4c099
Uncodron Masters which have scheduling Enabled
2017-07-03 15:30:21 +02:00
Amit Kumar Jaiswal
319a0d65af
Update kubelet.j2
...
Updated with closing endif.
2017-07-03 16:23:35 +05:30
Amit Kumar Jaiswal
3d2680a102
Update kubelet.j2
...
Updated!
2017-07-03 15:58:50 +05:30
Amit Kumar Jaiswal
c36fb5919a
Update kubelet.j2
...
Updated!!
2017-07-03 15:55:04 +05:30
Amit Kumar Jaiswal
46d3f4369e
Updated K8s version
...
Signed-off-by: Amit Kumar Jaiswal <amitkumarj441@gmail.com>
2017-07-03 04:06:42 +05:30
Martin Joehren
c2b3920b50
added flag for not populating inventory entries to etc hosts file
2017-06-30 16:41:03 +00:00
Spencer Smith
6e7323e3e8
Merge pull request #1398 from tanshanshan/fix-reset
...
clean files in reset roles
2017-06-30 07:59:44 -04:00
Spencer Smith
f085419055
Merge pull request #1388 from vgkowski/master
...
add six package to bootstrap role
2017-06-30 07:30:36 -04:00
Anton Nerozya
1fedbded62
ignore_errors instead of failed_when: false
2017-06-29 20:15:14 +02:00
Anton Nerozya
c8258171ca
Better naming for recurrent tasks
2017-06-29 19:50:09 +02:00
tanshanshan
007ee0da8e
fix reset
2017-06-29 14:45:15 +08:00
Brad Beam
5e1ac9ce87
Merge pull request #1354 from chadswen/kubedns-var-fix
...
kubedns consistency fixes
2017-06-27 22:26:46 -05:00
Brad Beam
a7cd08603e
Merge pull request #1384 from gdmello/etcd_backup_dir_fix
...
Make etcd_backup_prefix configurable.
2017-06-27 22:25:53 -05:00
Brad Beam
854cd1a517
Merge pull request #1380 from jwfang/max-dns
...
docker_dns_servers_strict to control docker_dns_servers rtrim
2017-06-27 21:15:12 -05:00
Spencer Smith
23565ebe62
Merge pull request #1356 from rsmitty/rename
...
Rename project to kubespray
2017-06-27 11:40:03 -04:00
Chad Swenson
8467bce2a6
Fix inconsistent kubedns version and parameterize kubedns autoscaler image vars
2017-06-27 10:19:31 -05:00
gdmelloatpoints
649654207f
mount the etcd data directory in the container with the same path as on the host.
2017-06-27 09:29:47 -04:00
gdmelloatpoints
3123502f4c
move etcd_backup_prefix
to new home.
2017-06-27 09:12:34 -04:00
vincent gromakowski
17d54cffbb
add six package to bootstrap role
2017-06-27 10:08:57 +02:00
Seungkyu Ahn
d5516a4ca9
Make kubedns up to date
...
Update kube-dns version to 1.14.2
https://github.com/kubernetes/kubernetes/pull/45684
2017-06-27 00:57:29 +00:00
gdmelloatpoints
4ba237c5d8
Make etcd_backup_prefix configurable. Ensures that backups can be stored on a different location other than ${HOST}/var/backups, say an EBS volume on AWS.
2017-06-26 09:42:30 -04:00
jwfang
ec2255764a
docker_dns_servers_strict to control docker_dns_servers rtrim
2017-06-26 17:29:12 +08:00
Abdelsalam Abbas
1a8e92c922
Fixing cordoning condition that cause fail for upgrading the cluster
2017-06-23 20:41:47 +02:00
gdmelloatpoints
5c1891ec9f
In the etcd container, the etcd data directory is always /var/lib/etcd. Reverting to this value, since etcd_data_dir
on the host maps to /var/lib/etcd
in the container.
2017-06-23 13:49:31 -04:00
Spencer Smith
bae5ce0bfa
Merge branch 'master' into rename
2017-06-23 12:23:51 -04:00
AtzeDeVries
61b74f9a5b
updated to direct control over ipip
2017-06-23 09:16:05 +02:00
AtzeDeVries
7332679678
Give more control over IPIP, but with same default behaviour
2017-06-20 14:50:08 +02:00
Seungkyu Ahn
91dff61008
Fixed helm bash complete
2017-06-19 15:33:50 +09:00
Spencer Smith
8203383c03
rename almost all mentions of kargo
2017-06-16 13:25:46 -04:00
Gregory Storme
fff0aec720
add configurable parameter for etcd_auto_compaction_retention
2017-06-14 10:39:38 +02:00
Brad Beam
b73786c6d5
Merge pull request #1335 from bradbeam/imagerepo
...
Set default value for kube_hyperkube_image_repo
2017-06-12 09:46:17 -05:00
Gregory Storme
266ca9318d
Use the kube_apiserver_insecure_port variable instead of static 8080
2017-06-12 09:20:59 +02:00
Brad Beam
db3e8edacd
Fixing up vault variables
2017-06-08 16:15:33 -05:00
Brad Beam
6e41634295
Set default value for kube_hyperkube_image_repo
...
Fixes #1334
2017-06-08 12:22:16 -05:00
Brad Beam
780308c194
Merge pull request #1174 from jlothian/atomic-docker-restart
...
Fix docker restart in atomic
2017-06-07 12:05:32 -05:00
Brad Beam
696fd690ae
Merge pull request #1092 from bradbeam/rkt_docker
...
Adding flag for docker container in kubelet w/ rkt
2017-06-06 12:58:40 -05:00
Spencer Smith
01c0ab4f06
check if cloud_provider is defined
2017-05-31 08:24:24 -04:00
Spencer Smith
7220b09ff9
Merge pull request #1315 from rsmitty/hostnames-upgrade
...
Resolve upgrade issues
2017-05-30 11:40:19 -04:00
Spencer Smith
56b86bbfca
inventory hostname for cordoning/uncordoning
2017-05-26 17:47:25 -04:00
Spencer Smith
7e2aafcc76
add direct path for cert in AWS with RHEL family
2017-05-26 17:32:50 -04:00
Justin Hunthrop
af55e179c7
adding --skip-exists flag for peer_with_router
2017-05-25 14:29:18 -05:00
zoues
43408634bb
Merge branch 'master' into master
2017-05-23 09:32:28 +08:00
zouyee
d47fce6ce7
upgrade k8s version to 1.6.4
2017-05-23 09:30:03 +08:00
Matthew Mosesohn
9e64267867
Merge pull request #1293 from mattymo/kubelet_host_mode
...
Add host-based kubelet deployment
2017-05-19 18:07:39 +03:00
Josh Lothian
7ae5785447
Removed the other unused handler
...
With live-restore: true, we don't need a special docker restart
2017-05-19 09:50:10 -05:00
Josh Lothian
ef8d3f684f
Remove unused handler
...
Previous patch removed the step that sets live-restore
back to false, so don't try to notify that handler any more
2017-05-19 09:45:46 -05:00
Matthew Mosesohn
cc6e3d14ce
Add host-based kubelet deployment
...
Kubelet gets copied from hyperkube container and run locally.
2017-05-19 16:54:07 +03:00
Spencer Smith
005b01bd9a
Merge pull request #1299 from bradbeam/kubelet
...
Minor kubelet updates
2017-05-18 12:52:43 -04:00
Josh Lothian
6f67367b57
Leave 'live-restore' false
...
Leave live-restore false to updates always pick
up new network configuration
2017-05-17 14:31:49 -05:00
Josh Lothian
9ee0600a7f
Update handler names and explanation
2017-05-17 14:31:49 -05:00
Josh Lothian
30cc7c847e
Reconfigure docker restart behavior on atomic
...
Before restarting docker, instruct it to kill running
containers when it restarts.
Needs a second docker restart after we restore the original
behavior, otherwise the next time docker is restarted by
an operator, it will unexpectedly bring down all running
containers.
2017-05-17 14:31:49 -05:00
Josh Lothian
a5bb24b886
Fix docker restart in atomic
...
In atomic, containers are left running when docker is restarted.
When docker is restarted after the flannel config is put in place,
the docker0 interface isn't re-IPed because docker sees the running
containers and won't update the previous config.
This patch kills all the running containers after docker is stopped.
We can't simply `docker stop` the running containers, as they respawn
before we've got a chance to stop the docker daemon, so we need to
use runc to do this after dockerd is stopped.
2017-05-17 14:31:49 -05:00
Brad Beam
b999ee60aa
Fixing typo in kubelet cluster-dns and cluster-domain flags
2017-05-16 15:43:29 -05:00
Brad Beam
85afd3ef14
Removing old sysv reference
2017-05-16 15:28:39 -05:00
Spencer Smith
1907030d89
issue raw yum command since we don't have facts in bootstrapping
2017-05-16 10:07:38 -04:00
Spencer Smith
efa2dff681
remove conditional
2017-05-12 17:16:49 -04:00
Spencer Smith
31a7b7d24e
default to kubedns and set nxdomain in kubedns deployment if that's the dns_mode
2017-05-12 15:57:24 -04:00
moss2k13
791ea89b88
Updated helm installation
...
Added full path for helm
2017-05-08 09:27:06 +02:00
Spencer Smith
c572760a66
Merge pull request #1254 from iJanki/cert_group
...
Adding /O=system:masters to admin certificate
2017-05-05 10:58:42 -04:00
Brad Beam
69fc19f7e0
Merge pull request #1252 from adidenko/separate-tags-for-netcheck-containers
...
Add support for different tags for netcheck containers
2017-05-05 08:04:54 -05:00
Spencer Smith
b939c24b3d
Merge pull request #1250 from digitalrebar/master
...
bootstrap task on centos missing packages
2017-05-02 12:24:11 -04:00
Spencer Smith
3eb494dbe3
Merge pull request #1259 from bradbeam/calico214
...
Updating calico to v2.1.4
2017-05-02 12:20:47 -04:00
Spencer Smith
0afbc19ffb
ensure the /etc/os-release is mounted read only
2017-05-01 14:51:40 -04:00
Spencer Smith
ac9290f985
add for rkt as well
2017-04-28 17:45:10 -04:00
Brad Beam
a133ba1998
Updating calico to v2.1.4
2017-04-28 14:04:25 -05:00
Spencer Smith
5657738f7e
mount os-release to ensure the node's OS is what's seen in k8s api
2017-04-28 13:40:54 -04:00
Aleksandr Didenko
883ba7aa90
Add support for different tags for netcheck containers
...
Replace 'netcheck_tag' with 'netcheck_version' and add additional
'netcheck_server_tag' and 'netcheck_agent_tag' config options to
provide ability to use different tags for server and agent
containers.
2017-04-27 17:15:28 +02:00
Sergii Golovatiuk
674b71b535
Ansible 2.3 support
...
- Fix when clauses in various places
- Update requirements.txt
- Fix README.md
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-26 15:22:10 +02:00
Aleksey Kasatkin
2638ab98ad
add MY_NODE_NAME variable into netchecker-agent environment
2017-04-24 17:19:42 +03:00
Matthew Mosesohn
bc3068c2f9
Merge pull request #1251 from FengyunPan/fix-helm-home
...
Specify a dir and attach it to helm for HELM_HOME
2017-04-24 15:17:28 +03:00
FengyunPan
2bde9bea1c
Specify a dir and attach it to helm for HELM_HOME
2017-04-21 10:51:27 +08:00
Greg Althaus
041d4d666e
Install required selinux-python bindings in bootstrap
...
on centos. The bootstrap tty fixup needs it.
2017-04-20 11:17:01 -05:00
Spencer Smith
88b5065e7d
fix stray 'in' and break into multiple lines for clarity
2017-04-20 09:53:01 -04:00
Spencer Smith
b690008192
allow for correct aws default resolver
2017-04-20 09:32:03 -04:00
Matthew Mosesohn
2d6bc9536c
Merge pull request #1246 from holser/disable_dns_for_kube_services
...
Change DNS policy for kubernetes components
2017-04-20 16:12:52 +03:00
Sergii Golovatiuk
01dc6b2f0e
Add aws to default_resolver
...
When VPC is used, external DNS might not be available. This patch change
behavior to use metadata service instead of external DNS when
upstream_dns_servers is not specified.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:47:19 +02:00
Sergii Golovatiuk
d8aa2d0a9e
Change DNS policy for kubernetes components
...
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:22:57 +02:00
Matthew Mosesohn
19bb97d24d
Merge pull request #1238 from Starefossen/fix/namespace-template-file
...
Move namespace file to template directory
2017-04-20 12:19:55 +03:00
Matthew Mosesohn
9f4f168804
Merge pull request #1241 from bradbeam/rktcnidir
...
Explicitly create cni bin dir
2017-04-20 12:19:26 +03:00
Matthew Mosesohn
cf3083d68e
Merge pull request #1239 from mattymo/resettags
...
Add tags to reset playbook and make iptables flush optional
2017-04-20 11:35:08 +03:00
Sergii Golovatiuk
e796cdbb27
Fix restart kube-controller ( #1242 )
...
kubernetesUnitPrefix was changed to k8s_* in 1.5. This patch reflects
this change in kargo
2017-04-20 11:26:01 +03:00
Matthew Mosesohn
2d44582f88
Add tags to reset playbook and make iptables flush optional
...
Fixes #1229
2017-04-19 19:32:18 +03:00
Brad Beam
b60a897265
Explicitly create cni bin dir
...
If this path doesnt exist, it will cause kubelet to fail to start when
using rkt
2017-04-19 16:00:44 +00:00
Hans Kristian Flaatten
d68cfeed6e
Move namespace file to template directory
2017-04-19 13:37:02 +02:00
Spencer Smith
c3c9e955e5
Merge pull request #1232 from rsmitty/custom-flags
...
add ability for custom flags
2017-04-17 14:01:32 -04:00
Spencer Smith
72d5db92a8
remove stray spaces in templating
2017-04-17 12:24:24 -04:00
Spencer Smith
3f302c8d47
ensure spacing on string of flags
2017-04-17 12:13:39 -04:00
Spencer Smith
04a769bb37
ensure spacing on string of flags
2017-04-17 11:11:10 -04:00
Spencer Smith
f9d4a1c1d8
update to safeguard against accidentally passing string instead of list
2017-04-17 11:09:34 -04:00
Matthew Mosesohn
3e7db46195
Merge pull request #1233 from gbolo/master
...
allow admission control plug-ins to be easily customized
2017-04-17 12:59:49 +03:00
Matthew Mosesohn
e52aca4837
Merge pull request #1223 from mattymo/vault_cert_skip
...
Skip vault cert task evaluation when using script certs
2017-04-17 12:52:42 +03:00
Matthew Mosesohn
5ec503bd6f
Merge pull request #1222 from bradbeam/calico
...
Updating calico versions
2017-04-17 12:52:20 +03:00
gbolo
49be805001
allow admission control plug-ins to be easily customized
2017-04-16 22:03:45 -04:00
Spencer Smith
94596388f7
add ability for custom flags
2017-04-14 17:33:04 -04:00
Spencer Smith
5c4980c6e0
Merge pull request #1231 from holser/fix_netchecker-server
...
Reschedule netchecker-server in case of HW failure.
2017-04-14 10:50:07 -04:00
Matthew Mosesohn
d7b8fb3113
Update start_vault_temp.yml
2017-04-14 13:32:41 +03:00
Sergii Golovatiuk
45044c2d75
Reschedule netchecker-server in case of HW failure.
...
Pod opbject is not reschedulable by kubernetes. It means that if node
with netchecker-server goes down, netchecker-server won't be scheduled
somewhere. This commit changes the type of netchecker-server to
Deployment, so netchecker-server will be scheduled on other nodes in
case of failures.
2017-04-14 10:49:16 +02:00
Joe Duhamel
a9f260d135
Update dnsmasq-autoscaler
...
changed target to be a deployment rather than a replicationcontroller.
2017-04-13 15:07:06 -04:00
Joe Duhamel
072b3b9d8c
Update kubedns-autoscaler change target
...
The target was a replicationcontroller but kubedns is currently a deployment
2017-04-13 14:55:25 -04:00
Matthew Mosesohn
ae7f59e249
Skip vault cert task evaluation completely when using script cert generation
2017-04-13 19:29:07 +03:00
Brad Beam
bce1c62308
Updating calico versions
2017-04-11 20:52:04 -05:00
Spencer Smith
9b3aa3451e
Merge pull request #1218 from bradbeam/efkidempotent
...
Fixing resource type for kibana
2017-04-11 19:04:13 -04:00
Spencer Smith
436c0b58db
Merge pull request #1217 from bradbeam/helmcompletion
...
Excluding bash completion for helm on CoreOS
2017-04-11 17:34:11 -04:00
zouyee
0bcecae2a3
upgrade etcd version from v3.0.6 to v3.0.17
2017-04-11 10:42:35 +08:00
Brad Beam
bd130315b6
Excluding bash completion for helm on CoreOS
2017-04-10 11:07:15 -05:00
Brad Beam
504711647e
Fixing resource type for kibana
2017-04-10 11:01:12 -05:00
Antoine Legrand
ab12b23e6f
Merge pull request #1173 from bradbeam/dockerlogs
...
Setting defaults for docker log rotation
2017-04-09 11:50:01 +02:00
Matthew Mosesohn
1c45d37348
Update kubelet.j2
2017-04-06 22:59:18 +03:00
Matthew Mosesohn
b521255ec9
Unbreak 1.5 deployment with kubelet
...
1.5 kubelet fails to start when using unknown params
2017-04-06 21:07:48 +03:00
Matthew Mosesohn
75ea001bfe
Merge pull request #1208 from mattymo/1.6-flannel
...
Update to k8s 1.6 with flannel and centos fixes
2017-04-06 13:04:02 +03:00
Matthew Mosesohn
ff2fb9196f
Fix flannel for 1.6 and apply fixes to enable containerized kubelet
2017-04-06 10:06:21 +04:00
Matthew Mosesohn
acae0fe4a3
Merge pull request #1205 from holser/resolv_updates
...
Refactoring resolv.conf
2017-04-05 14:22:52 +03:00
Matthew Mosesohn
ccc11e5680
Upgrade to Kubernetes 1.6.1
2017-04-05 13:26:36 +03:00
Sergii Golovatiuk
2670eefcd4
Refactoring resolv.conf
...
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-05 09:28:01 +02:00
Matthew Mosesohn
c0cae9e8a0
Merge pull request #1204 from mattymo/resolvconf-nodes
...
Restart kubelet when updating /etc/resolv.conf on all k8s nodes
2017-04-04 22:03:44 +03:00
Matthew Mosesohn
f8cf6b4f7c
Merge pull request #1186 from holser/resolv_conf
...
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
2017-04-04 20:49:55 +03:00
Matthew Mosesohn
a29182a010
Restart kubelet when updating /etc/resolv.conf on all k8s nodes
2017-04-04 20:43:47 +03:00
Sergii Golovatiuk
1cfe0beac0
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
...
In kubernetes 1.6 ClusterFirstWithHostNet was added as an option. In
accordance to it kubelet will generate resolv.conf based on own
resolv.conf. However, this doesn't create 'options', thus the proper
solution requires some investigation.
This patch sets the same resolv.conf for kubelet as host
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-04 16:34:13 +02:00
Matthew Mosesohn
798f90c4d5
Merge pull request #1153 from mattymo/graceful_drain
...
Move graceful upgrade test to Ubuntu canal HA, adjust drain
2017-04-04 17:33:53 +03:00
Matthew Mosesohn
f8d44a8a88
Merge pull request #1200 from mattymo/issue1190
...
Fix multiline condition for k8s check certs
2017-04-04 15:48:05 +03:00
Matthew Mosesohn
b4d06ff8dd
Add /var/lib/cni to kubelet
...
Necessary to persist this directory for host-local IPAM used by Canal
Add pre-upgrade task to copy /var/lib/cni out of old kubelet.
2017-04-03 19:38:24 +03:00
Matthew Mosesohn
7581705007
Merge pull request #1185 from intelsdi-x/hostname
...
Use hostname module to set hostname, and do it for all Os not only Co…
2017-04-03 19:01:12 +03:00
Matthew Mosesohn
5a5707159a
Fix multiline condition for k8s check certs
...
Fixes #1190
2017-04-03 17:44:55 +03:00
Matthew Mosesohn
742a1681ce
Merge pull request #1166 from rogerwelin/master
...
add iptables --flush to reset role
2017-04-03 17:25:10 +03:00
Matthew Mosesohn
fba9b9cb65
Merge pull request #1182 from artem-panchenko/bumpCalicoPolicyControllerVersion
...
Bump calico policy controller version
2017-04-03 17:21:52 +03:00
Paweł Skrzyński
61b2d7548a
Use hostname module to set hostname, and do it for all Os not only CoreOS
2017-04-03 15:09:33 +02:00
Matthew Mosesohn
80828a7c77
use etcd2 when upgrading unless forced
2017-04-03 15:07:42 +03:00
Matthew Mosesohn
f5af86c9d5
Merge pull request #1194 from adidenko/fix-sync_certs
...
Fix multiline when condition in sync_certs task
2017-03-31 17:39:40 +03:00
Aleksandr Didenko
58acbe7caf
Fix multiline when condition in sync_certs task
...
Folded style in multiline 'when' condition causes error with
unexpected ident. Changing it to literal style should fix
the issue.
Closes #1190
2017-03-30 22:21:04 +02:00
Spencer Smith
355b92d7ba
Merge pull request #1170 from jlothian/atomic-docker-network
...
1169 - fix docker systemd unit
2017-03-30 13:13:28 -07:00
Matthew Mosesohn
d42e4f2344
Update .gitlab-ci.yml
2017-03-30 12:19:15 +04:00
Matthew Mosesohn
fb467df47c
fix etcd restart
2017-03-29 23:22:49 +04:00
Matthew Mosesohn
48beef25fa
delete master containers forcefully
2017-03-27 19:08:22 +03:00
Matthew Mosesohn
a3f568fc64
restart scheduler and controller-manager too
2017-03-27 13:51:35 +03:00
Matthew Mosesohn
57ee304260
ensure post-upgrade purge ones only once
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
0794a866a7
switch debian8-canal-ha to ubuntu
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
49e4d344da
move network plugins out of grouped upgrades
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
6e505c0c3f
Fix delegate tasks for kubectl and etcdctl
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
e9a294fd9c
Significantly reduce memory requirements
...
Canal runs more pods and upgrades need a bit of extra
room to load new pods in and get the old ones out.
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
44d851d5bb
Only cordon Ready nodes
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
c1b9660ec8
Move graceful upgrade test to debian canal HA, adjust drain
...
Graceful upgrades require 3 nodes
Drain now has a command timeout of 40s
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
c2c334d22f
Merge pull request #1181 from holser/refactor_etcd
...
Refactor etcd role
2017-03-27 13:05:35 +03:00
Sergii Golovatiuk
f144fd1ed3
Refactor etcd role
...
- Run docker run from script rather than directly from systemd target
- Refactoring styling/templates
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-24 12:34:15 +01:00
Artem Panchenko
e96557f410
Bump calico policy controller version
...
Latest released version of kube-policy-controller
contains important bug fixes and should be used
by default.
2017-03-24 12:13:09 +02:00
Matthew Mosesohn
b2af19471e
Merge pull request #1177 from rutsky/replace-nbsp
...
replace non-breakable space with regular space
2017-03-23 12:59:45 +03:00
Matthew Mosesohn
6805d0ff2b
Merge pull request #1179 from kubernetes-incubator/missing_defaults
...
Add missing defaults
2017-03-23 12:16:13 +03:00
Antoine Legrand
6e1de9d820
Add missing defaults
2017-03-23 10:05:34 +01:00
Vladimir Rutsky
c4e57477fb
replace non-breakable space with regular space
...
Non-brekable space is 0xc2 0xa0 byte sequence in UTF-8.
To find one:
$ git grep -I -P '\xc2\xa0'
To replace with regular space:
$ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g'
This commit doesn't include changes that will overlap with commit f1c59a91a1
.
2017-03-23 00:25:01 +03:00
Matthew Mosesohn
5f082bc0e5
Merge pull request #1172 from mattymo/dnsmasq_upgrade
...
Use checksum of dnsmasq config to trigger updates of dnsmasq
2017-03-22 18:00:10 +03:00
Matthew Mosesohn
0e3b7127b5
Merge pull request #1167 from mattymo/dnsmasq_when_deploying_master
...
Change wait for dnsmasq to skip if there are no kube-nodes in play
2017-03-22 17:59:56 +03:00
Brad Beam
5d3414a40b
Setting defaults for docker log rotation
2017-03-22 09:40:10 -04:00
Roger Welin
f4638c7580
add iptables --flush to reset role
2017-03-22 11:10:24 +01:00
Matthew Mosesohn
8b0b500c89
Use checksum of dnsmasq config to trigger updates of dnsmasq
...
Allows config changes made by Ansible to restart dnsmasq deployment
2017-03-22 13:03:55 +03:00
Josh Lothian
5e2f78424f
1169 - fix docker systemd unit
...
The docker-network environment file masks the new values
put into /etc/systemd/system/docker.service.d/flannel-options.conf
to renumber the docker0 to work correctly with flannel.
2017-03-21 15:22:14 -05:00
Matthew Mosesohn
1887e984a0
Change wait for dnsmasq to skip if there are no kube-nodes in play
...
Also changed unnecessary delay to a max timeout (now defaulting to 1s sleep
between tries)
Also rename play_hosts to ansible_play_hosts
2017-03-21 18:55:22 +03:00
Matthew Mosesohn
cd429d3654
Merge pull request #1159 from holser/etcd_backup_restore
...
Backup etcd
2017-03-21 13:07:44 +03:00
Matthew Mosesohn
0f64f8db90
Merge pull request #1155 from mattymo/helm
...
Add helm deployment
2017-03-20 17:00:06 +03:00
Sergii Golovatiuk
c04a6254b9
Backup etcd data before restarting etcd
...
etcd is crucial part of kubernetes cluster. Ansible restarts etcd on
reconfiguration. Backup helps operator to restore cluster manually in
case of any issues.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-20 14:50:52 +01:00
Matthew Mosesohn
939c1def5d
Merge pull request #1152 from mattymo/redhat_weave
...
Fix weave on RHEL deployment
2017-03-19 16:45:20 +03:00
Matthew Mosesohn
b7ab80e8ea
Merge pull request #1149 from mattymo/centos-retries
...
Retry yum/apt/rpm download commands
2017-03-18 11:12:36 +03:00
Matthew Mosesohn
b69d4b0ecc
Add helm deployment
2017-03-17 20:24:41 +03:00
Matthew Mosesohn
7760c3e4aa
Retry yum/apt/rpm download commands, fix succeeded filter
2017-03-17 18:56:26 +03:00
Matthew Mosesohn
3cfb76e57f
Merge pull request #1146 from mattymo/resolvconf_optimize
...
Condense resolvconf sources before starting loop
2017-03-17 18:42:32 +03:00
Matthew Mosesohn
e1faeb0f6c
Fix weave on RHEL deployment
...
Reduce retry delay checking weave
Always load br_netfilter module
2017-03-17 18:17:47 +03:00
Matthew Mosesohn
25bff851dd
Merge pull request #1136 from adidenko/fix-calico-policy-order
...
Move calico-policy-controller into separate role
2017-03-17 17:32:14 +03:00
Aleksandr Didenko
3a39904011
Move calico-policy-controller into separate role
...
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.
K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.
This patch also fixes kube-api port in calico-policy-controller
yaml template.
Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn
a52064184e
Condense resolvconf sources before starting loop
2017-03-17 13:06:56 +03:00
Matthew Mosesohn
0b49eeeba3
Update calico to 1.1.0-rc8
...
Fixes bug in CentOS/RHEL in felix related to overlayfs driver.
2017-03-16 19:23:36 +03:00
Matthew Mosesohn
b0830f0cd7
Merge pull request #1087 from bradbeam/openstack
...
Adding openstack domain id
2017-03-16 17:53:14 +03:00
Matthew Mosesohn
565d4a53b0
Merge pull request #1108 from idcrook/issue_1107-docker-versioning
...
Adding Docker CE 'stable' and 'edge' version packages
2017-03-16 16:32:13 +03:00
Matthew Mosesohn
8195957461
Merge branch 'master' into idempotency2
2017-03-16 09:29:43 +03:00
Matthew Mosesohn
02fed4a082
Merge pull request #1138 from mattymo/idempotency-fixes
...
Idempotency fixes for etcd certs and resolvconf tasks
2017-03-16 09:20:28 +03:00
Matthew Mosesohn
a422ad0d50
More idempotency fixes
...
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
2017-03-15 19:06:39 +03:00
Matthew Mosesohn
096d96e344
Merge pull request #1137 from holser/bug/1135
...
Turn on iptables for flannel
2017-03-15 17:06:42 +03:00
Matthew Mosesohn
4354162067
Merge pull request #1080 from VincentS/Granular_Auth_Control
...
Granular authentication Control
2017-03-15 13:12:51 +03:00
Matthew Mosesohn
a62a444229
Merge pull request #1117 from mattymo/etcd3-upgrade
...
Migrate k8s data to etcd3 api store
2017-03-15 12:56:06 +03:00
Matthew Mosesohn
f6b72fa830
Make resolvconf preinstall idempotent
2017-03-15 01:20:13 +04:00
Sergii Golovatiuk
9667e8615f
Turn on iptables for flannel
...
Closes : #1135
Closes : #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-14 17:54:55 +01:00
Vincent Schwarzer
026da060f2
Granular authentication Control
...
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.
The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Matthew Mosesohn
3feab1cb2d
Merge pull request #1134 from mattymo/1.6-support
...
Explicitly set cni-bin-dir
2017-03-14 17:53:08 +03:00
Matthew Mosesohn
804e9a09c0
Migrate k8s data to etcd3 api store
...
Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data
2017-03-14 17:50:20 +03:00
Matthew Mosesohn
4c6829513c
Fix etcd idempotency
2017-03-14 17:23:29 +03:00
Matthew Mosesohn
4038954f96
Merge pull request #1078 from VincentS/oidc_support
...
Added Support for OpenID Connect Authentication
2017-03-14 12:07:21 +03:00
Matthew Mosesohn
52a6dd5427
Explicitly set cni-bin-dir
2017-03-13 20:13:21 +03:00
Matthew Mosesohn
c301dd5d94
Merge pull request #1118 from mattymo/noderolelabels
...
Add node labels in kubelet
2017-03-13 19:04:21 +03:00
Cesarini, Daniele
69636d2453
Adding /O=system:masters to admin certificate
...
Issue #1125 . Make RBAC authorization plugin work out of the box.
"When bootstrapping, superuser credentials should include the system:masters group, for example by creating a client cert with /O=system:masters. This gives those credentials full access to the API and allows an admin to then set up bindings for other users."
2017-03-08 14:42:25 +00:00
David Crook
a52e1069ce
updated debian and ubuntu package names based on testing
...
docker-ce is not the .deb package until the repositories are switched over to new "downloads" docker webserver
2017-03-06 16:54:39 -07:00
David Crook
a8e5002aeb
removed irrelevant comments
2017-03-06 16:02:53 -07:00
David Crook
c515a351c6
Merge branch 'master' into issue_1107-docker-versioning
2017-03-06 16:00:31 -07:00
Brad Beam
d04fbf3f78
Removing cloud_provider tag to fix scenario where cloud_provider is not defined
2017-03-06 10:52:38 -06:00
Matthew Mosesohn
54207877bd
Add node labels in kubelet
...
Related-issue: https://github.com/kubernetes/community/issues/300
Upgraded nodes do not obtain labels automatically.
See https://github.com/kubernetes/kubernetes/pull/29459 for more details.
2017-03-06 17:18:42 +03:00
Vincent Schwarzer
b075960e3b
Added Support for OpenID Connect Authentication
...
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Antoine Legrand
85596c2610
Merge pull request #1045 from bradbeam/vsphere
...
Adding vsphere cloud provider support
2017-03-06 12:34:05 +01:00
Antoine Legrand
ee5f009b95
Merge pull request #1112 from mattymo/skip_vault_if_disabled
...
Disable vault role properly on ansible 2.2.0
2017-03-06 11:27:53 +01:00
Matthew Mosesohn
45274560ec
Disable vault role properly on ansible 2.2.0
...
when condition does not seem to work correctly at playbook
level for ansible 2.2.0.
2017-03-05 00:43:01 +04:00
Matthew Mosesohn
02a8e78902
Remove standalone etcd specific play, cleanup host mode
...
Now etcd role can optionally disable etcd cluster setup for faster
deployment when it is combined with etcd role.
2017-03-04 00:34:26 +04:00
Matthew Mosesohn
8f3d9e93ce
Merge pull request #1111 from mattymo/use_find_for_certs
...
Use find module for checking for certificates
2017-03-03 20:08:33 +03:00
Matthew Mosesohn
d176818c44
Use find module for checking for certificates
...
Also generate certs only when absent on master (rather than
when absent on target node)
2017-03-03 16:21:01 +03:00
Bogdan Dobrelya
aeec0f9a71
Merge pull request #1071 from vijaykatam/atomic_host
...
Add support for atomic host
2017-03-03 13:03:59 +01:00
Matthew Mosesohn
08a02af833
Merge pull request #1075 from VincentS/loadbalancer_aws
...
Possibility to add Loadbalancers without static IP (e.g. AWS ELB) #1074
2017-03-03 14:07:22 +03:00
David Crook
3f4a375ac4
first pass at adding 'stable' and 'edge' version packages
...
- Only have ubuntu to test on
- fedora and redhat are placeholders/guesses
- the "old" package repositories seem to have the "new" CE version which is `1.13.1` based
- `docker-ce` looks like it is named as a backported `docker-engine` package in some
places
- Did not change the `defaults` version anywhere, so should work as before
- Did not point to new package repositories, as existing ones have the new packages.
2017-03-02 13:48:09 -07:00
Matthew Mosesohn
5ebc9a380c
Merge pull request #1060 from holser/etcdv3
...
Allow to specify etcd backend for kube-api
2017-03-02 17:24:09 +03:00
Matthew Mosesohn
6453650895
Merge pull request #1093 from mattymo/scaledns
...
Add autoscalers for dnsmasq and kubedns
2017-03-02 16:58:56 +03:00
Matthew Mosesohn
9cb12cf250
Add autoscalers for dnsmasq and kubedns
...
By default kubedns and dnsmasq scale when installed.
Dnsmasq is no longer a daemonset. It is now a deployment.
Kubedns is no longer a replicationcluster. It is now a deployment.
Minimum replicas is two (to enable rolling updates).
Reduced memory erquirements for dnsmasq and kubedns
2017-03-02 13:44:22 +03:00
Vincent Schwarzer
68e8d74545
Changes based on feedback (additional ansible checks)
2017-03-02 11:04:10 +01:00
Vincent Schwarzer
fc054e21f6
Modified how adding LB for the Kube API is handled (AWS)
...
Until now it was not possible to add an API Loadbalancer
without an static IP Address. But certain Loadbalancers
like AWS Elastic Loadbalanacer dontt have an fixed IP address.
With this commit it is possible to add these kind of Loadbalancers
to the Kargo deployment.
2017-03-02 11:04:10 +01:00
Matthew Mosesohn
efbb5b2db3
Merge pull request #1101 from retr0h/docker-1.13.1
...
Use docker-engine 1.13.1
2017-03-02 12:31:58 +03:00
John Dewey
a43569c8a5
Use docker-engine 1.13.1
...
The default version of Docker was switched to 1.13 in #1059 . This
change also bumped ubuntu from installing docker-engine 1.13.0 to
1.13.1. This PR updates os families which had 1.13 defined, but
were using 1.13.0.
The impetus for this change is an issue running tiller 1.2.3 on
docker 1.13.0. See discussion [1][2].
[1] https://github.com/kubernetes/helm/issues/1838
[2] https://github.com/kubernetes-incubator/kargo/pull/1100
2017-03-01 12:53:39 -08:00
Matthew Mosesohn
a5cd73d047
Merge pull request #959 from galthaus/host-mode-restart
...
Restart kube-controller for host_resolvconf mode
2017-03-01 20:54:21 +03:00
Vijay Katam
a0b1eda1d0
Add support for atomic host
...
Updates based on feedback
Simplify checks for file exists
remove invalid char
Review feedback. Use regular systemd file.
Add template for docker systemd atomic
2017-03-01 09:38:19 -08:00
Antoine Legrand
77e5171679
Merge pull request #1076 from VincentS/etcd_openssl_count_fix
...
Fixed counter in ETCD Openssl.conf
2017-03-01 14:17:27 +01:00
Bogdan Dobrelya
0c66418dad
Merge pull request #1090 from artem-panchenko/calicoAcceptHostEndpointConnections
...
Allow connections from pods to local endpoints
2017-03-01 13:37:05 +01:00
Artem Panchenko
fa05d15093
Allow connections from pods to local endpoints
...
By default Calico blocks traffic from endpoints
to the host itself by using an iptables DROP
action. It could lead to a situation when service
has one alive endpoint, but pods which run on
the same node can not access it. Changed the action
to RETURN.
2017-03-01 09:21:02 +02:00
Matthew Mosesohn
cbaa6abdd0
Merge pull request #1066 from bradbeam/rkt-kubelet-cloudprovider
...
Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service
2017-02-28 20:02:56 +03:00
Sergii Golovatiuk
295103adc0
Allow to specify etcd backend for kube-api
...
Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue uses it
until user decides to upgrade to v3.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 17:13:22 +01:00
Sergii Golovatiuk
d31c040dc0
Change kube-api default port from 443 to 6443
...
Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.
Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 15:45:35 +01:00
Brad Beam
8a63b35f44
Adding flag for docker container in kubelet w/ rkt
2017-02-28 07:55:12 -06:00
Brad Beam
bfff06d402
Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service
2017-02-28 06:29:35 -06:00
Matthew Mosesohn
21d3d75827
Merge pull request #1086 from bradbeam/lowermem
...
Lower default memory requests
2017-02-28 13:37:28 +03:00
Brad Beam
30a9899262
Making openstack domain name optional
2017-02-27 21:19:27 -06:00
Xavier Lange
dd10b8a27c
Bug fix: support kilo's keystone requirement for domain-name, extracts from ENV var
2017-02-27 21:18:30 -06:00
Brad Beam
dbf13290f5
Updating vsphere cloud provider support
2017-02-27 15:08:04 -06:00
Sergii Golovatiuk
f9ff93c606
Make etcd data dir configurable.
...
Closes : #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-27 21:35:51 +01:00
Jan Jungnickel
df476b0088
Initial support for vsphere as cloud provider
2017-02-27 12:51:41 -06:00
Brad Beam
56664b34a6
Lower default memory requests
...
This is to address out of memory issues on CI as well as help
fit deployments for people starting out with kargo on smaller
machines
2017-02-27 10:53:43 -06:00
Vincent Schwarzer
0cbc3d8df6
Fixed counter in ETCD Openssl.conf
...
When a apiserver_loadbalancer_domain_name is added to the Openssl.conf
the counter gets not increased correctly. This didnt seem to have an
effect at the current kargo version.
2017-02-27 12:01:09 +01:00
Bogdan Dobrelya
27b4e61c9f
Merge pull request #946 from neith00/master
...
Using the command module instead of raw
2017-02-27 10:59:53 +01:00
Bogdan Dobrelya
069606947c
Merge pull request #1063 from bogdando/fix
...
Align LB defaults with the HA docs
2017-02-27 10:14:42 +01:00
Sergii Golovatiuk
00cfead9bb
Increase SSL TTL to 3650 days
...
In real scenarios 365 days is short period of time. 3650 days is good
enough for long running k8s environments
2017-02-24 15:38:13 +01:00
Antoine Legrand
c7d61af332
Comment all variables in group_vars
2017-02-23 14:02:57 +01:00
Antoine Legrand
5f7607412b
Add default var role
2017-02-23 12:07:17 +01:00
Bogdan Dobrelya
f2a4619c57
Align LB defaults with the HA docs
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 10:32:44 +01:00
Bogdan Dobrelya
712872efba
Rework inventory all by real groups' vars
...
* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-02-23 09:43:42 +01:00
Matthew Mosesohn
8cbf3fe5f8
Merge pull request #1020 from mattymo/synthscale
...
Add synthetic scale deployment mode
2017-02-22 19:15:46 +03:00
Matthew Mosesohn
02137f8cee
Merge pull request #1059 from holser/docker_iptables
...
iptables switch for docker
2017-02-22 08:23:58 +03:00
Ivan Shvedunov
0006e5ab45
Fix shell special vars
2017-02-21 22:22:40 +03:00
Matthew Mosesohn
d821448e2f
Merge branch 'master' into synthscale
2017-02-21 22:17:43 +03:00
Sergii Golovatiuk
3bd46f7ac8
Switch docker to 1.13
...
- Remove variable dup for Ubuntu
- Update Docker to 1.13
2017-02-21 19:10:34 +01:00
Matthew Mosesohn
0afadb9149
Merge pull request #1046 from skyscooby/pedantic-syntax-cleanup
...
Cleanup legacy syntax, spacing, files all to yml
2017-02-21 17:03:16 +03:00
Matthew Mosesohn
d4f15ab402
Merge pull request #1055 from mattymo/etcd-preupgrade-speedup
...
speed up etcd preupgrade check
2017-02-21 12:51:42 +03:00
Matthew Mosesohn
527e030283
Merge pull request #1058 from holser/update_calico_cni
...
Update calico-cni to 1.5.6
2017-02-20 23:09:47 +03:00
Matthew Mosesohn
042d094ce7
Merge pull request #1034 from rutsky/fix-openssl-lb-index
...
fix load balancer DNS name index evaluation in openssl.conf
2017-02-20 20:23:26 +03:00
Matthew Mosesohn
3cc1491833
Merge branch 'master' into pedantic-syntax-cleanup
2017-02-20 20:19:38 +03:00
Matthew Mosesohn
d19e6dec7a
speed up etcd preupgrade check
2017-02-20 20:18:10 +03:00
Sergii Golovatiuk
a2cbbc5c4f
Update calico-cni to 1.5.6
...
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-20 17:14:45 +01:00
Abel Lopez
0bfc2d0f2f
Safe disable SELinux
...
Sometimes, a sysadmin might outright delete the SELinux rpms and
delete the configuration. This causes the selinux module to fail
with
```
IOError: [Errno 2] No such file or directory: '/etc/selinux/config'\n",
"module_stdout": "", "msg": "MODULE FAILURE"}
```
This simply checks that /etc/selinux/config exists before we try
to set it Permissive.
Update from feedback
2017-02-18 11:54:25 -08:00
Matthew Mosesohn
475a42767a
Suppress logging for download image
...
This generates too much output and during upgrade scenarios
can bring us over the 4mb limit.
2017-02-18 19:10:26 +04:00
Matthew Mosesohn
a21eb036ee
Add no_log to cert tar tasks
...
This works around 4MB limit for gitlab CI runner.
2017-02-18 14:09:57 +04:00
Matthew Mosesohn
9c1701f2aa
Add synthetic scale deployment mode
...
New deploy modes: scale, ha-scale, separate-scale
Creates 200 fake hosts for deployment with fake hostvars.
Useful for testing certificate generation and propagation to other
master nodes.
Updated test cases descriptions.
2017-02-18 14:09:55 +04:00
Andrew Greenwood
fd17c37feb
Regex syntax changes in yml mode
2017-02-17 17:30:39 -05:00
Andrew Greenwood
cde5451e79
Syntax Bugfix
2017-02-17 17:08:44 -05:00
Andrew Greenwood
ca9ea097df
Cleanup legacy syntax, spacing, files all to yml
...
Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks
Cleanup some spacing in various files
Rename some files named yaml to yml for consistancy
2017-02-17 16:22:34 -05:00
Antoine Legrand
b84cc14694
Merge pull request #1029 from mattymo/graceful
...
Add graceful upgrade process
2017-02-17 21:24:32 +01:00
Antoine Legrand
e16ebcad6e
Merge pull request #1042 from holser/fix_facts
...
Fix fact tags
2017-02-17 17:56:29 +01:00
Sergii Golovatiuk
e91e58aec9
Fix fact tags
...
Ansible playbook fails when tags are limited to "facts,etcd" or to
"facts". This patch allows to run ansible-playbook to gather facts only
that don't require calico/flannel/weave components to be verified. This
allows to run ansible with 'facts,bootstrap-os' or just 'facts' to
gether facts that don't require specific components.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-17 12:32:33 +01:00
Antoine Legrand
3629b9051d
Merge pull request #1038 from rutsky/kubelet-mount-var-log
...
Mount host's /var/log into kubelet container
2017-02-17 10:26:12 +01:00
Antoine Legrand
4545114408
Merge pull request #1037 from mattymo/coreos_fix
...
Fix references to CoreOS and Container Linux by CoreOS
2017-02-17 10:21:14 +01:00
Vladimir Rutsky
bff955ff7e
Mount host's /var/log into kubelet container
...
Kubelet is responsible for creating symlinks from /var/lib/docker to /var/log
to make fluentd logging collector work.
However without using host's /var/log those links are invisible to fluentd.
This is done on rkt configuration too.
2017-02-16 22:31:05 +03:00
Matthew Mosesohn
80c0e747a7
Fix references to CoreOS and Container Linux by CoreOS
...
Fixes #967
2017-02-16 19:25:17 +03:00
Matthew Mosesohn
617edda9ba
Adjust weave daemonset for serial deployment
2017-02-16 18:24:30 +03:00
Vladimir Rutsky
7ab04b2e73
fix typo in "kibana_base_url" variable name
...
This typo lead to kibana_base_url being undefined and Kibana used
default base URL ("/") which is incorrect with default proxy-based
access.
2017-02-16 18:17:06 +03:00
Matthew Mosesohn
97ebbb9672
Add graceful upgrade process
...
Based on #718 introduced by rsmitty.
Includes all roles and all options to support deployment of
new hosts in case they were added to inventory.
Main difference here is that master role is evaluated first
so that master components get upgraded first.
Fixes #694
2017-02-16 17:18:38 +03:00
Vladimir Rutsky
a1ec6f401c
fix load balancer DNS name index evaluation in openssl.conf
...
Looks like OpenSSL still properly handles it, even with duplicated
"DNS.X" items.
2017-02-16 00:16:13 +03:00
Matthew Mosesohn
d92d955aeb
Merge pull request #985 from rutsky/check-mode-for-shell-commands
...
set "check_mode: on" for read-only "shell" steps that registers result
2017-02-15 17:53:41 +03:00
Spencer Smith
fbaef7e60f
specify grace period for draining
2017-02-14 18:51:13 +03:00
Spencer Smith
017a813621
first cut of an upgrade process
2017-02-14 18:51:13 +03:00
Brad Beam
4c891b8bb0
Adding support for proxy w/ rkt kubelet
2017-02-14 08:09:49 -06:00
Matthew Mosesohn
948d9bdadb
Merge pull request #1019 from mattymo/issue1011
...
Update calico to v1.0.2
2017-02-14 14:01:25 +03:00
Matthew Mosesohn
b7258ec3bb
Merge pull request #1013 from mattymo/remove_masqerade_all
...
Disable kube_proxy_masquerade_all
2017-02-14 14:00:29 +03:00
Antoine Legrand
f4f730bd8a
Merge pull request #1025 from holser/bug/961
...
Install pip on Ubuntu
2017-02-14 10:31:42 +01:00
Matthew Mosesohn
f5e27f1a21
Merge pull request #1021 from holser/remove_deprecated
...
Replace always_run with check_mode
2017-02-14 11:25:58 +03:00
Matthew Mosesohn
bb6415ddc4
Merge pull request #1015 from holser/rkt_ssl_ca_dirs
...
Set ssl_ca_dirs for rkt based on fact
2017-02-14 11:25:17 +03:00
Sergii Golovatiuk
2b6179841b
Install pip on Ubuntu
...
- Refactor 'Check if bootstrap is needed' as ansible loop. This allows
to add new elements easily without refactoring. Add pip to the list.
- Refactor 'Install python 2.x' task to run once if any of rc
codes != 0. Actually, need_bootstrap is array of hashes, so map will
allow to get single array of rc statuses. So if status is not zero it
will be sorted and the last element will be get, converted to bool.
Closes : #961
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-13 19:35:13 +01:00
Antoine Legrand
e877cd2874
Merge pull request #1024 from holser/bug/961
...
Install pip on Ubuntu
2017-02-13 17:53:57 +01:00
Vladimir Rutsky
09847567ae
set "check_mode: no" for read-only "shell" steps that registers result
...
"shell" step doesn't support check mode, which currently leads to failures,
when Ansible is being run in check mode (because Ansible doesn't run command,
assuming that command might have effect, and no "rc" or "output" is registered).
Setting "check_mode: no" allows to run those "shell" commands in check mode
(which is safe, because those shell commands doesn't have side effects).
2017-02-13 18:53:41 +03:00
Sergii Golovatiuk
732ae69d22
Install pip on Ubuntu
...
Closes : #961
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-13 16:27:09 +01:00
Greg Althaus
2b10376339
When resolv.conf changes during host_resolvconf mode, we need to
...
restart the controller to get the new file configuration.
I'm not fond of this form and would like a better way, but this
seems to "work".
2017-02-13 09:20:02 -06:00
Matthew Mosesohn
b5be335db3
Clean up dnsmasq purge task
2017-02-13 17:30:15 +03:00
Sergii Golovatiuk
5f4cc3e1de
Replace always_run with check_mode
...
always_run was deprecated in Ansible 2.2 and will be removed in 2.4
ansible logs contain "[DEPRECATION WARNING]: always_run is deprecated.
Use check_mode = no instead". This patch fix deprecation.
2017-02-13 15:00:56 +01:00
Matthew Mosesohn
ec567bd53c
Update calico to v1.0.2
...
Also calico-cni to v1.5.6, calico-policy to v0.5.2
Fixes : #1011
2017-02-13 15:39:25 +03:00
Sergii Golovatiuk
aeadaa1184
Set ssl_ca_dirs for rkt based on fact
...
Since systemd kubelet.service has {{ ssl_ca_dirs }}, fact should be
gathered before writing kubelet.service.
Closes : #1007
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-13 13:28:29 +01:00
Matthew Mosesohn
2f0f0006e3
Merge pull request #988 from mattymo/feat/rolling3
...
Add CI cases for testing upgrade from v2.0.1 release
2017-02-10 18:09:43 +03:00
Matthew Mosesohn
de047a2b8c
Merge pull request #983 from vwfs/centos_kernel_upgrade
...
Add kernel upgrade for CentOS
2017-02-10 14:40:27 +03:00
Antoine Legrand
86a35652bb
Merge pull request #1009 from mattymo/dnsmasq_updates
...
Enable reset of dnsmasq if manifest or config changes
2017-02-10 11:43:09 +01:00
Matthew Mosesohn
6ae70e03cb
fixup upgrades for canal and weave
2017-02-10 13:27:41 +03:00
Matthew Mosesohn
2c532cb74d
Disable kube_proxy_masquerade_all
...
Fixes #1012
2017-02-10 13:16:39 +03:00
Bogdan Dobrelya
89ae9f1f88
Merge pull request #1002 from code0x9/master
...
use ansible sysctl module for config ip forwarding
2017-02-10 10:40:18 +01:00
Alexander Block
d2e010cbe1
Add kernel upgrade for CentOS
2017-02-10 09:29:12 +01:00
Matthew Mosesohn
a44a0990f5
Enable reset of dnsmasq if manifest or config changes
2017-02-10 10:40:07 +04:00
Matthew Mosesohn
2f88c9eefe
Merge pull request #989 from holser/kubelet_remedy
...
Kubernetes Reliability Improvements
2017-02-10 09:29:29 +03:00
Matthew Mosesohn
60f1936a62
Merge pull request #1004 from galthaus/kubelet-load-modules
...
Allow kubelet to load kernel modules
2017-02-10 09:28:16 +03:00
Sergii Golovatiuk
c07d60bc90
Kubernetes Reliability Improvements
...
- Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a
chance of overcommitment
- Add a possibility to modify Kubelet node-status-update-frequency
- Add a posibility to configure node-monitor-grace-period,
node-monitor-period, pod-eviction-timeout for Kubernetes controller
manager
- Add Kubernetes Relaibility Documentation with recomendations for
various scenarios.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-09 23:54:08 +01:00
Matthew Mosesohn
29fd957352
Enable weave upgrade from previous versions
...
Raise readiness probe initial time to 60 (was 30)
2017-02-09 21:39:31 +03:00
Matthew Mosesohn
0a7c6eb9dc
Merge pull request #998 from mattymo/fix_upgrade_daemonsets
...
Fix upgrade for all daemonset type resources
2017-02-09 20:02:21 +03:00
Greg Althaus
3f0c13af8a
Make kubelet_load_modules always present but false.
...
Update code and docs for that assumption.
2017-02-09 10:25:44 -06:00
Greg Althaus
fcd78eb1f7
Due to the nsenter and other reworks, it appears that
...
kubelet lost the ability to load kernel modules. This
puts that back by adding the lib/modules mount to kubelet.
The new variable kubelet_load_modules can be set to true
to enable this item. It is OFF by default.
2017-02-09 10:02:26 -06:00
Matthew Mosesohn
17dfae6d4e
Merge pull request #999 from holser/decrease_weave_ram_limits
...
Lower weave RAM settings.
2017-02-09 13:19:12 +03:00
Mark Lee
e414c25fd7
follow sysctl.conf file symlink if linked
2017-02-09 18:16:52 +09:00
Mark Lee
34a71554ae
use ansible sysctl module for config ip forwarding
2017-02-09 17:28:44 +09:00
Bogdan Dobrelya
3b1a196c75
Merge pull request #902 from insequent/master
...
Adding vault role
2017-02-09 09:24:52 +01:00
Bogdan Dobrelya
105dbf471e
Merge pull request #993 from code0x9/master
...
enable proxy support on docker repository
2017-02-09 09:21:01 +01:00
Antoine Legrand
68df0d4909
Merge pull request #986 from vwfs/dnsmasq_system_nameservers
...
Also add the system nameservers to upstream servers in dnsmasq
2017-02-08 23:21:54 +01:00
Josh Conant
245e05ce61
Vault security hardening and role isolation
2017-02-08 21:41:36 +00:00
Josh Conant
f4ec2d18e5
Adding the Vault role
2017-02-08 21:31:28 +00:00
Sergii Golovatiuk
4124d84c00
Lower weave RAM settings.
...
- Since Weave 1.8.x was rewritten in Golang we may decrease RAM settings
to continue using g1-small for CI
2017-02-08 18:50:36 +01:00
Matthew Mosesohn
3c713a3f53
Fix upgrade for all daemonset type resources
...
Daemonsets cannot be simply upgraded through a single API call,
regardless of any kubectl documentation. The resource must be
purged and then recreated in order to make any changes.
2017-02-08 18:16:00 +03:00
Alexander Block
89e570493a
Also add the system nameservers to upstream servers in dnsmasq
...
Also make no-resolv unconditional again. Otherwise, we may end up in
a resolver loop. The resolver loop was the cause for the piling up
parallel queries.
2017-02-08 14:38:55 +01:00
Matthew Mosesohn
16674774c7
Merge pull request #994 from mattymo/docker_save
...
Change docker save compress level to 1
2017-02-08 15:13:15 +03:00
Matthew Mosesohn
0180ad7f38
Merge pull request #990 from mattymo/fix_cert_upgrade
...
Fix check for node-NODEID certs existence
2017-02-08 14:44:09 +03:00
Matthew Mosesohn
bfd1ea1da1
Merge pull request #971 from bradbeam/efk
...
Adding EFK logging stack
2017-02-08 14:28:04 +03:00
Mark Lee
3eacd0c871
Update rh_docker.repo.j2
2017-02-08 20:03:51 +09:00
Matthew Mosesohn
d587270293
Merge pull request #992 from vwfs/host_mount_dev
...
Host mount /dev for kubelet
2017-02-08 13:45:22 +03:00
Matthew Mosesohn
3eb13e83cf
Change docker save compress level to 1
...
Faster gzip improves CI deploy times by at least 2 mins.
Fixes #982
2017-02-08 13:25:11 +03:00
Mark Lee
df761713aa
Merge branch 'master' of https://github.com/kubespray/kargo
2017-02-08 19:19:26 +09:00
Mark Lee
de50f37fea
enable proxy support on docker repository
2017-02-08 19:19:08 +09:00
Matthew Mosesohn
bad6076905
Merge pull request #987 from mattymo/etcd-retune
...
Re-tune ETCD performance params
2017-02-08 13:00:25 +03:00
Bogdan Dobrelya
c2bd76a22e
Merge pull request #956 from adidenko/update-netchecker
...
Update playbooks to support new netchecker
2017-02-08 10:09:46 +01:00
Alexander Block
010fe30b53
Host mount /dev for kubelet
2017-02-08 09:55:51 +01:00
Matthew Mosesohn
e5779ab786
Fix check for node-NODEID certs existence
...
Fixes upgrade from pre-individual node cert envs.
2017-02-07 21:06:48 +03:00
Matthew Mosesohn
71e14a13b4
Re-tune ETCD performance params
...
Reduce election timeout to 5000ms (was 10000ms)
Raise heartbeat interval to 250ms (was 100ms)
Remove etcd cpu share (was 300)
Make etcd_cpu_limit and etcd_memory_limit optional.
2017-02-07 20:15:14 +03:00
Matthew Mosesohn
491074aab1
Merge pull request #969 from mattymo/port_reserve
...
Prevent dynamic port allocation in nodePort range
2017-02-07 18:24:57 +03:00
Aleksandr Didenko
54af533b31
Update playbooks to support new netchecker
...
Netchecker is rewritten in Go lang with some new args instead of
env variables. Also netchecker-server no longer requires kubectl
container. Updating playbooks accordingly.
2017-02-07 15:20:34 +01:00
Matthew Mosesohn
f3a0f73588
Prevent dynamic port allocation in nodePort range
...
kube_apiserver_node_port_range should be accessible only
to kube-proxy and not be taken by a dynamic port allocation.
Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920
gets fixed.
2017-02-06 20:01:16 +03:00
Sergii Golovatiuk
5122697f0b
Improve Weave
...
- Remove weave CPU limits from .gitlab-ci.yml. Closes : #975
- Fix weave version in documentation
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-06 13:24:40 +01:00
Antoine Legrand
bd1c764a1a
Merge pull request #963 from rutsky/bastion-ansible-host
...
handle both 'ansible_host' and 'ansible_ssh_host' in bastion configration
2017-02-04 15:42:39 -05:00
Brad Beam
df3e11bdb8
Adding EFK logging stack
2017-02-03 16:27:08 -06:00
Bogdan Dobrelya
5a7a3f6d4a
Merge pull request #949 from vmtyler/master
...
Fixes Support for OpenStack v3 credentials
2017-02-03 12:22:00 +01:00
Vladimir Rutsky
b4327fdc99
handle both 'ansible_host' and 'ansible_ssh_host' in bastion configuration
...
'absible_ssh_host' is deprecated in Ansible 2.0 and at least
'contrib/inventory_builder/inventory.py' uses 'ansible_host' instead.
2017-02-02 18:34:53 +03:00
Matthew Mosesohn
10f924a617
Merge pull request #927 from holser/nsenter_fix
...
Remove nsenter workaround
2017-02-02 18:18:15 +03:00
Matthew Mosesohn
3dd6a01c8b
Merge pull request #901 from galthaus/dns-tweak
...
DHCP Hook protections
2017-02-02 16:47:16 +03:00
Sergii Golovatiuk
585afef945
Remove nsenter workaround
...
- Docker 1.12 and further don't need nsenter hack. This patch removes
it. Also, it bumps the minimal version to 1.12.
Closes #776
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-02 14:38:11 +01:00
Sergii Golovatiuk
f2e4ffcac2
Fix weave-net after upgrade to 1.82
...
- Set recommended CPU settings
- Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
- Limit DS creation to master
- Combined 2 tasks into one with better condition
2017-02-02 10:31:58 +01:00
Matthew Mosesohn
ae66b6e648
Merge pull request #957 from mattymo/weave-net-naming
...
Rename weave-kube to weave-net
2017-02-02 10:18:02 +03:00
Greg Althaus
923057c1a8
This continues the DHCP hook checks. Also protect the create side
...
if the system doesn't have any config files at all.
2017-01-31 09:56:27 -06:00
Matthew Mosesohn
0f6e08d34f
Merge pull request #951 from mattymo/k8s-certs-scale
...
Fix cert distribution at scale
2017-01-31 18:49:26 +03:00
Matthew Mosesohn
4889a3e2e1
Merge pull request #954 from artem-panchenko/improve_dnsmasq
...
Explicitly set config path for DNSMasq
2017-01-31 18:48:46 +03:00
Matthew Mosesohn
39d87a96aa
Rename weave-kube to weave-net
...
Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
2017-01-31 18:47:27 +03:00
Matthew Mosesohn
08822ec684
Fix cert distribution at scale
...
Use stdin instead of bash args to pass node filenames and base64 data.
Use tempfile for master cert data
2017-01-31 16:27:45 +03:00
Matthew Mosesohn
6463a01e04
Merge pull request #880 from bradbeam/weave-kube
...
Weave kube
2017-01-31 13:31:09 +03:00
Artem Panchenko
1418fb394b
Explicitly set config path for DNSMasq
...
When DNSMasq is configured to read its settings
from a folder ('-7' or '--conf-dir' option) it only
checks that the directory exists and doesn't fail if
it's empty. It could lead to a situation when DNSMasq
is running and handles requests, but not properly
configured, so some of queries can't be resolved.
2017-01-31 12:14:57 +02:00
Matthew Mosesohn
e4eda88ca9
Merge pull request #944 from tureus/skip-cloud-config-on-etcd
...
Bugfix: skip cloud_config on etcd
2017-01-30 20:12:36 +03:00
Brad Beam
a11b9d28bd
Upgrading weave to weave-kube
2017-01-27 17:05:25 -06:00
Brad Beam
b54eb609bf
Consolidating kube.py module
2017-01-27 11:28:11 -06:00
Tyler Britten
f8ffa1601d
Fixed for non-null output
2017-01-27 10:47:59 -05:00
Tyler Britten
da01bc1fbb
Updated OpenStack vars to check for tenant_id (v2) and project_id (v3)
2017-01-27 10:26:20 -05:00
neith00
bbc8c09753
Using the command module instead of raw
...
Using the command module instead of raw.
Also fixed the syntax.
2017-01-26 16:28:48 +01:00
Xavier Lange
e5fdc63bdd
Bugfix: skip cloud_config on etcd
2017-01-25 14:09:21 -08:00
Aleksandr Didenko
46c177b982
Switch to ansible_hostname in calico
...
For consistancy with kubernetes services we should use the same
hostname for nodes, which is 'ansible_hostname'.
Also fixing missed 'kube-node' in templates, Calico is installed
on 'k8s-cluster' roles, not only 'kube-node'.
2017-01-25 11:49:58 +01:00
Matthew Mosesohn
f4b7474ade
Merge pull request #926 from adidenko/fix-calico-rr-for-masters
...
Fix calico-rr peering with k8s masters
2017-01-24 12:38:52 +03:00
Alexander Block
9bf792ce0b
Pin docker version on RedHat and CentOS to the desired version
2017-01-23 12:39:54 +01:00
Aleksandr Didenko
f05aaeb329
Fix calico-rr peering with k8s masters
...
Calico-rr is broken for deployments with separate k8s-master and
k8s-node roles. In order to fix it we should peer k8s-cluster
nodes with calico-rr, not just k8s-node. The same for peering
with routers.
Closes #925
2017-01-23 10:19:09 +01:00
Matthew Mosesohn
8ce32eb3e1
Merge pull request #905 from galthaus/async-runs
...
Add tasks to ensure that the first nodes have their directories for cert gen
2017-01-19 18:32:27 +03:00
Matthew Mosesohn
aae0314bda
Merge pull request #904 from galthaus/nginx-port-config
...
Add nginx local balancer port configuration variable
2017-01-19 18:31:57 +03:00
Matthew Mosesohn
35d5248d41
Merge pull request #913 from galthaus/apps-master-only
...
Ansible apps should only check for api-server running on the master.
2017-01-19 18:30:58 +03:00
Matthew Mosesohn
0ccc2555d3
Merge pull request #917 from mattymo/rkt_resolvconf
...
Fix setting resolvconf when using rkt deploy mode
2017-01-19 18:30:21 +03:00
Matthew Mosesohn
b26a711e96
Merge pull request #916 from mattymo/update_ansible
...
Update Ansible to 2.2.1
2017-01-19 18:13:45 +03:00
Matthew Mosesohn
2218a052b2
Merge pull request #921 from mattymo/docker113
...
Add docker 1.13, update 1.12 to 1.12.6
2017-01-19 18:13:21 +03:00
Matthew Mosesohn
33fbcc56d6
Add docker 1.13, update 1.12 to 1.12.6
...
Fixes #903
2017-01-19 13:58:36 +03:00
Sergii Golovatiuk
61d05dea58
Allow to specify number of concurrent DNS queries
...
ndots creates overhead as every pod creates 5 concurrent connections
that are forwarded to sky dns. Under some circumstances dnsmasq may
prevent forwarding traffic with "Maximum number of concurrent DNS
queries reached" in the logs.
This patch allows to configure the number of concurrent forwarded DNS
queries "dns-forward-max" as well as "cache-size" leaving the default
values as they were before.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-19 11:47:37 +01:00
Matthew Mosesohn
8a821060a3
Update Ansible to 2.2.1
2017-01-19 13:46:46 +03:00
Greg Althaus
0d44599a63
Add explicit name printing in task names for deletgated task during
...
cert creation
2017-01-18 14:06:50 -06:00
Matthew Mosesohn
b6c3e61603
Fix setting resolvconf when using rkt deploy mode
...
rkt deploy mode doesn't create {{ bin_dir }}/kubelet, so
let's rely on kubelet.env file instad.
2017-01-18 19:18:47 +03:00
Matthew Mosesohn
5420fa942e
Merge pull request #897 from holser/flush_handlers_before_etcd
...
Flush handlers before etcd restart
2017-01-18 12:27:01 +03:00
Matthew Mosesohn
1ee33d3a8d
Merge pull request #910 from mattymo/escape_curly
...
Fix ansible 2.2.1 handling of registered vars
2017-01-18 11:13:01 +03:00
Greg Althaus
61dab8dc0b
Should only check for api-server running on the master.
...
If this runs on other nodes, it will fail the playbook.
2017-01-17 15:57:34 -06:00
Matthew Mosesohn
b2a27ed089
Fix bash completion installation
2017-01-17 20:36:58 +03:00
Matthew Mosesohn
d8ae50800a
Work around escaping curly braces for docker inspect
2017-01-17 20:35:38 +03:00
Sergii Golovatiuk
43fa72b7b7
Flush handlers before etcd restart
...
systemctl daemon-reload should be run before when task modifies/creates
union for etcd. Otherwise etcd won't be able to start
Closes #892
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-17 15:04:25 +01:00
Matthew Mosesohn
73204c868d
Merge pull request #909 from mattymo/docker-upgrade
...
Always trigger docker restart when docker package changes
2017-01-17 11:37:42 +03:00
Matthew Mosesohn
74b78e75a1
Always trigger docker restart when docker package changes
...
Docker upgrade doesn't auto-restart docker, causing failures
when trying to start another container
2017-01-16 17:52:28 +03:00
Greg Althaus
6905edbeb6
Add a variable that defaults to kube_apiserver_port that defines
...
the which port the local nginx proxy should listen on for HA
local balancer configurations.
2017-01-14 23:38:07 -06:00
Greg Althaus
6c69da1573
This PR adds/or modifies a few tasks to allow for the playbook to
...
be run by limit on each node without regard for order.
The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node. This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.
2017-01-14 23:24:34 -06:00
Greg Althaus
95bf380d07
If the inventory name of the host exceeds 63 characters,
...
the openssl tools will fail to create signing requests because
the CN is too long. This is mainly a problem when FQDNs are used
in the inventory file.
THis will truncate the hostname for the CN field only at the
first dot. This should handle the issue for most cases.
2017-01-13 10:02:23 -06:00
Matthew Mosesohn
80703010bd
Use only one certificate for all apiservers
...
https://github.com/kubernetes/kubernetes/issues/25063
2017-01-13 14:03:20 +03:00
Bogdan Dobrelya
e88c10670e
Merge pull request #891 from galthaus/selinux-order
...
preinstall fails on AWS CentOS7 image
2017-01-13 11:51:18 +01:00
Alexander Block
1054f37765
Don't try to delete kargo specific config from dhclient when file does not exist
...
Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.
2017-01-13 10:56:10 +01:00
Greg Althaus
f77257cf79
When running on CentOS7 image in AWS with selinux on, the order of
...
the tasks fail because selinux prevents ip-forwarding setting.
Moving the tasks around addresses two issues. Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.
2017-01-12 10:12:21 -06:00
Bogdan Dobrelya
f004cc07df
Merge pull request #830 from mattymo/k8sperhost
...
Generate individual certificates for k8s hosts
2017-01-12 12:42:14 +01:00
Alexander Block
a7bf7867d7
Add tasks to undo changes to hosts /etc/resolv.conf and dhclient configs
2017-01-11 16:56:16 +01:00
Matthew Mosesohn
3f274115b0
Generate individual certificates for k8s hosts
2017-01-11 12:58:07 +03:00
Matthew Mosesohn
3b0918981e
Merge pull request #878 from bradbeam/rkt-cni
...
Adding /opt/cni /etc/cni to rkt run kubelet
2017-01-11 12:22:04 +03:00
Bogdan Dobrelya
d8cef34d6c
Merge pull request #872 from mattymo/bug868
...
Bind nginx localhost proxy to localhost
2017-01-10 17:09:25 +01:00
Brad Beam
db8173da28
Adding /opt/cni /etc/cni to rkt run kubelet
2017-01-10 08:48:58 -06:00
Bogdan Dobrelya
bcdfb3cfb0
Merge pull request #793 from kubernetes-incubator/fix_dhclientconf_path
...
Fix wrong path of dhclient on CentOS+Azure
2017-01-10 13:23:55 +01:00
Bogdan Dobrelya
79aeb10431
Merge pull request #858 from bradbeam/calicoctl-canal
...
Misc updates for canal
2017-01-10 12:24:59 +01:00
Matthew Mosesohn
38338e848d
Merge pull request #860 from adidenko/fix-calico-rr-certs
...
Fix etcd cert generation for calico-rr role
2017-01-09 18:34:02 +03:00
Bogdan Dobrelya
10dbd0afbd
Merge pull request #871 from mattymo/fix_system_search_domains
...
Fix docker dns host scenario with no search domains
2017-01-09 15:52:12 +01:00
Matthew Mosesohn
e22f938ae5
Bind nginx localhost proxy to localhost
...
This proxy should only be listening for local connections, not 0.0.0.0.
Fixes #868
2017-01-09 17:19:54 +03:00
Matthew Mosesohn
1dce56e2f8
Fix docker dns host scenario with no search domains
...
Fixes scenario where docker-dns.conf tries to create an empty
search entry
2017-01-09 16:36:44 +03:00
Aleksandr Didenko
d9539e0f27
Fix etcd cert generation for calico-rr role
...
"etcd_node_cert_data" variable is undefinded for "calico-rr" role.
This patch adds "calico-rr" nodes to task where "etcd_node_cert_data"
variable is registered.
2017-01-09 12:06:25 +01:00
Aleksandr Didenko
0909368339
Set latest stable versions for Calico images
...
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.
Also removing images repo and tag duplication from netchecker role
2017-01-09 12:05:49 +01:00
Bogdan Dobrelya
091b634ea1
Merge pull request #799 from kubernetes-incubator/docker_dns
...
Implement "dockerd --dns-xxx" based dns mode
2017-01-09 11:38:02 +01:00
Alexander Block
a8b5b856d1
Only use default resolver in dnsmasq when we are using host_resolvconf mode
2017-01-06 10:21:07 +01:00
Alexander Block
1d2a18b355
Introduce dns_mode and resolvconf_mode and implement docker_dns mode
...
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Spencer Smith
4a59340182
remove assertion for family not being CoreOS
2017-01-05 13:36:25 -05:00
Brad Beam
cf042b2a4c
Create network policy directory for canal
2017-01-05 10:54:27 -06:00
Brad Beam
65c86377fc
Adding calicoctl to canal deployment
2017-01-05 10:54:27 -06:00
Bogdan Dobrelya
5af2c42bde
Better fix for different CoreOS os family facts
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 16:32:08 +01:00
Bogdan Dobrelya
f7447837c5
Rename CoreOS fact
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 14:02:29 +01:00
Bogdan Dobrelya
6546869c42
Merge branch 'master' into rkt
2017-01-05 10:34:18 +01:00
Brad Beam
4b6f29d5e1
Adding kubelet in rkt
2017-01-03 14:49:48 -06:00
Brad Beam
8dc19374cc
Allowing etcd to run via rkt
2017-01-03 10:10:38 -06:00
Brad Beam
a8f2af0503
Adding initial rkt support
2017-01-03 10:08:43 -06:00
Bogdan Dobrelya
d8a2941e9e
Fix cert paths for flannel/calico policy apps
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-03 16:12:54 +01:00
Alexander Block
ab7df10a7d
Upgrade docker version and do some cleanups for unsupported distros/docker versions
2017-01-02 18:05:50 +01:00
Bogdan Dobrelya
93663e987c
Merge pull request #847 from bogdando/bug_769
...
Fix etc hosts for cluster nodes
2017-01-02 17:47:23 +01:00
Bogdan Dobrelya
97f96a6376
Fix etc hosts for cluster nodes
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 13:20:51 +01:00
Bogdan Dobrelya
58062be2a3
Drop non systemd OS types support
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00
Matthew Mosesohn
1f9f885379
Fix etcd cert generation to support large deployments
...
Due to bash max args limits, we should pass all node filenames and
base64-encoded tar data through stdin/stdout instead.
Fixes #832
2016-12-30 12:55:26 +03:00
Bogdan Dobrelya
a56d9de502
Systemd units, limits, and bin path fixes
...
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
systemd limits due to the lack of consensus in the kernel community
requires out-of-tree kernel patches.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Matthew Mosesohn
f0c0390646
Fix creation and sync of etcd certs
...
Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync
2016-12-28 14:21:17 +04:00
Matthew Mosesohn
e7a1949d85
Merge pull request #818 from mattymo/calico-rr-certs
...
Fix calico-rr to use etcd certs instead of kube certs
2016-12-28 08:47:16 +03:00
Matthew Mosesohn
6d9cd2d720
Fix calico-rr to use etcd certs instead of kube certs
2016-12-27 17:04:50 +03:00
Bogdan Dobrelya
79996b557b
Rework ignore_errors to report no reds
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2016-12-27 13:00:50 +01:00
Bogdan Dobrelya
bb0c3537cb
Do not forward bogus domains for upstream resolvers
...
Also fix kube log level 4 to log dnsmasq queries.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-23 11:53:14 +01:00
Matthew Mosesohn
385f7f6e75
Update etcd.j2
2016-12-22 22:29:24 +03:00
Matthew Mosesohn
9f1e3db906
Adjust etcd server certificates
...
ETCD doesn't need cert/key options set. It only requires peer
cert options.
2016-12-22 23:05:17 +04:00
Spencer Smith
b63d900625
Workaround etcdctl not yet being installed ( #797 )
...
workaround case for etcdctl not yet being installed, only allow for return code of 0 (no error)
2016-12-22 12:41:38 -05:00
Matthew Mosesohn
a4bce333a3
Merge pull request #760 from genti-t/issue-748-flannel-options
...
Fix Flannel network on CoreOS
2016-12-22 19:02:31 +03:00
Genti Topija
7c2785e083
Fix Flannel network on CoreOS
...
Resolves : #748
2016-12-22 16:50:04 +01:00
Matthew Mosesohn
ad796d188d
Individual etcd ssl certs
...
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
2016-12-22 13:31:11 +03:00
Bogdan Dobrelya
de8cd5cd7f
Merge pull request #786 from mattymo/bug777
...
Add wait for kube-apiserver to kubernetes-apps
2016-12-22 11:02:50 +01:00
Alexander Block
8e4e3998dd
Fix wrong path of dhclient on CentOS+Azure
...
This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.
2016-12-21 21:51:07 +01:00
Spencer Smith
8d9f207836
create systemd drop-in path if not existent
2016-12-21 13:06:12 -05:00
Bogdan Dobrelya
f10d1327d4
Revert "Do not forward private domains for upstream resolvers"
2016-12-21 15:24:17 +01:00
Matthew Mosesohn
d314174149
Add wait for kube-apiserver to kubernetes-apps
...
Fixes #777
2016-12-21 15:39:39 +03:00
Bogdan Dobrelya
b8bc8eee41
Add download_always_pull check and sha256 for docker images
...
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-20 17:02:09 +01:00
Bogdan Dobrelya
11380769cd
Merge pull request #722 from bogdando/dnsmasq_armors
...
Do not forward private domains for upstream resolvers
2016-12-20 14:25:17 +01:00
Bogdan Dobrelya
843d439898
Merge pull request #775 from kubernetes-incubator/register_master
...
Register master node as unschedulable
2016-12-20 14:17:55 +01:00
Bogdan Dobrelya
c1e4cef75b
Merge pull request #774 from kubernetes-incubator/ant31-patch-2
...
check if calico_peer_rr is defined
2016-12-19 18:19:03 +01:00
Matthew Mosesohn
348fc5b109
Fix etcd to-SSL upgrade and task register vars
2016-12-19 15:05:49 +03:00
Bogdan Dobrelya
101864c050
Do not forward private domains for upstream resolvers
...
Also fix kube log level 4 to log dnsmasq queries.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-19 11:01:41 +01:00
Alexander Block
fe150d4e4d
Register master node as unschedulable
...
Also refactor generation of kubelet args to not repeat args.
2016-12-19 10:47:43 +01:00
Antoine Legrand
048ac264a3
Update main.yml
2016-12-17 20:22:39 +01:00
Antoine Legrand
768fe05eea
Merge pull request #704 from vwfs/bastion_hosts
...
Add support for bastion hosts
2016-12-17 12:08:49 +01:00
Antoine Legrand
1c48a001df
Merge pull request #763 from bogdando/resolver_fallback
...
Fallback to default resolver if no nameservers
2016-12-17 12:03:41 +01:00
Antoine Legrand
a7276901a3
Merge pull request #766 from kubernetes-incubator/docker12point5
...
Update docker to 1.12.5
2016-12-17 11:55:06 +01:00
Bogdan Dobrelya
1782d19e1f
Fallback to default resolver if no nameservers
...
Current design expects users to define at least one
nameserver in the nameservers var to backup host OS DNS config
when the K8s cluster DNS service IP is not available and hosts
still have to resolve external or intranet FQDNs.
Fix undefined nameservers to fallback to the default_resolver.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-16 14:51:34 +01:00
Bogdan Dobrelya
e2476fbd0b
Revert "Fix wrong path for dhclient.conf on RedHat/CentOS"
2016-12-16 14:49:26 +01:00
Matthew Mosesohn
07cd81ef58
Update docker to 1.12.5
...
Note the new ubuntu/debian version string change:
https://github.com/docker/docker/issues/29355
2016-12-16 16:30:46 +03:00
Bogdan Dobrelya
92f542938c
Merge pull request #745 from kubernetes-incubator/fix_weave_start
...
Fix weave restart after docker daemon restart
2016-12-16 14:06:48 +01:00
Matthew Mosesohn
495d0b659a
Fix weave restart after docker daemon restart
2016-12-16 14:15:22 +03:00
Antoine Legrand
a2f8f17270
Merge pull request #757 from kubernetes-incubator/issue754
...
Add dns_domain for each host to /etc/hosts
2016-12-15 21:42:59 +01:00
Bogdan Dobrelya
0e2329b59e
Merge pull request #755 from kubernetes-incubator/fix_dhclientconf_path
...
Fix wrong path for dhclient.conf on RedHat/CentOS
2016-12-15 19:08:31 +01:00
Bogdan Dobrelya
70143d87bf
Merge pull request #746 from kubernetes-incubator/etcd_ssl_upgrade_fix
...
Fix etcd member list when upgrading ETCD from an old version
2016-12-15 12:31:34 +01:00
Matthew Mosesohn
68ad4ff4d9
Add dns_domain for each host to /etc/hosts
...
Fixes #754
2016-12-15 13:34:59 +04:00
Bogdan Dobrelya
725f9ea3bd
Merge pull request #749 from kubernetes-incubator/azure_ip_forward
...
Set net.ipv4.ip_forward=1 on all systems, not only on GCE
2016-12-15 10:19:43 +01:00
Alexander Block
a9684648ab
Fix wrong path for dhclient.conf on RedHat/CentOS
...
/etc/dhclient.conf is ignored on RedHat/CentOS
Correct location is /etc/dhcp/dhclient.conf
2016-12-15 10:11:16 +01:00
Matthew Mosesohn
9cc73bdf08
Fix etcd member list when upgrading ETCD from an old version
2016-12-15 12:00:45 +04:00
Bogdan Dobrelya
114ab5e4e6
Merge pull request #721 from adidenko/calico-add-rr
...
Add calico/routereflector support
2016-12-14 17:22:00 +01:00
Smaine Kahlouch
29874baf8a
Merge pull request #708 from vwfs/cloud_network
...
Add support for cloud-provider based networking
2016-12-14 16:23:20 +01:00
Alexander Block
81317505eb
Set net.ipv4.ip_forward=1 on all systems, not only on GCE
2016-12-14 15:08:13 +01:00
Aleksandr Didenko
d57c27ffcf
Add calico/routereflector support
...
Add BGP route reflectors support in order to optimize BGP topology
for deployments with Calico network plugin.
Also bump version of calico/ctl for some bug fixes.
2016-12-14 13:44:10 +01:00
Alexander Block
d50eb60827
Add --reconcile-cidr flag to kubelet to support cloud network plugin in 1.4
2016-12-13 17:30:10 +01:00
Alexander Block
dbd9aaf1ea
Add check for azure_route_table_name and add it to all.yml
2016-12-13 17:30:10 +01:00
Alexander Block
d20d5e648f
Add pseudo network plugin called "cloud" to use cloud provider for network
...
Allow to let the cloud provider configure proper routing for nodes.
2016-12-13 17:30:10 +01:00
Alexander Block
06584ee3aa
Add support for bastion hosts
2016-12-13 17:29:47 +01:00
Antoine Legrand
26e3142c95
Merge branch 'master' into standalone_kubelet
2016-12-13 17:26:21 +01:00
Alexander Block
665ce82d71
Move kube_version to group_vars/all to allow easier changing of version
...
Also allows to perform version dependent logic in Ansible roles.
2016-12-13 17:21:00 +01:00
Alexander Block
444b1dafdc
Pass --anonymous-auth to apiserver
...
Fixes #732
2016-12-13 17:06:53 +01:00
Bogdan Dobrelya
d6174b22e9
Merge pull request #731 from bogdando/fix_resolvconf
...
Fix resolvconf
2016-12-13 16:48:37 +01:00
Bogdan Dobrelya
c75f394707
Address standalone kubelet config case
...
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Bogdan Dobrelya
0515814e0c
Fix resolvconf
...
Do not repeat options and nameservers in the dhclient hooks.
Do not prepend nameservers for dhclient but supersede and fail back
to the upstream_dns_resolvers then default_resolver. Fixes order of
nameservers placement, which is cluster DNS ip goes always first.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 15:48:53 +01:00
Alexander Block
1cfaf927c9
Fix reverse umount in reset role
...
The Jinja2 filter 'reverse' returned an iterator instead of a list,
resulting in the umount task to fail.
Intead of using the reverse filter, we use 'tac' to reverse the output
of the previous task.
2016-12-13 14:21:24 +01:00
Bogdan Dobrelya
45135ad3e4
Merge pull request #705 from vwfs/centos7-azure
...
Better support for CentOS 7 on Azure
2016-12-13 10:36:58 +01:00
Bogdan Dobrelya
4e721bfd9d
Merge pull request #667 from bogdando/fix_dns
...
Rework DNS stack to meet hostnet pods needs
2016-12-12 21:38:13 +01:00
Bogdan Dobrelya
f52ed9f91e
Update main.yml
2016-12-12 21:37:16 +01:00
Bogdan Dobrelya
3117858dcd
Rework DNS stack to meet hostnet pods needs
...
* For Debian/RedHat OS families (with NetworkManager/dhclient/resolvconf
optionally enabled) prepend /etc/resolv.conf with required nameservers,
options, and supersede domain and search domains via the dhclient/resolvconf
hooks.
* Drop (z)nodnsupdate dhclient hook and re-implement it to complement the
resolvconf -u command, which is distro/cloud provider specific.
Update docs as well.
* Enable network restart to apply and persist changes and simplify handlers
to rely on network restart only. This fixes DNS resolve for hostnet K8s
pods for Red Hat OS family. Skip network restart for canal/calico plugins,
unless https://github.com/projectcalico/felix/issues/1185 fixed.
* Replace linefiles line plus with_items to block mode as it's faster.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-12 17:43:47 +01:00
Alexander Block
5176e5c968
Make growpart only run on Azure
2016-12-12 14:14:22 +01:00
Bogdan Dobrelya
774f4dbbf7
Merge branch 'master' into tags_download
2016-12-12 11:44:00 +01:00
Matthew Mosesohn
b1e852a785
Merge pull request #707 from vwfs/reset_playbook
...
Add playbook and role to reset the cluster
2016-12-12 12:43:00 +03:00
Alexander Block
9fd14cb6ea
Add growpart role to allow growing the root partition on CentOS
...
At least the OS images from Azure do not grow the root FS automatically.
2016-12-12 09:55:28 +01:00
Alexander Block
4e34803b1e
Disable fastestmirror on CentOS
...
It actually slows down things dramatically when used in combination
with Ansible.
2016-12-12 09:54:39 +01:00
Alexander Block
7abcf6e0b9
Remove requiretty from sudoers to actually make pipelining work
...
Some systems (e.g. CentOS on Azure) have requiretty in sudoers which makes
pipelining fail.
2016-12-12 09:54:39 +01:00
Matthew Mosesohn
e5ad0836bc
Merge pull request #713 from kubernetes-incubator/bump_kubedns
...
Bump kubedns version to 1.9
2016-12-10 11:08:42 +03:00
Bogdan Dobrelya
2c50f20429
Merge pull request #696 from bogdando/intranet_dns
...
Preconfigure dns stack early
2016-12-09 21:46:03 +01:00
Bogdan Dobrelya
a15d626771
Preconfigure DNS stack and docker early
...
In order to enable offline/intranet installation cases:
* Move DNS/resolvconf configuration to preinstall role. Remove
skip_dnsmasq_k8s var as not needed anymore.
* Preconfigure DNS stack early, which may be the case when downloading
artifacts from intranet repositories. Do not configure
K8s DNS resolvers for hosts /etc/resolv.conf yet early (as they may be
not existing).
* Reconfigure K8s DNS resolvers for hosts only after kubedns/dnsmasq
was set up and before K8s apps to be created.
* Move docker install task to early stage as well and unbind it from the
etcd role's specific install path. Fix external flannel dependency on
docker role handlers. Also fix the docker restart handlers' steps
ordering to match the expected sequence (the socket then the service).
* Add default resolver fact, which is
the cloud provider specific and remove hardcoded GCE resolver.
* Reduce default ndots for hosts /etc/resolv.conf to 2. Multiple search
domains combined with high ndots values lead to poor performance of
DNS stack and make ansible workers to fail very often with the
"Timeout (12s) waiting for privilege escalation prompt:" error.
* Update docs.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:30:55 +01:00
Bogdan Dobrelya
fd9b26675e
More granular control for download/upload images/binaries
...
Add upload tag allow users to exclude distributing images across nodes
when running with the download tag set.
Add related tags and update docs as well.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:04:55 +01:00
Alexander Block
eb33f085b6
Changes according to code review
2016-12-09 16:33:10 +01:00
Matthew Mosesohn
459bee6d2c
Bump kubedns version to 1.9
...
Version 1.9 has reduced verbosity for federation dns queries
which flood container logs.
2016-12-09 17:57:54 +03:00