Commit graph

4608 commits

Author SHA1 Message Date
Yujun Zhang
aec5080a47 kubernetes/masters: fix task name in kubeadm setup (#5377) 2019-11-27 06:05:20 -08:00
Anton Fayzrahmanov
80418a44d5 CoreDNS deployment extra tolerations (#5364)
* Add extra tolerations for coredns

* dns_extra_tolerations option

* dns_extra_tolerations

* missing starting space in comment
2019-11-27 05:49:21 -08:00
Florian Ruynat
257c20f39e add 1.16.3 checksums and set new version as default (#5384) 2019-11-27 01:29:20 -08:00
Aaron Crickenberger
f1498d4b53 fix OWNERS file (#5359)
Initially this was to fix a mis-indented approvers key. However, it turns
out that 'oilbeater' is not a member of kubernetes-sigs nor
kubernetes-incubator (the org this repo was migrated from). Thus this
OWNERS file is failing prow's validation check.

As a workaround I've opted to move them to emeritus_approver, which
isn't valiated and can be used as a hint for other approvers in this
repo
2019-11-25 17:59:11 -08:00
Etienne Champetier
18d19d9ed4 containerd: update to 1.2.10 (#5341)
Lot's of bugs and security fixes:
https://github.com/containerd/containerd/releases/tag/v1.2.10
CVE-2019-16884 / CVE-2019-16276
https://github.com/containerd/containerd/releases/tag/v1.2.9
CVE-2019-9512 / CVE-2019-9514 / CVE-2019-9515
https://github.com/containerd/containerd/releases/tag/v1.2.8
CVE-2019-9512 / CVE-2019-9514
https://github.com/containerd/containerd/releases/tag/v1.2.7

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2019-11-22 00:09:29 -08:00
Michael Shen
6924c6e5a3 [FIX] fix match because trim removes leading/trailing whitespace (#5356) 2019-11-19 22:35:18 -08:00
Matthew Mosesohn
85c851f519 scale down coredns on each master during graceful upgrade (#5344)
This fixes the scenario where masters are upgraded one at a time
and coredns gets improperly scaled back up to 2 replicas.

Change-Id: I7cc9283f40efcfd61b5813c89a5805c95d901567
2019-11-18 00:13:41 -08:00
Matthew Mosesohn
8b67159239 Do not run kubeadm upgrade on first deploy (#5339)
Change-Id: I68a962a9dd28c83ef07eaeaf53eb98287f38bca9
2019-11-14 02:05:34 -08:00
LuciferInLove
4f70da2731 Added Amazon Linux 2 support for deploying with docker (#5301) 2019-11-11 07:05:41 -08:00
Matthew Mosesohn
db5040e6ea Set certs and files with kubeadm token to mode 0640 (#5325)
Change-Id: I298496e55a6889c158b2085fcadeda5e679a873e
2019-11-11 05:41:41 -08:00
Jacopo Secchiero
97764921ed Fix calico name resolution (#5291) 2019-11-11 04:01:41 -08:00
Bjoern Teipel
8c15db53b2 Fix helm for Kubernetes 1.16.2 (#5332)
Since upgrading k8s beyond 1.16.0 version, helm init does
no longer work with helm < 2.16.0 due to
https://github.com/helm/helm/issues/6374

This PR closes issue #5331
2019-11-11 03:53:41 -08:00
Julien Pervillé
0200138a5d Pass ingress_nginx_extra_args when deploying the nginx-ingress addon (#5321) 2019-11-11 03:51:40 -08:00
Florent Monbillard
14af98ebdc Respect cri-tool supported version matrix (#5241)
| Kubernetes Version | cri-tools Version |
|--------------------|-------------------|
| 1.16.x             | v1.16.0           |
| 1.15.X             | v1.15.0           |
| 1.14.X             | v1.14.0           |
| 1.13.X             | v1.13.0           |
| 1.12.X             | v1.12.0           |
| 1.11.X             | v1.11.1           |

- Upgrade to cri-tools 1.16.1
- Add checksums for cri-tools 1.16.1
2019-11-11 03:45:42 -08:00
YichenWong
8a5434419b fix useradd etcd (#5281) 2019-11-11 03:27:41 -08:00
Quentin Gliech
8a406be48a Fix indentation in cilium-ds.yml template (#5305) 2019-11-11 03:25:41 -08:00
Junho Suh
076f254a67 Add cilium_tunnel_mode variable to the cilium config (#5295) 2019-11-11 03:19:42 -08:00
Dmitry Chusovitin
45d151a69d containerd installation on Debian (#5326) 2019-11-11 02:41:41 -08:00
Matthew Mosesohn
bd014c409b Skip coredns image when evaluating kubeadm images (#5327)
It will be enabled correctly in downloads

Change-Id: Ief0b7aa2a8ee2ba6a6849820802f8542584b2c04
Related-story: PRODX-1171
2019-11-09 00:51:39 -08:00
Matthew Mosesohn
1c25ed669c Remove unnecessary and risky reload network for resolvconf propagation (#5322)
Change-Id: I54d706f7941b4b86c4c6cd45340295577155b884
2019-11-06 10:11:52 -08:00
Matthew Mosesohn
a005d19f6f Enable systemd-resolved DNS resolution mode (#5318)
Change-Id: If3e253a40782e03cde7fc4a91493517ae31fda17
2019-11-06 03:33:52 -08:00
Matthew Mosesohn
471589f1f4 Scale down coredns created by kubeadm upgrade to 0 replicas (#5308)
Change-Id: I128b0f9c1acbb956d9a6c4e5510b45a36e296af7
2019-11-05 03:34:38 -08:00
Ali Sanhaji
b0ee1f6cc6 Deploy Cinder CSI driver to provision volumes over OpenStack (#5184)
* Deploy Cinder CSI driver to provision volumes over OpenStack

* Deploy Cinder CSI StorageClass

* Cinder CSI doc
2019-11-01 00:59:24 -07:00
Matthew Mosesohn
186ec13579 Fix incorrect suggestion to enable old k8s apis (#5292)
Change-Id: If965cc6aa0daaca232dcf2ca0efd649aa097497f
2019-10-30 01:58:53 -07:00
Matthew Mosesohn
2c4e6b65d7 Raise delay and retry for rotate tokens (#5304)
Change-Id: I87844b43b9a18064e7a99567ce57c1ca1ffcc4a8
2019-10-30 01:56:52 -07:00
Matthew Mosesohn
94d4ce5a6f Retry cleaning up calico-node container (#5302)
Change-Id: Iad27b107860213759c7ae51f0891d7e5e7c6d96b
2019-10-28 05:11:25 -07:00
Matthew Mosesohn
81da231b1e Set cluster DNS in kubeadm config for kubelet dynamic config (#5293)
Change-Id: I23116efefe8626d361d1904fc6fb8448f66cf3c5
2019-10-25 02:23:40 -07:00
Matthew Mosesohn
a1fff30bd9 Generate TLS certs for calico typha (#5258)
* Generate TLS certs for calico typha

Change-Id: I3883f49c124c52d0fc5b900ca2b44e4e2ed0d707

* Add group vars note

Change-Id: I63550dfef616e884efdbd42010a90b2c04c5eb69
2019-10-17 07:02:38 -07:00
Sergey
81d57fe658 set calico_datastore default value in role kubespray-default (#5259) 2019-10-17 05:58:38 -07:00
Sergey
3118437e10 check on all cluster node - kubelet_max_pods <= (2 ** (32 - kube_network_node_prefix | int)) - 2 (#5279) 2019-10-17 05:48:38 -07:00
Sergey
65e461a7c0 download container always been on download_delegate host (#5177)
* download container always been on download_delegate host

* fix also check pull required
2019-10-17 05:38:38 -07:00
Michael Oglesby
c672681ce5 Revert Pull Request #5084 (#5120)
Kubespray Pull Request #5084 (https://github.com/kubernetes-sigs/kubespray/pull/5084) caused more problems than it solved due to limitations with the synchronize module. See comments on Kubespray Issues #5059 (https://github.com/kubernetes-sigs/kubespray/issues/5059) and #5116 (https://github.com/kubernetes-sigs/kubespray/issues/5116). Details from Ansible documentation: "Currently, synchronize is limited to elevating permissions via passwordless sudo. This is because rsync itself is connecting to the remote machine and rsync doesn’t give us a way to pass sudo credentials in. ... Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types. Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection. ..." Thus, reverting Pull Request #5084.
2019-10-17 05:26:37 -07:00
yelhouti
d332a254ee install python3 instead of python2 for fedora >= 30 fixes 5056, fixes 4802 (#5111) 2019-10-17 05:04:38 -07:00
Matthew Rapa
3debb8aab5 add KUBELET_VOLUME_PLUGIN to kubelet.env (#5128) 2019-10-16 20:08:38 -07:00
YichenWong
aada6e7e40 Add etcd_data_dir variable to the kubeadm config (#5263) 2019-10-16 19:50:39 -07:00
Matthew Mosesohn
ac60786c6f Add support for restart handlers for control plane on crio/containerd (#5250)
* Add support for restart handlers for control plane on crio/containerd

Change-Id: I8343cc4e9df7f55b732628ed01cc6e7ea5dcee85

* Update main.yml
2019-10-16 18:58:39 -07:00
Hugo Blom
db33dc6938 Add support for Kubernetes 1.16.2 (#5272)
* Add support for Kubernetes 1.16.1

* Defaults to 1.16.1

* add 1.16.2 checksums and set new version as default

* correct 1.16.2 checksums and add 1.15.5 checksums
2019-10-16 18:34:38 -07:00
Hugo Blom
9dfb25cafd fix typo (#5275) 2019-10-16 18:26:38 -07:00
Maxime Guyot
df8d2285b6 Update ingress-nginx to v0.26.1 (#5268) 2019-10-16 18:22:39 -07:00
Matthew Mosesohn
af6456d1ea Fix selector for calico-typha deployment (#5253)
Change-Id: I79f43379cbe1c495cb416f0572e65f695d5ec2b8
2019-10-16 07:53:42 -07:00
Maxime Guyot
6f57f7dd2f Update nginx image to latest (#5270) 2019-10-16 04:37:42 -07:00
Xiaodu
bec23c8a41 Add k8s v1.15.4 hashes (#5235) 2019-10-16 04:33:41 -07:00
Robin Elfrink
faaff8bd72 Add RotateCertificates to kubelet config if kubelet_rotate_certificates is set. (#5152)
Signed-off-by: Robin Elfrink <robin.elfrink@eu.equinix.com>
2019-10-16 04:31:41 -07:00
andreyshestakov
8031c6c1e7 Update template for dashboard to support v2.x (#5187)
Secrets and ConfigMap should be created before dashboard pod run.
2019-10-16 04:29:41 -07:00
Erwan Miran
9d8fc8caad Fix getting nameserver and search for /etc/resolv.conf with comments (#5197) 2019-10-16 04:27:40 -07:00
Qingkun Li
a51b729817 add ignore_errors to the kube-proxy deletion task (#5236)
When using cluster.yml or scale.yml to add/scale nodes in the existing
k8s cluster, the `kubeadm init` wouldn't run. As a result, kube-proxy
wouldn't be created, and therefore the kube-proxy deletion task would
fail, e.g. in the case where kube-router is used and "kube_proxy_remove"
is set to true. As a workaround, add ignore_errors to the kube-proxy
deletion task.
2019-10-16 04:23:40 -07:00
Maxime Guyot
19bc79b1a6 Update cert-manager to v0.11.0 (#5269) 2019-10-16 04:21:40 -07:00
Sergey
932935ecc7 fix wrong path in include install_host.yml in etcd role (#5256) 2019-10-13 18:16:34 -07:00
BenoitBOULANGER
e01118d36d Fix issue in remove-node/post-remove task (#5185) (#5186) 2019-10-10 05:17:43 -07:00
Matthew Mosesohn
dea9304968 Enable openstack_cacert to be either file or base64 string (#5243) 2019-10-09 02:19:49 -07:00
Matthew Mosesohn
2864e13ff9 Reset between kubeadm secondary control plane join attempts (#5240)
Change-Id: Ic9425bf90552d7e3d42b02409af9773d99376384
2019-10-08 00:15:12 -07:00
Erwan Miran
0ba336b04e install helm client separately (#5212) 2019-10-04 05:14:02 -07:00
Matthew Mosesohn
89f1223f64 Fix selector workaround for helm install (#5237)
Change-Id: I826337b59814674c3feb4cd6a4904d9d53e01652
2019-10-03 23:41:56 -07:00
陈谭军
8bc0710073 clean up document (#5214) 2019-10-02 04:41:07 -07:00
Matthew Mosesohn
fb591bf232 Apply workaround for NetworkManager and calico (#5230)
Change-Id: I5cb2bdf1a57707c1b8da3e5ac0c80e5c353480a4
2019-10-02 04:37:07 -07:00
Matthew Mosesohn
a43e0d3f95 Switch to Kubernetes v1.16.0 (#5189)
* Switch to Kubernetes v1.16.0

Change-Id: I5d6a9528b2d443750fc5e031aff15ad3ffead158

* Fix download localhost cached file path

Change-Id: I65e79b70e3d1b37265ebc60f41b460cf4b0a0d47

* fix kubeadm etcd for v1.16

Change-Id: I6888a00fd48b530a38b0b31c4095492476af42d2

* disable tf packet jobs

Change-Id: I075c4666547fdea4c50ec04864f38e2cfaa79154

* Disable contiv packet jobs. Fix kube-router

Change-Id: I3170e8789e60711d4cee8faf65f2094480b79b8d

* bump sonobuoy version

Change-Id: Ib946905629c7c53ed88f08fb2f41c454457a0097
2019-10-02 02:21:07 -07:00
陈谭军
99dbc6d780 clean-up doc,spelling mistakes (#5206) 2019-09-26 04:25:08 -07:00
Richard Scott
75e4cc2fd9 Updated kubectl.sh (#5156)
The script is not usable unless you are in the '.vagrant/provisioners/ansible/inventory/artifacts' folder.
This update makes this usable from anywhere.
2019-09-26 04:23:07 -07:00
Etienne Champetier
81cb302399 MetalLB: fail if kube_proxy_strict_arp is false (#5180)
When using IPVS, kube_proxy_strict_arp = true is required
https://github.com/danderson/metallb/issues/153#issuecomment-518651132

Add kube_proxy_strict_arp to inventory/sample
2019-09-26 04:21:06 -07:00
陈谭军
3bcdf46937 fix-up some spelling mistakes (#5202) 2019-09-25 23:27:08 -07:00
Sergey
1cf6a99df4 generate kubeadm download image list with options useHyperKubeImage (#5203) 2019-09-25 18:03:06 -07:00
Erwan Miran
f18e77f1db Blocksize for calico default pool should be configurable (#5198) 2019-09-25 04:44:00 -07:00
陈谭军
2fc02ed456 fix-typo (#5199) 2019-09-25 04:04:00 -07:00
pando85
9db61c45ed Upgrade nodelocaldns to 1.15.5 (#5191) 2019-09-22 20:13:22 -07:00
Sergey
8cb54cd74d fix broken scale procedure: (#5193)
- do not run etcd role when etcd_kubeadm_enabled == true
- remove default value 'systemd' for cgroup driver in containerd role.
  this value override autodetect in kubelet_cgroup_driver_detected from docker info
2019-09-22 01:07:22 -07:00
Florent Monbillard
a3f1ce25f8 Add support for k8s v1.14.6 (#5182) 2019-09-18 02:53:30 -07:00
Qingkun Li
3c7f682e90 Parameterize gcr, quay, and docker image repo defines (#5146)
This allows to easily override the gcr, quay, and docker repos with the
mirror repos in countries like China, where the default accesses are
blocked or unstable.
2019-09-18 02:49:30 -07:00
Sergey
8984096f35 use hyperkubeimage to run controlplane containers (#5178) 2019-09-17 18:33:28 -07:00
Mario
1ce7831f6d Update main.yml (#5166) 2019-09-17 05:36:24 -07:00
Matthew Mosesohn
6fe2248314 Use more native way to update kubeconfigs using kubeadm (#5165)
Change-Id: I1076b418f85a26d9896be69910052128afc51cee
2019-09-13 03:40:29 -07:00
andreyshestakov
cb4f797d32 Fix macro on local_volume_provisioner (#5168)
mydict.keys() should be converted to list,
otherwise it causes errors in loop iteration.

Remove extra space after class name, which broke configmap.

Also allow set reclaimPolicy property.
2019-09-13 00:50:33 -07:00
Matthew Mosesohn
eb40ac163f Move cri_socket var to kubespray-defaults (#5149) 2019-09-10 12:30:55 -07:00
Matthew Mosesohn
27ec548b88 Add support for k8s v1.16.0-beta.2 (#5148)
Cleaned up deprecated APIs:
apps/v1beta1
apps/v1beta2
extensions/v1beta1 for ds,deploy,rs

Add workaround for deploying helm using incompatible
deployment manifest.
Change-Id: I78b36741348f47a999df3841ee63cf4e6f377830
2019-09-10 12:06:54 -07:00
Florent Monbillard
637f09f140 Fix ansible task titles (#5154)
* Fix ansible task titles for CRI connection tasks

* Fix Azure subscription ID check task title
2019-09-10 01:34:54 -07:00
Matthew Mosesohn
9b0f57a0a6 Adjust endpoints for kube-proxy,controller,scheduler to proper ip (#5150)
Change-Id: I5aa009358bee7035922b5a10327997e47c9ba434
2019-09-09 10:33:20 -07:00
Matthew Mosesohn
7f74906d33 Make haproxy/nginx client timeout configurable (#5140)
Change-Id: I61319a06eb33d9fc868e19941924f387088b856b
2019-09-05 00:32:51 -07:00
Richard Arends
4d95bb1421 Use python3-libselinux on RHEL8/Centos8 (#5127)
* Use python3-libselinux on RHEL8/Centos8

* The fact ansible_facts.distribution_major_version is not present on older Ansible version.
Default it to 0 in when not present and use libselinux-python as package to get current
default behaviour.
2019-08-28 02:33:15 -07:00
Matthew Mosesohn
184ac6a4e6 Parse calico nodes as json (#5114) 2019-08-27 10:16:42 -07:00
rptaylor
10e0fe86fb remove unimplemented custom_flags vars, document the extra_args vars (issue 4352) (#5108) 2019-08-23 01:21:18 -07:00
Matthew Mosesohn
7e1645845f Allow calico settings to be modified (#5101)
Previous logic used calicoctl.sh create --skip-exists, which
allowed setting initial values, but not permitting changes.
2019-08-23 00:01:19 -07:00
Neven Miculinic
f255ce3f02 Added CRI-O support for ubuntu (#4629)
* Added CRI-O support for ubuntu

* implemented feedback

* set crictl to fixed version

* Fix errors during rebasing

* Fix linting errors
2019-08-22 03:54:31 -07:00
Michael Oglesby
07ecef86e3 Replace fetch with synchronize due to memory error (#5084)
Fix for Kubespray Issue #5059 (https://github.com/kubernetes-sigs/kubespray/issues/5059). There is a known issue with the 'fetch' module that will sometimes lead to it failing with a memory error. See ansible/ansible#11702 (https://github.com/ansible/ansible/issues/11702). I encountered this issue with the "Copy kubectl binary to ansible host" task in kubespray/roles/kubernetes/client/tasks/main.yml, and it caused my entire deployment to error out (see "Output of ansible run" above). Replacing 'fetch' with 'synchronize' fixes this issue.
2019-08-22 02:40:32 -07:00
ewtang
3bc4b4c174 Use raw module for bootstrap-debian.yml (#5061)
Updated Openstack to terraform 0.12 (#5062)

* update openstack to terraform 0.12(.5)

* replace cluter.tf with cluster.tfvars

* update README.md to terraform 0.12

* update Openstack CI tests to use terraform 0.12

* specify terraform version in openstack README

* gitlab CI to copy cluster.tfvars in case of openstack provider

* The terraform/openstack dynamic inventory can read
tfstate v4 (generated by terraform 0.12) and convert them internally
ro v3 (as generated by terraform 0.11.x).

Additionally the script has been updated to Python 3.
2019-08-22 01:46:31 -07:00
Victor Morales
da089b5fca Update CRI-O in CentOS (#4582)
According to their compatibility matrix[1] the 1.11.5 version seems to
be deprecated. This change updates the CentOS repository reference.

[1] https://github.com/cri-o/cri-o#compatibility-matrix-cri-o---kubernetes-clusters
2019-08-22 01:16:32 -07:00
Sergey
494a6512b8 fix bug: run Copy image to ansible host cache on download_delegate host (#5094)
* run 'task download_container | Copy image to ansible host cache' with synchronize on download_delegate host

* try to run task copy file to ansible host on all inventory, not only on first random host
2019-08-21 23:38:30 -07:00
Tony Fouchard
f6a63d88a7 Allow to configure strict ARP on kube-proxy (#5092) 2019-08-20 18:21:17 -07:00
Andreas Krüger
86cc703c75 Upgrade to Kubernetes 1.15.3 (#5091) 2019-08-20 02:05:32 -07:00
Hugo Blom
4dba34bd02 add cinder max attached volumes (#5089) 2019-08-19 23:45:32 -07:00
Xiaodu
b0437516c1 Kube-router annotate.yml: Use group 'k8s-cluster' instead of 'all' (#5087) (#5088) 2019-08-19 04:53:29 -07:00
Ali Sanhaji
a1ff1de975 fix openstack_cacert conditional (#5078) 2019-08-15 05:50:34 -07:00
Zou Nengren
1bfbc5bbc4 remove resource-container default value for kube-proxy (#4994) 2019-08-15 05:30:33 -07:00
Bort Verwilst
c5b4d3ceaa upgrade Helm to 2.14.3 (#5075)
Signed-off-by: Bart Verwilst <bart@verwilst.be>
2019-08-15 04:34:33 -07:00
w33dw0r7d
8fc9c5d025 Upgrade ingress nginx to 0.25.1 (#5081) 2019-08-15 04:14:34 -07:00
刘旭
53bc80bb59 Ingress nginx (#5066)
* remove svc-default-backend

* update ingress-nginx clusterrole
2019-08-15 02:34:33 -07:00
Matthew Mosesohn
771ce96e6d Set initial kubeadm token if specified in kubeadm init (#5057)
Change-Id: I7fd94ec6d195af60d237b3cfe91668ca1f707d26
2019-08-15 02:26:33 -07:00
Oilbeater
fc456ff0cd move kube-ovn images to dockerhub (#5063) 2019-08-14 04:02:24 -07:00
Sergey Kolekonov
b4f70db878 Fix broken containerd pinning on Ubuntu (#5072) 2019-08-13 19:26:23 -07:00
Matthew Mosesohn
0a2f4edfc6 Always download coredns images with kubeadm (#5071)
Fixes situation when using manual mode because it
tries to download coredns v1.3.1 from the same
image repository where kubernetes images are
downloaded from.

Change-Id: Ibbec8a72c8162ce8befa74e2013a268737ea5f8a
2019-08-13 08:53:43 -07:00
Danilo Riecken P. de Morais
56fa46716e Add missing coredns tag. (#5054) 2019-08-09 02:29:27 -07:00
Simon Lelievre
62aecd1e4a multus | fix use last version (#5041) 2019-08-08 23:05:25 -07:00
Mario
973afef96e Fix variable for rbd_provisioner_user_secret (#5042)
* Update main.yml

* fix dead link 404
2019-08-08 20:03:25 -07:00
Bort Verwilst
a235605d2c go to k8s 1.15.2, update nodelocaldns to latest bugfix release (#5048) 2019-08-08 19:49:25 -07:00
Matthew Mosesohn
023108a733 Refactor calico route reflector to run in k8s cluster (#4975)
* Refactor calico-rr to run in k8s cluster with taint

Change-Id: I75a3169ff5b36ce8302fc7ef1c32d3eb697b5afa

* add preinstall checks

* rework calico/rr role

Change-Id: I2f0a7e6cb77cf91ad4a615923680760d2e5d9ca8

* add empty calico-rr group

Change-Id: I006c0a60db9b72d02245bf8fdfabcf982144a5ad
2019-08-08 07:37:22 -07:00
Matthew Mosesohn
75d1be8272 Fix check for removing etcd member (#5051)
Change-Id: Ib27d051ff111f813097a9b33a86465a2a30a6db0
2019-08-07 08:26:51 -07:00
Matthew Mosesohn
a44235d11b Refactor remove node to allow removing dead nodes and etcd members (#5009)
Change-Id: I1c59249f08f16d0f6fd60df6ab61f17a0a7df189
2019-08-07 04:46:50 -07:00
Matthew Mosesohn
7abf6a6958 Allow etcd member join by checking cluster health only on first etcd (#5032)
Change-Id: I9cc01cef3a437893225e2d9f58495826bbce7be9
2019-08-07 04:44:50 -07:00
Maxim Snezhkov
b710c72f04 Add ability to setup virtual ip for ingress-controller (#5044) 2019-08-06 19:24:50 -07:00
Holger Frydrych
bc6de32faf Upgrade Cilium network plugin to v1.5.5. (#5014)
* Needs an additional cilium-operator deployment.
  * Added option to enable hostPort mappings.
2019-08-06 01:37:55 -07:00
Matthew Mosesohn
7cf8ad4dc7 Optionally refresh kubeadm token every time (#5043)
Change-Id: I278cb14aa93abf20160cc001f69e2f472504e6d8
2019-08-06 00:59:53 -07:00
Remous-Aris Koutsiamanis
02ec72fa40 Fix commands for using experimental kubeadm control plane (#5006) 2019-08-05 07:31:50 -07:00
Johannes Scheuermann
d22634a597 Refactor containerd ubuntu setup and remove redundant tasks (#5015) 2019-08-05 07:29:48 -07:00
Mark Janssen
f3df0d5f4a Always create bash_completion.d folder (#5039) 2019-08-04 18:15:48 -07:00
w33dw0r7d
92bfcf0467 Add CoreDNS endpoint_pod_names option (#5012) 2019-07-31 11:26:15 -07:00
koriukiv
54b1fe83f3 Add an option to reserve resources for OS system daemons (#5007) 2019-07-31 11:24:15 -07:00
Oilbeater
1be788f785 add Kube-OVN cni to kubespray (#5020) 2019-07-30 20:10:20 -07:00
rptaylor
8afbf339f7 fix broken link (#5023) 2019-07-30 19:18:22 -07:00
Andreas Krüger
8c935dfb50 Update CoreDNS to 1.6.0 (#5021) 2019-07-30 18:58:21 -07:00
Johannes Scheuermann
66c5ed8406 Update critools to v1.15.0 (#5016) 2019-07-30 12:04:09 -07:00
Erwan Miran
4087e97505 Additional files and dirs to remove when running reset (#5000) 2019-07-30 12:02:08 -07:00
Jeff Bornemann
da50ed0936 move flexvolume plugin directory creation to preinstall (#4999)
* move flexvolume plugin directory creation to preinstall

* changes per pr feedback
2019-07-30 12:00:10 -07:00
okamototk
fbbfff3795 fix broken ubuntu containerd engine (#5002) 2019-07-30 11:58:11 -07:00
Aleksey Kasatkin
fb9103acd3 Update calico-typha deployment to address v3.7.x changes (#5003)
* Update calico-typha deployment to address v3.7.x changes

So that calico-typha works for Calico v3.7.x.

* Apply changes for v3.7.x only.
2019-07-24 09:12:16 -07:00
nico-netminded
49d921cf91 Restart canal after scale or upgrade. Just like PR#4531, but for canal (#4992) 2019-07-22 00:50:53 -07:00
刘旭
fe29c97ae8 add ansible_hostname and ansible_fqdn to apiserver_sans (#4990) 2019-07-22 00:48:53 -07:00
Hugo Blom
2abb6c8689 update to kubernetes 1.15.1 (#4989)
* update to kubernetes 1.15.1

* Revert to sonobuoy 0.15.0

* update test timeout from 3 to 5 minutes
2019-07-21 12:24:51 -07:00
Andreas Krüger
a3ca441998 Remove unused handlers from Flannel CNI (#4984)
* Only reload docker when is_atomic for Flannel

* Remove unused handlers from Flannel CNI
2019-07-21 00:16:54 -07:00
rptaylor
9cf503acb1 configure docker_options directly with template (#4912) 2019-07-21 00:12:53 -07:00
Matthew Mosesohn
1cbdd7ed5c Fixup etcdctl download for etcd kubeadm mode (#4991)
Change-Id: I8d8e59a97823390f40e8810905ca52430329f040
2019-07-21 00:08:53 -07:00
Sergey Kolekonov
428e52e0d1 Fix calico handler for containerd (#4985)
crictl tool must be used to delete containers in case of containerd
deployment
2019-07-16 08:35:24 -07:00
Matthew Mosesohn
70dc222719 Upgrade local volume provisioner to v2.3.2 (#4983) 2019-07-16 05:27:26 -07:00
Tilman Beitter
69f796f0c7 use the locally deployed kubectl binary within the kubectl.sh helper script (#4311) 2019-07-16 02:23:25 -07:00
Vincent Link
5826f0810c Check all apt config files for configured proxies (#4972) 2019-07-16 01:41:24 -07:00
刘旭
de9443a694 remove unused code (#4981) 2019-07-16 01:39:24 -07:00
Alex Barcelo
99c5f7e013 add k8s_external plugin to CoreDNS configuration (#4704) 2019-07-16 00:53:23 -07:00
Matthew Mosesohn
23ae6027ab remove support for calico v2.x (#4974)
* Remove support for calico below version v3.0.0

Change-Id: If8fe3036b9e054901a8b2c48516eff1e1271970f

* Update main.yml

* fixup node peering

Change-Id: Ifac4d363deba826f0c80e390ce80a28df9827323

* fixups

Change-Id: Ic35417330af6741962003b3930604393c90804d1

* fixups

Change-Id: I0ea82d634bb0c81d9b7dc50569c70988bc8d3a3b
2019-07-15 07:47:09 -07:00
Waret
781b5691c9 prep_kubeadm_images: parse repo and tag (#4976) (#4977) 2019-07-15 03:15:09 -07:00
Matthew Mosesohn
fd9bbcb157 Enable nodes to run calicoctl for calico kdd mode (#4956)
* Enable nodes to run calicoctl

per-node tasks require waiting for calico-node to be applied

Change-Id: Ibe1076b7334a2da0332f2dd766fde0c3f172d1f2

* cleanup tasks that should run on master

Change-Id: I43a837879ef41596f14657ecd7f813899b6865ae

* Switch run_once calico logic to just run on first master

Change-Id: I6893711e354f63c5e1eaf6ac2e23d9a6347a555d
2019-07-15 01:59:06 -07:00
Andreas Krüger
161a8f55fa Update CoreDNS to 1.5.2 (#4970) 2019-07-15 00:59:06 -07:00
Andreas Krüger
7481cc31e1 Update Weave CNI to 2.5.2 (#4969) 2019-07-15 00:57:06 -07:00
Matthew Mosesohn
b15b6e834f fix parsing refresh of kubeadm cert key (#4971)
* fix parsing refresh of kubeadm cert key

Change-Id: I4de2a1df6498790a80351b4bc7d88e6c9e470358

* Update kubeadm-secondary-experimental.yml
2019-07-15 00:45:06 -07:00
Hugo Blom
76640cf1a1 update docker-ce to 18.09.7 (#4973) 2019-07-14 22:59:04 -07:00
Sergey Kolekonov
46bef931e9 Fix images info logic for containerd (#4965)
As crictl tool is used to download images, it must be also used to gather
images info
2019-07-12 03:29:07 -07:00
Stanislav Makar
a36e9ae690 Add checksums for k8s 1.14.4 (#4959) 2019-07-11 23:19:05 -07:00
Jeff Bornemann
728155a2a1 Support for Oracle Linux (#3655)
Fixed Issue #1032

test case for OEL7 AIL with kubeadm

Add packet CI stuff for oracle 7
2019-07-11 23:17:05 -07:00
Matthew Mosesohn
cdf9a9f4fc Generate certificate key before kubeadm control plane config (#4964) 2019-07-11 05:30:54 -07:00
Matthew Mosesohn
29307740dd Enable containerd to deploy vanilla containerd package (#4951)
* Enable containerd to deploy vanilla containerd package

Fixes kubeadm references to CRI socket for containerd
Fixes download role cache feature to work with containerd

Change-Id: I2ab8f0031107e2f0d1a85c39b4beb66f08509a01

* use containerd for flannel-addons job

Change-Id: Ied375c7d65e64a625ffbd995ff16f2374067dee6

* add containerd vars

Change-Id: Ib9a8a04e501c481a86235413cbec63f3672baf91

* fixup vars

Change-Id: Ibea64e4b18405a578b52a13da100384582aa24c2

* more fixes

* fix rh repo

Change-Id: I00575a77cfb7b81d6095db5d918a52023c8f13ba

* Adjust helm host install for containerd
2019-07-10 23:46:54 -07:00
jlacoline
20c7e31ea3 Add calico 3.7.3 support (#4953)
* Add calico 3.7.3 support

* add calico_datastore variable to policy controller role

* add missing clusterrole rules for calico policy controller

* disable calico kube controller when kdd mode is used for versions < 3.6
2019-07-09 12:42:28 -07:00
Matthew Mosesohn
65065e7fdf Default kubeadm_images to empty dict instead of set_fact (#4957)
Change-Id: I9ef52232176fe8e2a99b4f09ae05e1451f7ad1ff
2019-07-09 12:07:30 -07:00
Matthew Mosesohn
352297cf8d
Fixup deploy of kubeadm etcd for Kubernetes v1.15.0 (#4952)
* Fixup deploy of kubeadm etcd for Kubernetes v1.15.0

Change-Id: If42c2c75c4d278ba9475ebf76c243f3e6ee4d02e

* undo renaming cloud config file

Change-Id: Iafbd27c3887d6a2a6d0819c711f150ecf70c515d
2019-07-09 15:41:59 +03:00
champtar
a67a50f9c0 nodelocaldns: allow to set health port, switch to 9254 by default (#4902)
8080 is a pretty common port, using nodelocaldns_ip:8080 still
prevents node processes or hostNetwork=true processes to bind to *:8080
so switch to 9254 by default (prometheus port is 9253)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2019-07-09 00:52:01 -07:00
rptaylor
324bc41097 Add support for Docker plugins (#4934)
* Add support for Docker plugins

* support multiple Docker plugins using looped include

* fix yamllint error
2019-07-08 06:44:35 -07:00
andreyshestakov
c81b443d93 Fix order of names in /etc/hosts (#4940)
Configure fqdn properly
2019-07-08 06:08:34 -07:00
Julian Tabel
dc16ab92f4 fix for calico with kdd datastore (#4922)
* fix for calico with kdd datastore

* remove AS number from daemonset

* revert changes to canal

* additionnal fixes for kdd datastore in calico
2019-07-08 12:20:03 +03:00
Konrad Kurdej
d90a5f291b Using also uppercase proxy env variables (#4910) 2019-07-02 18:13:12 -07:00
Evans Tucker
3b7791501e Adding "-F /dev/null" to load null SSH config file. (#4933) 2019-07-02 01:53:08 -07:00
okamototk
f2b8a3614d Use K8s 1.15 (#4905)
* Use K8s 1.15

* Use Kubernetes 1.15 and use kubeadm.k8s.io/v1beta2 for
  InitConfiguration.
* bump to v1.15.0

* Remove k8s 1.13 checksums.

* Update README kubernetes version 1.15.0.

* Update metrics server 0.3.3 for k8s 1.15

* Remove less than k8s 1.14 related code

* Use kubeadm with --upload-certs instead of --experimental-upload-certs due to depricate

* Update dnsautoscaler 1.6.0

* Skip certificateKey if it's not defined

* Add kubeadm-conftolplane.v2beta2 for k8s 1.15 or later

* Support kubeadm control plane for k8s 1.15

* Update sonobuoy version 0.15.0 for k8s 1.15
2019-07-02 01:51:08 -07:00
Matthew Mosesohn
e89b47c7ee Add nginx stub metrics if health check enabled (#4938)
Change-Id: Iac90beef20e63fb4a539f91836231469c573f402
2019-07-01 13:38:37 -07:00
Matthew Mosesohn
2aa66eb12d Default to refreshing kubeadm etcd key (#4931)
Change-Id: Icc0176773b6d581c43647de433214079440d7321
2019-06-30 03:37:22 -07:00
okamototk
4c8b93e5b9 containerd support (#4664)
* Add limited containerd support

Containerd support for Ubuntu + Calico

* Added CRI-O support for ubuntu

* containerd support.

* Reset  containerd support.

* fix lint.

* implemented feedback

* Change task name cri xx instead of cri-o in reset task and timeout condition.

* set crictl to fixed version

* Use docker-ce's container.io package for containerd.

* Add check containerd is installable or not.

* Avoid stop docker when use containerd and optimize retry for reset.

* Add config.toml.

* Fixed containerd for kubelet.env.

* Merge PR #4629

* Remove unused ubuntu variable for containerd

* Polish code for containerd and cri-o

* Refactoring cri socket configuration.

* Configurable conmon.

* Remove unused crictl/runc download

* Now crictl and runc is downloaded by common crictl.yml.

* fixed yamllint error

* Fixed brokenfiles by conflict.

* Remove commented line in config.toml

* Remove readded v1.12.x version

* Fixed broken set_docker_image_facts

* Fix yamllint errors.

* Remove unused apt source

* Fix crictl could not be installed

* Add containerd config from skolekonov's PR #4601
2019-06-29 14:09:20 -07:00
Tony Fouchard
216631bf02 Repair kube_proxy_exclude_cidrs (#4909) 2019-06-28 00:39:37 -07:00
Erwan Miran
c7f3123e28 kubeadm_discovery_address should not contain proto (#4930) 2019-06-28 00:37:37 -07:00
Simon Lelievre
f599c2a691 add macvlan cni to kubespray (#4901)
* add macvlan cni to kubespray

* macvlan: lint yaml files and fix sample config file

* macvlan: add OWNERS file

* add macvlan to README

* macvlan : CI first shoot

* macvlan : CI add full masquerade

* delegate retrive pod cidr to master only

* macvlan: add config for CI

* macvlan: add netchecker deployment
2019-06-28 00:35:38 -07:00
Matthew Mosesohn
465dfd68bc Fix empty kube_override_hostname in apiserver_sans (#4916)
kubernetes/master role defines this value as an empty string
when using a cloud provider, not undefined. The check was updated
accordingly.

Change-Id: I58dc31ef4fd568a717a6753eb89ca687933018ae
2019-06-25 08:00:37 -07:00
Matthew Mosesohn
73f45fbe94
Revert "Filter undefined SANs for apiserver cert (#4913)" (#4914)
This reverts commit d270678bda.
2019-06-25 06:56:00 -07:00
Matthew Mosesohn
d270678bda Filter undefined SANs for apiserver cert (#4913)
Change-Id: I37442fb095fb4217f67f74744ad07c1d5d8229ea
2019-06-25 05:54:36 -07:00
Andreas Krüger
de028814e5 Upgrade to etcd version 3.3.10 per 1.14 release notes. (#4898)
* Upgrade to etcd version 3.3.10 per 1.14 release notes.

* Update etcd binary checksums
2019-06-24 01:27:55 -07:00
andreyshestakov
b5406b752d Add kube_override_hostname to kubeadm certs. (#4903) 2019-06-23 23:19:56 -07:00
Matthew Mosesohn
6025981ceb Allow skip kubeadm image prep but install kubeadm (#4904)
Change-Id: I744e9a192cd863a1ce22fbd16d217c5dfb16750c
2019-06-23 23:17:56 -07:00
Matthew Mosesohn
4348e78b24 Enable kubeadm etcd mode (#4818)
* Enable kubeadm etcd mode

Uses cert commands from kubeadm experimental control plane to
enable non-master nodes to obtain etcd certs.

Related story: PROD-29434

Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178

* Add validation checks and exclude calico kdd mode

Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c

* Move etcd mode test to ubuntu flannel HA job

Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732

* rename etcd_mode to etcd_kubeadm_enabled

Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
2019-06-20 11:12:51 -07:00
Tony Fouchard
f67a24499b Allow to specify feature_control in calico cni config (#4879)
* Allow to specify feature_control in calico cni config

* list length checking

* double check

* remove 2 conditions
2019-06-16 23:14:07 -07:00
Simon Lelievre
5c704552d8 multus | use last version (#4880) 2019-06-16 23:12:07 -07:00
Simon Lelievre
2849191e67 CNI plugins: use last version 0.8.1 (#4878)
* CNI plugins: bump version 0.8.1

* cni plugins : update checksums

* cni : update readme
2019-06-14 02:42:23 -07:00
刘旭
a3a7fe7c8e fix start CoreDNS when init secondary master (#4867) 2019-06-11 04:56:18 -07:00
Andreas Krüger
c8d95a1586 Remove dnsPolicy from PSP (#4864) 2019-06-10 23:34:16 -07:00
Neven Miculinic
27a99e0a3f Added configurable min memory assertions (#4307) 2019-06-10 23:22:15 -07:00
Andreas Krüger
3cc351dff9 Require min version of Kubernetes (#4860)
* Require minimum version of Kubernetes

* Remove checksums for kubernetes version 1.12

* Add kube_version to precheck output and add min required version to README

* Fix merge

* Fix defaults

* Fix typo in precheck
2019-06-10 23:18:15 -07:00
Johnny Halfmoon
23c9071c30 Added file and container image caching (#4828)
* File and container image downloads are now cached localy, so that repeated vagrant up/down runs do not trigger downloading of those files. This is especially useful on laptops with kubernetes runnig locally on vm's. The total size of the cache, after an ansible run, is currently around 800MB, so bandwidth (=time) savings can be quite significant.

* When download_run_once is false, the default is still not to cache, but setting download_force_cache will still enable caching.

* The local cache location can be set with download_cache_dir and defaults to /tmp/kubernetes_cache

* A local docker instance is no longer required to cache docker images; Images are cached to file. A local docker instance is still required, though, if you wish to download images on localhost.

* Fixed a FIXME, wher the argument was that delegate_to doesn't play nice with omit. That is a correct observation and the fix is to use default(inventory_host) instead of default(omit). See ansible/ansible#26009

* Removed "Register docker images info" task from download_container and set_docker_image_facts because it was faulty and unused.

* Removed redundant when:download.{container,enabled,run_once} conditions from {sync,download}_container.yml

* All features of commit d6fd0d2aca by Timoses <timosesu@gmail.com>, merged May 1st 2019, are included in this patch. Not all code was included verbatim, but each feature of that commit was checked to be working in this patch. One notable change: The actual downloading of the kubeadm images was moved to {download,sync)_container, to enable caching.

Note 1: I considered splitting this patch, but most changes that are not directly related to caching, are a pleasant by-product of implementing the caching code, so splitting would be impractical.

Note 2: I have my doubts about the usefulness of the upload, download and upgrade tags in the download role. Must they remain or can they be removed? If anybody knows, then please speak up.
2019-06-10 11:21:07 -07:00
rptaylor
5bec2edaf7 remove namespace from ClusterRole (#4856) 2019-06-10 11:15:12 -07:00
Matthew Mosesohn
f504d0ea99 Remove invalid field dnsPolicy from podSecurityPolicy (#4863)
Change-Id: I02864011bf5fda5dbd35c7513c73875769036f87
2019-06-10 07:11:10 -07:00
Matthew Mosesohn
3b7797b1a1 Ensure haproxy and nginx reload when config changes (#4862)
Change-Id: Ia9a41e7b1cfcb1e6acb2dbae6eecc541dce25a74
2019-06-10 05:59:08 -07:00
Sergey Nuzhdin
4d5c4a13cb Add missing checksums, update default k8s version to 1.14.3 (#4850)
This PR adds missing checksums for kubeadm and hyperkube and changes
default version to 1.14.3

Signed-off-by: Sergey Nuzhdin <ipaq.lw@gmail.com>
2019-06-09 11:49:05 -07:00
AlawnWong
69a8f91512 Update dns-autoscaler.yml.j2 (#4857)
Merge two tolerations.  because the latest tolerations will cover the first tolerations.
2019-06-09 11:39:04 -07:00
Frank Ritchie
ab6f0012cc Make local volume provisioner dir mode a variable (#4821)
* Make local volume provisioner dir mode a variable

I need to change this for Nagios monitoring. Others may
need to as well. Had to close previous commits, sorry for
the spam.

* Make local volume provisioner dir mode a variable

I need to change this for Nagios monitoring. Others may
need to as well. Had to close previous commits, sorry for
the spam.
2019-06-06 04:36:14 -07:00
Alberto Murillo
4afbf51d32 kube-router: Set ownership of /opt/cni/bin/* to kube (#4825)
Task "kube-roter | Set cni directory permissions"
sets ownership of /opt/cni/bin to "kube"

Task "kube-router | Copy cni plugins"
copies the binaries from the archive setting the ownership
back to "root"

Fix "kube-roter" typo

Signed-off-by: Alberto Murillo <albertomurillosilva@gmail.com>
2019-06-06 04:34:13 -07:00
Ivan Kukharchuk
d62684b617 Fixed missing meta for generic CNI network plugin (#4845) 2019-06-06 02:22:11 -07:00
mervynzhang
a8dfcbbfc7 Switch /root references to ansible_env.HOME (#4842)
* kube config dir for current/ansible become user

* remove extra /

* fix default value
2019-06-06 02:06:11 -07:00
Scott Charron
bbdc6210f5 use dpkg_selections module to hold docker-ce on Debian family hosts (#4820)
* use dpkg_selections module to hold docker-ce on Debian family hosts

* removed debian_docker.j2 template as it is no longer required
2019-06-06 01:16:13 -07:00
Andreas Krüger
818aa7aeb1 Set dnsPolicy to ClusterFirstWithHostNet when hostNetwork is true (#4843) 2019-06-05 03:17:55 -07:00
Dani Comnea
d540560619 Preinstall fails on checking etcd group length (#4839) 2019-06-05 01:37:53 -07:00
Andreas Krüger
797bfd85b0 Only create kubeadm compat cert dir link if it does not exist (#4840) 2019-06-05 01:27:53 -07:00
Sergey Nuzhdin
07cb8ebef7 Add support for arm images for hyperkube, kubeadm and cni_binary (#4261)
* Add support for arm images for hyperkube, kubeadm and cni_binary

* Add dummy etcd checksum for arm

This commit adds dummy etcd checksum for arm to avoid "no attribute" error
during setup.

* Add etcd host assert check

* Add 1.13.4 checksums of kubeadm and hyperkube for arm

* Update checksums of kubeadm and hyperkube for arm

* Add dummy checksums for calicoctl_binary_checksums dict

* disable gather_facts because it causes tests to fail

* Remove architecture check for etcd, due to unable to run tests
2019-06-05 00:05:55 -07:00
Toni Pokki
54416cabfd prefer_udp for upstream dns servers (#4810) 2019-06-04 23:27:55 -07:00
Matthew Mosesohn
3617ae31f6 Optionally skip predownload of kubeadm images (#4832) 2019-06-04 04:35:02 -07:00
Matthew Mosesohn
6347419233 Avoid duplicating nameservers (#4833) 2019-06-04 00:13:02 -07:00
Andreas Krüger
7423932510 Add ready plugin for CoreDNS (#4817) 2019-05-28 06:47:56 -07:00
Andreas Krüger
b41530ba5d Add missing extraArgs to kubeadm-config (#4814) 2019-05-28 03:57:52 -07:00
Maxime Guyot
b45f3f0004 Add tf-ovh_coreos CI job (#4763) 2019-05-28 01:51:53 -07:00
Dani Comnea
2a5721b4d4 Change CentOS CRI-O repo from developer repo to public one (#4807) 2019-05-27 05:33:51 -07:00
Vitaliy Dmitriev
333f1a4a40 kubeadm join path fixed for RH linux (#4798) 2019-05-27 01:49:51 -07:00
Andreas Krüger
1e470b0473 Fix certificate-key param for kubeadm init (#4789)
* Fix certificate-key param for kubeadm init

* Fix yamllint error
2019-05-22 02:06:11 -07:00
André R. de Miranda
0ef3a7914c Added pod psp in Rancher Local Path Provisioner (#4385)
* Added pod psp in Rancher Local Path Provisioner

Added pod security policy (psp) in Rancher Local Path Provisioner.

Signed-off-by: André R. de Miranda <andre@miranda.work>

* Apply psp for Rancher Local Path Provisioner only when local_path_provisioner_namespace is not kube-system and also reorganized the templates
2019-05-22 00:16:08 -07:00
bobahspb
a3fff1e438 cordon all deleted nodes before drain (#4756)
Kubespray waits exit of every drain before run other one.
Running drain every after each other seems better than parallel, because we should check resources availability every time.
But, this way, we have one additional problem: possible restart pods on the nodes that are killed little bit later.
Fast cordon before heavy drain seems like an easy solution.
2019-05-21 23:36:05 -07:00
André R. de Miranda
4bc204925a Error in nginx when starting registry-proxy (#4785)
Error starting nginx because in requiredDropCapabilities is dropped all capabilities.

The nginx requires the following capabilities:
- CHOWN
- SETGID
- SETUID

Signed-off-by: André R. de Miranda <andre@miranda.work>
2019-05-20 11:27:15 -07:00
Jacopo Secchiero
5d9946184a Add ignore_assert_errors to "kube-master, ... (#4779)
... kube-node or etcd is empty" task
As a assert must be ignored if ignore_assert_errors is true
2019-05-20 11:25:14 -07:00
Mateus Caruccio
8485136f9a var node_labels as string (#4764) 2019-05-19 12:31:10 -07:00
Maxime Guyot
ff1bc739f1 Change default for kubelet_flexvolumes_plugins_dir (#4752) 2019-05-19 12:29:10 -07:00
Florent Monbillard
8e28ba38d2 Add Load Balancer IP to API servers SANs (#4775)
- Add loadbalancer_apiserver.address to apiserver_sans
2019-05-16 01:23:42 -07:00
MarkusTeufelberger
73c2ff17dd Fix Ansible-lint error [E502] (#4743) 2019-05-16 00:27:43 -07:00
Timoses
13f225e6ae Only pull images for destined host groups (#4735)
Without this, pulls are considered for all
hosts groups, even if not targetted by the downloads
`groups` list. Hence, a download/sync is triggered
even though the host does not require the image.
2019-05-16 00:25:48 -07:00
Aleksey Kasatkin
14749df6f3 Fix "netchecker-server" ClusterRole (#4730)
* Add sha256 hashes for calicoctl v3.6.1

Hashes are added to calicoctl_binary_checksums for both adm and arm platforms.

* Add rules for "network-checker.ext" resource to "netchecker-server" ClusterRole

So that it could access the resource after it is created.

Corresponding issues:
https://github.com/Mirantis/k8s-netchecker-server/issues/125
https://github.com/kubernetes-sigs/kubespray/issues/3281
2019-05-09 01:30:49 -07:00
Sandro Modarelli
2db2898112 Fixed runc path in runtime for RedHat os family (#4731) 2019-05-09 01:28:48 -07:00
Andreas Krüger
044dcbaed0 Add Kubelet config, remove deprecated flags and fix minor bugs (#4724)
* Add kubelet config

* Change kubelet_authorization_mode_webhook to true

* Fix lint

* Sync env file

* Refactor the kubernetes node folder

* Remove deprecated flag and fix lint
2019-05-08 13:38:36 -07:00
Andreas Krüger
8a5eae94ea Minor cleanups of CoreDNS issues and CI job (#4719)
* Minor cleanups

* Add comment in docs that nodelocaldns cache is enabled by default
2019-05-07 13:20:36 -07:00
Andreas Krüger
bf3c6aeed1 Add kube anon auth settings to kubeadm config templates (#4713)
* Disable kube_api_anonymous_auth by default to secure the setup

* Disable metrics-server in addons. Health endpoint is slow and unstable

* Fix anonymous-auth missing in configuration

* Cleanup a bit

* Fix kube anon auth
2019-05-07 12:52:34 -07:00
Dmitri Rubinstein
03bded2b6b Fix adding output of kubeadm to the admin.conf downloaded to the artifacts directory (#4696)
Fixes issue https://github.com/kubernetes-sigs/kubespray/issues/4695
2019-05-06 03:29:36 -07:00
Manuel Cintron
d5c0829d61 Removing unnecessary httplib2 install (#4708) 2019-05-03 17:55:38 -07:00
Alex Barcelo
00369303de Fixing msg parameter for debug module (#4702)
According to [`debug` module documentation](https://docs.ansible.com/ansible/latest/modules/debug_module.html?highlight=msg), the correct parameter name is `msg`.

With the previous `message` parameter name I was getting FAILED messages while ansible was trying to debug previous FAILED tasks.
2019-05-03 12:21:42 -07:00
okamototk
1f1479c0a7 Update ingress nginx 0.24.1. (#4691) 2019-05-03 12:19:39 -07:00
MarkusTeufelberger
e67f848abc ansible-lint: add spaces around variables [E206] (#4699) 2019-05-02 14:24:21 -07:00
MarkusTeufelberger
560f50d3cd Add support for http(s)_proxy to CoreOS, Fedora and OpenSUSE (#4669)
* Add support for http(s)_proxy to CoreOS and Fedora

* fix opensuse proxy support

* Fix CoreOS proxy support

* update documentation
2019-05-02 12:28:22 -07:00
Stas
50bdaa573c Apply etcd_extra_vars to etcd-events.env as well. (#4219)
This change ensures that etcd_extra_vars variable applies
to events etcd as well.
2019-05-02 12:24:27 -07:00
Maxime Guyot
f29387316f Fix ansible-lint 602 (#4688) 2019-05-01 23:42:17 -07:00
Timoses
d6fd0d2aca Enable delegating all downloads (binaries, images, kubeadm images) (#4420)
* Download to delegate and sync files when download_run_once

* Fail on error after saving container image

* Do not set changed status when downloaded container was up to date

* Only sync containers when they are actually required

Previously, non-required images (pull_required=false as
image existed on target host) were synced to the target
hosts. This failed as the image was not downloaded to
the download_delegate and hence was not available for
syncing.

* Sync containers when only missing on some hosts

* Consider images with multiple repo tags

* Enable kubeadm images pull/syncing with download_delegate

* Use kubeadm images list to pull/sync

'kubeadm config images pull' is replaced by collecting the images
list with 'kubeadm config images list' and using the commonly
used method of pull/syncing the images.

* Ensure containers are downloaded and synced for all hosts

* Fix download/syncing when download_delegate is a kubernetes host
2019-05-01 01:10:56 -07:00
Christoffer Anselm
dcd9c9509b Add etcd role dependency on kube user to avoid etcd role failure when running scale.yml with a fresh node. (#3240) (#4479) 2019-04-30 04:01:36 -07:00
Matthew Mosesohn
15eb7db36d Fix k8s api endpoint for secondary nodes in control plane mode (#4675)
Change-Id: I1588458b54c52443ad8d0afbd266f77ac0afea67
2019-04-29 07:50:24 -07:00
Matthew Mosesohn
a5b46bfc8c Run dns_late preinstall tasks on all k8s nodes (#4672)
* Run dns_late preinstall tasks on all k8s nodes

Related issue: #4656

Change-Id: I63f8559ef1a497b7580ab084561e6603fe647834

* Fix ansible-lint

Change-Id: Ia5b33fa63dbc36d8c3e9557ef3f2ea02af2325a5

* Fix recover_control_plane lint issues

Change-Id: I16643a3193c11b6ba704e9698812cac7e4fd19a8
2019-04-29 05:12:21 -07:00
Youngchul Bang
fbba259933 ingress-nginx: enable --report-node-internal-ip-address flag (#4114)
Close #4113
2019-04-29 01:44:22 -07:00
Florent Monbillard
7b77e2d232 Remove docker-storage-setup dependency if not needed (#4077)
When docker_container_storage_setup is false,
docker service should not depend on docker-storage-setup service,
because it's not installed.

For example, when using overlay2 on recent RHEL 7/Centos 7 kernels,
you most likely don't need it.
2019-04-29 01:42:22 -07:00
qvicksilver
48a182844c Documentation and playbook for recovering control plane from node failure (#4146) 2019-04-29 01:40:20 -07:00
Andreas Krüger
38af93b60c Remove rkt support (#4671) 2019-04-29 01:14:20 -07:00
Matthew Mosesohn
741de6051c Fix nodeselectors for contiv and nginx-ingress (#4662)
* Fix nodeselectors for contiv and nginx-ingress

Change-Id: Ib3eb6bd87193c69a90ee944c9164a0b6792c79ba

* Set kube proxy mode to iptables for addons task

Change-Id: Iff71a71f672405c74b4708c71db15ddc4391a53a
2019-04-28 23:36:19 -07:00
Dmitry
b8f0de3074 Fixed etcd-servers-overrides in kubeadm config (#4668)
* kube-apiserver will fail if used comma as separator
2019-04-28 23:02:20 -07:00
MarkusTeufelberger
88d919337e ansible-lint: don't compare to empty string [E602] (#4665) 2019-04-28 23:00:20 -07:00
Matthew Mosesohn
338eb4ce65 Fix kubeadm upload certs with when condition (#4659)
* Fix kubeadm upload certs with when condition

Change-Id: I916dd2375b71eea2386047c7f185a2f8361f7a61

* Update kubeadm-secondary-experimental.yml
2019-04-27 01:14:20 -07:00
Andreas Krüger
3722acee85 Fix broken metrics-server deployment not starting (#4651)
* Fix metrics-server deployment

* Make metrics server work

* Fix sample inventory
2019-04-26 00:44:26 -07:00
grialeyur
82119ca923 Add support calico kubernetes datastore and typha. (#4498)
* Add support calico kubernetes datastore and typha.

* Add typha_enabled to kubespray-defaults.
2019-04-25 05:00:48 -07:00
gitareest
6ca2019002 Fix issue with etcd arm host installation case (#4589)
Use host_architecture variable.
2019-04-25 04:58:47 -07:00
Matthew Mosesohn
c9ed5f69d7 Prepend docker.io for all docker hub images (#4648)
Change-Id: I71dc793641bc168e40419e38f33f68f5325e77a9
2019-04-25 01:34:46 -07:00
Andreas Krüger
3fe66a1298 Update downloads role to download to correct group (#4638) 2019-04-24 10:48:03 -07:00
Sergey Kolekonov
4a10dca7d4 Add an ability to provide oidc cert in base64 (#4618) 2019-04-24 09:40:01 -07:00
Matthew Mosesohn
4d57ed314d Clean up check for setting kubeadm certificate key (#4634)
Change-Id: I2c97c4753089eb3ec2e6b01b2681a8be98ecbb57
2019-04-24 07:14:12 -07:00
iwankgb
4e81bcc147 Fixing Vagrant cluster provisioning (#4218)
* Pass ansible_ssh_user as host_var

Co-authored-by: Damian Darczuk <damian.darczuk@intel.com>
Co-authored-by: Paweł Pałucki <pawel.palucki@intel.com>

* Create a directory before downloading container images to ansible host

Co-authored-by: Damian Darczuk <damian.darczuk@intel.com>
Co-authored-by: Paweł Pałucki <pawel.palucki@intel.com>

* Set private key usuing synchronize task options

Co-authored-by: Damian Darczuk <damian.darczuk@intel.com>
Co-authored-by: Paweł Pałucki <pawel.palucki@intel.com>
2019-04-24 05:42:05 -07:00
Attilio Greco
6243467856 remove duble check for run this task just one time (#4613) 2019-04-24 05:38:01 -07:00
Vincent Gramer
f47a666227 support azure loadbalancer standard sku (#4150) (#4476)
add the support of the folling property in azure-credential-check.yml
  - azure_loadbalancer_sku: Sku of Load Balancer and Public IP. Candidate values are: basic and standard.
  - azure_exclude_master_from_standard_lb: excludes master nodes from standard load balancer.
  - azure_disable_outbound_snat: disables the outbound SNAT for public load balancer rules
  - useInstanceMetadata: Use instance metadata service where possible
  - azure_primary_availability_set: (Optional) The name of the availability set that should be used as the load balancer backend
2019-04-24 02:14:01 -07:00
Wilmar den Ouden
b708db4cd5 Update to v1.14.1 (#4481) 2019-04-24 02:08:01 -07:00
Matthew Mosesohn
fc072300ea Purge legacy cleanup tasks from older than 1 year (#4450)
We don't need to support upgrades from 2 year old installs,
just from the last major version.

Also changed most retried tasks to 1s delay instead of longer.
2019-04-24 00:08:05 -07:00
Chad Swenson
d25ecfe1c1 Update Docker defaults to 18.09.5 and drop deprecated (#4624)
As of kubernetes v1.14, docker 18.09 is [validated for use](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#external-dependencies). Docker 1.11 and 1.12 were dropped.

This patch:
- Updates the default docker version to 18.09
- Updates Docker packages to the latest 18.09 patch (18.09.5)
- Removes options for Docker 1.11 and 1.12
2019-04-23 22:24:01 -07:00
MarkusTeufelberger
a65605b17a ansible-lint: Don't use bare variables (#4608)
Circumvented one false positive from ansible-lint
Moved a block of jinja magic into its own variable
2019-04-23 22:20:00 -07:00
MarkusTeufelberger
424e59805f ansible-lint: Fix commands that are also available as module (#4619) 2019-04-23 22:18:00 -07:00
MarkusTeufelberger
76db060afb Define and implement specs for bootstrap-os (#4455)
* Add README to bootstrap-os role

* Rework bootstrap-os once more

* Document workarounds for bugs/deficiencies in Ansible modules
* Unify and document role variables
* Remove installation of additional packages and repositories
* Merge Ubuntu and Debian tasks
* Remove pipelining setting from default playbooks
* Fix OpenSUSE not running its required tasks
2019-04-23 15:46:02 -07:00
Andreas Krüger
d588532c9b Update probe timeouts, delays etc. (#4612)
* Fix merge conflict

* Add check delay

* Add more liveness and readiness options to metrics-server
2019-04-23 14:46:02 -07:00
Matthew Mosesohn
d6d7458d68 Fix control plane setup without a hardcoded key (#4610) 2019-04-23 14:37:59 -07:00
Matthew Mosesohn
d89ecb8308 disable metrics server and fix terraform (#4617)
* disable metrics server in centos7-flannel-addons job

Change-Id: I1d87923547584896f64dda9ea8feb5581ad48cbe

* Fix tf facility->facilities syntax

Change-Id: I434bfe53f47e8e4a546890e0b62d24bde6e6d6a7

* Update Terraform CI for facilities

* Fix undefined variable error
2019-04-23 12:06:03 -07:00
Maxime Guyot
50751bb610 Revert "Optimize kube resources creation (#4572)" (#4621)
This reverts commit f8fdc0cd93.
2019-04-23 20:37:23 +03:00
andreyshestakov
f8fdc0cd93 Optimize kube resources creation (#4572) 2019-04-22 23:34:10 -07:00
Matthew Mosesohn
09fe95bc60 Avoid creating k8s cert dir on non-k8s nodes (#4602) 2019-04-21 15:27:43 -07:00
Victor Morales
ada5941a70 Unmask Docker service in ClearLinux (#4583)
The docker service provided by the containers-basic bundle is masked
in ClearLinux distribution. This is causing errors in the following
steps. This commit ensures that the unit is not masked.
2019-04-21 07:31:43 -07:00
Vedran Bartonicek
33ab615072 Wait longer for node to join the cluster (#4549) 2019-04-20 07:05:40 -07:00
Rabi Mishra
5a1cf19278 Install cri-tools on fedora (#4350) 2019-04-20 06:29:40 -07:00
Matthew Mosesohn
05dc2b3a09 Use K8s 1.14 and add kubeadm experimental control plane mode (#4514)
* Use K8s 1.14 and add kubeadm experimental control plane mode

This reverts commit d39c273d96.

* Cleanup kubeadm setup run on first master

* pin kubeadm_certificate_key in test

* Remove kubelet autolabel of kube-node, add symlink for pki dir

Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
2019-04-19 06:01:54 -07:00
Aleksey Kasatkin
d0e628911c Add sha256 hashes for calicoctl v3.6.1 (#4580)
Hashes are added to calicoctl_binary_checksums for both adm and arm platforms.
2019-04-19 05:45:55 -07:00
Andreas Krüger
656633f784 YAMLLint everything (#4576) 2019-04-18 23:59:54 -07:00
Victor Morales
f5aec8add4 Fix runc absolute path (#4542)
The BINDIR variable defined on the runc's Makefile[1] defines
installation path is on $(PREFIX)/sbin which used for most of the
Linux distributions. This change fixes the absolute path used for
non-ClearLinux distributions (CentOS, Ubuntu).

[1] https://github.com/opencontainers/runc/blob/master/Makefile#L10
2019-04-18 15:41:58 -07:00
Maxime Guyot
f92309bfd0 Fix ansible-lint for ceph package (#4568) 2019-04-18 13:45:25 -07:00
Victor Morales
c6586829de Ensure /etc/bash_completion.d/ folder exists (#4543)
The Stateless ClearLinux feature[1] requires the creation of folders
in /etc folder. This change ensure the existence of the
/etc/bash_completion.d/ folder for ClearLinux Distribution.

[1] https://clearlinux.org/features/stateless
2019-04-18 02:24:10 -07:00
Maxime Guyot
b218e17f44 ansible-lint: E403 Package installs should not use latest (#4500) 2019-04-18 01:34:08 -07:00
Maxime Guyot
a6dc50e7cb Add host information for canal readiness probe (#4548) 2019-04-17 10:22:02 -07:00
Maxime Guyot
37eac010c8 ansible-lint: Don’t compare to literal True/False (#4499) 2019-04-17 08:42:03 -07:00
Maxime Guyot
ec3daedf9e Revert "Fix for unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels (#4320)" (#4553)
This reverts commit 586ad89d50.
2019-04-17 07:58:06 -07:00
Jugwan Eom
d83181a2be add RBD Provisioner Addon (#3667) (#3668)
Based on the CephFS Provisioner Addon, the following changes have been made:
 - Upstream v2.1.1-k8s1.11
 - Configurable Provisioner replicas
2019-04-16 23:14:02 -07:00
andreyshestakov
78f6f6b889 Mark "Calico | Set global as_num" as "unchanged" (#4539)
This command executes with "--skip-exists" parameter, so it is idempotent
and should not be marked as "changed".
2019-04-16 09:31:11 -07:00
Matthew Mosesohn
c5fb734098 Switch calicoctl from a container to a binary (#4524) 2019-04-15 04:24:04 -07:00
Matthew Mosesohn
d39c273d96 Revert "Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)" (#4510)
This reverts commit 316508626d.
2019-04-11 12:52:43 -07:00
Matthew Mosesohn
316508626d Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)
* Use Kubernetes 1.14 and experimental control plane support

* bump to v1.14.0
2019-04-11 05:30:13 -07:00
Maxime Guyot
46ba6a4154 ansible-lint: when lines should not include Jinja2 variables (#4496) 2019-04-11 03:06:10 -07:00
Andreas Krüger
4ff851b302 Enable nodelocaldns by default (#4461)
* Enable nodelocaldns by default

* Enable nodelocaldns by default

* nodelocaldns is now default

* Disable enable_nodelocaldns for the addons CI jobs

Disable enable_nodelocaldns for the addons CI jobs to make sure things still work without nodelocaldns
2019-04-11 00:24:08 -07:00
Qasim Sarfraz
3af90f8772 disable cloud-routes for non-cloud plugin (#4443) 2019-04-10 23:50:09 -07:00
Andreas Krüger
9032e271f1 Upgrade CoreDNS to 1.5.0 (#4494) 2019-04-10 13:40:08 -07:00
Andreas Krüger
15597aa493 Do not force TCP connections to upstreams. (#4492) 2019-04-10 12:40:09 -07:00
Sergey
3b9d13fda9 Return back bind API server node loadbalancer to 127.0.0.1 for security purposes. (#4489) 2019-04-10 12:20:08 -07:00
Andreas Krüger
5e0249ae7c Add HAProxy as internal loadbalancer (#4480) 2019-04-10 05:56:18 -07:00
Maxime Guyot
353afa7cb0 Fix ipip: false in calico v3 (#4473) 2019-04-10 05:50:15 -07:00
Neven Miculinic
a30ad1e5a5 Added generic CNI network plugin (#4322)
* Added generic CNI network plugin

* Added CNI network plugin documentation

* added necessary fix
2019-04-10 04:16:15 -07:00
Robert Neumann
586ad89d50 Fix for unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels (#4320)
* Fix the file path for all.yml and k8s-cluster.yml

* Fix --node-labels namespace error "unknown labels specified"

* Update templates and configs kubelet node-labels
2019-04-10 04:14:12 -07:00
Sidharth Anupkrishnan
6caa639243 Update CoreDNS label as specified in the kubernetes coredns repository (#3920) 2019-04-10 04:12:13 -07:00
MarkusTeufelberger
d2a1ac3b0c Add Ansible-lint CI step (#4411)
* Add ansible-lint as gitlab-ci step

* Fix jinja2 syntax in include_tasks that breaks ansible-lint

* Use a block scalar to get around gitlab quoting/escaping rules

* Run ansible-lint in verbose mode in CI
2019-04-10 02:04:16 -07:00
André R. de Miranda
097806dfe8 Added tag kube-proxy (#4272)
Signed-off-by: André R. de Miranda <andre@miranda.work>
2019-04-09 05:25:06 -07:00
Abdulaziz AlMalki
7cdf1fd388 quote values for kube_oidc_groups_prefix and kube_oidc_username_prefix values to accept colon, e.g oidc: (#4305)
This will fix error: error converting YAML to JSON: yaml: line 36: mapping values are not allowed in this context

Signed-off-by: Abdulaziz AlMalki <almalki.a@gmail.com>
2019-04-09 05:23:06 -07:00
Andreas Krüger
aa162b0d5d Update kube-router to 0.2.5 (#4469) 2019-04-09 03:37:04 -07:00
Maxime Guyot
b15f3e182d add default routing to canal and disable bird checks (#4468)
Co-Author: Paweł Skrzyński
2019-04-09 02:45:07 -07:00
Andreas Krüger
4d39c1856e Fix jinja filters (#4470) 2019-04-09 02:19:06 -07:00
Maxime Guyot
913fed0089 kubeadmn init: add 'until' to make 'retries' effective (#4464)
an 'until' clause is required or 'retries' is ignored

(see note @ https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html#do-until-loops)
2019-04-09 00:21:04 -07:00
Markos Chandras
12c6b5c3eb openSUSE: Use Leap 15.0 instead of 42.3 (#4442)
* Vagrantfile: Bump openSUSE to Leap 15.0

* roles: container-engine: Add 'containerd' package for openSUSE

The 'containerd' package contains the docker-containerd and
docker-containerd-shim binaries. We also need to ensure that the latest
version is installed since an older version may already be present (eg GCE
images)

* Remove docker log-opts for opensuse

* roles: bootstrap-os: Use lowercase 'o' for openSUSE

OpenSUSE is not a valid family name. The correct one is openSUSE

* roles: bootstrap-os: Update zypper cache before first installation

The zypper cache may be outdated so ensure that it's fully updated
before we try and install the bootstrap packages.
2019-04-09 00:17:05 -07:00
rptaylor
f52584a715 robust handling of API server SANs (#4435)
* robust handling of API server SANs

* use apiserver_loadbalancer_domain_name if it is defined, according to PR 3977
2019-04-08 08:10:35 -07:00
Erwan Miran
09bbdadcee remove nodelocaldns iface on reset (#4460) 2019-04-08 02:26:25 -07:00
Xinghong Fang
d711a0c83f [nodelocaldns] expand tolerations on the daemonset (#4451) 2019-04-08 02:24:26 -07:00
Andreas Krüger
d18ad63e49 Update nginx to 1.15. Update manifest and performance optimize (#4458) 2019-04-08 02:02:29 -07:00
Maxime Guyot
8947614d97 Upgrade to etcd v3.2.26 (#4444) 2019-04-08 00:34:25 -07:00
Victor Morales
7e4f4a96fc Replace iteritems() to items() in Jinja2 templates (#4437)
The iteritems() dictionary's method has been removed in Python3. Using
this method in Jinja2 templates limits the execution to Python2 which
will be deprecated in 2020[1]. This change replaces that method for
the items() method as it's suggested in the official website[2].

[1] https://pythonclock.org/
[2] https://docs.ansible.com/ansible/latest/user_guide/playbooks_python_version.html#dict-iteritems
2019-04-08 00:32:26 -07:00
MarkusTeufelberger
301a371efe Update pypy3 on CoreOS to 7.0.0 (#4456) 2019-04-08 00:28:24 -07:00
Maxime Guyot
1a6df84c7a Upgrade to Helm 2.13.1 (#4445) 2019-04-07 07:04:25 -07:00
Maxime Guyot
8ad74404c9 Remove bash-completion (#4431) 2019-04-05 01:23:22 -07:00
Maxime Guyot
1ce2f04f47 allow Suse OS family (#4430) 2019-04-04 03:02:51 -07:00
Xavi
20b12751af add Cinder allowVolumeExpansion option (#4415) 2019-04-04 02:36:50 -07:00
Maxime Guyot
adca353fe9 Use docker.io for calico (#4253) 2019-04-04 01:20:49 -07:00
Andreas Krüger
7a72e567d5 Update CoreDNS to 1.4.0 (#4422)
* Update CoreDNS to 1.4.0

* Update readme to reflect CoreDNS update
2019-04-04 00:40:50 -07:00
Andreas Krüger
3c050be0b0 Update nodelocaldns cache settings (#4423) 2019-04-04 00:38:51 -07:00
Andreas Krüger
41e684eb5a Update DNS Autoscaler to 1.4.0 (#4425)
* Update DNS Autoscaler

* Update downloads too

* Fix yamllint

* Fix yamllint
2019-04-04 00:36:51 -07:00
Sergey
55890e1b82 keep compatibility as it was before (#4268) 2019-04-03 01:39:42 -07:00
Sergey
1e524c68d5 remove our config if docker start failed (#4260) 2019-04-03 01:37:44 -07:00
Sergey
740d8b0a26 enable kubelet client certificate rotation (#4081)
* enable kubelet client certificate rotation

* change to variable kubelet_rotate_certificates
2019-04-03 01:35:44 -07:00
Gautam Divgi
a8dd69cf17 Fixed cleanup-docker-orphans.sh to use docker-containerd-shim and containerd-shim (#4418) 2019-04-02 09:11:21 -07:00
Matthew Mosesohn
4fe2aa6bf7 Use install_cni init container for cni copy for calico/canal (#4416) 2019-04-02 03:32:36 -07:00
Chad Swenson
5d5c9cab19 Speed up old docker package removal (#4408)
Both the `yum` and `apt` modules support a list as input, this allows us avoid the slower `with_items` approach, which can take a long time with a large count of cluster nodes.
2019-04-01 15:08:35 -07:00
Matthew Mosesohn
5f12b7aedf Remove kubedns and dnsmasq. Move dns_late phase after apps (#4406)
Both kubedns and dnsmasq modes are long not maintained.
We should run dns_late steps at the end because sshd
makes DNS lookups during Ansible run and has 2s timeouts
for each failed lookup trying to connect to coredns before
it is ready.
2019-04-01 12:32:34 -07:00
Bort Verwilst
d71590bbd0 add 1.14.0 checksum, remove 1.11.* checksums (#4401) 2019-04-01 07:16:33 -07:00
ml
483f1d2ca0 Calico felix - Fix jinja2 boolean condition (#4348)
* Fix jinja2 boolean condition

* Convert all felix variable to booleans instead.
2019-03-29 16:07:09 -07:00
Dmitry Chepurovskiy
0440e45d65 Fix supplementary_addresses rendering error (#4403) 2019-03-29 00:26:13 -07:00
Stefan Prietl
2fb27c8521 Use static files in KubeDNS templating task (#4379)
This commit adapts the "Lay Down KubeDNS Template" task to use the static
files moved by pull request [1]

[1] https://github.com/kubernetes-sigs/kubespray/pull/4341
2019-03-28 06:26:43 -07:00
Qasim Sarfraz
f17f4ff963 Fix bootsrap-os role, failing to create remote_tmp (#4384)
* Fix bootsrap-os role, failing to create remote_tmp

* use ansible_remote_tmp hostvar
2019-03-28 06:24:43 -07:00
Sergey
e9c34fe038 Default values for variable dns_servers and dns_domain are set in two files: (#3999)
values from inventory in roles/kubespray-defaults/defaults/main.yml
hardcoded values in roles/container-engine/defaults/main.yml

dns_servers set empty in roles/container-engine/defaults/main.yml and skydns_server not set in docker_dns_servers variables
also set default value for manual_dns_serve

another variables in roles/container-engine/defaults not need to set
2019-03-28 06:22:44 -07:00
Dmitry Chepurovskiy
669ab10c17 Added livenessProbe for local nginx apiserver proxy liveness probe (#4222)
* Added configurable local apiserver proxy liveness probe

* Enable API LB healthcheck by default

* Fix template spacing and moved healthz location to nginx http section

* Fix healthcheck listen address to allow kubelet request healthcheck
2019-03-28 06:20:46 -07:00
Qasim Sarfraz
0a3cf1a087 Fix CA cert environment variable for ectd v3 (#4381) 2019-03-28 00:18:43 -07:00
Bart Verwilst
0efa3e6392
Upgrade to k8s 1.13.5 2019-03-27 11:16:21 +01:00
Matthew Mosesohn
6d7f3c4405 Reduce jinja2 filters in coredns templates (#4390) 2019-03-26 11:09:17 -07:00
Etienne
d0ae316934 Use proxy_env with kubeadm phase commands (#4325) 2019-03-26 03:03:19 -07:00
Matthew Mosesohn
b7fd462944 Fix support for ansible 2.7.9 (#4375) 2019-03-20 11:29:42 -07:00
Matthew Mosesohn
ec08303f82 Revert "Fix #4237: update kube cert path (#4354)" (#4369)
This reverts commit ea7a6f1cf1.

This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.
2019-03-20 05:56:57 -07:00
Dmitry Chepurovskiy
ea7a6f1cf1 Fix #4237: update kube cert path (#4354) 2019-03-17 23:55:11 -07:00
Matthew Mosesohn
150a969cf4
Forcefully delete pods when necessary (#4328)
Pods on down/unresponsive nodes can't be deleted without
--force --grace-period=0.

Fixes #4314
2019-03-14 07:45:46 -07:00
Manuel Cintron
3c4cbf133e Adding ability to override dashboard replica count (#4344) 2019-03-13 13:58:25 -07:00
Matthew Mosesohn
fd2c47b56a Move most coredns templates to static files (#4341)
* Move most coredns templates to static files

This should speed up the task slightly

* yaml lint fixes
2019-03-12 21:17:31 -07:00
Bort Verwilst
33024731e4 Upgrade to k8s 1.13.4 (#4319) 2019-03-06 23:16:56 -08:00
chadswilson
d469282f1c add blockSize to IPPool spec for Calico >= v3.3.0 (#4224)
* add blockSize to IPPool spec for Calico >= v3.3.0

* fix "cidr" spec in Calico IPPool resource for my PR
2019-03-06 12:42:48 -08:00
Matthew Mosesohn
acbf3db233 Remove hard dependence on facts for all nodes (#4304)
* Remove hard dependence on facts for all nodes

* Update main.yaml

* Update main.yaml
2019-03-05 03:04:39 -08:00
Matthew Mosesohn
adf6a7121f Reenable set_facts task for dns_late (#4312) 2019-03-01 05:39:30 -08:00
Bort Verwilst
bbfd2dc2bd Add 1.12.6, sort arm64 descending (#4308)
* Add 1.12.6, sort arm64 descending

* remove 1.10.x checksums (EOL anyways)
2019-02-28 05:55:19 -08:00
Matthew Mosesohn
4fe61968cf Set default value for local_path_provisioner_enabled in role (#4309) 2019-02-28 05:36:08 -08:00
Anupam Basak
9e8e069b23 remove kube bridge on reset (#4250) 2019-02-26 00:32:00 -08:00
Peter Metz
26ca58419f feat(external-provisioner): adds support for local-path-provisioner (#4232)
* feat(external-provisioner/local-path-provisioner): adds support for local path provisioner

Helpful for local development but also in production workloads (once the
permission model is worked out) where you have redundancy built into the
software uses the PVCs (e.g. database cluster with synchronous
replication)

* feat(local-path-provisioner): adds debug flag, image tag group var

* fix(local-path-provisioner): moves image repo/tag to download role

* test(gce_centos7-flannel): enables local-path-provisioner in test case

* fix(addons): add image repo/tag to commented default values

* fix(local-path-provisioner): typo in jinja template for local path provisioner

* style(local-path-provisioner): debug flag condition re-formatted

* fix(local-path-provisioner): adds missing default value for debug flag

* fix(local-path-provisioner): syntax fix for debug if condition end

* fix(local-path-provisioner): jinja template syntax: if condition white space
2019-02-25 22:45:30 -08:00
hikoz
67832aada9 changed_when:false (#4189) 2019-02-25 20:09:30 -08:00
hikoz
3d25b4dfc1 30MiB for gpu-device-plugin (#4227)
* 30MiB for gpu-device-plugin

* use vars for easier configuration
2019-02-25 20:03:53 -08:00
Wong Hoi Sing Edison
1c12c19150 weave: Upgrade to 2.5.1 (#4248)
Upstream Changes:

  - weave 2.5.1 (https://github.com/weaveworks/weave/releases/tag/v2.5.1)

Our Changes:

  - Sync templates with upstream changes
2019-02-25 20:02:00 -08:00
Ryler Hockenbury
88249308a0 Add labels to vsphere cloud config (#4275) 2019-02-25 19:58:15 -08:00
Gabor Lekeny
b4aaa7b908 Speed up tasks (#4278)
* fact gathering should run only once per node
* eliminate ansible version check, it is at the beginning of each
  playbook
2019-02-25 19:56:23 -08:00
Vasilis Remmas
81801ce23b Add master toleration flag in dashboard deployment (#4290) 2019-02-25 19:34:47 -08:00
Etienne
7dfa39483f Make container storage repository configurable (#4284) 2019-02-25 19:29:32 -08:00
Matthew Mosesohn
b07641c3f3 Move kube_proxy_remove out of set_facts and set default (#4180) 2019-02-25 00:08:06 -08:00
Matthew Mosesohn
4638acfe81 Retry applying podsecurity policies (#4279) 2019-02-24 22:50:55 -08:00
Kaoet
aadef80404 Upgrade to latest version of ubuntu-nvidia-driver-installer. (#4296)
The lastest version of ubuntu-nvidia-driver-installer contains a fix for
https://github.com/GoogleCloudPlatform/container-engine-accelerators/issues/90
which causes the installer pod to crash when driver is already loaded.
2019-02-24 22:22:48 -08:00
Frank Ritchie
9805fb7a34 Add flexvolume plugin dir to kubeadm kubelet (#4168)
This was already approved in #4106 but there are CI issues
with that PR due to references to kubernetes incubator.

After upgrading to Kubespray 2.8.1 with Kubeadm enabled Rook
Ceph volume provision failed due to the flexvolume plugin dir not
being correct. Adding the var fixed the issue
2019-02-20 15:02:02 -08:00
Maxime Guyot
323d788f48 Add support for --enable-skip-login in Dashboard (#4265) 2019-02-19 23:24:29 -08:00
Abdulaziz AlMalki
eafab9636f fix wrong indent of oidc-username-prefix and oidc-groups-prefix in kubeadm config template (#4263) 2019-02-19 23:22:32 -08:00
Seungkyu Ahn
107bfb259a This PS is to fix the bug when Workers can't join the cluster (#4276)
because of etc-kubernetes-manifests not empty.
2019-02-19 22:13:59 -08:00
Rong Zhang
d4a36aa55b
Merge pull request #4027 from riverzhang/kube-proxy
Add update server field in kube-proxy kubeconfig
2019-02-20 13:41:06 +08:00
Manuel Cintron
07b2894080 Adding ability to maintain existing Encryption Secrets at Rest. (#4255)
* Adding ability to maintain existing Encryption Secrets at Rest.

If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token.

This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets.

* Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 07:31:45 -08:00
Florent Monbillard
802ac377b8 Fix typo in task description (#4243) 2019-02-19 06:06:29 -08:00
Kaoet
23685b4537 Add image tag in "pause" container of nvidia driver installer. (#4247) 2019-02-17 21:02:30 -08:00
Chad Swenson
e552be76ce Docker apt repo name fix (again) (#4246)
For some reason 18.09 packages are now prefixed with `5:` in the download.docker.com apt repos
Followup to #4236
2019-02-14 10:19:19 -08:00
Ryler Hockenbury
eea22dfd40 Fix typo with docker-ce package versions (#4236) 2019-02-14 07:32:12 -08:00
Kaoet
192f4c4e96 Allow customizing container image path used in NVIDIA GPU addon. (#4229) 2019-02-14 03:51:38 -08:00
hikoz
e03588f431 use swapon -s (#4216) 2019-02-14 02:35:17 -08:00
Chad Swenson
8872b2e0c6 Fix calico when kube_override_hostname is set (#4235)
This fixes an issue where the `nodename` in calico's cni config json can fall out of sync with the k8s node name used by the calico pod if `kube_override_hostname` is set
2019-02-13 16:02:48 -08:00
Florent Monbillard
061f5a313b Explicitely set etcd endpoint in kubeadm-images.yaml (#4063)
Currently, the task `container_download | download images for kubeadm config images` fetches etcd image even though it's not required (etcd is bootstrapped by kubespray, not kubeadm).

`kubeadm-images.yaml` is only a subset of `kubeadm-config.yaml`, therefore ``kubeadm config images pull` will try to get all this list (including etcd)

```
# kubeadm config images list --config /etc/kubernetes/kubeadm-images.yaml
k8s.gcr.io/kube-apiserver:v1.13.2
k8s.gcr.io/kube-controller-manager:v1.13.2
k8s.gcr.io/kube-scheduler:v1.13.2
k8s.gcr.io/kube-proxy:v1.13.2
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.2.24
k8s.gcr.io/coredns:1.2.6
```

When using the `kubeadm-config.yaml` though, it doesn't list etcd image:

```
# kubeadm config images list --config /etc/kubernetes/kubeadm-config.yaml
k8s.gcr.io/kube-apiserver:v1.13.2
k8s.gcr.io/kube-controller-manager:v1.13.2
k8s.gcr.io/kube-scheduler:v1.13.2
k8s.gcr.io/kube-proxy:v1.13.2
k8s.gcr.io/pause:3.1
k8s.gcr.io/coredns:1.2.6
```

This change just adds the etcd endpoints in the `kubeadm-images.yaml` to give a hint to kubeadm it doesn't need etcd image for its boostrapping as etcd is "external".
I confess it is a ugly hack, a better way would be to use a single `kubeadm-config.yaml` for both tasks, but they are triggered by different roles (`kubeadm-images.yaml` is used by download, `kubeadm-config.yaml` by kubernetes/master) at different steps and I didn't want to refactor too many things to prevent breakage. 

This is specially useful for offline installation where a whitelist of container images is mirrored on a local private container registry. `k8s.gcr.io/etcd` and `quay.io/coreos/etcd`  are two different repositories hosting the same images but using *different tags*! 
* coreos/etcd:v3.2.24   
* k8s.gcr.io/etcd:3.2.24 (note the missing 'v' in the tag name)
2019-02-13 12:44:12 -08:00
Chad Swenson
2e2ed3bd35 [SECURITY] Docker patches for CVE-2019-5736 (#4223)
This updates docker 18.06 and 18.09 with the two patches released
yesterday to address the new runc exploit. Details here:
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
2019-02-13 01:50:53 -08:00
Manuel Cintron
7697baf0da Omit does not work in the context of yum_repository proxy. The ansible documentation specifies to use _none_ to disable the global proxy setting. (#4225) 2019-02-12 16:46:32 -08:00
Sorin Sbarnea
22a5a00c49 Improve kubeadm join tasks (#4206)
Fix issue where `kubeadm join` could wait forever for joining.

Fix issue where `kubeadm join` were not reaching the user, making
impossible to find the cause of the failure.

New behaviour is to first attempt to join without bypassing the
verifications checks and to display them if needed.

If this fails it still attempts to join by ignoring the check in
order to make previous behavior.

A timeout of 60 seconds is allocated for a joining.

Related-bug: #3973
2019-02-12 13:42:56 -08:00
Maxime Guyot
6a33411d65 Add an option for helm init --wait (#4202) 2019-02-11 14:32:26 -08:00
hikoz
9a91ef8628 change permission after unarchive (#4191) 2019-02-11 14:21:38 -08:00
Sergey
fbce6349c4 check kube_pods_subnet and kube_service_addresses to valid ip network range, not single ip address (#4188) 2019-02-11 14:12:06 -08:00
MarkusTeufelberger
e2ad6aad5a bootstrap: rework role (#4045)
* bootstrap: rework role

* support being called from a non-root user
* run some commands in check mode
* unify spelling/task names

* bootstrap: fix wording of comments for check_mode: false

* bootstrap: remove setup-pipelining task
2019-02-11 14:04:27 -08:00
Chad Swenson
038a2eb862
Merge pull request #3949 from trogeat/patch-fix-missing-ca-cert-apiserver
kubespray: fix missing ca-certificate path in apiserver
2019-02-11 15:40:04 -06:00
Manuel Cintron
5d146e52fe If a centos or rhel node is not configured with the extras repo installation of required packages (python-httplib2 in particular) will fail later on. (#4213) 2019-02-11 13:27:02 -08:00
Jeff Bornemann
c41c1e771f OCI Cloud Provider Update (#4186)
* OCI subnet AD 2 is not required for CCM >= 0.7.0

Reorganize OCI provider to generate configuration, rather than pull

Add pull secret option to OCI cloud provider

* Updated oci example to document new parameters
2019-02-11 12:08:53 -08:00
Karl
85b77f7c22 Remove Ubuntu Bionic specific vars file - breaks multi-arch (#3974) 2019-02-11 00:04:27 -08:00
Maxime Guyot
6b3f7306a4 Add support for arm64 images for hyperkube, kubeadm and cni_binary (#4176) 2019-02-09 02:08:57 -08:00
joakimr-axis
01d70f2c7c Update flannel version to v0.11.0 (#4190)
Change-Id: I27d670803bea82a68d5eb0e49d4677f4afdce55f
2019-02-07 04:33:01 -08:00
Chad Swenson
6878c2af4e Fix kube_hostname_override inconsistencies (#4185) 2019-02-06 22:20:11 -08:00
Bort Verwilst
db2b76a22a update k8s to 1.13.3 (#4192)
* update k8s to 1.13.3

* update README as well
2019-02-06 10:48:05 -08:00
peerapach
69e5deeccc Fix newline issue of priorityClassName when enable tolerations (#4164) 2019-02-04 12:59:01 -08:00
Danny Kulchinsky
226d5ed7de [Calico] Define FELIX_KUBENODEPORTRANGES when kube-proxy in ipvs mode (#4173)
* Define FELIX_KUBENODEPORTRANGES when kube-proxy in ipvs mode

* ensure kube_apiserver_node_port_range is defined
2019-02-04 12:42:40 -08:00
Earl C. Ruby III
52e0aa7a80 Install the latest filesystem creation packages (#3904)
This PR ensures that the e2fsprogs and xfsprogs packages are
installed on all Kubernetes nodes and that the packages are
the latest versions. It also ensures that the nodes can
create XFS filesystems when necessary, since not all distros
install xfsprogs by default.

e2fsprogs - ext2/ext3/ext4 file system utilities
xfsprogs - Utilities for managing the XFS filesystem
2019-02-04 12:23:33 -08:00
peerapach
bd9474bafd fix kubeadm-setup when enable access_ip (#4145) 2019-02-01 20:10:34 -08:00
Sorin Sbarnea
316b73178d Add timeout to Get current version of calico cluster version (#4149)
Avoid waiting forever for this task that should be very quick.

Fixes: #4148
2019-02-01 20:09:04 -08:00
Manuel Cintron
143e2272ff Fixing an issue where trying to install docker-ce-18.09 on rhel7 nodes (or potentially centos 7) without an enabled extras repo the installation will fail because container-selinux >= 2.9 is required. The check for container-selinux upfront should obviate the need for adding an extras repo if the node is able to find it from another source. (#4161) 2019-01-31 16:19:48 -08:00
Vasilis Remmas
cd7924f8c9 Add oidc prefixes to kubeadm templates (#4159) 2019-01-31 15:31:43 -08:00
Erwan Miran
7f93a5a0f5 Fix deprecation warnings (#4130)
* use not deprecated ansible_play_hosts variable

* Using tests as filters is deprecated

* Fix deprecation warning about pkg list
2019-01-31 14:57:22 -08:00
Erwan Miran
f6d60a7e89 Calico: Ability to define the default IPPool CIDR (instead of kube_pods_subnet) (#4131)
* Calico: Ability to define the default IPPool CIDR (instead of kube_pods_subnet)

* Documentation for calico_pool_cidr (and calico_advertise_cluster_ips which has been forgotten...)
2019-01-31 13:39:13 -08:00
Thomas Nys
68fd7e39da Set cluster DNS correctly in case of nodelocal dns cache (#3879)
* Set cluster DNS correctly in case of nodelocal dns cache

* Pass in cluster_ip based on dns mode

* Disable nodelocaldns by default

* Fix syntax error

* Fix syntax issue

* Add nodelocadns ip to vars of node installation

* Change location of nodelocaldns_ip

* Try to remove newlines from jinja template

* Add debug for config file

* Move parameter logic outside of template

* Adapt templates after feedback

* Remove debugging
2019-01-28 23:39:27 -08:00
wangxf
a096761306 [PR-Calico]Support calico 3.4.0 (#4102)
* Suport calico 3.4.0

Signed-off-by: wangxf1987 <xiaofeix.wang@gmail.com>

* Remove symlink + cni conflist template when 3.3.0+, handle Canal, addition of install-cni: sidecar(3.3.0) or initontainer(3.4.0), KUBECONFIG_FILEPATH, calico_cert_dir, advertise cluster ips

* scheduler.alpha.kubernetes.io/critical-pod deprecated since 1.12
2019-01-28 11:03:49 -08:00
Florent Monbillard
2054a98cf7 Run kubeadm and hyperkube outside of local_release_dir (#4098)
Addressing the discussion started in #4064, this PR moves kubeadm and
hyperkube binaries to /usr/local/bin before running them on the master
nodes.

It is to address the case where local_release_dir points to /tmp
(kubespray default) and /tmp is mounted with noexec mode, preventing
any binaries to be run in that partition.

In role "node", we still move kubeadm to bin_dir only on the worker
nodes.
2019-01-28 02:00:49 -08:00
Sergey
ce8ba1f170 create artifacts_dir (#4079) 2019-01-28 01:59:15 -08:00
Danny Kulchinsky
595d6427ac [Nodelocal DNS cache] Mount host /run/xtables.lock in nodelocaldns container (#4074)
* Mount host /run/xtables.lock in nodelocaldns container

* fix typo in nodelocaldns daemonset manifest yml

* Add prometheus scrape annotation, updateStrategy and reduce termination grace period

* fix indentation

* actually fix it..

* Bump k8s-dns-node-cache tag to 1.15.1 (fixes https://github.com/kubernetes/dns/issues/282)
2019-01-28 01:57:40 -08:00
Danny Kulchinsky
96688269f8 Support both --address and --bind-address for scheduler and controller-manager (#4112) 2019-01-27 23:43:34 -08:00
Rong Zhang
55aa58ee2e
Merge pull request #4025 from riverzhang/download-images
Fix kubeadm config images pull
2019-01-28 15:41:15 +08:00
Erwan Miran
556a8d68bc Set IP env var to autodetect when calico_ip_auto_method is defined (#4105) 2019-01-27 23:09:18 -08:00
rongzhang
3ed5f89cf5 Add update server field in kube-proxy kubeconfig
I know this is a bit hack.
If you use cloud LB, you can use kubeadm's controlPlaneEndpoint to configure kube-proxy's server field.
But for nginx-proxy, it didn't start when kubeadm init.
2019-01-28 14:45:43 +08:00
rongzhang
8d0158ceeb Fix kubeadm config images pull
Supported by kubeadm v1.11
2019-01-28 14:42:55 +08:00
Douglas Hellinger
4479cc48fe Introduce calico_upgrade_url var for Calico upgrade tool.
So that binary can be sourced from anywhere - not only github.
2019-01-23 16:19:27 +08:00
Chad Swenson
881be9b741 Fix epel_enabled and RHEL support in bootstrap-os
Looks like `epel_enabled` was not configured for the epel install in `bootstrap-centos.yml`. Also, there were no conditionals that would trigger bootstrap for RHEL.
2019-01-22 16:40:02 -06:00
Chad Swenson
e2592f1ce2 Fix docker 18.09.1 systemd service
The `docker-ce` 18.09.1 packaging missed an `After` dependency on containerd in the systemd service. Upstream PR: https://github.com/docker/docker-ce-packaging/pull/290
2019-01-22 11:19:54 -06:00
Matthew Mosesohn
77d31e679a
fixup external kube-apiserver port (#4075) 2019-01-21 14:43:27 +03:00
Florent Monbillard
decbcdc423 Use external LB IP for external api endpoint (#4060)
* Use external LB IP for external api endpoint

Use loadbalancer_apiserver.address instead of apiserver_loadbalancer_domain_name for kudadm init --apiserver-advertise-address argument

https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#options states apiserver-advertise-address needs to be a IPv4 or IPv6 address

* only use loadbalancer IP if it is defined
2019-01-21 12:27:42 +03:00
Chad Swenson
e3ffa21303
Merge pull request #4019 from chadswen/kubeadm-env
Fix PATH for kubeadm init
2019-01-18 11:27:57 -06:00
Chad Swenson
f2ecda6f0f
Merge pull request #4059 from chadswen/helm-version-bump
Update helm version for security and stablity fixes
2019-01-18 11:25:42 -06:00
Chad Swenson
26f6f1f62e
Merge pull request #4050 from chadswen/docker-18.09.1
Bump docker 18.09 to the latest patch
2019-01-18 11:23:44 -06:00
Bort Verwilst
f97cb4e761 Add 1.12.5 checksums (#4067) 2019-01-18 07:16:43 -08:00
Chad Swenson
405198acd0 Update helm version for security and stablity fixes
Helm v2.12.2 has fixes for a security vuln, and there have been several improvements since our last update.
2019-01-16 11:03:23 -06:00
Matthew Mosesohn
eecaba6b84
Generate external admin.conf with kubeadm (#4056)
* Generate external admin.conf with kubeadm

* Fix apiserver sans
2019-01-16 16:30:50 +03:00
Thomas Rogeat
83e11f9ef7 kubespray: fix missing ca-certificate path in apiserver 2019-01-16 11:48:24 +01:00
Chad Swenson
5a7ac7e5c1
Merge pull request #3984 from dannyk81/calico_xtables_lock
[calico/canal] mount host's xtables lock and enable calico locking for <v3.2.1
2019-01-15 23:13:02 -06:00
Chad Swenson
c15c933ce8 Bump docker 18.09 to the latest patch
Docker 18.09.1 is out and it includes some fixes that are quite critical for RHEL distros, details here: https://docs.docker.com/engine/release-notes/#18091
2019-01-15 13:54:58 -06:00
Chad Swenson
0697ab4b4f
Merge pull request #4048 from chadswen/readonly-writable-fix
Fix kubeadm config extra volumes
2019-01-15 13:02:04 -06:00
Chad Swenson
13e3e867ac Fix kubeadm config extra volumes
I found a potential use case where `writable` could be null and therfore
not treated like a boolean, so this adds an extra default statement to
avoid negating a non-boolean as boolean which would lead to undefined. refs #4020
2019-01-15 12:35:22 -06:00
Chad Swenson
cc30220f01
Merge pull request #4044 from chadswen/lvp-cm-fix
Fix local-volume-provisioner configmap template
2019-01-15 09:08:08 -06:00
Danny Kulchinsky
257019d424 Mount host's xtable lock and enable calico lokcing for <v3.2.1 2019-01-14 17:16:29 -05:00
Chad Swenson
4959bfc1b3
Merge pull request #3950 from elementyang/pr-registry
fix registry_storage_class equals empty string
2019-01-14 15:45:09 -06:00
Chad Swenson
301671ae19
Merge pull request #4026 from riverzhang/bind-address
Use --bind-address instead of --address
2019-01-14 15:35:00 -06:00
Chad Swenson
f10f7d0e84
Merge pull request #3975 from kskewes/arm64-urls
Update kubectl and etcd download urls for mult-arch
2019-01-14 15:04:29 -06:00
Chad Swenson
3ee5aa0d6b Fix local-volume-provisioner configmap template
Looks like the template is removing the trailing space between storage
class entries, and since CI only has one storage class we never hit this
issue. This change will prevent the yaml from printing on a single line
when multiple storage classes are defined.
2019-01-14 14:28:00 -06:00
Chad Swenson
fce8712bff
Merge pull request #4033 from MarkusTeufelberger/pypy_portable
Use Pypy portable on coreos
2019-01-14 12:30:47 -06:00
Markus Teufelberger
87c9a871b9 bootstrap-os: use the systemd module to stop and mask locksmithd 2019-01-12 15:06:01 +01:00
Markus Teufelberger
5e2c14e916 bootstrap-os: simplify pip3 installation on coreos 2019-01-12 15:05:33 +01:00
Markus Teufelberger
5b5546adf1 bootstrap-os: Install pypy3 portable 2019-01-12 15:04:33 +01:00
rongzhang
0b09c8154a Upgrade kubernetes to v1.13.2 2019-01-11 14:32:42 +08:00
rongzhang
bab2e5ed0d Use --bind-address instead of --address
--address deprecated
2019-01-11 12:22:47 +08:00
Chad Swenson
1d9c0c7d17 Fix readOnly flag in kubeadm-config.v1beta1.yaml.j2
In v1beta1 of `ClusterConfiguration` the extraVolumes `writable` field was changed to `readOnly` and its boolean value must be negated.

Also, the json field for `useHyperKubeImage` was incorrectly capitalized.
2019-01-09 20:43:35 -06:00
Chad Swenson
aa1d5b8970 Fix PATH for kubeadm init
Right now we're consistently getting warnings about kubelet not found in
path during `kubeadm init`. We fixed this for `kubeadm join` in #3342, and this brings the change to init
as well.
2019-01-09 18:38:02 -06:00
Chad Swenson
1d5a9464e2
Merge pull request #4009 from chadswen/lvp-fixup
Bugfixes for Local Volume Provisioner
2019-01-09 11:22:28 -06:00
Chad Swenson
e88b8f247a
Merge pull request #3996 from Bobonium/issue_3586_kube_router_with_external_loadbalancer_not_working
use api server loadbalancer ip if external loadbalancer is used (fixes kube-router deployment)
2019-01-09 11:20:38 -06:00
Manuel Cintron
7633e6d582 Added pass through parameters to enable basic auth for downloads 2019-01-08 19:36:13 -06:00
Chad Swenson
72802e4d8d Bugfixes for Local Volume Provisioner
- Fixed an issue where storage class host directories were looped
through excessive target hosts
- Fixes examples in the LVP `README.md` to use nested dicts instead of a
list of dicts
2019-01-08 17:45:20 -06:00
Wilmar den Ouden
4fb8adb9e4 More dynamic local-storage-provisioner approach (#3472)
* Makes local volume provisioner more dynamic

* Correct variable name in local storage provisioner defaults

* Updates external-provisioner readme

* Updates variable naming to be more clear, more documentation, fixes sample inventory

* Variable refactor, untangled some jinja2 loops

* Corrects variable name

* No variable substitution in dict keys, replaced with anchor

* Fixes default storage_classes dict, inline docs

* Fixes spelling in inline docs

* Addresses comments in review

* Updates all the defaults

* Fix failing CI task

* Fixes external provisioner daemonset
2019-01-08 12:36:44 -08:00
Chad Swenson
5c52a830d2 Update kubernetes dashboard to latest patch (#3995) 2019-01-08 09:46:20 -08:00
Andreas Holmsten
4d5b41b8db Allow override of bind addr for controller-manager and scheduler (#3968)
* allows to override the bind addresses for controller-manager and scheduler

Useful for Prometheus metrics monitoring

* Add bind addr override support in kubeadm/v1beta1

Adds support for override of bind addresses for controller-manager
and scheduler in kubeadm/v1beta1

* Move location of bind address vars

* Remove double declaration of schedulerExtraArgs
2019-01-07 20:41:54 -08:00
Bobonium
11d9c2e2c3 use api server loadbalancer ip if external loadbalancer is used - this fixes the broken kube-router deployment 2019-01-07 23:06:52 +01:00
Aivars Sterns
39d7503069
Merge pull request #3959 from elementyang/pr-ingress
fix ingress nodeSelector label
2019-01-04 08:58:16 +00:00
Karl Skewes
41434ce080 Update kubectl and etcd download urls for mult-arch 2019-01-04 21:44:57 +13:00
MarkusTeufelberger
f72ed13f3c remove os_family variable from bootstrap-os (#3962)
* remove os_family variable from bootstrap-os

* quote the conditions another time to fix the syntax error
2019-01-03 11:28:03 -08:00
okamototk
8216e821d3 Fix kubeadm v1beta1 configuration taint (#3928)
* Use master node taint same as kubeadm configuration v1alpha3 or before.
2019-01-03 03:42:23 -08:00
Anton Patsev
e25237455c Fix mixup http/https in bootstrap-debian.yml (#3963)
* Fix mixup http/https in bootstrap-debian.yml

* Update bootstrap-debian.yml
2019-01-03 00:18:09 -08:00
Andreas Holmsten
a34139e19e (Re)add line break for supplementary addr in SANs (#3952)
The change implemented in #3908 remove line breaks for supplementary
addresses in kubeadm SANs, causing errors in the config file and
failure to bring cluster up. This commit reimplement line breaks in
between supplementary addresses.
2019-01-03 00:12:00 -08:00
Chad Swenson
80379f6cab Fix kube-proxy configuration for kubeadm (#3958)
- Creates and defaults an ansible variable for every configuration option in the `kubeproxy.config.k8s.io/v1alpha1` type spec
  - Fixes vars that were orphaned by removing non-kubeadm
  - Fixes previously harcoded kubeadm values
- Introduces a `main` directory for role default files per component (requires ansible 2.6.0+)
  - Split out just `kube-proxy.yml` in this first effort
- Removes the kube-proxy server field patch task

We should continue to pull out other components from `main.yml` into their own defaults files as I did here for `defaults/main/kube-proxy.yml`. I hope for and will need others to join me in this refactoring across the project until each component config template has a matching role defaults file, with shared defaults in `kubespray-defaults` or `downloads`
2019-01-03 00:04:26 -08:00
MarkusTeufelberger
d58b338bd8 Update the version of pypy used on CoreOS bootstrap-os (#3922)
* Update the version of pypy used on CoreOS bootstrap-os

* update the pip installation process on CoreOS
2019-01-02 06:17:20 -08:00
elementyang
e1e13b68b3 fix ingress nodeSelector label 2018-12-29 14:41:23 +08:00
elementyang
90ee5df413 fix registry_storage_class equals empty string 2018-12-29 14:31:47 +08:00
Rong Zhang
5834e609a6 Add scale master features (#3946)
* Add scale master features

* Add certificate management with kubeadm

* Add kubeadm kubeconfig

* Fix ymalroles error

* fix upgrade cluster fialed

* force update cert and keys when you reconfigure cluster
2018-12-27 23:27:27 -08:00
elementyang
532e97c542 fix registry_storage_class equals empty string 2018-12-28 14:23:19 +08:00
Markos Chandras
d156449819 roles: docker: Update docker service for SUSE distributions (#3924)
The containerd service and socket files have been dropped from the
openSUSE docker package so we should not require them in the docker
service anymore. This makes the docker service file look similar to
the one shipped by the openSUSE package.

Signed-off-by: Markos Chandras <mchandras@suse.de>
2018-12-27 07:26:02 -08:00
Anton Patsev
d4bd08f82e Install python-pip from local yum repository (#3940)
Add support install python-pip from local yum repository if local yum repository exist.
2018-12-27 06:30:59 -08:00
Gautam Divgi
320f4d4d7f Added filters for integer conversion of kubelet_max_pods and kube_network_node_prefix (#3857) 2018-12-26 13:58:53 -08:00
Seongjin Cho
16715adfa0 Adds support for webhook token auth. (#3939)
Webhook token auth:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication

Fixes #3063.
2018-12-26 01:52:53 -08:00
Rong Zhang
ce63597e4a
Merge pull request #3941 from riverzhang/gpu
Fix GPU node Scheduling
2018-12-26 13:39:10 +08:00
Anton Patsev
5f117fb65e Add support http/https proxy for bootstrap-debian (#3932) 2018-12-25 10:46:53 -08:00
rongzhang
1bb1ba2274 Fix GPU node Scheduling 2018-12-25 21:37:10 +08:00
Zefool
6ebcaab2bb controlPlaneEndpoint set up through load balancer should be possible … (#3888)
* controlPlaneEndpoint set up through load balancer should be possible  even in single master setups

Enable load balancer for single-master setups
Fixes an issue where single-master setups are not reachable using the usual admin.conf from outside the cluster. 

controlPlaneEndpoint set up through load balancer should be possible  even in single master setups

* add fix to other api versions

* remove obsolete check completely

* remove check, pass 2

* removes checks in client configuration

* delete 'and'
2018-12-25 00:03:32 -08:00
Rong Zhang
cd42e649a7 Fix reconfigure and upgrade cluster (#3938) 2018-12-24 23:06:27 -08:00
Rong Zhang
8167e5b690 Fix kubeadm images templates (#3936)
download v1.12.3 kubernetes images failed
2018-12-23 06:35:06 -08:00
Bort Verwilst
de014422bf Add k8s 1.12.4 checksums (#3929) 2018-12-23 01:09:09 -08:00
Rong Zhang
2f5c0d10bb
Merge pull request #3934 from riverzhang/delete-kubeamd-client
Delete unused controlPlane for join node
2018-12-23 12:07:26 +08:00
rongzhang
dd4159fe65 Delete unused controlPlane for join node
it is used for join master or use --experimental-control-plane argments
2018-12-23 00:31:01 +08:00
rongzhang
62a8961d8f Fix installation using CRIO about download images failed 2018-12-23 00:20:39 +08:00
Seongjin Cho
e7b835eb4c Fix duplicate storage-backend (#3906) 2018-12-20 01:01:39 -08:00
Hedayat Vatankhah (هدایت)
fbe9e0ac1a Fix docker_options definition when docker_version is 'latest' rather than a number (#3919)
- NOTE: it assumes that the 'latest' version is newer than 17.05
2018-12-20 00:58:21 -08:00
Rong Zhang
40feb120e4
Merge pull request #3895 from riverzhang/v1.13.1
Upgrade kubernetes to v1.13.1
2018-12-20 16:53:31 +08:00
Rong Zhang
6362211860 Add images downloader to download roles (#3914)
* Add images downloader to download roles

* Use single jinja2 templates

* add kube_version to templates
2018-12-19 05:17:58 -08:00
Rong Zhang
925a820b56 Fix skip upgrade first master (#3915) 2018-12-19 05:16:14 -08:00
Matthew Mosesohn
50b884a32d Fixup line breaks for kubeadm SANs (#3908) 2018-12-19 02:47:31 -08:00
rongzhang
435ef14379 Upgrade kubernetes to v1.13.1 2018-12-19 15:13:43 +08:00
Matthew Mosesohn
3c44ffcf80 set kubespray-defaults kube_api_anonymous_auth to true (#3909) 2018-12-18 06:53:58 -08:00
Ganesh Maharaj Mahalingam
73aee004ac Enable ClearLinux as a distro in kubespray (#3855)
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
2018-12-18 01:39:25 -08:00
ihard
30a9149b52 add vars for cilium init container (#3893)
* add vars for cilium init container

* make yamllint happy

* add var cilium_init in downloads
2018-12-18 00:34:19 -08:00
Egor
dc8a8011be Load nf_conntrack module if nf_conntrack_ipv4 failed (#3764) 2018-12-12 05:33:54 -08:00
Maxim Snezhkov
5e84dabb46 Fix assertion for alone etcd nodes (#3847) 2018-12-12 05:21:54 -08:00
Ryler Hockenbury
3e8f4c1545 Use recommended defaults for dns autoscale (#3884) 2018-12-12 05:05:46 -08:00
Ganesh Maharaj Mahalingam
1a50a1a733 cri-o reset all containers and pods (#3856)
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
2018-12-12 01:59:55 -08:00
Maxim Snezhkov
951e4675c6 Fix error with ipvs on cluster reset task (#3848) 2018-12-12 01:43:16 -08:00
Ryler Hockenbury
c04e8b57b9 Metrics server resizer addon needs to target metrics server deployment (#3867)
* Metrics server resizer addon should target metrics server deployment

* Target metrics server deployment without version
2018-12-12 00:09:09 -08:00
gdoucet
32d47c836d Adding is_atomic in centos bootstrap-os (#3873)
Adding fact is_atomic in bootstrap-centos.yml.

Fix issue: #3538
2018-12-11 02:43:21 -08:00
Maxim Snezhkov
90a7941d56 Fix disabling swap on ubuntu systems (#3864) 2018-12-11 02:42:00 -08:00
Thomas Nys
3e3ee0aeb1 Add support for running a nodelocal dns cache (#3861)
* Add support for running a nodelocal dns cache

After encountering dns issues in a cluster I was recently working on I
noticed Kubernetes 1.13 introduced support for running a nodelocal dns
cache.

I believe this can usefull for more people.

73b548db06
https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/0030-nodelocal-dns-cache.md

* Add requested changes

* Add additional requested changes + documentation

* Add requested changes after review

* Replace incorrect variable
2018-12-10 17:28:03 -08:00
Anton Patsev
7b674e0607 Add proxy to /etc/apt/apt.conf for ubuntu (#3869) 2018-12-10 02:33:45 -08:00
Julien C
593a9a262d Add metrics service to kube-dns (#3852)
Metrics port is exposed through a service for CoreDNS but not for kube-dns.
2018-12-10 01:45:00 -08:00
Zohar Mamedov
456596710e kube-router manifest DSR adjustments (#3828) 2018-12-10 00:40:39 -08:00
Andrey Zhelnin
1712314fab Setting host_architecture var (#3846)
Setting host_architecture to allow etcd upgrade working through: ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd (on other case host_architecture is missing)
2018-12-07 05:41:30 -08:00
Egor
7da9880ff7 Move node-cidr-mask-size to ControllerManagerextraArgs (#3845) 2018-12-07 04:23:17 -08:00
Bjorn Skovlund Ryden
d42b37b77d Added RBAC rights for metrics_server. Fixes #3829 (#3843) 2018-12-07 03:11:35 -08:00
Rong Zhang
1550c05a7a Add docker 18.09 support (#3844) 2018-12-07 02:02:39 -08:00
pasqualet
ea833a4cd7 Fix apiServerCertSANs in kubeadm config file (#3839) 2018-12-07 00:11:08 -08:00
Tagir
2d8e04dca7 Added v1.10.11 v1.11.5 support (#3837) 2018-12-07 00:09:51 -08:00
Andreas Krüger
d5ce5874e8 Streamline path to certs dir (#3836)
* Streamline path to certs dir

* More fixes

* Set path to etcd certs in kubernetes defaults instead
2018-12-06 23:11:53 -08:00
Rong Zhang
225f765b56 Upgrade kubernetes to v1.13.0 (#3810)
* Upgrade kubernetes to v1.13.0

* Remove all precense of scheduler.alpha.kubernetes.io/critical-pod in templates

* Fix cert dir

* Use kubespray v2.8 as baseline for gitlab
2018-12-06 12:11:48 -08:00
Andreas Krüger
ddffdb63bf Remove non-kubeadm deployment (#3811)
* Remove non-kubeadm deployment

* More cleanup

* More cleanup

* More cleanup

* More cleanup

* Fix gitlab

* Try stop gce first before absent to make the delete process work

* More cleanup

* Fix bug with checking if kubeadm has already run

* Fix bug with checking if kubeadm has already run

* More fixes

* Fix test

* fix

* Fix gitlab checkout untill kubespray 2.8 is on quay

* Fixed

* Add upgrade path from non-kubeadm to kubeadm. Revert ssl path

* Readd secret checking

* Do gitlab checks from v2.7.0 test upgrade path to 2.8.0

* fix typo

* Fix CI jobs to kubeadm again. Fix broken hyperkube path

* Fix gitlab

* Fix rotate tokens

* More fixes

* More fixes

* Fix tokens
2018-12-06 02:33:38 -08:00
Erwan Miran
0d1be39a97 Reset: Check for kube-ipvs0 presence before remove it (#3816) 2018-12-04 19:18:50 -08:00
Erwan Miran
2c1dd69891 Reset tasks specific to Calico (#3813) 2018-12-04 11:37:45 -08:00
Chad Swenson
145687a48e Reduce log spam of verbose tasks (#3806)
Added a loop_control label to a few tasks that flood our logs.
2018-12-04 10:35:44 -08:00
Andreas Krüger
432f8e9841 Fix basic auth tokens for kubeadm deployment. (#3801)
* Fix basic auth tokens for kubeadm deployment.

* Tokens should be a dependancy on master, not nodes
2018-12-03 10:44:29 -08:00
Erwan Miran
19792cfae7 Remove iface kube-ipvs0 on reset when kube_proxy_mode is ipvs (#3802) 2018-12-03 10:38:51 -08:00
Andreas Krüger
9463b70edd Cleanup defaults file from kubernetes-apps and add dashboard to download role (#3800)
* Remove variables defined in download role. Fixes #3799

* Cleanup some more variables

* Fix bad templating

* Minor fix

* Add dashboard to download role. Fixes #3736
2018-12-03 10:29:42 -08:00
karbyshevds
b109f52dab Set configure-cloud-routes=false as default if no network plugin is used (#3788)
* Set configure-cloud-routes=false as default if no network plugin is used

As configure-cloud-routes default value is `true`, so it need to be set to `false` when not required to avoid error messages like:
"Couldn't reconcile node routes: error listing routes: unable to find route table for AWS cluster" 
on, for example, AWS installations that don't use cloud native routing.

* Update kube-controller-manager.manifest.j2

remove extra spaces
2018-12-03 05:04:03 -08:00
Rong Zhang
e0781483fa Use download binary instead of copying from the container (#3786) 2018-12-03 02:22:17 -08:00
Wong Hoi Sing Edison
deff6a82fa ingress-nginx: Upgrade to 0.21.0 (#3789)
Upstream Changes:

  - ingress-nginx 0.21.0 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.21.0)

Our Changes:

  - Sync templates with upstream changes
  - Remove --default-backend-service requirement. Use the flag only for custom default backends
2018-11-30 02:48:50 -08:00
Chad Swenson
487cfa5e6c Add options for configuring control plane component extra volumes (#3779)
This takes care of a few arbitrary use cases that may require custom mounts
inside of apiserver, controller manager, or scheduler.
2018-11-28 23:16:55 -08:00
Joost Cassee
f2635776cd Make Calico Felix log level configurable (#3781) 2018-11-28 00:55:01 -08:00
Chad Swenson
b59d5c35bc Fix kubeadm_controller_extra_args (#3778) 2018-11-27 19:30:43 -08:00
Michal Belica
8331f7b056 Add support for setting custom node taints (#3774)
Introduced variable node_taints which can be set in inventory for
specific hosts or in group_vars, which generates --register-with-taints
command line argument for kubelet.
2018-11-27 15:56:49 -08:00
Erwan Miran
551317f1cd Fix docker_options jinja syntax (#3770) 2018-11-27 07:13:15 -08:00
Rong Zhang
ddc19f43ba Add cloud provider config to kubeadm deployments (#3766) 2018-11-27 05:03:03 -08:00
Michal Belica
993b8e2791 Add support to set tolerations for ingress-nginx (#3742)
Introduced variable `ingress_nginx_tolerations` to set custom
tolerations for Ingress nginx daemonset, to be able to schedule
ingress-nginx on dedicated nodes with taints.
2018-11-27 03:30:16 -08:00
Egor
9a5438ce2f Fix kubeadm-config: add kube_network_node_prefix (#3761) 2018-11-27 00:12:16 -08:00
Erwan Miran
d33434647b Fix node selector for contiv etcd proxy (#3765) 2018-11-27 00:10:33 -08:00
Rong Zhang
02169e8f85 Upgrade kubernetes to 1.12.3 (#3767) 2018-11-26 23:22:15 -08:00
Aivars Sterns
b07e93e08b
Merge pull request #3754 from MiaoZhou/fix-aws-node-label-error
Fix AWS Node Labels Error
2018-11-27 09:09:54 +02:00
Andreas Krüger
bad886ca9b Update defaults to match k8s 1.12 suggestions (#3760)
* Update defaults to match k8s 1.12 suggestions

* Test if Netchecker works with node ip instead of localhost

* Update defaults to ipvs and coredns

* Update defaults for kube_apiserver_insecure_port

* Update main.yaml
2018-11-26 15:36:39 -08:00
okamototk
967a042321 Add flag to deploy container engine manually. (#3753)
This feature was removed by PR#3061. But change flag manage_docker to deploy_container_engine.
2018-11-26 07:26:40 -08:00
Miao Zhou
a585318b1a Fix Sync Container Permission (#3752)
When `ansible_user` is not root, using `-b` option.
And with `download_run_once` and `download_localhost` set `true`.

Ansible will executes `container_download | upload container images to nodes` task.

It uses rsync to upload images to `/tmp/release/container/`, but the
`container` directory owned by `root`.
2018-11-26 07:00:34 -08:00
Erwan Miran
b15e685a0b sysctl related PodSecurityPolicy spec since 1.12 (#3743) 2018-11-26 00:13:51 -08:00
Miao Zhou
885c6cff71 Fix AWS Node Labels Error
Now the `kubespray-aws-inventory.py` script always set a node_labels key
to ansible_host.

When AWS instance did not set property labels, it would be an empty
string.

The TASK `Write kubelet config file (kubeadm or non-kubeadm)` will
failed with a msg:

`AnsibleUndefinedVariable: 'unicode object' has no attribute 'items'`.
2018-11-23 17:37:41 +08:00
okamototk
c5e425b02b Support Metrics Server as addon (#3560). (#3563)
* Support Metrics Server as addon (#3560).

* Update metrics server v0.3.1.

* Add metrics server test.

* Replace metrics server manifests with kubernetes/cluster/addons's.

* Modify metrics server manifests for kubespray.

* Follow PR#3558 node label node-role.kubernetes.io/master change

* Fix metrics server parameters base_metrics_server_... to metrics_server_...

* Fix too hard corded metrics_server_memory_per_node

* Add configurable insecure tls for metrics-apiservice

* Downloadable addon-resizer and extract parameter as variables

* Remove metrics server version from deployment name

* Metrics Server work when all masters has node role

* Download metrics-server and add-resizer container only on master

* ServiceAccount and ConfigMap is separated and fix application name

* Remove old metrics server clusterrole template

* Fix addon-resizer image specify

* Make InternalIP default for metrics_server_kubelet_preferred_address_types

Make InternalIP default because multiple preferrred address types does not work.
2018-11-23 00:36:21 -08:00
Egor
3fa81bb86e Fix dns-autoscaler nodeAffinity: set to empty (#3747) 2018-11-22 05:29:09 -08:00
Egor
5daadc022d Fix: nodeAffinity for coredns-deployment and kubedns-deployment (#3746) 2018-11-22 05:27:25 -08:00
Rong Zhang
0cfcd39d55 Switch to kubeadm deployment mode (#3461)
* Switch to kubeadm deployment mode

Discuss:https://github.com/kubernetes-incubator/kubespray/issues/3301

* Add non-kubeadm upgrage to kubeadm cluster
2018-11-21 01:35:40 -08:00
Wong Hoi Sing Edison
edfec26988 cert-manager: Upgrade to 0.5.2 (#3741)
Upstream Changes:

-   cert-manager 0.5.2 (https://github.com/jetstack/cert-manager/releases/tag/v0.5.2)

Our Changes:

-   Templates sync with upstream manifests
2018-11-20 05:13:01 -08:00
Matthew Mosesohn
daa290100c Fix helper script to refer to admin.conf as relative path (#3738) 2018-11-19 18:28:51 -08:00
Rong Zhang
b4eb25197b
Merge pull request #3730 from elementyang/pr-docker-options
fix modify deprecated --graph flag
2018-11-20 10:23:16 +08:00
Matthew Mosesohn
ac00d23b80 Skip etcd upgrade steps in kubeadm because it is not used (#3737) 2018-11-19 06:29:58 -08:00
Danny Kulchinsky
9ae2eefb9a Add resource-container flag to kube-proxy manifest (#3519)
* Add resource-container flag to kube-proxy manifest

* add resourceContainer: "" to kubeadm kube-proxy configs
2018-11-19 00:39:29 -08:00
Andreas Krüger
8c18f053aa Fix DNS Autoscaler for coredns_dual deployment (#3726)
* Fix DNS Autoscaler for coredns_dual deployment

* Fix templating

* Fix templating again
2018-11-19 00:35:53 -08:00
Oleg Dolya
2aefa25448 fix args peer router ips and asns (#3644) 2018-11-19 00:34:05 -08:00
Andreas Krüger
6e01c1e377 Fix missing run_once (#3733) 2018-11-18 21:39:29 -08:00
rongzhang
0e2d3fb923 Fix OpenSuse set hostname 2018-11-17 20:41:07 +08:00
Zohar Mamedov
af5e05d08d etcd_log_package_levels for /etc/etcd.env (#3700) 2018-11-16 23:59:40 -08:00
marcstreeter
c83bfc9df6 fix dns_prevent_single_point_failure variable (#3728)
comparison that happens during `TASK [kubernetes-apps/ansible : Kubernetes Apps | Lay Down CoreDNS Template]` where the `dns-autoscaler` template is deployed causes coredns to fail deployment.  The error is caused by the variable `dns_prevent_single_point_failure` where an integer is being compared with a string. The resulting error:

```bash
'>' not supported between instances of 'int' and 'str'
```

prevents successful deployment of CoreDNS.  

The change makes the comparison happen between integers and allows CoreDNS to succeed.
2018-11-16 23:57:47 -08:00
elementyang
1ebb670141 fix modify deprecated --graph flag 2018-11-17 14:22:14 +08:00
Johnny Halfmoon
53bde23a5e fixed ansible include/import inheritance issue (#3716) 2018-11-16 04:33:23 -08:00
Erwan Miran
1540bc9759 Fix patch type in kubectl patch for hostnameOverride (#3725) 2018-11-16 02:35:02 -08:00
Johnny Halfmoon
618ab93b42 added rpm caching for to docker repo (#3718) 2018-11-16 02:33:23 -08:00
Erwan Miran
3e6d0a50e8 Addition of the missing patch file hostnameOverride-patch.json from PR#3708 (#3714) 2018-11-15 10:37:57 -08:00
Matthew Mosesohn
ff09141a14 Retry kubeadm proxy and secondary master init tasks (#3715)
Due to suboptimal external loadbalancer configs, the LoadBalancer
might point to a downed kube-apiserver that is not set up yet.
2018-11-15 10:03:23 -08:00
Arslanbekov Denis
d188876a91 Added feature-gates flags in kubelet.env (for kubeadm) (#3713) 2018-11-15 10:01:53 -08:00
Andreas Krüger
6f6274d0d9 Update CoreDNS, KubeDNS and Autoscaler to newest templates (#3711)
* Update DNS Autoscaler to latest

* Update CoreDNS to latest

* Update KubeDNS to latest

* Add KubeDNS config map

* Fix filename

* Add missing selector to DNS Autoscaler

* Add missing tolerations
2018-11-15 09:52:12 -08:00
Andreas Krüger
17f07e2613 Enable DNS AutoScaler for CoreDNS (#3707)
* Enable AutoScaler for CoreDNS

* Only use one template for dns autoscaler

* Rename a few variables for replicas and minimum pods

* Rename a few variables for replicas and minimum pods

* Remove replicas to make autoscale work

* Cleanup kubedns-autoscaler as it has been renamed
2018-11-15 01:28:03 -08:00
Wong Hoi Sing Edison
9ebdf0e3cf weave: Upgrade to 2.5.0 (#3660)
* weave: Upgrade to 2.5.0

Upstream Changes:

-   weave 2.5.0 (https://github.com/weaveworks/weave/releases/tag/v2.5.0)
-   Adds support for Kubernetes `hostPort` mapping
-   Adds support for Kubernetes `ipBlock` NetworkPolicy feature

Our Changes:

-   Templates sync with upstream manifests
-   Remove legacy nodePort fix

* BC for weave < 2.5.0
2018-11-14 23:38:51 -08:00
Andreas Krüger
730caa3d58 Add PriorityClasses on the last master. (#3706) 2018-11-14 15:59:20 -08:00
Mark Eisenblätter
7deb842030 calico-node: add prometheus annotations (#3645)
add prometheus annotations to calico-node if
calico_felix_prometheusmetricsenabled is enabled.

This will allow a kubernetes_sd to automaticly find the pods and start
scraping.
2018-11-14 15:01:35 -08:00
Andreas Krüger
931c76e58f Add DNS entries to node certs (#3710) 2018-11-14 13:58:17 -08:00
Erwan Miran
3fafa583d1 hostnameOverride on a per-node basis (#3708) 2018-11-14 09:37:53 -08:00
Ryler Hockenbury
d8e9b0f675 Netchecker version and namespace (#3705)
* Revert netchecker image and version

* Create namespace for netchecker

* Remove extra slashes
2018-11-14 09:27:45 -08:00
Dann
98d766c68e Moves apiserver port to bindPort when using controlPlaneEndpoint (#3449) 2018-11-14 00:23:30 -08:00
Bort Verwilst
d3ef41b603 Upgrade helm from 2.9 to 2.11 (#3638) 2018-11-13 11:24:29 -08:00
Arnaud MAZIN
633bfa7ebc Bring static tokens and user back to 1.12 (#3593) 2018-11-13 10:25:59 -08:00
Andreas Krüger
afc3f7dce4 Create certificates for each node too (#3698) 2018-11-13 07:10:59 -08:00
Ryler Hockenbury
e8901a2422 Apply linux node selector to coreDNS deployment (#3688)
* Apply linux node selector to coreDNS deployment

* Remove comment before linux node selector on manifests

* mend
2018-11-13 04:54:15 -08:00
Wilmar den Ouden
c888de8b38 fix: Coredns tag wasn't updated in #3619 (#3634) 2018-11-13 00:30:29 -08:00
Miao Zhou
fefa1670a6 fix calico_version wrong get (#3694)
the ':' makes wrong return of calico_version after the calicoctl downloaded && before the cluster is up
2018-11-12 07:35:21 -08:00
Antoine Legrand
3dcb914607 Remove Vault (#3684)
* Remove Vault

* Remove reference to 'kargo' in the doc

* change check order
2018-11-10 08:51:24 -08:00
Bily Zhang
b2b421840c Fix some typos (#3690)
Signed-off-by: mooncake <xcoder@tenxcloud.com>
2018-11-10 15:53:58 +01:00
Egor
5c7eef70b4 Fix kube-router annotations: add conditions (#3670) 2018-11-09 08:15:27 -08:00
RuriRyan
c2710899ed Fixes network restart for Ubuntu Bionic Beaver (#3600)
As Ubuntu Bionic Beaver uses systemd-networkd the step fails
if it tries to restart networking, as it is nonexistent.
2018-11-09 08:13:57 -08:00
Igor Ivanov
e5d07f3a3d use force umount when reset cluster (#3672)
reset role hang and can't umount PersistenceVolume (ceph cluster)
2018-11-09 02:30:55 -08:00
Giacomo Longo
9f7c2b08a5 Idempotency fixes to roles/pre-upgrade (#3497) 2018-11-07 16:31:29 -08:00
Erwan Miran
a6932b6b81 Install ipvsadm when kube_proxy_mode is ipvs (#3548) 2018-11-07 14:04:11 -08:00
Erwan Miran
77d705ca9f cluster_name is to be set in initConfiguration too (#3661) 2018-11-07 12:41:11 -08:00
Erwan Miran
1e22c83f0f kube_override_hostname must be in kubernetes/master role defaults (#3647) 2018-11-07 12:38:19 -08:00
Erwan Miran
1ad1e80ae3 Checking new CA key presence is not relevant to determine if kubeadm has already run (#3653) 2018-11-07 11:46:11 -08:00
Anton Patsev
dfdf530723 Fix work yum in Install packages requirements for bootstrap (#3630)
* Fix Failure talking to yum: Cannot find a valid baseurl for repo: base/7/x86_64 if Install packages in CentOS using proxy

* Add proxy to /etc/yum.conf if http_proxy is defined
2018-11-06 22:44:37 -08:00
Lear Li
33f33a7358 Fix docker-storage was not found issue (#3584) 2018-11-06 17:50:14 -08:00
Kuldip Madnani
113dd2146a Added some minor changes to the docker orphan clean up process. (#3657)
* Added changes to clean up orphan containers and reload docker & kubelet directories.

* Added new files for cleaning up orphans and docker & kubelet directories

* Added new lines at the end of these files

* removed the trailing whitespaces from main.yml and clean-up.yml

* Updated as per the review comments

* Updated as per the review comments

* Removed service_facts and package_facts because they are not supported in ansible 2.4.0

* Corrected yaml syntax errors

* Removed the use of json_query filter and utilized selectattr

* Removed trailing spaces

* Changed the default value of docker_clean_up to false

* Added Changes to only include cleanup-docker-orphans.sh

* Reverted back changes done inside handler.

* Removed trailing spaces and made default value of docker_orphan_clean_up as true

* Reverted the default value of docker_orphan_clean_up as false

* Made the docker clean up as drop in

* Made the docker clean up as drop in

* Reverted the value of boolean docker_orphan_clean_up to false

* Converted ExecStop to ExecSTartPost. Removed the live restore check from the orphan script
2018-11-06 16:50:19 -08:00
Erwan Miran
14c2df0418 Replace raw module with shell to avoid warning (#3652) 2018-11-06 11:07:11 -08:00
Wilmar den Ouden
b316518864 Bump coredns to 1.2.6 (#3641) 2018-11-06 05:58:20 -08:00
Bily Zhang
6c14f35f00 Fix some typos (#3636)
Signed-off-by: mooncake <xcoder@tenxcloud.com>
2018-11-05 15:22:16 -08:00
Louis Woods
bc9e14a762 Adds support for Multus (multiple interfaces) CNI plugin (#3166)
* Adds support for Multus (multiple interfaces) CNI plugin

Multus is a latin word for "Multi". As the name suggests, it acts as a
Multi plugin in Kubernetes and provides multiple network interface
support in a pod. Multus uses the concept of invoking delegates by
grouping multiple plugins into delegates and invoking them in the
sequential order of the CNI configuration file provided in json format.

* Change CNI version (0.1.0->0.3.1) of Contiv to be compatible with Multus
2018-11-04 01:07:38 -08:00
ankitcharolia
9c83551a0e add certificate authority file (#3433) 2018-11-02 08:27:53 -07:00
Rong Zhang
99c139dd5a
Merge pull request #3621 from elementyang/pr-check-docker-packages
fix modify the way of the command 'yum remove xxx', e.g. docker-selin…
2018-11-02 18:48:33 +08:00
Matthew Mosesohn
2ba4e9bda5 Skip most of kubernetes/preinstall role during late DNS config (#3627)
When using resolvconf_mode host_resolvconf, there is an early DNS
config stage where Kubernetes cluster DNS is not injected for host
DNS intially. Later, the cluster DNS is enabled, but we do not
need to run every task from the kubernetes/preinstall role.
2018-11-01 08:08:50 -07:00
Robert Liotta
2a00c931e4 Added the missing environment for proxy for get_url (#3603)
* Added the missing environment for proxy for get_url

* Update upgrade.yml

* Fixed spaces

* Fixed spaces

* Update upgrade.yml
2018-11-01 06:20:57 -07:00
Wong Hoi Sing Edison
1e6ad5acb6 Fixup #3595: coredns: Upgrade to v1.2.5 (#3619)
Upstream Changes:

   - coredns v1.2.5 (https://github.com/coredns/coredns/releases/tag/v1.2.5)

NOTE:

   - Switch image repo to https://hub.docker.com/r/coredns/coredns/ (https://github.com/kubernetes-incubator/kubespray/pull/3595#issuecomment-433962973)
2018-11-01 06:05:17 -07:00
Matthew Mosesohn
bc74a37696 Calculate etcd client cert serial for appropriate groups (#3605)
Standalone etcd nodes do not generate node-$hostname certs and do
not need this serial calculated.
2018-11-01 05:50:26 -07:00
Yumo Yang
5da18854a3 fix modify the way of the command 'yum remove xxx', e.g. docker-selinux and docker-engine-selinux packages 2018-10-31 17:16:35 +08:00
Dmitriy Zinin
d269e7f46c cilium v1.3.0 (#3564) 2018-10-31 00:42:56 -07:00
Anton Patsev
8c636f67af Added support proxy to 'Install pip for bootstrap' (#3609) 2018-10-31 00:35:57 -07:00
Louis
a84508d6b9 remove deprecated parameters of blockinfile module (#3581) 2018-10-30 05:56:58 -07:00
Rong Zhang
22c234040e
Merge pull request #3608 from xichengliudui/fix181030
Correct the wrong word
2018-10-30 20:52:02 +08:00
xichengliudui
306c61a968 Remove duplicate words 2018-10-30 04:51:36 -04:00
wilmardo
2149bfbc5b Revert "CoreDNS v1.2.5 (#3595)"
This reverts commit 8ba6b601b0.
2018-10-29 16:33:52 +01:00
Bart Laarhoven
0acb823d96 Distribute node etcd certificates like it's done in kubernetes/secrets (#3486)
* do it like in kubernetes/secrets

* fix indentation

* processed comments

* missed one, sorry

* trailing space fix
2018-10-29 11:45:32 +01:00
Dmitriy Zinin
8ba6b601b0 CoreDNS v1.2.5 (#3595) 2018-10-29 03:20:03 -07:00
Yumo Yang
8371beb915 fix bootstrap os_family error in multi-plantform (#3594) 2018-10-29 09:37:30 +01:00
Rong Zhang
b39b32a48c Fix set coreos hostname failed (#3599)
need set hostname by kubeadm
2018-10-29 00:59:25 -07:00
Rong Zhang
dbe99b59a7 Upgrade kubernetes to v1.12.2 (#3597) 2018-10-29 00:58:24 -07:00
Rong Zhang
7abd4eeafd
Merge pull request #3578 from LinuxGit/Louis/fix-typo
fix typo
2018-10-24 13:45:31 +08:00
Aivars Sterns
ce2a3a80db
Merge pull request #3577 from fritchie/master
Add bin_dir to kubectl version check
2018-10-24 08:33:03 +03:00
Erwan Miran
79bf74e90f Offline deployment: PyPi repo (#3542) 2018-10-23 22:22:09 -07:00
Erwan Miran
4f12ba00d1 Fix calico peering with router(s) (#3547) 2018-10-23 22:19:50 -07:00
Louis
93104d9224 fix typo 2018-10-24 11:39:15 +08:00
Frank Ritchie
b5f4a79365 Add bin_dir to kubectl version check 2018-10-23 15:51:17 -04:00
Matthew Mosesohn
7e84de2ae1 Purge /root/.kube/config when migrating to kubeadm (#3566) 2018-10-23 05:09:11 -07:00
Wong Hoi Sing Edison
06e1f81801 ingress-nginx: Upgrade to 0.20.0 (#3565)
Upstream Changes:

-   ingress-nginx 0.20.0 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.20.0)

Our Changes:

-   Sync templates with upstream changes
2018-10-23 05:08:03 -07:00
Egor
ccc3f89060 Add kube-router annotations (#3533) 2018-10-21 00:35:52 -07:00
Maxim Makarov
8a17de327e Not necessary run on Nginx proxy all cpu cores (#3559) 2018-10-20 13:56:53 -07:00
Erwan Miran
3b787123e3 Fix tasks to avoid ansible warning about raw module environment (#3545) 2018-10-20 07:13:54 -07:00
Matthew Mosesohn
127969d65f Align node-role value for kubeadm compatibility (#3558)
kubeadm sets node label node-role.kubernetes.io/master=''
and this is not configurable. We should use it everywhere.
2018-10-20 07:12:54 -07:00
Antoine Legrand
2a3aa591e0
Download role (#3553)
* codestyle tests

* Download destination can be different than local_release_dir
2018-10-20 13:56:55 +02:00
Matthew Mosesohn
4bdd0ce417 Allow kubeadm master untaint to fail (#3549) 2018-10-19 00:38:12 -07:00
JuanJo Ciarlante
66fddb2d52 [jjo] upgrade kube-router to v0.2.1 (#3535)
kube-router v0.2.1 highlights from changelog:
- IPv6 WIP but pretty close to full working functionality
- fully support network policy semantics with addition of support for
  ipblock and except
2018-10-18 00:09:42 -07:00
Erwan Miran
87193fd270 Fix ansible syntax to avoid ansible warnings (one more) (#3536)
* warning on meta flush_handlers

* avoid rm

* avoid "Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually" warning on subsequent tasks using blockinfile

* is match
2018-10-17 12:27:11 -07:00
Samina Fu
5a5cf15c04 Add clear ipvs virtual server table when reset k8s (#3530) 2018-10-16 16:29:43 -07:00
Erwan Miran
4d2b6b71f2 Fix contiv api certificate generation (#3531) 2018-10-16 15:34:33 -07:00
Erwan Miran
7bec169d58 Fix ansible syntax to avoid ansible deprecation warnings (#3512)
* failed

* version_compare

* succeeded

* skipped

* success

* version_compare becomes version since ansible 2.5

* ansible minimal version updated in doc and spec

* last version_compare
2018-10-16 15:33:30 -07:00
Erwan Miran
bfd4ccbeaa Calico: Ability to define global peers (#3493) 2018-10-16 15:32:26 -07:00
Rong Zhang
76fe84fe93 Use imageRepository instead of the unifiedControlPlaneImage (#3484) 2018-10-16 07:26:04 -07:00
刘旭
cf4dd645a7 fix --etcd-servers-overrides invalid (#3470) 2018-10-16 07:25:03 -07:00
JuanJo Ciarlante
a5edd0d709 [jjo] add kube-router support (#3339)
* [jjo] add kube-router support

Fixes cloudnativelabs/kube-router#147.

* add kube-router as another network_plugin choice
* support most used kube-router flags via
  `kube_router_foo` vars as other plugins
* implement replacing kube-proxy (--run-service-proxy=true) via
  `kube_proxy_mode: none`, verified in a _non kubeadm_enabled_
  install, should also work for recent kubeadm releases via
  `skipKubeProxyInstall: true` config

* [jjo] address PR#3339 review from @woopstar

* add busybox image used by kube-router to downloads

* fix busybox download groups key

* rework kubeadm_enabled + kube_router_run_service_proxy

- verify it working ok w/the kubeadm_enabled and
  kube_router_run_service_proxy true or false

- introduce `kube_proxy_remove` fact, to decouple logic
  from kube_proxy_mode (which affects kubeadm configmap
  settings, thus no-good to ab-use it to 'none')

* improve kube-router.md re: kubeadm_enabled and kube_router_run_service_proxy

* address @woopstar latest review

* add inventory/sample/group_vars/k8s-cluster/k8s-net-kube-router.yml

* fix kube_router_run_service_proxy conditional for kube-proxy removal

* fix kube_proxy_remove fact (w/ |bool), add some needed kube-proxy tags on my and existing changes

* update kube-router tolerations for 1.12 compatibility

* add PriorityClass to kube-router DaemonSet
2018-10-16 07:15:05 -07:00
anarcat
c33e08c3fa show FQDN first in /etc/hosts (closes: #3521) (#3522)
The hosts(5) manpage clearly states that the first entry is the
"canonical name", or FQDN (Fully-Qualified Domain Name):

    IP_address canonical_hostname [aliases...]

By using the alias as a first entry, `hostname -f` does not return the
correct domain which breaks all sorts of unrelated functionality (it
has impact over email server configuration, for example).
2018-10-16 03:55:55 -07:00
Aivars Sterns
9b773185c3
Merge pull request #3184 from oracle/new_oci_controls
Add new OCI cloud controls
2018-10-16 11:29:13 +03:00
Erwan Miran
b4e2b85745 Replace shell with command in order to allow the task to fail when openssl x509 does return zero (#3516) 2018-10-15 23:48:12 -07:00
Erwan Miran
fcd8d850dc Fix ansible syntax to avoid ansible warnings (again) (#3509)
* Fix ansible syntax to avoid ansible warnings (again)

* warn: false on tar -cfz

* wrong placement of warn:false
2018-10-15 23:47:04 -07:00
Erwan Miran
6549b8f8ae Ability to define the asNumber on a per node basis when route reflectors are not used in order to peer directly with routers (#3492) 2018-10-15 23:44:49 -07:00
Rong Zhang
1ea7ec3189 Fix nginx_config_dir value not defined when use reset.yml (#3524) 2018-10-15 01:46:55 -07:00
JuanJo Ciarlante
4077934519 [jjo] add DIND support to contrib/ (#3468)
* [jjo] add DIND support to contrib/

- add contrib/dind with ansible playbook to
  create "node" containers, and setup them to mimic
  host nodes as much as possible (using Ubuntu images),
  see contrib/dind/README.md

- nodes' /etc/hosts editing via `blockinfile` and
  `lineinfile` need `unsafe_writes: yes` because /etc/hosts
  are mounted by docker, and thus can't be handled atomically
  (modify copy + rename)

* dind-host role: set node container hostname on creation

* add "Resulting deployment" section with some CLI outputs

* typo

* selectable node_distro: debian, ubuntu

* some fixes for node_distro: ubuntu

* cpu optimization: add early `pkill -STOP agetty`

* typo

* add centos dind support ;)

* add kubespray-dind.yaml, support fedora

- add kubespray-dind.yaml (former custom.yaml at README.md)
- rework README.md as per above
- use some YAML power to share distros' commonality
- add fedora support

* create unique /etc/machine-id and other updates

- create unique /etc/machine-id in each docker node,
  used as seed for e.g. weave mac addresses

- with above, now netchecker 100% passes WoHooOO!
  🎉 🎉 🎉

- updated README.md output from (1.12.1, verified
  netcheck)

* minor typos

* fix centos node creation, needs earlier udevadm removal to avoid flaky facts, also verified netcheck Ok \o/

* add Q&D test-distros.sh, back to manual /etc/machine-id hack

* run-test-distros.sh cosmetics and minor fixes

* run-test-distros.sh: $rc fix and minor formatting changes

* run-test-distros.sh output cosmetics
2018-10-15 09:44:02 +02:00
Kuldip Madnani
fd422a0646 Add Priority class for tiller and fix tiller override. (#3494)
* Added Priority class to tiller installation and also fixed tiller override implementation.

* Added changes to handle priority classes separately in tiller, instead of using the variable tiller_override
2018-10-12 11:46:39 -07:00
Kuldip Madnani
d7bb4d954a Handling docker clean up during docker upgrade and docker config changes. (#3321)
* Added changes to clean up orphan containers and reload docker & kubelet directories.

* Added new files for cleaning up orphans and docker & kubelet directories

* Added new lines at the end of these files

* removed the trailing whitespaces from main.yml and clean-up.yml

* Updated as per the review comments

* Updated as per the review comments

* Removed service_facts and package_facts because they are not supported in ansible 2.4.0

* Corrected yaml syntax errors

* Removed the use of json_query filter and utilized selectattr

* Removed trailing spaces

* Changed the default value of docker_clean_up to false

* Added Changes to only include cleanup-docker-orphans.sh

* Reverted back changes done inside handler.

* Removed trailing spaces and made default value of docker_orphan_clean_up as true

* Reverted the default value of docker_orphan_clean_up as false

* Made the docker clean up as drop in

* Made the docker clean up as drop in

* Reverted the value of boolean docker_orphan_clean_up to false
2018-10-12 10:29:51 -07:00
Loic Gouarin
36322901a6 fix kube-controller-manager config with openstack-cacert (#3435) 2018-10-12 06:39:58 -07:00
Anupam Basak
3ce933051a calico CALICO_IPV4POOL_IPIP overriding variable (#3507) 2018-10-12 00:09:36 -07:00
Johann Queuniet
1911fe5ca8 fix nginx proxy configuration conflicts (#3489)
* Allow configuration of nginx proxy config path

* Fix the internal nginx configuration location

Signed-off-by: Johann Queuniet <contact@lordran.net>
2018-10-11 06:33:18 -07:00
Andreas Krüger
2117e8167d Update pre-install verify settings with network checks and etc. (#3504)
* Update pre-install verify settings with network checks and etc.

* Remove upstream dns server check. It's bogus
2018-10-11 06:28:21 -07:00
Erwan Miran
dd5327ef9e Fix ansible syntax to avoid ansible warnings (#3499) 2018-10-11 00:45:00 -07:00
Andreas Krüger
cdce8c81da Update CoreDNS templates to newest version and fix kubedns-autoscaler (#3483)
* Update CoreDNS templates to newest version

* Add watch to ClusterRole. Fixes #3460
2018-10-11 00:12:58 -07:00
Giacomo Longo
3f786542d3 Automatically infer bootstrap_os (#3498)
* Automatically infer bootstrap_os

* Rename bootstrap os to os_family
2018-10-10 23:32:10 -07:00
pastushenko
b35a9fcb04 #3475 - make dnsmasq to send queries to all servers in upstream. Make… (#3481)
* #3475 - make dnsmasq to send queries to all servers in upstream. Make dnsmasq config file customizable.

* Code style fixes. Return current behaviour for dnsmasq strict-order flag.
2018-10-09 23:29:06 -07:00
Antoine Legrand
c27a91f7f0 Split deploy steps in separate playbooks: part1 (#3451)
* Fix bootstrap_os/ubuntu idempotency

* Update bastion role

* move container_engine in sub-roles

* requires ansible 2.5

* ubuntu18 as first CI job
2018-10-09 19:14:33 -07:00
Erwan Miran
2ab2f3a0a3 Ability to define SSL certificates duration and SSL key size (#3482)
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets

* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
2018-10-09 04:43:30 -07:00
okamototk
c825f4d180 Untaint master when it has node role (#3466) 2018-10-09 01:40:43 -07:00
Andreas Krüger
7e195b06a6 Fix DNS loop when resolvconf_mode is set to host_resolvconf (#3390)
* Fix DNS loop when resolvconf_mode is set to host_resolvconf

* Make sure upstream_dns_servers is defined when using resolvconf_mode == 'host_resolvconf'

* Only set upstream dns servers on KubeDNS and CoreDNS if they are defined

* Only set upstream dns servers on KubeDNS and CoreDNS if they are defined
2018-10-08 07:08:51 -07:00
Dylan
30132d8c35 Removed hostname truncation. (#3409) 2018-10-08 05:14:01 -07:00
Matthew Mosesohn
4b7d59224d Fix tag based deploy of apps by skipping kubeadm dns tasks (#3462) 2018-10-08 01:22:57 -07:00
Rong Zhang
4f51607145 Upgrade kubernetes to v1.12.1 (#3463)
https://github.com/kubernetes/kubernetes/issues/69214
2018-10-07 13:33:13 -07:00
Chad Swenson
6602760a48 Support multiple local volume provisioner StorageClasses (#3450)
- Local Volume StorageClass configuration is now manged by `local_volume_provisioner_storage_classes`, a list of maps that specifies local storage classes with `name` `host_dir` and `mount_dir` keys per entry
- Tasks and templates updated to loop through local volume storage classes
- Previous defaults for path/class names were not changed
- Fixed an issue where a `kubernetes/preinstall` was creating directories inconsistently with the `kubernetes-apps/external_provisioner/local_volume_provisioner` task
2018-10-05 05:52:25 -07:00
Erwan Miran
9232261665 serviceaccounts is required in resources list of cluster role (#3455) 2018-10-04 11:32:37 -07:00
Rong Zhang
af97febb04 Upgrade kubernetes to v1.12.0 (#3410)
* Upgrade kubernetes to v1.12.0

Use kubeadm v1alpha3 config

* Upgrade coredns and etcd

* Upgrage docker to 18.06
2018-10-04 02:05:55 -07:00
Tupin Laurent
05dabb7e7b Fix Bionic networking restart error #3430 (#3431) 2018-10-02 03:10:52 -07:00
okamototk
66e304c41b Fixed Ubuntu 18.04's docker version(fixes #3424). (#3425) 2018-10-01 04:26:51 -07:00
LiuDui
192f7967c9 Remove excess space (#3421) 2018-10-01 00:09:45 -07:00
Luke Seelenbinder
3cfbc1a79a Add Pod IP to Flannel manifest. (#3379) 2018-10-01 00:06:13 -07:00
rboyapat
d9f495d391 Fix the dic iteration method in the kubelet template (#3415)
* Fix the jinja expression for openstack_tenant_id

OS_PROJECT_ID is obsolete in keystone v3 and jinja expression
doesn't set openstack_tenant_id as expected because of
undefined env var. Fixed the expression.

* Fix the dic iteration method in the kubelet template

Kubelet template rendering errors when additional Node lables are
added and using Python3. Update the method to be compatible to both
python2/3

Node lables doesn't work
2018-09-30 05:10:12 -07:00
SataQiu
71f6c018ce fix typo: remove repeated words(is) (#3419) 2018-09-29 21:04:43 -07:00
LiuDui
0401f4afff remove the redundant space (#3420) 2018-09-29 21:03:27 -07:00
Mikael Berthe
b4989b5a2a Fix netcheck agent/server image variable names (#3417)
According to the documentation, container images are described
by vars like `foo_image_repo` and `foo_image_tag`.
The variables netcheck_{agent,server}_{img_repo,tag} do not
follow that convention.
2018-09-29 20:44:01 -07:00
Rong Zhang
0232e755f3 Upgrade kubedns and kubednsautoscaler (#3407) 2018-09-28 01:20:08 -07:00
sangwook
0536125f75 Better fix for openstack cinder zone issue using ignore-volume-az option (#2980)
* Better fix for openstack cinder zone issue[1][2]
using ignore-volume-az option[3].
[1]: https://github.com/kubernetes-incubator/kubespray/pull/2155
[2]: https://github.com/kubernetes-incubator/kubespray/pull/2346
[3]: https://github.com/kubernetes/kubernetes/pull/53523

* Remove kube-scheduler-policy.yaml
2018-09-27 22:15:47 -07:00
Cédric de Saint Martin
53d87e53c5 All CNIs: support ANY toleration. (#3391)
Before, Nodes tainted with NoExecute policy did not have calico/weave Pod.
Network pod should run on all nodes whatever happens on a specific node.

Also always set the Pods to be critical.
Also remove deprecated scheduler.alpha.kubernetes.io/tolerations annotations.
2018-09-27 05:28:54 -07:00
Erwan Miran
232020ef96 skip-exists is an flag for create command, not for calicoctl (#3401) 2018-09-27 04:57:02 -07:00
Shida Qiu
8b8e534769 remove the redundant space (#3400) 2018-09-27 03:32:26 -07:00
arzarif
6b71229d3f Resolve issues associated with Calico deployment in policy-only mode. (#3392) 2018-09-27 03:31:14 -07:00
刘旭
145e5c8943 use copy and slurp module (#3313) 2018-09-27 02:12:02 -07:00
Victor Palma
dced082e5f fixes roles/docker/vars/ubuntu-bionic.yml points to xenial (#3395)
* fixes: #3387
2018-09-27 01:08:39 -07:00
Tupin Laurent
408faac3c9 Pip is required for vault #3376 (#3378)
* Change execution order for pip

* Remove spaces
2018-09-26 00:28:54 -07:00
Tupin Laurent
cd4a606cb1 UI is required for vault #3376 (#3377) 2018-09-26 00:27:38 -07:00
Kuldip Madnani
36898a2c39 Adding pod priority for all the components. (#3361)
* Changes to assign pod priority to kube components.

* Removed the boolean flag pod_priority_assignment

* Created new priorityclass k8s-cluster-critical

* Created new priorityclass k8s-cluster-critical

* Fixed the trailing spaces

* Fixed the trailing spaces

* Added kube version check while creating Priority Class k8s-cluster-critical

* Moved k8s-cluster-critical.yml

* Moved k8s-cluster-critical.yml to kube_config_dir
2018-09-25 07:50:22 -07:00
Andreas Krüger
d6ebe8c3e7 Sync manifests with kubeadm (#3383) 2018-09-24 02:17:18 -07:00
Rui Cao
02de35cfc3 Fix some typos (#3382)
Signed-off-by: Rui Cao <ruicao@alauda.io>
2018-09-23 06:33:17 -07:00
Sergey Magidovich
2197330727 Add check that kube-master, kube-node and etcd groups are not empty. 2018-09-21 17:02:53 +03:00
Anatoly Rugalev
8f85ea89fa Added download_validate_certs option which allows to disables SSL validation for file downloads 2018-09-21 11:51:17 +02:00
k8s-ci-robot
51a5f54fc4
Merge pull request #3335 from AtzeDeVries/fix/ubuntu-xenial-resolv-conf
Fix/ubuntu xenial resolv conf
2018-09-20 23:16:11 -07:00
Chris Randles
a1d6078d46 remove /var/lib/cni directory 2018-09-20 15:36:25 -04:00
k8s-ci-robot
7fd87b95cf
Merge pull request #3368 from woopstar/fedora_fix_1
Fix CI issue (Fedora task introduce new lookup plugin)
2018-09-20 08:16:22 -07:00
Rajitha Perera
e3d562bcdb Support for AWS cloud-config (#1465)
* Support for AWS cloud-config

* Update docs

* Fix version incompatibilities

* Do not use shorthand `default`

* Add new cloud config variable, roleArn
2018-09-20 16:31:28 +02:00
Andreas Kruger
442e6e55b6 Fix CI issue with Fedora 2018-09-20 15:45:15 +02:00
rongzhang
4d1055f5d5 Remove some useless files 2018-09-20 20:24:06 +08:00
k8s-ci-robot
68acdd71f1
Merge pull request #3172 from Atoms/additional-proxy
Add additional no proxy parameter for more customization
2018-09-20 03:26:29 -07:00
k8s-ci-robot
62b1ea2b48
Merge pull request #3360 from gabibbo97/master
Support Fedora 28
2018-09-20 02:22:53 -07:00
Andreas Kruger
09b67c1ad5 Remove EFK from Kubespray 2018-09-20 10:44:17 +02:00
k8s-ci-robot
8512cc5cca
Merge pull request #3280 from wozniakjan/openstack/openstack_cacert
Check `openstack_cacert` for empty string
2018-09-19 22:42:37 -07:00
k8s-ci-robot
3a65c66a3e
Merge pull request #3355 from wwt/rr-v3
Uses etcdv3 for calico 3 rr_v4 resources
2018-09-19 22:35:02 -07:00
Giacomo Longo
492b3e525d Support Fedora 28 2018-09-19 20:11:07 +02:00
Kevin Schuck
639010b3df Uses environment vars for etcd cert paths 2018-09-19 12:32:16 -05:00
k8s-ci-robot
34d1f0bff2
Merge pull request #3351 from woopstar/kubeadm_token_basic_auth_fix
Mount basic auth or token auth dirs to support it on kubeadm deployments
2018-09-19 07:50:43 -07:00
Jan Wozniak
a330b281e8 Check openstack_cacert for empty string 2018-09-19 16:37:24 +02:00
Kevin Schuck
6f9f80acee Uses etcdv3 for calico 3 rr_v4 resources 2018-09-19 09:22:52 -05:00
k8s-ci-robot
a8a62afd74
Merge pull request #3304 from kubernetes-incubator/gpu2
Add support for GPU accelerator
2018-09-19 07:12:32 -07:00
k8s-ci-robot
7fa682bdd5
Merge pull request #3342 from okamototk/fix_path_for_kubeadm_join
Add kubelet path for kubeadm.
2018-09-19 06:17:47 -07:00
Aivars Sterns
34019291b8
Merge pull request #3143 from jbcraig/add_os_trust_id
add support for openstack trust to cloud provider config
2018-09-19 16:07:03 +03:00
Antoine Legrand
08179018d4
Merge branch 'master' into gpu2 2018-09-19 15:02:51 +02:00
k8s-ci-robot
b796226869
Merge pull request #3325 from firaxis/configurable_felix_healthhost
Make Felix healthhost configurable
2018-09-19 06:02:29 -07:00
k8s-ci-robot
39c567de47
Merge pull request #3307 from kaarolch/upgrade_docs
Calico version verification before cluster upgrade begin.
2018-09-19 05:15:55 -07:00
k8s-ci-robot
da4cc74498
Merge pull request #3340 from wwt/master
Fixes Calico 3.x BGPPeer resources
2018-09-19 04:43:35 -07:00
Andreas Kruger
cac485756b Mount basic auth or token auth dirs to support it on kubeadm deployments 2018-09-19 13:21:58 +02:00
Andreas Kruger
c058e7a5ec Remove audit again from Kubeadm 1.10.x. Write mounts not supported untill 1.11 2018-09-19 13:15:14 +02:00
Andreas Kruger
e0ddabc463 Add support for kubelet_node_custom_flags 2018-09-19 12:58:06 +02:00
Andreas Kruger
940d2fdbb1 Add missing enforce-node-allocatable to kubelet for kubeadm deployments 2018-09-19 11:54:34 +02:00
Andreas Kruger
1c999b2a61 Move kube_kubeadm_controller_extra_args to controllerManagerExtraArgs section. It was placed in controllerManagerExtraVolumes 2018-09-19 11:24:19 +02:00
Andreas Kruger
8e37841a2e Add audit support to v1alpha1 of Kubeadm 2018-09-19 11:01:30 +02:00
Andreas Kruger
8d1c0c469c Added missing enable-aggregator-routing option 2018-09-19 10:58:46 +02:00
Andreas Kruger
26d7380c2e Sync manifests from non-kubeadm to kubeadm deploy 2018-09-19 10:01:45 +02:00
Takashi Okamoto
95703fb6f2 Add kubelet path for kubeadm. 2018-09-19 03:04:03 +00:00
Karol Chrapek
0121bce9e5 Instead of doc update, change the verify step 2018-09-18 22:13:15 +02:00
Kevin Schuck
fb1678d425 Ensures BGPPeer resource names are unique 2018-09-18 10:48:30 -05:00
Alex Yakovenko
884053aaa7
Make Felix healthhost configurable 2018-09-18 15:48:29 +03:00
k8s-ci-robot
3d27007750
Merge pull request #3329 from riverzhang/checksum
Keep list of k8s checksums for hyperkube and kubeadm
2018-09-18 02:42:59 -07:00
AtzeDeVries
4cbd97667d Merge remote-tracking branch 'upstream/master' into fix/ubuntu-xenial-resolv-conf 2018-09-18 09:51:46 +02:00
k8s-ci-robot
2730c90dcd
Merge pull request #3320 from riverzhang/kubelet
Support dynamic kubelet config
2018-09-18 00:16:04 -07:00
rongzhang
09a1bcb30b Keep list of k8s checksums for hyperkube and kubeadm
Keep a list of checksums for kubeadm and hyperkube downloads.
Makes it easier to switch version
2018-09-18 15:05:17 +08:00
rongzhang
77e08ba204 Support dynamic kubelet config
https://kubernetes.io/blog/2018/07/11/dynamic-kubelet-configuration/
2018-09-18 08:44:39 +08:00
Kevin Schuck
d3adf09bde Fixes BGPPeer resource for calico >= 3.0.0 2018-09-17 15:22:28 -05:00
Erwan Miran
afa2a5f1c4 enhanced reset for contiv 2018-09-17 16:46:19 +02:00
Erwan Miran
bcaf2f9ea3 contiv 1.2.1 2018-09-17 16:45:05 +02:00
k8s-ci-robot
d16b562b18
Merge pull request #3316 from mattymo/tiller_override_fix
Fix tiller override command
2018-09-17 05:12:05 -07:00
k8s-ci-robot
0538f8a70d
Merge pull request #3290 from riverzhang/fix-upgrade
Fix upgrade k8s
2018-09-17 04:26:47 -07:00
k8s-ci-robot
1a426ada3c
Merge pull request #3324 from alvistack/cert-manager-v0.5.0
cert-manager: Upgrade to 0.5.0
2018-09-17 04:20:56 -07:00
Wong Hoi Sing Edison
a544e54578 weave: Upgrade to 2.4.1
Upstream Changes:

-   weave 2.4.1 (https://github.com/weaveworks/weave/releases/tag/v2.4.1)

Our Changes:

-   Templates sync with upstream manifests
2018-09-17 17:09:19 +08:00
Wong Hoi Sing Edison
f34a6699ef cert-manager: Upgrade to 0.5.0
Upstream Changes:

-   cert-manager 0.5.0 (https://github.com/jetstack/cert-manager/releases/tag/v0.5.0)

Our Changes:

-   Templates sync with upstream manifests
2018-09-17 16:58:04 +08:00
AtzeDeVries
482857611a added extra var for ubuntu 18 netplan resolv 2018-09-17 09:01:55 +02:00
AtzeDeVries
8d8bbc294a fix for resolvconf in ubuntu18 2018-09-17 09:00:55 +02:00
k8s-ci-robot
7f91f6e034
Merge pull request #3287 from Kami-no/coredns_metrics
Monitor CoreDNS over svc
2018-09-16 23:39:59 -07:00
rongzhang
84c4c7dc82 Use synchronize module 2018-09-16 20:36:44 +08:00
rongzhang
1d4aa7abcc Fix upgrade k8s 2018-09-16 10:35:12 +08:00
Matthew Mosesohn
fe35c32c62 Fix tiller override command 2018-09-15 16:35:19 +03:00
Rong Zhang
aa0da221e9
Merge pull request #2880 from hfinucane/rh7-paths
Fix #2261 by supporting Red Hat's limited PATH
2018-09-15 19:27:22 +08:00
k8s-ci-robot
f1403493df
Merge pull request #3296 from rabi/fix_cilium_crio
Add volume and volumeMount for crio-socket
2018-09-15 03:23:02 -07:00
k8s-ci-robot
36901d8394
Merge pull request #3309 from ant31/fix_download_file
Fix download file
2018-09-15 03:18:23 -07:00
k8s-ci-robot
e6a2e34dd1
Merge pull request #3315 from riverzhang/upgrade-kubedns
Upgrade kubedns to 1.14.11
2018-09-15 02:08:20 -07:00
rongzhang
934d92f09c Upgrade kubedns to 1.14.11 2018-09-15 15:22:38 +08:00
k8s-ci-robot
5e59541faa
Merge pull request #3258 from okamototk/fix_kubectl_path
absolute path for kubectl.
2018-09-13 14:38:20 -07:00
Antoine Legrand
d94b7fd57c Don't download binary if docker is selected 2018-09-13 22:06:51 +02:00
k8s-ci-robot
9964ba77ee
Merge pull request #3305 from mattymo/fixup_upgrade
Fixes for upgrade mode
2018-09-13 12:57:23 -07:00
k8s-ci-robot
153661cc47
Merge pull request #3284 from mattymo/more_calico_legacy
Put back legacy support for calico ippools and bgp settings
2018-09-13 09:25:26 -07:00
Matthew Mosesohn
8becd905b8 Fixes for upgrade mode
Uses correct flag for draining with a pod selector
Verifies minimum kubectl version for compatibility
2018-09-13 18:42:01 +03:00
Matthew Mosesohn
c83350e597 refactor to base on calico_version 2018-09-13 18:05:10 +03:00
k8s-ci-robot
ffbe9e7fd8
Merge pull request #1973 from guenhter/rsync-cmd-to-synchronize
Replace the raw rsync command with the synchronize module
2018-09-13 03:12:05 -07:00
AtzeDeVries
91b02c057e Add support for GPU accelerator 2018-09-13 11:53:11 +02:00
Matthew Mosesohn
55d76ea3d8
Update install.yml 2018-09-13 12:04:53 +03:00
rabi
1df0b67ec1 Add volume and volumeMount for crio-socket
This commit fixes #3295
2018-09-13 14:34:44 +05:30
k8s-ci-robot
218e527363
Merge pull request #3243 from mirwan/helm_binary_should_be_installed_on_all_masters
Install Helm client on all masters
2018-09-13 00:39:36 -07:00
k8s-ci-robot
27fc391f71
Merge pull request #3291 from mirwan/remove_insecure-bind-address_when_insecure_port_is_0
Remove --insecure-bind-address when insecure-port=0
2018-09-13 00:34:39 -07:00
Matthew Mosesohn
1091e82327
Update install.yml 2018-09-12 22:15:46 +03:00
k8s-ci-robot
a5cc8537f9
Merge pull request #3283 from mattymo/more_upgrade_options
Extra options for upgrade mode
2018-09-12 10:50:33 -07:00
Matthew Mosesohn
d692737a13 Extra options for upgrade mode
Optionally do not drain nodes by setting drain_nodes to false
Optionally set a labelselector to target which pods should be drained.
2018-09-12 17:05:41 +03:00
Matthew Mosesohn
cc79125d3e
Update install.yml 2018-09-12 17:03:55 +03:00
k8s-ci-robot
a801e02cea
Merge pull request #3261 from mattymo/etcd_ssl_dir_perms
Ensure etcd file permissions are correct when using vault
2018-09-12 01:10:26 -07:00
Zinin D.A
29c7775ea1 Monitor CoreDNS over svc 2018-09-12 10:24:15 +03:00
k8s-ci-robot
cbf099de4d
Merge pull request #3285 from mirwan/fix_netchecker_sa_when_psp
Fix wrong sa name in crb when psp is enabled
2018-09-12 00:20:38 -07:00
k8s-ci-robot
c8630f46fd
Merge pull request #3286 from fritchie/master
Change update strategy to RollingUpdate
2018-09-12 00:18:05 -07:00
Erwan Miran
af74d85b7d Remove --insecure-bind-address when insecure-port=0 2018-09-12 08:22:11 +02:00
Chad Swenson
97e5f28537
Revert "Remove insecure-port and insecure-bind-address when possible" 2018-09-11 17:42:12 -05:00
Frank Ritchie
f42e0a4711 Change update strategy to RollingUpdate.
When enable_network_policy is set to True with Calico 3 kubectl
apply fails with the error:

The Deployment "calico-kube-controllers" is invalid:
spec.strategy.rollingUpdate: Forbidden: may not be specified when
strategy type is 'Recreate'

See

https://github.com/kubernetes-incubator/kubespray/issues/3267

Changing the update strategy to RollingUpdate avoids this error.
2018-09-11 12:03:42 -04:00
Matthew Mosesohn
d91f9e14e6 Put back legacy support for calico ippools and bgp settings 2018-09-11 16:40:11 +03:00
Erwan Miran
e24b1220a0 Fix wrong sa name in crb when psp is enabled 2018-09-11 15:04:55 +02:00
k8s-ci-robot
0a720b35af
Merge pull request #3270 from riverzhang/fix-registry
Add insecure_registry config to docker options
2018-09-10 04:28:52 -07:00
rongzhang
f557b54489 Add docker_ to values 2018-09-10 18:05:49 +08:00
Erwan Miran
04852ad753 Install Helm on all masters 2018-09-10 11:39:26 +02:00
Matthew Mosesohn
aaa9a4efac Ensure vault file permissions are correct 2018-09-10 12:04:04 +03:00
rongzhang
0140cf71c8 Upgrade kubernetes to v1.11.3 2018-09-10 15:52:49 +08:00
rongzhang
51794e4c13 Deploying k8s clusters in a private environment 2018-09-09 11:06:00 +08:00
rongzhang
b249b06036 Move docker options to kubespray-defaults 2018-09-09 10:21:18 +08:00
rongzhang
20caaf9d1f Delete gitignore file 2018-09-09 02:09:02 +08:00
rongzhang
c41ca22a78 Planning the configuration of docker parameters 2018-09-09 00:59:59 +08:00
georgejdli
b891d77679 add option to secure helm tiller with tls 2018-09-07 10:29:31 -05:00
k8s-ci-robot
5c2e9a5376
Merge pull request #3252 from mirwan/remove_insecure-bind-address_when_insecure-bind-port_is_0
Remove insecure-port and insecure-bind-address when possible
2018-09-07 07:41:21 -07:00
k8s-ci-robot
b3a689658b
Merge pull request #3255 from mlushpenko/calico_check
Fix calico health checks
2018-09-07 07:39:20 -07:00
Takashi Okamoto
d182d4f979 absolute path for kubectl. 2018-09-07 09:33:43 -04:00
k8s-ci-robot
9c49e071d3
Merge pull request #3260 from riverzhang/discoverytimeout
Add discovery_timeout to join configuration
2018-09-07 05:20:19 -07:00
rongzhang
0f63924ed4 Add discovery_timeout to join configuration
https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha2#JoinConfiguration
2018-09-07 16:28:53 +08:00
mlushpenko
ea2c9d8f57 Fix yaml checks 2018-09-06 16:26:57 +02:00
mlushpenko
f958b32c83 Fix calico health checks 2018-09-06 15:57:21 +02:00
k8s-ci-robot
2faa8f1e37
Merge pull request #3254 from mattymo/calico_upgrade_tweaks
Fix backward compatibility with calico 2.6
2018-09-06 06:20:52 -07:00
k8s-ci-robot
ab462d92b8
Merge pull request #3249 from mattymo/fix_missing_var_kube_proxy_nodeport
Add missing variable kube_proxy_nodeport_addresses
2018-09-06 06:18:23 -07:00
k8s-ci-robot
27905bbddf
Merge pull request #3250 from mattymo/openstack_cacert
Fix openstack cacert task
2018-09-06 06:15:59 -07:00
Matthew Mosesohn
dc3e317d20 Fix backward compatibility with calico 2.6 2018-09-06 15:54:20 +03:00
Erwan Miran
a5509fc2ce Remove insecure-port and insecure-bind-address when possible 2018-09-06 13:46:09 +02:00
Matthew Mosesohn
b614a3504b Fix openstack cacert task 2018-09-06 14:06:06 +03:00
Matthew Mosesohn
cd8e469b9c Add missing variable kube_proxy_nodeport_addresses 2018-09-06 13:36:17 +03:00
Matthew Mosesohn
991b3dbe54 put back endif in kubelet rkt template 2018-09-06 13:21:22 +03:00
k8s-ci-robot
f5251f7d27
Merge pull request #3247 from mattymo/kubelet_rkt_Fix
remove broken endifs in kubelet rkt mode
2018-09-06 02:49:35 -07:00
Matthew Mosesohn
faedfb6307 remove broken endifs in kubelet rkt mode 2018-09-06 11:59:25 +03:00
k8s-ci-robot
1940495817
Merge pull request #3246 from riverzhang/pause
Upgrade pause image to 3.1
2018-09-06 00:48:05 -07:00
rongzhang
b979fb0116 Upgrade pause image to 3.1 2018-09-06 14:15:51 +08:00
Antoine Legrand
7e140e5f3c
Merge pull request #3122 from jbcraig/fix_cacert_feature
resolve issues with new cacert feature
2018-09-05 23:31:53 +02:00
rongzhang
435e098751 Fix feature-gates 2018-09-05 22:55:51 +08:00
Antoine Legrand
055e80f846
Merge pull request #3244 from ant31/calico31
Reverts calico update to 3.2.0, fixes #3223
2018-09-05 11:45:22 +02:00
Antoine Legrand
15363530ae Reverts calico update to 3.2.0, fixes #3223 2018-09-05 11:44:32 +02:00
Jeff Bornemann
83838b7fbc Add new OCI cloud controls 2018-09-04 14:03:17 -04:00
Luis Nunez
6569180654 remove capitalize filter 2018-09-04 14:56:53 +02:00
k8s-ci-robot
ad33f71ac2
Merge pull request #3228 from mirwan/credentials_dir
Introducing credentials_dir variable in order to be able to override it
2018-09-04 04:35:11 -07:00
k8s-ci-robot
50c6a98b15
Merge pull request #3229 from mirwan/docker_1806_ubuntu_under_bionic
Docker 18.06 for ubuntu versions before bionic
2018-09-03 11:37:13 -07:00
Erwan Miran
a644b7c267 Introducing credentials_dir in order to be able to override it 2018-09-03 18:04:50 +02:00
Atoms
8c9588ab59 Add additional no proxy parameter for more customization 2018-09-03 17:09:58 +03:00
Erwan Miran
c0ce875743 change edge to 18.06 for ubuntu 2018-09-03 14:11:25 +02:00
Erwan Miran
a22d28e1c1 docker 18.06 for ubuntu version before bionic 2018-09-03 14:10:51 +02:00
k8s-ci-robot
c32145057d
Merge pull request #3178 from gitphill/patch-1
Add azure-container-registry-config for Azure
2018-09-03 05:06:01 -07:00
rboyapat
fbb98b0070 Fix the jinja expression for openstack_tenant_id (#3151)
OS_PROJECT_ID is obsolete in keystone v3 and jinja expression
doesn't set openstack_tenant_id as expected because of
undefined env var. Fixed the expression.
2018-09-03 14:59:49 +03:00
k8s-ci-robot
db11394711
Merge pull request #3200 from pablodav/feature/k8s_win_v1.11
Required support to start working on windows node support
2018-09-03 04:51:23 -07:00
Matthew Mosesohn
fd57fde075 Always run helm init to allow for settings changes 2018-09-03 11:16:01 +03:00
Wong Hoi Sing Edison
9fc8f9a07d ingress-nginx: Upgrade to 0.19.0
Upstream Changes:

-   ingress-nginx 0.19.0 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.19.0)

Our Changes:

-   Sync templates with upstream changes
2018-09-03 08:00:08 +08:00
Pablo Estigarribia
7cbe3c2171 ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version
ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version

remove empty when line

ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version

force kubeadm upgrade due to failure without --force flag

ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version

added nodeSelector to have compatibility with hybrid cluster with win nodes, also fix for download with missing container type

fixes in syntax and LF for newline in files

fix on yamllint check

ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version

some cleanup for innecesary lines

remove conditions for nodeselector
2018-09-02 12:47:06 -03:00
k8s-ci-robot
a47c9239e8
Merge pull request #3221 from alvistack/cephfs-provisioner-v2.1.0-k8s1.11
cephfs-provisioner: Upgrade to v2.1.0-k8s1.11
2018-09-02 04:16:17 -07:00
k8s-ci-robot
635ca1a0b8
Merge pull request #3220 from alvistack/coredns-1.2.2
coredns: Upgrade to v1.2.2
2018-09-02 04:13:53 -07:00
Wong Hoi Sing Edison
32fdfbcd5a cephfs-provisioner: Upgrade to v2.1.0-k8s1.11
Upstream Changes:

-   cephfs-provisioner v2.1.0-k8s1.11 (https://github.com/kubernetes-incubator/external-storage/releases/tag/cephfs-provisioner-v2.1.0-k8s1.11)

Our Changes:

-   Sync clusterrole and role with upstream changes
2018-09-02 11:51:28 +08:00
Wong Hoi Sing Edison
df8b27c03c coredns: Upgrade to v1.2.2
Upstream Changes:

-   coredns v1.2.2 (https://github.com/coredns/coredns/releases/tag/v1.2.2)

NOTE:

-   coredns image for 1.2.0 and 1.2.1 had been removed from https://console.cloud.google.com/gcr/images/google-containers/GLOBAL/coredns
2018-09-02 11:37:21 +08:00
mlushpenko
8e95974930 Fix ports for kubeadm client and master configs for ha setups 2018-09-01 18:02:52 +02:00
k8s-ci-robot
13dda0e36e
Merge pull request #3207 from mirwan/fix_3206
Fix target hosts generation when /etc/hosts does not contain 127.0.0.1 or ::1
2018-08-31 17:50:56 -07:00
k8s-ci-robot
6e7100f283
Merge pull request #3208 from mirwan/etcd_ha_doc_n_cleaning
Add documentation about having HA for etcd
2018-08-31 08:06:05 -07:00
Erwan Miran
059cd17b47 Fix target hosts generation when /etc/hosts does not contain 127.0.0.1 or ::1 2018-08-31 16:33:18 +02:00
k8s-ci-robot
fb7b3305dc
Merge pull request #3209 from mirwan/use_etcd_events_access_address
etcd_events_access_address should be used for peer_url and client_url
2018-08-31 07:26:25 -07:00
Erwan Miran
81c3f2c971 etcd_events_access_address should be used for peer_url and client_url 2018-08-31 15:03:07 +02:00
Erwan Miran
82a28d6bb3 Add documentation about having HA for etcd 2018-08-31 14:40:25 +02:00
Antoine Legrand
22f9114630 update calico to 3.2.0 2018-08-31 13:45:08 +02:00
Antoine Legrand
f2f0cdd0ff add arch vars for docker 2018-08-31 13:45:08 +02:00
Antoine Legrand
da06c8e5a9 etcd UNSUPPORTED for all arch 2018-08-31 13:45:08 +02:00
Antoine Legrand
2f1fe44762 update images to use arch 2018-08-31 13:45:08 +02:00
Antoine Legrand
19268ded23 Fix some arm64 errors 2018-08-31 13:45:08 +02:00
Antoine Legrand
f67933d2ac add ETCD_UNSUPPORTED_ARCH=arm64 flag 2018-08-31 13:45:08 +02:00
Antoine Legrand
247b9e83d8 etcd arch-image 2018-08-31 13:45:08 +02:00
Antoine Legrand
9c2098b8fa fix kubelet_max_pod assert 2018-08-31 13:45:08 +02:00
Antoine Legrand
48c0c8d854 Update dir list 2018-08-31 13:45:08 +02:00
rongzhang
2609ec0dc3 Fix copy etcd-ssl-ca failed 2018-08-31 15:06:03 +08:00
k8s-ci-robot
aafd034ab8
Merge pull request #3202 from riverzhang/fix-ipvs
Fix ipvs by kubeadm v1alpha1
2018-08-30 13:26:02 -07:00
k8s-ci-robot
d14394c691
Merge pull request #3185 from mirwan/helm_install_docker_insecureport_0
Mount /root/.kube to helm container
2018-08-30 08:11:33 -07:00
rongzhang
16fc22a207 Fix ipvs by kubeadm v1alpha1 2018-08-30 23:04:57 +08:00
k8s-ci-robot
d9ea937493
Merge pull request #3187 from mirwan/kubeadm-config_syntax
Fix kubeadm-config for audit-log-path and feature-gates
2018-08-30 06:55:43 -07:00
k8s-ci-robot
a96a0ee307
Merge pull request #3198 from riverzhang/fix-kubeadm-v1alpha1
Fix kubeadm v1alpha1 configure
2018-08-30 04:11:37 -07:00
k8s-ci-robot
f48468b83b
Merge pull request #3195 from mirwan/fix_psp_templates
Fix some addons when PodSecurityPolicy is enabled
2018-08-30 03:37:52 -07:00
rongzhang
35e5adaf0a Fix kubeadm v1alpha1 configure 2018-08-30 17:44:00 +08:00
k8s-ci-robot
a247c2c713
Merge pull request #3191 from fcgravalos/make-canal-mount-xtables-lock
canal should mount xtables.lock to share the lock with other processe…
2018-08-29 08:57:32 -07:00
k8s-ci-robot
4feb62f6bf
Merge pull request #3193 from riverzhang/fix-lb-kubeadm
Fix kubeadm lb
2018-08-29 04:22:40 -07:00
Fernando Crespo Grávalos
ac4ef719cc canal should mount xtables.lock to share the lock with other processes like kube-proxy 2018-08-29 13:08:51 +02:00
Erwan Miran
ceb97e5809 Fix wrong syntax for jinja sub list extraction and addition of missing role template 2018-08-29 12:58:10 +02:00
k8s-ci-robot
3bfda55fca
Merge pull request #3061 from okamototk/crio
cri-o support
2018-08-29 03:48:40 -07:00
rongzhang
9eade647e6 Fix kubeadm lb 2018-08-29 18:29:24 +08:00
Robin Elfrink
bbdd1c8f06 Add option to change the Tiller Deployment namespace. 2018-08-29 11:20:41 +02:00
k8s-ci-robot
f876c89081
Merge pull request #3189 from Arslanbekov/up-dashboard-version
Up dashboard version to 1.10.0
2018-08-29 02:08:40 -07:00
Phill Garrett
1babbcca85
Fix elif azure statement 2018-08-28 15:43:03 +01:00
Takashi Okamoto
c0dfa72707 Separate RedHat specific vars for cri-o. 2018-08-28 13:36:14 +00:00
Arslanbekov Denis
fe1e758856 Up dashboard version to 1.10.0 2018-08-28 14:10:19 +03:00
Phill Garrett
f325d13082 Add azure-container-registry-config for Azure
Seperated out KUBELET_CLOUDPROVIDER env var assignment when cloud_provider equals azure
Appended azure-container-registry-config parameter
2018-08-28 10:23:25 +00:00
Erwan Miran
52ab54eeea Fix missing quotes for audit-log-path and wrong placement of feature-gates 2018-08-28 09:05:57 +02:00
Takashi Okamoto
d407a590a6 container_manager variable to specify runtime. 2018-08-28 06:23:38 +00:00
Takashi Okamoto
5eb805f098 Change timeout for kubeadm 600s.
* kubeadm timeout is too short and it may interrupt by timeout.
2018-08-28 04:51:38 +00:00
Takashi Okamoto
dfdcb56784 Delete all cri-o containers when execute reset.yml. 2018-08-28 02:25:33 +00:00
Takashi Okamoto
236f066635 kubeadm cri-o support. 2018-08-28 02:24:45 +00:00
Takashi Okamoto
5ab8a712d9 Add download_container flag to avoid docker pull when use cri-o. 2018-08-28 01:24:26 +00:00
Takashi Okamoto
cf7b9cfeef Support crio in kubelet service. 2018-08-28 01:24:26 +00:00
Takashi Okamoto
6090af29e7 Add cri-o role. 2018-08-28 01:24:26 +00:00
Takashi Okamoto
359009bb05 Download etcd and hyperkube binary. 2018-08-28 01:24:26 +00:00
Takashi Okamoto
bdbfa4d403 Add ipvs support for kubeadm 1.10 or later. 2018-08-28 01:24:26 +00:00
Takashi Okamoto
6849788ebc Fix copy ca cert and ca key for kubeadm. 2018-08-28 01:24:25 +00:00
Takashi Okamoto
ac639b2a17 Change kubeadm config to run etcd by kubeadm. 2018-08-28 01:24:25 +00:00
Takashi Okamoto
b18ed5922b Add etcd default value in kubespray-default. 2018-08-28 01:24:25 +00:00
Erwan Miran
b395bb953f Fix wrong when condition that ends up with jinja error when the content of /etc/hosts contains parenthesis 2018-08-27 21:20:57 +02:00
Erwan Miran
b652792a93 /root/.kube must to mounted in order for helm to read kubeconfig and not fallback to localhost:8080 2018-08-27 18:17:26 +02:00
k8s-ci-robot
7efe287c74
Merge pull request #2474 from mirwan/localhost_in_etc_hosts
Localhost in hosts files should be updated (if necessary), not overriden
2018-08-27 06:25:43 -07:00
k8s-ci-robot
881b46f458
Merge pull request #3095 from mirwan/dnsmasq_template_rendering_filename
Dnsmasq manifests should not have j2 extension but templates should
2018-08-27 02:51:43 -07:00
k8s-ci-robot
d43cd9a24c
Merge pull request #3104 from maxbrunet/hotfix/replace-local_actions
Use delegate_to: localhost instead of local_action
2018-08-27 02:50:42 -07:00
guenhter
fff48d24ea Replace the raw rsync command with the synchronize module 2018-08-27 10:00:21 +02:00
k8s-ci-robot
f4feb17629
Merge pull request #2958 from elementyang/etcd-pr
change the way that getting etcd_member_name
2018-08-26 23:55:04 -07:00
Maxime Brunet
33135f2ada k8s/preinstall: Turn AND condition into a list 2018-08-25 14:33:31 -04:00
k8s-ci-robot
d6f4d10075
Merge pull request #3153 from alvistack/remove-image_tag-suffix
Remove *_image_tag suffix from ReplicaSet/Deployment
2018-08-25 04:42:19 -07:00
k8s-ci-robot
f97515352b
Merge pull request #3161 from nutellinoit/kube_proxy_nodeport_addresses
--nodeport-addresses added on kube-proxy.manifest.j2 and on k8s-cluster.yml
2018-08-25 02:00:19 -07:00
Aivars Sterns
f7f58bf070
Merge pull request #3173 from msimonin/fix-3164
Fix createhome directory for adduser role
2018-08-24 16:34:57 +03:00
Erwan Miran
1432e511a2 same work with less lines 2018-08-24 14:06:07 +02:00
Vasilis Remmas
b61eb7d7f3 Add ETCD_QUOTA_BACKEND_BYTES environment variable 2018-08-24 12:17:34 +02:00
Aivars Sterns
1567a977c3
Revert "gen_certs_script: refactor using stdin (Ansible 2.4+)" 2018-08-24 12:35:31 +03:00
Samuele Chiocca
cb8be37f72 fix on v1alpha1 2018-08-24 11:19:06 +02:00
Samuele Chiocca
e5dd4e1e70 added on v1alpha1 2018-08-24 10:59:06 +02:00
Antoine Legrand
6d74a3db7a
Merge pull request #3163 from kubernetes-incubator/fix-docker-ubuntu1804
Fix docker apt-repo for Ubuntu18
2018-08-24 00:51:59 +02:00
ant31
1da5926a94 Use xenial repo for ubuntu18 2018-08-23 22:34:44 +00:00
Antoine Legrand
4882531c29
Merge pull request #3115 from oracle/oracle_oci_controller
Cloud provider support for OCI (Oracle Cloud Infrastructure)
2018-08-23 18:22:45 +02:00
Antoine Legrand
f59b80b80b
Merge pull request #3147 from ishitatsuyuki/etcd-cleanup
gen_certs_script: refactor using stdin (Ansible 2.4+)
2018-08-23 18:19:28 +02:00
rongzhang
7b61a0eff0 Fix kubeadm LB configure
1. join node add LB discoveryTokenAPIServers
2. kubeadm_config_api_fqdn support ipddress and domain_name
2018-08-23 22:22:34 +08:00
Aivars Sterns
23fd3461bc calico upgrade to v3 (#3086)
* calico upgrade to v3

* update calico_rr version

* add missing file

* change contents of main.yml as it was left old version

* enable network policy by default

* remove unneeded task

* Fix kubelet calico settings

* fix when statement

* switch back to node-kubeconfig.yaml
2018-08-23 17:17:18 +03:00
msimonin
e22e15afda
Fix createhome directory for adduser role
A typo in the adduser role prevents the createhome
variable to be taken into account.

Fix #3164
2018-08-23 08:55:11 +02:00
Rong Zhang
f453567cce
Merge pull request #3144 from riverzhang/fix-audit-log
Fix install audit failed
2018-08-23 14:41:37 +08:00
Tatsuyuki Ishi
69786b2d16 gen_certs_script: refactor using stdin (Ansible 2.4+) 2018-08-23 11:19:17 +09:00
rongzhang
5a4352657d Fix install audit failed
1.fix audit log not write
2.fix Parameter not recognized
3.delete kubedm futuregates auditing and use apiServerExtraArgs
2018-08-23 01:47:15 +08:00
Samuele Chiocca
f13bc796d9 added nodePortAddresses on kubeadm conf v1alpha2 (not present on v1alpha1) 2018-08-22 18:43:03 +02:00
Erwan Miran
a6a14e7f77 create the service account and roles even if the rbac is not enabled. it will just be ignored 2018-08-22 18:17:11 +02:00
Erwan Miran
80cfeea957 psp, roles and rbs for PodSecurityPolicy when podsecuritypolicy_enabled is true 2018-08-22 18:16:13 +02:00
ant31
2c90208486 Fix docker apt-repo for Ubuntu18 2018-08-22 15:53:14 +00:00
Antoine Legrand
4eea7f7eb9
Merge pull request #3152 from johnzheng1975/cilium_1.2.0
new cilium stable version: 1.2.0
2018-08-22 17:11:42 +02:00
Samuele Chiocca
5d9908c2c3 --nodeport-addresses added on kube-proxy.manifest.j2
Changed author
2018-08-22 15:32:07 +02:00
Erwan Miran
a7b0c454db Localhost in hosts files should be updated (if necessary), not overriden 2018-08-22 12:10:49 +02:00
Wong Hoi Sing Edison
c3b3572025 Always create service account even rbac_enabled = false 2018-08-22 11:41:29 +08:00
Wong Hoi Sing Edison
f897596844 Remove *_image_tag suffix from ReplicaSet/Deployment 2018-08-22 11:02:56 +08:00
john
6df71956c4 new cilium stable version: 1.2.0 2018-08-22 10:52:24 +08:00
Jeff Bornemann
94df70be98 Cloud provider support for OCI (Oracle Cloud Infrastructure)
Signed-off-by: Jeff Bornemann <jeff.bornemann@oracle.com>
2018-08-21 17:36:42 -04:00
Mark Eisenblaetter
0c0a2138d9 allow '.' in hostnames
we use FQDN as inventory_hostname
2018-08-21 08:24:33 +02:00
Jonathan Craig
5bf152886b add support for openstack trust to cloud provider config 2018-08-20 12:51:25 -04:00
Andreas Krüger
497db69c9f
Merge pull request #3130 from riverzhang/add-control-plane
Add kubeadm controlplaneEndpoint
2018-08-20 10:43:50 +02:00
Andreas Krüger
c7de737551
Merge pull request #3133 from mirwan/auditlog_to_stdout_w_kubeadm
Audit log to stdout with kubeadm
2018-08-20 10:43:22 +02:00
Andreas Krüger
69749a5b7b
Merge pull request #3132 from mirwan/custom_audit_policy
Custom audit policy
2018-08-20 10:42:38 +02:00
Andreas Krüger
b3e32c1393
Merge pull request #3094 from hedayat/master
Add --dns-loop-detect to dnsmasq used in kube-dns
2018-08-20 09:27:15 +02:00
Erwan Miran
fc38b6d0ca Ability to define custom audit polcy rules 2018-08-20 07:04:56 +02:00
Erwan Miran
c34900e569 Define apiserver flags directly instead of relying on auditPolicy section in order to have the ability to redirect audit log to stdout with kubeadm 2018-08-20 07:00:53 +02:00
Rong Zhang
855f2a55cb
Merge pull request #3135 from ishitatsuyuki/patch-1
Add bad hostname preflight check
2018-08-20 12:08:02 +08:00
Wong Hoi Sing Edison
71fdc257bc cephfs-provisioner: Upgrade to v2.0.1-k8s1.11 2018-08-20 11:55:04 +08:00
Rong Zhang
fd16f77e20
Merge pull request #3017 from seungkyua/fix_kubeadm_client_conf
Fix kubeadm client conf
2018-08-20 10:51:02 +08:00
Tatsuyuki Ishi
3eef8dc8d0 Add bad hostname preflight check
Hostname must be a valid DNS name, which is checked as https://github.com/kubernetes/apimachinery/blob/master/pkg/util/validation/validation.go#L115

The situation I have encountered is that my hostname contained underscore which is disallowed and apiserver refused to start.
2018-08-20 09:09:00 +09:00
rongzhang
59176ebbb9 Add kubeadm controlplaneEndpoint
Nginx LB(default)
Other LB by kubeadm controlplane
2018-08-20 00:57:13 +08:00
rongzhang
b421d0ed5b Fix install nss 2018-08-20 00:07:31 +08:00
rongzhang
35efc387c4 Fix pull dns image error 2018-08-19 22:47:17 +08:00
Rong Zhang
fb309ca446
Merge pull request #3128 from riverzhang/delete-kubeadm
Remove unused configuration
2018-08-19 10:01:33 +08:00
Antoine Legrand
1d4f88eea8
Fix typo in image url 2018-08-19 01:30:54 +02:00
rongzhang
095ccef8bd Remove unused configuration 2018-08-19 01:23:20 +08:00
Rong Zhang
0df969ad19
Merge pull request #3117 from mirwan/audit_usecases
Audit support improvement
2018-08-19 01:13:22 +08:00
Antoine Legrand
3e5b6a5481
Merge pull request #3105 from mirwan/remove_cilium_device_at_reset_plus_move_network_to_network_plugin_roles
Move network_plugin specific reset tasks to its role directory
2018-08-17 22:27:16 +02:00
Antoine Legrand
c36744e96d
Merge pull request #3120 from alvistack/cephfs-provisioner-v2.0.0-k8s1.11
cephfs-provisioner: Upgrade to v2.0.0-k8s1.11
2018-08-17 22:11:15 +02:00
Antoine Legrand
e51c5dc0a6
Merge pull request #3123 from mathieuherbert/until-restart-etcd
add until option for etcd backup commands
2018-08-17 22:09:08 +02:00
Antoine Legrand
d297b82e82
Merge pull request #3126 from LuckySB/etcd_restart_on_update
add etcd version to etcd environment file to trigger a reload
2018-08-17 22:05:34 +02:00
Erwan Miran
98b818bbaf comply with ansible syntax consistency guideline 2018-08-17 16:37:33 +02:00
Antoine Legrand
26bf719a02
Merge branch 'master' into multi-arch-support 2018-08-17 16:35:50 +02:00
Antoine Legrand
7e37aa4aca
Merge pull request #2103 from xd007/docker_aarch64_pkg
Update docker package info for aarch64
2018-08-17 16:26:56 +02:00
Sergey Bondarev
ce6854e726 add version to environment file
Trigger reboot handler when version upgrade during update script
2018-08-17 17:25:35 +03:00
Antoine Legrand
ac49bbb336
Merge pull request #2168 from xd007/docker_arm64
fix docker opts incompatible running on aarch64 Redhat/Centos
2018-08-17 16:24:07 +02:00
Antoine Legrand
6c7eabb53b
Merge pull request #2001 from b0r1sp/patch-3
Quote false and yes, otherwise they'll be transformed to 'False', 'Yes'
2018-08-17 15:52:15 +02:00
Antoine Legrand
7a0f0126f7
Merge pull request #1295 from xuhuilong/master
fix curl get calico status error ( error in tls version, centos 7.3 1611)
2018-08-17 14:29:01 +02:00
Mathieu Herbert
59d89a37cc add until option for etcd backup commands 2018-08-17 11:05:57 +02:00
Wong Hoi Sing Edison
1a07c87af7 cephfs-provisioner: Upgrade to v2.0.0-k8s1.11
Upstream Changes:

-   cephfs-provisioner v2.0.0-k8s1.11 (https://github.com/kubernetes-incubator/external-storage/releases/tag/cephfs-provisioner-v2.0.0-k8s1.11)
-   Update ClusterRole

Our Changes:

-   Fix typo in defaults/main.yml (rs -> deploy)
-   Manifests cleanup
2018-08-17 12:41:56 +08:00
Seungkyu Ahn
29894293eb Fix kubeadm client conf
Fix DiscoveryTokenCACertHashes key to discoveryTokenCACertHashes in kubeadm-client.conf
2018-08-17 04:40:08 +00:00
Jonathan Craig
4d783fff0d resolve issues with new cacert feature 2018-08-16 23:31:21 -04:00
Erwan Miran
7f16b46ed5 Reset tasks specific to a network_plugin moved inside its role directory + Reset tasks specific to cilium 2018-08-16 17:34:33 +02:00
Antoine Legrand
58ee5f1cc9
Merge pull request #3089 from mattymo/cloudconfig
Remove erroneous cloud-config task
2018-08-16 16:17:01 +02:00
Antoine Legrand
253dc4f606
Merge pull request #3114 from woopstar/coredns-1.2.0
Update CoreDNS to 1.2.0
2018-08-16 16:14:13 +02:00
Erwan Miran
54548d3b95 kubeadm mounts the hostpaths itself 2018-08-16 13:17:30 +02:00
Erwan Miran
58d4d65fab minor variable fix and reuse + handle auditlog redirected to stdout 2018-08-16 12:51:09 +02:00
Rong Zhang
364ab2a6b7
Merge pull request #3113 from riverzhang/support-audit
Support audit
2018-08-16 15:33:43 +08:00
rongzhang
2ffc1afe40 Support audit 2018-08-16 14:38:07 +08:00
Wong Hoi Sing Edison
18612b3501 cert-manager: Upgrade to 0.4.1
Upstream Changes:

-   cert-manager 0.4.1 (https://github.com/jetstack/cert-manager/releases/tag/v0.4.1)

Our Changes:

-   Better templates sync with upstream manifests
-   Remove fancy resources requests/limits customization
2018-08-16 08:47:01 +08:00
Andreas Kruger
9da5d67728 Update CoreDNS to 1.2.0 2018-08-15 13:39:05 +02:00
Wong Hoi Sing Edison
bd413e36a3 ingress-nginx: Upgrade to 0.18.0
Upstream Changes:

-   ingress-nginx 0.18.0 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.18.0)
2018-08-15 11:40:42 +08:00
Chad Swenson
2c5781ace1
Merge pull request #2932 from wiremind/efk-fluentd-no-nodeselector
fluentd daemonset: do not set old nodeSelector.
2018-08-14 13:48:30 -05:00
JohnZheng
b50b3430be Disable locksmithd on CoreOS if coreos_auto_upgrade set to false (#3088)
* Disable locksmithd on CoreOS if coreos_auto_upgrade set to false

* change when format to support multiple-condition
2018-08-14 13:42:16 -05:00
Chad Swenson
0e3518f2ca
Merge pull request #2871 from fritchie/lptolerate
Local volume provisioner: tolerate NoSchedule
2018-08-14 13:39:57 -05:00
Chad Swenson
3a85a2f81c
Merge pull request #3080 from mirwan/netchecker_template_rendering_filename
Netchecker manifests should not have j2 extension
2018-08-14 13:24:16 -05:00
Chad Swenson
5dbfa0384e
Merge pull request #3101 from chenhonggc/uninstall_old_versions_of_docker
Uninstall old versions of Docker
2018-08-14 11:32:23 -05:00
rongzhang
48b6128814 Upgrade coredns to 1.1.3 2018-08-15 00:05:55 +08:00
Maxime Brunet
70b28288a3 Use delegate_to: localhost instead of local_action
Allow to use `ansible_become: true` (#2969)
And set it to `false` for `localhost` with an `host_var`
2018-08-14 10:08:43 -04:00
Rong Zhang
a11e1eba9e Upgrade kubernetes to V1.11.x (#3078)
Upgrade Kubernetes to V1.11.2
The kubeadm configuration file version has been upgraded from v1alpha1 to v1alpha2
Add bootstrap kubeadm-config.yaml with external etcd
2018-08-14 15:13:44 +03:00
Chen Hong
2dfa928c90 Uninstall old versions of Docker 2018-08-14 17:48:30 +08:00
Erwan Miran
d3c0fe1fcb Templates (even without actual templating inside) should have j2 extension but should not be rendered with j2 extension 2018-08-13 09:51:26 +02:00
Hedayat Vatankhah
c0221c2e72 Add --dns-loop-detect to dnsmasq used in kube-dns
It prevents DNS loops when host's DNS server is a localhost DNS server,
or when DNS server of cluster is also added as an upstream DNS server
2018-08-12 20:36:33 +04:30
mauromedda
9cef20187c Add the path to kubectl binary
The post-remove action fails during the kubectl delete node action because with rc: 2, command not found. The kubectl is not in the system PATH and the full path to the binary is required
2018-08-12 10:50:50 +02:00
Anton Fayzrahmanov
95f1e4634a local-volume-provisioner: use mountPropagation HostToContainer and version bump (#3081)
* Update local-volume-provisioner-ds.yml.j2

After v1.10.2 default mountPropagation is "None"

* local_volume_provisioner version bump

v2.1.0 uses the beta nodeAffinity API by default which is available starting 1.10

* Update local-volume-provisioner-ds.yml.j2

MY_NAMESPACE env

* Update README.md

Raw block devices docs.
2018-08-10 17:14:34 +03:00
Matthew Mosesohn
581a30fdec Remove erroneous cloud-config task 2018-08-10 15:59:18 +03:00
Andreas Krüger
d8e77600e2
Merge pull request #3066 from luisyonaldo/fix-conditional
fix bad conditional
2018-08-10 10:38:52 +02:00
Cédric de Saint Martin
e3dcd96301 kubedns & kubedns-autoscaler: Stick to master nodes. (#2909)
* kubedns & kubedns-autoscaler: Stick to master nodes.

 - Tolerate only master nodes and not any NoSchedule taint
 - Pods are on different nodes
 - Pods are required to be on a master node.

* kubedns: use soft nodeAffinity.

Prefer to be on a master node, don't require.

* coredns: Stick to (different) master nodes.

     - Pods are on different nodes
     - Pods are preferred to be on a master node.
2018-08-09 10:42:53 -05:00
Chad Swenson
001cae5894
Merge pull request #3028 from Kami-no/cilium
cilium v1.1.2
2018-08-09 10:35:29 -05:00
Erwan Miran
494ff9522b j2 extension should only be used for template filename, not target file on remote host 2018-08-09 11:29:45 +02:00
Luis Nuñez
fd380615a0 fix bad conditional 2018-08-09 10:20:45 +02:00
Rong Zhang
039180b2ca
Merge pull request #3022 from alvistack/weave-2.4.0
weave: Upgrade to 2.4.0
2018-08-09 15:01:05 +08:00
Zinin D.A
22b89edbbc cilium v1.1.2
Update all configs to current upstream state.
Add more resources (unable to pass tests now)...
2018-08-08 22:42:50 +03:00
Rong Zhang
94ae945bea
Merge pull request #2904 from mirwan/var_lib_kubelet_should_not_be_unmounted_when_having_its_own_partition
Only subdirectories in /var/lib/kubelet should be unmounted at reset time
2018-08-08 15:00:54 +08:00
Rong Zhang
5c039d87aa
Merge pull request #3054 from reverson/1.10-admission
Add support for admission controllers in 1.10 and above
2018-08-08 14:32:11 +08:00
Rong Zhang
08dfb7b59f
Merge pull request #3073 from riverzhang/delete-istio
Remove istio support
2018-08-08 13:00:57 +08:00
rongzhang
ea6af449a8 Remove istio support
Use helm install or support in future
2018-08-08 11:10:09 +08:00
Mathieu Herbert
d285565475 Add tags for coredns and kubedns 2018-08-07 20:55:38 +02:00
Robert Everson
4eadf3228e Only add admission plugins if defined 2018-08-07 11:25:03 -07:00
Robert Everson
99c5aa5a02 Use k8s default plugin list 2018-08-07 11:25:03 -07:00
Robert Everson
6ed65d762b Separate out plugins into 2 variables 2018-08-07 11:25:03 -07:00
Robert Everson
ac18f6cf8b Add support for admission controllers in 1.10 and above 2018-08-07 11:25:03 -07:00
Rong Zhang
e71f261935
Merge pull request #3068 from riverzhang/swap
Enable swap
2018-08-07 21:29:41 +08:00
rongzhang
b902602d16 Enable swap 2018-08-07 21:13:12 +08:00
Wong Hoi Sing Edison
538cb3b1bd weave: Upgrade to 2.4.0
Upstream Changes:

-   weave 2.4.0 (https://github.com/weaveworks/weave/releases/tag/v2.4.0)
-   Support `externalTrafficPolicy: Local` (https://github.com/weaveworks/weave/issues/2924)
-   Make the ipset list size bigger (https://github.com/weaveworks/weave/pull/3305)
-   Break out of kube rm-peers loop if nothing changes (https://github.com/weaveworks/weave/pull/3317)

Our Changes:

-   Revamp weave-net.yml.j2 with upstream changes
-   Add more variables for customization
-   Replace WEAVE_PASSWORD with k8s secret
-   Remove hard-corded seed mode support, in favor of variables customization
2018-08-07 18:34:51 +08:00
Wong Hoi Sing Edison
17e335c6a7 ingress-nginx: Upgrade to 0.17.1
Upstream Changes:

-   ingress-nginx 0.17.1 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.17.1)
-   Remove duplicated `securityContext` (https://github.com/kubernetes/ingress-nginx/pull/2705)
-   Remove --publish-service flag, in favor of DaemonSet + hostPort

Close #2998
Close #2999
2018-08-07 18:31:08 +08:00
Rong Zhang
280d6cac1a
Merge pull request #2997 from alvistack/cert-manager-0.4.0
cert-manager: Upgrade to 0.4.0
2018-08-07 18:00:46 +08:00
Rong Zhang
c288ffc55d
Merge pull request #2342 from southquist/add-ca-cert
allow for setting the cacert on openstack cloud provider
2018-08-07 17:46:01 +08:00
Rong Zhang
9075dbdd3c
Merge pull request #2875 from bradbeam/movault
Adding cluster_name to api cert alt name for vault
2018-08-07 17:36:04 +08:00
Rong Zhang
7850bce254
Merge pull request #2994 from DBLaci/master
dashboard_token_ttl option override possibility with default
2018-08-07 17:16:25 +08:00
Rong Zhang
3d19e03294
Merge pull request #3015 from podnov/kube_proxy_healthz_bind_address
Variablize kube_proxy_healthz_bind_address
2018-08-07 17:10:33 +08:00
Rong Zhang
b1f8bfdf7c
Merge pull request #3055 from reverson/17.09-docker
Add support for docker 17.09
2018-08-07 16:57:50 +08:00
Wong Hoi Sing Edison
0f400a113c cert-manager: Upgrade to 0.4.0
Upstream Changes:

-   cert-manager 0.4.0 (https://github.com/jetstack/cert-manager/releases/tag/v0.4.0)
2018-08-07 14:29:28 +08:00
Aleksey Shirokih
e8447e3d71
Service file binary place mismatch
According to cluster/binary.yml vault binary will be placed to `{{ bin_dir }}` and according to `inventory/sample/group_vars/all.yml` that is 
`inventory/sample/group_vars/all.yml`
2018-08-06 14:44:13 +03:00
rongzhang
ac644ed049 Fix yaml roles error 2018-08-05 18:48:07 +08:00
Rong Zhang
453fea1977
Merge pull request #3034 from cornelius-keller/library_fix
fix missing libraries on newer coreos versions
2018-08-05 12:54:03 +08:00
cornelius-keller
4b5cb1185f fix missing libraries on newer coreos versions 2018-08-03 15:29:05 +02:00
Robert Everson
275cdc1ce3 Add support for docker 17.09 2018-08-02 11:35:16 -07:00
DBLaci
d43f09081e
Merge pull request #1 from kubernetes-incubator/master
Follow upstream
2018-08-01 16:34:10 +02:00
woosley.xu
72074f283b set local for growpart part 2 2018-07-31 06:56:09 +08:00
woosley.xu
a5db3dbea9 set locale for growpart 2018-07-31 06:52:56 +08:00
Alexandre Ardhuin
9b349a9049 Fix label of registry in README 2018-07-27 11:42:21 +02:00
Seungkyu Ahn
0366600b45 Remove double slash
Even without this PR, the operation works well.
However, it is better to use a single slash rather than
a double slash in the path.
2018-07-20 07:34:33 +00:00
Evan Zeimet
6a4ce96b7d Variablize kube_proxy_healthz_bind_address
This fixes #3014
2018-07-19 14:19:09 -05:00
DBLaci
b61c64a8ea token-ttl default value is int in seconds 2018-07-19 12:15:47 +02:00
Takashi Okamoto
37ccf7e405 Fixed kubectl path. 2018-07-13 15:32:08 +00:00
DBLaci
cb91003cea dashboard_token_ttl option override possibility with default 2018-07-13 15:26:18 +02:00
Matthew Mosesohn
97e0de7e29
Fix vault file owner issues and k8s apiserver cert creation (#2985)
apiserver cert should be created only once
2018-07-11 14:58:02 +03:00
Rong Zhang
cf445fd4fe
Merge pull request #2930 from alvistack/ingress-nginx-0.16.1
ingress-nginx: Upgrade to 0.16.2
2018-07-10 14:42:37 +08:00
Aivars Sterns
72f053d9bb
Merge pull request #2972 from mattymo/force_cni_cp
Force copy cni files
2018-07-10 09:40:10 +03:00
Wong Hoi Sing Edison
a0defefb3f ingress-nginx: Upgrade to 0.16.2
ingress-nginx 0.16.2 (https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.16.2)

This patch simplify ingress-nginx deployment by default deploy on
master, with customizable options; on the other hand, remove the
additional Ansible group "kube-ingress" and its k8s node label
injection.

Reference to https://kubernetes.io/docs/concepts/services-networking/ingress/#prerequisites:

    GCE/Google Kubernetes Engine deploys an ingress controller on the master.

By changing `ingress_nginx_nodeselector` plus custom k8s node
label, user could customize the DaemonSet deployment target.

If `ingress_nginx_nodeselector` is empty, will deploy DaemonSet on
every k8s node.
2018-07-10 12:26:06 +08:00
Wong Hoi Sing Edison
62b1166911 cert-manager: Upgrade to 0.3.2
Upstream Changes:

-   cert-manager 0.3.2 (https://github.com/jetstack/cert-manager/releases/tag/v0.3.2)

Our Changes:

-   Remove legacy addon dir, manifests and namespace before upgrade
2018-07-10 08:48:44 +08:00
Rong Zhang
810596c6d8
Merge pull request #2974 from alvistack/cephfs-provisioner-1.1.0-k8s1.10
cephfs-provisioner: Upgrade to 1.1.0-k8s1.10
2018-07-09 13:53:07 +08:00
Rong Zhang
a488d55c2c
Merge pull request #2975 from daohoangson/remove_force_disable_kube_basic_auth
Remove step that disables `kube_basic_auth`.
2018-07-08 21:18:36 +08:00
Alexandru Bogdan Pica
e63bc65a9d Fix 2976
Fix failure when the container attribute is not set for a download
2018-07-08 13:36:47 +03:00
Dao Hoang Son
d306c9708c Remove step that force disable kube_basic_auth.
The referenced issue (https://github.com/kubernetes/kubeadm/issues/441) has already been fixed.
2018-07-08 16:57:43 +07:00
Wong Hoi Sing Edison
6a65345ef3 cephfs-provisioner: Upgrade to 1.1.0-k8s1.10
Upstream Changes:

-   Update CEPH_VERSION to mimic (https://github.com/kubernetes-incubator/external-storage/pull/841)

Our Changes:

-   Using image from official repo which contain latest changes (https://quay.io/repository/external_storage/cephfs-provisioner)
2018-07-08 00:37:08 +08:00
Matthew Mosesohn
1a3b9dd864 Force copy cni files 2018-07-06 16:39:42 +03:00
elementyang
8fee1ab102 change create to apply 2018-07-06 19:36:19 +08:00
Matthew Mosesohn
5c617c5a8b
Add tags to deploy components by --tags option (#2960)
* Add tags for cert serial tasks

This will help facilitate tag-based deployment of specific components.

* fixup kubernetes node
2018-07-06 09:12:13 +03:00
Matthew Mosesohn
0b939a495b
Improve vault etcd initialization check (#2959) 2018-07-05 12:27:45 +03:00
elementyang
5a4f07adca change the way of getting etcd_member_name 2018-07-05 00:06:37 +08:00
Aivars Sterns
4092f96dd8
Merge pull request #2946 from Miouge1/remove-pid-predicate
CheckNodePIDPressure is not supported in v1.10
2018-07-04 18:30:19 +03:00
elementyang
effd27a5f6 change the way that getting etcd_member_name 2018-07-03 22:02:44 +08:00
Rong Zhang
77c870b7d0
Merge pull request #2951 from alvistack/cephfs-provisioner-06fddbe2
cephfs-provisioner: Upgrade to 06fddbe2
2018-07-03 19:36:42 +08:00
Rong Zhang
32a6ca4fd6
Merge pull request #2948 from qeqar/remove-node-limit
move node selection from --limit to --extra-vars=node<nodename>"
2018-07-03 18:41:57 +08:00
Wong Hoi Sing Edison
728024e8ff cephfs-provisioner: Upgrade to 06fddbe2
-   cephfs-provisioner 06fddbe2 (https://github.com/kubernetes-incubator/external-storage/tree/06fddbe2/ceph/cephfs)

Noteable changes from upstream:

-   Added storage class parameters to specify a root path within the backing cephfs and, optionally, use deterministic directory and user names (https://github.com/kubernetes-incubator/external-storage/pull/696)
-   Support capacity (https://github.com/kubernetes-incubator/external-storage/pull/770)
-   Enable metrics server (https://github.com/kubernetes-incubator/external-storage/pull/797)

Other noteable changes:

-   Clean up legacy manifests file naming
-   Remove legacy manifests, namespace and storageclass before upgrade
-   `cephfs_provisioner_monitors` simplified as string
-   Default to new deterministic naming
-   Add `reclaimPolicy` support in StorageClass

With legacy non-deterministic naming style (where $UUID are generated ramdonly):

-   cephfs_provisioner_claim_root: /volumes/kubernetes
-   cephfs_provisioner_deterministic_names: false
-   Generated CephFS volume: /volumes/kubernetes/kubernetes-dynamic-pvc-$UUID
-   Generated CephFS user: kubernetes-dynamic-user-$UUID

With new default deterministic naming style (where $NAMESPACE and $PVC are predictable):

-   cephfs_provisioner_claim_root: /volumes
-   cephfs_provisioner_deterministic_names: true
-   Generated CephFS volume: /volumes/$NAMESPACE/$PVC
-   Generated CephFS user: k8s.$NAMESPACE.$PVC
2018-07-03 10:15:24 +08:00
Mark Eisenblaetter
b548f6f320 move node selection from --limit to --extra-vars=node<nodename>" 2018-07-02 20:04:36 +02:00
Nicolas Trangez
8bcad4f5ef Fix coreos_dual -> coredns_dual typo
See: e40368ae2b
2018-07-02 17:19:35 +02:00
Rong Zhang
31e6c44b07
Merge pull request #2924 from elementyang/make-ssl-etcd-pr
fix the time of ca files are changed in make-ssl-etcd
2018-07-02 20:44:20 +08:00
Matthew Mosesohn
77c910c1c3
Fixup vault etcd check (#2938)
* Fixup vault etcd

* Update main.yml
2018-07-02 15:37:37 +03:00
Matthew Mosesohn
c20196f9a0
Remove modprobe binary from kubelet rkt deployment (#2917) 2018-07-02 15:37:24 +03:00
Rong Zhang
f6a15b1829
Merge pull request #2918 from elementyang/fix-pr
fix add etcd_events_access_address
2018-06-30 11:55:38 +08:00
elementyang
7c22def422 add etcd_events_access_address 2018-06-30 07:32:29 +08:00
Rong Zhang
87e49f0055
Merge pull request #2921 from elementyang/index-out-of-range-pr
fix template index out of range for pull images
2018-06-30 00:53:53 +08:00
Matthew Mosesohn
a36e3fbec3
Add rkt gc task (#2945) 2018-06-29 19:53:21 +03:00
Miouge1
2a279e30b0 CheckNodePIDPressure is not supported in v1.10 2018-06-28 20:10:38 +02:00
southquist
c685dc493f allow for setting the cacert on openstack cloud provider 2018-06-28 16:00:13 +02:00
Andreas Krüger
e24f888bc4
Merge pull request #2923 from bradbeam/vaultrkt
Adding uuidfile for rkt based vault to properly cleanup after itself
2018-06-27 11:18:39 +02:00
Cédric de Saint Martin
a260412c7e fluentd daemonset: do not set arbitrary nodeSelector. 2018-06-25 15:19:56 +02:00
neith00
a643f72d93 No need to install rkt on CoreOS 2018-06-25 09:38:24 +02:00
Aivars Sterns
73a2a18006
Merge pull request #2795 from gfkse/baremetal-override-calico-hostname
Make Calico nodename overridable on bare metal
2018-06-25 08:45:09 +03:00
Rong Zhang
2ef05fb3b7
Merge pull request #2763 from ameukam/update_efk_stack
Update efk stack
2018-06-24 19:01:32 +08:00
Rong Zhang
e06d02365e
Merge pull request #2338 from southquist/template-openstack-storage-class
allow for configurable openstack storage class
2018-06-24 18:42:29 +08:00
elementyang
d6f2dbc723 fix the time of ca files are changed in make-ssl-etcd 2018-06-24 13:05:43 +08:00
Brad Beam
20dba8b388 Adding uuidfile for rkt based vault to properly cleanup after itself 2018-06-23 15:14:40 -05:00
Rong Zhang
f624ba47fb
Merge pull request #2922 from riverzhang/remove-node
Add run_once to remove-node
2018-06-23 15:09:16 +08:00
rongzhang
94aa062d51 Add run_once to remove-node 2018-06-23 07:05:24 +00:00
elementyang
c0935e161b fix template index out of range for pull images 2018-06-23 05:32:44 +08:00
elementyang
70fbc01cc1 fix etcd_events_access_addresses 2018-06-23 00:04:19 +08:00
Yumo Yang
6c2f169ea2 update test-pr2 (#2911) 2018-06-22 13:22:26 +03:00
Rong Zhang
1aee6ec371
Merge pull request #2903 from riverzhang/swap
Add manage swap on the worker node
2018-06-21 22:20:23 +08:00
Erwan Miran
d3fdfee211 Only subdirectories in /var/lib/kubelet should be unmounted 2018-06-21 11:50:02 +02:00
rongzhang
3232e2743e Add manage swap on the worker node 2018-06-21 08:15:01 +00:00
Andreas Krüger
cbb959151c
Merge pull request #2737 from Miouge1/update-scheduler
Update kube-scheduler policy
2018-06-19 14:53:22 +02:00
Andreas Krüger
c3d8b131db
Merge pull request #2801 from dvazar/bugfix/undefined__network_plugin__variable
Fixed "network_plugin" variable
2018-06-19 10:01:06 +02:00
Andreas Krüger
236d1a448d
Merge pull request #2898 from kubernetes-incubator/default_true_authtoken
Enable by default the kubelet token auth
2018-06-19 09:56:32 +02:00
Matthew Mosesohn
61e97251a5 Improve variable handling for disabling etcd events cluster 2018-06-18 16:58:29 +03:00
Antoine Legrand
c192a01b20 Enable by default the kubelet token auth 2018-06-18 14:20:05 +02:00
Henry Finucane
3ad9e9c5eb Fix #2261 by supporting Red Hat's limited PATH
Red Hat has this theory that binaries in sbin are too dangerous to be on
the default path, but we need them anyway.

RH7 has /sbin and /usr/sbin as symlinks, so that is no longer important.

I'm adding it to the `PATH` instead of making the path to `modinfo`
absolute because I am worried about breaking support for other
distributions.
2018-06-15 12:49:22 -07:00
Julien Mailleret
6aaaf4a272 Limit the maximum number of revisions saved per helm release (#2894)
* Limit the maximum number of revisions saved per helm release
2018-06-15 12:50:18 +02:00
Andreas Krüger
cd64f41524
Merge pull request #2844 from chechiachang/fix-inconsistent-variable-in-task-name-and-msg
Fix inconsistent variables in task name and task message
2018-06-15 09:19:31 +02:00
Andreas Krüger
df279b1ff6
Merge pull request #2890 from drekle/bugfix/dns-domain-incorrect-for-coredns
CoreDNS uses cluster_name instead of dns_domain
2018-06-15 09:06:11 +02:00
Andreas Krüger
6ac601fd2d
Merge pull request #2876 from neith00/docker_iptables
parametrized iptables options for docker daemon
2018-06-14 22:23:27 +02:00
Andreas Krüger
3a569c9dcb
Merge pull request #2750 from w-leads/feature/add-vmname-to-vcp-config
Add vm_name option to vsphere cloud provider config
2018-06-14 22:22:34 +02:00
neith00
f2f1e7f9d1 parametrized iptables options for docker daemon 2018-06-14 12:16:16 +02:00
Rong Zhang
0686b8452e
Merge pull request #2860 from alvistack/cert-manager-0.3.0
cert-manager: Upgrade to v0.3.0
2018-06-14 10:35:23 +08:00
Derek Lemon
1e98e8444e Using dns domain instead of cluster name for coredns, incase they differ 2018-06-13 18:52:35 +00:00
Wong Hoi Sing Edison
291dd1aca8 Fixup #2545, cephfs-provisioner: Individual Namespace for Add-on 2018-06-13 21:52:58 +08:00
Wong Hoi Sing Edison
38da0adead cert-manager: Upgrade to v0.3.0 2018-06-13 21:47:44 +08:00
Rong Zhang
81b3343796
Merge pull request #2857 from alvistack/ingress-nginx-0.15.0
ingress-nginx: Upgrade to 0.15.0
2018-06-13 21:16:17 +08:00
Brad Beam
3d819a6edd Adding cluster_name to api cert alt name for vault 2018-06-12 14:15:07 -05:00
rongzhang
20bd656975 Reconfigure kube-proxy to access kube-apiserver via the LB(kubeadm) 2018-06-12 12:53:50 +00:00
Frank Ritchie
cfe939ff08 Tolerate NoSchedule by default 2018-06-11 20:10:13 -04:00
Wong Hoi Sing Edison
9f245dd9b2 ingress-nginx: Upgrade to 0.15.0 2018-06-08 16:05:15 +08:00
Rong Zhang
10c9fe96b0
Merge pull request #2859 from riverzhang/nginx
Fix nginx-proxy HA when kubeadm enable
2018-06-08 01:10:01 +08:00
Rong Zhang
42b24616ac
Merge pull request #2856 from alvistack/kubernetes-1.10.4
Upgrade Kubernetes to 10.0.4 and etcd to 3.2.18
2018-06-07 23:54:03 +08:00
rongzhang
f9ccb93825 Fix nginx-proxy HA when kubeadm enable 2018-06-07 14:27:19 +00:00
Aivars Sterns
daeea75fbb
Merge pull request #2835 from oracle/bm_fix-apiserver-access-ip
roles/kubernetes/client: kubeconfig template should use access_ip
2018-06-07 11:50:57 +03:00
Wong Hoi Sing Edison
0ad0202e8f Upgrade Kubernetes to 10.0.4 and etcd to 3.2.18 2018-06-07 16:20:29 +08:00
Brad Beam
1f02cc70f1
Merge pull request #2825 from dshuvar/dshuvar/docker-options.conf
Changed /etc/systemd/system/docker.service.d/docker-options.conf file for successful parsing mount aguments
2018-06-06 12:56:18 -05:00
Brad Beam
fe010504aa
Merge pull request #2851 from bradbeam/vaultnotify
Adding wait for vault up handler in service restart
2018-06-06 12:49:03 -05:00
Brad Beam
63a458063b Adding missing rkt template for etcd-events 2018-06-06 10:43:30 -05:00
Brad Beam
a8715f9f0f Adding wait for vault up handler in service restart 2018-06-06 10:40:27 -05:00
Matthew Mosesohn
59be578842
Revert "wip pr for improved cert sync" (#2849) 2018-06-06 17:22:25 +03:00
Aivars Sterns
cb0a257349
Merge pull request #2819 from oleh-ozimok/fix-cidr-assert
Fix enough network address space assert
2018-06-06 07:32:16 +03:00
Di Xu
1081f620d2 add support for non-amd64 arch gcr.io images
Currently all the gcr.io images used in kubespray can only run on x86.
Also gcr.io has not fully support multi-arch docker images.

Add extra var "image_arch" (default is amd64) to support running other
platforms, like arm64.

Change-Id: I8e1c9af533c021cb96ade291a1ce58773b40e271
2018-06-05 17:29:02 +08:00
David Chang
e1cfe83825 Fix inconsistent variables in task name and task message 2018-06-05 16:45:02 +08:00
Di Xu
6019a84fb3 Update docker package info for aarch64
Missing corresponding package docker-engine on aarch64, use docker instead.

Change-Id: If5df58337746a81752b5d477e0473600eaee8381
2018-06-05 16:30:28 +08:00
Di Xu
f4d762bb95 fix docker opts incompatible running on aarch64 Redhat/Centos
On Aarch64, the default cgroup driver for docker is systemd
instead of cgroupfs. Should conform kubelet to use systemd
as cgroup driver as well to keep it consistent with docker.

Without this change, below exception will be raised.
/usr/bin/docker-current: Error response from daemon: shim
error: docker-runc not installed on system.

Change-Id: Id496ec9eaac6580e4da2f3ef1a386c9abc2a5129
2018-06-05 16:17:16 +08:00
Aivars Sterns
69ea28e187
Merge pull request #2827 from mattymo/testpr
wip pr for improved cert sync
2018-06-04 12:43:00 +03:00
Ben Meier
2f5a9e180c kubernetes/client: kubeconfig template should use the access_ip for the chosen master node 2018-06-04 09:51:05 +01:00
Dmitry
f912a4ece5 Fix compare AnsibleUnsafeText with int (#2828) 2018-06-04 11:34:10 +03:00
Rong Zhang
d1e66f9cc8 Add label to kubelet env for kubeadm deploy cluster (#2841) 2018-06-04 11:26:47 +03:00
Aivars Sterns
b67cf74c5e
Merge pull request #2823 from scality/dashboard_in_cluster_info
Dashboard in cluster info
2018-05-31 15:48:25 +03:00
Erwan Miran
11d87ecc37 removed surnumerary definition of contiv_etcd_init_image_* (already in download role) 2018-05-31 00:02:11 +02:00
Matthew Mosesohn
7433348aae wip pr for improved cert sync 2018-05-30 12:15:11 +03:00
Erwan Miran
3673ed6262 include contiv_etcd_init_image to downloads role 2018-05-29 17:05:33 +02:00
Dmitrii Shuvar
16f860bbc2
Update docker-options.conf.j2
Changed /etc/systemd/system/docker.service.d/docker-options.conf file for successful parsing mount aguments
try fix ci error previous commit
2018-05-29 12:40:33 +03:00
dshuvar
d973ecf5cc fix error message: '[/etc/systemd/system/docker.service.d/docker-options.conf:3] Failed to parse mount flag , ignoring.' 2018-05-28 18:23:15 +03:00
Julien Girardin
f88cd27686 Add dashboard url as part of kubectl cluster-info output 2018-05-28 11:46:11 +02:00
Erwan Miran
2a4fc70e1c contiv-etcd-init image as default instead hardcoded 2018-05-28 11:11:18 +02:00
Oleg Ozimok
38f7ba2584 Fix enough network address space assert 2018-05-27 18:01:17 +03:00
dvazar
b3f9cae820 fixed a check unknown networks (cilium & contiv) 2018-05-22 16:43:19 +07:00
Andreas Krüger
a67bdff28c
Merge pull request #2743 from mrostecki/opensuse-tumbleweed-openssl
opensuse: Fix OpenSSL package name
2018-05-22 11:21:04 +02:00
Andreas Krüger
e3c8b230a0
Merge pull request #2806 from Miouge1/no-kpm
Remove KPM support
2018-05-22 11:17:52 +02:00
Miouge1
095d33bc51 Remove KPM support 2018-05-21 22:28:08 +02:00
Mikhail Vasilenko
821966b319 Update Helm version to 2.9.1 2018-05-21 17:36:51 +03:00
dvazar
4b8daa22f6 Fixes #2800 2018-05-19 00:57:09 +07:00
Andreas Krüger
e60a63ea51
Merge pull request #2577 from woopstar/etcd-fix-4
Makeover of etcd- and etcd-cluster setup.
2018-05-16 20:49:54 +02:00
Andreas Krüger
a2a7bcd43d
Merge pull request #2786 from cruwe/cjr-assert-maximum-pods-on-node-cidr
assert that number of pods on node does not exceed CIDR address range
2018-05-16 19:57:43 +02:00
Christopher J. Ruwe
c1bc4615fe assert that number of pods on node does not exceed CIDR address range
The number of pods on a given node is determined by the  --max-pods=k
directive. When the address space is exhausted, no more pods can be
scheduled even if from the --max-pods-perspective, the node still has
capacity.

The special case that a pod is scheduled and uses the node IP in the
host network namespace is too "soft" to derive a guarantee.

Comparing kubelet_max_pods with kube_network_node_prefix when given
allows to assert that pod limits match the CIDR address space.
2018-05-16 11:55:46 +00:00
Aivars Sterns
eba486f229 add posibility to provide different yum repository directory (#2787) 2018-05-16 13:56:04 +03:00
Andreas Krüger
4ac79993e2
Merge pull request #2666 from AnatolyRugalev/master
Added MountFlags variable to docker options
2018-05-16 09:34:34 +02:00
Matthew Mosesohn
7c93e71801
Upgrade k8s to 1.10.2 (#2748)
* Upgrade k8s to 1.10.2

Bumped etcd version to 3.2.16 as recommended

* Add ipvs fix for v1.10

* change flannel addons test to ha
2018-05-15 16:00:29 +03:00
Andreas Krüger
1be399ab7b
Merge pull request #2772 from cruwe/cjr-correct-perms-on-kubeconfig
make admin.conf -> .kube/config non-executable
2018-05-15 13:26:33 +02:00
Anatoly Rugalev
eae4fa040a Added docker_mount_flags option (fixes #2624) 2018-05-15 11:57:18 +02:00
Christopher J. Ruwe
73800ef111 make certificates non-executable 2018-05-15 07:54:32 +00:00
rongzhang
742a8782dd Bump kube-dns to 1.14.10
Upgrade kube-dns to 1.14.10
https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dns
2018-05-15 03:29:10 +00:00
Arnaud Meukam
cd7c58e8d3 correct some indentation issues in the fluentd daemonset. 2018-05-14 19:56:18 +02:00
Daniel Mohr
476b14b06e Make Calico nodename overridable on bare metal
Signed-off-by: Daniel Mohr <daniel.mohr@supercrunch.io>
2018-05-14 14:13:51 +02:00
Christopher J. Ruwe
49d106f615 make admin.conf -> .kube/config non-executable
Almost certainly, the .kube/config file (YAML) should not be executable.
2018-05-14 09:29:48 +00:00
Miouge1
ad48606e4e Restart scheduler when policy changes 2018-05-14 10:09:30 +02:00
Arnaud Meukam
c75da43f22 add missing field in fluentd 2018-05-13 21:39:27 +02:00
Arnaud Meukam
65f14f636d remove support of other CRI runtimes than Docker in the efk stack 2018-05-13 18:37:36 +02:00
Arnaud Meukam
363627d9f8 serviceName added in elasticsearch. Required when a Statefulset is used 2018-05-13 14:23:37 +02:00
Arnaud Meukam
7950a49e28 update fluentd deployment and configmap 2018-05-11 18:56:14 +02:00
Arnaud Meukam
698da78768 update kibana docker image 2018-05-11 18:36:50 +02:00
Arnaud Meukam
ba320e918d update elasticsearch image 2018-05-11 18:22:44 +02:00
Matthew Mosesohn
07cc981971
refactor vault role (#2733)
* Move front-proxy-client certs back to kube mount

We want the same CA for all k8s certs

* Refactor vault to use a third party module

The module adds idempotency and reduces some of the repetitive
logic in the vault role

Requires ansible-modules-hashivault on ansible node and hvac
on the vault hosts themselves

Add upgrade test scenario
Remove bootstrap-os tags from tasks

* fix upgrade issues

* improve unseal logic

* specify ca and fix etcd check

* Fix initialization check

bump machine size
2018-05-11 19:11:38 +03:00
woopstar
7df5edef52 Fix path for pip and python 2018-05-11 16:01:52 +02:00
Cédric de Saint Martin
7507031cb1 CoreOS bootstrap: set bin_dir and PATH for pip. 2018-05-08 22:20:58 +02:00
Ryo Nishikawa
51a9379d3c Add vm_name option to vsphere cloud provider config 2018-05-08 12:23:58 -07:00
Andreas Krüger
d73d60c9b0
Merge pull request #2600 from maximegaillard/master
Add Openstack tenant name
2018-05-08 12:03:01 +02:00
Andreas Krüger
004b4a0436
Merge pull request #2729 from Ashon/issues/fix-python-compat
Use 'items()' for python compatibility
2018-05-08 12:02:28 +02:00
Andreas Krüger
67ce8925e4
Merge pull request #2742 from woopstar/coredns-update
Update CoreDNS to version 1.1.2
2018-05-08 12:01:42 +02:00
Michal Rostecki
066016cd3e opensuse: Fix OpenSSL package name
OpenSSL 1.1 package in openSUSE Tumbleweed is named openssl-1_1,
not openssl-1_1_0.
2018-05-08 10:03:30 +02:00
Andreas Krüger
28d6eb6af1
Merge pull request #2644 from cp3hu/master
Fix apiserver manifest and kubelet for kube version < 1.9
2018-05-08 09:22:36 +02:00
woopstar
1a47a9b850 Update CoreDNS to version 1.1.2 2018-05-08 09:14:01 +02:00
Miouge1
70e0998a70 Update kube-scheduler policy 2018-05-03 21:56:51 +02:00
Chad Swenson
595e96ebf1
Merge pull request #2693 from romaindequidt/sync-certs-tasks-fix
sync certs tasks (fix #2596 #2667)
2018-05-02 12:17:23 -05:00
woopstar
4c81cd2a71 Merge branch 'master' of https://github.com/kubernetes-incubator/kubespray into etcd-fix-4 2018-05-02 14:45:58 +02:00
Andreas Kruger
32a8ea8094 Fix wrong var used 2018-05-02 12:44:05 +02:00
ashon
fb465f8b4b Use 'items()' for python compatibility 2018-05-01 16:55:50 +09:00
Wong Hoi Sing Edison
3501eb6916 ingress-nginx: Upgrade to 0.14.0 2018-05-01 15:42:07 +08:00
Maxime Gaillard
00db751646 Add Openstack tenant name 2018-05-01 09:21:37 +02:00
Tomasz Majchrowski
59789ae02a ISSUE-2706: Provide consistent usage of supplementary_addresses_in_ssl_keys across vault and script mode (#2707) 2018-04-30 14:48:17 +03:00
Andreas Krüger
414e420bd2
Merge pull request #2701 from desaintmartin/netchecker-update
Update netchecker to v1.2.2.
2018-04-30 10:55:18 +02:00
Andreas Krüger
03de4c0806
Merge pull request #2695 from suzutan/add-oidc-prefix-args
Add oidc-user-prefix and oidc-group-prefix args
2018-04-30 09:17:02 +02:00
Andreas Krüger
4fb8e6d455
Merge pull request #2653 from kidk/fixed-incorrect-mem-tag
Replaced 'mem' with 'memory/ in elasticsearch and kibana deployment
2018-04-30 09:14:15 +02:00
mirwan
06cdb260f6 labelvalue must be formatted to handle non string values (#2722) 2018-04-29 19:02:14 +03:00
mirwan
c3c5817af6 sysctl file should be in defaults so that it can be overriden (#2475)
* sysctl file should be in defaults so that it can be overriden

* Change sysctl_file_path to be consistent with roles/kubernetes/preinstall/defaults/main.yml
2018-04-27 18:50:58 +03:00
Markos Chandras
9168c71359 Revert "Revert "Add openSUSE support" (#2697)" (#2699)
This reverts commit 51f4e6585a.
2018-04-26 12:52:06 +03:00
Matthew Mosesohn
1a14f1ecc1
Fix vol format for local volume provisioner in rkt (#2698) 2018-04-24 20:32:08 +03:00
Cédric de Saint Martin
44cb126e7d Update netchecker to v1.2.2.
Using official image from mirantis at dockerhub.
2018-04-24 09:13:56 +02:00
Matthew Mosesohn
51f4e6585a
Revert "Add openSUSE support" (#2697) 2018-04-23 14:28:24 +03:00
Suzuka Asagiri
f81e6d2ccf
Add oidc-user-prefix and oidc-group-prefix args 2018-04-23 12:23:59 +09:00
Romain DEQUIDT
80dd230a65 sync certs tasks (fix #2596 #2667) 2018-04-22 10:00:31 +02:00
Paul Montero
75950344fb
run_once pre_upgrade tasks which are executing in localhost 2018-04-19 11:38:13 -05:00
Matthew Mosesohn
0945eb990a
Make it possible to skip docker role as a var (#2686) 2018-04-19 16:47:20 +03:00
Andreas Krüger
a498cc223b
Merge pull request #2673 from hswong3i/cephfs-provisioner-a71a49d4
cephfs-provisioner: Upgrade to a71a49d4
2018-04-19 11:39:10 +02:00
Andreas Krüger
9707aa8091
Merge pull request #2677 from woopstar/bootstrap-fix-1
Properly check need_pip, always run pip to check if needed
2018-04-19 09:23:26 +02:00
Spencer Smith
49c6bf8fa6 support custom env vars for etcd 2018-04-18 14:03:24 -04:00
Samuel Vandamme
296b92dbd4 Replaced 'mem' with 'memory/ in elasticsearch and kibana deployment 2018-04-18 11:25:29 +02:00
Andreas Krüger
b2756d148a
Merge pull request #2671 from hswong3i/cert-manager-0.2.4
cert-manager: Upgrade to v0.2.4
2018-04-18 10:17:39 +02:00
woopstar
756af57787 Properly check need_pip, always run pip to check if needed
pip was always being downloaded on subsequent runs, This PR always runs the pip command, and checks the rc of it before downloading pip

Fix in favor of #2582
2018-04-18 10:15:46 +02:00
Andreas Krüger
cb7096f2ec
Merge pull request #2672 from hswong3i/ingress-nginx-0.13.0
ingress-nginx: Upgrade to 0.13.0
2018-04-18 10:10:13 +02:00
Wong Hoi Sing Edison
d435e17681 cephfs-provisioner: Upgrade to a71a49d4 2018-04-17 13:41:34 +08:00
Wong Hoi Sing Edison
23e9737b85 ingress-nginx: Upgrade to 0.13.0 2018-04-17 12:19:44 +08:00
Wong Hoi Sing Edison
54beb27eaa cert-manager: Upgrade to v0.2.4 2018-04-17 12:08:10 +08:00
Wong Hoi Sing Edison
7968437a65 Weave: Upgrade to 2.3.0 2018-04-17 08:51:24 +08:00
Aivars Sterns
4b4786f75d
Merge pull request #2381 from vikas027/inventory_fixes
Replaced ansible_ssh_host with ansible_host in sample inventory file and fixed usage of bastion
2018-04-16 10:06:19 +03:00
Matthew Mosesohn
02cd5418c2
Weave limits (#2660)
* Raise limits for weave

* Adjust weave limits
2018-04-15 18:32:49 +03:00
Matthew Mosesohn
49e3665d96
Remove prometheus operator from Kubespray (#2658)
Kubespray should not install any helm charts. This is a task
that a user should do on his/her own through ansible or another
tool. It opens the door to wrapping installation of any helm
chart.
2018-04-13 18:53:39 +03:00
Matthew Mosesohn
e95ba800ea
Define local volume provisioner dirs in defaults (#2656) 2018-04-13 17:23:10 +03:00
Aivars Sterns
5d9bb300d7
Merge pull request #2646 from Atoms/fix-sync-container
move when condition to main.yml
2018-04-13 09:10:21 +03:00
Matthew Mosesohn
f73717ea35
Mount local volume provisioner dirs for containerized kubelet (#2648) 2018-04-12 22:55:13 +03:00
Aivars Sterns
1967963702
Merge pull request #2380 from hwoarang/add-opensuse-support
Add openSUSE support
2018-04-12 20:28:50 +03:00
Chad Swenson
d87b6fd9f3 Use dedicated front-proxy-ca for front-proxy-client 2018-04-12 11:03:22 -05:00
Chad Swenson
a6a47dbc96
Merge pull request #2617 from bradbeam/savaultcert
Adding missing service-account certificate for vault
2018-04-12 11:02:24 -05:00
Matthew Mosesohn
61791bbb3d Remove condition for docker pull when using download delegate 2018-04-12 19:01:13 +03:00
Aivars Sterns
298c6cb790
Merge pull request #2633 from grebois/patch-3
Enabling MutatingAdmissionWebhook for Istio Automatic sidecar injection
2018-04-12 11:53:58 +03:00
Matthew Mosesohn
3fa7468d54 Copy ca-key.pem to etcd and kube-masters accordingly 2018-04-12 10:17:54 +03:00
Markos Chandras
02bf742e15 roles: rkt: Add support for SUSE distributions
The RPM file that's provided by upstream can be used for SUSE
distributions as well. Moreover we simplify the playbook to use
the 'package' module to install packages across different distros.

Link: https://github.com/rkt/rkt/pull/3904
2018-04-11 20:55:20 +01:00
Markos Chandras
d07f75b389 roles: kubernetes: secrets: Add SUSE support
Add path for certificate location for SUSE distributions. Also make sure
the 'update-ca-certificates' command is executed on SUSE hosts as well.
2018-04-11 20:55:02 +01:00
Markos Chandras
2d34781259 roles: etcd: Add support for SUSE distributions
Add path for certificate location for SUSE distributions. Also make sure
the 'update-ca-certificates' command is executed on SUSE hosts as well.
2018-04-11 20:53:43 +01:00
Markos Chandras
cdb63a8c49 roles: docker: Ensure service is started if docker is already installed
If the 'docker' package is already installed, then the handlers will not
run and the service will not be (re-)started. As such, lets make sure
that the service is started even if the packages are already installed.
2018-04-11 17:46:14 +01:00
Markos Chandras
44a0626fc8 roles: docker: Add support for SUSE distributions
Add support for installing Docker on SUSE distributions. The Docker
repository at https://yum.dockerproject.org/repo/main/ does not support
recent openSUSE distributions so the only alternative is to use the
packages from the distro repositories. This however renders the
'docker_version' Ansible variable useless on SUSE.
2018-04-11 17:46:14 +01:00
Nirmoy Das
45eac53ec7 roles: kubernetes: preinstall: Install openssl-1.1.0 on Tumbleweed
The openssl package on Tumbleweed is actually a virtual package covering
openssl-1.0.0 and openssl-1.1.0 implementations. It defaults to 1.1.0 so
when trying to install it and openssl-1.0.0 is installed, zypper fails
with conflicts. As such, lets explicitly pull the package that we need
which also updates the virtual one.

Co-authored-by: Markos Chandras <mchandras@suse.de>
2018-04-11 17:46:14 +01:00
Markos Chandras
e42203a13e roles: kubernetes: preinstall: Add SUSE support
Add support for installing package dependencies and refreshing metadata
on SUSE distributions

Co-authored-by: Nirmoy Das <ndas@suse.de>
2018-04-11 17:46:14 +01:00
Nirmoy Das
4ba25326ed roles: bootstrap-os: Use 'hostname' command on Tumbleweed
openSUSE Tumbleweed is having the same problems with CoreOS when it
comes to using the hostname ansible module (#1588, #1600) so we need
to apply a similar workaround.

Co-authored-by: Markos Chandras <mchandras@suse.de>
Link: http://bugzilla.opensuse.org/show_bug.cgi?id=997614
2018-04-11 17:46:14 +01:00
Markos Chandras
dca4777347 roles: bootstrap-os: Add support for SUSE distributions
Install some required packages when running on SUSE distributions.
2018-04-11 17:46:14 +01:00
Atoms
6c954df636 move when condition to main.yml 2018-04-11 12:05:33 +03:00
Christian Phu
3535c29e59 Fix apiserver manifest for kube version < 1.9 2018-04-10 18:17:56 +02:00
Marcelo Grebois
88765f62e6
Updating order
https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
2018-04-10 17:17:39 +02:00
Robin Skahjem-Eriksen
0f35e17e23 Fix new envvar for setting openstack_tenant_id (#2641)
Changed from OS_PROJECT_ID to OS_PROJECT_NAME.
2018-04-10 17:23:31 +03:00
Brad Beam
77b3f9bb97 Removing default for volume-plugins mountpoint (#2618)
All checks test if this is defined meaning there is no way to undefine it.
2018-04-10 17:19:25 +03:00
Matthew Mosesohn
45f15bf753
Revert "Fix new envvar for setting openstack_tenant_id" (#2640) 2018-04-10 14:37:24 +03:00
Aivars Sterns
913cc5a9af
Merge pull request #2639 from ironhouzi/openstack_tenant_id_fix
Fix new envvar for setting openstack_tenant_id
2018-04-10 14:35:28 +03:00
Aivars Sterns
a46acfcdd8
Merge pull request #2627 from mattymo/no_more_do_do
Remove jinja2 dependency of do
2018-04-10 14:32:29 +03:00
Robin Skahjem-Eriksen
0c0f6b755d Fix new envvar for setting openstack_tenant_id
Changed from OS_PROJECT_ID to OS_PROJECT_NAME.
2018-04-10 13:30:48 +02:00
Vikas Kumar
94eb18b3d9 Replaced ansible_ssh_host with ansible_host in sample inventory file as the former is deprecated since Ansible v2.0
Fixed the reference of ansible_user in kubespray-defaults role

References:
 - http://docs.ansible.com/ansible/latest/intro_inventory.html
2018-04-10 15:21:40 +10:00
Marcelo Grebois
4c12b273ac
Enabling MutatingAdmissionWebhook for Istio Automatic sidecar injection
https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection
2018-04-09 12:49:05 +02:00
Atoms
b68854f79d fix kubectl download location and kubectl.sh helper owner/group remove 2018-04-09 13:19:26 +03:00
Matthew Mosesohn
f954bc0a5a Remove jinja2 dependency of do
While `do` looks cleaner, forcing this extra option in ansible.cfg
seems to be more invasive. It would be better to keep the traditional
approach of `set dummy = ` instead.
2018-04-09 12:27:53 +03:00
rongzhang
66b61866cd Fix check docker error for atomic
Fix issues #2611
2018-04-08 17:53:16 +08:00
Brad Beam
dfc46f02d7 Adding missing service-account certificate for vault
Missed in #2554
2018-04-06 15:29:52 -05:00
Daniel Hoherd
ca40d51bc6 Fix typos (no logic changes) 2018-04-05 15:54:58 -07:00
Chen Hong
973e7372b4 content: | 2018-04-04 23:05:27 +08:00
Chen Hong
b54e091886 Persist ip_vs modules 2018-04-04 18:18:51 +08:00
Andreas Krüger
6c220e4e4b
Merge pull request #2495 from holmsten/rotate-provisioner-token
Rotate local-volume-provisioner token
2018-04-04 10:21:12 +02:00
Andreas Krüger
2511e14289
Merge pull request #2346 from Miouge1/kube-scheduler-mode
Use legacy policy config to apply the scheduler policy
2018-04-04 10:20:51 +02:00
Andreas Krüger
0f5ea5474c
Merge pull request #2593 from vterdunov/fix-check-vsphere_cloud_provider
Properly check vsphere_cloud_provider.rc
2018-04-03 20:35:59 +02:00
Andreas Krüger
6567b8e012
Merge pull request #2590 from hswong3i/istio-download
istio: container download related things should defined in the download role
2018-04-03 13:57:43 +02:00
Wong Hoi Sing Edison
428a554ddb istio: container download related things should defined in the download role 2018-04-03 14:29:50 +08:00
Xiaoxi He
32f4194cf8 Bump ingress-nginx-controller to version 0.12.0 2018-04-03 10:39:17 +08:00
georgejdli
76bb5f8d75 check if dedicated service account token signing key exists 2018-04-02 10:57:24 -05:00
vterdunov
4b98537f79
Properly check vsphere_cloud_provider.rc 2018-04-02 18:45:42 +03:00
Andreas Krüger
cac2196ad5
Merge pull request #2575 from hswong3i/local-volume-provisioner-download
local-volume-provisioner: container download related things should defined in the download role
2018-04-02 10:32:43 +02:00
Andreas Krüger
ba24fe3226
Merge pull request #2570 from avoidik/transfer-cloud-configs
Move cloud config configurations to proper location
2018-04-02 10:31:38 +02:00
Matthew Mosesohn
3004791c64
Add pre-upgrade task for moving credentials file (#2394)
* Add pre-upgrade task for moving credentials file

This reverts commit 7ef9f4dfdd.

* add python interpreter workaround for localhost
2018-04-02 11:19:23 +03:00
Wong Hoi Sing Edison
b1a7889ff5 local-volume-provisioner: container download related things should defined in the download role 2018-04-02 13:50:11 +08:00
woopstar
86e3506ae6 Etcd cluster setup makeover
The current way to setup the etc cluster is messy and buggy.

- It checks for cluster is healthy before the cluster is even created.
- The unit files are started on handlers, not in the task, so you mess with "flush handlers".
- The join_member.yml is not used.
- etcd events cluster is not configured for kubeadm
- remove duplicate runs between running the role on etcd nodes and k8s nodes
2018-04-01 21:38:33 +02:00
Wong Hoi Sing Edison
4f714b07b8 cephfs-provisioner: container download related things should defined in the download role 2018-04-01 20:35:44 +08:00
Wong Hoi Sing Edison
4c0e9ba890 registry: container download related things should defined in the download role 2018-04-01 06:51:57 +08:00
Andreas Krüger
deac627dc7
Merge pull request #2571 from hswong3i/ingress-nginx-download
ingress-nginx: container download related things should defined in the download role
2018-03-31 20:51:50 +02:00
bobahspb
16961f69f2
Merge branch 'master' into master 2018-03-31 21:48:39 +03:00
Andreas Krüger
b9b028a735 Update etcd deployment to use correct cert and key (#2572)
* Update etcd deployment to use correct cert and key

* Update to use admin cert for etcdctl commands

* Update handler to use admin cert too
2018-03-31 14:06:09 -04:00
Wong Hoi Sing Edison
5fe144aa0f ingress-nginx: container download related things should defined in the download role 2018-04-01 00:22:33 +08:00
Andreas Krüger
5b0da4279f
Merge pull request #2543 from hswong3i/cert-manager-0.2.3
Integrate jetstack/cert-manager 0.2.3 to Kubespray
2018-03-31 18:15:25 +02:00
Andreas Krüger
1ac978b8fa
Merge pull request #2567 from mirwan/node_labels_doc_plus_kube_ingress_handling
node_labels documentation and kube-ingress label definition as role_node_label
2018-03-31 18:05:52 +02:00
Wong Hoi Sing Edison
195d6d791a Integrate jetstack/cert-manager 0.2.3 to Kubespray 2018-03-31 19:29:11 +08:00
avoidik
aa301c31d1 Move credential checks into proper folder 2018-03-31 13:29:00 +03:00
Andreas Krüger
d9418b1dc4
Merge pull request #2554 from georgejdli/fix-sa-token-signing
Fix kubespray's ServiceAccount token signing keys
2018-03-31 09:59:22 +02:00
Andreas Krüger
2c89a02db3 Only download container/file if host is in defined group (#2565)
* Only download container/file if host is in defined group

* Set correct when clause

* Fix last entries

* Update download groups
2018-03-30 22:40:01 -04:00
Chad Swenson
0ca08e03af
Merge pull request #2566 from woopstar/etcd-fix-2
Fix etcd from import task to include task
2018-03-30 20:53:32 -04:00
avoidik
15efdf0c16 Move credential checks 2018-03-31 03:26:37 +03:00
avoidik
ab8760cc83 Move credentials pre-check 2018-03-31 03:24:57 +03:00
avoidik
b6da596ec1 Move default configuration parameters for cloud-config 2018-03-31 03:18:23 +03:00
avoidik
3c12c6beb3 Move cloud config configurations to proper location 2018-03-31 02:59:59 +03:00
Erwan Miran
8ece922ef0 node_labels documentation + kube-ingress label handling as role_node_label 2018-03-31 00:36:11 +02:00
Andreas Krüger
887a468d32
Merge pull request #2562 from avoidik/fix-indexes-pr-2251
Fix kubecert_node.results indexes
2018-03-31 00:16:11 +02:00
woopstar
859a7f32fb Fix import task. Has to be include task to evalutate etcd_cluster_setup variable at run time 2018-03-31 00:06:34 +02:00
Andreas Krüger
1f28764ca1
Merge pull request #2512 from woopstar/hyperkube-fix-1
Switch hyperkube from CoreOS to Google
2018-03-30 21:58:03 +02:00
Andreas Krüger
76cb37d6b5
Merge pull request #2544 from woopstar/cert-fix-2
Update openssl.conf to count better and work with Jinja 2.9
2018-03-30 21:57:17 +02:00
Andreas Krüger
7ddd4cd38c
Merge pull request #2561 from rsmitty/no_proxy
only set no_proxy if other proxy vars are defined
2018-03-30 21:43:23 +02:00
Andreas Krüger
c1eb975545
Merge pull request #2557 from chenhonggc/vault_health_check_delay
Maybe vault health check needs delay
2018-03-30 21:39:15 +02:00
georgejdli
572ab650db copy dedicated service account token signing key for kubeadm migration 2018-03-30 13:03:32 -05:00
avoidik
72c2a8982b Fix kubecert_node.results indexes 2018-03-30 17:24:50 +03:00
Spencer Smith
13c57147eb only set no_proxy if other proxy vars are defined 2018-03-30 09:48:55 -04:00
Matthew Mosesohn
03bcfa7ff5
Stop templating kube-system namespace and creating it (#2545)
Kubernetes makes this namespace automatically, so there is
no need for kubespray to manage it.
2018-03-30 14:29:13 +03:00
Andreas Kruger
af5f376163 Revert 2018-03-30 11:42:20 +02:00
woopstar
004b0a3fcf Fix merge conflict 2018-03-30 11:38:59 +02:00
Andreas Kruger
4bb7d2b566 Merge branch 'master' of https://github.com/kubernetes-incubator/kubespray into cert-fix-2 2018-03-30 11:34:05 +02:00
Andreas Krüger
f619eb08b1
Merge pull request #2350 from whereismyjetpack/kubeadm-nodename
set nodeName to "{{ inventory_hostname }}" in kubeadm-config
2018-03-30 11:15:52 +02:00
Andreas Krüger
55195fe546
Merge pull request #2500 from gorazio/patch-1
Add prometheus annotations to spec in ingress
2018-03-30 11:02:31 +02:00
RongZhang
5711074c5a
Merge pull request #2290 from mirwan/node_labels_from_inventory
Node labels definition in kubelet params from inventory
2018-03-30 03:42:52 -05:00
Chen Hong
4a705b3fba May vault health check needs delay 2018-03-30 16:42:08 +08:00
陈宏
4d85e3765e remove redundancy code 2018-03-30 09:19:00 +08:00
Vladimir Vasilkin
f0a04b4d65 wait 5 * 4 secs until Tiller starts 2018-03-30 00:09:36 +03:00
Vladimir Vasilkin
760ca1c3a9 adding checking for prometheus_operator_enabled 2018-03-29 23:03:43 +03:00
Vladimir Vasilkin
23b3833806 running on the first master only. 2018-03-29 22:51:46 +03:00
Kuldip Madnani
daeeae1a91 Added retries in pre-upgrade.yml and retries while applying kube-dns.yml (#2553)
* Added retries in pre-upgrade.yml and retries while applying kube-dns.yml

* Removed trailing spaces
2018-03-29 11:37:32 -05:00
georgejdli
c8f857eae4 configure kubespray to sign service account tokens with a dedicated and stable key 2018-03-29 09:50:31 -05:00
Andreas Krüger
270d21f5c1
Merge pull request #2540 from mattymo/cloud_config_timing
Write cloud-config during kubelet configuration
2018-03-29 09:12:18 +02:00
Andreas Kruger
bf29198efd Fix merge conflict 2018-03-29 09:11:13 +02:00
Kuldip Madnani
9ebbf1c3cd Added a fix in openssl.conf template to check if IP of loadbalncer is available or not. 2018-03-28 16:34:26 -05:00
Chad Swenson
ef7f5edbb3
Remove old docker packages and other docker upgrade fixes (#2536)
* Remove old docker packages

This removes docker packages that are obsolete if docker-ce packages are to be installed, which fixes some package conflict issues that can occur during upgrades.

* Add support for setting obsoletes=0 when installing docker with yum
2018-03-28 15:10:39 -05:00
woopstar
0b5404b2b7 Fix 2018-03-28 20:28:04 +02:00
Vladimir Vasilkin
19e1b11d98 prometheus operator, metrics for k8s cluster
install using Helm:
- Prometheus Operator
- metrics for k8s cluster including: grafana dashboard, alertmanager, node exporters

base project:
https://github.com/coreos/prometheus-operator

the issue:
https://github.com/kubernetes-incubator/kubespray/issues/2042

Previous PR, raw ansible without Helm:
https://github.com/kubernetes-incubator/kubespray/pull/2499
2018-03-28 21:23:30 +03:00
woopstar
0df32b03ca Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 17:48:56 +02:00
Matthew Mosesohn
72a4223884 Write cloud-config during kubelet configuration
This file should only be updated during kubelet upgrade so that
master components are not accidentally restarted first during
preinstall stage.
2018-03-28 16:26:36 +03:00
Andreas Krüger
03117d9572
Merge pull request #2488 from LuckySB/ingress-nginx-node-role
Dedicated node for ingress nginx controller
2018-03-28 14:07:40 +02:00
Wong Hoi Sing Edison
848fc323db Fixup for #2523:
- Rename template for /etc/cni/net.d/00-weave.conflist to 00-weave.conflist.j2
- Apply resources requests/limits to both container weave and weave-npc
2018-03-28 11:16:42 +08:00
Brad Beam
015ea62e92
Merge pull request #2262 from tmjd/calico-canal-v2-6-7
Update Calico and Canal
2018-03-27 21:07:28 -05:00
Andreas Krüger
2ca7087018
Merge pull request #2524 from avoidik/systemd_user_kubelet
Set exact user for Kubelet services
2018-03-27 16:41:10 +02:00
Andreas Krüger
d665f14682
Merge pull request #2526 from mzehrer/patch-1
Remove  kibana_base_url
2018-03-27 12:40:31 +02:00
avoidik
e375678674 Set exact user for Kubelet services 2018-03-27 11:13:52 +03:00
Sergey Bondarev
4f7479d94d add etc tunning options
https://coreos.com/etcd/docs/latest/tuning.html

etcd_snapshot_count
and
ionice priority
2018-03-26 17:25:51 +03:00
Michael Zehrer
b8d1652baf
Remove kibana_base_url
The default for kibana_base_url does not make sense an makes kibana unusable. The default path forces a 404 when you try to open kibana in the browser. Not setting kibana_base_url works just fine.
2018-03-25 16:08:07 +02:00
Andreas Krüger
f7dc73b830
Merge pull request #2521 from f84anton/patch-1
optional calico_ip_auto_method variable with IP_AUTODETECTION_METHOD
2018-03-24 18:37:03 +01:00
Dann Bohn
1d0415a6cf fixes typo in kube_override_hostname for kubeadm 2018-03-24 13:29:07 -04:00
Wong Hoi Sing Edison
3f5c60886b Upgrade Weave to 2.2.1
- Fix #2414, so namespace isolation should now works
- Update weave-net.yml.j2 as per latest https://cloud.weave.works/k8s/net
- Other minor fixup
2018-03-24 17:27:12 +08:00
Anton Fayzrahmanov
a75598b3f4
IP_AUTODETECTION_METHOD docs 2018-03-24 01:54:17 +03:00
Anton Fayzrahmanov
60a057cace
Update calico-node.yml.j2 2018-03-24 01:46:26 +03:00
Anton Fayzrahmanov
dd9d0c0530
optional calico_ip_auto_method variable with IP_AUTODETECTION_METHOD
can be set to one of
first-found
can-reach 
interface
2018-03-23 16:33:20 +03:00
Dann Bohn
9fa995ac9d only sets nodeName in kubeadm-config when kube_override_hostname is set 2018-03-23 08:33:25 -04:00
Wong Hoi Sing Edison
caec3de364 Updating to use calico-node v2.6.8 2018-03-22 12:33:04 -05:00
Erik Stidham
60bfc56e8e Update Calico and Canal
- Updating to use calico-node v2.6.7
- A few updates to their manifests too
2018-03-22 12:30:23 -05:00
Wong Hoi Sing Edison
206e24448b CephFS Provisioner Addon Fixup 2018-03-22 23:03:13 +08:00
Wong Hoi Sing Edison
bb1eb9fec8 Add labels for namespace 2018-03-22 21:33:32 +08:00
Keyvan Hedayati
b0d7115e9b hswong3i/kubespray#3: Use {{ cluster_name }} for valid FQDN in REGISTRY_HOST 2018-03-22 21:33:32 +08:00
Wong Hoi Sing Edison
f8ebd08e75 Registry Addon Fixup 2018-03-22 21:33:32 +08:00
Andreas Krüger
30e4b89837
Merge pull request #2504 from brtknr/patch-1
Update kube-apiserver.manifest.j2 and kubeadm-config.yaml.j2 to incorporate `endpoint-reconciler-type: lease`
2018-03-22 09:15:55 +01:00
Andreas Krüger
405c711edb
Remove v in tag 2018-03-22 09:07:28 +01:00
Chad Swenson
0e6b4e80f7
Merge pull request #2490 from woopstar/workaround-fix-1
Only apply roles from first master node to fix regression
2018-03-21 20:29:59 -05:00
Chad Swenson
9949782e96
Merge pull request #2489 from woopstar/token-fix-1
Only copy tokens if tokens_list contains any
2018-03-21 20:28:06 -05:00
Chad Swenson
bbb6e7b3da
Merge pull request #2508 from melkosoft/cilium
Cilium v.1.0.0-rc8
2018-03-21 20:25:43 -05:00
Chad Swenson
bc68188209
Merge pull request #2498 from zmsp/master
Upgraded kubernetes from 1.9.3 to 1.9.5
2018-03-21 20:25:05 -05:00
woopstar
d3780e181e Switch hyperkube from CoreOS to Google 2018-03-21 23:27:16 +01:00
Andreas Krüger
2e202051e3
Merge pull request #2364 from whereismyjetpack/default-download
set local_release_dir in downloads to match others
2018-03-21 23:16:48 +01:00
Chad Swenson
448c1d5faa
Merge pull request #2509 from chadswen/flannel-update
Update flannel version to v0.10.0
2018-03-21 12:15:09 -05:00
Andreas Krüger
ff2b8e5e60
Merge pull request #2503 from woopstar/kubelet-fix-1
Fix duplicate --proxy-client-cert-file and --proxy-client-key-file
2018-03-21 10:03:31 +01:00
Erwan Miran
8b71ef8ceb Labels from role (node-role.k8s.io/node) and labels from inventory are merged into node-labels parameter in kubelet 2018-03-21 09:19:05 +01:00
mirwan
ee8f678010 Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446) 2018-03-21 10:50:32 +03:00
Chad Swenson
a6b918c1a1
Merge pull request #2485 from LuckySB/flannel_iface_regexp
Add --iface-regex options to flannel
2018-03-20 21:18:01 -05:00
Chad Swenson
c025ab4eb4 Update flannel version to v0.10.0 2018-03-20 19:59:51 -05:00
melkosoft
ae30009fbc changed version to 1.0.0-rc8 2018-03-20 14:18:56 -07:00
melkosoft
158d775306 changed cilium to 1.0.0-rc7. Set CI to use coreos for cilium test 2018-03-20 12:43:26 -07:00
woopstar
9d540165c0 Set kube_api_aggregator_routing to default false as we use kube-proxy 2018-03-20 16:28:05 +01:00
Bharat Kunwar
13e47e73c8
Update kubeadm-config.yaml.j2
As requested
2018-03-20 13:33:36 +00:00
Bharat Kunwar
d2fd7b7462
Update kube-apiserver.manifest.j2 2018-03-20 12:19:53 +00:00
Bharat Kunwar
d9453f323b
Update kube-apiserver.manifest.j2 2018-03-20 12:16:35 +00:00
Bharat Kunwar
b787b76c6c
Update kube-apiserver.manifest.j2
Ensure that kube-apiserver will respond even if one of the nodes are down.
2018-03-20 12:06:34 +00:00
woopstar
a94a407a43 Fix duplicate --proxy-client-cert-file and --proxy-client-key-file 2018-03-20 12:08:36 +01:00
gorazio
96e46c4209
bump after CLA signing 2018-03-20 10:23:50 +03:00
gorazio
aa30fa8009
Add prometheus annotations to spec in ingress
Added annotations from metadata to spec.template.metadata. Without it, pod does not get any annotations, and Prometheus didn't see it
2018-03-20 08:47:36 +03:00
Zobair Shahadat
ebfee51aca Upgraded kubernetes from 1.9.3 to 1.9.5 2018-03-19 15:42:24 -04:00
Andreas Holmsten
14ac7d797b Rotate local-volume-provisioner token
When tokens need to rotate, include local-volume-provisioner
2018-03-19 13:04:18 +01:00
Andreas Krüger
f253691a68
Merge pull request #2347 from hswong3i/multiple_artifacts_dir
Support multiple artifacts under individual inventory directory
2018-03-19 12:45:55 +01:00
Sergey Bondarev
038da7255f check if group kube-ingress is not empty
fix spelling mistaker ingress_nginx_host_network
set default value for ingress_nginx_host_network: false
2018-03-19 12:59:38 +03:00
woopstar
f1d2f84043 Only apply roles from first master node to fix regression 2018-03-18 16:15:01 +01:00
woopstar
b9a949820a Only copy tokens if tokens_list contains any 2018-03-18 08:42:38 +01:00
Andreas Krüger
50e5f0d28b
Merge pull request #2468 from LuckySB/master
change expirations period for generated certificate from 10y to 100 years
2018-03-17 19:43:40 +01:00
Sergey Bondarev
1481f7d64b Dedicated node for ingress nginx controller
The ability to create dedicated node for ingress nginx controller
host type network for nginx controller

and add from example https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/static-ip/nginx-ingress-controller.yaml
terminationGracePeriodSeconds: 60
2018-03-17 02:54:46 +03:00
Chad Swenson
7d33650019
Merge pull request #2462 from woopstar/coredns-patch
Add CoreDNS support
2018-03-16 18:33:36 -05:00
woopstar
e40368ae2b Add CoreDNS support with various fixes
Added CoreDNS to downloads

Updated with labels. Should now work without RBAC too

Fix DNS settings on hosts

Rename CoreDNS service from kube-dns to coredns

Add rotate based on http://edgeofsanity.net/rant/2017/12/20/systemd-resolved-is-broken.html

Updated docs with CoreDNS info

Added labels and fixed minor settings from official yaml file: https://github.com/kubernetes/kubernetes/blob/release-1.9/cluster/addons/dns/coredns.yaml.sed

Added a secondary deployment and secondary service ip. This is to mitigate dns timeouts and create high resitency for failures. See discussion at 'https://github.com/coreos/coreos-kubernetes/issues/641#issuecomment-281174806'

Set dns list correct. Thanks to @whereismyjetpack

Only download KubeDNS or CoreDNS if selected

Move dns cleanup to its own file and import tasks based on dns mode

Fix install of KubeDNS when dnsmask_kubedns mode is selected

Add new dns option coredns_dual for dual stack deployment. Added variable to configure replicas deployed. Updated docs for dual stack deployment. Removed rotate option in resolv.conf.

Run DNS manifests for CoreDNS and KubeDNS

Set skydns servers on dual stack deployment

Use only one template for CoreDNS dual deployment

Set correct cluster ip for the dns server
2018-03-16 21:51:37 +01:00
Sergey Bondarev
b7e6dd0dd4 Add --iface-regex options to flannel
Flannel use interface for inter-host communication setted on --iface options
Defaults to the interface for the default route on the machine.

flannel config set via daemonset, and flannel config on all nodes is the same.
But different nodes can have different interface names for the inter-host communication network

The option --iface-regex allows the flannel to find the interface on which the address is set from the inter-host communication network
2018-03-16 21:44:36 +03:00
Qasim Sarfraz
8ee2091955
Merge pull request #3 from kubernetes-incubator/master
Sync Upstream
2018-03-16 17:21:54 +01:00
Sergey Bondarev
3fac550090 Merge remote-tracking branch 'upstream/master' 2018-03-16 14:09:54 +03:00
Andreas Krüger
d29a1db134
Merge pull request #2461 from woopstar/patch-11
Add support to kubeadm too
2018-03-16 08:24:31 +01:00
Andreas Krüger
653d97dda4
Merge pull request #2472 from woopstar/patch-12
Make sure output from extra args is strings
2018-03-16 08:23:50 +01:00
woopstar
40c0f3756b Encapsulate item instead of casting to string 2018-03-15 20:27:21 +01:00
Andreas Krüger
3d6fd49179 Added option for encrypting secrets to etcd v.2 (#2428)
* Added option for encrypting secrets to etcd

* Fix keylength to 32

* Forgot the default

* Rename secrets.yaml to secrets_encryption.yaml

* Fix static path for secrets file to use ansible variable

* Rename secrets.yaml.j2 to secrets_encryption.yaml.j2

* Base64 encode the token

* Fixed merge error

* Changed path to credentials dir

* Update path to secrets file which is now readable inside the apiserver container. Set better file permissions

* Add encryption option to k8s-cluster.yml
2018-03-15 22:20:05 +03:00
Oleg Vyukov
d843e3d562 Fix indent Custom ConfigMap ingress-nginx (#2447) 2018-03-15 22:18:18 +03:00
Andreas Krüger
788e41a315
Make sure output from extra args is strings
Setting the following:

```
kube_kubeadm_controller_extra_args:
  address: 0.0.0.0
  terminated-pod-gc-threshold: "100"
```

Results in `terminated-pod-gc-threshold: 100` in the kubeadm config file. But it has to be a string to work.
2018-03-14 19:23:43 +01:00
MQasimSarfraz
1bcc641dae Create vsphere clusterrole only if it doesnt exists 2018-03-14 11:29:35 +00:00
Sergey Bondarev
f8fed0f308 change expirations period for generated certificate from 10 years to 100 years 2018-03-14 13:33:36 +03:00
zhengchuan hu
d1e6632e6a Fix err in kubelet.kubeadm.env.j2
1. 404 link url
2. kubelet_authentication_token_webhook is not work
3. kube_reserved variable set twice
2018-03-14 17:25:21 +08:00
Aivars Sterns
710295bd2f
Merge pull request #2434 from protomech/feature/azure-vnet-resource-group
add support for azure vnetResourceGroup
2018-03-13 17:42:09 +02:00
RongZhang
3e2d68cd32
Merge pull request #2455 from whereismyjetpack/kube-limits
uses new kube_memory_reserved/kube_cpu_reserved variables in kubelt
2018-03-13 06:28:07 -05:00
Dann Bohn
f3788525ff fixes yamllint for docker defaults, and weave network plugin 2018-03-13 06:15:48 -04:00
Andreas Krüger
39d247a238
Add support to kubeadm too
Explicitly defines the --kubelet-preferred-address-types parameter #2418

Fixes #2453
2018-03-13 10:31:15 +01:00
rong.zhang
d264da8f08 Fix yamllint roles error for #2188 commit 2018-03-13 14:28:49 +08:00
MQasimSarfraz
9a4aa4288c Fix vsphere cloud_provider RBAC permissions 2018-03-12 18:07:08 +00:00
Dann Bohn
50e3ccfa2b uses new kube_memory_reserved/kube_cpu_reserved variables in kubelt 2018-03-12 12:46:14 -04:00
RongZhang
69a3c33ceb
Merge pull request #2429 from riverzhang/patch-6
Fix Docker exits prematurely
2018-03-12 06:16:25 -05:00
RongZhang
649b1ae868
Merge pull request #2452 from riverzhang/dockerproject
Fix issues #2451 Support docker-ce and docker-engine
2018-03-12 06:15:44 -05:00
Aivars Sterns
973cc12ca9
Merge pull request #2188 from cornelius-keller/fix_weave
fix nodePort for weave
2018-03-12 10:55:41 +02:00
Aivars Sterns
436de45dd4
Merge pull request #2295 from manics/supplementary-bugfix
Fix indexing of supplementary DNS in openssl.conf
2018-03-12 10:54:56 +02:00
Aivars Sterns
5f186a2835
Merge pull request #2418 from kubernetes-incubator/1439br
Explicitly defines the --kubelet-preferred-address-types parameter
2018-03-12 10:53:48 +02:00
RongZhang
ecec94ee7e Fix Docker exits prematurely
details:https://github.com/moby/moby/pull/31490/files
2018-03-12 14:44:47 +08:00
rong.zhang
196995a1a7 Fix issues#2451 Support docker-ce and docker-engine
Support docker-ce and docker-engine include redhat/centos ubuntu debian
2018-03-12 13:31:31 +08:00
Spencer Smith
3a714fd4ac
Merge pull request #2427 from hswong3i/local_volume_provisioner_default
FIXUP #2424: local_provisioner directory should be created only if enabled
2018-03-10 09:00:35 -05:00
Spencer Smith
c47fdc9aa0
Merge pull request #2445 from chadswen/kube-cert-directory-fix
Fix kubernetes cert permission sync
2018-03-09 15:10:35 -05:00
Spencer Smith
5c4cfb54ae
Merge pull request #2444 from chadswen/system-node-crb-name
Prefix system:node CRB
2018-03-09 15:09:01 -05:00
chadswen
cd153a1fb3 Fix kubernetes cert permission sync
Add `state: directory` to `file` task so that `recurse: yes` will actually take effect and ensure
certs/keys have the right file mode and owner
2018-03-09 00:11:10 -06:00
chadswen
b0ab92c921 Prefix system:node CRB
Change the name of `system:node` CRB to `kubespray:system:node` to avoid
conflicts with the auto-reconciled CRB also named `system:node`

Fixes #2121
2018-03-08 23:56:46 -06:00
RongZhang
5007a69eee
Merge pull request #2437 from huzhengchuan/fix/callo-routereflector
Fix always download calico_rr image
2018-03-08 23:22:48 -06:00
Chad Swenson
8a46e050e3
Merge pull request #2433 from octarinesec/eyeofthefrog/systemd_command_fix
Fix systemd version detection
2018-03-08 22:28:12 -06:00
zhengchuan hu
8e36ad09b4 clean http-proxy.conf 2018-03-08 23:16:02 +08:00
zhengchuan hu
96a92503cb Fix always download calico_rr image 2018-03-08 17:04:16 +08:00
RongZhang
5253153dbb
Merge pull request #2416 from riverzhang/delete-node
Remove nodes
2018-03-08 01:55:20 -06:00
rong.zhang
12c78e622b Remove nodes
Drain node except daemonsets resource
Use reset cluser for delete deploy data
Then delete node
2018-03-08 15:03:42 +08:00
RongZhang
216bf2e867
Merge pull request #2422 from riverzhang/patch-5
Enable OOM killing for etcd-events
2018-03-07 23:15:19 -06:00
Wong Hoi Sing Edison
a086686e9f Support multiple artifacts under individual inventory directory 2018-03-08 11:57:53 +08:00
Wong Hoi Sing Edison
6402004018 FIXUP #2424: local_provisioner directory should be created only if enabled 2018-03-08 11:57:46 +08:00
RongZhang
955f833120
Merge pull request #2430 from huzhengchuan/fix/kube-reserve
fix the name of some variable
2018-03-07 21:25:32 -06:00
Chris Mildebrandt
605738757d Fix systemd version detection
Change "command" to "shell" in order for the pipe to work correctly
2018-03-07 11:32:47 -08:00
Wong Hoi Sing Edison
3f96b2da7a Add Custom ConfigMap Support for ingress-nginx 2018-03-07 21:37:45 +08:00
RongZhang
dbf40bbbb8 docker-ce instead of docker-engine repo (#2423)
* Use docker-ce 17.03.2
* Docker-engine may be discarded
2018-03-07 15:11:20 +03:00
zhengchuan hu
646d473e8e fix the name of some variable 2018-03-07 18:30:34 +08:00
Aivars Sterns
6975cd1622
Merge pull request #2419 from hswong3i/ingress_nginx_labels
Add labels for ingress_nginx_namespace
2018-03-06 08:01:13 +02:00
Aivars Sterns
b7f9bf43c2
Merge pull request #2421 from ctlam/master
Adding ssh_private_key_file to ProxyCommand
2018-03-06 07:59:26 +02:00
RongZhang
388b627f72
Enable OOM killing for etcd-events
Enable OOM killing like docker run etcd
2018-03-05 20:46:39 -06:00
Dominic Lam
f9019ab116 Adding ssh_private_key_file to ProxyCommand
This is trying to match what the roles/bastion-ssh-config is trying to do. When the setup is going through bastion, we want to ssh private key to be used on the bastion instance.
2018-03-05 13:15:10 -08:00
Michael Beatty
07657aecf4 add support for azure vnetResourceGroup 2018-03-05 13:40:25 -06:00
Wong Hoi Sing Edison
e65904eee3 Add labels for ingress_nginx_namespace, also only setup serviceAccountName if rbac_enabled 2018-03-05 23:11:18 +08:00
Ayaz Ahmed Khan
89847d5684 Explicitly defines the --kubelet-preferred-address-types parameter
to the API server configuration.

This solves the problem where if you have non-resolvable node names,
and try to scale the server by adding new nodes, kubectl commands
start to fail for newly added nodes, giving a TCP timeout error when
trying to resolve the node hostname against a public DNS.
2018-03-05 15:25:14 +01:00
Jonas Kongslund
585303ad66 Start with three dashes for consistency 2018-03-03 10:05:05 +04:00
Jonas Kongslund
a800ed094b Added support for webhook authentication/authorization on the secure kubelet endpoint 2018-03-03 10:00:09 +04:00
Wong Hoi Sing Edison
fd46442188 Integrate kubernetes/ingress-nginx 0.11.0 to Kubespray 2018-03-02 23:33:19 +08:00
Matthew Mosesohn
9837b7926f
Use proper lookup of etcd host for calico (#2408)
Fixes #2397
2018-03-02 15:36:52 +03:00
Aivars Sterns
b75b6b513b
Merge pull request #2406 from riverzhang/fedora
Delete unused fedora docker repo
2018-03-02 09:33:57 +02:00
rong.zhang
2a3b48edaf Delete unused fedora docker repo 2018-03-02 14:39:13 +08:00
Antoine Legrand
5cc77eb6fd
Merge pull request #2294 from Nowaker/patch-1
Enable OOM killing
2018-03-01 14:56:26 +01:00
Aivars Sterns
8b21034b31
Merge pull request #2344 from hswong3i/local_volume_provisioner_fixup
Upgrade Local Volume Provisioner Addon to v2.0.0
2018-03-01 13:12:44 +02:00
RongZhang
67ffd8e923 Add etcd-events cluster for kube-apiserver (#2385)
Add etcd-events cluster for kube-apiserver
2018-03-01 11:39:14 +03:00
Chad Swenson
af7edf4dff
Merge pull request #2369 from eviln1/fix-insecure-apiserver-port
fix apiserver manifest when disabling insecure_port
2018-02-28 17:48:08 -06:00
Spencer Smith
0fd3b9f7af
Merge pull request #2391 from Miouge1/latest-helm
Install latest version of Helm
2018-02-28 15:04:41 -05:00
Matthew Mosesohn
7ef9f4dfdd
Revert "Add pre-upgrade task for moving credentials file" (#2393) 2018-02-28 22:41:52 +03:00
Brad Beam
6ce507f39f
Merge pull request #2345 from mattymo/credentials_upgrade_fix
Add pre-upgrade task for moving credentials file
2018-02-28 12:39:02 -06:00
Brad Beam
34cab91e86
Merge pull request #2366 from z1nkum/bump_dashboard_tag
Bump dashboard from 1.8.1 to 1.8.3 because of reload bug
2018-02-28 12:38:34 -06:00
Brad Beam
63de9bdba3
Merge pull request #2363 from whereismyjetpack/default-kube-proxy
default kube_proxy_mode in kubernetes-defaults
2018-02-28 12:37:46 -06:00
Brad Beam
afb6e7dfc3
Merge pull request #2362 from mattymo/calico_ignore_extra_pools_again
Use CNI to assign kube_pods_subnet for calico
2018-02-28 12:36:50 -06:00
Brad Beam
ad89d1c876 Update pre_upgrade.yml 2018-02-28 19:07:44 +03:00
Simon Li
6b80ac6500
Fix indexing of supplementary DNS in openssl.conf 2018-02-28 16:04:52 +00:00
Miouge1
2257dc9baa Install latest version of Helm 2018-02-28 16:29:38 +01:00
Dmitry Vlasov
977e7ae105 remove obsolete init image, bump dashboard version 1.8.1 -> 1.8.3 2018-02-28 12:52:59 +03:00
Matthew Mosesohn
bc0fc5df98
Use node cert for etcd tasks instead of delegating to first etcd (#2386)
For etcdctl commands, use admin cert instead of node because this file
doesn't exist on etcd only hosts.
2018-02-27 22:23:51 +03:00
Matthew Mosesohn
bb469005b2 Add pre-upgrade task for moving credentials file 2018-02-27 17:35:15 +03:00
Brad Beam
89ade65ad6 Fixing etcd certs for calico rr (#2374) 2018-02-27 17:34:07 +03:00
RongZhang
128d3ef94c Fix run kubectl error (#2199)
* Fix run kubectl error

Fix run kubectl error when first master doesn't work

* if access_ip is define use first_kube_master
else different master use a different ip

* Delete set first_kube_master and use kube_apiserver_access_address
2018-02-27 16:32:20 +03:00
RongZhang
b7e06085c7 Upgrade to Kubernetes v1.9.3 (#2323)
Upgrade to Kubernetes v1.9.3
2018-02-27 14:31:59 +03:00
Chad Swenson
9e85a023c1
Merge pull request #2360 from mattymo/reset_fixes
retry unmount kubelet dirs
2018-02-26 18:30:38 -06:00
Brad Beam
4b5f780ff0
Merge pull request #2357 from octarinesec/eyeofthefrog/set_TasksMax_infinity_for_ubuntu
Set TasksMax to infinity on any OS with systemd
2018-02-22 21:31:10 -06:00
Brad Beam
31659efe13 Fixing cert name in calico/canal for etcd check (#2358) 2018-02-22 17:37:07 +03:00
Nedim Haveric
2bd3776ddb fix apiserver manifest when disabling insecure_port 2018-02-22 14:00:32 +01:00
Brad Beam
c874f16c02 Fixing credential lookup for fe proxy and vault (#2361) 2018-02-22 15:09:26 +03:00
Maxim Krasilnikov
ba91304636 Fixed generate front proxy client certs with vault (#2359)
* Fixed generate front proxy client certs with vault

* fix vault cert management

* Distrebute etcd node certs to vault hosts
2018-02-22 15:08:50 +03:00
Andreas Krüger
42a0f46268 Add health check to kube proxy (#2356)
Adding health checking to kube proxy. Fixes #2308
2018-02-21 23:14:45 +03:00
Andreas Krüger
d84ff06f73 Set filemode to 0640 (#2315)
* Set filemode to 0640

weave-net.yml file is readable by all users on the host. It however contains the weave_password to encrypt all pod communication. It should only be readable by root.

* Set mode 0640 on users_file with basic auth
2018-02-21 23:13:46 +03:00
Matthew Mosesohn
87f33a4644 Use CNI to assign kube_pods_subnet for calico
Now calico can be deployed if there are other existing pools
and not confuse IPAM and end up with pods in the wrong pools.
2018-02-21 20:32:28 +03:00
Dann Bohn
2d69b05c77 set local_release_dir in downloads to match others 2018-02-21 11:35:34 -05:00
Dann Bohn
2eb57ee5cd default kube_proxy_mode in kubernetes-defaults 2018-02-21 11:33:25 -05:00
Chris Mildebrandt
85c69c2a4a Add check for atomic hosts in template 2018-02-21 08:26:18 -08:00
Matthew Mosesohn
c20f38b89c retry unmount kubelet dirs 2018-02-21 14:41:57 +03:00
Wong Hoi Sing Edison
d4c61d2628 Fixup for gce_centos7-flannel-addons 2018-02-21 13:41:25 +08:00
Wong Hoi Sing Edison
deef47c923 Upgrade Local Volume Provisioner Addon to v2.0.0 2018-02-21 13:41:25 +08:00
Chris Mildebrandt
c19d8994b9 Set TasksMax to infinity on any OS with systemd 2018-02-20 11:55:13 -08:00
Chad Swenson
2de6da25a8
Merge pull request #2312 from woopstar/patch-7
Added iptables lock fix and ajusted oom-score
2018-02-19 22:47:07 -06:00
melkosoft
f13e76d022 Added cilium support (#2236)
* Added cilium support

* Fix typo in debian test config

* Remove empty lines

* Changed cilium version from <latest> to <v1.0.0-rc3>

* Add missing changes for cilium

* Add cilium to CI pipeline

* Fix wrong file name

* Check kernel version for cilium

* fixed ci error

* fixed cilium-ds.j2 template

* added waiting for cilium pods to run

* Fixed missing EOF

* Fixed trailing spaces

* Fixed trailing spaces

* Fixed trailing spaces

* Fixed too many blank lines

* Updated tolerations,annotations in cilium DS template

* Set cilium_version to iptables-1.9 to see if bug is fixed in CI

* Update cilium image tag to v1.0.0-rc4

* Update Cilium test case CI vars filenames

* Add optional prometheus flag, adjust initial readiness delay

* Update README.md with cilium info
2018-02-16 21:37:47 -06:00
Dann Bohn
95e2bde15b set nodeName to "{{ inventory_hostname }}" in kubeadm-config 2018-02-16 16:20:08 -05:00
Miouge1
4c280e59d4 Use legacy policy config to apply the scheduler policy 2018-02-16 13:43:35 +01:00
Antoine Legrand
76a89039ad
Merge pull request #2285 from jasdeep-hundal/do_not_install_python_apt
Remove redundant python-apt install
2018-02-15 17:04:08 +01:00
Sebastian Söderqvist
ba2107ea8c is-default-class is case sensative so we must return a lowercase string 2018-02-15 10:51:42 +01:00
southquist
3f44a33738 allow for configurable openstack storage class 2018-02-14 11:32:56 +01:00
RongZhang
c0aad0a6d5 Fix install etcd by host service (#2297)
Fix bug issues #2289
2018-02-12 17:34:01 +01:00
Andreas Krüger
41ca67bf54
Added iptables lock fix and ajusted oom-score
xtables lock was missing. Added new option for oom-score to make sure it's not killed in an OOM situation before regular pods.
2018-02-12 10:21:38 +01:00
Virgil Chereches
d72232f15b Increased timeout values for k8s API server restart 2018-02-12 07:35:29 +00:00
Maxim Krasilnikov
03c61685fb
Added apiserver extra args variable for kubeadm config (#2291) 2018-02-12 10:29:46 +03:00
Antoine Legrand
46284198f8
Merge pull request #2298 from clkao/patch-2
Fix version comparison
2018-02-11 17:22:39 +01:00
RongZhang
bbb1da1a83
Fix default_resolver is undefined
fix issues #2265
2018-02-10 10:08:26 -06:00
Wong Hoi Sing Edison
07075add3d Add optional StorageClass name with cephfs_provisioner_storage_class 2018-02-10 20:31:34 +08:00
Chia-liang Kao
338238d086
Fix version comparison
`FAILED! => {"changed": false, "msg": "AnsibleFilterError: Version comparison: unorderable types: str() < int()"}`
2018-02-10 03:49:49 +08:00
Brad Beam
03bb729fea Making status and detection mo betta 2018-02-09 12:30:46 -06:00
Damian Nowak
f8a59446e8 Enable OOM killing
When etcd exceeds its memory limit, it becomes useless but keeps running.
We should let OOM killer kill etcd process in the container, so systemd can spot
the problem and restart etcd according to "Restart" setting in etcd.service unit file.
If OOME problem keep repeating, i.e. it happens every single restart,
systemd will eventually back off and stop restarting it anyway.

--restart=on-failure:5 in this file has no effect because memory allocation error
doesn't by itself cause the process to die

Related: https://github.com/kubernetes-incubator/kubespray/blob/master/roles/etcd/templates/etcd-docker.service.j2

This kind of reverts a change introduced in #1860.
2018-02-09 11:00:13 -06:00
mlushpenko
4e61fb9cd3 Refactored kubeadm join process and fixed uncrodonng for master nodes 2018-02-09 15:51:47 +01:00
mlushpenko
b472c2df98 Fix safe upgrade
Even though there it kubeadm_token_ttl=0 which means that kubeadm token never expires, it is not present in `kubeadm token list` after cluster is provisioned (at least after it is running for some time) and there is issue regarding this https://github.com/kubernetes/kubeadm/issues/335, so we need to create a new temporary token during the cluster upgrade.
2018-02-09 15:51:47 +01:00
mkrasilnikov
bc67deee78 Added missing cephfs_provisioner_enabled to kubespray-defaults vars 2018-02-09 17:03:38 +03:00
jasdeep-hundal
f57abae01e Remove redundant python-apt install
Ansible automatically installs the python-apt package when using
the 'apt' Ansible module, if python-apt is not present. This patch
removes the (unneeded) explicit installation in the Kubespray
'preinstall' role.
2018-02-08 18:59:37 -08:00
Antoine Legrand
275b1d6897
Merge pull request #2274 from mirwan/local_volume_provisioner_configmap_in_daemonset
Local volume provisioner fixes
2018-02-09 00:59:47 +01:00
Erwan Miran
e9a676951b storageClass name template as suggested by @eyeofthefrog 2018-02-09 00:11:07 +01:00
Antoine Legrand
b31d905704
Merge pull request #2230 from hswong3i/cephfs_provisioner
Add cephfs_provisioner Support for Kubespray
2018-02-08 16:52:15 +01:00
Aivars Sterns
c70c44b07b
Merge pull request #2257 from rzenker/tb/baremetal-tweaks
baremetal tweaks
2018-02-08 15:48:55 +00:00
Aivars Sterns
20583e3d15
Merge pull request #2067 from manics/sysctl-net-brfilter
Always set net.bridge.bridge-nf-call-* sysctl
2018-02-08 15:43:46 +00:00
Aivars Sterns
9f4588cd0c
Merge pull request #2266 from riverzhang/epel-release
Disalbe install epel-release rpm on Centos/Redhat
2018-02-08 15:42:28 +00:00
Wong Hoi Sing Edison
b25e0f82b1 Add cephfs_provisioner Support for Kubespray 2018-02-08 22:27:54 +08:00
Maxim Krasilnikov
cae1c683aa
Merge pull request #2271 from leseb/retry-get-token
kubernetes-apps: retry get default token name
2018-02-08 16:46:32 +03:00
Antoine Legrand
57e7a5a34a
Merge pull request #2233 from hswong3i/multiple_inventory_dir
Support multiple inventory files under individual inventory directory
2018-02-08 11:57:04 +01:00
Antoine Legrand
7bce70339f
Merge pull request #2251 from woopstar/metrics-server-patch-2
Adding metrics-server support for K8s version 1.9
2018-02-08 11:16:44 +01:00
Erwan Miran
e1aaef7d4d Removal of surnumerary slash 2018-02-08 09:06:17 +01:00
Wong Hoi Sing Edison
1a1d154e14 Support multiple inventory files under individual inventory directory 2018-02-08 08:08:15 +08:00
Brad Beam
384e5dd4c4
Merge pull request #2160 from kongslund/disable-read-only-port
Make the Kubelet read-only port configurable and disable it by default
2018-02-07 13:06:32 -06:00
Erwan Miran
abfb147292 MountDir in configmap and daemonset must be the same 2018-02-07 18:42:42 +01:00
Erwan Miran
44eb03f78a typo 2018-02-07 17:57:54 +01:00
Erwan Miran
857784747b local-provisioner:v1.0.1 still expects json configmap 2018-02-07 17:47:05 +01:00
Erwan Miran
7a2cb5e41c local-provisioner:v1.0.1 still uses VOLUME_CONFIG_NAME env to read ConfigMap 2018-02-07 17:01:19 +01:00
Antoine Legrand
712bdfc82f
Merge pull request #2260 from mirwan/local_volume_provisioner_fixes
local_volume_provisioner_enabled replacement
2018-02-07 13:42:00 +01:00
Sébastien Han
34bd47de79 kubernetes-apps: retry get default token name
In some installation, it can take up to 3sec to get the value. Retrying
for 5 sec will ensure the command won't return 1.

Signed-off-by: Sébastien Han <seb@redhat.com>
2018-02-07 12:09:51 +01:00
Antoine Legrand
fe57c13b51
Merge pull request #2172 from leseb/etcd-auth
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
2018-02-07 11:25:56 +01:00
woopstar
f9df692056 Issue front proxy certs for vault 2018-02-07 11:03:10 +01:00
woopstar
f193b12059 Kubeadm auto creates this 2018-02-07 10:50:34 +01:00
woopstar
2cd254954c Remove defaults of allowed names. Updated kubeadm 2018-02-07 10:07:55 +01:00
woopstar
4dab92ce69 Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault 2018-02-07 09:50:19 +01:00
Erwan Miran
ca08614641 yamllint fix 2018-02-07 09:12:28 +01:00
rong.zhang
47adf4bce6 Disalbe install epel-release rpm on Centos/Redhat
1.Disalbe install epel-release rpm on Centos/Redhat
2.Use yum install epel-release
2018-02-07 14:58:50 +08:00
Brad Beam
7928cd20fb
Merge pull request #2037 from tiewei/contiv-etcd-split
Split contiv etcd and etcd-proxy into two daemonsets
2018-02-06 15:37:16 -06:00
Ryan Zenker
ad9049a49e baremetal tweaks
* allow installs to not have hostname overriden with fqdn from inventory
* calico-config no longer requires local as and will default to global
* when cloudprovider is not defined, use the inventory_hostname for cni-calico
* allow reset to not restart network (buggy nodes die with this cmd)
* default kube_override_hostname to inventory_hostname instead of ansible_hostname
2018-02-06 13:52:22 -05:00
Erwan Miran
b4e264251f JSON/YAML syntax fix 2018-02-06 17:17:10 +01:00
Erwan Miran
8006a6cd82 local_volumes_enabled replaced by local_volume_provisioner_enabled 2018-02-06 17:12:09 +01:00
Andreas Krüger
5cd6b0c753
Adding missing defaults for weave
The PR #2203 add's missing defaults for weave, but no signed CLA. So this PR fixes it.
2018-02-06 14:25:07 +01:00
Andreas Krüger
bb339265fc
Set default registry_enabled to false
In PR #2244 the `registry_enabled` is missing in defaults, causing a deployment to fail, if it is not set in k8s-cluster.yml
2018-02-06 14:17:06 +01:00
Antoine Legrand
bb4446e94c
Merge pull request #2226 from manics/supplemental-addresses
Enable additional addresses to be added to certificates
2018-02-06 13:51:54 +01:00
Antoine Legrand
d2102671cd
Merge pull request #2214 from woopstar/patch-3
Loadbalancer Apiserver Address is missing
2018-02-06 13:47:55 +01:00
Antoine Legrand
138e0c2301
Merge pull request #2250 from woopstar/weave-mtu-patch
Added option to set MTU on Weave
2018-02-06 12:13:54 +01:00
Antoine Legrand
37cfd289d8
Merge pull request #2248 from hswong3i/dashboard.yml.j2
Dashboard template should not suffix with .yml.j2
2018-02-06 11:25:02 +01:00
Antoine Legrand
9f3081580a
Merge pull request #2249 from hswong3i/kubedns-deploy.yml.j2
KubeDNS template should not suffix with .yml.j2
2018-02-06 11:24:19 +01:00
Antoine Legrand
a3248379db
Merge branch 'master' into local_volume_provisioner 2018-02-06 09:28:27 +01:00
Antoine Legrand
0774c8385c
Merge pull request #2244 from hswong3i/registry
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
2018-02-06 09:20:48 +01:00
woopstar
b2d30d68e7 Rename CN for aggreator back. Add flags to apiserver when version is >= 1.9 2018-02-05 20:37:14 +01:00
woopstar
82d10b882c Added fixes from whereismyjetpack 2018-02-05 20:07:12 +01:00
Maxim Krasilnikov
95b8ac5f62 Added optional controller and scheduler extra args to kubeadm config (#2205) 2018-02-05 16:49:13 +03:00
woopstar
0b4168cad4 WIP. Adding metrics-server support for K8s version 1.9 2018-02-05 10:37:41 +01:00
woopstar
3289472e31 Added option to set MTU on Weave 2018-02-05 10:23:48 +01:00
Wong Hoi Sing Edison
4ad53339f6 KubeDNS template should not suffix with .yml.j2 2018-02-05 16:26:54 +08:00
Wong Hoi Sing Edison
a4d3da6a8e Dashboard template should not suffix with .yml.j2 2018-02-05 16:18:21 +08:00
Wong Hoi Sing Edison
7954ea2525 Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray 2018-02-05 12:21:09 +08:00
Chad Swenson
bd1f0bcfd7
Merge pull request #2201 from riverzhang/ipvs
Support ipvs mode for kube-proxy
2018-02-01 22:29:52 -06:00
Wong Hoi Sing Edison
bc2e26d7ef update apiVersion 2018-02-01 14:16:32 +08:00
Wong Hoi Sing Edison
fd80013917 lint and cleanup local_volume_provisioner 2018-02-01 14:14:18 +08:00
Chad Swenson
f7d52564aa
Merge pull request #2084 from riverzhang/devicemapper
Fix can not use devicemapper driver
2018-01-31 20:52:22 -06:00
Spencer Smith
f7e8d1149a
Merge pull request #2229 from whereismyjetpack/etcd-quorum-read
--etcd-quorum-read is depricated in kube >= 1.9
2018-01-31 17:10:10 -05:00
Spencer Smith
bd091caaf9
Merge pull request #2200 from riverzhang/hyperkube
Upgrade to Kubernetes v1.9.2
2018-01-31 16:08:22 -05:00
Spencer Smith
b455a1bf76
Merge pull request #2212 from mattymo/missing_defaults
Add missing group var default values to kubespray-defaults
2018-01-31 16:07:53 -05:00
Spencer Smith
c0a3bcf9b3
Merge pull request #2221 from Xuxe/patch-vcp-v1.9.2
Updated vSphere cloud provider config for Kubernetes >= v1.9.2 and added resource pool deployment variable
2018-01-31 16:06:07 -05:00
Dann Bohn
dc6c703741 --etcd-quorum-read is depricated in kube >= 1.9 2018-01-31 15:49:52 -05:00
Matthew Mosesohn
16629d0b8e Vault should use cert auth for etcd 2018-01-31 20:37:14 +03:00
Julian Hübenthal
7f79210ed1 reworked vsphere-cloud-config template 2018-01-31 16:51:23 +01:00
Simon Li
27a1a697e7
supplementary_addresses_in_ssl_keys can be a hostname 2018-01-31 15:16:08 +00:00
Aivars Sterns
c1267004ef
Merge pull request #2130 from ArchiFleKs/simplify_os_provider
Simplify and update OpenStack cloud provider
2018-01-31 12:02:02 +02:00
Julian Hübenthal
9cdd2214f9 render vsphere_resource_pool only if defined 2018-01-31 09:56:43 +01:00
Julian Hübenthal
989e9174c2 Added vSphere cloud provider config update for Kubernetes >= 1.9.2 2018-01-31 09:15:46 +01:00
rong.zhang
3993e12335 Fix can not be used devicemapper driver
Fix can not be used devicemapper driver
2018-01-31 15:51:11 +08:00
Brad Beam
ac4d782937
Merge pull request #2074 from fangzhen/fix-domains-split
Make spliting system_search_domains more robust
2018-01-30 21:01:19 -06:00
rong.zhang
32d18ca992 remove trailing space 2018-01-31 09:50:41 +08:00
Matthew Mosesohn
2df4b6c5d2
Rename default_resolver to cloud_resolver (#2209)
Cloud resolvers are mandatory for hosts on GCE and OpenStack
clouds. The 8.8.8.8 alternative resolver was dropped because
there is already a default nameserver. The new var name
reflects the purpose better.

Also restart apiserver when modifying dns settings.
2018-01-31 00:26:07 +03:00
Andreas Krüger
088d36da09
Increase the idx counter
Fix the idx counter to increase too, or you will end up with two same indexes.
2018-01-30 21:48:13 +01:00
Andreas Krüger
6f36faa4f9
Loadbalancer Apiserver Address is missing
If you configure your external loadbalancer to do a simple tcp pass-through to the api servers, and you do not use a DNS FQDN but just the ip, then you need to add the ip adress to the certificates too.

Example config:

```
## External LB example config
apiserver_loadbalancer_domain_name: "10.50.63.10"
loadbalancer_apiserver:
  address: 10.50.63.10
  port: 8383
```
2018-01-30 17:33:00 +01:00
RongZhang
3846384d56 Bump kube-dns to 1.14.8 (#2204)
Bump kube-dns to 1.14.8
2018-01-30 19:23:37 +03:00
Dmitri Rubinstein
331f141f63 Fix DNS entries in etcd's openssl.conf by adding a newline. (#2208)
DNS entries generated from 'etcd_cert_alt_names' variable in etcd's
openssl.conf are not terminated by a newline.

This fixes issue #2207.
2018-01-30 16:26:58 +03:00
Matthew Mosesohn
62dd3d2a9d Add missing group var default values to kubespray-defaults 2018-01-30 16:04:00 +03:00
Sébastien Han
fa8a128e49 etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
Some installation are failing to authenticate with peers due to
etcd picking up/resoling the wrong node.

By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert
authentication.

Signed-off-by: Sébastien Han <seb@redhat.com>
2018-01-30 11:19:12 +01:00
rong.zhang
b10c308a5a Support ipvs mode for kube-proxy
Support ipvs mode for kube-proxy
2018-01-30 13:09:01 +08:00
rong.zhang
e22c70e431 Upgrade to Kubernetes v1.9.2 2018-01-30 13:04:38 +08:00
Chad Swenson
f4fe9e3421
Merge pull request #2171 from ArchiFleKs/kubeproxy-lvs
Add lib/modules to kube-proxy to enable LVS
2018-01-29 22:58:02 -06:00
Brad Beam
da173615e4
Merge pull request #2048 from xizhibei/master
Fix: always only one container got synced after download
2018-01-29 16:01:11 -06:00
Matthew Mosesohn
dc6a17e092
Use include/import tasks (#2192)
import_tasks will consume far less memory, so it should be
used whenever it is compatible.
2018-01-29 14:37:48 +03:00
Miouge1
240d4193ae Update information about network sizes 2018-01-26 15:23:21 +01:00
Matthew Mosesohn
ac66e98ae9
Upgrade to Kubernetes v1.9.1 (#2152)
Raise drain timeout to 5m
2018-01-25 18:44:44 +03:00
Matthew Mosesohn
d2935ffed0
Optionally ignore the presence of extra calico pools (#2190) 2018-01-25 18:44:20 +03:00
Chad Swenson
c6e0fcea31
Merge pull request #1948 from sgmitchell/secured-etcd
Enable etcd secure client to prevent etcdctl access without cert and key
2018-01-25 09:35:51 -06:00
Chad Swenson
5d014d986b
Merge pull request #1992 from manics/flannel-hairpin
Enable flannel hairpin mode
2018-01-24 21:20:03 -06:00
mirwan
714994cad8 iptables: flush nat table as well as filter table upon reset (#2174)
* iptables: flush nat table as well as filter table upon reset

* Indentation fix
2018-01-24 20:22:49 -06:00
Brad Beam
08fe61e058
Merge pull request #2071 from riverzhang/dashboard
Update dashboard version to v1.8.1
2018-01-24 20:10:05 -06:00
Brad Beam
0c8bed21ee
Merge pull request #2019 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port (the sequel)
2018-01-24 19:58:53 -06:00
Brad Beam
98eb845f8c
Merge pull request #2173 from mirwan/hardcoded_dnsmasq-autoscaler_image
Dnsmasq autoscaler image should be a variable
2018-01-24 16:15:59 -06:00
Brad Beam
98300e3165
Merge pull request #2155 from brutus333/fix/pvc
Fix for Issue #2141
2018-01-24 16:15:33 -06:00
Cornelius Keller
e22759d8f0 fix nodePort for weave 2018-01-24 10:31:51 +01:00
Matthew Mosesohn
bf1411060e Add optional manual dns_mode (#2178) 2018-01-23 14:28:42 +01:00
Virgil Chereches
a4d142368b Renamed variable from disable_volume_zone_conflict to volume_cross_zone_attachment and removed cloud provider condition; fix identation 2018-01-23 13:14:00 +00:00
Brad Beam
eb80f9b606
Merge pull request #2154 from tdihp/proxy-conf-restart-docker
Restart docker when http-proxy.conf changed.
2018-01-22 08:39:05 -06:00
Stanislav Makar
ae47b617e3 Fix 'no such host' problem (#2148)
Fix 'no such host' problem reported by commands *kubectl logs* and *kubectl exec*
when cloud_provider is OpenStack

Closes: #2147
2018-01-22 16:08:24 +03:00
Erwan Miran
e5b4011aa4 move hardcoded dnsmasq autoscaler image to its own variable 2018-01-18 16:04:29 +01:00
Virgil Chereches
3125f93b3f Added disable_volume_zone_conflict variable 2018-01-18 10:55:23 +00:00
Spencer Smith
f19c8e8c1d
Merge pull request #2132 from PhilippeChepy/flex-volumes
Add support for flex volumes plugins.
2018-01-17 15:00:45 -05:00
ArchiFleKs
637604d08f Add lib/modules to kube-proxy to enable LVS
kube-proxy is complaining of missing modules at startup. There is a plan
to also support an LVS implementation of kube-proxy in additon to
userspace and iptables
2018-01-17 16:35:53 +01:00
Jonas Kongslund
11844c987c Make the Kubelet read-only port configurable and disable it by default. Fixes #2159. 2018-01-16 11:11:41 +04:00
Virgil Chereches
8c45c88d15 Fix for Issue #2141 - added policy file 2018-01-12 07:15:35 +00:00
Virgil Chereches
c87bb2f239 Fix for Issue #2141 2018-01-12 07:07:02 +00:00
heping
32eeb9a0e0 Restart docker when http-proxy.conf changed. 2018-01-12 10:56:25 +08:00
rong.zhang
df21fc8643 Remove initContainer 2018-01-10 12:17:17 +08:00
Spencer Smith
ccd9cc3dce
Merge pull request #2146 from abelgana/master
Manage deprecated kubelet option
2018-01-09 17:19:42 -05:00
Spencer Smith
81867402f6
Merge pull request #2145 from pslijkhuis/master
Add kubelet_custom_flags to kubelet.kubeadm.env.j2
2018-01-09 17:19:09 -05:00
Spencer Smith
4f5d61212b
Merge pull request #2144 from neith00/weave-2.1.3
updated weave to 2.1.3
2018-01-09 17:18:26 -05:00
Spencer Smith
ef96123482
Merge pull request #2068 from chadswen/remove-container-retries
Retry kube container removal during upgrade
2018-01-09 15:03:50 -05:00
Spencer Smith
ee27ab0052
Merge pull request #2124 from riverzhang/patch-3
Remove blank lines
2018-01-09 14:58:49 -05:00
Spencer Smith
57f87ba083
Merge pull request #2142 from trilogy-group/hotfix/fluentd-template
fix fluentd template
2018-01-09 14:44:50 -05:00
abelgana
a9bb72c6fd
require-kubeconfig is depricated since k8s v1.8 2018-01-09 14:35:42 -05:00
abelgana
9506c2e597
require-kubeconfig is deprecated since K8s v1.8 2018-01-09 14:33:05 -05:00
Peter Slijkhuis
32884357ff Add kubelet_custom_flags to kubelet.kubeadm.env.j2 2018-01-09 14:04:36 +01:00
neith00
88204642b7
updated weave to 2.1.3 2018-01-09 13:50:42 +01:00
Matthew Mosesohn
1401286910
Add support for cert alt names for etcd (#2139)
* Add support for cert alt names for etcd

* Update gen_certs_vault.yml
2018-01-09 14:37:34 +03:00
Lukasz Piatkowski
12eb242224 fix fluentd template 2018-01-08 13:40:47 +00:00
Philippe Chepy
df9faa1743 Add support for flex volumes plugins. 2018-01-05 17:56:36 +01:00
ArchiFleKs
ce85bcaee7 Simplify and update OpenStack cloud provider
Simplify the number of variables necessary to "just" enable OpenStack
cloud provider. Also add the new options available in K8s 1.9.
2018-01-05 12:05:24 +01:00
rong.zhang
6ed2a60978 fix run dashboard error 2018-01-04 13:13:36 +08:00
Bogdan Dobrelya
bac3bf1a5f
Fix auto-evaluated API access endpoint for bind IP (#2086)
Auto configure API access endpoint with a custom bind IP, if provided.
Fix HA docs' http URLs are https in fact, clarify the insecure vs secure
API access modes as well.

Closes: #issues/2051

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2018-01-03 17:40:21 +01:00
RongZhang
e3b684df21
Remove blank lines
Remove blank lines
2018-01-03 00:54:04 -06:00
Steve Mitchell
e45b30d033 Add etcd key and cert environment variables for use with client auth 2018-01-02 13:52:17 -05:00
Matthew Mosesohn
ad6fecefa8
Update Kubernetes to v1.9.0 (#2100)
Update checksum for kubeadm
Use v1.9.0 kubeadm params
Include hash of ca.crt for kubeadm join
Update tag for testing upgrades
Add workaround for testing upgrades
Remove scale CI scenarios because of slow inventory parsing
in ansible 2.4.x.

Change region for tests to us-central1 to
improve ansible performance
2017-12-25 08:57:45 +00:00
Jan Jungnickel
3fdb2ccf55 Revert back to using an empty var as default to exclude hostname (#2110) 2017-12-22 22:09:59 +00:00
Matthew Mosesohn
29f5b55d42
remove unwanted whitespace for kube_override_hostname (#2105) 2017-12-22 11:31:18 +00:00
rong.zhang
5aef52e8c0 fix dashboard certs secret 2017-12-22 11:17:05 +08:00
Matthew Mosesohn
6bb46e3ecb
Fix param names in preparation for Kubernetes v1.9.0 (#2098)
This does not update v1.9.0, but fixes two incompatibilities
when trying to deploy v1.9.0.
2017-12-20 10:48:09 +00:00
Matthew Mosesohn
127bc01857
Do not override kubelet hostname if cloud_provider is used (#2095)
Starting with Kubernetes v1.8.4, kubelet ignores the AWS cloud
provider string and uses the override hostname, which fails
Node admission checks.

Fixes #2094
2017-12-19 20:18:20 +00:00
Evan Zeimet
a6975c1850 Rename runtime docker_version (#2082)
Renaming runtime docker_version to prevent setting that
value on the command line from breaking the play run.

This fixes #2081
2017-12-19 14:47:54 +00:00
Stanislav Makar
b2cb0725ac Default OpenStack Cinder Storage Class (#2083)
Add possibility to create default OpenStack Cinder Storage Class

Closes: #1609
2017-12-19 14:47:00 +00:00
rong.zhang
b974b144a8 Add RBAC to binding Dahsboard UI 2017-12-18 23:07:19 +08:00
Matthew Mosesohn
bfb25fa47b
Change vault cert ttl to 8y (#2013) 2017-12-15 13:34:00 +00:00
Wei Tie
3bb505d43f Remove unrequired mounts 2017-12-14 14:59:40 -08:00
Matthew Mosesohn
b135bcb9d9 Split download container task for delegate and non-delegate modes (#2077)
Ansible cannot seem to handle omitting delegate_to since v2.4.0.0.

Possibly related: https://github.com/ansible/ansible/issues/30760
2017-12-14 16:45:54 +00:00
Wei Tie
4e97225424 Add quote for etcd endpoints 2017-12-13 18:35:12 -08:00
rong.zhang
0771cd8599 Remove dashboard_tls_key and dashboard_tls_cert 2017-12-13 15:42:20 +08:00
Fang Zhen
91d848f98a Make spliting system_search_domains more robust
The search line in /etc/resolv.conf could have
multiple spaces or tabs between domains.
split(' ') will give wrong results in some case,
use split() without argument instead.

e.g.
>>> 'domain.tld	cluster.tld '.split(' ')
['domain.tld\tcluster.tld', '']
>>> 'domain.tld cluster.tld '.split()
['domain.tld', 'cluster.tld']
2017-12-13 15:39:38 +08:00
rong.zhang
40edf8c6f5 Update dashboard version to v1.8.0
Update dependencies to be compatible with Kubernetes v1.8
2017-12-13 12:50:44 +08:00
Chad Swenson
e78562830f Retry kube container removal during upgrade
As we have seen with other containers, sometimes container removal fails on the first attempt due to some Docker bugs. Retrying typically corrects the issue.
2017-12-12 12:06:41 -06:00
Simon Li
bef259a6eb Always set net.bridge.bridge-nf-call-* sysctl 2017-12-12 17:11:35 +00:00
Brad Beam
39ce1bd8be
Merge pull request #2059 from bradbeam/vaultalt
Fixing alt_names for vault cert generation
2017-12-12 09:28:51 -06:00
Spencer Smith
6291881943
Merge pull request #2057 from rsmitty/master
set docker_version fact regardless of docker_dns in use
2017-12-12 10:28:14 -05:00
Brad Beam
802fd94dad
Merge pull request #2054 from ArchiFleKs/os-cloud-provider-domain-fix
Fix domain id for OpenStack provider
2017-12-11 21:06:16 -06:00
Xu Zhipei
66f38a1b31 fix: always only one docker image got synced after download 2017-12-12 09:51:03 +08:00
Brad Beam
d3850a4da5 Fixing alt_names for vault cert generation 2017-12-11 17:28:18 -06:00
Spencer Smith
53a4355e60 set docker_version fact regardless of docker_dns in use 2017-12-11 17:48:11 -05:00
Brad Beam
19def41fdf
Merge pull request #2047 from bradbeam/vaulttime
Adding retries for vault-temp to come online
2017-12-11 09:04:57 -06:00
ArchiFleKs
44b9dce134 Fix domain id for OpenStack provider
OpenStack authentication does not support using a mix of DomainID and
DomainName, only one or the other should be used.
2017-12-11 15:57:33 +01:00
Brad Beam
fa5a538fe5
Merge pull request #2050 from jbonachera/fix-vault-tls-validation
append newline char to vault generated certs
2017-12-11 08:41:34 -06:00
Brad Beam
9643c2c1e3 Fixes to reset (#2046)
- adding additional directories to cleanup (rkt/vault)
- targeting kubespray ansible groups instead of all
2017-12-11 12:49:21 +00:00
Brad Beam
93f3614382 Fixes #2039 - changing alt_names to be string instead of list (#2043) 2017-12-11 12:48:07 +00:00
Brad Beam
cbc8a7d679
Merge pull request #1995 from b0r1sp/patch-1
Update main.yml
2017-12-10 21:45:02 -06:00
Julien BONACHERA
290bc993a5
append newline char to vault generated certs 2017-12-10 13:06:28 +01:00
Brad Beam
3694657eb6 Adding retries for vault-init to come online 2017-12-09 17:40:44 -06:00
Thomas Sarboni
79417e07ca Fix systemd service unit for docker >= 17.03 (#1844) 2017-12-08 13:12:45 +00:00
Wei Tie
dad95c873b Remove templating for etcd members
Use a etcd-initer init container to generate etcd args, it determines
etcd name by comparing its ip and etcd cluster ips. This way will
make etcd configuration independent to the ansible templating so
that could be easier on adding master nodes.
2017-12-07 23:33:29 -08:00
Spencer Smith
626b35e1b0
Merge pull request #2005 from riverzhang/patch-1
Delete helm home
2017-12-07 11:23:30 -05:00
Wei Tie
5881ba43f8 Split contiv etcd and etcd-proxy into two daemonsets
Putting contiv etcd and etcd-proxy into the same daemonset and manage
the difference by a env file is not good for scaling (adding nodes).
This commit split them into two daemonsets so that when adding nodes,
k8s could automatically starting a etcd-proxy on new nodes without need
to run related play that putting env file.
2017-12-06 22:21:50 -08:00
Brad Beam
fed7b97dcb
Merge pull request #2030 from mattymo/removerbaccheck
Remove RBAC from boolean checks
2017-12-06 23:41:13 -06:00
Spencer Smith
c4458c9d9a
Merge pull request #1997 from mrbobbytables/feature-keepalived-cloud-provider
Add minimal keepalived-cloud-provider support
2017-12-06 23:28:27 -05:00
riverzhang
aeb3e647d4 Remove the network device created by the flannel (#2006)
* Remove the network device created by the flannel

Remove the network device created by the flannel

* Modify flannel.1 device path

Modify flannel.1 device path

* remove trailing spaces
2017-12-06 14:15:39 +00:00
Kuldip Madnani
fe036cbe77 Adding changes to handle updation of yum Management cache in rhel. (#2026)
* Adding changes to handle updation of yum cache in rhel.

* Removed the redundant spaces
2017-12-06 09:00:41 +00:00
Matthew Mosesohn
952ec65a40 Remove RBAC from boolean checks 2017-12-06 11:57:40 +03:00
Chad Swenson
b8788421d5 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled).

Rework of #1937 with kubeadm support

Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
2017-12-05 09:13:45 -06:00
Brad Beam
c2347db934
Merge pull request #1953 from chadswen/dashboard-refactor
Kubernetes Dashboard v1.7.1 Refactor
2017-12-05 08:50:55 -06:00
Brad Beam
27ead5d4fa
Merge pull request #2003 from abelgana/master
Change altnames to alt_names
2017-12-05 08:48:32 -06:00
Stanislav Makar
6ade7c0a8d Update k8s version to 1.8.4 (#2015)
* Update k8s version to 1.8.4

* Update main.yml
2017-12-04 16:23:04 +00:00
Matthew Mosesohn
a0225507a0
Set helm deployment type to host (#2012) 2017-11-29 19:52:54 +00:00
Steven Hardy
d39a88d63f Allow setting --bind-address for apiserver hyperkube (#1985)
* Allow setting --bind-address for apiserver hyperkube

This is required if you wish to configure a loadbalancer (e.g haproxy)
running on the master nodes without choosing a different port for the
vip from that used by the API - in this case you need the API to bind to
a specific interface, then haproxy can bind the same port on the VIP:

root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
tcp        0      0 192.168.24.6:6443       0.0.0.0:*               LISTEN      0          680613     134504/haproxy
tcp        0      0 192.168.24.16:6443      0.0.0.0:*               LISTEN      0          653329     131423/hyperkube
tcp        0      0 192.168.24.16:6443      192.168.24.16:58404     ESTABLISHED 0          652991     131423/hyperkube
tcp        0      0 192.168.24.16:58404     192.168.24.16:6443      ESTABLISHED 0          652986     131423/hyperkube

This can be achieved e.g via:

kube_apiserver_bind_address: 192.168.24.16

* Address code review feedback

* Update kube-apiserver.manifest.j2
2017-11-29 15:24:02 +00:00
unclejack
e5d353d0a7 contiv network support (#1914)
* Add Contiv support

Contiv is a network plugin for Kubernetes and Docker. It supports
vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
multiple networks and bridging pods onto physical networks.

* Update contiv version to 1.1.4

Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.

* Load openvswitch module to workaround on CentOS7.4

* Set contiv cni version to 0.1.0

Correct contiv CNI version to 0.1.0.

* Use kube_apiserver_endpoint for K8S_API_SERVER

Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
to a available endpoint no matter if there's a loadbalancer or not.

* Make contiv use its own etcd

Before this commit, contiv is using a etcd proxy mode to k8s etcd,
this work fine when the etcd hosts are co-located with contiv etcd
proxy, however the k8s peering certs are only in etcd group, as a
result the etcd-proxy is not able to peering with the k8s etcd on
etcd group, plus the netplugin is always trying to find the etcd
endpoint on localhost, this will cause problem for all netplugins
not runnign on etcd group nodes.
This commit make contiv uses its own etcd, separate from k8s one.
on kube-master nodes (where net-master runs), it will run as leader
mode and on all rest nodes it will run as proxy mode.

* Use cp instead of rsync to copy cni binaries

Since rsync has been removed from hyperkube, this commit changes it
to use cp instead.

* Make contiv-etcd able to run on master nodes

* Add rbac_enabled flag for contiv pods

* Add contiv into CNI network plugin lists

* migrate contiv test to tests/files

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

* Add required rules for contiv netplugin

* Better handling json return of fwdMode

* Make contiv etcd port configurable

* Use default var instead of templating

* roles/download/defaults/main.yml: use contiv 1.1.7

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2017-11-29 14:24:16 +00:00
Di Xu
de422c822d update nginx tag to use multi-arch docker image (#2009) 2017-11-29 10:39:52 +00:00
Matthew Mosesohn
4d3326b542
Raise default vault lease TTL to 10y (#2008) 2017-11-29 10:38:59 +00:00
riverzhang
1b82138142 Delete helm home
Delete helm home
2017-11-29 13:27:09 +08:00
Christopher Randles
208ff8e350 Allow for more customization of the tiller deploy (#1946) 2017-11-28 18:33:57 +00:00
Matthew Mosesohn
ec54b36e05
add retries for calico/canal etcd commands (#2007) 2017-11-28 16:39:55 +00:00
Spencer Smith
38e8522cbf
Merge pull request #1983 from tomdee/bump-flannel-ver
Bump flannel version to v0.9.1
2017-11-28 11:38:55 -05:00
Spencer Smith
52f8687397
Merge pull request #1977 from mattymo/initializers
Disable initializers feature gate if istio is not used
2017-11-28 11:37:41 -05:00
Spencer Smith
43600ffcf8
Merge pull request #1972 from chadswen/master-static-pod-flush
Additional flush for static pod master upgrade
2017-11-28 11:36:38 -05:00
Christopher Randles
938d2d9e6e update helm/tiller to v2.7.2 -- security bugfix (#1986) 2017-11-28 14:52:42 +00:00
Kevin Lefevre
9368dbe0e7 update calico to 2.6.2 (#1874)
Move RS to deployment so no need to take care of the revision history
limits :
  - Delete the old RS
  - Make Calico manifest a deployment
  - move deployments to apps/v1beta2 API since Kubernetes 1.8
2017-11-28 12:01:30 +00:00
abelgana
fe3290601a
The variable altnames is used by this task.
Since the value will change on the default. It needs to change here also.
2017-11-27 06:57:16 -05:00
abelgana
e7173e1d62
Change altnames to alt_names
Hi,

Could you please check if it was a typo?

https://www.vaultproject.io/api/secret/pki/

Regards,
2017-11-25 17:29:21 -05:00
brx
2ffcfdcd25
Update main.yml 2017-11-24 20:13:38 +01:00
Bogdan Dobrelya
8aafe64397
Defaults for apiserver_loadbalancer_domain_name (#1993)
* Defaults for apiserver_loadbalancer_domain_name

When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.

Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Define defaults for LB modes in common defaults

Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-11-23 16:15:48 +00:00
Bob Killen
2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
brx
b80ded63ca
Update main.yml
just a small spelling mistake
2017-11-21 22:37:52 +01:00
Simon Li
7be2521a31 Add flannel hairping mode 2017-11-21 10:43:50 +00:00
Tom Denham
15b9d54a32
Bump flannel version to v0.9.1 2017-11-16 12:52:18 -07:00
Spencer Smith
bc1a4e12ad fix broken variable in ansible 2.4.1.0 and ensure tasks for calico-rr (#1982) 2017-11-16 18:44:15 +00:00
Matthew Mosesohn
67419e8d0a
Run rotate_tokens role only once (#1970) 2017-11-15 18:50:23 +00:00
Chad Swenson
849aaf7435 Update to k8s 1.8.3 (#1971) 2017-11-15 17:43:22 +00:00
Chad Swenson
a89ee8c406 Add ability to use custom cert secret instead of init container provisioned self-signed certs 2017-11-15 10:05:52 -06:00
Chad Swenson
0c6f172e75 Kubernetes Dashboard v1.7.1 Refactor
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
2017-11-15 10:05:48 -06:00
Matthew Mosesohn
a67349b076 Disable initializers feature gate if istio is not used 2017-11-15 12:56:36 +00:00
Matthew Mosesohn
f9b68a5d17
Revert "Support for disabling apiserver insecure port" (#1974) 2017-11-14 13:41:28 +00:00
chenhonggc
c7910b51a1 --peers DEPRECATED - --endpoints should be used instead (#1943) 2017-11-14 11:28:35 +00:00
Chad Swenson
1f99710b21 Additional flush for static pod master upgrade
Thought this wasn't required at first but I forgot there's no auto flush at the end of these tasks since the `kubernetes/master` role is not the end of the play.
2017-11-13 18:11:57 -06:00
Aivars Sterns
5e558c361b update weave-net to 2.0.5 version (#1877) 2017-11-13 16:11:47 +00:00
neith00
5f39efcdfd adding mount for kubelet to enable rbd mounts (#1957)
* adding mount for kubelet to enable rbd mounts

* fix conditionnal variable name
2017-11-13 14:04:13 +00:00
Stanislav Makar
037edf1215 Fix failed task of setting up bash completion for helm (#1968)
Closes: #1967
2017-11-13 10:15:53 +00:00
Hyunsun Moon
37125866ca Make calico_node_ignorelooserpf have an effect (#1945) 2017-11-13 09:35:13 +00:00
Günther Grill
421e73b87c Add missing exclamation mark in shebang line (#1966) 2017-11-13 09:34:21 +00:00
Brad Beam
c115e5677e
Merge pull request #1828 from hzamani/patch-1
Use etcd_access_addresses for vault_etcd_url
2017-11-10 10:56:37 -05:00
Spencer Smith
09d85631dc
Merge pull request #1944 from chadswen/reload-master-pods
Master component and kubelet container upgrade fixes
2017-11-08 22:23:12 -05:00
Brad Beam
f25e4dc3ed
Merge pull request #1937 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port
2017-11-08 18:13:49 -05:00
Spencer Smith
0126168472 provide environment for rkt trust and run with etcd 2017-11-08 12:57:22 -05:00
Chad Swenson
e9f795c5ce Master component and kubelet container upgrade fixes
* Fixes an issue where apiserver and friends (controller manager, scheduler) were prevented from restarting after manifests/secrets are changed. This occurred when a replaced kubelet doesn't reconcile new master manifests, which caused old master component versions to linger during deployment. In my case this was causing upgrades from k8s 1.6/1.7 -> k8s 1.8 to fail
* Improves transitions from kubelet container to host kubelet by preventing issues where kubelet container reappeared during the deployment
2017-11-08 01:40:33 -06:00
Chad Swenson
0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
Günther Grill
0d55ed3600 Avoid that some read-only tasks cause an ansible-change (#1910) 2017-11-06 13:51:07 +00:00
Haiwei Liu
ad0cd6939a Add support cAdvisor (#1908)
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
2017-11-06 13:50:28 +00:00
Stanislav Makar
33adb334cd Fix openstack tenant id variable name (#1932) 2017-11-05 08:40:41 +00:00
Spencer Smith
ef87a8a1f0
Merge pull request #1916 from vtomasr5/master
Fix bad handler directory name in kubeadm role
2017-11-03 18:14:48 -04:00
Spencer Smith
a595c84f7e
Merge pull request #1928 from chadswen/flannel-rbac-fix
Flannel RBAC Fix
2017-11-03 18:12:16 -04:00
Chad Swenson
b158dbcf79 Docker Version Update
Update default docker version to 17.03.1
2017-11-03 12:34:45 -05:00
Matthew Mosesohn
ab3832f3e7
Set host IP for kubelet always (#1924)
* Set host IP for kubelet always

Use ansible default IP if ip var is not set.

* Update main.yml
2017-11-03 10:19:37 +00:00
Kevin Lefevre
9bf415f749 update helm to v2.7.0 (#1875)
* update helm to v2.7.0

* Update main.yml
2017-11-03 07:15:00 +00:00
Günther Grill
a2bda9e5f1 Eliminate jinja2 template expression warning and rename coreos-python var (#1911)
* Change deprecated vagrant ansible flag 'sudo' to 'become'

* Emphasize, that the name of the pip_pyton_modules is only considered in coreos

* Remove useless unused variable

* Fix warning when jinja2 template-delimiters used in when statement

There is no need for jinja2 template-delimiters like {{ }} or {% %}
any more. They can just be omitted as described in https://github.com/ansible/ansible/issues/22397

* Fix broken link in getting-started guide
2017-11-03 07:11:36 +00:00
Günther Grill
0195725563 Workaround ansible bug where access var via dict doesn't get real value (#1912)
* Change deprecated vagrant ansible flag 'sudo' to 'become'

* Workaround ansible bug where access var via dict doesn't get real value

When accessing a variable via it's name "{{ foo }}" its value is
retrieved. But when the variable value is retrieved via the vars-dict
"{{ vars['foo'] }}" this doesn't resolve the expression of the variable
any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't
longer resolved but just returned as string "1 == 1".

* Make file yamllint complient
2017-11-03 07:11:14 +00:00
Spencer Smith
ec1170bd37 only mount volumes if local_volumes_enabled is true. fix mount flags in rkt. (#1923) 2017-11-03 07:10:37 +00:00
Matthew Mosesohn
66c67dbe73
Add optional helm deployment mode for host (#1920) 2017-11-03 07:09:24 +00:00
Chad Swenson
16ae2c1809 Flannel RBAC Fix
Fixes a bug that can occur if `cni-flannel-rbac.yml` was written but the playbook failed before it was applied. Uses the same approach as calico.
2017-11-02 23:20:23 -05:00
Spencer Smith
4771716ab2
Merge pull request #1907 from mattymo/disable_anon_auth
Block anonymous auth requests to kubelet
2017-11-02 12:01:39 -04:00
Spencer Smith
b156585739
Merge pull request #1917 from chadswen/docker-daemon-graph
Fix kubelet container with alternate Docker data paths
2017-11-02 11:58:55 -04:00
Matthew Mosesohn
520103df78 Change namespace for provisioner account 2017-11-02 10:16:08 +00:00
Matthew Mosesohn
3e3787de15 Fix local volume provisioner mount point for rkt 2017-11-02 09:45:26 +00:00
Chad Swenson
0c824d5ef1 Fix kubelet container with alternate Docker data paths
Some time ago I think the hardcoded `/var/lib/docker` was required, but kubelet running in a container has been aware of the Docker path since at least as far back as k8s 1.6.

Without this change, you see a large number of errors in the kubelet logs if you installed with a non-default `docker_daemon_graph`
2017-11-01 13:25:15 -05:00
Matthew Mosesohn
c0e989b17c
New addon: local_volume_provisioner (#1909) 2017-11-01 14:25:35 +00:00
Vicenç Juan Tomàs Montserrat
5218b3af82 Fix bad handler directory name in kubeadm role 2017-11-01 14:36:28 +01:00
Spencer Smith
ef0a91da27
Merge pull request #1891 from rsmitty/proxy-fixes
Improved proxy support
2017-10-31 14:32:12 -04:00
Spencer Smith
8412181746
Merge pull request #1899 from skyscooby/update_kube182
Update to Kubernetes 1.8.2
2017-10-31 14:30:56 -04:00
Spencer Smith
400ee2aa57
Merge pull request #1898 from skyscooby/update_kubedns
Update kubedns to 1.14.7 release
2017-10-31 14:30:36 -04:00
Spencer Smith
05b8466f87
Merge pull request #1890 from chadswen/apt-repo-params
Parameterize dockerproject apt repo endpoints
2017-10-31 14:29:19 -04:00
Spencer Smith
19962f6b6a fix indentation for master template (#1906) 2017-10-31 06:43:54 +00:00
Matthew Mosesohn
f7703dbca3 Block anonymous auth requests to kubelet 2017-10-30 19:06:54 +00:00
Spencer Smith
74a9eedb93 helm template check for http/https_proxy 2017-10-30 13:11:04 -04:00
Spencer Smith
6df104b275 don't check for no_proxy, only http/https_proxy. fix linting issues. 2017-10-30 11:42:14 -04:00