Mark Lee
224e6acb3a
use ansible sysctl module for config ip forwarding
2017-02-09 17:28:44 +09:00
Bogdan Dobrelya
93c562b1bb
Merge pull request #902 from insequent/master
...
Adding vault role
2017-02-09 09:24:52 +01:00
Bogdan Dobrelya
d0f4ab3129
Merge pull request #993 from code0x9/master
...
enable proxy support on docker repository
2017-02-09 09:21:01 +01:00
Antoine Legrand
35a7ad55d0
Merge pull request #986 from vwfs/dnsmasq_system_nameservers
...
Also add the system nameservers to upstream servers in dnsmasq
2017-02-08 23:21:54 +01:00
Josh Conant
764ad6e099
Vault security hardening and role isolation
2017-02-08 21:41:36 +00:00
Josh Conant
1025d489ad
Adding the Vault role
2017-02-08 21:31:28 +00:00
Sergii Golovatiuk
bde4d11a4a
Lower weave RAM settings.
...
- Since Weave 1.8.x was rewritten in Golang we may decrease RAM settings
to continue using g1-small for CI
2017-02-08 18:50:36 +01:00
Matthew Mosesohn
2d1109e09e
Fix upgrade for all daemonset type resources
...
Daemonsets cannot be simply upgraded through a single API call,
regardless of any kubectl documentation. The resource must be
purged and then recreated in order to make any changes.
2017-02-08 18:16:00 +03:00
Alexander Block
94d9f03ddb
Also add the system nameservers to upstream servers in dnsmasq
...
Also make no-resolv unconditional again. Otherwise, we may end up in
a resolver loop. The resolver loop was the cause for the piling up
parallel queries.
2017-02-08 14:38:55 +01:00
Matthew Mosesohn
0ea7f94b0c
Merge pull request #994 from mattymo/docker_save
...
Change docker save compress level to 1
2017-02-08 15:13:15 +03:00
Matthew Mosesohn
ce3bee4eb8
Merge pull request #990 from mattymo/fix_cert_upgrade
...
Fix check for node-NODEID certs existence
2017-02-08 14:44:09 +03:00
Matthew Mosesohn
94407f86ff
Merge pull request #971 from bradbeam/efk
...
Adding EFK logging stack
2017-02-08 14:28:04 +03:00
Mark Lee
3cc9693895
Update rh_docker.repo.j2
2017-02-08 20:03:51 +09:00
Matthew Mosesohn
3c7952d7f1
Merge pull request #992 from vwfs/host_mount_dev
...
Host mount /dev for kubelet
2017-02-08 13:45:22 +03:00
Matthew Mosesohn
a4caceedef
Change docker save compress level to 1
...
Faster gzip improves CI deploy times by at least 2 mins.
Fixes #982
2017-02-08 13:25:11 +03:00
Mark Lee
5a2de36a55
Merge branch 'master' of https://github.com/kubespray/kargo
2017-02-08 19:19:26 +09:00
Mark Lee
8783cef044
enable proxy support on docker repository
2017-02-08 19:19:08 +09:00
Matthew Mosesohn
0de857a18a
Merge pull request #987 from mattymo/etcd-retune
...
Re-tune ETCD performance params
2017-02-08 13:00:25 +03:00
Bogdan Dobrelya
320d03c01c
Merge pull request #956 from adidenko/update-netchecker
...
Update playbooks to support new netchecker
2017-02-08 10:09:46 +01:00
Alexander Block
08367f4abb
Host mount /dev for kubelet
2017-02-08 09:55:51 +01:00
Matthew Mosesohn
012bc49404
Fix check for node-NODEID certs existence
...
Fixes upgrade from pre-individual node cert envs.
2017-02-07 21:06:48 +03:00
Matthew Mosesohn
ad2e1e10bf
Re-tune ETCD performance params
...
Reduce election timeout to 5000ms (was 10000ms)
Raise heartbeat interval to 250ms (was 100ms)
Remove etcd cpu share (was 300)
Make etcd_cpu_limit and etcd_memory_limit optional.
2017-02-07 20:15:14 +03:00
Matthew Mosesohn
7bfade0fbb
Merge pull request #969 from mattymo/port_reserve
...
Prevent dynamic port allocation in nodePort range
2017-02-07 18:24:57 +03:00
Aleksandr Didenko
3b816ee660
Update playbooks to support new netchecker
...
Netchecker is rewritten in Go lang with some new args instead of
env variables. Also netchecker-server no longer requires kubectl
container. Updating playbooks accordingly.
2017-02-07 15:20:34 +01:00
Matthew Mosesohn
7a9161d462
Prevent dynamic port allocation in nodePort range
...
kube_apiserver_node_port_range should be accessible only
to kube-proxy and not be taken by a dynamic port allocation.
Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920
gets fixed.
2017-02-06 20:01:16 +03:00
Sergii Golovatiuk
8503a5afea
Improve Weave
...
- Remove weave CPU limits from .gitlab-ci.yml. Closes : #975
- Fix weave version in documentation
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-06 13:24:40 +01:00
Antoine Legrand
edcd91f7f6
Merge pull request #963 from rutsky/bastion-ansible-host
...
handle both 'ansible_host' and 'ansible_ssh_host' in bastion configration
2017-02-04 15:42:39 -05:00
Brad Beam
8218b9970f
Adding EFK logging stack
2017-02-03 16:27:08 -06:00
Bogdan Dobrelya
e53d3fe9c8
Merge pull request #949 from vmtyler/master
...
Fixes Support for OpenStack v3 credentials
2017-02-03 12:22:00 +01:00
Vladimir Rutsky
1711530cd4
handle both 'ansible_host' and 'ansible_ssh_host' in bastion configuration
...
'absible_ssh_host' is deprecated in Ansible 2.0 and at least
'contrib/inventory_builder/inventory.py' uses 'ansible_host' instead.
2017-02-02 18:34:53 +03:00
Matthew Mosesohn
b7cbd5b9c5
Merge pull request #927 from holser/nsenter_fix
...
Remove nsenter workaround
2017-02-02 18:18:15 +03:00
Matthew Mosesohn
b9869b7708
Merge pull request #901 from galthaus/dns-tweak
...
DHCP Hook protections
2017-02-02 16:47:16 +03:00
Sergii Golovatiuk
b610c1627e
Remove nsenter workaround
...
- Docker 1.12 and further don't need nsenter hack. This patch removes
it. Also, it bumps the minimal version to 1.12.
Closes #776
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-02 14:38:11 +01:00
Sergii Golovatiuk
83a90861ba
Fix weave-net after upgrade to 1.82
...
- Set recommended CPU settings
- Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
- Limit DS creation to master
- Combined 2 tasks into one with better condition
2017-02-02 10:31:58 +01:00
Matthew Mosesohn
776e48e898
Merge pull request #957 from mattymo/weave-net-naming
...
Rename weave-kube to weave-net
2017-02-02 10:18:02 +03:00
Greg Althaus
0037d0e6b2
This continues the DHCP hook checks. Also protect the create side
...
if the system doesn't have any config files at all.
2017-01-31 09:56:27 -06:00
Matthew Mosesohn
82619b99ba
Merge pull request #951 from mattymo/k8s-certs-scale
...
Fix cert distribution at scale
2017-01-31 18:49:26 +03:00
Matthew Mosesohn
a0e50a12a6
Merge pull request #954 from artem-panchenko/improve_dnsmasq
...
Explicitly set config path for DNSMasq
2017-01-31 18:48:46 +03:00
Matthew Mosesohn
f85dbfffe9
Rename weave-kube to weave-net
...
Cleans up upgrade to weave 1.82. The original WeaveWorks
daemonset definition uses weave-net name.
2017-01-31 18:47:27 +03:00
Matthew Mosesohn
1011e416a7
Fix cert distribution at scale
...
Use stdin instead of bash args to pass node filenames and base64 data.
Use tempfile for master cert data
2017-01-31 16:27:45 +03:00
Matthew Mosesohn
14331d938c
Merge pull request #880 from bradbeam/weave-kube
...
Weave kube
2017-01-31 13:31:09 +03:00
Artem Panchenko
5ed8f686b3
Explicitly set config path for DNSMasq
...
When DNSMasq is configured to read its settings
from a folder ('-7' or '--conf-dir' option) it only
checks that the directory exists and doesn't fail if
it's empty. It could lead to a situation when DNSMasq
is running and handles requests, but not properly
configured, so some of queries can't be resolved.
2017-01-31 12:14:57 +02:00
Matthew Mosesohn
688cd1ffcc
Merge pull request #944 from tureus/skip-cloud-config-on-etcd
...
Bugfix: skip cloud_config on etcd
2017-01-30 20:12:36 +03:00
Brad Beam
5562432999
Upgrading weave to weave-kube
2017-01-27 17:05:25 -06:00
Brad Beam
789a08ad47
Consolidating kube.py module
2017-01-27 11:28:11 -06:00
Tyler Britten
6b29c6c702
Fixed for non-null output
2017-01-27 10:47:59 -05:00
Tyler Britten
ec1c47bc5a
Updated OpenStack vars to check for tenant_id (v2) and project_id (v3)
2017-01-27 10:26:20 -05:00
neith00
fb5d1a2ab8
Using the command module instead of raw
...
Using the command module instead of raw.
Also fixed the syntax.
2017-01-26 16:28:48 +01:00
Xavier Lange
eb07363ddb
Bugfix: skip cloud_config on etcd
2017-01-25 14:09:21 -08:00
Aleksandr Didenko
d30c52d53d
Switch to ansible_hostname in calico
...
For consistancy with kubernetes services we should use the same
hostname for nodes, which is 'ansible_hostname'.
Also fixing missed 'kube-node' in templates, Calico is installed
on 'k8s-cluster' roles, not only 'kube-node'.
2017-01-25 11:49:58 +01:00
Matthew Mosesohn
2967aa2c96
Merge pull request #926 from adidenko/fix-calico-rr-for-masters
...
Fix calico-rr peering with k8s masters
2017-01-24 12:38:52 +03:00
Alexander Block
0b27d015d1
Pin docker version on RedHat and CentOS to the desired version
2017-01-23 12:39:54 +01:00
Aleksandr Didenko
13ae324569
Fix calico-rr peering with k8s masters
...
Calico-rr is broken for deployments with separate k8s-master and
k8s-node roles. In order to fix it we should peer k8s-cluster
nodes with calico-rr, not just k8s-node. The same for peering
with routers.
Closes #925
2017-01-23 10:19:09 +01:00
Matthew Mosesohn
979b01a145
Merge pull request #905 from galthaus/async-runs
...
Add tasks to ensure that the first nodes have their directories for cert gen
2017-01-19 18:32:27 +03:00
Matthew Mosesohn
77eeacb315
Merge pull request #904 from galthaus/nginx-port-config
...
Add nginx local balancer port configuration variable
2017-01-19 18:31:57 +03:00
Matthew Mosesohn
b47e76afdb
Merge pull request #913 from galthaus/apps-master-only
...
Ansible apps should only check for api-server running on the master.
2017-01-19 18:30:58 +03:00
Matthew Mosesohn
9d2d08404d
Merge pull request #917 from mattymo/rkt_resolvconf
...
Fix setting resolvconf when using rkt deploy mode
2017-01-19 18:30:21 +03:00
Matthew Mosesohn
59a0f17a4e
Merge pull request #916 from mattymo/update_ansible
...
Update Ansible to 2.2.1
2017-01-19 18:13:45 +03:00
Matthew Mosesohn
879a21bf9c
Merge pull request #921 from mattymo/docker113
...
Add docker 1.13, update 1.12 to 1.12.6
2017-01-19 18:13:21 +03:00
Matthew Mosesohn
c1ef75a005
Add docker 1.13, update 1.12 to 1.12.6
...
Fixes #903
2017-01-19 13:58:36 +03:00
Sergii Golovatiuk
eed32f9838
Allow to specify number of concurrent DNS queries
...
ndots creates overhead as every pod creates 5 concurrent connections
that are forwarded to sky dns. Under some circumstances dnsmasq may
prevent forwarding traffic with "Maximum number of concurrent DNS
queries reached" in the logs.
This patch allows to configure the number of concurrent forwarded DNS
queries "dns-forward-max" as well as "cache-size" leaving the default
values as they were before.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-19 11:47:37 +01:00
Matthew Mosesohn
aec85d8f42
Update Ansible to 2.2.1
2017-01-19 13:46:46 +03:00
Greg Althaus
d9fb51b046
Add explicit name printing in task names for deletgated task during
...
cert creation
2017-01-18 14:06:50 -06:00
Matthew Mosesohn
67719c162e
Fix setting resolvconf when using rkt deploy mode
...
rkt deploy mode doesn't create {{ bin_dir }}/kubelet, so
let's rely on kubelet.env file instad.
2017-01-18 19:18:47 +03:00
Matthew Mosesohn
d4c9d9f7f5
Merge pull request #897 from holser/flush_handlers_before_etcd
...
Flush handlers before etcd restart
2017-01-18 12:27:01 +03:00
Matthew Mosesohn
0d06d1fb90
Merge pull request #910 from mattymo/escape_curly
...
Fix ansible 2.2.1 handling of registered vars
2017-01-18 11:13:01 +03:00
Greg Althaus
eb3a840622
Should only check for api-server running on the master.
...
If this runs on other nodes, it will fail the playbook.
2017-01-17 15:57:34 -06:00
Matthew Mosesohn
8369f5ebad
Fix bash completion installation
2017-01-17 20:36:58 +03:00
Matthew Mosesohn
8302d38358
Work around escaping curly braces for docker inspect
2017-01-17 20:35:38 +03:00
Sergii Golovatiuk
f3a2e98b44
Flush handlers before etcd restart
...
systemctl daemon-reload should be run before when task modifies/creates
union for etcd. Otherwise etcd won't be able to start
Closes #892
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-01-17 15:04:25 +01:00
Matthew Mosesohn
49d7d15fe7
Merge pull request #909 from mattymo/docker-upgrade
...
Always trigger docker restart when docker package changes
2017-01-17 11:37:42 +03:00
Matthew Mosesohn
adf7faf93b
Always trigger docker restart when docker package changes
...
Docker upgrade doesn't auto-restart docker, causing failures
when trying to start another container
2017-01-16 17:52:28 +03:00
Greg Althaus
113925afea
Add a variable that defaults to kube_apiserver_port that defines
...
the which port the local nginx proxy should listen on for HA
local balancer configurations.
2017-01-14 23:38:07 -06:00
Greg Althaus
707e6a4642
This PR adds/or modifies a few tasks to allow for the playbook to
...
be run by limit on each node without regard for order.
The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node. This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.
2017-01-14 23:24:34 -06:00
Greg Althaus
04fbe42aa6
If the inventory name of the host exceeds 63 characters,
...
the openssl tools will fail to create signing requests because
the CN is too long. This is mainly a problem when FQDNs are used
in the inventory file.
THis will truncate the hostname for the CN field only at the
first dot. This should handle the issue for most cases.
2017-01-13 10:02:23 -06:00
Matthew Mosesohn
3b562c494d
Use only one certificate for all apiservers
...
https://github.com/kubernetes/kubernetes/issues/25063
2017-01-13 14:03:20 +03:00
Bogdan Dobrelya
9a07782016
Merge pull request #891 from galthaus/selinux-order
...
preinstall fails on AWS CentOS7 image
2017-01-13 11:51:18 +01:00
Alexander Block
cee3b01987
Don't try to delete kargo specific config from dhclient when file does not exist
...
Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.
2017-01-13 10:56:10 +01:00
Greg Althaus
85efd263b3
When running on CentOS7 image in AWS with selinux on, the order of
...
the tasks fail because selinux prevents ip-forwarding setting.
Moving the tasks around addresses two issues. Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.
2017-01-12 10:12:21 -06:00
Bogdan Dobrelya
808a50bc23
Merge pull request #830 from mattymo/k8sperhost
...
Generate individual certificates for k8s hosts
2017-01-12 12:42:14 +01:00
Alexander Block
d6c0d2785b
Add tasks to undo changes to hosts /etc/resolv.conf and dhclient configs
2017-01-11 16:56:16 +01:00
Matthew Mosesohn
ed253e5c5a
Generate individual certificates for k8s hosts
2017-01-11 12:58:07 +03:00
Matthew Mosesohn
c779bf8cd3
Merge pull request #878 from bradbeam/rkt-cni
...
Adding /opt/cni /etc/cni to rkt run kubelet
2017-01-11 12:22:04 +03:00
Bogdan Dobrelya
928de8d8bb
Merge pull request #872 from mattymo/bug868
...
Bind nginx localhost proxy to localhost
2017-01-10 17:09:25 +01:00
Brad Beam
7420bf584c
Adding /opt/cni /etc/cni to rkt run kubelet
2017-01-10 08:48:58 -06:00
Bogdan Dobrelya
fd53e2c670
Merge pull request #793 from kubernetes-incubator/fix_dhclientconf_path
...
Fix wrong path of dhclient on CentOS+Azure
2017-01-10 13:23:55 +01:00
Bogdan Dobrelya
9f74c02004
Merge pull request #858 from bradbeam/calicoctl-canal
...
Misc updates for canal
2017-01-10 12:24:59 +01:00
Matthew Mosesohn
ce84320462
Merge pull request #860 from adidenko/fix-calico-rr-certs
...
Fix etcd cert generation for calico-rr role
2017-01-09 18:34:02 +03:00
Bogdan Dobrelya
35ea6cef19
Merge pull request #871 from mattymo/fix_system_search_domains
...
Fix docker dns host scenario with no search domains
2017-01-09 15:52:12 +01:00
Matthew Mosesohn
e9d5aa0f07
Bind nginx localhost proxy to localhost
...
This proxy should only be listening for local connections, not 0.0.0.0.
Fixes #868
2017-01-09 17:19:54 +03:00
Matthew Mosesohn
846b96efa1
Fix docker dns host scenario with no search domains
...
Fixes scenario where docker-dns.conf tries to create an empty
search entry
2017-01-09 16:36:44 +03:00
Aleksandr Didenko
a47f2d611c
Fix etcd cert generation for calico-rr role
...
"etcd_node_cert_data" variable is undefinded for "calico-rr" role.
This patch adds "calico-rr" nodes to task where "etcd_node_cert_data"
variable is registered.
2017-01-09 12:06:25 +01:00
Aleksandr Didenko
11e1bb64bd
Set latest stable versions for Calico images
...
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.
Also removing images repo and tag duplication from netchecker role
2017-01-09 12:05:49 +01:00
Bogdan Dobrelya
d296284bfa
Merge pull request #799 from kubernetes-incubator/docker_dns
...
Implement "dockerd --dns-xxx" based dns mode
2017-01-09 11:38:02 +01:00
Alexander Block
ad7ded59e9
Only use default resolver in dnsmasq when we are using host_resolvconf mode
2017-01-06 10:21:07 +01:00
Alexander Block
2b3dbae9d6
Introduce dns_mode and resolvconf_mode and implement docker_dns mode
...
Also update reset.yml to do more dns/network related cleanup.
2017-01-05 23:38:51 +01:00
Spencer Smith
bee6166b4c
remove assertion for family not being CoreOS
2017-01-05 13:36:25 -05:00
Brad Beam
43adafe746
Create network policy directory for canal
2017-01-05 10:54:27 -06:00
Brad Beam
ff24f9712a
Adding calicoctl to canal deployment
2017-01-05 10:54:27 -06:00
Bogdan Dobrelya
da9da08964
Better fix for different CoreOS os family facts
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 16:32:08 +01:00
Bogdan Dobrelya
68a6fa1146
Rename CoreOS fact
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-05 14:02:29 +01:00
Bogdan Dobrelya
8d9c4233e2
Merge branch 'master' into rkt
2017-01-05 10:34:18 +01:00
Brad Beam
9432a5cd73
Adding kubelet in rkt
2017-01-03 14:49:48 -06:00
Brad Beam
0f5a30ee8a
Allowing etcd to run via rkt
2017-01-03 10:10:38 -06:00
Brad Beam
18715b2116
Adding initial rkt support
2017-01-03 10:08:43 -06:00
Bogdan Dobrelya
2fe58c361f
Fix cert paths for flannel/calico policy apps
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-03 16:12:54 +01:00
Alexander Block
2538c958db
Upgrade docker version and do some cleanups for unsupported distros/docker versions
2017-01-02 18:05:50 +01:00
Bogdan Dobrelya
130f0908ce
Merge pull request #847 from bogdando/bug_769
...
Fix etc hosts for cluster nodes
2017-01-02 17:47:23 +01:00
Bogdan Dobrelya
62313afccc
Fix etc hosts for cluster nodes
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 13:20:51 +01:00
Bogdan Dobrelya
f16a512aea
Drop non systemd OS types support
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00
Matthew Mosesohn
bd0f787809
Fix etcd cert generation to support large deployments
...
Due to bash max args limits, we should pass all node filenames and
base64-encoded tar data through stdin/stdout instead.
Fixes #832
2016-12-30 12:55:26 +03:00
Bogdan Dobrelya
6e1c0cdd15
Systemd units, limits, and bin path fixes
...
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
systemd limits due to the lack of consensus in the kernel community
requires out-of-tree kernel patches.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Matthew Mosesohn
2ac2a3ed93
Fix creation and sync of etcd certs
...
Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync
2016-12-28 14:21:17 +04:00
Matthew Mosesohn
612c5bb5f1
Merge pull request #818 from mattymo/calico-rr-certs
...
Fix calico-rr to use etcd certs instead of kube certs
2016-12-28 08:47:16 +03:00
Matthew Mosesohn
716b590f3b
Fix calico-rr to use etcd certs instead of kube certs
2016-12-27 17:04:50 +03:00
Bogdan Dobrelya
9b29df183b
Rework ignore_errors to report no reds
...
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2016-12-27 13:00:50 +01:00
Bogdan Dobrelya
222859601e
Do not forward bogus domains for upstream resolvers
...
Also fix kube log level 4 to log dnsmasq queries.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-23 11:53:14 +01:00
Matthew Mosesohn
a2c38f5f5f
Update etcd.j2
2016-12-22 22:29:24 +03:00
Matthew Mosesohn
e5374af95c
Adjust etcd server certificates
...
ETCD doesn't need cert/key options set. It only requires peer
cert options.
2016-12-22 23:05:17 +04:00
Spencer Smith
f3f16e3676
Workaround etcdctl not yet being installed ( #797 )
...
workaround case for etcdctl not yet being installed, only allow for return code of 0 (no error)
2016-12-22 12:41:38 -05:00
Matthew Mosesohn
370ad3acba
Merge pull request #760 from genti-t/issue-748-flannel-options
...
Fix Flannel network on CoreOS
2016-12-22 19:02:31 +03:00
Genti Topija
a42b458fdf
Fix Flannel network on CoreOS
...
Resolves : #748
2016-12-22 16:50:04 +01:00
Matthew Mosesohn
5457799aa3
Individual etcd ssl certs
...
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
2016-12-22 13:31:11 +03:00
Bogdan Dobrelya
85f31a369e
Merge pull request #786 from mattymo/bug777
...
Add wait for kube-apiserver to kubernetes-apps
2016-12-22 11:02:50 +01:00
Alexander Block
272d8e754b
Fix wrong path of dhclient on CentOS+Azure
...
This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.
2016-12-21 21:51:07 +01:00
Spencer Smith
3575f890fc
create systemd drop-in path if not existent
2016-12-21 13:06:12 -05:00
Bogdan Dobrelya
b103799901
Revert "Do not forward private domains for upstream resolvers"
2016-12-21 15:24:17 +01:00
Matthew Mosesohn
b1eb852207
Add wait for kube-apiserver to kubernetes-apps
...
Fixes #777
2016-12-21 15:39:39 +03:00
Bogdan Dobrelya
f45872b558
Add download_always_pull check and sha256 for docker images
...
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-20 17:02:09 +01:00
Bogdan Dobrelya
763c1aff72
Merge pull request #722 from bogdando/dnsmasq_armors
...
Do not forward private domains for upstream resolvers
2016-12-20 14:25:17 +01:00
Bogdan Dobrelya
072c4e4669
Merge pull request #775 from kubernetes-incubator/register_master
...
Register master node as unschedulable
2016-12-20 14:17:55 +01:00
Bogdan Dobrelya
c147f710ab
Merge pull request #774 from kubernetes-incubator/ant31-patch-2
...
check if calico_peer_rr is defined
2016-12-19 18:19:03 +01:00
Matthew Mosesohn
6a705aa0b5
Fix etcd to-SSL upgrade and task register vars
2016-12-19 15:05:49 +03:00
Bogdan Dobrelya
4d4b0adc03
Do not forward private domains for upstream resolvers
...
Also fix kube log level 4 to log dnsmasq queries.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-19 11:01:41 +01:00
Alexander Block
c43615c765
Register master node as unschedulable
...
Also refactor generation of kubelet args to not repeat args.
2016-12-19 10:47:43 +01:00
Antoine Legrand
c250737b0a
Update main.yml
2016-12-17 20:22:39 +01:00
Antoine Legrand
5c280ef54a
Merge pull request #704 from vwfs/bastion_hosts
...
Add support for bastion hosts
2016-12-17 12:08:49 +01:00
Antoine Legrand
5d46f62718
Merge pull request #763 from bogdando/resolver_fallback
...
Fallback to default resolver if no nameservers
2016-12-17 12:03:41 +01:00
Antoine Legrand
b1841fda76
Merge pull request #766 from kubernetes-incubator/docker12point5
...
Update docker to 1.12.5
2016-12-17 11:55:06 +01:00
Bogdan Dobrelya
e7e0e82f43
Fallback to default resolver if no nameservers
...
Current design expects users to define at least one
nameserver in the nameservers var to backup host OS DNS config
when the K8s cluster DNS service IP is not available and hosts
still have to resolve external or intranet FQDNs.
Fix undefined nameservers to fallback to the default_resolver.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-16 14:51:34 +01:00
Bogdan Dobrelya
7fc0b552a0
Revert "Fix wrong path for dhclient.conf on RedHat/CentOS"
2016-12-16 14:49:26 +01:00
Matthew Mosesohn
42dc2351b1
Update docker to 1.12.5
...
Note the new ubuntu/debian version string change:
https://github.com/docker/docker/issues/29355
2016-12-16 16:30:46 +03:00
Bogdan Dobrelya
fc2f616f94
Merge pull request #745 from kubernetes-incubator/fix_weave_start
...
Fix weave restart after docker daemon restart
2016-12-16 14:06:48 +01:00
Matthew Mosesohn
76e7048f06
Fix weave restart after docker daemon restart
2016-12-16 14:15:22 +03:00
Antoine Legrand
3bf2c0f54f
Merge pull request #757 from kubernetes-incubator/issue754
...
Add dns_domain for each host to /etc/hosts
2016-12-15 21:42:59 +01:00
Bogdan Dobrelya
290433b89f
Merge pull request #755 from kubernetes-incubator/fix_dhclientconf_path
...
Fix wrong path for dhclient.conf on RedHat/CentOS
2016-12-15 19:08:31 +01:00
Bogdan Dobrelya
80a8193d74
Merge pull request #746 from kubernetes-incubator/etcd_ssl_upgrade_fix
...
Fix etcd member list when upgrading ETCD from an old version
2016-12-15 12:31:34 +01:00
Matthew Mosesohn
ab4eb809d4
Add dns_domain for each host to /etc/hosts
...
Fixes #754
2016-12-15 13:34:59 +04:00
Bogdan Dobrelya
c09db6cd54
Merge pull request #749 from kubernetes-incubator/azure_ip_forward
...
Set net.ipv4.ip_forward=1 on all systems, not only on GCE
2016-12-15 10:19:43 +01:00
Alexander Block
2624da6161
Fix wrong path for dhclient.conf on RedHat/CentOS
...
/etc/dhclient.conf is ignored on RedHat/CentOS
Correct location is /etc/dhcp/dhclient.conf
2016-12-15 10:11:16 +01:00
Matthew Mosesohn
3b14519208
Fix etcd member list when upgrading ETCD from an old version
2016-12-15 12:00:45 +04:00
Bogdan Dobrelya
f635d224ed
Merge pull request #721 from adidenko/calico-add-rr
...
Add calico/routereflector support
2016-12-14 17:22:00 +01:00
Smaine Kahlouch
af76813bf4
Merge pull request #708 from vwfs/cloud_network
...
Add support for cloud-provider based networking
2016-12-14 16:23:20 +01:00
Alexander Block
cbcdc7d9a0
Set net.ipv4.ip_forward=1 on all systems, not only on GCE
2016-12-14 15:08:13 +01:00
Aleksandr Didenko
d5a9b34d9e
Add calico/routereflector support
...
Add BGP route reflectors support in order to optimize BGP topology
for deployments with Calico network plugin.
Also bump version of calico/ctl for some bug fixes.
2016-12-14 13:44:10 +01:00
Alexander Block
586ad91300
Add --reconcile-cidr flag to kubelet to support cloud network plugin in 1.4
2016-12-13 17:30:10 +01:00
Alexander Block
6887948537
Add check for azure_route_table_name and add it to all.yml
2016-12-13 17:30:10 +01:00
Alexander Block
5b0034c420
Add pseudo network plugin called "cloud" to use cloud provider for network
...
Allow to let the cloud provider configure proper routing for nodes.
2016-12-13 17:30:10 +01:00
Alexander Block
433eb1dc53
Add support for bastion hosts
2016-12-13 17:29:47 +01:00
Antoine Legrand
e22e4c02db
Merge branch 'master' into standalone_kubelet
2016-12-13 17:26:21 +01:00
Alexander Block
67cc40aefa
Move kube_version to group_vars/all to allow easier changing of version
...
Also allows to perform version dependent logic in Ansible roles.
2016-12-13 17:21:00 +01:00
Alexander Block
f9807798f3
Pass --anonymous-auth to apiserver
...
Fixes #732
2016-12-13 17:06:53 +01:00
Bogdan Dobrelya
2d566e27a6
Merge pull request #731 from bogdando/fix_resolvconf
...
Fix resolvconf
2016-12-13 16:48:37 +01:00
Bogdan Dobrelya
272b506802
Address standalone kubelet config case
...
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Bogdan Dobrelya
bab6ec8477
Fix resolvconf
...
Do not repeat options and nameservers in the dhclient hooks.
Do not prepend nameservers for dhclient but supersede and fail back
to the upstream_dns_resolvers then default_resolver. Fixes order of
nameservers placement, which is cluster DNS ip goes always first.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 15:48:53 +01:00
Alexander Block
0f0858703b
Fix reverse umount in reset role
...
The Jinja2 filter 'reverse' returned an iterator instead of a list,
resulting in the umount task to fail.
Intead of using the reverse filter, we use 'tac' to reverse the output
of the previous task.
2016-12-13 14:21:24 +01:00
Bogdan Dobrelya
38f5f4a8e3
Merge pull request #705 from vwfs/centos7-azure
...
Better support for CentOS 7 on Azure
2016-12-13 10:36:58 +01:00
Bogdan Dobrelya
659b482b62
Merge pull request #667 from bogdando/fix_dns
...
Rework DNS stack to meet hostnet pods needs
2016-12-12 21:38:13 +01:00
Bogdan Dobrelya
33f9f9b7ba
Update main.yml
2016-12-12 21:37:16 +01:00
Bogdan Dobrelya
8679f10f71
Rework DNS stack to meet hostnet pods needs
...
* For Debian/RedHat OS families (with NetworkManager/dhclient/resolvconf
optionally enabled) prepend /etc/resolv.conf with required nameservers,
options, and supersede domain and search domains via the dhclient/resolvconf
hooks.
* Drop (z)nodnsupdate dhclient hook and re-implement it to complement the
resolvconf -u command, which is distro/cloud provider specific.
Update docs as well.
* Enable network restart to apply and persist changes and simplify handlers
to rely on network restart only. This fixes DNS resolve for hostnet K8s
pods for Red Hat OS family. Skip network restart for canal/calico plugins,
unless https://github.com/projectcalico/felix/issues/1185 fixed.
* Replace linefiles line plus with_items to block mode as it's faster.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-12-12 17:43:47 +01:00
Alexander Block
9172de48fd
Make growpart only run on Azure
2016-12-12 14:14:22 +01:00
Bogdan Dobrelya
5dd0caf1b5
Merge branch 'master' into tags_download
2016-12-12 11:44:00 +01:00
Matthew Mosesohn
1fe8dc2472
Merge pull request #707 from vwfs/reset_playbook
...
Add playbook and role to reset the cluster
2016-12-12 12:43:00 +03:00
Alexander Block
eb2890d245
Add growpart role to allow growing the root partition on CentOS
...
At least the OS images from Azure do not grow the root FS automatically.
2016-12-12 09:55:28 +01:00
Alexander Block
41a87fe305
Disable fastestmirror on CentOS
...
It actually slows down things dramatically when used in combination
with Ansible.
2016-12-12 09:54:39 +01:00
Alexander Block
a80cdcf867
Remove requiretty from sudoers to actually make pipelining work
...
Some systems (e.g. CentOS on Azure) have requiretty in sudoers which makes
pipelining fail.
2016-12-12 09:54:39 +01:00
Matthew Mosesohn
e731130f41
Merge pull request #713 from kubernetes-incubator/bump_kubedns
...
Bump kubedns version to 1.9
2016-12-10 11:08:42 +03:00
Bogdan Dobrelya
d2c369f3b7
Merge pull request #696 from bogdando/intranet_dns
...
Preconfigure dns stack early
2016-12-09 21:46:03 +01:00
Bogdan Dobrelya
aefe4a99d2
Preconfigure DNS stack and docker early
...
In order to enable offline/intranet installation cases:
* Move DNS/resolvconf configuration to preinstall role. Remove
skip_dnsmasq_k8s var as not needed anymore.
* Preconfigure DNS stack early, which may be the case when downloading
artifacts from intranet repositories. Do not configure
K8s DNS resolvers for hosts /etc/resolv.conf yet early (as they may be
not existing).
* Reconfigure K8s DNS resolvers for hosts only after kubedns/dnsmasq
was set up and before K8s apps to be created.
* Move docker install task to early stage as well and unbind it from the
etcd role's specific install path. Fix external flannel dependency on
docker role handlers. Also fix the docker restart handlers' steps
ordering to match the expected sequence (the socket then the service).
* Add default resolver fact, which is
the cloud provider specific and remove hardcoded GCE resolver.
* Reduce default ndots for hosts /etc/resolv.conf to 2. Multiple search
domains combined with high ndots values lead to poor performance of
DNS stack and make ansible workers to fail very often with the
"Timeout (12s) waiting for privilege escalation prompt:" error.
* Update docs.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:30:55 +01:00
Bogdan Dobrelya
10383c88ee
More granular control for download/upload images/binaries
...
Add upload tag allow users to exclude distributing images across nodes
when running with the download tag set.
Add related tags and update docs as well.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 17:04:55 +01:00
Alexander Block
74c4355af8
Changes according to code review
2016-12-09 16:33:10 +01:00
Matthew Mosesohn
6dc79b45ea
Bump kubedns version to 1.9
...
Version 1.9 has reduced verbosity for federation dns queries
which flood container logs.
2016-12-09 17:57:54 +03:00
Alexander Block
294d6ce221
Use proper style (spacing) for docker_storage_options
2016-12-09 13:56:56 +01:00
Alexander Block
14bd3e5d23
Allow to specify docker storage driver
2016-12-09 13:56:56 +01:00
Bogdan Dobrelya
c032d20962
Merge pull request #700 from bogdando/tags
...
Add tags
2016-12-09 13:23:56 +01:00
Bogdan Dobrelya
0b1ce03167
Add tags
...
Add tags to allow more granular tasks filtering.
Add generator script for MD formatted tags found.
Add docs for tags how-to.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-09 12:14:28 +01:00
Alexander Block
ddc399605a
Add playbook and role to reset the cluster
...
This deletes everything related to the cluster and allows to start from
scratch.
2016-12-09 11:15:36 +01:00
Aleksandr Didenko
63b655cd7b
Convert docker_versioned_pkg dict keys to string
...
This will allow to use '-e docker_version=1.12' in ansible playbook
execution. It's also backward-compatible and will work with floating
docker_version format in custom yaml files.
Closes #702
2016-12-09 09:17:36 +01:00
Matthew Mosesohn
be117265d9
Merge pull request #668 from bodepd/etcd_access_address
...
Use etcd host ip instead of hostname to build etcd_access_addresses
2016-12-09 07:54:12 +03:00
Bogdan Dobrelya
aee21136ce
Merge pull request #691 from adidenko/calico-old-cni-fix
...
Fix possible problems with legacy calicoctl
2016-12-08 12:00:08 +01:00
Dan Bode
f7a7e064b5
Allow etcd_access_addresses to be more flexible
...
The variale etcd_access_addresses is used to determine
how to address communication from other roles to
the etcd cluster.
It was set to the address that ansible uses to
connect to instance ({{ item }})s and not the
the variable:
ip_access
which had already been created and could already
be overridden through the access_ip variable.
This change allows ansible to connect to a machine using
a different address than the one used to access etcd.
2016-12-07 10:33:15 -08:00
Matthew Mosesohn
75782aa262
Force hardlink for calico/canal certs
...
Fixes : #669
2016-12-07 19:03:22 +03:00
Bogdan Dobrelya
1b17efee19
Merge pull request #692 from bogdando/gce_fixes
...
Change GCE sysctls placement and docs
2016-12-07 16:17:30 +01:00
Bogdan Dobrelya
965b27e48e
Change GCE sysctls placement and docs
...
Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of
the /etc/sysctl.d/11-gce-network-security.conf. It is recreated
by GCE, f.e. if gcloud CLI invokes some security related changes,
thus losing customizations we want to be persistent.
Update cloud providers firewall requirements in calico docs.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-07 12:53:45 +01:00
Aleksandr Didenko
611038e306
Fix possible problems with legacy calicoctl
...
When running legacy calicoctl we do not specify calico hostname in
calico-node container thus we should not specify it in CNI config.
Also move 'legacy_calicoctl' set_fact task to the top.
2016-12-07 12:26:44 +01:00
fen4o
10ce760450
add cluster-signing to kube-controller-manager
...
kube-controller-manager's cluster signing cert and key points by default to not
existing `/etc/kubernetes/ca/ca.pem` and `/etc/kubernetes/ca/ca.key` [docs][1]
[1]: http://kubernetes.io/docs/admin/kube-controller-manager/#options
2016-12-07 11:20:18 +02:00
Bogdan Dobrelya
8e28cb8095
Merge pull request #584 from chadswen/docker-options-refactor
...
Docker Options Refactor
2016-12-07 07:57:53 +01:00
Bogdan Dobrelya
ae7769d832
Merge pull request #684 from adidenko/fix-calico-peering
...
Calico: fix peering with routers for new version
2016-12-06 22:42:02 +01:00
Spencer Smith
08fb5b6c01
Merge pull request #627 from kubernetes-incubator/issue-626
...
add restart flag for docker run kubelet
2016-12-06 08:47:18 -08:00
Aleksandr Didenko
992fcd1680
Calico: fix peering with routers for new version
...
In new `calicoctl` version nodes peering with routers is broken.
We need to use predictable node names for calico-node and the
same names in calico `bgpPeer` resources and CNI.
2016-12-06 17:17:39 +01:00