Commit graph

1518 commits

Author SHA1 Message Date
Bogdan Dobrelya
bac3bf1a5f
Fix auto-evaluated API access endpoint for bind IP (#2086)
Auto configure API access endpoint with a custom bind IP, if provided.
Fix HA docs' http URLs are https in fact, clarify the insecure vs secure
API access modes as well.

Closes: #issues/2051

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2018-01-03 17:40:21 +01:00
RongZhang
e3b684df21
Remove blank lines
Remove blank lines
2018-01-03 00:54:04 -06:00
Steve Mitchell
e45b30d033 Add etcd key and cert environment variables for use with client auth 2018-01-02 13:52:17 -05:00
Matthew Mosesohn
ad6fecefa8
Update Kubernetes to v1.9.0 (#2100)
Update checksum for kubeadm
Use v1.9.0 kubeadm params
Include hash of ca.crt for kubeadm join
Update tag for testing upgrades
Add workaround for testing upgrades
Remove scale CI scenarios because of slow inventory parsing
in ansible 2.4.x.

Change region for tests to us-central1 to
improve ansible performance
2017-12-25 08:57:45 +00:00
Jan Jungnickel
3fdb2ccf55 Revert back to using an empty var as default to exclude hostname (#2110) 2017-12-22 22:09:59 +00:00
Matthew Mosesohn
29f5b55d42
remove unwanted whitespace for kube_override_hostname (#2105) 2017-12-22 11:31:18 +00:00
rong.zhang
5aef52e8c0 fix dashboard certs secret 2017-12-22 11:17:05 +08:00
Matthew Mosesohn
6bb46e3ecb
Fix param names in preparation for Kubernetes v1.9.0 (#2098)
This does not update v1.9.0, but fixes two incompatibilities
when trying to deploy v1.9.0.
2017-12-20 10:48:09 +00:00
Matthew Mosesohn
127bc01857
Do not override kubelet hostname if cloud_provider is used (#2095)
Starting with Kubernetes v1.8.4, kubelet ignores the AWS cloud
provider string and uses the override hostname, which fails
Node admission checks.

Fixes #2094
2017-12-19 20:18:20 +00:00
Evan Zeimet
a6975c1850 Rename runtime docker_version (#2082)
Renaming runtime docker_version to prevent setting that
value on the command line from breaking the play run.

This fixes #2081
2017-12-19 14:47:54 +00:00
Stanislav Makar
b2cb0725ac Default OpenStack Cinder Storage Class (#2083)
Add possibility to create default OpenStack Cinder Storage Class

Closes: #1609
2017-12-19 14:47:00 +00:00
rong.zhang
b974b144a8 Add RBAC to binding Dahsboard UI 2017-12-18 23:07:19 +08:00
Matthew Mosesohn
bfb25fa47b
Change vault cert ttl to 8y (#2013) 2017-12-15 13:34:00 +00:00
Matthew Mosesohn
b135bcb9d9 Split download container task for delegate and non-delegate modes (#2077)
Ansible cannot seem to handle omitting delegate_to since v2.4.0.0.

Possibly related: https://github.com/ansible/ansible/issues/30760
2017-12-14 16:45:54 +00:00
rong.zhang
0771cd8599 Remove dashboard_tls_key and dashboard_tls_cert 2017-12-13 15:42:20 +08:00
Fang Zhen
91d848f98a Make spliting system_search_domains more robust
The search line in /etc/resolv.conf could have
multiple spaces or tabs between domains.
split(' ') will give wrong results in some case,
use split() without argument instead.

e.g.
>>> 'domain.tld	cluster.tld '.split(' ')
['domain.tld\tcluster.tld', '']
>>> 'domain.tld cluster.tld '.split()
['domain.tld', 'cluster.tld']
2017-12-13 15:39:38 +08:00
rong.zhang
40edf8c6f5 Update dashboard version to v1.8.0
Update dependencies to be compatible with Kubernetes v1.8
2017-12-13 12:50:44 +08:00
Chad Swenson
e78562830f Retry kube container removal during upgrade
As we have seen with other containers, sometimes container removal fails on the first attempt due to some Docker bugs. Retrying typically corrects the issue.
2017-12-12 12:06:41 -06:00
Brad Beam
39ce1bd8be
Merge pull request #2059 from bradbeam/vaultalt
Fixing alt_names for vault cert generation
2017-12-12 09:28:51 -06:00
Spencer Smith
6291881943
Merge pull request #2057 from rsmitty/master
set docker_version fact regardless of docker_dns in use
2017-12-12 10:28:14 -05:00
Brad Beam
802fd94dad
Merge pull request #2054 from ArchiFleKs/os-cloud-provider-domain-fix
Fix domain id for OpenStack provider
2017-12-11 21:06:16 -06:00
Xu Zhipei
66f38a1b31 fix: always only one docker image got synced after download 2017-12-12 09:51:03 +08:00
Brad Beam
d3850a4da5 Fixing alt_names for vault cert generation 2017-12-11 17:28:18 -06:00
Spencer Smith
53a4355e60 set docker_version fact regardless of docker_dns in use 2017-12-11 17:48:11 -05:00
Brad Beam
19def41fdf
Merge pull request #2047 from bradbeam/vaulttime
Adding retries for vault-temp to come online
2017-12-11 09:04:57 -06:00
ArchiFleKs
44b9dce134 Fix domain id for OpenStack provider
OpenStack authentication does not support using a mix of DomainID and
DomainName, only one or the other should be used.
2017-12-11 15:57:33 +01:00
Brad Beam
fa5a538fe5
Merge pull request #2050 from jbonachera/fix-vault-tls-validation
append newline char to vault generated certs
2017-12-11 08:41:34 -06:00
Brad Beam
9643c2c1e3 Fixes to reset (#2046)
- adding additional directories to cleanup (rkt/vault)
- targeting kubespray ansible groups instead of all
2017-12-11 12:49:21 +00:00
Brad Beam
93f3614382 Fixes #2039 - changing alt_names to be string instead of list (#2043) 2017-12-11 12:48:07 +00:00
Brad Beam
cbc8a7d679
Merge pull request #1995 from b0r1sp/patch-1
Update main.yml
2017-12-10 21:45:02 -06:00
Julien BONACHERA
290bc993a5
append newline char to vault generated certs 2017-12-10 13:06:28 +01:00
Brad Beam
3694657eb6 Adding retries for vault-init to come online 2017-12-09 17:40:44 -06:00
Thomas Sarboni
79417e07ca Fix systemd service unit for docker >= 17.03 (#1844) 2017-12-08 13:12:45 +00:00
Spencer Smith
626b35e1b0
Merge pull request #2005 from riverzhang/patch-1
Delete helm home
2017-12-07 11:23:30 -05:00
Brad Beam
fed7b97dcb
Merge pull request #2030 from mattymo/removerbaccheck
Remove RBAC from boolean checks
2017-12-06 23:41:13 -06:00
Spencer Smith
c4458c9d9a
Merge pull request #1997 from mrbobbytables/feature-keepalived-cloud-provider
Add minimal keepalived-cloud-provider support
2017-12-06 23:28:27 -05:00
riverzhang
aeb3e647d4 Remove the network device created by the flannel (#2006)
* Remove the network device created by the flannel

Remove the network device created by the flannel

* Modify flannel.1 device path

Modify flannel.1 device path

* remove trailing spaces
2017-12-06 14:15:39 +00:00
Kuldip Madnani
fe036cbe77 Adding changes to handle updation of yum Management cache in rhel. (#2026)
* Adding changes to handle updation of yum cache in rhel.

* Removed the redundant spaces
2017-12-06 09:00:41 +00:00
Matthew Mosesohn
952ec65a40 Remove RBAC from boolean checks 2017-12-06 11:57:40 +03:00
Chad Swenson
b8788421d5 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled).

Rework of #1937 with kubeadm support

Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
2017-12-05 09:13:45 -06:00
Brad Beam
c2347db934
Merge pull request #1953 from chadswen/dashboard-refactor
Kubernetes Dashboard v1.7.1 Refactor
2017-12-05 08:50:55 -06:00
Brad Beam
27ead5d4fa
Merge pull request #2003 from abelgana/master
Change altnames to alt_names
2017-12-05 08:48:32 -06:00
Stanislav Makar
6ade7c0a8d Update k8s version to 1.8.4 (#2015)
* Update k8s version to 1.8.4

* Update main.yml
2017-12-04 16:23:04 +00:00
Matthew Mosesohn
a0225507a0
Set helm deployment type to host (#2012) 2017-11-29 19:52:54 +00:00
Steven Hardy
d39a88d63f Allow setting --bind-address for apiserver hyperkube (#1985)
* Allow setting --bind-address for apiserver hyperkube

This is required if you wish to configure a loadbalancer (e.g haproxy)
running on the master nodes without choosing a different port for the
vip from that used by the API - in this case you need the API to bind to
a specific interface, then haproxy can bind the same port on the VIP:

root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
tcp        0      0 192.168.24.6:6443       0.0.0.0:*               LISTEN      0          680613     134504/haproxy
tcp        0      0 192.168.24.16:6443      0.0.0.0:*               LISTEN      0          653329     131423/hyperkube
tcp        0      0 192.168.24.16:6443      192.168.24.16:58404     ESTABLISHED 0          652991     131423/hyperkube
tcp        0      0 192.168.24.16:58404     192.168.24.16:6443      ESTABLISHED 0          652986     131423/hyperkube

This can be achieved e.g via:

kube_apiserver_bind_address: 192.168.24.16

* Address code review feedback

* Update kube-apiserver.manifest.j2
2017-11-29 15:24:02 +00:00
unclejack
e5d353d0a7 contiv network support (#1914)
* Add Contiv support

Contiv is a network plugin for Kubernetes and Docker. It supports
vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
multiple networks and bridging pods onto physical networks.

* Update contiv version to 1.1.4

Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.

* Load openvswitch module to workaround on CentOS7.4

* Set contiv cni version to 0.1.0

Correct contiv CNI version to 0.1.0.

* Use kube_apiserver_endpoint for K8S_API_SERVER

Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
to a available endpoint no matter if there's a loadbalancer or not.

* Make contiv use its own etcd

Before this commit, contiv is using a etcd proxy mode to k8s etcd,
this work fine when the etcd hosts are co-located with contiv etcd
proxy, however the k8s peering certs are only in etcd group, as a
result the etcd-proxy is not able to peering with the k8s etcd on
etcd group, plus the netplugin is always trying to find the etcd
endpoint on localhost, this will cause problem for all netplugins
not runnign on etcd group nodes.
This commit make contiv uses its own etcd, separate from k8s one.
on kube-master nodes (where net-master runs), it will run as leader
mode and on all rest nodes it will run as proxy mode.

* Use cp instead of rsync to copy cni binaries

Since rsync has been removed from hyperkube, this commit changes it
to use cp instead.

* Make contiv-etcd able to run on master nodes

* Add rbac_enabled flag for contiv pods

* Add contiv into CNI network plugin lists

* migrate contiv test to tests/files

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

* Add required rules for contiv netplugin

* Better handling json return of fwdMode

* Make contiv etcd port configurable

* Use default var instead of templating

* roles/download/defaults/main.yml: use contiv 1.1.7

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2017-11-29 14:24:16 +00:00
Di Xu
de422c822d update nginx tag to use multi-arch docker image (#2009) 2017-11-29 10:39:52 +00:00
Matthew Mosesohn
4d3326b542
Raise default vault lease TTL to 10y (#2008) 2017-11-29 10:38:59 +00:00
riverzhang
1b82138142 Delete helm home
Delete helm home
2017-11-29 13:27:09 +08:00
Christopher Randles
208ff8e350 Allow for more customization of the tiller deploy (#1946) 2017-11-28 18:33:57 +00:00
Matthew Mosesohn
ec54b36e05
add retries for calico/canal etcd commands (#2007) 2017-11-28 16:39:55 +00:00
Spencer Smith
38e8522cbf
Merge pull request #1983 from tomdee/bump-flannel-ver
Bump flannel version to v0.9.1
2017-11-28 11:38:55 -05:00
Spencer Smith
52f8687397
Merge pull request #1977 from mattymo/initializers
Disable initializers feature gate if istio is not used
2017-11-28 11:37:41 -05:00
Spencer Smith
43600ffcf8
Merge pull request #1972 from chadswen/master-static-pod-flush
Additional flush for static pod master upgrade
2017-11-28 11:36:38 -05:00
Christopher Randles
938d2d9e6e update helm/tiller to v2.7.2 -- security bugfix (#1986) 2017-11-28 14:52:42 +00:00
Kevin Lefevre
9368dbe0e7 update calico to 2.6.2 (#1874)
Move RS to deployment so no need to take care of the revision history
limits :
  - Delete the old RS
  - Make Calico manifest a deployment
  - move deployments to apps/v1beta2 API since Kubernetes 1.8
2017-11-28 12:01:30 +00:00
abelgana
fe3290601a
The variable altnames is used by this task.
Since the value will change on the default. It needs to change here also.
2017-11-27 06:57:16 -05:00
abelgana
e7173e1d62
Change altnames to alt_names
Hi,

Could you please check if it was a typo?

https://www.vaultproject.io/api/secret/pki/

Regards,
2017-11-25 17:29:21 -05:00
Bogdan Dobrelya
8aafe64397
Defaults for apiserver_loadbalancer_domain_name (#1993)
* Defaults for apiserver_loadbalancer_domain_name

When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.

Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Define defaults for LB modes in common defaults

Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-11-23 16:15:48 +00:00
Bob Killen
2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
brx
b80ded63ca
Update main.yml
just a small spelling mistake
2017-11-21 22:37:52 +01:00
Simon Li
7be2521a31 Add flannel hairping mode 2017-11-21 10:43:50 +00:00
Tom Denham
15b9d54a32
Bump flannel version to v0.9.1 2017-11-16 12:52:18 -07:00
Spencer Smith
bc1a4e12ad fix broken variable in ansible 2.4.1.0 and ensure tasks for calico-rr (#1982) 2017-11-16 18:44:15 +00:00
Matthew Mosesohn
67419e8d0a
Run rotate_tokens role only once (#1970) 2017-11-15 18:50:23 +00:00
Chad Swenson
849aaf7435 Update to k8s 1.8.3 (#1971) 2017-11-15 17:43:22 +00:00
Chad Swenson
a89ee8c406 Add ability to use custom cert secret instead of init container provisioned self-signed certs 2017-11-15 10:05:52 -06:00
Chad Swenson
0c6f172e75 Kubernetes Dashboard v1.7.1 Refactor
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated.

* New login/auth options that use apiserver auth proxying by default
* Requires RBAC in `authorization_modes`
* Only serves over https
* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL:
* Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials
* Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
* It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
2017-11-15 10:05:48 -06:00
Matthew Mosesohn
a67349b076 Disable initializers feature gate if istio is not used 2017-11-15 12:56:36 +00:00
Matthew Mosesohn
f9b68a5d17
Revert "Support for disabling apiserver insecure port" (#1974) 2017-11-14 13:41:28 +00:00
chenhonggc
c7910b51a1 --peers DEPRECATED - --endpoints should be used instead (#1943) 2017-11-14 11:28:35 +00:00
Chad Swenson
1f99710b21 Additional flush for static pod master upgrade
Thought this wasn't required at first but I forgot there's no auto flush at the end of these tasks since the `kubernetes/master` role is not the end of the play.
2017-11-13 18:11:57 -06:00
Aivars Sterns
5e558c361b update weave-net to 2.0.5 version (#1877) 2017-11-13 16:11:47 +00:00
neith00
5f39efcdfd adding mount for kubelet to enable rbd mounts (#1957)
* adding mount for kubelet to enable rbd mounts

* fix conditionnal variable name
2017-11-13 14:04:13 +00:00
Stanislav Makar
037edf1215 Fix failed task of setting up bash completion for helm (#1968)
Closes: #1967
2017-11-13 10:15:53 +00:00
Hyunsun Moon
37125866ca Make calico_node_ignorelooserpf have an effect (#1945) 2017-11-13 09:35:13 +00:00
Günther Grill
421e73b87c Add missing exclamation mark in shebang line (#1966) 2017-11-13 09:34:21 +00:00
Brad Beam
c115e5677e
Merge pull request #1828 from hzamani/patch-1
Use etcd_access_addresses for vault_etcd_url
2017-11-10 10:56:37 -05:00
Spencer Smith
09d85631dc
Merge pull request #1944 from chadswen/reload-master-pods
Master component and kubelet container upgrade fixes
2017-11-08 22:23:12 -05:00
Brad Beam
f25e4dc3ed
Merge pull request #1937 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port
2017-11-08 18:13:49 -05:00
Spencer Smith
0126168472 provide environment for rkt trust and run with etcd 2017-11-08 12:57:22 -05:00
Chad Swenson
e9f795c5ce Master component and kubelet container upgrade fixes
* Fixes an issue where apiserver and friends (controller manager, scheduler) were prevented from restarting after manifests/secrets are changed. This occurred when a replaced kubelet doesn't reconcile new master manifests, which caused old master component versions to linger during deployment. In my case this was causing upgrades from k8s 1.6/1.7 -> k8s 1.8 to fail
* Improves transitions from kubelet container to host kubelet by preventing issues where kubelet container reappeared during the deployment
2017-11-08 01:40:33 -06:00
Chad Swenson
0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
Günther Grill
0d55ed3600 Avoid that some read-only tasks cause an ansible-change (#1910) 2017-11-06 13:51:07 +00:00
Haiwei Liu
ad0cd6939a Add support cAdvisor (#1908)
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
2017-11-06 13:50:28 +00:00
Stanislav Makar
33adb334cd Fix openstack tenant id variable name (#1932) 2017-11-05 08:40:41 +00:00
Spencer Smith
ef87a8a1f0
Merge pull request #1916 from vtomasr5/master
Fix bad handler directory name in kubeadm role
2017-11-03 18:14:48 -04:00
Spencer Smith
a595c84f7e
Merge pull request #1928 from chadswen/flannel-rbac-fix
Flannel RBAC Fix
2017-11-03 18:12:16 -04:00
Chad Swenson
b158dbcf79 Docker Version Update
Update default docker version to 17.03.1
2017-11-03 12:34:45 -05:00
Matthew Mosesohn
ab3832f3e7
Set host IP for kubelet always (#1924)
* Set host IP for kubelet always

Use ansible default IP if ip var is not set.

* Update main.yml
2017-11-03 10:19:37 +00:00
Kevin Lefevre
9bf415f749 update helm to v2.7.0 (#1875)
* update helm to v2.7.0

* Update main.yml
2017-11-03 07:15:00 +00:00
Günther Grill
a2bda9e5f1 Eliminate jinja2 template expression warning and rename coreos-python var (#1911)
* Change deprecated vagrant ansible flag 'sudo' to 'become'

* Emphasize, that the name of the pip_pyton_modules is only considered in coreos

* Remove useless unused variable

* Fix warning when jinja2 template-delimiters used in when statement

There is no need for jinja2 template-delimiters like {{ }} or {% %}
any more. They can just be omitted as described in https://github.com/ansible/ansible/issues/22397

* Fix broken link in getting-started guide
2017-11-03 07:11:36 +00:00
Günther Grill
0195725563 Workaround ansible bug where access var via dict doesn't get real value (#1912)
* Change deprecated vagrant ansible flag 'sudo' to 'become'

* Workaround ansible bug where access var via dict doesn't get real value

When accessing a variable via it's name "{{ foo }}" its value is
retrieved. But when the variable value is retrieved via the vars-dict
"{{ vars['foo'] }}" this doesn't resolve the expression of the variable
any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't
longer resolved but just returned as string "1 == 1".

* Make file yamllint complient
2017-11-03 07:11:14 +00:00
Spencer Smith
ec1170bd37 only mount volumes if local_volumes_enabled is true. fix mount flags in rkt. (#1923) 2017-11-03 07:10:37 +00:00
Matthew Mosesohn
66c67dbe73
Add optional helm deployment mode for host (#1920) 2017-11-03 07:09:24 +00:00
Chad Swenson
16ae2c1809 Flannel RBAC Fix
Fixes a bug that can occur if `cni-flannel-rbac.yml` was written but the playbook failed before it was applied. Uses the same approach as calico.
2017-11-02 23:20:23 -05:00
Spencer Smith
4771716ab2
Merge pull request #1907 from mattymo/disable_anon_auth
Block anonymous auth requests to kubelet
2017-11-02 12:01:39 -04:00
Spencer Smith
b156585739
Merge pull request #1917 from chadswen/docker-daemon-graph
Fix kubelet container with alternate Docker data paths
2017-11-02 11:58:55 -04:00
Matthew Mosesohn
520103df78 Change namespace for provisioner account 2017-11-02 10:16:08 +00:00
Matthew Mosesohn
3e3787de15 Fix local volume provisioner mount point for rkt 2017-11-02 09:45:26 +00:00