Matthew Mosesohn
bd7b91b07a
Merge pull request #1166 from rogerwelin/master
...
add iptables --flush to reset role
2017-04-03 17:25:10 +03:00
Matthew Mosesohn
0b2141817a
Merge pull request #1182 from artem-panchenko/bumpCalicoPolicyControllerVersion
...
Bump calico policy controller version
2017-04-03 17:21:52 +03:00
Paweł Skrzyński
cee89ec562
Use hostname module to set hostname, and do it for all OSes, not only CoreOS
2017-04-03 15:09:33 +02:00
Matthew Mosesohn
a5391ff21a
use etcd2 when upgrading unless forced
2017-04-03 15:07:42 +03:00
Matthew Mosesohn
c30fcc1a5b
Merge pull request #1194 from adidenko/fix-sync_certs
...
Fix multiline when condition in sync_certs task
2017-03-31 17:39:40 +03:00
Aleksandr Didenko
0762afd390
Fix multiline when condition in sync_certs task
...
Folded style in multiline 'when' condition causes error with
unexpected ident. Changing it to literal style should fix
the issue.
Closes #1190
2017-03-30 22:21:04 +02:00
Spencer Smith
c2a5453f6f
Merge pull request #1170 from jlothian/atomic-docker-network
...
1169 - fix docker systemd unit
2017-03-30 13:13:28 -07:00
Matthew Mosesohn
423fe7e51d
Update .gitlab-ci.yml
2017-03-30 12:19:15 +04:00
Matthew Mosesohn
0e648347f9
fix etcd restart
2017-03-29 23:22:49 +04:00
Matthew Mosesohn
1d4e6b2ade
delete master containers forcefully
2017-03-27 19:08:22 +03:00
Matthew Mosesohn
1e1dfe2cab
restart scheduler and controller-manager too
2017-03-27 13:51:35 +03:00
Matthew Mosesohn
eab686bd56
ensure post-upgrade purge ones only once
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
f953303722
switch debian8-canal-ha to ubuntu
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
a7bedd30ab
move network plugins out of grouped upgrades
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
1a96970918
Fix delegate tasks for kubectl and etcdctl
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
bf3425322f
Significantly reduce memory requirements
...
Canal runs more pods and upgrades need a bit of extra
room to load new pods in and get the old ones out.
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
f1f58166e5
Only cordon Ready nodes
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
68a1faaaa0
Move graceful upgrade test to debian canal HA, adjust drain
...
Graceful upgrades require 3 nodes
Drain now has a command timeout of 40s
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
986a89be66
Merge pull request #1181 from holser/refactor_etcd
...
Refactor etcd role
2017-03-27 13:05:35 +03:00
Sergii Golovatiuk
77671dbd05
Refactor etcd role
...
- Run docker run from script rather than directly from systemd target
- Refactoring styling/templates
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-24 12:34:15 +01:00
Artem Panchenko
bc0db79c86
Bump calico policy controller version
...
Latest released version of kube-policy-controller
contains important bug fixes and should be used
by default.
2017-03-24 12:13:09 +02:00
Matthew Mosesohn
503dc26f11
Merge pull request #1177 from rutsky/replace-nbsp
...
replace non-breakable space with regular space
2017-03-23 12:59:45 +03:00
Matthew Mosesohn
5879d62869
Merge pull request #1179 from kubernetes-incubator/missing_defaults
...
Add missing defaults
2017-03-23 12:16:13 +03:00
Antoine Legrand
9f1ca9377f
Add missing defaults
2017-03-23 10:05:34 +01:00
Vladimir Rutsky
bc30ea7582
replace non-breakable space with regular space
...
Non-breakable space is 0xc2 0xa0 byte sequence in UTF-8.
To find one:
$ git grep -I -P '\xc2\xa0'
To replace with regular space:
$ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g'
This commit doesn't include changes that will overlap with commit f1c59a91a1.
2017-03-23 00:25:01 +03:00
Matthew Mosesohn
daf88282cc
Merge pull request #1172 from mattymo/dnsmasq_upgrade
...
Use checksum of dnsmasq config to trigger updates of dnsmasq
2017-03-22 18:00:10 +03:00
Matthew Mosesohn
8098b77e41
Merge pull request #1167 from mattymo/dnsmasq_when_deploying_master
...
Change wait for dnsmasq to skip if there are no kube-nodes in play
2017-03-22 17:59:56 +03:00
Brad Beam
388469c70a
Setting defaults for docker log rotation
2017-03-22 09:40:10 -04:00
Roger Welin
da26c560b2
add iptables --flush to reset role
2017-03-22 11:10:24 +01:00
Matthew Mosesohn
e020457d1d
Use checksum of dnsmasq config to trigger updates of dnsmasq
...
Allows config changes made by Ansible to restart dnsmasq deployment
2017-03-22 13:03:55 +03:00
Josh Lothian
18404db076
1169 - fix docker systemd unit
...
The docker-network environment file masks the new values
put into /etc/systemd/system/docker.service.d/flannel-options.conf
to renumber the docker0 to work correctly with flannel.
2017-03-21 15:22:14 -05:00
Matthew Mosesohn
51985ab9de
Change wait for dnsmasq to skip if there are no kube-nodes in play
...
Also changed unnecessary delay to a max timeout (now defaulting to 1s sleep
between tries)
Also rename play_hosts to ansible_play_hosts
2017-03-21 18:55:22 +03:00
Matthew Mosesohn
df09b8dc36
Merge pull request #1159 from holser/etcd_backup_restore
...
Backup etcd
2017-03-21 13:07:44 +03:00
Matthew Mosesohn
b68e545bad
Merge pull request #1155 from mattymo/helm
...
Add helm deployment
2017-03-20 17:00:06 +03:00
Sergii Golovatiuk
e635fecc01
Backup etcd data before restarting etcd
...
etcd is a crucial part of a kubernetes cluster. Ansible restarts etcd on
reconfiguration. A backup helps the operator to restore the cluster manually in
case of any issues.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-20 14:50:52 +01:00
Matthew Mosesohn
f9ef55c796
Merge pull request #1152 from mattymo/redhat_weave
...
Fix weave on RHEL deployment
2017-03-19 16:45:20 +03:00
Matthew Mosesohn
182a2e682f
Merge pull request #1149 from mattymo/centos-retries
...
Retry yum/apt/rpm download commands
2017-03-18 11:12:36 +03:00
Matthew Mosesohn
579a6299c0
Add helm deployment
2017-03-17 20:24:41 +03:00
Matthew Mosesohn
dd56342361
Retry yum/apt/rpm download commands, fix succeeded filter
2017-03-17 18:56:26 +03:00
Matthew Mosesohn
b060d3279c
Merge pull request #1146 from mattymo/resolvconf_optimize
...
Condense resolvconf sources before starting loop
2017-03-17 18:42:32 +03:00
Matthew Mosesohn
446a4bbdc8
Fix weave on RHEL deployment
...
Reduce retry delay checking weave
Always load br_netfilter module
2017-03-17 18:17:47 +03:00
Matthew Mosesohn
a5876a1ac8
Merge pull request #1136 from adidenko/fix-calico-policy-order
...
Move calico-policy-controller into separate role
2017-03-17 17:32:14 +03:00
Aleksandr Didenko
1adf231512
Move calico-policy-controller into separate role
...
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.
K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.
This patch also fixes kube-api port in calico-policy-controller
yaml template.
Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn
2586d01345
Condense resolvconf sources before starting loop
2017-03-17 13:06:56 +03:00
Matthew Mosesohn
3ee77a08cd
Update calico to 1.1.0-rc8
...
Fixes bug in CentOS/RHEL in felix related to overlayfs driver.
2017-03-16 19:23:36 +03:00
Matthew Mosesohn
bf5bf13003
Merge pull request #1087 from bradbeam/openstack
...
Adding openstack domain id
2017-03-16 17:53:14 +03:00
Matthew Mosesohn
7e13e17d9f
Merge pull request #1108 from idcrook/issue_1107-docker-versioning
...
Adding Docker CE 'stable' and 'edge' version packages
2017-03-16 16:32:13 +03:00
Matthew Mosesohn
ad03f3ac84
Merge branch 'master' into idempotency2
2017-03-16 09:29:43 +03:00
Matthew Mosesohn
261aeb6112
Merge pull request #1138 from mattymo/idempotency-fixes
...
Idempotency fixes for etcd certs and resolvconf tasks
2017-03-16 09:20:28 +03:00
Matthew Mosesohn
fad22bae97
More idempotency fixes
...
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changeability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
2017-03-15 19:06:39 +03:00
Matthew Mosesohn
7b5d6c7a06
Merge pull request #1137 from holser/bug/1135
...
Turn on iptables for flannel
2017-03-15 17:06:42 +03:00
Matthew Mosesohn
20247b9c0a
Merge pull request #1080 from VincentS/Granular_Auth_Control
...
Granular authentication Control
2017-03-15 13:12:51 +03:00
Matthew Mosesohn
210d9503f3
Merge pull request #1117 from mattymo/etcd3-upgrade
...
Migrate k8s data to etcd3 api store
2017-03-15 12:56:06 +03:00
Matthew Mosesohn
4287993811
Make resolvconf preinstall idempotent
2017-03-15 01:20:13 +04:00
Sergii Golovatiuk
97a7f1c4a5
Turn on iptables for flannel
...
Closes : #1135
Closes : #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-03-14 17:54:55 +01:00
Vincent Schwarzer
ea1f072c7e
Granular authentication Control
...
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding or
removing the required arguments to the Kube API Server and generating
the secrets accordingly.
The x509 authentication is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Matthew Mosesohn
8450ff00cc
Merge pull request #1134 from mattymo/1.6-support
...
Explicitly set cni-bin-dir
2017-03-14 17:53:08 +03:00
Matthew Mosesohn
25b366dd98
Migrate k8s data to etcd3 api store
...
Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data
2017-03-14 17:50:20 +03:00
Matthew Mosesohn
bb66bb19e8
Fix etcd idempotency
2017-03-14 17:23:29 +03:00
Matthew Mosesohn
e486dabc42
Merge pull request #1078 from VincentS/oidc_support
...
Added Support for OpenID Connect Authentication
2017-03-14 12:07:21 +03:00
Matthew Mosesohn
944fa9d975
Explicitly set cni-bin-dir
2017-03-13 20:13:21 +03:00
Matthew Mosesohn
f2900d65e1
Merge pull request #1118 from mattymo/noderolelabels
...
Add node labels in kubelet
2017-03-13 19:04:21 +03:00
David Crook
9e6983a11f
updated debian and ubuntu package names based on testing
...
docker-ce is not the .deb package until the repositories are switched over to new "downloads" docker webserver
2017-03-06 16:54:39 -07:00
David Crook
32d1edf0b9
removed irrelevant comments
2017-03-06 16:02:53 -07:00
David Crook
b1d701ae47
Merge branch 'master' into issue_1107-docker-versioning
2017-03-06 16:00:31 -07:00
Brad Beam
0c96b5d3fc
Removing cloud_provider tag to fix scenario where cloud_provider is not defined
2017-03-06 10:52:38 -06:00
Matthew Mosesohn
8065a2355c
Add node labels in kubelet
...
Related-issue: https://github.com/kubernetes/community/issues/300
Upgraded nodes do not obtain labels automatically.
See https://github.com/kubernetes/kubernetes/pull/29459 for more details.
2017-03-06 17:18:42 +03:00
Vincent Schwarzer
ea6bf9143f
Added Support for OpenID Connect Authentication
...
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necessary to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Antoine Legrand
bfe58a7750
Merge pull request #1045 from bradbeam/vsphere
...
Adding vsphere cloud provider support
2017-03-06 12:34:05 +01:00
Antoine Legrand
8595bf50cd
Merge pull request #1112 from mattymo/skip_vault_if_disabled
...
Disable vault role properly on ansible 2.2.0
2017-03-06 11:27:53 +01:00
Matthew Mosesohn
7a3956173a
Disable vault role properly on ansible 2.2.0
...
when condition does not seem to work correctly at playbook
level for ansible 2.2.0.
2017-03-05 00:43:01 +04:00
Matthew Mosesohn
f247a75afd
Remove standalone etcd specific play, cleanup host mode
...
Now etcd role can optionally disable etcd cluster setup for faster
deployment when it is combined with etcd role.
2017-03-04 00:34:26 +04:00
Matthew Mosesohn
cd3c402454
Merge pull request #1111 from mattymo/use_find_for_certs
...
Use find module for checking for certificates
2017-03-03 20:08:33 +03:00
Matthew Mosesohn
7e1aa3b43b
Use find module for checking for certificates
...
Also generate certs only when absent on master (rather than
when absent on target node)
2017-03-03 16:21:01 +03:00
Bogdan Dobrelya
1cca1909c9
Merge pull request #1071 from vijaykatam/atomic_host
...
Add support for atomic host
2017-03-03 13:03:59 +01:00
Matthew Mosesohn
4b50274b33
Merge pull request #1075 from VincentS/loadbalancer_aws
...
Possibility to add Loadbalancers without static IP (e.g. AWS ELB) #1074
2017-03-03 14:07:22 +03:00
David Crook
8eb0957fe0
first pass at adding 'stable' and 'edge' version packages
...
- Only have ubuntu to test on
- fedora and redhat are placeholders/guesses
- the "old" package repositories seem to have the "new" CE version which is `1.13.1` based
- `docker-ce` looks like it is named as a backported `docker-engine` package in some
places
- Did not change the `defaults` version anywhere, so should work as before
- Did not point to new package repositories, as existing ones have the new packages.
2017-03-02 13:48:09 -07:00
Matthew Mosesohn
d1299f358b
Merge pull request #1060 from holser/etcdv3
...
Allow to specify etcd backend for kube-api
2017-03-02 17:24:09 +03:00
Matthew Mosesohn
09c3a4f8d1
Merge pull request #1093 from mattymo/scaledns
...
Add autoscalers for dnsmasq and kubedns
2017-03-02 16:58:56 +03:00
Matthew Mosesohn
576ffe83c7
Add autoscalers for dnsmasq and kubedns
...
By default kubedns and dnsmasq scale when installed.
Dnsmasq is no longer a daemonset. It is now a deployment.
Kubedns is no longer a replicationcluster. It is now a deployment.
Minimum replicas is two (to enable rolling updates).
Reduced memory requirements for dnsmasq and kubedns
2017-03-02 13:44:22 +03:00
Vincent Schwarzer
9164b9cdcf
Changes based on feedback (additional ansible checks)
2017-03-02 11:04:10 +01:00
Vincent Schwarzer
3ef7365cae
Modified how adding LB for the Kube API is handled (AWS)
...
Until now it was not possible to add an API Loadbalancer
without a static IP Address. But certain Loadbalancers
like AWS Elastic Loadbalancer don't have a fixed IP address.
With this commit it is possible to add these kinds of Loadbalancers
to the Kargo deployment.
2017-03-02 11:04:10 +01:00
Matthew Mosesohn
b9cd6d4e4d
Merge pull request #1101 from retr0h/docker-1.13.1
...
Use docker-engine 1.13.1
2017-03-02 12:31:58 +03:00
John Dewey
e19bd9b543
Use docker-engine 1.13.1
...
The default version of Docker was switched to 1.13 in #1059. This
change also bumped ubuntu from installing docker-engine 1.13.0 to
1.13.1. This PR updates os families which had 1.13 defined, but
were using 1.13.0.
The impetus for this change is an issue running tiller 1.2.3 on
docker 1.13.0. See discussion [1][2].
[1] https://github.com/kubernetes/helm/issues/1838
[2] https://github.com/kubernetes-incubator/kargo/pull/1100
2017-03-01 12:53:39 -08:00
Matthew Mosesohn
b6861ebed0
Merge pull request #959 from galthaus/host-mode-restart
...
Restart kube-controller for host_resolvconf mode
2017-03-01 20:54:21 +03:00
Vijay Katam
8fc5a844b3
Add support for atomic host
...
Updates based on feedback
Simplify checks for file exists
remove invalid char
Review feedback. Use regular systemd file.
Add template for docker systemd atomic
2017-03-01 09:38:19 -08:00
Antoine Legrand
f7c3a8efe2
Merge pull request #1076 from VincentS/etcd_openssl_count_fix
...
Fixed counter in ETCD Openssl.conf
2017-03-01 14:17:27 +01:00
Bogdan Dobrelya
7f1a1c3123
Merge pull request #1090 from artem-panchenko/calicoAcceptHostEndpointConnections
...
Allow connections from pods to local endpoints
2017-03-01 13:37:05 +01:00
Artem Panchenko
05c8061c24
Allow connections from pods to local endpoints
...
By default Calico blocks traffic from endpoints
to the host itself by using an iptables DROP
action. It could lead to a situation when service
has one alive endpoint, but pods which run on
the same node can not access it. Changed the action
to RETURN.
2017-03-01 09:21:02 +02:00
Matthew Mosesohn
2f86520ce7
Merge pull request #1066 from bradbeam/rkt-kubelet-cloudprovider
...
Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service
2017-02-28 20:02:56 +03:00
Sergii Golovatiuk
d9f67a343c
Allow to specify etcd backend for kube-api
...
Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue to use it
until user decides to upgrade to v3.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 17:13:22 +01:00
Sergii Golovatiuk
2a88210f78
Change kube-api default port from 443 to 6443
...
Operator can specify any port for kube-api (6443 default). This helps in
case where some pods such as Ingress require 443 exclusively.
Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 15:45:35 +01:00
Brad Beam
a939c53d86
Adding KUBELET_CLOUDPROVIDER to kubelet.rkt.service
2017-02-28 06:29:35 -06:00
Matthew Mosesohn
015f1305eb
Merge pull request #1086 from bradbeam/lowermem
...
Lower default memory requests
2017-02-28 13:37:28 +03:00
Brad Beam
607fb7c89d
Making openstack domain name optional
2017-02-27 21:19:27 -06:00
Xavier Lange
60af40af27
Bug fix: support kilo's keystone requirement for domain-name, extracts from ENV var
2017-02-27 21:18:30 -06:00
Brad Beam
6a144213c9
Updating vsphere cloud provider support
2017-02-27 15:08:04 -06:00
Sergii Golovatiuk
a011677697
Make etcd data dir configurable.
...
Closes : #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-27 21:35:51 +01:00
Jan Jungnickel
c11f981692
Initial support for vsphere as cloud provider
2017-02-27 12:51:41 -06:00
Brad Beam
c50bb7d252
Lower default memory requests
...
This is to address out of memory issues on CI as well as help
fit deployments for people starting out with kargo on smaller
machines
2017-02-27 10:53:43 -06:00