C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
3246 commits 17 branches 66 tags 141 MiB
Commit graph

2055 commits

Author SHA1 Message Date
Andreas Krüger 2ca7087018
Merge pull request #2524 from avoidik/systemd_user_kubelet 
Set exact user for Kubelet services
 2018-03-27 16:41:10 +02:00
Andreas Krüger d665f14682
Merge pull request #2526 from mzehrer/patch-1 
Remove  kibana_base_url
 2018-03-27 12:40:31 +02:00
avoidik e375678674 Set exact user for Kubelet services 2018-03-27 11:13:52 +03:00
Sergey Bondarev 4f7479d94d add etc tunning options 
https://coreos.com/etcd/docs/latest/tuning.html

etcd_snapshot_count
and
ionice priority
 2018-03-26 17:25:51 +03:00
Michael Zehrer b8d1652baf
Remove kibana_base_url 
The default for kibana_base_url does not make sense an makes kibana unusable. The default path forces a 404 when you try to open kibana in the browser. Not setting kibana_base_url works just fine.
 2018-03-25 16:08:07 +02:00
Andreas Krüger f7dc73b830
Merge pull request #2521 from f84anton/patch-1 
optional calico_ip_auto_method variable with IP_AUTODETECTION_METHOD
 2018-03-24 18:37:03 +01:00
Dann Bohn 1d0415a6cf fixes typo in kube_override_hostname for kubeadm 2018-03-24 13:29:07 -04:00
Wong Hoi Sing Edison 3f5c60886b Upgrade Weave to 2.2.1 
- Fix #2414, so namespace isolation should now works
- Update weave-net.yml.j2 as per latest https://cloud.weave.works/k8s/net
- Other minor fixup
 2018-03-24 17:27:12 +08:00
Anton Fayzrahmanov a75598b3f4
IP_AUTODETECTION_METHOD docs 2018-03-24 01:54:17 +03:00
Anton Fayzrahmanov 60a057cace
Update calico-node.yml.j2 2018-03-24 01:46:26 +03:00
Anton Fayzrahmanov dd9d0c0530
optional calico_ip_auto_method variable with IP_AUTODETECTION_METHOD 
can be set to one of
first-found
can-reach 
interface
 2018-03-23 16:33:20 +03:00
Dann Bohn 9fa995ac9d only sets nodeName in kubeadm-config when kube_override_hostname is set 2018-03-23 08:33:25 -04:00
Wong Hoi Sing Edison caec3de364 Updating to use calico-node v2.6.8 2018-03-22 12:33:04 -05:00
Erik Stidham 60bfc56e8e Update Calico and Canal 
- Updating to use calico-node v2.6.7
- A few updates to their manifests too
 2018-03-22 12:30:23 -05:00
Wong Hoi Sing Edison 206e24448b CephFS Provisioner Addon Fixup 2018-03-22 23:03:13 +08:00
Wong Hoi Sing Edison bb1eb9fec8 Add labels for namespace 2018-03-22 21:33:32 +08:00
Keyvan Hedayati b0d7115e9b hswong3i/kubespray#3: Use {{ cluster_name }} for valid FQDN in REGISTRY_HOST 2018-03-22 21:33:32 +08:00
Wong Hoi Sing Edison f8ebd08e75 Registry Addon Fixup 2018-03-22 21:33:32 +08:00
Andreas Krüger 30e4b89837
Merge pull request #2504 from brtknr/patch-1 
Update kube-apiserver.manifest.j2 and kubeadm-config.yaml.j2 to incorporate `endpoint-reconciler-type: lease`
 2018-03-22 09:15:55 +01:00
Andreas Krüger 405c711edb
Remove v in tag 2018-03-22 09:07:28 +01:00
Chad Swenson 0e6b4e80f7
Merge pull request #2490 from woopstar/workaround-fix-1 
Only apply roles from first master node to fix regression
 2018-03-21 20:29:59 -05:00
Chad Swenson 9949782e96
Merge pull request #2489 from woopstar/token-fix-1 
Only copy tokens if tokens_list contains any
 2018-03-21 20:28:06 -05:00
Chad Swenson bbb6e7b3da
Merge pull request #2508 from melkosoft/cilium 
Cilium v.1.0.0-rc8
 2018-03-21 20:25:43 -05:00
Chad Swenson bc68188209
Merge pull request #2498 from zmsp/master 
Upgraded kubernetes from 1.9.3 to 1.9.5
 2018-03-21 20:25:05 -05:00
woopstar d3780e181e Switch hyperkube from CoreOS to Google 2018-03-21 23:27:16 +01:00
Andreas Krüger 2e202051e3
Merge pull request #2364 from whereismyjetpack/default-download 
set local_release_dir in downloads to match others
 2018-03-21 23:16:48 +01:00
Chad Swenson 448c1d5faa
Merge pull request #2509 from chadswen/flannel-update 
Update flannel version to v0.10.0
 2018-03-21 12:15:09 -05:00
Andreas Krüger ff2b8e5e60
Merge pull request #2503 from woopstar/kubelet-fix-1 
Fix duplicate --proxy-client-cert-file and --proxy-client-key-file
 2018-03-21 10:03:31 +01:00
Erwan Miran 8b71ef8ceb Labels from role (node-role.k8s.io/node) and labels from inventory are merged into node-labels parameter in kubelet 2018-03-21 09:19:05 +01:00
mirwan ee8f678010 Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446) 2018-03-21 10:50:32 +03:00
Chad Swenson a6b918c1a1
Merge pull request #2485 from LuckySB/flannel_iface_regexp 
Add --iface-regex options to flannel
 2018-03-20 21:18:01 -05:00
Chad Swenson c025ab4eb4 Update flannel version to v0.10.0 2018-03-20 19:59:51 -05:00
melkosoft ae30009fbc changed version to 1.0.0-rc8 2018-03-20 14:18:56 -07:00
melkosoft 158d775306 changed cilium to 1.0.0-rc7. Set CI to use coreos for cilium test 2018-03-20 12:43:26 -07:00
woopstar 9d540165c0 Set kube_api_aggregator_routing to default false as we use kube-proxy 2018-03-20 16:28:05 +01:00
Bharat Kunwar 13e47e73c8
Update kubeadm-config.yaml.j2 
As requested
 2018-03-20 13:33:36 +00:00
Bharat Kunwar d2fd7b7462
Update kube-apiserver.manifest.j2 2018-03-20 12:19:53 +00:00
Bharat Kunwar d9453f323b
Update kube-apiserver.manifest.j2 2018-03-20 12:16:35 +00:00
Bharat Kunwar b787b76c6c
Update kube-apiserver.manifest.j2 
Ensure that kube-apiserver will respond even if one of the nodes are down.
 2018-03-20 12:06:34 +00:00
woopstar a94a407a43 Fix duplicate --proxy-client-cert-file and --proxy-client-key-file 2018-03-20 12:08:36 +01:00
gorazio 96e46c4209
bump after CLA signing 2018-03-20 10:23:50 +03:00
gorazio aa30fa8009
Add prometheus annotations to spec in ingress 
Added annotations from metadata to spec.template.metadata. Without it, pod does not get any annotations, and Prometheus didn't see it
 2018-03-20 08:47:36 +03:00
Zobair Shahadat ebfee51aca Upgraded kubernetes from 1.9.3 to 1.9.5 2018-03-19 15:42:24 -04:00
Andreas Holmsten 14ac7d797b Rotate local-volume-provisioner token 
When tokens need to rotate, include local-volume-provisioner
 2018-03-19 13:04:18 +01:00
Andreas Krüger f253691a68
Merge pull request #2347 from hswong3i/multiple_artifacts_dir 
Support multiple artifacts under individual inventory directory
 2018-03-19 12:45:55 +01:00
Sergey Bondarev 038da7255f check if group kube-ingress is not empty 
fix spelling mistaker ingress_nginx_host_network
set default value for ingress_nginx_host_network: false
 2018-03-19 12:59:38 +03:00
woopstar f1d2f84043 Only apply roles from first master node to fix regression 2018-03-18 16:15:01 +01:00
woopstar b9a949820a Only copy tokens if tokens_list contains any 2018-03-18 08:42:38 +01:00
Andreas Krüger 50e5f0d28b
Merge pull request #2468 from LuckySB/master 
change expirations period for generated certificate from 10y to 100 years
 2018-03-17 19:43:40 +01:00
Sergey Bondarev 1481f7d64b Dedicated node for ingress nginx controller 
The ability to create dedicated node for ingress nginx controller
host type network for nginx controller

and add from example https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/static-ip/nginx-ingress-controller.yaml
terminationGracePeriodSeconds: 60
 2018-03-17 02:54:46 +03:00
Chad Swenson 7d33650019
Merge pull request #2462 from woopstar/coredns-patch 
Add CoreDNS support
 2018-03-16 18:33:36 -05:00
woopstar e40368ae2b Add CoreDNS support with various fixes 
Added CoreDNS to downloads

Updated with labels. Should now work without RBAC too

Fix DNS settings on hosts

Rename CoreDNS service from kube-dns to coredns

Add rotate based on http://edgeofsanity.net/rant/2017/12/20/systemd-resolved-is-broken.html

Updated docs with CoreDNS info

Added labels and fixed minor settings from official yaml file: https://github.com/kubernetes/kubernetes/blob/release-1.9/cluster/addons/dns/coredns.yaml.sed

Added a secondary deployment and secondary service ip. This is to mitigate dns timeouts and create high resitency for failures. See discussion at 'https://github.com/coreos/coreos-kubernetes/issues/641#issuecomment-281174806'

Set dns list correct. Thanks to @whereismyjetpack

Only download KubeDNS or CoreDNS if selected

Move dns cleanup to its own file and import tasks based on dns mode

Fix install of KubeDNS when dnsmask_kubedns mode is selected

Add new dns option coredns_dual for dual stack deployment. Added variable to configure replicas deployed. Updated docs for dual stack deployment. Removed rotate option in resolv.conf.

Run DNS manifests for CoreDNS and KubeDNS

Set skydns servers on dual stack deployment

Use only one template for CoreDNS dual deployment

Set correct cluster ip for the dns server
 2018-03-16 21:51:37 +01:00
Sergey Bondarev b7e6dd0dd4 Add --iface-regex options to flannel 
Flannel use interface for inter-host communication setted on --iface options
Defaults to the interface for the default route on the machine.

flannel config set via daemonset, and flannel config on all nodes is the same.
But different nodes can have different interface names for the inter-host communication network

The option --iface-regex allows the flannel to find the interface on which the address is set from the inter-host communication network
 2018-03-16 21:44:36 +03:00
Qasim Sarfraz 8ee2091955
Merge pull request #3 from kubernetes-incubator/master 
Sync Upstream
 2018-03-16 17:21:54 +01:00
Sergey Bondarev 3fac550090 Merge remote-tracking branch 'upstream/master' 2018-03-16 14:09:54 +03:00
Andreas Krüger d29a1db134
Merge pull request #2461 from woopstar/patch-11 
Add support to kubeadm too
 2018-03-16 08:24:31 +01:00
Andreas Krüger 653d97dda4
Merge pull request #2472 from woopstar/patch-12 
Make sure output from extra args is strings
 2018-03-16 08:23:50 +01:00
woopstar 40c0f3756b Encapsulate item instead of casting to string 2018-03-15 20:27:21 +01:00
Andreas Krüger 3d6fd49179 Added option for encrypting secrets to etcd v.2 (#2428) 
* Added option for encrypting secrets to etcd

* Fix keylength to 32

* Forgot the default

* Rename secrets.yaml to secrets_encryption.yaml

* Fix static path for secrets file to use ansible variable

* Rename secrets.yaml.j2 to secrets_encryption.yaml.j2

* Base64 encode the token

* Fixed merge error

* Changed path to credentials dir

* Update path to secrets file which is now readable inside the apiserver container. Set better file permissions

* Add encryption option to k8s-cluster.yml
 2018-03-15 22:20:05 +03:00
Oleg Vyukov d843e3d562 Fix indent Custom ConfigMap ingress-nginx (#2447) 2018-03-15 22:18:18 +03:00
Andreas Krüger 788e41a315
Make sure output from extra args is strings 
Setting the following:

```
kube_kubeadm_controller_extra_args:
  address: 0.0.0.0
  terminated-pod-gc-threshold: "100"
```

Results in `terminated-pod-gc-threshold: 100` in the kubeadm config file. But it has to be a string to work.
 2018-03-14 19:23:43 +01:00
MQasimSarfraz 1bcc641dae Create vsphere clusterrole only if it doesnt exists 2018-03-14 11:29:35 +00:00
Sergey Bondarev f8fed0f308 change expirations period for generated certificate from 10 years to 100 years 2018-03-14 13:33:36 +03:00
zhengchuan hu d1e6632e6a Fix err in kubelet.kubeadm.env.j2 
1. 404 link url
2. kubelet_authentication_token_webhook is not work
3. kube_reserved variable set twice
 2018-03-14 17:25:21 +08:00
Aivars Sterns 710295bd2f
Merge pull request #2434 from protomech/feature/azure-vnet-resource-group 
add support for azure vnetResourceGroup
 2018-03-13 17:42:09 +02:00
RongZhang 3e2d68cd32
Merge pull request #2455 from whereismyjetpack/kube-limits 
uses new kube_memory_reserved/kube_cpu_reserved variables in kubelt
 2018-03-13 06:28:07 -05:00
Dann Bohn f3788525ff fixes yamllint for docker defaults, and weave network plugin 2018-03-13 06:15:48 -04:00
Andreas Krüger 39d247a238
Add support to kubeadm too 
Explicitly defines the --kubelet-preferred-address-types parameter #2418

Fixes #2453
 2018-03-13 10:31:15 +01:00
rong.zhang d264da8f08 Fix yamllint roles error for #2188 commit 2018-03-13 14:28:49 +08:00
MQasimSarfraz 9a4aa4288c Fix vsphere cloud_provider RBAC permissions 2018-03-12 18:07:08 +00:00
Dann Bohn 50e3ccfa2b uses new kube_memory_reserved/kube_cpu_reserved variables in kubelt 2018-03-12 12:46:14 -04:00
RongZhang 69a3c33ceb
Merge pull request #2429 from riverzhang/patch-6 
Fix Docker exits prematurely
 2018-03-12 06:16:25 -05:00
RongZhang 649b1ae868
Merge pull request #2452 from riverzhang/dockerproject 
Fix issues #2451 Support docker-ce and docker-engine
 2018-03-12 06:15:44 -05:00
Aivars Sterns 973cc12ca9
Merge pull request #2188 from cornelius-keller/fix_weave 
fix nodePort for weave
 2018-03-12 10:55:41 +02:00
Aivars Sterns 436de45dd4
Merge pull request #2295 from manics/supplementary-bugfix 
Fix indexing of supplementary DNS in openssl.conf
 2018-03-12 10:54:56 +02:00
Aivars Sterns 5f186a2835
Merge pull request #2418 from kubernetes-incubator/1439br 
Explicitly defines the --kubelet-preferred-address-types parameter
 2018-03-12 10:53:48 +02:00
RongZhang ecec94ee7e Fix Docker exits prematurely 
details:https://github.com/moby/moby/pull/31490/files
 2018-03-12 14:44:47 +08:00
rong.zhang 196995a1a7 Fix issues#2451 Support docker-ce and docker-engine 
Support docker-ce and docker-engine include redhat/centos ubuntu debian
 2018-03-12 13:31:31 +08:00
Spencer Smith 3a714fd4ac
Merge pull request #2427 from hswong3i/local_volume_provisioner_default 
FIXUP #2424: local_provisioner directory should be created only if enabled
 2018-03-10 09:00:35 -05:00
Spencer Smith c47fdc9aa0
Merge pull request #2445 from chadswen/kube-cert-directory-fix 
Fix kubernetes cert permission sync
 2018-03-09 15:10:35 -05:00
Spencer Smith 5c4cfb54ae
Merge pull request #2444 from chadswen/system-node-crb-name 
Prefix system:node CRB
 2018-03-09 15:09:01 -05:00
chadswen cd153a1fb3 Fix kubernetes cert permission sync 
Add `state: directory` to `file` task so that `recurse: yes` will actually take effect and ensure
certs/keys have the right file mode and owner
 2018-03-09 00:11:10 -06:00
chadswen b0ab92c921 Prefix system:node CRB 
Change the name of `system:node` CRB to `kubespray:system:node` to avoid
conflicts with the auto-reconciled CRB also named `system:node`

Fixes #2121
 2018-03-08 23:56:46 -06:00
RongZhang 5007a69eee
Merge pull request #2437 from huzhengchuan/fix/callo-routereflector 
Fix always download calico_rr image
 2018-03-08 23:22:48 -06:00
Chad Swenson 8a46e050e3
Merge pull request #2433 from octarinesec/eyeofthefrog/systemd_command_fix 
Fix systemd version detection
 2018-03-08 22:28:12 -06:00
zhengchuan hu 8e36ad09b4 clean http-proxy.conf 2018-03-08 23:16:02 +08:00
zhengchuan hu 96a92503cb Fix always download calico_rr image 2018-03-08 17:04:16 +08:00
RongZhang 5253153dbb
Merge pull request #2416 from riverzhang/delete-node 
Remove nodes
 2018-03-08 01:55:20 -06:00
rong.zhang 12c78e622b Remove nodes 
Drain node except daemonsets resource
Use reset cluser for delete deploy data
Then delete node
 2018-03-08 15:03:42 +08:00
RongZhang 216bf2e867
Merge pull request #2422 from riverzhang/patch-5 
Enable OOM killing for etcd-events
 2018-03-07 23:15:19 -06:00
Wong Hoi Sing Edison a086686e9f Support multiple artifacts under individual inventory directory 2018-03-08 11:57:53 +08:00
Wong Hoi Sing Edison 6402004018 FIXUP #2424: local_provisioner directory should be created only if enabled 2018-03-08 11:57:46 +08:00
RongZhang 955f833120
Merge pull request #2430 from huzhengchuan/fix/kube-reserve 
fix the name of some variable
 2018-03-07 21:25:32 -06:00
Chris Mildebrandt 605738757d Fix systemd version detection 
Change "command" to "shell" in order for the pipe to work correctly
 2018-03-07 11:32:47 -08:00
Wong Hoi Sing Edison 3f96b2da7a Add Custom ConfigMap Support for ingress-nginx 2018-03-07 21:37:45 +08:00
RongZhang dbf40bbbb8 docker-ce instead of docker-engine repo (#2423) 
* Use docker-ce 17.03.2
* Docker-engine may be discarded
 2018-03-07 15:11:20 +03:00
zhengchuan hu 646d473e8e fix the name of some variable 2018-03-07 18:30:34 +08:00
Aivars Sterns 6975cd1622
Merge pull request #2419 from hswong3i/ingress_nginx_labels 
Add labels for ingress_nginx_namespace
 2018-03-06 08:01:13 +02:00
Aivars Sterns b7f9bf43c2
Merge pull request #2421 from ctlam/master 
Adding ssh_private_key_file to ProxyCommand
 2018-03-06 07:59:26 +02:00
RongZhang 388b627f72
Enable OOM killing for etcd-events 
Enable OOM killing like docker run etcd
 2018-03-05 20:46:39 -06:00
Dominic Lam f9019ab116 Adding ssh_private_key_file to ProxyCommand 
This is trying to match what the roles/bastion-ssh-config is trying to do. When the setup is going through bastion, we want to ssh private key to be used on the bastion instance.
 2018-03-05 13:15:10 -08:00
Michael Beatty 07657aecf4 add support for azure vnetResourceGroup 2018-03-05 13:40:25 -06:00
Wong Hoi Sing Edison e65904eee3 Add labels for ingress_nginx_namespace, also only setup serviceAccountName if rbac_enabled 2018-03-05 23:11:18 +08:00
Ayaz Ahmed Khan 89847d5684 Explicitly defines the --kubelet-preferred-address-types parameter 
to the API server configuration.

This solves the problem where if you have non-resolvable node names,
and try to scale the server by adding new nodes, kubectl commands
start to fail for newly added nodes, giving a TCP timeout error when
trying to resolve the node hostname against a public DNS.
 2018-03-05 15:25:14 +01:00
Jonas Kongslund 585303ad66 Start with three dashes for consistency 2018-03-03 10:05:05 +04:00
Jonas Kongslund a800ed094b Added support for webhook authentication/authorization on the secure kubelet endpoint 2018-03-03 10:00:09 +04:00
Wong Hoi Sing Edison fd46442188 Integrate kubernetes/ingress-nginx 0.11.0 to Kubespray 2018-03-02 23:33:19 +08:00
Matthew Mosesohn 9837b7926f
Use proper lookup of etcd host for calico (#2408) 
Fixes #2397
 2018-03-02 15:36:52 +03:00
Aivars Sterns b75b6b513b
Merge pull request #2406 from riverzhang/fedora 
Delete unused fedora docker repo
 2018-03-02 09:33:57 +02:00
rong.zhang 2a3b48edaf Delete unused fedora docker repo 2018-03-02 14:39:13 +08:00
Antoine Legrand 5cc77eb6fd
Merge pull request #2294 from Nowaker/patch-1 
Enable OOM killing
 2018-03-01 14:56:26 +01:00
Aivars Sterns 8b21034b31
Merge pull request #2344 from hswong3i/local_volume_provisioner_fixup 
Upgrade Local Volume Provisioner Addon to v2.0.0
 2018-03-01 13:12:44 +02:00
RongZhang 67ffd8e923 Add etcd-events cluster for kube-apiserver (#2385) 
Add etcd-events cluster for kube-apiserver
 2018-03-01 11:39:14 +03:00
Chad Swenson af7edf4dff
Merge pull request #2369 from eviln1/fix-insecure-apiserver-port 
fix apiserver manifest when disabling insecure_port
 2018-02-28 17:48:08 -06:00
Spencer Smith 0fd3b9f7af
Merge pull request #2391 from Miouge1/latest-helm 
Install latest version of Helm
 2018-02-28 15:04:41 -05:00
Matthew Mosesohn 7ef9f4dfdd
Revert "Add pre-upgrade task for moving credentials file" (#2393) 2018-02-28 22:41:52 +03:00
Brad Beam 6ce507f39f
Merge pull request #2345 from mattymo/credentials_upgrade_fix 
Add pre-upgrade task for moving credentials file
 2018-02-28 12:39:02 -06:00
Brad Beam 34cab91e86
Merge pull request #2366 from z1nkum/bump_dashboard_tag 
Bump dashboard from 1.8.1 to 1.8.3 because of reload bug
 2018-02-28 12:38:34 -06:00
Brad Beam 63de9bdba3
Merge pull request #2363 from whereismyjetpack/default-kube-proxy 
default kube_proxy_mode in kubernetes-defaults
 2018-02-28 12:37:46 -06:00
Brad Beam afb6e7dfc3
Merge pull request #2362 from mattymo/calico_ignore_extra_pools_again 
Use CNI to assign kube_pods_subnet for calico
 2018-02-28 12:36:50 -06:00
Brad Beam ad89d1c876 Update pre_upgrade.yml 2018-02-28 19:07:44 +03:00
Simon Li 6b80ac6500
Fix indexing of supplementary DNS in openssl.conf 2018-02-28 16:04:52 +00:00
Miouge1 2257dc9baa Install latest version of Helm 2018-02-28 16:29:38 +01:00
Dmitry Vlasov 977e7ae105 remove obsolete init image, bump dashboard version 1.8.1 -> 1.8.3 2018-02-28 12:52:59 +03:00
Matthew Mosesohn bc0fc5df98
Use node cert for etcd tasks instead of delegating to first etcd (#2386) 
For etcdctl commands, use admin cert instead of node because this file
doesn't exist on etcd only hosts.
 2018-02-27 22:23:51 +03:00
Matthew Mosesohn bb469005b2 Add pre-upgrade task for moving credentials file 2018-02-27 17:35:15 +03:00
Brad Beam 89ade65ad6 Fixing etcd certs for calico rr (#2374) 2018-02-27 17:34:07 +03:00
RongZhang 128d3ef94c Fix run kubectl error (#2199) 
* Fix run kubectl error

Fix run kubectl error when first master doesn't work

* if access_ip is define use first_kube_master
else different master use a different ip

* Delete set first_kube_master and use kube_apiserver_access_address
 2018-02-27 16:32:20 +03:00
RongZhang b7e06085c7 Upgrade to Kubernetes v1.9.3 (#2323) 
Upgrade to Kubernetes v1.9.3
 2018-02-27 14:31:59 +03:00
Chad Swenson 9e85a023c1
Merge pull request #2360 from mattymo/reset_fixes 
retry unmount kubelet dirs
 2018-02-26 18:30:38 -06:00
Brad Beam 4b5f780ff0
Merge pull request #2357 from octarinesec/eyeofthefrog/set_TasksMax_infinity_for_ubuntu 
Set TasksMax to infinity on any OS with systemd
 2018-02-22 21:31:10 -06:00
Brad Beam 31659efe13 Fixing cert name in calico/canal for etcd check (#2358) 2018-02-22 17:37:07 +03:00
Nedim Haveric 2bd3776ddb fix apiserver manifest when disabling insecure_port 2018-02-22 14:00:32 +01:00
Brad Beam c874f16c02 Fixing credential lookup for fe proxy and vault (#2361) 2018-02-22 15:09:26 +03:00
Maxim Krasilnikov ba91304636 Fixed generate front proxy client certs with vault (#2359) 
* Fixed generate front proxy client certs with vault

* fix vault cert management

* Distrebute etcd node certs to vault hosts
 2018-02-22 15:08:50 +03:00
Andreas Krüger 42a0f46268 Add health check to kube proxy (#2356) 
Adding health checking to kube proxy. Fixes #2308
 2018-02-21 23:14:45 +03:00
Andreas Krüger d84ff06f73 Set filemode to 0640 (#2315) 
* Set filemode to 0640

weave-net.yml file is readable by all users on the host. It however contains the weave_password to encrypt all pod communication. It should only be readable by root.

* Set mode 0640 on users_file with basic auth
 2018-02-21 23:13:46 +03:00
Matthew Mosesohn 87f33a4644 Use CNI to assign kube_pods_subnet for calico 
Now calico can be deployed if there are other existing pools
and not confuse IPAM and end up with pods in the wrong pools.
 2018-02-21 20:32:28 +03:00
Dann Bohn 2d69b05c77 set local_release_dir in downloads to match others 2018-02-21 11:35:34 -05:00
Dann Bohn 2eb57ee5cd default kube_proxy_mode in kubernetes-defaults 2018-02-21 11:33:25 -05:00
Chris Mildebrandt 85c69c2a4a Add check for atomic hosts in template 2018-02-21 08:26:18 -08:00
Matthew Mosesohn c20f38b89c retry unmount kubelet dirs 2018-02-21 14:41:57 +03:00
Wong Hoi Sing Edison d4c61d2628 Fixup for gce_centos7-flannel-addons 2018-02-21 13:41:25 +08:00
Wong Hoi Sing Edison deef47c923 Upgrade Local Volume Provisioner Addon to v2.0.0 2018-02-21 13:41:25 +08:00
Chris Mildebrandt c19d8994b9 Set TasksMax to infinity on any OS with systemd 2018-02-20 11:55:13 -08:00
Chad Swenson 2de6da25a8
Merge pull request #2312 from woopstar/patch-7 
Added iptables lock fix and ajusted oom-score
 2018-02-19 22:47:07 -06:00
melkosoft f13e76d022 Added cilium support (#2236) 
* Added cilium support

* Fix typo in debian test config

* Remove empty lines

* Changed cilium version from <latest> to <v1.0.0-rc3>

* Add missing changes for cilium

* Add cilium to CI pipeline

* Fix wrong file name

* Check kernel version for cilium

* fixed ci error

* fixed cilium-ds.j2 template

* added waiting for cilium pods to run

* Fixed missing EOF

* Fixed trailing spaces

* Fixed trailing spaces

* Fixed trailing spaces

* Fixed too many blank lines

* Updated tolerations,annotations in cilium DS template

* Set cilium_version to iptables-1.9 to see if bug is fixed in CI

* Update cilium image tag to v1.0.0-rc4

* Update Cilium test case CI vars filenames

* Add optional prometheus flag, adjust initial readiness delay

* Update README.md with cilium info
 2018-02-16 21:37:47 -06:00
Dann Bohn 95e2bde15b set nodeName to "{{ inventory_hostname }}" in kubeadm-config 2018-02-16 16:20:08 -05:00
Miouge1 4c280e59d4 Use legacy policy config to apply the scheduler policy 2018-02-16 13:43:35 +01:00
Antoine Legrand 76a89039ad
Merge pull request #2285 from jasdeep-hundal/do_not_install_python_apt 
Remove redundant python-apt install
 2018-02-15 17:04:08 +01:00
Sebastian Söderqvist ba2107ea8c is-default-class is case sensative so we must return a lowercase string 2018-02-15 10:51:42 +01:00
southquist 3f44a33738 allow for configurable openstack storage class 2018-02-14 11:32:56 +01:00
RongZhang c0aad0a6d5 Fix install etcd by host service (#2297) 
Fix bug issues #2289
 2018-02-12 17:34:01 +01:00
Andreas Krüger 41ca67bf54
Added iptables lock fix and ajusted oom-score 
xtables lock was missing. Added new option for oom-score to make sure it's not killed in an OOM situation before regular pods.
 2018-02-12 10:21:38 +01:00
Virgil Chereches d72232f15b Increased timeout values for k8s API server restart 2018-02-12 07:35:29 +00:00
Maxim Krasilnikov 03c61685fb
Added apiserver extra args variable for kubeadm config (#2291) 2018-02-12 10:29:46 +03:00
Antoine Legrand 46284198f8
Merge pull request #2298 from clkao/patch-2 
Fix version comparison
 2018-02-11 17:22:39 +01:00
RongZhang bbb1da1a83
Fix default_resolver is undefined 
fix issues #2265
 2018-02-10 10:08:26 -06:00
Wong Hoi Sing Edison 07075add3d Add optional StorageClass name with cephfs_provisioner_storage_class 2018-02-10 20:31:34 +08:00
Chia-liang Kao 338238d086
Fix version comparison 
`FAILED! => {"changed": false, "msg": "AnsibleFilterError: Version comparison: unorderable types: str() < int()"}`
 2018-02-10 03:49:49 +08:00
Brad Beam 03bb729fea Making status and detection mo betta 2018-02-09 12:30:46 -06:00
Damian Nowak f8a59446e8 Enable OOM killing 
When etcd exceeds its memory limit, it becomes useless but keeps running.
We should let OOM killer kill etcd process in the container, so systemd can spot
the problem and restart etcd according to "Restart" setting in etcd.service unit file.
If OOME problem keep repeating, i.e. it happens every single restart,
systemd will eventually back off and stop restarting it anyway.

--restart=on-failure:5 in this file has no effect because memory allocation error
doesn't by itself cause the process to die

Related: https://github.com/kubernetes-incubator/kubespray/blob/master/roles/etcd/templates/etcd-docker.service.j2

This kind of reverts a change introduced in #1860.
 2018-02-09 11:00:13 -06:00
mlushpenko 4e61fb9cd3 Refactored kubeadm join process and fixed uncrodonng for master nodes 2018-02-09 15:51:47 +01:00
mlushpenko b472c2df98 Fix safe upgrade 
Even though there it kubeadm_token_ttl=0 which means that kubeadm token never expires, it is not present in `kubeadm token list` after cluster is provisioned (at least after it is running for some time) and there is issue regarding this https://github.com/kubernetes/kubeadm/issues/335, so we need to create a new temporary token during the cluster upgrade.
 2018-02-09 15:51:47 +01:00
mkrasilnikov bc67deee78 Added missing cephfs_provisioner_enabled to kubespray-defaults vars 2018-02-09 17:03:38 +03:00
jasdeep-hundal f57abae01e Remove redundant python-apt install 
Ansible automatically installs the python-apt package when using
the 'apt' Ansible module, if python-apt is not present. This patch
removes the (unneeded) explicit installation in the Kubespray
'preinstall' role.
 2018-02-08 18:59:37 -08:00
Antoine Legrand 275b1d6897
Merge pull request #2274 from mirwan/local_volume_provisioner_configmap_in_daemonset 
Local volume provisioner fixes
 2018-02-09 00:59:47 +01:00
Erwan Miran e9a676951b storageClass name template as suggested by @eyeofthefrog 2018-02-09 00:11:07 +01:00
Antoine Legrand b31d905704
Merge pull request #2230 from hswong3i/cephfs_provisioner 
Add cephfs_provisioner Support for Kubespray
 2018-02-08 16:52:15 +01:00
Aivars Sterns c70c44b07b
Merge pull request #2257 from rzenker/tb/baremetal-tweaks 
baremetal tweaks
 2018-02-08 15:48:55 +00:00
Aivars Sterns 20583e3d15
Merge pull request #2067 from manics/sysctl-net-brfilter 
Always set net.bridge.bridge-nf-call-* sysctl
 2018-02-08 15:43:46 +00:00
Aivars Sterns 9f4588cd0c
Merge pull request #2266 from riverzhang/epel-release 
Disalbe install epel-release rpm on Centos/Redhat
 2018-02-08 15:42:28 +00:00
Wong Hoi Sing Edison b25e0f82b1 Add cephfs_provisioner Support for Kubespray 2018-02-08 22:27:54 +08:00
Maxim Krasilnikov cae1c683aa
Merge pull request #2271 from leseb/retry-get-token 
kubernetes-apps: retry get default token name
 2018-02-08 16:46:32 +03:00
Antoine Legrand 57e7a5a34a
Merge pull request #2233 from hswong3i/multiple_inventory_dir 
Support multiple inventory files under individual inventory directory
 2018-02-08 11:57:04 +01:00
Antoine Legrand 7bce70339f
Merge pull request #2251 from woopstar/metrics-server-patch-2 
Adding metrics-server support for K8s version 1.9
 2018-02-08 11:16:44 +01:00
Erwan Miran e1aaef7d4d Removal of surnumerary slash 2018-02-08 09:06:17 +01:00
Wong Hoi Sing Edison 1a1d154e14 Support multiple inventory files under individual inventory directory 2018-02-08 08:08:15 +08:00
Brad Beam 384e5dd4c4
Merge pull request #2160 from kongslund/disable-read-only-port 
Make the Kubelet read-only port configurable and disable it by default
 2018-02-07 13:06:32 -06:00
Erwan Miran abfb147292 MountDir in configmap and daemonset must be the same 2018-02-07 18:42:42 +01:00
Erwan Miran 44eb03f78a typo 2018-02-07 17:57:54 +01:00
Erwan Miran 857784747b local-provisioner:v1.0.1 still expects json configmap 2018-02-07 17:47:05 +01:00
Erwan Miran 7a2cb5e41c local-provisioner:v1.0.1 still uses VOLUME_CONFIG_NAME env to read ConfigMap 2018-02-07 17:01:19 +01:00
Antoine Legrand 712bdfc82f
Merge pull request #2260 from mirwan/local_volume_provisioner_fixes 
local_volume_provisioner_enabled replacement
 2018-02-07 13:42:00 +01:00
Sébastien Han 34bd47de79 kubernetes-apps: retry get default token name 
In some installation, it can take up to 3sec to get the value. Retrying
for 5 sec will ensure the command won't return 1.

Signed-off-by: Sébastien Han <seb@redhat.com>
 2018-02-07 12:09:51 +01:00
Antoine Legrand fe57c13b51
Merge pull request #2172 from leseb/etcd-auth 
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH
 2018-02-07 11:25:56 +01:00
woopstar f9df692056 Issue front proxy certs for vault 2018-02-07 11:03:10 +01:00
woopstar f193b12059 Kubeadm auto creates this 2018-02-07 10:50:34 +01:00
woopstar 2cd254954c Remove defaults of allowed names. Updated kubeadm 2018-02-07 10:07:55 +01:00
woopstar 4dab92ce69 Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault 2018-02-07 09:50:19 +01:00
Erwan Miran ca08614641 yamllint fix 2018-02-07 09:12:28 +01:00
rong.zhang 47adf4bce6 Disalbe install epel-release rpm on Centos/Redhat 
1.Disalbe install epel-release rpm on Centos/Redhat
2.Use yum install epel-release
 2018-02-07 14:58:50 +08:00
Brad Beam 7928cd20fb
Merge pull request #2037 from tiewei/contiv-etcd-split 
Split contiv etcd and etcd-proxy into two daemonsets
 2018-02-06 15:37:16 -06:00
Ryan Zenker ad9049a49e baremetal tweaks 
* allow installs to not have hostname overriden with fqdn from inventory
* calico-config no longer requires local as and will default to global
* when cloudprovider is not defined, use the inventory_hostname for cni-calico
* allow reset to not restart network (buggy nodes die with this cmd)
* default kube_override_hostname to inventory_hostname instead of ansible_hostname
 2018-02-06 13:52:22 -05:00
Erwan Miran b4e264251f JSON/YAML syntax fix 2018-02-06 17:17:10 +01:00
Erwan Miran 8006a6cd82 local_volumes_enabled replaced by local_volume_provisioner_enabled 2018-02-06 17:12:09 +01:00
Andreas Krüger 5cd6b0c753
Adding missing defaults for weave 
The PR #2203 add's missing defaults for weave, but no signed CLA. So this PR fixes it.
 2018-02-06 14:25:07 +01:00
Andreas Krüger bb339265fc
Set default registry_enabled to false 
In PR #2244 the `registry_enabled` is missing in defaults, causing a deployment to fail, if it is not set in k8s-cluster.yml
 2018-02-06 14:17:06 +01:00
Antoine Legrand bb4446e94c
Merge pull request #2226 from manics/supplemental-addresses 
Enable additional addresses to be added to certificates
 2018-02-06 13:51:54 +01:00
Antoine Legrand d2102671cd
Merge pull request #2214 from woopstar/patch-3 
Loadbalancer Apiserver Address is missing
 2018-02-06 13:47:55 +01:00
Antoine Legrand 138e0c2301
Merge pull request #2250 from woopstar/weave-mtu-patch 
Added option to set MTU on Weave
 2018-02-06 12:13:54 +01:00
Antoine Legrand 37cfd289d8
Merge pull request #2248 from hswong3i/dashboard.yml.j2 
Dashboard template should not suffix with .yml.j2
 2018-02-06 11:25:02 +01:00
Antoine Legrand 9f3081580a
Merge pull request #2249 from hswong3i/kubedns-deploy.yml.j2 
KubeDNS template should not suffix with .yml.j2
 2018-02-06 11:24:19 +01:00
Antoine Legrand a3248379db
Merge branch 'master' into local_volume_provisioner 2018-02-06 09:28:27 +01:00
Antoine Legrand 0774c8385c
Merge pull request #2244 from hswong3i/registry 
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
 2018-02-06 09:20:48 +01:00
woopstar b2d30d68e7 Rename CN for aggreator back. Add flags to apiserver when version is >= 1.9 2018-02-05 20:37:14 +01:00
woopstar 82d10b882c Added fixes from whereismyjetpack 2018-02-05 20:07:12 +01:00
Maxim Krasilnikov 95b8ac5f62 Added optional controller and scheduler extra args to kubeadm config (#2205) 2018-02-05 16:49:13 +03:00
woopstar 0b4168cad4 WIP. Adding metrics-server support for K8s version 1.9 2018-02-05 10:37:41 +01:00
woopstar 3289472e31 Added option to set MTU on Weave 2018-02-05 10:23:48 +01:00
Wong Hoi Sing Edison 4ad53339f6 KubeDNS template should not suffix with .yml.j2 2018-02-05 16:26:54 +08:00
Wong Hoi Sing Edison a4d3da6a8e Dashboard template should not suffix with .yml.j2 2018-02-05 16:18:21 +08:00
Wong Hoi Sing Edison 7954ea2525 Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray 2018-02-05 12:21:09 +08:00
Chad Swenson bd1f0bcfd7
Merge pull request #2201 from riverzhang/ipvs 
Support ipvs mode for kube-proxy
 2018-02-01 22:29:52 -06:00
Wong Hoi Sing Edison bc2e26d7ef update apiVersion 2018-02-01 14:16:32 +08:00
Wong Hoi Sing Edison fd80013917 lint and cleanup local_volume_provisioner 2018-02-01 14:14:18 +08:00
Chad Swenson f7d52564aa
Merge pull request #2084 from riverzhang/devicemapper 
Fix can not use devicemapper driver
 2018-01-31 20:52:22 -06:00
Spencer Smith f7e8d1149a
Merge pull request #2229 from whereismyjetpack/etcd-quorum-read 
--etcd-quorum-read is depricated in kube >= 1.9
 2018-01-31 17:10:10 -05:00
Spencer Smith bd091caaf9
Merge pull request #2200 from riverzhang/hyperkube 
Upgrade to Kubernetes v1.9.2
 2018-01-31 16:08:22 -05:00
Spencer Smith b455a1bf76
Merge pull request #2212 from mattymo/missing_defaults 
Add missing group var default values to kubespray-defaults
 2018-01-31 16:07:53 -05:00
Spencer Smith c0a3bcf9b3
Merge pull request #2221 from Xuxe/patch-vcp-v1.9.2 
Updated vSphere cloud provider config for Kubernetes >= v1.9.2 and added resource pool deployment variable
 2018-01-31 16:06:07 -05:00
Dann Bohn dc6c703741 --etcd-quorum-read is depricated in kube >= 1.9 2018-01-31 15:49:52 -05:00
Matthew Mosesohn 16629d0b8e Vault should use cert auth for etcd 2018-01-31 20:37:14 +03:00
Julian Hübenthal 7f79210ed1 reworked vsphere-cloud-config template 2018-01-31 16:51:23 +01:00
Simon Li 27a1a697e7
supplementary_addresses_in_ssl_keys can be a hostname 2018-01-31 15:16:08 +00:00
Aivars Sterns c1267004ef
Merge pull request #2130 from ArchiFleKs/simplify_os_provider 
Simplify and update OpenStack cloud provider
 2018-01-31 12:02:02 +02:00
Julian Hübenthal 9cdd2214f9 render vsphere_resource_pool only if defined 2018-01-31 09:56:43 +01:00
Julian Hübenthal 989e9174c2 Added vSphere cloud provider config update for Kubernetes >= 1.9.2 2018-01-31 09:15:46 +01:00
rong.zhang 3993e12335 Fix can not be used devicemapper driver 
Fix can not be used devicemapper driver
 2018-01-31 15:51:11 +08:00
Brad Beam ac4d782937
Merge pull request #2074 from fangzhen/fix-domains-split 
Make spliting system_search_domains more robust
 2018-01-30 21:01:19 -06:00
rong.zhang 32d18ca992 remove trailing space 2018-01-31 09:50:41 +08:00
Matthew Mosesohn 2df4b6c5d2
Rename default_resolver to cloud_resolver (#2209) 
Cloud resolvers are mandatory for hosts on GCE and OpenStack
clouds. The 8.8.8.8 alternative resolver was dropped because
there is already a default nameserver. The new var name
reflects the purpose better.

Also restart apiserver when modifying dns settings.
 2018-01-31 00:26:07 +03:00
Andreas Krüger 088d36da09
Increase the idx counter 
Fix the idx counter to increase too, or you will end up with two same indexes.
 2018-01-30 21:48:13 +01:00
Andreas Krüger 6f36faa4f9
Loadbalancer Apiserver Address is missing 
If you configure your external loadbalancer to do a simple tcp pass-through to the api servers, and you do not use a DNS FQDN but just the ip, then you need to add the ip adress to the certificates too.

Example config:

```
## External LB example config
apiserver_loadbalancer_domain_name: "10.50.63.10"
loadbalancer_apiserver:
  address: 10.50.63.10
  port: 8383
```
 2018-01-30 17:33:00 +01:00
RongZhang 3846384d56 Bump kube-dns to 1.14.8 (#2204) 
Bump kube-dns to 1.14.8
 2018-01-30 19:23:37 +03:00
Dmitri Rubinstein 331f141f63 Fix DNS entries in etcd's openssl.conf by adding a newline. (#2208) 
DNS entries generated from 'etcd_cert_alt_names' variable in etcd's
openssl.conf are not terminated by a newline.

This fixes issue #2207.
 2018-01-30 16:26:58 +03:00
Matthew Mosesohn 62dd3d2a9d Add missing group var default values to kubespray-defaults 2018-01-30 16:04:00 +03:00
Sébastien Han fa8a128e49 etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH 
Some installation are failing to authenticate with peers due to
etcd picking up/resoling the wrong node.

By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert
authentication.

Signed-off-by: Sébastien Han <seb@redhat.com>
 2018-01-30 11:19:12 +01:00
rong.zhang b10c308a5a Support ipvs mode for kube-proxy 
Support ipvs mode for kube-proxy
 2018-01-30 13:09:01 +08:00
rong.zhang e22c70e431 Upgrade to Kubernetes v1.9.2 2018-01-30 13:04:38 +08:00
Chad Swenson f4fe9e3421
Merge pull request #2171 from ArchiFleKs/kubeproxy-lvs 
Add lib/modules to kube-proxy to enable LVS
 2018-01-29 22:58:02 -06:00
Brad Beam da173615e4
Merge pull request #2048 from xizhibei/master 
Fix: always only one container got synced after download
 2018-01-29 16:01:11 -06:00
Matthew Mosesohn dc6a17e092
Use include/import tasks (#2192) 
import_tasks will consume far less memory, so it should be
used whenever it is compatible.
 2018-01-29 14:37:48 +03:00
Miouge1 240d4193ae Update information about network sizes 2018-01-26 15:23:21 +01:00
Matthew Mosesohn ac66e98ae9
Upgrade to Kubernetes v1.9.1 (#2152) 
Raise drain timeout to 5m
 2018-01-25 18:44:44 +03:00
Matthew Mosesohn d2935ffed0
Optionally ignore the presence of extra calico pools (#2190) 2018-01-25 18:44:20 +03:00
Chad Swenson c6e0fcea31
Merge pull request #1948 from sgmitchell/secured-etcd 
Enable etcd secure client to prevent etcdctl access without cert and key
 2018-01-25 09:35:51 -06:00
Chad Swenson 5d014d986b
Merge pull request #1992 from manics/flannel-hairpin 
Enable flannel hairpin mode
 2018-01-24 21:20:03 -06:00
mirwan 714994cad8 iptables: flush nat table as well as filter table upon reset (#2174) 
* iptables: flush nat table as well as filter table upon reset

* Indentation fix
 2018-01-24 20:22:49 -06:00
Brad Beam 08fe61e058
Merge pull request #2071 from riverzhang/dashboard 
Update dashboard version to v1.8.1
 2018-01-24 20:10:05 -06:00
Brad Beam 0c8bed21ee
Merge pull request #2019 from chadswen/disable-api-insecure-port 
Support for disabling apiserver insecure port (the sequel)
 2018-01-24 19:58:53 -06:00
Brad Beam 98eb845f8c
Merge pull request #2173 from mirwan/hardcoded_dnsmasq-autoscaler_image 
Dnsmasq autoscaler image should be a variable
 2018-01-24 16:15:59 -06:00
Brad Beam 98300e3165
Merge pull request #2155 from brutus333/fix/pvc 
Fix for Issue #2141
 2018-01-24 16:15:33 -06:00
Cornelius Keller e22759d8f0 fix nodePort for weave 2018-01-24 10:31:51 +01:00
Matthew Mosesohn bf1411060e Add optional manual dns_mode (#2178) 2018-01-23 14:28:42 +01:00
Virgil Chereches a4d142368b Renamed variable from disable_volume_zone_conflict to volume_cross_zone_attachment and removed cloud provider condition; fix identation 2018-01-23 13:14:00 +00:00
Brad Beam eb80f9b606
Merge pull request #2154 from tdihp/proxy-conf-restart-docker 
Restart docker when http-proxy.conf changed.
 2018-01-22 08:39:05 -06:00
Stanislav Makar ae47b617e3 Fix 'no such host' problem (#2148) 
Fix 'no such host' problem reported by commands *kubectl logs* and *kubectl exec*
when cloud_provider is OpenStack

Closes: #2147
 2018-01-22 16:08:24 +03:00
Erwan Miran e5b4011aa4 move hardcoded dnsmasq autoscaler image to its own variable 2018-01-18 16:04:29 +01:00
Virgil Chereches 3125f93b3f Added disable_volume_zone_conflict variable 2018-01-18 10:55:23 +00:00
Spencer Smith f19c8e8c1d
Merge pull request #2132 from PhilippeChepy/flex-volumes 
Add support for flex volumes plugins.
 2018-01-17 15:00:45 -05:00
ArchiFleKs 637604d08f Add lib/modules to kube-proxy to enable LVS 
kube-proxy is complaining of missing modules at startup. There is a plan
to also support an LVS implementation of kube-proxy in additon to
userspace and iptables
 2018-01-17 16:35:53 +01:00
Jonas Kongslund 11844c987c Make the Kubelet read-only port configurable and disable it by default. Fixes #2159. 2018-01-16 11:11:41 +04:00
Virgil Chereches 8c45c88d15 Fix for Issue #2141 - added policy file 2018-01-12 07:15:35 +00:00
Virgil Chereches c87bb2f239 Fix for Issue #2141 2018-01-12 07:07:02 +00:00
heping 32eeb9a0e0 Restart docker when http-proxy.conf changed. 2018-01-12 10:56:25 +08:00
rong.zhang df21fc8643 Remove initContainer 2018-01-10 12:17:17 +08:00
Spencer Smith ccd9cc3dce
Merge pull request #2146 from abelgana/master 
Manage deprecated kubelet option
 2018-01-09 17:19:42 -05:00
Spencer Smith 81867402f6
Merge pull request #2145 from pslijkhuis/master 
Add kubelet_custom_flags to kubelet.kubeadm.env.j2
 2018-01-09 17:19:09 -05:00
Spencer Smith 4f5d61212b
Merge pull request #2144 from neith00/weave-2.1.3 
updated weave to 2.1.3
 2018-01-09 17:18:26 -05:00
Spencer Smith ef96123482
Merge pull request #2068 from chadswen/remove-container-retries 
Retry kube container removal during upgrade
 2018-01-09 15:03:50 -05:00
Spencer Smith ee27ab0052
Merge pull request #2124 from riverzhang/patch-3 
Remove blank lines
 2018-01-09 14:58:49 -05:00
Spencer Smith 57f87ba083
Merge pull request #2142 from trilogy-group/hotfix/fluentd-template 
fix fluentd template
 2018-01-09 14:44:50 -05:00
abelgana a9bb72c6fd
require-kubeconfig is depricated since k8s v1.8 2018-01-09 14:35:42 -05:00
abelgana 9506c2e597
require-kubeconfig is deprecated since K8s v1.8 2018-01-09 14:33:05 -05:00
Peter Slijkhuis 32884357ff Add kubelet_custom_flags to kubelet.kubeadm.env.j2 2018-01-09 14:04:36 +01:00
neith00 88204642b7
updated weave to 2.1.3 2018-01-09 13:50:42 +01:00
Matthew Mosesohn 1401286910
Add support for cert alt names for etcd (#2139) 
* Add support for cert alt names for etcd

* Update gen_certs_vault.yml
 2018-01-09 14:37:34 +03:00
Lukasz Piatkowski 12eb242224 fix fluentd template 2018-01-08 13:40:47 +00:00
Philippe Chepy df9faa1743 Add support for flex volumes plugins. 2018-01-05 17:56:36 +01:00
ArchiFleKs ce85bcaee7 Simplify and update OpenStack cloud provider 
Simplify the number of variables necessary to "just" enable OpenStack
cloud provider. Also add the new options available in K8s 1.9.
 2018-01-05 12:05:24 +01:00
rong.zhang 6ed2a60978 fix run dashboard error 2018-01-04 13:13:36 +08:00
Bogdan Dobrelya bac3bf1a5f
Fix auto-evaluated API access endpoint for bind IP (#2086) 
Auto configure API access endpoint with a custom bind IP, if provided.
Fix HA docs' http URLs are https in fact, clarify the insecure vs secure
API access modes as well.

Closes: #issues/2051

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2018-01-03 17:40:21 +01:00
RongZhang e3b684df21
Remove blank lines 
Remove blank lines
 2018-01-03 00:54:04 -06:00
Steve Mitchell e45b30d033 Add etcd key and cert environment variables for use with client auth 2018-01-02 13:52:17 -05:00
Matthew Mosesohn ad6fecefa8
Update Kubernetes to v1.9.0 (#2100) 
Update checksum for kubeadm
Use v1.9.0 kubeadm params
Include hash of ca.crt for kubeadm join
Update tag for testing upgrades
Add workaround for testing upgrades
Remove scale CI scenarios because of slow inventory parsing
in ansible 2.4.x.

Change region for tests to us-central1 to
improve ansible performance
 2017-12-25 08:57:45 +00:00
Jan Jungnickel 3fdb2ccf55 Revert back to using an empty var as default to exclude hostname (#2110) 2017-12-22 22:09:59 +00:00
Matthew Mosesohn 29f5b55d42
remove unwanted whitespace for kube_override_hostname (#2105) 2017-12-22 11:31:18 +00:00
rong.zhang 5aef52e8c0 fix dashboard certs secret 2017-12-22 11:17:05 +08:00
Matthew Mosesohn 6bb46e3ecb
Fix param names in preparation for Kubernetes v1.9.0 (#2098) 
This does not update v1.9.0, but fixes two incompatibilities
when trying to deploy v1.9.0.
 2017-12-20 10:48:09 +00:00
Matthew Mosesohn 127bc01857
Do not override kubelet hostname if cloud_provider is used (#2095) 
Starting with Kubernetes v1.8.4, kubelet ignores the AWS cloud
provider string and uses the override hostname, which fails
Node admission checks.

Fixes #2094
 2017-12-19 20:18:20 +00:00
Evan Zeimet a6975c1850 Rename runtime docker_version (#2082) 
Renaming runtime docker_version to prevent setting that
value on the command line from breaking the play run.

This fixes #2081
 2017-12-19 14:47:54 +00:00
Stanislav Makar b2cb0725ac Default OpenStack Cinder Storage Class (#2083) 
Add possibility to create default OpenStack Cinder Storage Class

Closes: #1609
 2017-12-19 14:47:00 +00:00
rong.zhang b974b144a8 Add RBAC to binding Dahsboard UI 2017-12-18 23:07:19 +08:00
Matthew Mosesohn bfb25fa47b
Change vault cert ttl to 8y (#2013) 2017-12-15 13:34:00 +00:00
Wei Tie 3bb505d43f Remove unrequired mounts 2017-12-14 14:59:40 -08:00
Matthew Mosesohn b135bcb9d9 Split download container task for delegate and non-delegate modes (#2077) 
Ansible cannot seem to handle omitting delegate_to since v2.4.0.0.

Possibly related: https://github.com/ansible/ansible/issues/30760
 2017-12-14 16:45:54 +00:00
Wei Tie 4e97225424 Add quote for etcd endpoints 2017-12-13 18:35:12 -08:00
rong.zhang 0771cd8599 Remove dashboard_tls_key and dashboard_tls_cert 2017-12-13 15:42:20 +08:00
Fang Zhen 91d848f98a Make spliting system_search_domains more robust 
The search line in /etc/resolv.conf could have
multiple spaces or tabs between domains.
split(' ') will give wrong results in some case,
use split() without argument instead.

e.g.
>>> 'domain.tld	cluster.tld '.split(' ')
['domain.tld\tcluster.tld', '']
>>> 'domain.tld cluster.tld '.split()
['domain.tld', 'cluster.tld']
 2017-12-13 15:39:38 +08:00
rong.zhang 40edf8c6f5 Update dashboard version to v1.8.0 
Update dependencies to be compatible with Kubernetes v1.8
 2017-12-13 12:50:44 +08:00
Chad Swenson e78562830f Retry kube container removal during upgrade 
As we have seen with other containers, sometimes container removal fails on the first attempt due to some Docker bugs. Retrying typically corrects the issue.
 2017-12-12 12:06:41 -06:00
Simon Li bef259a6eb Always set net.bridge.bridge-nf-call-* sysctl 2017-12-12 17:11:35 +00:00
Brad Beam 39ce1bd8be
Merge pull request #2059 from bradbeam/vaultalt 
Fixing alt_names for vault cert generation
 2017-12-12 09:28:51 -06:00
Spencer Smith 6291881943
Merge pull request #2057 from rsmitty/master 
set docker_version fact regardless of docker_dns in use
 2017-12-12 10:28:14 -05:00
Brad Beam 802fd94dad
Merge pull request #2054 from ArchiFleKs/os-cloud-provider-domain-fix 
Fix domain id for OpenStack provider
 2017-12-11 21:06:16 -06:00
Xu Zhipei 66f38a1b31 fix: always only one docker image got synced after download 2017-12-12 09:51:03 +08:00
Brad Beam d3850a4da5 Fixing alt_names for vault cert generation 2017-12-11 17:28:18 -06:00
Spencer Smith 53a4355e60 set docker_version fact regardless of docker_dns in use 2017-12-11 17:48:11 -05:00
Brad Beam 19def41fdf
Merge pull request #2047 from bradbeam/vaulttime 
Adding retries for vault-temp to come online
 2017-12-11 09:04:57 -06:00
ArchiFleKs 44b9dce134 Fix domain id for OpenStack provider 
OpenStack authentication does not support using a mix of DomainID and
DomainName, only one or the other should be used.
 2017-12-11 15:57:33 +01:00
Brad Beam fa5a538fe5
Merge pull request #2050 from jbonachera/fix-vault-tls-validation 
append newline char to vault generated certs
 2017-12-11 08:41:34 -06:00
Brad Beam 9643c2c1e3 Fixes to reset (#2046) 
- adding additional directories to cleanup (rkt/vault)
- targeting kubespray ansible groups instead of all
 2017-12-11 12:49:21 +00:00
Brad Beam 93f3614382 Fixes #2039 - changing alt_names to be string instead of list (#2043) 2017-12-11 12:48:07 +00:00
Brad Beam cbc8a7d679
Merge pull request #1995 from b0r1sp/patch-1 
Update main.yml
 2017-12-10 21:45:02 -06:00
Julien BONACHERA 290bc993a5
append newline char to vault generated certs 2017-12-10 13:06:28 +01:00
Brad Beam 3694657eb6 Adding retries for vault-init to come online 2017-12-09 17:40:44 -06:00
Thomas Sarboni 79417e07ca Fix systemd service unit for docker >= 17.03 (#1844) 2017-12-08 13:12:45 +00:00
Wei Tie dad95c873b Remove templating for etcd members 
Use a etcd-initer init container to generate etcd args, it determines
etcd name by comparing its ip and etcd cluster ips. This way will
make etcd configuration independent to the ansible templating so
that could be easier on adding master nodes.
 2017-12-07 23:33:29 -08:00
Spencer Smith 626b35e1b0
Merge pull request #2005 from riverzhang/patch-1 
Delete helm home
 2017-12-07 11:23:30 -05:00
Wei Tie 5881ba43f8 Split contiv etcd and etcd-proxy into two daemonsets 
Putting contiv etcd and etcd-proxy into the same daemonset and manage
the difference by a env file is not good for scaling (adding nodes).
This commit split them into two daemonsets so that when adding nodes,
k8s could automatically starting a etcd-proxy on new nodes without need
to run related play that putting env file.
 2017-12-06 22:21:50 -08:00
Brad Beam fed7b97dcb
Merge pull request #2030 from mattymo/removerbaccheck 
Remove RBAC from boolean checks
 2017-12-06 23:41:13 -06:00
Spencer Smith c4458c9d9a
Merge pull request #1997 from mrbobbytables/feature-keepalived-cloud-provider 
Add minimal keepalived-cloud-provider support
 2017-12-06 23:28:27 -05:00
riverzhang aeb3e647d4 Remove the network device created by the flannel (#2006) 
* Remove the network device created by the flannel

Remove the network device created by the flannel

* Modify flannel.1 device path

Modify flannel.1 device path

* remove trailing spaces
 2017-12-06 14:15:39 +00:00
Kuldip Madnani fe036cbe77 Adding changes to handle updation of yum Management cache in rhel. (#2026) 
* Adding changes to handle updation of yum cache in rhel.

* Removed the redundant spaces
 2017-12-06 09:00:41 +00:00
Matthew Mosesohn 952ec65a40 Remove RBAC from boolean checks 2017-12-06 11:57:40 +03:00
Chad Swenson b8788421d5 Support for disabling apiserver insecure port 
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled).

Rework of #1937 with kubeadm support

Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
 2017-12-05 09:13:45 -06:00
Brad Beam c2347db934
Merge pull request #1953 from chadswen/dashboard-refactor 
Kubernetes Dashboard v1.7.1 Refactor
 2017-12-05 08:50:55 -06:00
Brad Beam 27ead5d4fa
Merge pull request #2003 from abelgana/master 
Change altnames to alt_names
 2017-12-05 08:48:32 -06:00
Stanislav Makar 6ade7c0a8d Update k8s version to 1.8.4 (#2015) 
* Update k8s version to 1.8.4

* Update main.yml
 2017-12-04 16:23:04 +00:00
Matthew Mosesohn a0225507a0
Set helm deployment type to host (#2012) 2017-11-29 19:52:54 +00:00
Steven Hardy d39a88d63f Allow setting --bind-address for apiserver hyperkube (#1985) 
* Allow setting --bind-address for apiserver hyperkube

This is required if you wish to configure a loadbalancer (e.g haproxy)
running on the master nodes without choosing a different port for the
vip from that used by the API - in this case you need the API to bind to
a specific interface, then haproxy can bind the same port on the VIP:

root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
tcp        0      0 192.168.24.6:6443       0.0.0.0:*               LISTEN      0          680613     134504/haproxy
tcp        0      0 192.168.24.16:6443      0.0.0.0:*               LISTEN      0          653329     131423/hyperkube
tcp        0      0 192.168.24.16:6443      192.168.24.16:58404     ESTABLISHED 0          652991     131423/hyperkube
tcp        0      0 192.168.24.16:58404     192.168.24.16:6443      ESTABLISHED 0          652986     131423/hyperkube

This can be achieved e.g via:

kube_apiserver_bind_address: 192.168.24.16

* Address code review feedback

* Update kube-apiserver.manifest.j2
 2017-11-29 15:24:02 +00:00
unclejack e5d353d0a7 contiv network support (#1914) 
* Add Contiv support

Contiv is a network plugin for Kubernetes and Docker. It supports
vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
multiple networks and bridging pods onto physical networks.

* Update contiv version to 1.1.4

Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.

* Load openvswitch module to workaround on CentOS7.4

* Set contiv cni version to 0.1.0

Correct contiv CNI version to 0.1.0.

* Use kube_apiserver_endpoint for K8S_API_SERVER

Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
to a available endpoint no matter if there's a loadbalancer or not.

* Make contiv use its own etcd

Before this commit, contiv is using a etcd proxy mode to k8s etcd,
this work fine when the etcd hosts are co-located with contiv etcd
proxy, however the k8s peering certs are only in etcd group, as a
result the etcd-proxy is not able to peering with the k8s etcd on
etcd group, plus the netplugin is always trying to find the etcd
endpoint on localhost, this will cause problem for all netplugins
not runnign on etcd group nodes.
This commit make contiv uses its own etcd, separate from k8s one.
on kube-master nodes (where net-master runs), it will run as leader
mode and on all rest nodes it will run as proxy mode.

* Use cp instead of rsync to copy cni binaries

Since rsync has been removed from hyperkube, this commit changes it
to use cp instead.

* Make contiv-etcd able to run on master nodes

* Add rbac_enabled flag for contiv pods

* Add contiv into CNI network plugin lists

* migrate contiv test to tests/files

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

* Add required rules for contiv netplugin

* Better handling json return of fwdMode

* Make contiv etcd port configurable

* Use default var instead of templating

* roles/download/defaults/main.yml: use contiv 1.1.7

Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
 2017-11-29 14:24:16 +00:00
Di Xu de422c822d update nginx tag to use multi-arch docker image (#2009) 2017-11-29 10:39:52 +00:00
Matthew Mosesohn 4d3326b542
Raise default vault lease TTL to 10y (#2008) 2017-11-29 10:38:59 +00:00
riverzhang 1b82138142 Delete helm home 
Delete helm home
 2017-11-29 13:27:09 +08:00
Christopher Randles 208ff8e350 Allow for more customization of the tiller deploy (#1946) 2017-11-28 18:33:57 +00:00
Matthew Mosesohn ec54b36e05
add retries for calico/canal etcd commands (#2007) 2017-11-28 16:39:55 +00:00
Spencer Smith 38e8522cbf
Merge pull request #1983 from tomdee/bump-flannel-ver 
Bump flannel version to v0.9.1
 2017-11-28 11:38:55 -05:00
Spencer Smith 52f8687397
Merge pull request #1977 from mattymo/initializers 
Disable initializers feature gate if istio is not used
 2017-11-28 11:37:41 -05:00
Spencer Smith 43600ffcf8
Merge pull request #1972 from chadswen/master-static-pod-flush 
Additional flush for static pod master upgrade
 2017-11-28 11:36:38 -05:00
Christopher Randles 938d2d9e6e update helm/tiller to v2.7.2 -- security bugfix (#1986) 2017-11-28 14:52:42 +00:00
Kevin Lefevre 9368dbe0e7 update calico to 2.6.2 (#1874) 
Move RS to deployment so no need to take care of the revision history
limits :
  - Delete the old RS
  - Make Calico manifest a deployment
  - move deployments to apps/v1beta2 API since Kubernetes 1.8
 2017-11-28 12:01:30 +00:00
abelgana fe3290601a
The variable altnames is used by this task. 
Since the value will change on the default. It needs to change here also.
 2017-11-27 06:57:16 -05:00
abelgana e7173e1d62
Change altnames to alt_names 
Hi,

Could you please check if it was a typo?

https://www.vaultproject.io/api/secret/pki/

Regards,
 2017-11-25 17:29:21 -05:00
Bogdan Dobrelya 8aafe64397
Defaults for apiserver_loadbalancer_domain_name (#1993) 
* Defaults for apiserver_loadbalancer_domain_name

When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.

Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Define defaults for LB modes in common defaults

Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
 2017-11-23 16:15:48 +00:00
Bob Killen 2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
brx b80ded63ca
Update main.yml 
just a small spelling mistake
 2017-11-21 22:37:52 +01:00
Simon Li 7be2521a31 Add flannel hairping mode 2017-11-21 10:43:50 +00:00
Tom Denham 15b9d54a32
Bump flannel version to v0.9.1 2017-11-16 12:52:18 -07:00