[2.12] Add 1.16.14 and 1.16.15 support (#6583)

* Use k8s.gcr.io for kubernetes related images (#5764)

* Use k8s.gcr.io for kubernetes related images

* Use k8s.gcr.io in inventory sample

* [2.12] Update hashes and set default version to 1.16.14

* [2.12] Update hashes and set default version to 1.16.15

Co-authored-by: Florent Monbillard <f.monbillard@gmail.com>

.gitlab-ci.yml

@@ -38,7 +38,7 @@ before_script:
   tags:
     - packet
   variables:
-    KUBESPRAY_VERSION: v2.11.0
+    KUBESPRAY_VERSION: v2.11.2
   image: quay.io/kubespray/kubespray:$KUBESPRAY_VERSION
 
 .testcases: &testcases

.gitlab-ci/shellcheck.yml

@@ -6,7 +6,7 @@ shellcheck:
     SHELLCHECK_VERSION: v0.6.0
   before_script:
     - ./tests/scripts/rebase.sh
-    - curl --silent "https://storage.googleapis.com/shellcheck/shellcheck-"${SHELLCHECK_VERSION}".linux.x86_64.tar.xz" | tar -xJv
+    - curl --silent --location "https://github.com/koalaman/shellcheck/releases/download/"${SHELLCHECK_VERSION}"/shellcheck-"${SHELLCHECK_VERSION}".linux.x86_64.tar.xz" | tar -xJv
     - cp shellcheck-"${SHELLCHECK_VERSION}"/shellcheck /usr/bin/
     - shellcheck --version
   script:

.gitlab-ci/terraform.yml

@@ -92,70 +92,3 @@ tf-validate-aws:
 #     TF_VAR_facility: ams1
 #     TF_VAR_public_key_path: ""
 #     TF_VAR_operating_system: ubuntu_18_04
-
-.ovh_variables: &ovh_variables
-  OS_AUTH_URL: https://auth.cloud.ovh.net/v3
-  OS_PROJECT_ID: 8d3cd5d737d74227ace462dee0b903fe
-  OS_PROJECT_NAME: "9361447987648822"
-  OS_USER_DOMAIN_NAME: Default
-  OS_PROJECT_DOMAIN_ID: default
-  OS_USERNAME: 8XuhBMfkKVrk
-  OS_REGION_NAME: UK1
-  OS_INTERFACE: public
-  OS_IDENTITY_API_VERSION: "3"
-
-tf-ovh_ubuntu18-calico:
-  extends: .terraform_apply
-  when: on_success
-  variables:
-    <<: *ovh_variables
-    TF_VERSION: 0.12.12
-    PROVIDER: openstack
-    CLUSTER: $CI_COMMIT_REF_NAME
-    ANSIBLE_TIMEOUT: "60"
-    SSH_USER: ubuntu
-    TF_VAR_number_of_k8s_masters: "0"
-    TF_VAR_number_of_k8s_masters_no_floating_ip: "1"
-    TF_VAR_number_of_k8s_masters_no_floating_ip_no_etcd: "0"
-    TF_VAR_number_of_etcd: "0"
-    TF_VAR_number_of_k8s_nodes: "0"
-    TF_VAR_number_of_k8s_nodes_no_floating_ip: "1"
-    TF_VAR_number_of_gfs_nodes_no_floating_ip: "0"
-    TF_VAR_number_of_bastions: "0"
-    TF_VAR_number_of_k8s_masters_no_etcd: "0"
-    TF_VAR_use_neutron: "0"
-    TF_VAR_floatingip_pool: "Ext-Net"
-    TF_VAR_external_net: "6011fbc9-4cbf-46a4-8452-6890a340b60b"
-    TF_VAR_network_name: "Ext-Net"
-    TF_VAR_flavor_k8s_master: "defa64c3-bd46-43b4-858a-d93bbae0a229"    # s1-8
-    TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229"      # s1-8
-    TF_VAR_image: "Ubuntu 18.04"
-    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
-
-tf-ovh_coreos-calico:
-  extends: .terraform_apply
-  when: on_success
-  variables:
-    <<: *ovh_variables
-    TF_VERSION: 0.12.12
-    PROVIDER: openstack
-    CLUSTER: $CI_COMMIT_REF_NAME
-    ANSIBLE_TIMEOUT: "60"
-    SSH_USER: core
-    TF_VAR_number_of_k8s_masters: "0"
-    TF_VAR_number_of_k8s_masters_no_floating_ip: "1"
-    TF_VAR_number_of_k8s_masters_no_floating_ip_no_etcd: "0"
-    TF_VAR_number_of_etcd: "0"
-    TF_VAR_number_of_k8s_nodes: "0"
-    TF_VAR_number_of_k8s_nodes_no_floating_ip: "1"
-    TF_VAR_number_of_gfs_nodes_no_floating_ip: "0"
-    TF_VAR_number_of_bastions: "0"
-    TF_VAR_number_of_k8s_masters_no_etcd: "0"
-    TF_VAR_use_neutron: "0"
-    TF_VAR_floatingip_pool: "Ext-Net"
-    TF_VAR_external_net: "6011fbc9-4cbf-46a4-8452-6890a340b60b"
-    TF_VAR_network_name: "Ext-Net"
-    TF_VAR_flavor_k8s_master: "4d4fd037-9493-4f2b-9afe-b542b5248eac"    # b2-7
-    TF_VAR_flavor_k8s_node: "4d4fd037-9493-4f2b-9afe-b542b5248eac"      # b2-7
-    TF_VAR_image: "CoreOS Stable"
-    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

Dockerfile

@@ -4,7 +4,7 @@ RUN mkdir /kubespray
 WORKDIR /kubespray
 RUN apt update -y && \
     apt install -y \
-    libssl-dev python3-dev sshpass apt-transport-https jq \
+    libssl-dev python3-dev sshpass apt-transport-https jq moreutils \
     ca-certificates curl gnupg2 software-properties-common python3-pip rsync
 RUN  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
      add-apt-repository \
@@ -16,3 +16,6 @@ COPY . .
 RUN /usr/bin/python3 -m pip install pip -U && /usr/bin/python3 -m pip install -r tests/requirements.txt && python3 -m pip install -r requirements.txt && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.14.4/bin/linux/amd64/kubectl \
     && chmod a+x kubectl && cp kubectl /usr/local/bin/kubectl
+
+# Some tools like yamllint need this
+ENV LANG=C.UTF-8

README.md

@@ -112,12 +112,13 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.16.3
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.16.15
-  - [etcd](https://github.com/coreos/etcd) v3.3.10
+  - [etcd](https://github.com/coreos/etcd) v3.3.12
   - [docker](https://www.docker.com/) v18.06 (see note)
+  - [containerd](https://containerd.io/) v1.2.13
   - [cri-o](http://cri-o.io/) v1.14.0 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.1
+  - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6
   - [calico](https://github.com/projectcalico/calico) v3.7.3
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
   - [cilium](https://github.com/cilium/cilium) v1.5.5
@@ -138,7 +139,7 @@ Note: The list of validated [docker versions](https://github.com/kubernetes/kube
 ## Requirements
 
 - **Minimum required version of Kubernetes is v1.15**
-- **Ansible v2.7.8 and python-netaddr is installed on the machine that will run Ansible commands**
+- **Ansible v2.7.16 and python-netaddr is installed on the machine that will run Ansible commands**
 - **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/downloads.md#offline-environment))
 - The target servers are configured to allow **IPv4 forwarding**.

contrib/terraform/terraform.py

@@ -357,7 +357,7 @@ def iter_host_ips(hosts, ips):
                 'ansible_ssh_host': ip,
             })
 
-        if 'use_access_ip' in host[1]['metadata'] and ihost[1]['metadata']['use_access_ip'] == "0":
+        if 'use_access_ip' in host[1]['metadata'] and host[1]['metadata']['use_access_ip'] == "0":
                 host[1].pop('access_ip')
 
         yield host

contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml

@@ -13,7 +13,7 @@
       /usr/local/share/ca-certificates/vault-ca.crt
       {%- elif ansible_os_family == "RedHat" -%}
       /etc/pki/ca-trust/source/anchors/vault-ca.crt
-      {%- elif ansible_os_family in ["Coreos", "Container Linux by CoreOS"] -%}
+      {%- elif ansible_os_family in ["Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] -%}
       /etc/ssl/certs/vault-ca.pem
       {%- endif %}
 
@@ -25,7 +25,7 @@
 
 - name: bootstrap/ca_trust | update ca-certificates (Debian/Ubuntu/CoreOS)
   command: update-ca-certificates
-  when: vault_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: vault_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: bootstrap/ca_trust | update ca-certificates (RedHat)
   command: update-ca-trust extract

docs/integration.md

@@ -7,7 +7,7 @@
 
 2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray):
   ```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```
-  Git will create _.gitmodules_ file in your existent ansible repo:
+  Git will create `.gitmodules` file in your existent ansible repo:
 
    ```ini
    [submodule "3d/kubespray"]

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -20,10 +20,10 @@ kube_users_dir: "{{ kube_config_dir }}/users"
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.16.3
+kube_version: v1.16.15
 
 # kubernetes image repo define
-kube_image_repo: "{{ gcr_image_repo }}/google-containers"
+kube_image_repo: "k8s.gcr.io"
 
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)

requirements.txt

@@ -1,4 +1,4 @@
-ansible==2.7.12
+ansible==2.7.16
 jinja2==2.10.1
 netaddr==0.7.19
 pbr==5.2.0

roles/bootstrap-os/tasks/bootstrap-coreos.yml

@@ -10,7 +10,7 @@
   tags:
     - facts
 
-- name: Force binaries directory for Container Linux by CoreOS
+- name: Force binaries directory for Container Linux by CoreOS and Flatcar
   set_fact:
     bin_dir: "/opt/bin"
   tags:

roles/bootstrap-os/tasks/main.yml

@@ -14,7 +14,7 @@
   when: '"Clear Linux OS" in os_release.stdout'
 
 - include_tasks: bootstrap-coreos.yml
-  when: '"CoreOS" in os_release.stdout'
+  when: '"CoreOS" in os_release.stdout or "Flatcar" in os_release.stdout'
 
 - include_tasks: bootstrap-debian.yml
   when: '"Debian" in os_release.stdout or "Ubuntu" in os_release.stdout'
@@ -41,30 +41,30 @@
     gather_subset: '!all'
     filter: ansible_*
 
-- name: Assign inventory name to unconfigured hostnames (non-CoreOS, Suse and ClearLinux)
+- name: Assign inventory name to unconfigured hostnames (non-CoreOS, non-Flatcar, Suse and ClearLinux)
   hostname:
     name: "{{ inventory_hostname }}"
   when:
     - override_system_hostname
-    - ansible_os_family not in ['Suse', 'Container Linux by CoreOS', 'ClearLinux']
+    - ansible_os_family not in ['Suse', 'Container Linux by CoreOS', 'Flatcar Container Linux by Kinvolk', 'ClearLinux']
 
 # (2/3)
-- name: Assign inventory name to unconfigured hostnames (CoreOS, Suse and ClearLinux only)
+- name: Assign inventory name to unconfigured hostnames (CoreOS, non-Flatcar, Suse and ClearLinux only)
   command: "hostnamectl set-hostname {{ inventory_hostname }}"
   register: hostname_changed
   changed_when: false
   when:
     - override_system_hostname
-    - ansible_os_family in ['Suse', 'Container Linux by CoreOS', 'ClearLinux']
+    - ansible_os_family in ['Suse', 'Container Linux by CoreOS', 'Flatcar Container Linux by Kinvolk', 'ClearLinux']
 
 # (3/3)
-- name: Update hostname fact (CoreOS, Suse and ClearLinux only)
+- name: Update hostname fact (CoreOS, Flatcar, Suse and ClearLinux only)
   setup:
     gather_subset: '!all'
     filter: ansible_hostname
   when:
     - override_system_hostname
-    - ansible_os_family in ['Suse', 'Container Linux by CoreOS', 'ClearLinux']
+    - ansible_os_family in ['Suse', 'Flatcar Container Linux by Kinvolk', 'Container Linux by CoreOS', 'ClearLinux']
 
 - name: "Install ceph-commmon package"
   package:

roles/container-engine/containerd/defaults/main.yml

@@ -9,7 +9,7 @@ containerd_config:
     "docker.io": "https://registry-1.docker.io"
   max_container_log_line_size: -1
 
-containerd_version: '1.2.10'
+containerd_version: '1.2.13'
 containerd_package: 'containerd.io'
 
 containerd_cfg_dir: /etc/containerd

roles/container-engine/containerd/tasks/main.yml

@@ -26,6 +26,18 @@
 
 - include_tasks: containerd_repo.yml
 
+- name: Create containerd service systemd directory if it doesn't exist
+  file:
+    path: /etc/systemd/system/containerd.service.d
+    state: directory
+
+- name: Write containerd proxy drop-in
+  template:
+    src: http-proxy.conf.j2
+    dest: /etc/systemd/system/containerd.service.d/http-proxy.conf
+  notify: restart containerd
+  when: http_proxy is defined or https_proxy is defined
+
 - name: ensure containerd config directory
   file:
     dest: "{{ containerd_cfg_dir }}"

roles/container-engine/containerd/templates/http-proxy.conf.j2

@@ -0,0 +1,2 @@
+[Service]
+Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}

roles/container-engine/containerd/templates/rh_containerd.repo.j2

@@ -7,13 +7,3 @@ keepcache={{ docker_rpm_keepcache | default('1') }}
 gpgkey={{ docker_rh_repo_gpgkey }}
 {% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
 {% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}
-
-[docker-engine]
-name=Docker-Engine Repository
-baseurl={{ dockerproject_rh_repo_base_url }}
-enabled=1
-gpgcheck=1
-keepcache={{ docker_rpm_keepcache | default('1') }}
-gpgkey={{ dockerproject_rh_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}

roles/container-engine/containerd/templates/rh_docker.repo.j2

@@ -0,0 +1,9 @@
+[docker-ce]
+name=Docker-CE Repository
+baseurl={{ docker_rh_repo_base_url }}
+enabled=1
+gpgcheck=1
+keepcache={{ docker_rpm_keepcache | default('1') }}
+gpgkey={{ docker_rh_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
+{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}

roles/container-engine/containerd/vars/debian.yml

@@ -6,8 +6,10 @@ containerd_versioned_pkg:
   '1.2.5': "{{ containerd_package }}=1.2.5-1"
   '1.2.6': "{{ containerd_package }}=1.2.6-3"
   '1.2.10': "{{ containerd_package }}=1.2.10-3"
-  'stable': "{{ containerd_package }}=1.2.10-3"
+  '1.2.12': "{{ containerd_package }}=1.2.12-1"
-  'edge': "{{ containerd_package }}=1.2.10-3"
+  '1.2.13': "{{ containerd_package }}=1.2.13-1"
+  'stable': "{{ containerd_package }}=1.2.13-1"
+  'edge': "{{ containerd_package }}=1.2.13-1"
 
 containerd_package_info:
   pkg_mgr: apt

roles/container-engine/containerd/vars/redhat.yml

@@ -6,8 +6,10 @@ containerd_versioned_pkg:
   '1.2.5': "{{ containerd_package }}-1.2.5-3.1.el7"
   '1.2.6': "{{ containerd_package }}-1.2.6-3.3.el7"
   '1.2.10': "{{ containerd_package }}-1.2.10-3.2.el7"
-  'stable': "{{ containerd_package }}-1.2.10-3.2.el7"
+  '1.2.12': "{{ containerd_package }}-1.2.12-3.1.el7"
-  'edge': "{{ containerd_package }}-1.2.10-3.2.el7"
+  '1.2.13': "{{ containerd_package }}-1.2.13-3.1.el7"
+  'stable': "{{ containerd_package }}-1.2.13-3.1.el7"
+  'edge': "{{ containerd_package }}-1.2.13-3.1.el7"
 
 containerd_package_info:
   pkg_mgr: yum

roles/container-engine/containerd/vars/ubuntu-amd64.yml

@@ -6,8 +6,10 @@ containerd_versioned_pkg:
   '1.2.5': "{{ containerd_package }}=1.2.5-1"
   '1.2.6': "{{ containerd_package }}=1.2.6-3"
   '1.2.10': "{{ containerd_package }}=1.2.10-3"
-  'stable': "{{ containerd_package }}=1.2.10-3"
+  '1.2.12': "{{ containerd_package }}=1.2.12-1"
-  'edge': "{{ containerd_package }}=1.2.10-3"
+  '1.2.13': "{{ containerd_package }}=1.2.13-1"
+  'stable': "{{ containerd_package }}=1.2.13-1"
+  'edge': "{{ containerd_package }}=1.2.13-1"
 
 containerd_package_info:
   pkg_mgr: apt

roles/container-engine/cri-o/tasks/main.yaml

@@ -30,11 +30,10 @@
     state: present
   when: ansible_distribution in ["Ubuntu"]
 
-- name: Add CRI-O PPA
+- name: crictl | Download crictl
-  apt_repository:
+  include_tasks: "../../../download/tasks/download_file.yml"
-    repo: ppa:projectatomic/ppa
+  vars:
-    state: present
+    download: "{{ download_defaults | combine(downloads.crictl) }}"
-  when: ansible_distribution in ["Ubuntu"]
 
 - name: Install crictl
   unarchive:

roles/container-engine/docker/defaults/main.yml

@@ -38,11 +38,6 @@ docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg'
 # Debian docker-ce repo
 docker_debian_repo_base_url: "https://download.docker.com/linux/debian"
 docker_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg'
-# dockerproject repo
-dockerproject_rh_repo_base_url: 'https://yum.dockerproject.org/repo/main/centos/7'
-dockerproject_rh_repo_gpgkey: 'https://yum.dockerproject.org/gpg'
-dockerproject_apt_repo_base_url: 'https://apt.dockerproject.org/repo'
-dockerproject_apt_repo_gpgkey: 'https://apt.dockerproject.org/gpg'
 docker_bin_dir: "/usr/bin"
 # CentOS/RedHat Extras repo
 extras_rh_repo_base_url: "http://mirror.centos.org/centos/$releasever/extras/$basearch/"
@@ -67,4 +62,4 @@ docker_remove_packages_yum:
 docker_remove_packages_apt:
   - docker
   - docker-engine
-  - docker.io
+  - docker.io

roles/container-engine/docker/handlers/main.yml

@@ -15,7 +15,7 @@
   service:
     name: docker.socket
     state: restarted
-  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk']
 
 - name: Docker | reload docker
   service:

roles/container-engine/docker/tasks/main.yml

@@ -27,9 +27,6 @@
   tags:
     - facts
 
-# https://yum.dockerproject.org/repo/main/opensuse/ contains packages for an EOL
-# openSUSE version so we can't use it. The only alternative is to use the docker
-# packages from the distribution repositories.
 - name: Warn about Docker version on SUSE
   debug:
     msg: "SUSE distributions always install Docker from the distro repos"
@@ -46,7 +43,7 @@
           docker requires a minimum kernel version of
           {{ docker_kernel_min_version }} on
           {{ ansible_distribution }}-{{ ansible_distribution_version }}
-  when: (not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "ClearLinux"]) and (ansible_kernel is version(docker_kernel_min_version, "<"))
+  when: (not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"]) and (ansible_kernel is version(docker_kernel_min_version, "<"))
   tags:
     - facts
 
@@ -63,7 +60,7 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic)
 
 - name: ensure docker-ce repository is enabled
   action: "{{ docker_repo_info.pkg_repo }}"
@@ -71,7 +68,7 @@
     repo: "{{ item }}"
     state: present
   with_items: "{{ docker_repo_info.repos }}"
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (docker_repo_info.repos|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (docker_repo_info.repos|length > 0)
 
 - name: ensure docker-engine repository public key is installed
   action: "{{ dockerproject_repo_key_info.pkg_key }}"
@@ -85,7 +82,7 @@
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ dockerproject_repo_key_info.repo_keys }}"
   when:
-    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic)
+    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic)
     - use_docker_engine is defined and use_docker_engine
 
 - name: ensure docker-engine repository is enabled
@@ -96,7 +93,7 @@
   with_items: "{{ dockerproject_repo_info.repos }}"
   when:
     - use_docker_engine is defined and use_docker_engine
-    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)
+    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)
 
 - name: Configure docker repository on Fedora
   template:
@@ -105,9 +102,14 @@
   when: ansible_distribution == "Fedora" and not is_atomic
 
 - name: Configure docker repository on RedHat/CentOS/Oracle Linux
-  template:
+  yum_repository:
-    src: "rh_docker.repo.j2"
+    name: docker-ce
-    dest: "{{ yum_repo_dir }}/docker.repo"
+    baseurl: "{{ docker_rh_repo_base_url }}"
+    description: "Docker CE Stable - $basearch"
+    gpgcheck: yes
+    gpgkey: "{{ docker_rh_repo_gpgkey }}"
+    keepcache: "{{ docker_rpm_keepcache | default('1') }}"
+    proxy: " {{ http_proxy | default('_none_') }}"
   when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_atomic
 
 - name: check if container-selinux is available
@@ -160,7 +162,7 @@
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_package_info.pkgs }}"
   notify: restart docker
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "ClearLinux"] or is_atomic) and (docker_package_info.pkgs|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_atomic) and (docker_package_info.pkgs|length > 0)
   ignore_errors: true
 
 - name: Ensure docker packages are installed

roles/container-engine/docker/tasks/pre-upgrade.yml

@@ -1,4 +1,12 @@
 ---
+- name: Remove legacy docker repo file
+  file:
+    path: "{{ yum_repo_dir }}/docker.repo"
+    state: absent
+  when:
+    - ansible_distribution in ["CentOS","RedHat","OracleLinux"]
+    - not is_atomic
+
 - name: Ensure old versions of Docker are not installed. | Debian
   apt:
     name: '{{ docker_remove_packages_apt }}'

roles/container-engine/docker/tasks/systemd.yml

@@ -24,7 +24,7 @@
     dest: /etc/systemd/system/docker.service
   register: docker_service_file
   notify: restart docker
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_atomic)
 
 - name: Write docker options systemd drop-in
   template:

roles/container-engine/docker/templates/rh_docker.repo.j2

@@ -1,19 +0,0 @@
-[docker-ce]
-name=Docker-CE Repository
-baseurl={{ docker_rh_repo_base_url }}
-enabled=1
-gpgcheck=1
-keepcache={{ docker_rpm_keepcache | default('1') }}
-gpgkey={{ docker_rh_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}
-
-[docker-engine]
-name=Docker-Engine Repository
-baseurl={{ dockerproject_rh_repo_base_url }}
-enabled=1
-gpgcheck=1
-keepcache={{ docker_rpm_keepcache | default('1') }}
-gpgkey={{ dockerproject_rh_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}

roles/container-engine/docker/vars/debian.yml

@@ -2,7 +2,6 @@
 docker_kernel_min_version: '3.10'
 
 # https://download.docker.com/linux/debian/
-# https://apt.dockerproject.org/repo/dists/debian-wheezy/main/filelist
 docker_versioned_pkg:
   'latest': docker-ce
   '1.13': docker-engine=1.13.1-0~debian-{{ ansible_distribution_release|lower }}
@@ -38,7 +37,7 @@ docker_repo_info:
 
 dockerproject_repo_key_info:
   pkg_key: apt_key
-  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  url: '{{ docker_debian_repo_gpgkey }}'
   repo_keys:
     - 58118E89F3A912897C070ADBF76221572C52609D
 
@@ -46,6 +45,6 @@ dockerproject_repo_info:
   pkg_repo: apt_repository
   repos:
     - >
-       deb {{ dockerproject_apt_repo_base_url }}
+       deb {{ docker_debian_repo_base_url }}
        {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
        main

roles/container-engine/docker/vars/redhat.yml

@@ -3,7 +3,6 @@ docker_kernel_min_version: '0'
 
 # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
 # https://download.docker.com/linux/centos/7/x86_64/stable/Packages/
-# https://yum.dockerproject.org/repo/main/centos/7
 # or do 'yum --showduplicates list docker-engine'
 docker_versioned_pkg:
   'latest': docker-ce

roles/container-engine/docker/vars/ubuntu-amd64.yml

@@ -37,7 +37,7 @@ docker_repo_info:
 
 dockerproject_repo_key_info:
   pkg_key: apt_key
-  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  url: '{{ docker_debian_repo_gpgkey }}'
   repo_keys:
     - 58118E89F3A912897C070ADBF76221572C52609D
 
@@ -45,6 +45,6 @@ dockerproject_repo_info:
   pkg_repo: apt_repository
   repos:
     - >
-       deb {{ dockerproject_apt_repo_base_url }}
+       deb {{ docker_debian_repo_base_url }}
        {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
        main

roles/container-engine/docker/vars/ubuntu-arm64.yml

@@ -33,7 +33,7 @@ docker_repo_info:
 
 dockerproject_repo_key_info:
   pkg_key: apt_key
-  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  url: '{{ docker_debian_repo_gpgkey }}'
   repo_keys:
     - 58118E89F3A912897C070ADBF76221572C52609D
 
@@ -41,6 +41,6 @@ dockerproject_repo_info:
   pkg_repo: apt_repository
   repos:
     - >
-       deb {{ dockerproject_apt_repo_base_url }}
+       deb {{ docker_debian_repo_base_url }}
        {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
        main

roles/download/defaults/main.yml

@@ -49,13 +49,13 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{ groups['kub
 image_arch: "{{host_architecture | default('amd64')}}"
 
 # Versions
-kube_version: v1.16.3
+kube_version: v1.16.15
 kubeadm_version: "{{ kube_version }}"
-etcd_version: v3.3.10
+etcd_version: v3.3.12
 
 # gcr and kubernetes image repo define
 gcr_image_repo: "gcr.io"
-kube_image_repo: "{{ gcr_image_repo }}/google-containers"
+kube_image_repo: "k8s.gcr.io"
 
 # docker image repo define
 docker_image_repo: "docker.io"
@@ -76,7 +76,7 @@ typha_enabled: false
 flannel_version: "v0.11.0"
 flannel_cni_version: "v0.3.0"
 
-cni_version: "v0.8.1"
+cni_version: "v0.8.6"
 
 weave_version: 2.5.2
 pod_infra_version: 3.1
@@ -118,14 +118,36 @@ crictl_checksums:
     v1.15.0: c3b71be1f363e16078b51334967348aab4f72f46ef64a61fe7754e029779d45a
 
 # Checksums
-
 kubelet_checksums:
   arm:
+    v1.17.7: 3b368039523357959e451a35867b5659701e135ca2069cb9487c7459084c46d9
+    v1.17.6: e522cda9b86de29da72fd306968e1ba44cb85b61a743083f8fee39899a755210
+    v1.17.5: d1eb5b7a3a88030490f1619f2e7d723926214ba941e2172112bccb71f41d9aab
+    v1.17.4: c8c4d1b869c72b4203024615cafae1cca7df2fb89dd7f4a524d05ffa5edde559
+    v1.17.3: 06fe53b9780e4fa17b5e14f588bbaaa09fc0924ef4040e26a484fa3235c9e110
+    v1.17.2: 9a2ab021f8556fabcb00022052810b3d8136704141891439de1340ac9e439d6d
+    v1.17.1: 0219c940bad3238dfbdf8e4518241d861bbdd8fc93d172cc632c225d7dd57094
     v1.17.0: 75ae6ad8f4a7f2ac3988b37a01c28093f240745d17c1781135d1844057c8ae94
+    v1.16.15: fe4035e1a0a4eb36468cf765e39bb00c7b99bab81e3ba428c77c0296ec6e1039
+    v1.16.14: 17a2051b95aacf409e08325ae7eed6e0a41cf79a9488dba5fa701fa9254e0b71
+    v1.16.13: 0576575832a1e26ff823b4f8ca25cd51e211c3ab43b8880b2a74693c0733cd60
+    v1.16.12: edc35704864fdf5ea28b7bd17580e2155c8599f8f93ed0fb2979f89f747a3f97
+    v1.16.11: adb8c2ecc937b6486d73551121d986924a7e1f503a70d973cc683f8a6ae4f9ab
+    v1.16.10: a1e3b5af8d6e97fdd11154435266f606361978e9a9d0b836f69427c274153c0c
+    v1.16.9: 5c08b7754d0230dcd5493ab09e00c2e2397ce795cb450c0807220faa69e87548
+    v1.16.8: e3ac093071ad59f726ae0f88d1d10ada7ec559ed2b7817495339f4380ae32057
+    v1.16.7: ace84b05e4de55042ed4288eab14f33a5a23519ee7d9981be25b0cf3e74172c2
+    v1.16.6: 0fa3e0836bc0c7395d71c831ad2772f4baa9f4e13a5280228a53958340c95944
+    v1.16.5: c7a224bd0786594902dfd20a21d5377f005f5fe6624550fdfd8bcb8c015d4a0f
     v1.16.3: a64dbe966aa594fcd018de1189f2b5b453ca374978d4c175fb21ecf1b955f268
     v1.16.2: 3c251cd89d83bae5dbae534a7c2bfff09a8ad09e0b0eac02f93a580f471631a7
     v1.16.1: 605581ba04a1e971dd90f4741495ebc6051601144d03b03c63e2f22d03556b4b
     v1.16.0: 3158e95f4b78b12af0225b4c54c487d7926ac61c783a4646290c0f3da0dce5df
+    v1.15.11: 0f57ac2813003cd5be568617d6a160147d95cf89958e75fcd74491a97aeb29ec
+    v1.15.10: 95aa253abc6389c7698739ce1447524fc3e2ada591b9bb8f33ad8bd87bb4e7fc
+    v1.15.9: 333a395d533608709b4b565f9803525bb8ff53c92bbd3eaf187576d51db0d0f0
+    v1.15.8: 8726dca4f33b74dbf2192c8291f08b35b71055ee55abe6f460d80f288cddf060
+    v1.15.7: 84a255300805d2849c995fbba372e15666de6dd0463f158ff8a86048a67dd95c
     v1.15.6: 2cbe49cfd4b876493535eee6716ed52dcc2ba412109c24411e30f243e32b2b46
     v1.15.5: 86bf2fb7344eea2b75da8fdd990a2c16e07ee219a7533d50681b057ca9870a14
     v1.15.4: b112fa280b448e6c4f420de9744160c8a38ad8dd8d3fd6c74f15e339b13389b0
@@ -134,11 +156,34 @@ kubelet_checksums:
     v1.15.1: cb97d18c61b39f0721201fedcb0219b132e521d51a2595c1f7715700626097c6
     v1.15.0: 663c59fca7247ca325d4328cfc3ce77d1d4eddb251137f91ec62b8cd8823d1fc
   arm64:
+    v1.17.7: eb1715a745281f6aee34644653f73787acdd9f3904e3d58e1319ded4a16be013
+    v1.17.6: 6ded412f13e5d8bd0368372150334580a05cd4dc7629f437c789a5aa6008e8e5
+    v1.17.5: 9220a7390d9c5cb5c770d947babdec288d044126b9982bbd5d5c8785354a6701
+    v1.17.4: 77ca08cd3d03edda8d628e39a8cb45afe794582a9619d381ec5a70585999721a
+    v1.17.3: eeefd2f966dfb75ab4ab58829118f9bb314b75799a94d21c2ce8d083cc330dbc
+    v1.17.2: 133b69346da8e34daaf20f421657625a06630ec1e11f06961523836383cea72c
+    v1.17.1: c773512ade5da3188ed4c312d5ba01bfbf3f376f6e580e5b074827a5b25450aa
     v1.17.0: b1a4a2325383854a69ec768e7dc00f69378d3ccbc554859d910bf5b582264ea2
+    v1.16.15: 3d8337e2e0b613688d3828803988adeafedc9451c785478951002bf627beb36b
+    v1.16.14: cb4558510d00f3b06f4bf22ec7d7ed8c6417662e6344048ab36d9d3e60e3c028
+    v1.16.13: 66579a5e4f4133d2c66f506311884f7bcc8a0d719f63d119eddc0d4809f97781
+    v1.16.12: 0ef9d42e27bf85e9ff276f2181e17e2912941c3a7ae9086de722ac3c9cea997f
+    v1.16.11: 074a81dbe658bc47b9e5b9a4733743239c40bc83472b745c7c85774bf33ff3ab
+    v1.16.10: 0634e04a13393dfe8604a7798a11f4c3d2cdc9443e26cbc6d3af35e9ac9727ee
+    v1.16.9: 10c5dc66f309184389ffb7c2d8d9d4d8f291a81559385b5537bce8f0b8c7e918
+    v1.16.8: a6889c9957d8ec3ba15676b1e2eff021c9d120284f185d367626763dd15a245b
+    v1.16.7: bdfa1638e285e4665d9888770eb69aabfa6c08bcc8c6a2285bc06909c68fa4a0
+    v1.16.6: be9f90fec92d0e82a0f4f7005d1dbaa6e31877d48716452b86c7a7db097c53c4
+    v1.16.5: 10513b0a7845ff475a18f25a45e39cb73a35203102abee4701d8de7c0377b6ba
     v1.16.3: 0b937e729506c41d85980b97150dc89e4cd0b0e791c1d18d516c3f4784bf0255
     v1.16.2: c155ef87b6e73661a3f5de51d1f60feab4aebbade8f30bba6cf2e66fdc5f59b0
     v1.16.1: d056f403814dcbadcbb9f6be0db20295c04b7fcad6dc13c145b1a51bd1a927a4
     v1.16.0: 64bc4b211f05246f8ec33318db68a59ecc1ba7f1a6716eb1db7f3e0ea3495ca2
+    v1.15.11: 0ba28c49980c10743a09063c1046bb134f9761662c32b4d5795d4e9e5122839b
+    v1.15.10: 87c7e42ecbc5583b8c653b26a9dbafb3a3f79749c3163730e5a5bddf061e77ad
+    v1.15.9: 79c401fdc990e7f8126372ade68793981c2ea74270e4fdab0ad7152c22803620
+    v1.15.8: f6e4cf5fa4b97aa647fb09a513f47c2afeaabdc47c8976029215c1877a7727ce
+    v1.15.7: 17f2768566962fde520f9b4102549252665d1d89895f0f8102a150813da9efe3
     v1.15.6: d1d86b5da04c50843e08815577a7a630c691752a78688e45332ff636f49bd753
     v1.15.5: 5a20856d77617d78fb6e9c03c37373f7b712fd42b4324b2b41846836259fb911
     v1.15.4: f7085ca5bc75301c0738cccdcf54b6622b4aa2c7c5ff35eddbc34b8d52833d4b
@@ -147,11 +192,34 @@ kubelet_checksums:
     v1.15.1: 3032531dc8ff4ea1debafcfb7b84f6c39a83e67a452a50b64d1023ba57299100
     v1.15.0: a16443434eb0391991bff9a10288d83beb38be4d406954858d9fdc1063870284
   amd64:
+    v1.17.7: a6b66c94a37dd6ae830a9af5b9200884a2c0af868096a3c2553b2e876723c2a2
+    v1.17.6: 4b7fd5123bfafe2249bf91ed83469c2655a8d3295966e5fbd952f89b64b75f57
+    v1.17.5: c5fbfa83444bdeefb51934c29f0b4b7ffc43ce5a98d7f957d8a11e3440055383
+    v1.17.4: f3a427ddf610b568db60c8d47565041901220e1bbe257614b61bb4c76801d765
+    v1.17.3: a5c2349c61771f8bf9f80feb174f7e9d9a6c9e79559758ea538ed3dead07bdcb
+    v1.17.2: 33c6befab43ace4c4e89eab9c45d0cea5432f3cea4beaa956c786fe521f844bb
+    v1.17.1: ffd04d1934c193fa63b3fc7d285d3646ed215f07f726390eefb0913b810716c3
     v1.17.0: c2af77f501c3164e80171903028d35c632366f53dec0c8419828d4e55d86146f
+    v1.16.15: 498e9576617b1846956f73a2da3ddc430eb728d469e62fbbd629e54cf33e5882
+    v1.16.14: a094022d630a1fb34080c1e317e698a9adb9452b0c821c96d96511e8b4489956
+    v1.16.13: a88c0e9f8c4b5a2e91c2c4a8d772cc65ca3a0eb5d477cbce06fbf82d3e50c158
+    v1.16.12: fbc8c16b148dbb3234a3e13f80e6c6736557c10f8c046edfb1dc5337fe2dd40f
+    v1.16.11: edab125cf34c5e95cd883b52385861247cb68ed45605e0ba0774dcf55bde9519
+    v1.16.10: 82b38f444d11c2436040165b1addf46d0909a6daec9133cc979678835ef8e14b
+    v1.16.9: 79e7a1500e154b53087cf7895a710d081d2c357bd34d05362edf230e3c269e63
+    v1.16.8: 4573da19fed14c84f4434ab7cbedf5ded4bf89710c078d58c0703cf2332df198
+    v1.16.7: f49755b06848914c2729353d3580199a70ec8d732609660e90214b4f48ff4398
+    v1.16.6: 47b99b6b9c4654a3fd5e3f093763429f8a6007f788bd7394bd0b85cb7ae4b2d0
+    v1.16.5: f146a59db12869fd1dbe5fe58d6d03eba59989fff63766f488a4fea3fd7dd713
     v1.16.3: 4e8ef215809f1b2af44408bf6039c9e57546a8a209b49720d0489e3aece66938
     v1.16.2: 0c24425d7cc029bffd86bfbedcb6a63cd42c21052c3248e43918ef15d3fc03ee
     v1.16.1: 29a66f72ce8bf4b08eec868953cc9c179e0f2319a52480d3c1259a24a24a9eb3
     v1.16.0: 77ac3f347497434b790aba46e6e06bb2e6e7a6e76b05af739d33b0441d39a263
+    v1.15.11: 24859bb065493fd4d61de7ee0d801cd0254fa7d4431b2af91269db27e743b06e
+    v1.15.10: 33859bf393da38e36d2a7fc76f6f207d75763338f057d65bef56a19be9f87ca2
+    v1.15.9: 680d6afa09cd51061937ebb33fd5c9f3ff6892791de97b028b1e7d6b16383990
+    v1.15.8: 08c662c338da4bb4abfc7fb4bcee5549bc8495fc6c94483f317e32b60d95af2a
+    v1.15.7: e018fc3b934cb5325bc55444e029ddc357544191132794162de9e3663dd7e952
     v1.15.6: 0456b0c789c26fda218d37724dcf08f8f9deee1ab14f09184b03961cc1cf6fba
     v1.15.5: de590308448a62982aa6209b52da6de69ee4855e449e5508c288c8d12d074ec5
     v1.15.4: 6f8e06b422e86ad5c3008ebd1ba2136620b1ba02a7f26b9d4305cdf5fb3f8755
@@ -162,11 +230,34 @@ kubelet_checksums:
 
 kubectl_checksums:
   arm:
+    v1.17.7: 1b862c79333b7edee64f0317f8c5de8699f99b00709734e3341d41cca3b8f29b
+    v1.17.6: 2ad9897b84dd503c963ff790ce092aeb4c8e78ac64b7986a6c6ed1c601255419
+    v1.17.5: 470139a2ca98a85ab89210d07dc733d457d48a8419bbf038ee7e55276e2b5c35
+    v1.17.4: bec3f4163231d4df62ef75b1e435f646b576bfeff08a5e635a033c8223fb4c52
+    v1.17.3: 740e17e7fa2b6aed243e690cdb939f040aefe644a485429ed42b2b1fa7eac813
+    v1.17.2: 152e5b5e1a744ad8e4860bef212462750e0a38856990d6a4d0b3418bedb5346f
+    v1.17.1: a1e580e9140536c4a370c207ee66481cfe8d8876dc9021755a9d20232a97033d
     v1.17.0: 594b3e2f89dca09d82b176b51bf6c8c0fa524ed209c14ec915c9b36fa876601d
+    v1.16.15: 23436a1b74b535338543cb6e8a202d2cf62881479971393fabff0e692a1ec677
+    v1.16.14: be69bf086b263498a4e80e4df3b73315af0c7b9ac918a3af8946a8dff23d2d56
+    v1.16.13: 5fd835f53e20a3fbee21961eee0f492a205cc08df8221538185e57dca85ed82f
+    v1.16.12: 0f39db272aa24e12f5842bd30623801e677232ec42d469935d3ecf0040a72970
+    v1.16.11: f0d50fbc930d97220d5dccea309025f42341b7a99b113032d05860f03c7f33dc
+    v1.16.10: f196dfd5592f1d4cbe92b3e7a7de2307bbbf9cec0a09d4eb22b645650ed79af7
+    v1.16.9: 1d5627c9e186c6f3b501045e1328f54925d2ced852f93baf2e89a342fa85e788
+    v1.16.8: 803c3197845fd5f97c99bcba6e7a0af223128442deccca92df2d267d545db166
+    v1.16.7: 588ac4f1387442d0b0d8928080a7f42c1196ae9b0b9a3d6a25b048df26926e26
+    v1.16.6: 57b37697e4fae53b68786eaef5a2ea14cca38f62e9478aebd758648370c64608
+    v1.16.5: 06302f893a171260bf89c4cd7a1caa130f0290cf6e11ef9e83cac54c9c7c94f5
     v1.16.3: 2cc711c92eea6ca66aeefa2dab73c553db3551a267f8ee102daa9f2fbf34ee9b
     v1.16.2: 3b3331502ffbdf762904395246bfd2125c12569995eb66fa8b0a08fbd969877b
     v1.16.1: ee975a46a67967bf008db15d70e429b62d68ce3adfc7c8ddb6ef26194d220896
     v1.16.0: 86c130d211144f9665a4441f43ced8151e7df54a3af7e2874d46fbff79608e2e
+    v1.15.11: c341c4bbdc9f468a8e1614cec090f0714c305bf245503145a2ba23de29fdf785
+    v1.15.10: 2c701e0217f4840872a154648d707f0cda5786b60840701b3679bcfc2ba91229
+    v1.15.9: cf87205b4daff4509abd02a7ba9cc70e5c60666ed11621cb4caa03f3528e2bd0
+    v1.15.8: 1b4233629dbf98ef22745c70b65f0c496686a0a3d0ddf4b703b0561c4e1af491
+    v1.15.7: 5e0ab9c12bb474ba3803a1a9ed3552f898a6298ced1b4e683313101499461ba4
     v1.15.6: 3d61c27ecf56e2e35dbc6dcfe6b4b7d8258a646be76192ad5db3feeb576f6636
     v1.15.5: d5a125d3f67b3db0f88753f27b73eaa3213a98057ee1d8333ea4813e03626d1a
     v1.15.4: fb4cbcb6ea5c2f86ce6ba7cf33692fda53ee141656e533f673920a118c9e5d76
@@ -175,11 +266,34 @@ kubectl_checksums:
     v1.15.1: 17f1ba668d98f6d57b2494273a81b49c35aecc3d13a3de36cef390e0bad60ee0
     v1.15.0: 3ea07f7fa18309a630a9f317582de742befbf8efdcb22300a192941b4075c16f
   arm64:
+    v1.17.7: 00c71ceffa9b50af081d2838b102be49ca224a8aa928f5c948b804af84c58818
+    v1.17.6: ceccf6ef3e0ac523cb75d46d1b4979ae1f8cf199926244a9d828cb77f024e46b
+    v1.17.5: 160d1198a6da3eb082e197e368ba86c2acce435e073e9f3ee271aa59c7fb47d6
+    v1.17.4: 95867f3c977b1f754223b95dbb04a9ff45613529e9e4691ffa45c6b214f9fd4f
+    v1.17.3: d007a212240fef9fee30c59b4d4203bbc463d334f679c4d0d1af521b7e2c42e6
+    v1.17.2: 29c36d5866a76ca693a255567ac26d7558c1f02e6b840895093e47afe06594d9
+    v1.17.1: 4208be10e2c12b67e71219cd39b0b2ab065d4ec1b26e19c5da88cb8ebc64ea2f
     v1.17.0: cba12bfe0ee447b06f00813d7d4ba3fbdbf5116eccc4d3291987044f2d6f93c2
+    v1.16.15: 74719f137dc6d589a3b8a667bcb0f3c57eebd8f050dd2f7ad5b59ceb892a7b99
+    v1.16.14: 82450e2ce9a3fdac0f3103777ee03ae4b64d7e35bf437fd4fa3db86e9cf875b7
+    v1.16.13: 22013ef1558da3d8da2bf725e0441631029ab404816e765a240456906665e196
+    v1.16.12: 7f493dcf9d4edfeea68284c4cd7c74383be23f24e9aefd59c08dc37bc20b46db
+    v1.16.11: a6bc2f6b099c19fd1f0748ebb8cc90a710e2af32f1c245c08c92e77db609ce3b
+    v1.16.10: 94418c3817fdeac8263cdf019f78313a8a45b539e96a1962d11a308b75a18438
+    v1.16.9: c957a8a346b7e83c33b8ed6386b8d3e942e34bbc8794bdca33f7304977fc377e
+    v1.16.8: d08aab5f02db63690672e5d9052659589301323c010d90734788d5332ac99daa
+    v1.16.7: 404289fded50daeba0f66e36275498164f17ab121f6cd3cfb1bea6b85914c6e5
+    v1.16.6: 4b852e138a3adc8378ab6ce863144b328924535cc118e33eb1d6245af81a0fbb
+    v1.16.5: cb0142172c3a23a68d5c6194fcc599b58269eff1b47b817ac235e6dfac5b842f
     v1.16.3: ba7e98f837ba892eced9cae962c3648fe507c7fb4e9d7b1b969da8326bbc5dd9
     v1.16.2: d44669ee4d137ccb3375293eedb3b585ac36d69d3e875cd3d8158292454bfac1
     v1.16.1: 8366cd74910411dd9546117edd98b3248b6d33e8ea9b7e65de84168e0f162d47
     v1.16.0: bdec615287163fa53b315f9d0481da3900df4063b0a41c3a412077fe765ee6c2
+    v1.15.11: f0d871bf705f756df5fb01ce68847517d396f3ec2593b9f9b537379eb5f96532
+    v1.15.10: 85d38a113020d5db1683d12018368217d3c05ba00d9675ade63294cbce07ad6b
+    v1.15.9: 4fac0a403d71e47ded2f891000c015fa7f0ffcebf619ee24ac210a6e046c740d
+    v1.15.8: 9f5141915ddc329f2f2466be17b875f3bafe7e27d47d6b932eb6680905c04d51
+    v1.15.7: 26a666ded0f2e6d830788b07e3cad2ad2e75c4ac3a96607ca0b27f92188ba0e5
     v1.15.6: 04aee0d812990391460588d94b768cb6aa012dab8ec03633ec2c5915332d26d9
     v1.15.5: 39fe671e945f2bd38f35eeea9207c9b6d3e035606204ea3c6c943033d3babf5d
     v1.15.4: 910d75b86d1e937174cfd2ccb52b12195862e69ac39c50126af076ba791e9386
@@ -188,11 +302,34 @@ kubectl_checksums:
     v1.15.1: 1f5ad15f0522c5038ea014f4b6987a7a67d68585c1fb158349619b552c027a8c
     v1.15.0: db05f4c1799e019d5ebc51737f31132c191ffce13c516fa758e7137173abd855
   amd64:
+    v1.17.7: 7124a296518edda2ae326e754aec9be6d0ac86131e6f61b52f5ecaa413b66ae4
+    v1.17.6: 5e245f6af6fb761fbe4b3ac06b753f33b361ce0486c48c85b45731a7ee5e4cca
+    v1.17.5: 03cd1fa19f90d38005148793efdb17a9b58d01dedea641a8496b9cf228db3ab4
+    v1.17.4: 465b2d2bd7512b173860c6907d8127ee76a19a385aa7865608e57a5eebe23597
+    v1.17.3: ae8627adb1f0ae7bdb82ffd74a579953b8acdcd4b94aeefc7569078c3d7994c6
+    v1.17.2: 7732548b9c353114b0dfa173bc7bcdedd58a607a5b4ca49d867bdb4c05dc25a1
+    v1.17.1: a87a0acdc67d066bc331cb96c7fd29a883d67a41beeef538a0bd2878872ebad9
     v1.17.0: 6e0aaaffe5507a44ec6b1b8a0fb585285813b78cc045f8804e70a6aac9d1cb4c
+    v1.16.15: e8913069293156ddf55f243814a22d2384fc18b165efb6200606fdeaad146605
+    v1.16.14: c9cb4652768771e1e0abffb6bdb9cc0e38814913f0ab6afd2462f5e967734ad3
+    v1.16.13: ab861ec3ec347062bd1b87f8d78d15cd1ce251e74c5fe662e434056962d2a2c9
+    v1.16.12: db72e5c90de59e1bf287bef55eaf0b603c8d74b3dc552f356ccc02b08c2eb348
+    v1.16.11: fe65c523d52dbcd1973069a96ca4fd2d1c81ea941d79864114fd5e5c75549012
+    v1.16.10: 246d36e4ce67e74e95ff2ba578b9189f58e5def0e8830a24cd30fa3cf279742f
+    v1.16.9: 0f3a6618a2e7402b11a1d9b9ffeff3ba0c6765dc361815413ce7441799aecf96
+    v1.16.8: 1d8602496ca4b843824a9746206509991eb8d30b5bb8436b36a02718729934ed
+    v1.16.7: c31ca51b526489cd929be71fc1dc9c3cc24b6df5641b3505b467bac51862047d
+    v1.16.6: 05aae29c6e96fc07db195878263d3b625b623b9f16f87851e4a8ed8d234bcc2d
+    v1.16.5: 2f1bd0736cabbc660882a46b4188b0e7eb2085760a89fb84017cc8df7cd416d0
     v1.16.3: cded1b46405741575f31024b757fd967645e815bb0ab1c5f5fcd029f25cc0f2d
     v1.16.2: 3ff48e12f9c768ad548e4221d805281ea28dfcda5c18b3cd1797fe37aee3012e
     v1.16.1: 69cfb3eeaa0b77cc4923428855acdfc9ca9786544eeaff9c21913be830869d29
     v1.16.0: 4fc8a7024ef17b907820890f11ba7e59a6a578fa91ea593ce8e58b3260f7fb88
+    v1.15.11: 4b9053d6ffd34c68a16af1d99855e68d27b7578f75382f19648d425f29f0fbc5
+    v1.15.10: 38a0f73464f1c39ca383fd43196f84bdbe6e553fe3e677b6e7012ef7ad5eaf2b
+    v1.15.9: 4475f68c51af23925d7bd7fc3d1bd01bedd3d4ccbb64503517d586e31d6f607c
+    v1.15.8: 8a4ff87aab573b7e0462a91c125f51d945dda83ff9c76e695dd78816b0f60164
+    v1.15.7: 01eb6cf747a0164a68df07fac2a50698bab51af0306d2797ed5971786fde9779
     v1.15.6: 522115e0f11d83c08435a05e76120c89ea320782ccaff8e301bd14588ec50145
     v1.15.5: be84cf088241f29eca6221430f8fdb3788bc80eccb79b839d721c0daa6b46244
     v1.15.4: ada48ed9160f83bda949546fd2c7e443b97a5212c4f99148d66866c65ceb9dab
@@ -203,11 +340,34 @@ kubectl_checksums:
 
 kubeadm_checksums:
   arm:
+    v1.17.7: 47c911a7deff993e654da1e0644fe627e496292d7a7a5f43f33fa4cde6b6856d
+    v1.17.6: a12f4281d018a7d53611cb1c0c537cd8f82dc01f3e16c16513622c1d6c9db658
+    v1.17.5: ae2b66de65a6a435ff06ea8e542904e92c5eec0c42c2e57905a2a31a52106ca1
+    v1.17.4: d22dd143947aa442812b325f36d48929506ea8416230213ffb83c29c1c1222f5
+    v1.17.3: fc94d273927bc7e1dce91518133492f4e76aead6e795338317281fb0c6b6445e
+    v1.17.2: c0a74989da367d9c11b25d4fbd90e8d3d1a013a63c9be7bbce61b320715c1a83
+    v1.17.1: 501d1bacb863713dd9d0101d0021b0227869c4b1b9e903f6498333c613d384e1
     v1.17.0: 5fcf1234d89bc2a364c53b76b36134fc57278b456138d93c278805f2c9b186f1
+    v1.16.15: 68cec658085d799d6db5a828f9e49005e5f88130720ec916af5c17c557da586d
+    v1.16.14: 6c44968fbb3480e10eb88117a40abd8448153eb2445faf6d3a4b6869a80a29d4
+    v1.16.13: c18f6682f8f5787129b0a0903766822265c0e8052a3bd60a3594625615e6f928
+    v1.16.12: 0de9916e2117304d1f112a6d2bd53f08043f81329c2c12ca17635b98c88bc6a6
+    v1.16.11: 9489861c4856d9b0fdf7124a2bd38c01f29ecc4a83c1b602083e1cc739040d10
+    v1.16.10: e7c09d060fcbe5948ea43fa9b0465ea2c0fd91de76b403530df23062e3b44341
+    v1.16.9: fb2b48e7a866a09611d825fc122f6bc2b04473b0ccb06682436effd2351ad425
+    v1.16.8: df7737c2ffbd6001fabbed7c84e9ab4f483f750aff5e6052c245a7978ab203af
+    v1.16.7: 66dfa31f5ebd96b3f3a0243533772d68602d36c0e6c0114f4c004cd9c4bed481
+    v1.16.6: e7e19b2edacd811a81a6147235efbbea31029d9b1c51261eab393db50e618f65
+    v1.16.5: 83e0162a6b67ea12767eb8b90f245a1a97ab4c5bc19abda291861008038bba18
     v1.16.3: ff0bdab35e6ed3784db0db1022c94efcb89c5d6da314a3d6b811af3cb1bfb06e
     v1.16.2: cbddf79fbcdcde7046251b51ef52a16b08ed00bd9132f25cda5be9c82fa731fd
     v1.16.1: 38293a03064f47c3817299475b8dc950563854aff99a87d07cf31f0ebf402015
     v1.16.0: 6c666958e11b7d4513adecb3107c885c98bdc79f38d369c9f80eaaeae4ddfe66
+    v1.15.11: 47eb7b7e14cd58531bb39bbee618259b3d0a14e4d9cd9135ce4670bd8295e644
+    v1.15.10: 2515eb19b8cbd50dc639ec15d90835f3720cb64f9550e140b8f408ede9373f55
+    v1.15.9: 90047aa32b071f05892764c5bcfd28dcc6e0de51ea7af8c41269cde9eb15dfe2
+    v1.15.8: 612dbcdbcd2ba6ec2f54b431bee3d58589e6b50dcd707528bc83e89bf74128aa
+    v1.15.7: 313a5cde31a2c892dbde82f3c8ec3675787b8f26f27f14533d38bdf326f6c872
     v1.15.6: 0c6b9e3c91476b75e716c6789783c4bd0d480e94690b5e556b7d96b61fcf227e
     v1.15.5: 4a4ed964b61bbe99c4293c5ef0168cc8c2601d285e525d177b8b0d478960a8ab
     v1.15.4: 69984698052f1563fd44d78e1a68e140a552df7ed57ccd9c83bdfd82bc6103dd
@@ -216,11 +376,34 @@ kubeadm_checksums:
     v1.15.1: 855abd520291dcef0577a1a2ef87a70f522fd2b22603a12abcd86c2f7ec9c022
     v1.15.0: 9464030a1d4e101de5f47348f3514d5a9eb95cbce2e5e31f53ada1ca485cf75e
   arm64:
+    v1.17.7: 6c8622adf5a7a2dfc66ebe15058353b2e2660b01f1e8990bab7a9c7fca76bccb
+    v1.17.6: b9f20f98aeecc7b011727ff8be9008a8229cdbea6d3dd93f782622c306306288
+    v1.17.5: 6f004152ca1f60bb6ac7446e2c317957df5cff5ac55b60c08ce7869792dc4196
+    v1.17.4: 20e1e095f8c46e5dba6366eec162a40b22cd7639f32e83743afef3c0daafd127
+    v1.17.3: 92d584c2ff83790830384159fbf6d04798eea002d6315923657fd6f74c80f092
+    v1.17.2: 091864574d38d3e30ed57734419b55d0957f39291d6f573ff8fffc8d474fb9ec
+    v1.17.1: c640eb50406962628ac6e31fd840506a360b5d9c57d14007d0eaada28c49d64f
     v1.17.0: 0b94d1ace240a8f9995358ca2b66ac92072e3f3cd0543275b315dcd317798546
+    v1.16.15: f7cc47f8ec5eca6f72d90518ef91a08549a01ddc46a6e2c7b03756d83b8ecc8b
+    v1.16.14: 25c1b3a737fc8ca7037a80c89044d248dffa834e2f334b7bafdcc0dcb9ce914d
+    v1.16.13: e574ede80b3eacd197376edb1c04d950c8af62a036a049d16753615752b2d8be
+    v1.16.12: 67f675f8fb1ff3af56ca0a976323a65cabc35efa53b7896146684b8f53990741
+    v1.16.11: 21ae6f9275525130ec051ddbd09932f7baee2ab85b83f884a879a7b005f9fcb6
+    v1.16.10: 568d5be1cad4d2b2d4811055f2ec9fc478fd827d77d02b1ea1aa916eada7c32a
+    v1.16.9: 2045b51d08ca4f1ca646edf8ed716b79200ac587d08b4281b03ca0297ecb01e5
+    v1.16.8: 2300e2a7dc16512595c7aebc486799239039d33f33db2d085550d1f2d5f3129b
+    v1.16.7: 90b69bdebefea6496335485d24bd9829e16029bbc7aa771749044cecd1a60360
+    v1.16.6: f170c10da4824cdba274f1a8b37f1358b147c3224c47ad363fb80c8a2c13e54b
+    v1.16.5: c24ee225b5cad870491b5febcd12846fb2730439b4b843cb151d0c31d5f0ab5e
     v1.16.3: e9f8e806a4f18a6970d228e0434ce1ba976f6a0fde2690c6a3b1e2d72f23eaa0
     v1.16.2: 4287d025a0c9743325c8891b7139ff718c79e4302e2004c5472a06b410a196b1
     v1.16.1: 000aaffa911d3d46dad0a4af8d59408ee56eea5b8eff5cb1b9fbee9986763165
     v1.16.0: 9a1d21bfb6bd15697ac010665e5917a5364b340d5b60f2f0302c179d75da0f3f
+    v1.15.11: e947c5472e5167503a502e5825f8d11aa40d15bb8f2181d43331807bcd2a7731
+    v1.15.10: b318749f2865c403ce64f48ccb1d189597e19b726f9e866ae34108de3cc2916f
+    v1.15.9: 99f52bfb87a5e4720768d6249e4d450604690a77ad5afa6e4f246cf0d914b62d
+    v1.15.8: 1af2abc47e15aeafca6f8b10eaaca59746d7c4645d63fedd007ba0b455e3528a
+    v1.15.7: 39488a6b7d887d1ff4fe4801724e512ee547752c5337e3e50b8e32eade1e376a
     v1.15.6: 79aea11d6aaf7792135cabecd7446c9725966be7daf24a441ba89d9dec918d00
     v1.15.5: 26e0587398cf4b5bf4456aa65c507aa3713498025a43e3ae1654f54295f27464
     v1.15.4: df6747066627f8d803033c20e1161c0cd68f3e8ffd72a972f1cfc4221c67c6e9
@@ -229,11 +412,34 @@ kubeadm_checksums:
     v1.15.1: 44fbfad0f1026d249fc4f365f1e9562cd52d75360d4d1032731122ba5a4d57dc
     v1.15.0: fe3c79070814fe847a23209b1027672fe5c5e7e5c9611e329225058926836f96
   amd64:
+    v1.17.7: 9d4b97e93ddb204798b91fec063743e218c92b42798779b5248a49e1476226e2
+    v1.17.6: d4cfc9a0a734ba015594974ee4253b8965b95cdb6e83d8a6a946675aad418b40
+    v1.17.5: 9bd2fd1118b3d07d12e2a806c04bf34d99e79886c5318ddc003ba38f30da390c
+    v1.17.4: 3cdcffcf8a1660241a045cfdfed3ebbf7f7c6a0840f008e2b049b533bca5bb8c
+    v1.17.3: e34e3193a1161aea7269cee3f115e86ff71f01702a1c15fa0f71103bf2dba304
+    v1.17.2: 33a1d8e3cea2bdbb9fa9cb257c516289ee50d957fcb6d7b35919f5f0e6ca2f41
+    v1.17.1: 11bd31833dab9adb5b53398772dd1582264c3d1757cb3395e691d6a7379081ec
     v1.17.0: 0d8443f50fb7caab2e5e7e53f9dc56d5ffe55f021ec061f2e2bcba0481df5a48
+    v1.16.15: 2d00f583be1dcc0540122e1d3855d7074b6380176aa50673903334d2d612b10e
+    v1.16.14: afb935df01910d1e7de34a9cbe7cbc885d3345dbba571d8408b03eddd27bd0b2
+    v1.16.13: 3ddce3fb919f1e8b0a3e0a1ae1d20c9af0fd4a7d731be1e818597b3ecdb49023
+    v1.16.12: bb4d0f045600b883745016416c14533f823d582f4f20df691b7f79a6545b6480
+    v1.16.11: a40ed479d89271f2d5514121a3ad3cb0a9bc90845d511c0c87b1c99bcca880f1
+    v1.16.10: 726d42c569f25078d03b758477f17f543c845aef2ff48acd9d4269705ca1aa9d
+    v1.16.9: 99b3bd3a59e5832b2bfe3f3936ffd1f983e22913b32111684311d11fd2cefbf1
+    v1.16.8: 58a74986af13b969abc8b471822f36f3fda71f95ed1c006f48c8d2ab88f8edf1
+    v1.16.7: 018f7c2fae7a1ce7bc892edbea3ee2c493e4b023436be9f8f65fd392dc3e17b6
+    v1.16.6: dd4364fa61e7e3767066607395b771cf6fcd0fc57df82c7142fd33183cc6ef9e
+    v1.16.5: c68082771f752fa5b6c3ea8e4b19ebbd270d23da14372c8b72dbae65e8a7c4a5
     v1.16.3: acecd15cf5471d4870959020022676e14cb6901f3c8f97019e5faee8ca956fd7
     v1.16.2: 9cd4a5b087088a9053ff40113ca182f0c2f959e2e51049ed2f850785c2588e04
     v1.16.1: 52ee74a9376b5b7d5296d9dab9bc54614b1c99d168003a78bdaea50f358a6886
     v1.16.0: 18f30d65fb05148c73cc07c77a83f4a2427379af493ca9f60eda42239409e7ef
+    v1.15.11: 2ebc93a6f64419e5e7f26a4674c6784463c7b2a51c0afe8ec2c0423471e7cec3
+    v1.15.10: f4a6fb64125d3f517976a68db2ba0f76a85467681b6e1b50b95ea3397ec7e520
+    v1.15.9: 366a7f260cbd1aaa2661b1e3b83a7fc8781c8a8b07c71944bdaf66d49ff5abae
+    v1.15.8: 9c5a176ea2f4dbf383557211873ec95fe4ffdb5d54d4311f00b92ec592d2bae7
+    v1.15.7: d64d6e4a711d293758476ec3183091cbfeb1ed0a19d92eda8ff3350017ed6ba0
     v1.15.6: e1699c7afa090453241a009d9878fdd405a48f052e93e2ff056a8f2cf3a1cae7
     v1.15.5: e64bb0b2cfdcaa1f4063879bb358848c41aa1b5cc18b75c91994d11a9bf8c136
     v1.15.4: 3acf748ec5d69f316da85fb1e75945afb028f1e207ecb0b5986e23932c040194
@@ -246,12 +452,12 @@ etcd_binary_checksums:
   # Etcd does not have arm32 builds at the moment, having some dummy value is
   # required to avoid "no attribute" error
   arm: 0
-  arm64: 5ec97b0b872adce275b8130d19db314f7f2b803aeb24c4aae17a19e2d66853c4
+  arm64: 170b848ac1a071fe7d495d404a868a2c0090750b2944f8a260ef1c6125b2b4f4
-  amd64: 1620a59150ec0a0124a65540e23891243feb2d9a628092fb1edcc23974724a45
+  amd64: dc5d82df095dae0a2970e4d870b6929590689dd707ae3d33e7b86da0f7f211b6
 cni_binary_checksums:
-  arm: ae6ddbd87c05a79aceb92e1c8c32d11e302f6fc55045f87f6a3ea7e0268b2fda
+  arm: 28e61b5847265135dc1ca397bf94322ecce4acab5c79cc7d360ca3f6a655bdb7
-  arm64: acde854e3def3c776c532ae521c19d8784534918cc56449ff16945a2909bff6d
+  arm64: 43fbf750c5eccb10accffeeb092693c32b236fb25d919cf058c91a677822c999
-  amd64: e9bfc78acd3ae71be77eb8f3e890cc9078a33cc3797703b8ff2fc3077a232252
+  amd64: 994fbfcdbb2eedcfa87e48d8edb9bb365f4e2747a7e47658482556c12fd9b2f5
 calicoctl_binary_checksums:
   arm:
     v3.6.1: 0
@@ -302,7 +508,7 @@ calico_rr_image_repo: "{{ docker_image_repo }}/calico/routereflector"
 calico_rr_image_tag: "{{ calico_rr_version }}"
 calico_typha_image_repo: "{{ docker_image_repo }}/calico/typha"
 calico_typha_image_tag: "{{ calico_typha_version }}"
-pod_infra_image_repo: "{{ gcr_image_repo }}/google_containers/pause-{{ image_arch }}"
+pod_infra_image_repo: "{{ kube_image_repo }}/pause"
 pod_infra_image_tag: "{{ pod_infra_version }}"
 install_socat_image_repo: "{{ docker_image_repo }}/xueshanf/install-socat"
 install_socat_image_tag: "latest"
@@ -372,10 +578,10 @@ tiller_image_tag: "{{ helm_version }}"
 
 registry_image_repo: "{{ docker_image_repo }}/library/registry"
 registry_image_tag: "2.6"
-registry_proxy_image_repo: "{{ gcr_image_repo }}/google_containers/kube-registry-proxy"
+registry_proxy_image_repo: "{{ kube_image_repo }}/kube-registry-proxy"
 registry_proxy_image_tag: "0.4"
 metrics_server_version: "v0.3.3"
-metrics_server_image_repo: "{{ gcr_image_repo }}/google_containers/metrics-server-amd64"
+metrics_server_image_repo: "{{ kube_image_repo }}/metrics-server-{{ image_arch }}"
 metrics_server_image_tag: "{{ metrics_server_version }}"
 local_volume_provisioner_image_repo: "{{ quay_image_repo }}/external_storage/local-volume-provisioner"
 local_volume_provisioner_image_tag: "v2.3.2"
@@ -714,7 +920,7 @@ downloads:
       - k8s-cluster
 
   install_socat:
-    enabled: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] }}"
+    enabled: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk'] }}"
     container: true
     repo: "{{ install_socat_image_repo }}"
     tag: "{{ install_socat_image_tag }}"

roles/download/tasks/download_container.yml

@@ -50,7 +50,7 @@
         - download_force_cache
         - image_is_cached
         - not download_localhost
-        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
     - name: download_container | Load image into docker
       shell: "{{ docker_bin_dir }}/docker load < {{ image_path_cached if download_localhost else image_path_final }}"
@@ -62,7 +62,7 @@
       when:
         - download_force_cache
         - image_is_cached
-        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
     - name: download_container | Prepare container download
       include_tasks: check_pull_required.yml
@@ -109,7 +109,7 @@
       when:
         - download_force_cache
         - not image_is_cached or (image_changed | default(true))
-        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
     - name: download_container | Copy image to ansible host cache
       synchronize:
@@ -123,7 +123,7 @@
         - not download_localhost
         - download_delegate == inventory_hostname
         - not image_is_cached or (image_changed | default(true))
-        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
     - name: download_container | Remove container image from cache
       file:
@@ -131,7 +131,7 @@
         path: "{{ image_path_final }}"
       when:
         - not download_keep_remote_cache
-        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+        - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   tags:
     - download

roles/download/tasks/download_file.yml

@@ -67,7 +67,7 @@
     when:
     - download_force_cache
     - file_is_cached
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: download_file | Set mode and owner
     file:
@@ -78,7 +78,7 @@
     when:
     - download_force_cache
     - file_is_cached
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   # This must always be called, to check if the checksum matches. On no-match the file is re-downloaded.
   - name: download_file | Download item
@@ -116,7 +116,7 @@
     - not file_is_cached or get_url_result.changed
     - download_delegate == inventory_hostname
     - not (download_run_once and download_delegate == 'localhost')
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   tags:
   - download

roles/download/tasks/prep_download.yml

@@ -27,7 +27,7 @@
     mode: 0755
     owner: "{{ ansible_ssh_user | default(ansible_user_id) }}"
   when:
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: prep_download | Create local cache for files and images
   file:

roles/download/tasks/sync_container.yml

@@ -18,12 +18,12 @@
     retries: 4
     delay: "{{ retry_stagger | random + 3 }}"
     when:
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: sync_container | Load container image into docker
     shell: "{{ docker_bin_dir }}/docker load < {{ image_path_final }}"
     when:
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: sync_container | Remove container image from cache
     file:
@@ -31,7 +31,7 @@
       path: "{{ image_path_final }}"
     when:
     - not download_keep_remote_cache
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   tags:
   - upload

roles/download/tasks/sync_file.yml

@@ -30,7 +30,7 @@
     retries: 4
     delay: "{{ retry_stagger | random + 3 }}"
     when:
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: sync_file | Set mode and owner
     file:

roles/etcd/meta/main.yml

@@ -2,7 +2,7 @@
 dependencies:
   - role: adduser
     user: "{{ addusers.etcd }}"
-    when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "ClearLinux"] or is_atomic)
+    when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_atomic)
   - role: adduser
     user: "{{ addusers.kube }}"
-    when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "ClearLinux"] or is_atomic)
+    when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_atomic)

roles/etcd/tasks/check_certs.yml

@@ -33,10 +33,29 @@
        ['{{ etcd_cert_dir }}/ca.pem',
        {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %}
        {% for host in all_etcd_hosts %}
-       '{{ etcd_cert_dir }}/node-{{ host }}-key.pem'
+         '{{ etcd_cert_dir }}/node-{{ host }}-key.pem',
-       {% if not loop.last %}{{','}}{% endif %}
+         '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem',
+         '{{ etcd_cert_dir }}/member-{{ host }}-key.pem'
+         {% if not loop.last %}{{','}}{% endif %}
        {% endfor %}]
 
+- name: "Check_certs | Set 'gen_master_certs' to true"
+  set_fact:
+    gen_master_certs: |-
+      {
+      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort -%}
+      {% set existing_certs = etcdcert_master.files|map(attribute='path')|list|sort %}
+      {% for host in all_etcd_hosts -%}
+        {% set host_cert = "%s/member-%s-key.pem"|format(etcd_cert_dir, host) %}
+        {% if host_cert in existing_certs -%}
+        "{{ host }}": False,
+        {% else -%}
+        "{{ host }}": True,
+        {% endif -%}
+      {% endfor %}
+      }
+  run_once: true
+
 - name: "Check_certs | Set 'gen_node_certs' to true"
   set_fact:
     gen_node_certs: |-
@@ -59,6 +78,7 @@
     sync_certs: true
   when:
     - gen_node_certs[inventory_hostname] or
+      gen_master_certs[inventory_hostname] or
       (not etcdcert_node.results[0].stat.exists|default(false)) or
       (not etcdcert_node.results[1].stat.exists|default(false)) or
       (etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|map(attribute="checksum")|first|default(''))

roles/etcd/tasks/configure.yml

@@ -2,9 +2,10 @@
 - name: Configure | Check if etcd cluster is healthy
   shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
   register: etcd_cluster_is_healthy
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   check_mode: no
+  run_once: yes
   when: is_etcd_master and etcd_cluster_setup
   tags:
     - facts
@@ -16,9 +17,10 @@
 - name: Configure | Check if etcd-events cluster is healthy
   shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_events_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
   register: etcd_events_cluster_is_healthy
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   check_mode: no
+  run_once: yes
   when: is_etcd_master and etcd_events_cluster_setup
   tags:
     - facts
@@ -49,22 +51,26 @@
     daemon_reload: true
   when: is_etcd_master
 
+# when scaling new etcd will fail to start
 - name: Configure | Ensure etcd is running
   service:
     name: etcd
     state: started
     enabled: yes
+  ignore_errors: "{{ etcd_cluster_is_healthy.rc == 0 }}"
   when: is_etcd_master and etcd_cluster_setup
 
+# when scaling new etcd will fail to start
 - name: Configure | Ensure etcd-events is running
   service:
     name: etcd-events
     state: started
     enabled: yes
+  ignore_errors: "{{ etcd_events_cluster_is_healthy.rc == 0 }}"
   when: is_etcd_master and etcd_events_cluster_setup
 
-- name: Configure | Check if etcd cluster is healthy
+- name: Configure | Wait for etcd cluster to be healthy
-  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_client_url }} cluster-health | grep -q 'cluster is healthy'"
+  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
   register: etcd_cluster_is_healthy
   until: etcd_cluster_is_healthy.rc == 0
   retries: 4
@@ -72,7 +78,6 @@
   ignore_errors: false
   changed_when: false
   check_mode: no
-  delegate_to: "{{ groups['etcd'][0] }}"
   run_once: yes
   when:
     - is_etcd_master
@@ -84,8 +89,8 @@
     ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
     ETCDCTL_CA_FILE: "{{ etcd_cert_dir }}/ca.pem"
 
-- name: Configure | Check if etcd-events cluster is healthy
+- name: Configure | Wait for etcd-events cluster to be healthy
-  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_events_client_url }} cluster-health | grep -q 'cluster is healthy'"
+  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_events_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
   register: etcd_events_cluster_is_healthy
   until: etcd_events_cluster_is_healthy.rc == 0
   retries: 4
@@ -93,12 +98,10 @@
   ignore_errors: false
   changed_when: false
   check_mode: no
-  delegate_to: "{{ groups['etcd'][0] }}"
   run_once: yes
   when:
     - is_etcd_master
     - etcd_events_cluster_setup
-    - etcd_cluster_setup
   tags:
     - facts
   environment:
@@ -136,14 +139,10 @@
 
 - name: Configure | Join member(s) to etcd cluster one at a time
   include_tasks: join_etcd_member.yml
-  vars:
-    target_node: "{{ item }}"
   with_items: "{{ groups['etcd'] }}"
   when: inventory_hostname == item and etcd_cluster_setup and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
 
 - name: Configure | Join member(s) to etcd-events cluster one at a time
   include_tasks: join_etcd-events_member.yml
-  vars:
-    target_node: "{{ item }}"
   with_items: "{{ groups['etcd'] }}"
   when: inventory_hostname == item and etcd_events_cluster_setup and etcd_events_member_in_cluster.rc != 0 and etcd_events_cluster_is_healthy.rc == 0

roles/etcd/tasks/gen_certs_script.yml

@@ -55,7 +55,7 @@
   command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
   environment:
     - MASTERS: "{% for m in groups['etcd'] %}
-                  {% if gen_node_certs[m] %}
+                  {% if gen_master_certs[m] %}
                     {{ m }}
                   {% endif %}
                 {% endfor %}"

roles/etcd/tasks/join_etcd-events_member.yml

@@ -5,7 +5,6 @@
   until: member_add_result.rc == 0
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  when: target_node == inventory_hostname
   environment:
     ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
     ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
@@ -21,7 +20,6 @@
           {{ etcd_member_name }}={{ etcd_events_peer_url }}
         {%- endif -%}
       {%- endfor -%}
-  when: target_node == inventory_hostname
 
 - name: Join Member | Ensure member is in etcd-events cluster
   shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_events_access_addresses }} member list | grep -q {{ etcd_events_access_address }}"
@@ -30,7 +28,12 @@
   check_mode: no
   tags:
     - facts
-  when: target_node == inventory_hostname
   environment:
     ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
     ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
+
+- name: Configure | Ensure etcd-events is running
+  service:
+    name: etcd-events
+    state: started
+    enabled: yes

roles/etcd/tasks/join_etcd_member.yml

@@ -5,7 +5,6 @@
   until: member_add_result.rc == 0
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  when: target_node == inventory_hostname
   environment:
     ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
     ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
@@ -22,7 +21,6 @@
           {{ etcd_member_name }}={{ etcd_peer_url }}
         {%- endif -%}
       {%- endfor -%}
-  when: target_node == inventory_hostname
 
 - name: Join Member | Ensure member is in etcd cluster
   shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_access_addresses }} member list | grep -q {{ etcd_access_address }}"
@@ -31,8 +29,13 @@
   check_mode: no
   tags:
     - facts
-  when: target_node == inventory_hostname
   environment:
     ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
     ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
     ETCDCTL_CA_FILE: "{{ etcd_cert_dir }}/ca.pem"
+
+- name: Configure | Ensure etcd is running
+  service:
+    name: etcd
+    state: started
+    enabled: yes

roles/etcd/tasks/upd_ca_trust.yml

@@ -6,7 +6,7 @@
       /usr/local/share/ca-certificates/etcd-ca.crt
       {%- elif ansible_os_family == "RedHat" -%}
       /etc/pki/ca-trust/source/anchors/etcd-ca.crt
-      {%- elif ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"] -%}
+      {%- elif ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] -%}
       /etc/ssl/certs/etcd-ca.pem
       {%- elif ansible_os_family == "Suse" -%}
       /etc/pki/trust/anchors/etcd-ca.pem
@@ -25,7 +25,7 @@
 
 - name: Gen_certs | update ca-certificates (Debian/Ubuntu/SUSE/Container Linux by CoreOS)
   command: update-ca-certificates
-  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS", "Suse"]
+  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "Suse"]
 
 - name: Gen_certs | update ca-certificates (RedHat)
   command: update-ca-trust extract

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/README.md

@@ -118,7 +118,7 @@ delete the daemonset pod on the relevant host after creating volumes. The pod
 will be recreated and read the size correctly.
 
 Make sure to make any mounts persist via /etc/fstab or with systemd mounts (for
-CoreOS/Container Linux). Pods with persistent volume claims will not be
+CoreOS/Container Linux and Flatcar). Pods with persistent volume claims will not be
 able to start if the mounts become unavailable.
 
 Further reading

roles/kubernetes-apps/helm/tasks/install_host.yml

@@ -35,8 +35,8 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
 
-- name: Helm | Copy socat wrapper for Container Linux
+- name: Helm | Copy socat wrapper for Container Linux and Flatcat
   command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}"
   args:
     creates: "{{ bin_dir }}/socat"
-  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk']

roles/kubernetes-apps/helm/tasks/main.yml

@@ -113,4 +113,4 @@
   shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh"
   when:
     - ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed))
-    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]

roles/kubernetes/kubeadm/tasks/main.yml

@@ -111,8 +111,8 @@
     | sed 's#server:.*#server: https://127.0.0.1:{{ kube_apiserver_port }}#g'
     | {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf replace -f -
   run_once: true
+  delegate_to: "{{ groups['kube-master']|first }}"
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_config_api_fqdn is not defined
     - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
     - not kube_proxy_remove
@@ -129,8 +129,8 @@
 - name: Restart all kube-proxy pods to ensure that they load the new configmap
   shell: "{{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf delete pod -n kube-system -l k8s-app=kube-proxy --force --grace-period=0"
   run_once: true
+  delegate_to: "{{ groups['kube-master']|first }}"
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_config_api_fqdn is not defined
     - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
     - not kube_proxy_remove
@@ -153,8 +153,8 @@
 - name: Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services
   shell: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf delete daemonset -n kube-system kube-proxy"
   run_once: true
+  delegate_to: "{{ groups['kube-master']|first }}"
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kube_proxy_remove
     - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
   # When scaling/adding nodes in the existing k8s cluster, kube-proxy wouldn't be created, as `kubeadm init` wouldn't run.

roles/kubernetes/master/handlers/main.yml

@@ -93,7 +93,8 @@
 
 - name: Master | wait for kube-scheduler
   uri:
-    url: http://localhost:10251/healthz
+    url: https://localhost:10259/healthz
+    validate_certs: no
   register: scheduler_result
   until: scheduler_result.status == 200
   retries: 60
@@ -101,7 +102,8 @@
 
 - name: Master | wait for kube-controller-manager
   uri:
-    url: http://localhost:10252/healthz
+    url: https://localhost:10257/healthz
+    validate_certs: no
   register: controller_manager_result
   until: controller_manager_result.status == 200
   retries: 60
@@ -111,8 +113,6 @@
   uri:
     url: "{{ kube_apiserver_endpoint }}/healthz"
     validate_certs: no
-    client_cert: "{{ kube_apiserver_client_cert }}"
-    client_key: "{{ kube_apiserver_client_key }}"
   register: result
   until: result.status == 200
   retries: 60

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -103,6 +103,37 @@
     - not upgrade_cluster_setup
     - kubeadm_already_run.stat.exists
 
+- name: kubeadm | Check if apiserver.crt contains all needed SANs
+  command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip "{{ item }}"
+  with_items: "{{ apiserver_sans }}"
+  register: apiserver_sans_check
+  changed_when: "'does match certificate' not in apiserver_sans_check.stdout"
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_already_run.stat.exists
+
+- name: kubeadm | regenerate apiserver cert 1/2
+  file:
+    state: absent
+    path: "{{ kube_cert_dir }}/{{ item }}"
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_already_run.stat.exists
+    - apiserver_sans_check.changed
+
+- name: kubeadm | regenerate apiserver cert 2/2
+  command: >-
+    {{ bin_dir }}/kubeadm
+    init phase certs apiserver
+    --config={{ kube_config_dir }}/kubeadm-config.yaml
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_already_run.stat.exists
+    - apiserver_sans_check.changed
+
 - name: kubeadm | Initialize first master
   command: >-
     timeout -k 300s 300s

roles/kubernetes/master/tasks/kubeadm-upgrade.yml

@@ -1,4 +1,15 @@
 ---
+- name: "kubeadm | Wait for master kube-apiserver"
+  uri:
+    url: "https://{{ kube_apiserver_access_address }}:{{ kube_apiserver_port }}/version"
+    status_code: 200
+    validate_certs: false
+  register: kube_api_server_available
+  until: kube_api_server_available.status == 200
+  retries: 180
+  delay: 1
+  when: inventory_hostname == groups['kube-master']
+
 - name: kubeadm | Upgrade first master
   command: >-
     timeout -k 600s 600s

roles/kubernetes/node/tasks/install.yml

@@ -50,4 +50,4 @@
   command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}"
   args:
     creates: "{{ bin_dir }}/socat"
-  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk']

roles/kubernetes/node/tasks/main.yml

@@ -189,7 +189,7 @@
 
 - name: Test if openstack_cacert is a base64 string
   set_fact:
-    openstack_cacert_is_base64: "{% if openstack_cacert | b64decode %}true{% else %}false{% endif %}"
+    openstack_cacert_is_base64: "{% if openstack_cacert | search ('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$') %}true{% else %}false{% endif %}"
   when:
     - cloud_provider is defined
     - cloud_provider == 'openstack'

roles/kubernetes/preinstall/defaults/main.yml

@@ -15,6 +15,7 @@ common_required_pkgs:
   - unzip
   - e2fsprogs
   - xfsprogs
+  - conntrack
 
 # Set to true if your network does not support IPv6
 # This maybe necessary for pulling Docker images from
@@ -54,3 +55,5 @@ etc_hosts_localhost_entries:
 # Minimal memory requirement in MB for safety checks
 minimal_node_memory_mb: 1024
 minimal_master_memory_mb: 1500
+
+yum_repo_dir: /etc/yum.repos.d

roles/kubernetes/preinstall/handlers/main.yml

@@ -9,18 +9,18 @@
     - Preinstall | restart kube-controller-manager crio/containerd
     - Preinstall | restart kube-apiserver docker
     - Preinstall | restart kube-apiserver crio/containerd
-  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
-- name: Preinstall | update resolvconf for Container Linux by CoreOS
+- name: Preinstall | update resolvconf for Container Linux by CoreOS and Flatcar
   command: /bin/true
   notify:
     - Preinstall | apply resolvconf cloud-init
     - Preinstall | reload kubelet
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Preinstall | apply resolvconf cloud-init
   command: /usr/bin/coreos-cloudinit --from-file {{ resolveconf_cloud_init_conf }}
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Preinstall | reload kubelet
   service:

roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

@@ -16,7 +16,7 @@
 
 - name: Stop if unknown OS
   assert:
-    that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Coreos', 'Container Linux by CoreOS', 'Suse', 'ClearLinux', 'OracleLinux']
+    that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Coreos', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk', 'Suse', 'ClearLinux', 'OracleLinux']
     msg: "{{ ansible_os_family }} is not a known OS"
   ignore_errors: "{{ ignore_assert_errors }}"
 

roles/kubernetes/preinstall/tasks/0040-set_facts.yml

@@ -15,10 +15,10 @@
        {{ ansible_architecture }}
       {% endif %}
 
-- name: Force binaries directory for Container Linux by CoreOS
+- name: Force binaries directory for Container Linux by CoreOS and Flatcar
   set_fact:
     bin_dir: "/opt/bin"
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - facts
 
@@ -85,12 +85,12 @@
       {%- if resolvconf|bool -%}/etc/resolvconf/resolv.conf.d/base{%- endif -%}
     head: >-
       {%- if resolvconf|bool -%}/etc/resolvconf/resolv.conf.d/head{%- endif -%}
-  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: target temporary resolvconf cloud init file (Container Linux by CoreOS)
   set_fact:
     resolvconffile: /tmp/resolveconf_cloud_init_conf
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: check if /etc/dhclient.conf exists
   stat:

roles/kubernetes/preinstall/tasks/0060-resolvconf.yml

@@ -1,7 +1,7 @@
 ---
 - name: create temporary resolveconf cloud init file
   command: cp -f /etc/resolv.conf "{{ resolvconffile }}"
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Add domain/search/nameservers/options to resolv.conf
   blockinfile:
@@ -47,7 +47,7 @@
 - name: get temporary resolveconf cloud init file content
   command: cat {{ resolvconffile }}
   register: cloud_config
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: persist resolvconf cloud init file
   template:
@@ -56,4 +56,4 @@
     owner: root
     mode: 0644
   notify: Preinstall | update resolvconf for Container Linux by CoreOS
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]

roles/kubernetes/preinstall/tasks/0070-system-packages.yml

@@ -17,6 +17,14 @@
   tags:
     - bootstrap-os
 
+- name: Remove legacy docker repo file
+  file:
+    path: "{{ yum_repo_dir }}/docker.repo"
+    state: absent
+  when:
+    - ansible_distribution in ["CentOS","RedHat","OracleLinux"]
+    - not is_atomic
+
 - name: Install python-dnf for latest RedHat versions
   command: dnf install -y python-dnf yum
   register: dnf_task_result
@@ -71,7 +79,7 @@
   until: pkgs_task_result is succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "ClearLinux"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_atomic)
   tags:
     - bootstrap-os
 

roles/kubernetes/preinstall/tasks/0080-system-configurations.yml

@@ -28,7 +28,7 @@
     backup: yes
   when:
     - disable_ipv6_dns
-    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - bootstrap-os
 

roles/kubernetes/preinstall/tasks/0090-etchosts.yml

@@ -59,3 +59,8 @@
     backup: yes
     unsafe_writes: yes
   with_dict: "{{ etc_hosts_localhosts_dict_target }}"
+
+# gather facts to update ansible_fqdn
+- name: Update facts
+  setup:
+    gather_subset: min

roles/kubernetes/preinstall/tasks/main.yml

@@ -69,7 +69,7 @@
   when:
     - dns_mode != 'none'
     - resolvconf_mode == 'host_resolvconf'
-    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - bootstrap-os
     - resolvconf
@@ -78,7 +78,7 @@
   when:
     - dns_mode != 'none'
     - resolvconf_mode != 'host_resolvconf'
-    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - bootstrap-os
     - resolvconf

roles/kubespray-defaults/defaults/main.yaml

@@ -12,7 +12,7 @@ is_atomic: false
 disable_swap: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.16.3
+kube_version: v1.16.15
 
 ## The minimum version working
 kube_version_min_required: v1.15.0
@@ -416,7 +416,7 @@ no_proxy: >-
   {%- if additional_no_proxy is defined -%}
   {{ additional_no_proxy }},
   {%- endif -%}
-  127.0.0.1,localhost
+  127.0.0.1,localhost,{{kube_service_addresses}},{{kube_pods_subnet}}
   {%- endif %}
 
 proxy_env:
@@ -429,7 +429,7 @@ proxy_env:
 
 ssl_ca_dirs: >-
   [
-  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk'] -%}
   '/usr/share/ca-certificates',
   {% elif ansible_os_family == 'RedHat' -%}
   '/etc/pki/tls',

roles/network_plugin/macvlan/handlers/main.yml

@@ -3,7 +3,7 @@
   command: /bin/true
   notify:
     - Macvlan | reload network
-  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Macvlan | reload network
   service:
@@ -16,4 +16,4 @@
       networking
       {%- endif %}
     state: restarted
-  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"] and kube_network_plugin not in ['canal', 'calico']
+  when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] and kube_network_plugin not in ['canal', 'calico']

roles/network_plugin/macvlan/tasks/main.yml

@@ -75,14 +75,14 @@
   template:
     src: coreos-service-nat_ouside.j2
     dest: /etc/systemd/system/enable_nat_ouside.service
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"] and enable_nat_default_gateway
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] and enable_nat_default_gateway
 
 - name: Macvlan | Enable service nat via gateway on coreos
   command: "{{ item }}"
   with_items:
     - systemctl daemon-reload
     - systemctl enable enable_nat_ouside.service
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"] and enable_nat_default_gateway
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] and enable_nat_default_gateway
 
 - name: Macvlan | Install network gateway interface on coreos
   template:
@@ -93,7 +93,7 @@
     - {src: coreos-interface-macvlan.cfg, dst: output.network }
     - {src: coreos-network-macvlan.cfg, dst: macvlan.network }
   notify: Macvlan | restart network
-  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Macvlan | Install cni definition for Macvlan
   template:

roles/reset/tasks/main.yml

@@ -302,7 +302,7 @@
       {%- endif %}
     state: restarted
   when:
-    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    - ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
     - reset_restart_network
   tags:
     - services

tests/scripts/rebase.sh

@@ -5,5 +5,5 @@ set -euxo pipefail
 if [[ $CI_COMMIT_REF_NAME == pr-* ]]; then
   git config user.email "ci@kubespray.io"
   git config user.name "CI"
-  git pull --rebase origin master
+  git pull --rebase origin release-2.12
 fi

tests/scripts/testcases_run.sh

@@ -49,16 +49,16 @@ fi
 
 # Tests Cases
 ## Test Master API
-ansible-playbook -e ansible_python_interpreter=${PYPATH} --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL
+ansible-playbook -e ansible_python_interpreter=${PYPATH} -e @${CI_TEST_VARS} --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL
 
 ## Test that all pods are Running
-ansible-playbook -e ansible_python_interpreter=${PYPATH} --limit "all:!fake_hosts" tests/testcases/015_check-pods-running.yml $LOG_LEVEL
+ansible-playbook -e ansible_python_interpreter=${PYPATH} -e @${CI_TEST_VARS} --limit "all:!fake_hosts" tests/testcases/015_check-pods-running.yml $LOG_LEVEL
 
 ## Test pod creation and ping between them
-ansible-playbook -e ansible_python_interpreter=${PYPATH} --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL
+ansible-playbook -e ansible_python_interpreter=${PYPATH} -e @${CI_TEST_VARS} --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL
 
 ## Advanced DNS checks
-ansible-playbook -e ansible_python_interpreter=${PYPATH} --limit "all:!fake_hosts" tests/testcases/040_check-network-adv.yml $LOG_LEVEL
+ansible-playbook -e ansible_python_interpreter=${PYPATH} -e @${CI_TEST_VARS} --limit "all:!fake_hosts" tests/testcases/040_check-network-adv.yml $LOG_LEVEL
 
 ## Kubernetes conformance tests
 ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -e @${CI_TEST_VARS} --limit "all:!fake_hosts" tests/testcases/100_check-k8s-conformance.yml $LOG_LEVEL

tests/testcases/015_check-pods-running.yml

@@ -2,15 +2,15 @@
 - hosts: kube-master[0]
   tasks:
 
-  - name: Force binaries directory for Container Linux by CoreOS
+  - name: Force binaries directory for Container Linux by CoreOS and Flatcar
     set_fact:
       bin_dir: "/opt/bin"
-    when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: Force binaries directory for other hosts
     set_fact:
       bin_dir: "/usr/local/bin"
-    when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: Check kubectl output
     shell: "{{ bin_dir }}/kubectl get pods --all-namespaces -owide"

tests/testcases/030_check-network.yml

@@ -5,15 +5,15 @@
     test_image_tag: latest
 
   tasks:
-  - name: Force binaries directory for Container Linux by CoreOS
+  - name: Force binaries directory for Container Linux by CoreOS and Flatcar
     set_fact:
       bin_dir: "/opt/bin"
-    when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: Force binaries directory for other hosts
     set_fact:
       bin_dir: "/usr/local/bin"
-    when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+    when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
   - name: Create test namespace
     shell: "{{ bin_dir }}/kubectl create namespace test"

tests/testcases/040_check-network-adv.yml

@@ -14,15 +14,21 @@
     netchecker_port: 31081
 
   tasks:
-    - name: Force binaries directory for Container Linux by CoreOS
+    - name: Flannel | Disable tx and rx offloading on VXLAN interfaces (see https://github.com/coreos/flannel/pull/1282)
+      shell: "ethtool --offload flannel.1 rx off tx off"
+      ignore_errors: true
+      when:
+        - kube_network_plugin|default('calico') == 'flannel'
+
+    - name: Force binaries directory for Container Linux by CoreOS and Flatcar
       set_fact:
         bin_dir: "/opt/bin"
-      when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+      when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
     - name: Force binaries directory on other hosts
       set_fact:
         bin_dir: "/usr/local/bin"
-      when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS"]
+      when: not ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
 
     - name: Wait for netchecker server
       shell: "{{ bin_dir }}/kubectl get pods -o wide --namespace {{ netcheck_namespace }} | grep ^netchecker-server"