mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-02-23 05:56:02 -03:30
Merge branch 'master' into master
This commit is contained in:
bobahspb
GitHub
@@ -91,7 +91,7 @@
|
||||
- name: Start Resources
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{system_namespace}}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
|
||||
@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: dnsmasq
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: dnsmasq
|
||||
namespace: "{{ system_namespace}}"
|
||||
namespace: "kube-system"
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: dnsmasq
|
||||
namespace: "{{system_namespace}}"
|
||||
namespace: "kube-system"
|
||||
labels:
|
||||
k8s-app: dnsmasq
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -3,6 +3,6 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: dnsmasq
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -6,7 +6,7 @@ metadata:
|
||||
kubernetes.io/cluster-service: 'true'
|
||||
k8s-app: dnsmasq
|
||||
name: dnsmasq
|
||||
namespace: {{system_namespace}}
|
||||
namespace: kube-system
|
||||
spec:
|
||||
ports:
|
||||
- port: 53
|
||||
|
||||
@@ -21,6 +21,10 @@ docker_dns_servers_strict: yes
|
||||
|
||||
docker_container_storage_setup: false
|
||||
|
||||
# Used to override obsoletes=0
|
||||
yum_conf: /etc/yum.conf
|
||||
docker_yum_conf: /etc/yum_docker.conf
|
||||
|
||||
# CentOS/RedHat docker-ce repo
|
||||
docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/7/$basearch/stable'
|
||||
docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
||||
|
||||
@@ -30,6 +30,8 @@
|
||||
tags:
|
||||
- facts
|
||||
|
||||
- import_tasks: pre-upgrade.yml
|
||||
|
||||
- name: ensure docker-ce repository public key is installed
|
||||
action: "{{ docker_repo_key_info.pkg_key }}"
|
||||
args:
|
||||
@@ -78,11 +80,27 @@
|
||||
dest: "/etc/yum.repos.d/docker.repo"
|
||||
when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
|
||||
|
||||
- name: Copy yum.conf for editing
|
||||
copy:
|
||||
src: "{{ yum_conf }}"
|
||||
dest: "{{ docker_yum_conf }}"
|
||||
remote_src: yes
|
||||
when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
|
||||
|
||||
- name: Edit copy of yum.conf to set obsoletes=0
|
||||
lineinfile:
|
||||
path: "{{ docker_yum_conf }}"
|
||||
state: present
|
||||
regexp: '^obsoletes='
|
||||
line: 'obsoletes=0'
|
||||
when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
|
||||
|
||||
- name: ensure docker packages are installed
|
||||
action: "{{ docker_package_info.pkg_mgr }}"
|
||||
args:
|
||||
pkg: "{{item.name}}"
|
||||
force: "{{item.force|default(omit)}}"
|
||||
conf_file: "{{item.yum_conf|default(omit)}}"
|
||||
state: present
|
||||
register: docker_task_result
|
||||
until: docker_task_result|succeeded
|
||||
|
||||
20
roles/docker/tasks/pre-upgrade.yml
Normal file
20
roles/docker/tasks/pre-upgrade.yml
Normal file
@@ -0,0 +1,20 @@
|
||||
---
|
||||
- name: Ensure old versions of Docker are not installed. | Debian
|
||||
package:
|
||||
name: '{{ item }}'
|
||||
state: absent
|
||||
with_items:
|
||||
- docker
|
||||
- docker-engine
|
||||
when: ansible_os_family == 'Debian' and (docker_versioned_pkg[docker_version | string] | search('docker-ce'))
|
||||
|
||||
- name: Ensure old versions of Docker are not installed. | RedHat
|
||||
package:
|
||||
name: '{{ item }}'
|
||||
state: absent
|
||||
with_items:
|
||||
- docker
|
||||
- docker-common
|
||||
- docker-engine
|
||||
- docker-selinux
|
||||
when: ansible_os_family == 'RedHat' and (docker_versioned_pkg[docker_version | string] | search('docker-ce'))
|
||||
@@ -28,7 +28,9 @@ docker_package_info:
|
||||
pkg_mgr: yum
|
||||
pkgs:
|
||||
- name: "{{ docker_selinux_versioned_pkg[docker_selinux_version | string] }}"
|
||||
yum_conf: "{{ docker_yum_conf }}"
|
||||
- name: "{{ docker_versioned_pkg[docker_version | string] }}"
|
||||
yum_conf: "{{ docker_yum_conf }}"
|
||||
|
||||
docker_repo_key_info:
|
||||
pkg_key: ''
|
||||
|
||||
@@ -70,8 +70,8 @@ calico_policy_image_repo: "quay.io/calico/kube-controllers"
|
||||
calico_policy_image_tag: "{{ calico_policy_version }}"
|
||||
calico_rr_image_repo: "quay.io/calico/routereflector"
|
||||
calico_rr_image_tag: "{{ calico_rr_version }}"
|
||||
hyperkube_image_repo: "quay.io/coreos/hyperkube"
|
||||
hyperkube_image_tag: "{{ kube_version }}_coreos.0"
|
||||
hyperkube_image_repo: "gcr.io/google-containers/hyperkube"
|
||||
hyperkube_image_tag: "{{ kube_version }}"
|
||||
pod_infra_image_repo: "gcr.io/google_containers/pause-amd64"
|
||||
pod_infra_image_tag: "{{ pod_infra_version }}"
|
||||
install_socat_image_repo: "xueshanf/install-socat"
|
||||
@@ -124,7 +124,6 @@ fluentd_image_tag: "{{ fluentd_version }}"
|
||||
kibana_version: "v4.6.1"
|
||||
kibana_image_repo: "gcr.io/google_containers/kibana"
|
||||
kibana_image_tag: "{{ kibana_version }}"
|
||||
|
||||
helm_version: "v2.8.1"
|
||||
helm_image_repo: "lachlanevenson/k8s-helm"
|
||||
helm_image_tag: "{{ helm_version }}"
|
||||
@@ -132,6 +131,11 @@ tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
|
||||
tiller_image_tag: "{{ helm_version }}"
|
||||
vault_image_repo: "vault"
|
||||
vault_image_tag: "{{ vault_version }}"
|
||||
cert_manager_version: "v0.2.3"
|
||||
cert_manager_controller_image_repo: "quay.io/jetstack/cert-manager-controller"
|
||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||
cert_manager_ingress_shim_image_repo: "quay.io/jetstack/cert-manager-ingress-shim"
|
||||
cert_manager_ingress_shim_image_tag: "{{ cert_manager_version }}"
|
||||
|
||||
downloads:
|
||||
netcheck_server:
|
||||
@@ -140,18 +144,24 @@ downloads:
|
||||
repo: "{{ netcheck_server_img_repo }}"
|
||||
tag: "{{ netcheck_server_tag }}"
|
||||
sha256: "{{ netcheck_server_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
netcheck_agent:
|
||||
enabled: "{{ deploy_netchecker }}"
|
||||
container: true
|
||||
repo: "{{ netcheck_agent_img_repo }}"
|
||||
tag: "{{ netcheck_agent_tag }}"
|
||||
sha256: "{{ netcheck_agent_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
etcd:
|
||||
enabled: true
|
||||
container: true
|
||||
repo: "{{ etcd_image_repo }}"
|
||||
tag: "{{ etcd_image_tag }}"
|
||||
sha256: "{{ etcd_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- etcd
|
||||
kubeadm:
|
||||
enabled: "{{ kubeadm_enabled }}"
|
||||
file: true
|
||||
@@ -163,6 +173,8 @@ downloads:
|
||||
unarchive: false
|
||||
owner: "root"
|
||||
mode: "0755"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
istioctl:
|
||||
enabled: "{{ istio_enabled }}"
|
||||
file: true
|
||||
@@ -174,140 +186,186 @@ downloads:
|
||||
unarchive: false
|
||||
owner: "root"
|
||||
mode: "0755"
|
||||
groups:
|
||||
- kube-master
|
||||
hyperkube:
|
||||
enabled: true
|
||||
container: true
|
||||
repo: "{{ hyperkube_image_repo }}"
|
||||
tag: "{{ hyperkube_image_tag }}"
|
||||
sha256: "{{ hyperkube_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
cilium:
|
||||
enabled: "{{ kube_network_plugin == 'cilium' }}"
|
||||
container: true
|
||||
repo: "{{ cilium_image_repo }}"
|
||||
tag: "{{ cilium_image_tag }}"
|
||||
sha256: "{{ cilium_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
flannel:
|
||||
enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
|
||||
container: true
|
||||
repo: "{{ flannel_image_repo }}"
|
||||
tag: "{{ flannel_image_tag }}"
|
||||
sha256: "{{ flannel_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
flannel_cni:
|
||||
enabled: "{{ kube_network_plugin == 'flannel' }}"
|
||||
container: true
|
||||
repo: "{{ flannel_cni_image_repo }}"
|
||||
tag: "{{ flannel_cni_image_tag }}"
|
||||
sha256: "{{ flannel_cni_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
calicoctl:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
container: true
|
||||
repo: "{{ calicoctl_image_repo }}"
|
||||
tag: "{{ calicoctl_image_tag }}"
|
||||
sha256: "{{ calicoctl_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
calico_node:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
container: true
|
||||
repo: "{{ calico_node_image_repo }}"
|
||||
tag: "{{ calico_node_image_tag }}"
|
||||
sha256: "{{ calico_node_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
calico_cni:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
container: true
|
||||
repo: "{{ calico_cni_image_repo }}"
|
||||
tag: "{{ calico_cni_image_tag }}"
|
||||
sha256: "{{ calico_cni_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
calico_policy:
|
||||
enabled: "{{ enable_network_policy or kube_network_plugin == 'canal' }}"
|
||||
container: true
|
||||
repo: "{{ calico_policy_image_repo }}"
|
||||
tag: "{{ calico_policy_image_tag }}"
|
||||
sha256: "{{ calico_policy_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
calico_rr:
|
||||
enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr and kube_network_plugin == 'calico' }}"
|
||||
container: true
|
||||
repo: "{{ calico_rr_image_repo }}"
|
||||
tag: "{{ calico_rr_image_tag }}"
|
||||
sha256: "{{ calico_rr_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- calico-rr
|
||||
weave_kube:
|
||||
enabled: "{{ kube_network_plugin == 'weave' }}"
|
||||
container: true
|
||||
repo: "{{ weave_kube_image_repo }}"
|
||||
tag: "{{ weave_kube_image_tag }}"
|
||||
sha256: "{{ weave_kube_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
weave_npc:
|
||||
enabled: "{{ kube_network_plugin == 'weave' }}"
|
||||
container: true
|
||||
repo: "{{ weave_npc_image_repo }}"
|
||||
tag: "{{ weave_npc_image_tag }}"
|
||||
sha256: "{{ weave_npc_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
contiv:
|
||||
enabled: "{{ kube_network_plugin == 'contiv' }}"
|
||||
container: true
|
||||
repo: "{{ contiv_image_repo }}"
|
||||
tag: "{{ contiv_image_tag }}"
|
||||
sha256: "{{ contiv_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
contiv_auth_proxy:
|
||||
enabled: "{{ kube_network_plugin == 'contiv' }}"
|
||||
container: true
|
||||
repo: "{{ contiv_auth_proxy_image_repo }}"
|
||||
tag: "{{ contiv_auth_proxy_image_tag }}"
|
||||
sha256: "{{ contiv_auth_proxy_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
pod_infra:
|
||||
enabled: true
|
||||
container: true
|
||||
repo: "{{ pod_infra_image_repo }}"
|
||||
tag: "{{ pod_infra_image_tag }}"
|
||||
sha256: "{{ pod_infra_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
install_socat:
|
||||
enabled: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] }}"
|
||||
container: true
|
||||
repo: "{{ install_socat_image_repo }}"
|
||||
tag: "{{ install_socat_image_tag }}"
|
||||
sha256: "{{ install_socat_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- k8s-cluster
|
||||
nginx:
|
||||
enabled: true
|
||||
enabled: "{{ loadbalancer_apiserver_localhost }}"
|
||||
container: true
|
||||
repo: "{{ nginx_image_repo }}"
|
||||
tag: "{{ nginx_image_tag }}"
|
||||
sha256: "{{ nginx_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
dnsmasq:
|
||||
enabled: "{{ dns_mode == 'dnsmasq_kubedns' }}"
|
||||
container: true
|
||||
repo: "{{ dnsmasq_image_repo }}"
|
||||
tag: "{{ dnsmasq_image_tag }}"
|
||||
sha256: "{{ dnsmasq_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
kubedns:
|
||||
enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
|
||||
container: true
|
||||
repo: "{{ kubedns_image_repo }}"
|
||||
tag: "{{ kubedns_image_tag }}"
|
||||
sha256: "{{ kubedns_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
coredns:
|
||||
enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] }}"
|
||||
container: true
|
||||
repo: "{{ coredns_image_repo }}"
|
||||
tag: "{{ coredns_image_tag }}"
|
||||
sha256: "{{ coredns_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
dnsmasq_nanny:
|
||||
enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
|
||||
container: true
|
||||
repo: "{{ dnsmasq_nanny_image_repo }}"
|
||||
tag: "{{ dnsmasq_nanny_image_tag }}"
|
||||
sha256: "{{ dnsmasq_nanny_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
dnsmasq_sidecar:
|
||||
enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
|
||||
container: true
|
||||
repo: "{{ dnsmasq_sidecar_image_repo }}"
|
||||
tag: "{{ dnsmasq_sidecar_image_tag }}"
|
||||
sha256: "{{ dnsmasq_sidecar_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
kubednsautoscaler:
|
||||
enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
|
||||
container: true
|
||||
repo: "{{ kubednsautoscaler_image_repo }}"
|
||||
tag: "{{ kubednsautoscaler_image_tag }}"
|
||||
sha256: "{{ kubednsautoscaler_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
testbox:
|
||||
enabled: true
|
||||
enabled: false
|
||||
container: true
|
||||
repo: "{{ test_image_repo }}"
|
||||
tag: "{{ test_image_tag }}"
|
||||
@@ -318,30 +376,40 @@ downloads:
|
||||
repo: "{{ elasticsearch_image_repo }}"
|
||||
tag: "{{ elasticsearch_image_tag }}"
|
||||
sha256: "{{ elasticsearch_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
fluentd:
|
||||
enabled: "{{ efk_enabled }}"
|
||||
container: true
|
||||
repo: "{{ fluentd_image_repo }}"
|
||||
tag: "{{ fluentd_image_tag }}"
|
||||
sha256: "{{ fluentd_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
kibana:
|
||||
enabled: "{{ efk_enabled }}"
|
||||
container: true
|
||||
repo: "{{ kibana_image_repo }}"
|
||||
tag: "{{ kibana_image_tag }}"
|
||||
sha256: "{{ kibana_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
helm:
|
||||
enabled: "{{ helm_enabled }}"
|
||||
container: true
|
||||
repo: "{{ helm_image_repo }}"
|
||||
tag: "{{ helm_image_tag }}"
|
||||
sha256: "{{ helm_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
tiller:
|
||||
enabled: "{{ helm_enabled }}"
|
||||
container: true
|
||||
repo: "{{ tiller_image_repo }}"
|
||||
tag: "{{ tiller_image_tag }}"
|
||||
sha256: "{{ tiller_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
vault:
|
||||
enabled: "{{ cert_management == 'vault' }}"
|
||||
container: "{{ vault_deployment_type != 'host' }}"
|
||||
@@ -356,6 +424,24 @@ downloads:
|
||||
unarchive: true
|
||||
url: "{{ vault_download_url }}"
|
||||
version: "{{ vault_version }}"
|
||||
groups:
|
||||
- vault
|
||||
cert_manager_controller:
|
||||
enabled: "{{ cert_manager_enabled }}"
|
||||
container: true
|
||||
repo: "{{ cert_manager_controller_image_repo }}"
|
||||
tag: "{{ cert_manager_controller_image_tag }}"
|
||||
sha256: "{{ cert_manager_controller_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
cert_manager_ingress_shim:
|
||||
enabled: "{{ cert_manager_enabled }}"
|
||||
container: true
|
||||
repo: "{{ cert_manager_ingress_shim_image_repo }}"
|
||||
tag: "{{ cert_manager_ingress_shim_image_tag }}"
|
||||
sha256: "{{ cert_manager_ingress_shim_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
|
||||
download_defaults:
|
||||
container: false
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
when:
|
||||
- download.enabled
|
||||
- download.container
|
||||
- group_names | intersect(download.groups) | length
|
||||
tags:
|
||||
- facts
|
||||
|
||||
@@ -23,6 +24,7 @@
|
||||
- download.enabled
|
||||
- download.container
|
||||
- pull_required|default(download_always_pull)
|
||||
- group_names | intersect(download.groups) | length
|
||||
delegate_to: "{{ download_delegate }}"
|
||||
delegate_facts: yes
|
||||
run_once: yes
|
||||
@@ -38,3 +40,4 @@
|
||||
- download.enabled
|
||||
- download.container
|
||||
- pull_required|default(download_always_pull)
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
when:
|
||||
- download.enabled
|
||||
- download.file
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
- name: file_download | Download item
|
||||
get_url:
|
||||
@@ -28,6 +29,7 @@
|
||||
when:
|
||||
- download.enabled
|
||||
- download.file
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
- name: file_download | Extract archives
|
||||
unarchive:
|
||||
@@ -40,3 +42,4 @@
|
||||
- download.enabled
|
||||
- download.file
|
||||
- download.unarchive|default(False)
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
when:
|
||||
- download.enabled
|
||||
- download.container
|
||||
- group_names | intersect(download.groups) | length
|
||||
tags:
|
||||
- facts
|
||||
|
||||
@@ -17,6 +18,7 @@
|
||||
- download.enabled
|
||||
- download.container
|
||||
- download_run_once
|
||||
- group_names | intersect(download.groups) | length
|
||||
tags:
|
||||
- facts
|
||||
|
||||
@@ -27,6 +29,7 @@
|
||||
- download.enabled
|
||||
- download.container
|
||||
- download_run_once
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
- name: "container_download | Update the 'container_changed' fact"
|
||||
set_fact:
|
||||
@@ -36,6 +39,7 @@
|
||||
- download.container
|
||||
- download_run_once
|
||||
- pull_required|default(download_always_pull)
|
||||
- group_names | intersect(download.groups) | length
|
||||
run_once: "{{ download_run_once }}"
|
||||
tags:
|
||||
- facts
|
||||
@@ -53,6 +57,7 @@
|
||||
- download.enabled
|
||||
- download.container
|
||||
- download_run_once
|
||||
- group_names | intersect(download.groups) | length
|
||||
tags:
|
||||
- facts
|
||||
|
||||
@@ -68,6 +73,7 @@
|
||||
- download_run_once
|
||||
- (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] or download_delegate == "localhost")
|
||||
- (container_changed or not img.stat.exists)
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
- name: container_download | copy container images to ansible host
|
||||
synchronize:
|
||||
@@ -87,6 +93,7 @@
|
||||
- inventory_hostname == download_delegate
|
||||
- download_delegate != "localhost"
|
||||
- saved.changed
|
||||
- group_names | intersect(download.groups) | length
|
||||
|
||||
- name: container_download | upload container images to nodes
|
||||
synchronize:
|
||||
@@ -108,6 +115,7 @@
|
||||
- (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] and
|
||||
inventory_hostname != download_delegate or
|
||||
download_delegate == "localhost")
|
||||
- group_names | intersect(download.groups) | length
|
||||
tags:
|
||||
- upload
|
||||
- upgrade
|
||||
@@ -120,6 +128,7 @@
|
||||
- download_run_once
|
||||
- (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] and
|
||||
inventory_hostname != download_delegate or download_delegate == "localhost")
|
||||
- group_names | intersect(download.groups) | length
|
||||
tags:
|
||||
- upload
|
||||
- upgrade
|
||||
|
||||
@@ -12,9 +12,9 @@ etcd_cert_group: root
|
||||
# Note: This does not set up DNS entries. It simply adds the following DNS
|
||||
# entries to the certificate
|
||||
etcd_cert_alt_names:
|
||||
- "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
|
||||
- "etcd.{{ system_namespace }}.svc"
|
||||
- "etcd.{{ system_namespace }}"
|
||||
- "etcd.kube-system.svc.{{ dns_domain }}"
|
||||
- "etcd.kube-system.svc"
|
||||
- "etcd.kube-system"
|
||||
- "etcd"
|
||||
|
||||
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
||||
@@ -22,12 +22,12 @@ etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
||||
etcd_heartbeat_interval: "250"
|
||||
etcd_election_timeout: "5000"
|
||||
|
||||
#etcd_snapshot_count: "10000"
|
||||
# etcd_snapshot_count: "10000"
|
||||
|
||||
# Parameters for ionice
|
||||
# -c takes an integer between 0 and 3 or one of the strings none, realtime, best-effort or idle.
|
||||
# -n takes an integer between 0 (highest priority) and 7 (lowest priority)
|
||||
#etcd_ionice: "-c2 -n0"
|
||||
# etcd_ionice: "-c2 -n0"
|
||||
|
||||
etcd_metrics: "basic"
|
||||
|
||||
|
||||
@@ -48,7 +48,7 @@
|
||||
snapshot save {{ etcd_backup_directory }}/snapshot.db
|
||||
environment:
|
||||
ETCDCTL_API: 3
|
||||
ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
retries: 3
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
|
||||
@@ -9,8 +9,8 @@
|
||||
tags:
|
||||
- facts
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
- name: Configure | Check if member is in etcd-events cluster
|
||||
shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_events_access_addresses }} member list | grep -q {{ etcd_access_address }}"
|
||||
@@ -22,8 +22,8 @@
|
||||
tags:
|
||||
- facts
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
- name: Configure | Copy etcd.service systemd file
|
||||
template:
|
||||
|
||||
@@ -7,8 +7,8 @@
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
when: target_node == inventory_hostname
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
- include_tasks: refresh_config.yml
|
||||
vars:
|
||||
@@ -43,5 +43,5 @@
|
||||
- facts
|
||||
when: target_node == inventory_hostname
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
@@ -7,8 +7,8 @@
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
when: target_node == inventory_hostname
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
- include_tasks: refresh_config.yml
|
||||
vars:
|
||||
@@ -43,5 +43,5 @@
|
||||
- facts
|
||||
when: target_node == inventory_hostname
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
@@ -7,8 +7,8 @@
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
when: target_node == inventory_hostname
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
- include_tasks: refresh_config.yml
|
||||
vars:
|
||||
@@ -43,5 +43,5 @@
|
||||
- facts
|
||||
when: target_node == inventory_hostname
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
@@ -29,13 +29,13 @@
|
||||
tags:
|
||||
- upgrade
|
||||
|
||||
- import_tasks: set_cluster_health.yml
|
||||
- include_tasks: set_cluster_health.yml
|
||||
when: is_etcd_master and etcd_cluster_setup
|
||||
|
||||
- import_tasks: configure.yml
|
||||
- include_tasks: configure.yml
|
||||
when: is_etcd_master and etcd_cluster_setup
|
||||
|
||||
- import_tasks: refresh_config.yml
|
||||
- include_tasks: refresh_config.yml
|
||||
when: is_etcd_master and etcd_cluster_setup
|
||||
|
||||
- name: Restart etcd if certs changed
|
||||
@@ -68,8 +68,8 @@
|
||||
# After etcd cluster is assembled, make sure that
|
||||
# initial state of the cluster is in `existing`
|
||||
# state insted of `new`.
|
||||
- import_tasks: set_cluster_health.yml
|
||||
- include_tasks: set_cluster_health.yml
|
||||
when: is_etcd_master and etcd_cluster_setup
|
||||
|
||||
- import_tasks: refresh_config.yml
|
||||
- include_tasks: refresh_config.yml
|
||||
when: is_etcd_master and etcd_cluster_setup
|
||||
|
||||
@@ -9,8 +9,8 @@
|
||||
tags:
|
||||
- facts
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
- name: Configure | Check if etcd-events cluster is healthy
|
||||
shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_events_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
|
||||
@@ -22,5 +22,5 @@
|
||||
tags:
|
||||
- facts
|
||||
environment:
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
|
||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
[req]
|
||||
{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
|
||||
req_extensions = v3_req
|
||||
distinguished_name = req_distinguished_name
|
||||
|
||||
@@ -25,19 +25,18 @@ authorityKeyIdentifier=keyid:always,issuer
|
||||
[alt_names]
|
||||
DNS.1 = localhost
|
||||
{% for host in groups['etcd'] %}
|
||||
DNS.{{ 1 + loop.index }} = {{ host }}
|
||||
DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
|
||||
{% endfor %}
|
||||
{% if loadbalancer_apiserver is defined %}
|
||||
{% set idx = groups['etcd'] | length | int + 2 %}
|
||||
DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
|
||||
{% if apiserver_loadbalancer_domain_name is defined %}
|
||||
DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
|
||||
{% endif %}
|
||||
{% set idx = groups['etcd'] | length | int + 3 %}
|
||||
{% for etcd_alt_name in etcd_cert_alt_names %}
|
||||
DNS.{{ idx + 1 + loop.index }} = {{ etcd_alt_name }}
|
||||
DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
|
||||
{% endfor %}
|
||||
{% for host in groups['etcd'] %}
|
||||
IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
|
||||
IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
|
||||
{% if hostvars[host]['access_ip'] is defined %}
|
||||
IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
|
||||
{% endif %}
|
||||
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
|
||||
{% endfor %}
|
||||
{% set idx = groups['etcd'] | length | int * 2 + 1 %}
|
||||
IP.{{ idx }} = 127.0.0.1
|
||||
IP.{{ counter["ip"] }} = 127.0.0.1
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- name: Kubernetes Apps | Delete old CoreDNS resources
|
||||
kube:
|
||||
name: "coredns"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item }}"
|
||||
state: absent
|
||||
@@ -16,7 +16,7 @@
|
||||
- name: Kubernetes Apps | Delete kubeadm CoreDNS
|
||||
kube:
|
||||
name: "coredns"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "deploy"
|
||||
state: absent
|
||||
@@ -28,7 +28,7 @@
|
||||
- name: Kubernetes Apps | Delete old KubeDNS resources
|
||||
kube:
|
||||
name: "kube-dns"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item }}"
|
||||
state: absent
|
||||
@@ -41,7 +41,7 @@
|
||||
- name: Kubernetes Apps | Delete kubeadm KubeDNS
|
||||
kube:
|
||||
name: "kube-dns"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item }}"
|
||||
state: absent
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
- name: Kubernetes Apps | Start dashboard
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
|
||||
|
||||
@@ -37,7 +37,7 @@
|
||||
- name: Kubernetes Apps | Start Resources
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
|
||||
@@ -50,6 +50,10 @@
|
||||
- dns_mode != 'none'
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- not item|skipped
|
||||
register: resource_result
|
||||
until: resource_result|succeeded
|
||||
retries: 4
|
||||
delay: 5
|
||||
tags:
|
||||
- dnsmasq
|
||||
|
||||
|
||||
@@ -15,4 +15,4 @@ roleRef:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: coredns
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: coredns
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
data:
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: coredns{{ coredns_ordinal_suffix | default('') }}
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: coredns
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: coredns{{ coredns_ordinal_suffix | default('') }}
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -25,7 +25,7 @@ metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard-certs
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
type: Opaque
|
||||
|
||||
---
|
||||
@@ -37,7 +37,7 @@ metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
# ------------------- Dashboard Role & Role Binding ------------------- #
|
||||
@@ -46,7 +46,7 @@ kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: kubernetes-dashboard-minimal
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
rules:
|
||||
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
|
||||
- apiGroups: [""]
|
||||
@@ -81,7 +81,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: kubernetes-dashboard-minimal
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
@@ -89,7 +89,7 @@ roleRef:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
|
||||
@@ -103,7 +103,7 @@ rules:
|
||||
resources: ["services/proxy"]
|
||||
resourceNames: ["https:kubernetes-dashboard:"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
|
||||
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||
|
||||
---
|
||||
@@ -128,7 +128,7 @@ metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 10
|
||||
@@ -200,7 +200,7 @@ metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
spec:
|
||||
ports:
|
||||
- port: 443
|
||||
|
||||
@@ -17,7 +17,7 @@ kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: cluster-proportional-autoscaler
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
|
||||
@@ -17,11 +17,11 @@ kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: cluster-proportional-autoscaler
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cluster-proportional-autoscaler
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-proportional-autoscaler
|
||||
|
||||
@@ -17,4 +17,4 @@ kind: ServiceAccount
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: cluster-proportional-autoscaler
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
|
||||
@@ -17,7 +17,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: kubedns-autoscaler
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kubedns-autoscaler
|
||||
kubernetes.io/cluster-service: "true"
|
||||
@@ -40,7 +40,7 @@ spec:
|
||||
memory: "10Mi"
|
||||
command:
|
||||
- /cluster-proportional-autoscaler
|
||||
- --namespace={{ system_namespace }}
|
||||
- --namespace=kube-system
|
||||
- --configmap=kubedns-autoscaler
|
||||
# Should keep target in sync with cluster/addons/dns/kubedns-controller.yaml.base
|
||||
- --target=Deployment/kube-dns
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: kube-dns
|
||||
namespace: "{{system_namespace}}"
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-dns
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -3,6 +3,6 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kube-dns
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kube-dns
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-dns
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -126,32 +126,3 @@
|
||||
- kube_version | version_compare('v1.9.3', '<=')
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
tags: vsphere
|
||||
|
||||
# This is not a cluster role, but should be run after kubeconfig is set on master
|
||||
- name: Write kube system namespace manifest
|
||||
template:
|
||||
src: namespace.j2
|
||||
dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
tags:
|
||||
- apps
|
||||
|
||||
- name: Check if kube system namespace exists
|
||||
command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
|
||||
register: 'kubesystem'
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
tags:
|
||||
- apps
|
||||
|
||||
- name: Create kube system namespace
|
||||
command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
|
||||
retries: 4
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
register: create_system_ns
|
||||
until: create_system_ns.rc == 0
|
||||
changed_when: False
|
||||
when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
|
||||
tags:
|
||||
- apps
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: "{{system_namespace}}"
|
||||
name: "kube-system"
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
when: rbac_enabled
|
||||
|
||||
- name: "ElasticSearch | Create Serviceaccount and Clusterrolebinding (RBAC)"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n {{ system_namespace }}"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n kube-system"
|
||||
with_items:
|
||||
- "efk-sa.yml"
|
||||
- "efk-clusterrolebinding.yml"
|
||||
@@ -24,7 +24,7 @@
|
||||
register: es_deployment_manifest
|
||||
|
||||
- name: "ElasticSearch | Create ES deployment"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-deployment.yaml -n {{ system_namespace }}"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-deployment.yaml -n kube-system"
|
||||
run_once: true
|
||||
when: es_deployment_manifest.changed
|
||||
|
||||
@@ -35,6 +35,6 @@
|
||||
register: es_service_manifest
|
||||
|
||||
- name: "ElasticSearch | Create ES service"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n {{ system_namespace }}"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n kube-system"
|
||||
run_once: true
|
||||
when: es_service_manifest.changed
|
||||
|
||||
@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: efk
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: efk
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
|
||||
@@ -3,6 +3,6 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: efk
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: elasticsearch-logging-v1
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: elasticsearch-logging
|
||||
version: "{{ elasticsearch_image_tag }}"
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: elasticsearch-logging
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
labels:
|
||||
k8s-app: elasticsearch-logging
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -17,6 +17,6 @@
|
||||
register: fluentd_ds_manifest
|
||||
|
||||
- name: "Fluentd | Create fluentd daemonset"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n {{ system_namespace }}"
|
||||
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n kube-system"
|
||||
run_once: true
|
||||
when: fluentd_ds_manifest.changed
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: fluentd-config
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
data:
|
||||
{{ fluentd_config_file }}: |
|
||||
# This configuration file for Fluentd / td-agent is used
|
||||
|
||||
@@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: "fluentd-es-v{{ fluentd_version }}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
labels:
|
||||
k8s-app: fluentd-es
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
filename: "{{kube_config_dir}}/kibana-deployment.yaml"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
name: "kibana-logging"
|
||||
namespace: "{{system_namespace}}"
|
||||
namespace: "kube-system"
|
||||
resource: "deployment"
|
||||
state: "latest"
|
||||
with_items: "{{ kibana_deployment_manifest.changed }}"
|
||||
@@ -27,7 +27,7 @@
|
||||
filename: "{{kube_config_dir}}/kibana-service.yaml"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
name: "kibana-logging"
|
||||
namespace: "{{system_namespace}}"
|
||||
namespace: "kube-system"
|
||||
resource: "svc"
|
||||
state: "latest"
|
||||
with_items: "{{ kibana_service_manifest.changed }}"
|
||||
|
||||
@@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: kibana-logging
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
labels:
|
||||
k8s-app: kibana-logging
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kibana-logging
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
labels:
|
||||
k8s-app: kibana-logging
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
cephfs_provisioner_image_repo: quay.io/kubespray/cephfs-provisioner
|
||||
cephfs_provisioner_image_tag: 92295a30
|
||||
|
||||
cephfs_provisioner_namespace: "{{ system_namespace }}"
|
||||
cephfs_provisioner_namespace: "kube-system"
|
||||
cephfs_provisioner_cluster: ceph
|
||||
cephfs_provisioner_monitors: []
|
||||
cephfs_provisioner_admin_id: admin
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
local_volume_provisioner_image_repo: quay.io/external_storage/local-volume-provisioner
|
||||
local_volume_provisioner_image_tag: v2.0.0
|
||||
|
||||
local_volume_provisioner_namespace: "{{ system_namespace }}"
|
||||
local_volume_provisioner_namespace: "kube-system"
|
||||
local_volume_provisioner_base_dir: /mnt/disks
|
||||
local_volume_provisioner_mount_dir: /mnt/disks
|
||||
local_volume_provisioner_storage_class: local-storage
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
- name: Helm | Apply Helm Manifests (RBAC)
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
@@ -28,7 +28,7 @@
|
||||
|
||||
- name: Helm | Install/upgrade helm
|
||||
command: >
|
||||
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ system_namespace }}
|
||||
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
{% if rbac_enabled %} --service-account=tiller{% endif %}
|
||||
|
||||
@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: tiller
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: tiller
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
|
||||
@@ -3,6 +3,6 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: tiller
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
Deployment files
|
||||
================
|
||||
|
||||
This directory contains example deployment manifests for cert-manager that can
|
||||
be used in place of the official Helm chart.
|
||||
|
||||
This is useful if you are deploying cert-manager into an environment without
|
||||
Helm, or want to inspect a 'bare minimum' deployment.
|
||||
|
||||
Where do these come from?
|
||||
-------------------------
|
||||
|
||||
The manifests in these subdirectories are generated from the Helm chart
|
||||
automatically. The `values.yaml` files used to configure cert-manager can be
|
||||
found in [`hack/deploy`](../../hack/deploy/).
|
||||
|
||||
They are automatically generated by running `./hack/update-deploy-gen.sh`.
|
||||
@@ -0,0 +1,6 @@
|
||||
---
|
||||
cert_manager_namespace: "cert-manager"
|
||||
cert_manager_cpu_requests: 10m
|
||||
cert_manager_cpu_limits: 30m
|
||||
cert_manager_memory_requests: 32Mi
|
||||
cert_manager_memory_limits: 200Mi
|
||||
@@ -0,0 +1,38 @@
|
||||
---
|
||||
|
||||
- name: Cert Manager | Create addon dir
|
||||
file:
|
||||
path: "{{ kube_config_dir }}/addons/cert_manager"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Cert Manager | Create manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
|
||||
with_items:
|
||||
- { name: cert-manager-ns, file: cert-manager-ns.yml, type: ns }
|
||||
- { name: cert-manager-sa, file: cert-manager-sa.yml, type: sa }
|
||||
- { name: cert-manager-clusterrole, file: cert-manager-clusterrole.yml, type: clusterrole }
|
||||
- { name: cert-manager-clusterrolebinding, file: cert-manager-clusterrolebinding.yml, type: clusterrolebinding }
|
||||
- { name: cert-manager-issuer-crd, file: cert-manager-issuer-crd.yml, type: crd }
|
||||
- { name: cert-manager-clusterissuer-crd, file: cert-manager-clusterissuer-crd.yml, type: crd }
|
||||
- { name: cert-manager-certificate-crd, file: cert-manager-certificate-crd.yml, type: crd }
|
||||
- { name: cert-manager-deploy, file: cert-manager-deploy.yml, type: deploy }
|
||||
register: cert_manager_manifests
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Cert Manager | Apply manifests
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ cert_manager_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ cert_manager_manifests.results }}"
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
@@ -0,0 +1,21 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: certificates.certmanager.k8s.io
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
version: v1alpha1
|
||||
scope: Namespaced
|
||||
names:
|
||||
kind: Certificate
|
||||
plural: certificates
|
||||
shortNames:
|
||||
- cert
|
||||
- certs
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: clusterissuers.certmanager.k8s.io
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: ClusterIssuer
|
||||
plural: clusterissuers
|
||||
scope: Cluster
|
||||
@@ -0,0 +1,25 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
rules:
|
||||
- apiGroups: ["certmanager.k8s.io"]
|
||||
resources: ["certificates", "issuers", "clusterissuers"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: [""]
|
||||
# TODO: remove endpoints once 0.4 is released. We include it here in case
|
||||
# users use the 'master' version of the Helm chart with a 0.2.x release of
|
||||
# cert-manager that still performs leader election with Endpoint resources.
|
||||
# We advise users don't do this, but some will anyway and this will reduce
|
||||
# friction.
|
||||
resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["extensions"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["*"]
|
||||
@@ -0,0 +1,18 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
@@ -0,0 +1,51 @@
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: cert-manager
|
||||
release: cert-manager
|
||||
annotations:
|
||||
spec:
|
||||
serviceAccountName: cert-manager
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
args:
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
resources:
|
||||
requests:
|
||||
cpu: {{ cert_manager_cpu_requests }}
|
||||
memory: {{ cert_manager_memory_requests }}
|
||||
limits:
|
||||
cpu: {{ cert_manager_cpu_limits }}
|
||||
memory: {{ cert_manager_memory_limits }}
|
||||
|
||||
- name: ingress-shim
|
||||
image: {{ cert_manager_ingress_shim_image_repo }}:{{ cert_manager_ingress_shim_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
resources:
|
||||
requests:
|
||||
cpu: {{ cert_manager_cpu_requests }}
|
||||
memory: {{ cert_manager_memory_requests }}
|
||||
limits:
|
||||
cpu: {{ cert_manager_cpu_limits }}
|
||||
memory: {{ cert_manager_memory_limits }}
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: issuers.certmanager.k8s.io
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: Issuer
|
||||
plural: issuers
|
||||
scope: Namespaced
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
name: {{ cert_manager_namespace }}
|
||||
@@ -0,0 +1,11 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
@@ -20,6 +20,9 @@ spec:
|
||||
labels:
|
||||
k8s-app: ingress-nginx
|
||||
version: v{{ ingress_nginx_controller_image_tag }}
|
||||
annotations:
|
||||
prometheus.io/port: '10254'
|
||||
prometheus.io/scrape: 'true'
|
||||
spec:
|
||||
{% if ingress_nginx_host_network %}
|
||||
hostNetwork: true
|
||||
@@ -78,3 +81,4 @@ spec:
|
||||
{% if rbac_enabled %}
|
||||
serviceAccountName: ingress-nginx
|
||||
{% endif %}
|
||||
|
||||
|
||||
@@ -6,3 +6,10 @@ dependencies:
|
||||
- apps
|
||||
- ingress-nginx
|
||||
- ingress-controller
|
||||
|
||||
- role: kubernetes-apps/ingress_controller/cert_manager
|
||||
when: cert_manager_enabled
|
||||
tags:
|
||||
- apps
|
||||
- cert-manager
|
||||
- ingress-controller
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- name: Start Calico resources
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- name: Canal | Start Resources
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- name: Cilium | Start Resources
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
@@ -11,7 +11,7 @@
|
||||
when: inventory_hostname == groups['kube-master'][0] and not item|skipped
|
||||
|
||||
- name: Cilium | Wait for pods to run
|
||||
command: "{{bin_dir}}/kubectl -n {{system_namespace}} get pods -l k8s-app=cilium -o jsonpath='{.items[?(@.status.containerStatuses[0].ready==false)].metadata.name}'"
|
||||
command: "{{bin_dir}}/kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[?(@.status.containerStatuses[0].ready==false)].metadata.name}'"
|
||||
register: pods_not_ready
|
||||
until: pods_not_ready.stdout.find("cilium")==-1
|
||||
retries: 30
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
- name: Contiv | Create Kubernetes resources
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ contiv_config_dir }}/{{ item.item.file }}"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- name: Flannel | Start Resources
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
filename: "{{ kube_config_dir }}/weave-net.yml"
|
||||
resource: "ds"
|
||||
namespace: "{{system_namespace}}"
|
||||
namespace: "kube-system"
|
||||
state: "latest"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
name: calico-policy-controller
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: rs
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
state: absent
|
||||
run_once: true
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
- name: Start of Calico kube controllers
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: apps/v1beta2
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: calico-kube-controllers
|
||||
kubernetes.io/cluster-service: "true"
|
||||
@@ -15,7 +15,7 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
k8s-app: calico-kube-controllers
|
||||
|
||||
@@ -3,7 +3,7 @@ kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
|
||||
@@ -10,4 +10,4 @@ roleRef:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: calico-kube-controllers
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
|
||||
@@ -3,6 +3,6 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
|
||||
@@ -4,6 +4,6 @@ registry_image_tag: 2.6
|
||||
registry_proxy_image_repo: gcr.io/google_containers/kube-registry-proxy
|
||||
registry_proxy_image_tag: 0.4
|
||||
|
||||
registry_namespace: "{{ system_namespace }}"
|
||||
registry_namespace: "kube-system"
|
||||
registry_storage_class: ""
|
||||
registry_disk_size: "10Gi"
|
||||
|
||||
@@ -44,5 +44,5 @@
|
||||
when: needs_rotation
|
||||
|
||||
- name: Rotate Tokens | Delete pods in system namespace
|
||||
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
|
||||
command: "{{ bin_dir }}/kubectl delete pods -n kube-system --all"
|
||||
when: needs_rotation
|
||||
|
||||
@@ -96,4 +96,5 @@ volume_cross_zone_attachment: false
|
||||
## Encrypting Secret Data at Rest
|
||||
kube_encrypt_secret_data: false
|
||||
kube_encrypt_token: "{{ lookup('password', inventory_dir + '/credentials/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
|
||||
kube_encryption_algorithm: "aescbc" # Must be either: aescbc, secretbox or aesgcm
|
||||
# Must be either: aescbc, secretbox or aesgcm
|
||||
kube_encryption_algorithm: "aescbc"
|
||||
|
||||
@@ -9,4 +9,6 @@
|
||||
- {src: apiserver-key.pem, dest: apiserver.key}
|
||||
- {src: ca.pem, dest: ca.crt}
|
||||
- {src: ca-key.pem, dest: ca.key}
|
||||
- {src: service-account-key.pem, dest: sa.pub}
|
||||
- {src: service-account-key.pem, dest: sa.key}
|
||||
register: kubeadm_copy_old_certs
|
||||
|
||||
@@ -30,4 +30,7 @@
|
||||
with_items:
|
||||
- ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
|
||||
when: kube_apiserver_manifest_replaced.changed
|
||||
run_once: true
|
||||
register: remove_master_container
|
||||
retries: 4
|
||||
until: remove_master_container.rc == 0
|
||||
delay: 5
|
||||
@@ -38,7 +38,7 @@ apiServerExtraArgs:
|
||||
apiserver-count: "{{ kube_apiserver_count }}"
|
||||
{% if kube_version | version_compare('v1.9', '>=') %}
|
||||
endpoint-reconciler-type: lease
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
service-node-port-range: {{ kube_apiserver_node_port_range }}
|
||||
kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
|
||||
{% if kube_basic_auth|default(true) %}
|
||||
@@ -90,3 +90,6 @@ apiServerCertSANs:
|
||||
{% endfor %}
|
||||
certificatesDir: {{ kube_config_dir }}/ssl
|
||||
unifiedControlPlaneImage: "{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}"
|
||||
{% if kube_override_hostname|default('') %}
|
||||
nodeName: {{ kube_override_hostname }}
|
||||
{% endif %}
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: kube-apiserver
|
||||
namespace: {{system_namespace}}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-apiserver
|
||||
kubespray: v2
|
||||
@@ -63,7 +63,7 @@ spec:
|
||||
{% if kube_token_auth|default(true) %}
|
||||
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
||||
{% endif %}
|
||||
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
||||
- --service-account-key-file={{ kube_cert_dir }}/service-account-key.pem
|
||||
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
|
||||
- --oidc-issuer-url={{ kube_oidc_url }}
|
||||
- --oidc-client-id={{ kube_oidc_client_id }}
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: kube-controller-manager
|
||||
namespace: {{system_namespace}}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-controller-manager
|
||||
annotations:
|
||||
@@ -29,7 +29,7 @@ spec:
|
||||
- controller-manager
|
||||
- --kubeconfig={{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml
|
||||
- --leader-elect=true
|
||||
- --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
||||
- --service-account-private-key-file={{ kube_cert_dir }}/service-account-key.pem
|
||||
- --root-ca-file={{ kube_cert_dir }}/ca.pem
|
||||
- --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem
|
||||
- --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: kube-scheduler
|
||||
namespace: {{ system_namespace }}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-scheduler
|
||||
annotations:
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
namespace_kubesystem:
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: "{{system_namespace}}"
|
||||
@@ -134,6 +134,19 @@
|
||||
tags:
|
||||
- kube-proxy
|
||||
|
||||
- name: Write cloud-config
|
||||
template:
|
||||
src: "{{ cloud_provider }}-cloud-config.j2"
|
||||
dest: "{{ kube_config_dir }}/cloud_config"
|
||||
group: "{{ kube_cert_group }}"
|
||||
mode: 0640
|
||||
when:
|
||||
- cloud_provider is defined
|
||||
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
|
||||
notify: restart kubelet
|
||||
tags:
|
||||
- cloud-provider
|
||||
|
||||
# reload-systemd
|
||||
- meta: flush_handlers
|
||||
|
||||
|
||||
@@ -81,18 +81,26 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
|
||||
{% endif %}
|
||||
|
||||
{# Kubelet node labels #}
|
||||
{% set role_node_labels = [] %}
|
||||
{% if inventory_hostname in groups['kube-master'] %}
|
||||
{% set node_labels %}--node-labels=node-role.kubernetes.io/master=true{% endset %}
|
||||
{% do role_node_labels.append('node-role.kubernetes.io/master=true') %}
|
||||
{% if not standalone_kubelet|bool %}
|
||||
{% set node_labels %}{{ node_labels }},node-role.kubernetes.io/node=true{% endset %}
|
||||
{% do role_node_labels.append('node-role.kubernetes.io/node=true') %}
|
||||
{% endif %}
|
||||
{% elif inventory_hostname in groups['kube-ingress']|default([]) %}
|
||||
{% set node_labels %}--node-labels=node-role.kubernetes.io/ingress=true{% endset %}
|
||||
{% do role_node_labels.append('node-role.kubernetes.io/ingress=true') %}
|
||||
{% else %}
|
||||
{% set node_labels %}--node-labels=node-role.kubernetes.io/node=true{% endset %}
|
||||
{% do role_node_labels.append('node-role.kubernetes.io/node=true') %}
|
||||
{% endif %}
|
||||
{% set inventory_node_labels = [] %}
|
||||
{% if node_labels is defined %}
|
||||
{% for labelname, labelvalue in node_labels.iteritems() %}
|
||||
{% do inventory_node_labels.append(labelname + '=' + labelvalue) %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% set all_node_labels = role_node_labels + inventory_node_labels %}
|
||||
|
||||
KUBELET_ARGS="{{ kubelet_args_base }} {{ kubelet_args_dns }} {{ kubelet_args_kubeconfig }} {{ kube_reserved }} {{ node_labels }} {% if kube_feature_gates %} --feature-gates={{ kube_feature_gates|join(',') }} {% endif %} {% if kubelet_custom_flags is string %} {{kubelet_custom_flags}} {% else %}{% for flag in kubelet_custom_flags %} {{flag}} {% endfor %}{% endif %}"
|
||||
KUBELET_ARGS="{{ kubelet_args_base }} {{ kubelet_args_dns }} {{ kubelet_args_kubeconfig }} {{ kube_reserved }} --node-labels={{ all_node_labels | join(',') }} {% if kube_feature_gates %} --feature-gates={{ kube_feature_gates|join(',') }} {% endif %} {% if kubelet_custom_flags is string %} {{kubelet_custom_flags}} {% else %}{% for flag in kubelet_custom_flags %} {{flag}} {% endfor %}{% endif %}"
|
||||
{% if kube_network_plugin is defined and kube_network_plugin in ["calico", "canal", "flannel", "weave", "contiv", "cilium"] %}
|
||||
KUBELET_NETWORK_PLUGIN="--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
|
||||
{% elif kube_network_plugin is defined and kube_network_plugin == "weave" %}
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: kube-proxy
|
||||
namespace: {{system_namespace}}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-proxy
|
||||
annotations:
|
||||
@@ -48,7 +48,6 @@ spec:
|
||||
{% elif kube_proxy_mode == 'ipvs' %}
|
||||
- --masquerade-all
|
||||
- --feature-gates=SupportIPVSProxyMode=true
|
||||
- --proxy-mode=ipvs
|
||||
- --ipvs-min-sync-period=5s
|
||||
- --ipvs-sync-period=5s
|
||||
- --ipvs-scheduler=rr
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: nginx-proxy
|
||||
namespace: {{system_namespace}}
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: kube-nginx
|
||||
spec:
|
||||
|
||||
@@ -256,19 +256,6 @@
|
||||
tags:
|
||||
- bootstrap-os
|
||||
|
||||
- name: Write cloud-config
|
||||
template:
|
||||
src: "{{ cloud_provider }}-cloud-config.j2"
|
||||
dest: "{{ kube_config_dir }}/cloud_config"
|
||||
group: "{{ kube_cert_group }}"
|
||||
mode: 0640
|
||||
when:
|
||||
- inventory_hostname in groups['k8s-cluster']
|
||||
- cloud_provider is defined
|
||||
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
|
||||
tags:
|
||||
- cloud-provider
|
||||
|
||||
- import_tasks: etchosts.yml
|
||||
tags:
|
||||
- bootstrap-os
|
||||
|
||||
@@ -82,6 +82,17 @@ gen_key_and_cert() {
|
||||
|
||||
# Admins
|
||||
if [ -n "$MASTERS" ]; then
|
||||
|
||||
# service-account
|
||||
# If --service-account-private-key-file was previously configured to use apiserver-key.pem then copy that to the new dedicated service-account signing key location to avoid disruptions
|
||||
if [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
|
||||
cp $SSLDIR/apiserver-key.pem $SSLDIR/service-account-key.pem
|
||||
fi
|
||||
# Generate dedicated service account signing key if one doesn't exist
|
||||
if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
|
||||
openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
# kube-apiserver
|
||||
# Generate only if we don't have existing ca and apiserver certs
|
||||
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
|
||||
|
||||
@@ -105,9 +105,9 @@
|
||||
{%- set certs = {'sync': False} -%}
|
||||
{% if gen_node_certs[inventory_hostname] or
|
||||
(not kubecert_node.results[0].stat.exists|default(False)) or
|
||||
(not kubecert_node.results[10].stat.exists|default(False)) or
|
||||
(not kubecert_node.results[7].stat.exists|default(False)) or
|
||||
(kubecert_node.results[10].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[10].stat.path)|map(attribute="checksum")|first|default('')) -%}
|
||||
(not kubecert_node.results[12].stat.exists|default(False)) or
|
||||
(not kubecert_node.results[8].stat.exists|default(False)) or
|
||||
(kubecert_node.results[12].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[12].stat.path)|map(attribute="checksum")|first|default('')) -%}
|
||||
{%- set _ = certs.update({'sync': True}) -%}
|
||||
{% endif %}
|
||||
{{ certs.sync }}
|
||||
|
||||
@@ -75,6 +75,7 @@
|
||||
'kube-controller-manager-key.pem',
|
||||
'front-proxy-client.pem',
|
||||
'front-proxy-client-key.pem',
|
||||
'service-account-key.pem',
|
||||
{% for node in groups['kube-master'] %}
|
||||
'admin-{{ node }}.pem',
|
||||
'admin-{{ node }}-key.pem',
|
||||
@@ -86,6 +87,7 @@
|
||||
'apiserver-key.pem',
|
||||
'front-proxy-client.pem',
|
||||
'front-proxy-client-key.pem',
|
||||
'service-account-key.pem',
|
||||
'kube-scheduler.pem',
|
||||
'kube-scheduler-key.pem',
|
||||
'kube-controller-manager.pem',
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
[req]
|
||||
{% set counter = {'dns': 6,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
|
||||
req_extensions = v3_req
|
||||
distinguished_name = req_distinguished_name
|
||||
[req_distinguished_name]
|
||||
@@ -13,31 +13,30 @@ DNS.3 = kubernetes.default.svc
|
||||
DNS.4 = kubernetes.default.svc.{{ dns_domain }}
|
||||
DNS.5 = localhost
|
||||
{% for host in groups['kube-master'] %}
|
||||
DNS.{{ 5 + loop.index }} = {{ host }}
|
||||
DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
|
||||
{% endfor %}
|
||||
{% set idns = groups['kube-master'] | length | int + 5 %}
|
||||
{% if loadbalancer_apiserver is defined %}
|
||||
{% set idns = idns + 1 %}
|
||||
DNS.{{ idns | string }} = {{ apiserver_loadbalancer_domain_name }}
|
||||
{% if apiserver_loadbalancer_domain_name is defined %}
|
||||
DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
|
||||
{% endif %}
|
||||
{% for host in groups['kube-master'] %}
|
||||
IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
|
||||
IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
|
||||
{% endfor %}
|
||||
{% set idx = groups['kube-master'] | length | int * 2 + 1 %}
|
||||
IP.{{ idx }} = {{ kube_apiserver_ip }}
|
||||
{% if loadbalancer_apiserver is defined %}
|
||||
IP.{{ idx + 1 }} = {{ loadbalancer_apiserver.address }}
|
||||
{% set idx = idx + 1 %}
|
||||
{% if hostvars[host]['access_ip'] is defined %}
|
||||
IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
|
||||
{% endif %}
|
||||
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
|
||||
{% endfor %}
|
||||
{% if kube_apiserver_ip is defined %}
|
||||
IP.{{ counter["ip"] }} = {{ kube_apiserver_ip }}{{ increment(counter, 'ip') }}
|
||||
{% endif %}
|
||||
{% if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined %}
|
||||
IP.{{ counter["ip"] }} = {{ loadbalancer_apiserver.address }}{{ increment(counter, 'ip') }}
|
||||
{% endif %}
|
||||
IP.{{ idx + 1 }} = 127.0.0.1
|
||||
{% if supplementary_addresses_in_ssl_keys is defined %}
|
||||
{% set is = idx + 1 %}
|
||||
{% for addr in supplementary_addresses_in_ssl_keys %}
|
||||
{% if addr | ipaddr %}
|
||||
IP.{{ is + loop.index }} = {{ addr }}
|
||||
IP.{{ counter["ip"] }} = {{ addr }}{{ increment(counter, 'ip') }}
|
||||
{% else %}
|
||||
DNS.{{ idns + loop.index }} = {{ addr }}
|
||||
DNS.{{ counter["dns"] }} = {{ addr }}{{ increment(counter, 'dns') }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
IP.{{ counter["ip"] }} = 127.0.0.1
|
||||
|
||||
@@ -61,7 +61,6 @@ dns_domain: "{{ cluster_name }}"
|
||||
kube_config_dir: /etc/kubernetes
|
||||
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
|
||||
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
|
||||
system_namespace: kube-system
|
||||
|
||||
# This is where all the cert scripts and certs will be located
|
||||
kube_cert_dir: "{{ kube_config_dir }}/ssl"
|
||||
@@ -175,6 +174,7 @@ local_volume_provisioner_enabled: "{{ local_volumes_enabled | default('false') }
|
||||
persistent_volumes_enabled: false
|
||||
cephfs_provisioner_enabled: false
|
||||
ingress_nginx_enabled: false
|
||||
cert_manager_enabled: false
|
||||
|
||||
## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461)
|
||||
# openstack_blockstorage_version: "v1/v2/auto (default)"
|
||||
@@ -241,6 +241,7 @@ weave_peers: uninitialized
|
||||
|
||||
## Set no_proxy to all assigned cluster IPs and hostnames
|
||||
no_proxy: >-
|
||||
{%- if http_proxy is defined or https_proxy is defined %}
|
||||
{%- if loadbalancer_apiserver is defined -%}
|
||||
{{ apiserver_loadbalancer_domain_name| default('') }},
|
||||
{{ loadbalancer_apiserver.address | default('') }},
|
||||
@@ -254,11 +255,12 @@ no_proxy: >-
|
||||
{{ item }},{{ item }}.{{ dns_domain }},
|
||||
{%- endfor -%}
|
||||
127.0.0.1,localhost
|
||||
{%- endif %}
|
||||
|
||||
proxy_env:
|
||||
http_proxy: "{{ http_proxy| default ('') }}"
|
||||
https_proxy: "{{ https_proxy| default ('') }}"
|
||||
no_proxy: "{{ no_proxy }}"
|
||||
no_proxy: "{{ no_proxy| default ('') }}"
|
||||
|
||||
# Vars for pointing to kubernetes api endpoints
|
||||
is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user