Upgrade ansible (#10190)

* project: update all dependencies including ansible

Upgrade to ansible 7.x and ansible-core 2.14.x. There seems to be an issue
with ansible 8/ansible-core 2.15, so we remain on ansible 7.x/ansible-core
2.14.x for now. It's quite a big bump already anyway.

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* tests: install aws galaxy collection

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* ansible-lint: disable various rules after ansible upgrade

Temporarily disable a bunch of linting action following ansible upgrade.
Those should be taken care of separately.

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve deprecated-module ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve no-free-form ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve schema[meta] ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve schema[playbook] ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve schema[tasks] ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve risky-file-permissions ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve risky-shell-pipe ansible-lint error

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: remove deprecated warn args

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: use fqcn for non builtin tasks

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve syntax-check[missing-file] for contrib playbook

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: use arithmetic inside jinja to fix ansible 6 upgrade

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

---------

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
Arthur Outhenin-Chalandre
2023-06-26 12:15:45 +02:00
committed by GitHub
parent 3311e0a296
commit 25cb90bc2d
81 changed files with 345 additions and 207 deletions


@@ -44,7 +44,9 @@
state: restarted
- name: Master | Remove apiserver container docker
shell: docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
shell: "set -o pipefail && docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f"
args:
executable: /bin/bash
register: remove_apiserver_container
retries: 10
until: remove_apiserver_container.rc == 0
@@ -52,7 +54,9 @@
when: container_manager == "docker"
- name: Master | Remove apiserver container containerd/crio
shell: "{{ bin_dir }}/crictl pods --name kube-apiserver* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
shell: "set -o pipefail && {{ bin_dir }}/crictl pods --name kube-apiserver* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
args:
executable: /bin/bash
register: remove_apiserver_container
retries: 10
until: remove_apiserver_container.rc == 0
@@ -60,7 +64,9 @@
when: container_manager in ['containerd', 'crio']
- name: Master | Remove scheduler container docker
shell: "{{ docker_bin_dir }}/docker ps -af name=k8s_kube-scheduler* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
shell: "set -o pipefail && {{ docker_bin_dir }}/docker ps -af name=k8s_kube-scheduler* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
args:
executable: /bin/bash
register: remove_scheduler_container
retries: 10
until: remove_scheduler_container.rc == 0
@@ -68,7 +74,9 @@
when: container_manager == "docker"
- name: Master | Remove scheduler container containerd/crio
shell: "{{ bin_dir }}/crictl pods --name kube-scheduler* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
shell: "set -o pipefail && {{ bin_dir }}/crictl pods --name kube-scheduler* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
args:
executable: /bin/bash
register: remove_scheduler_container
retries: 10
until: remove_scheduler_container.rc == 0
@@ -76,7 +84,9 @@
when: container_manager in ['containerd', 'crio']
- name: Master | Remove controller manager container docker
shell: "{{ docker_bin_dir }}/docker ps -af name=k8s_kube-controller-manager* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
shell: "set -o pipefail && {{ docker_bin_dir }}/docker ps -af name=k8s_kube-controller-manager* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
args:
executable: /bin/bash
register: remove_cm_container
retries: 10
until: remove_cm_container.rc == 0
@@ -84,7 +94,9 @@
when: container_manager == "docker"
- name: Master | Remove controller manager container containerd/crio
shell: "{{ bin_dir }}/crictl pods --name kube-controller-manager* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
shell: "set -o pipefail && {{ bin_dir }}/crictl pods --name kube-controller-manager* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
args:
executable: /bin/bash
register: remove_cm_container
retries: 10
until: remove_cm_container.rc == 0
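Review bot: The containerd/crio handlers still splice each pod ID into the `bash -c` string through `xargs -I%`, so whatever `crictl pods -q` prints is parsed as shell text rather than passed as data; the same pattern is in the two crio/containerd Preinstall handlers further down. Passing the ID as a positional argument avoids that: `xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp "$1" && {{ bin_dir }}/crictl rmp "$1"' _ %` (the inner double quotes need escaping inside the YAML double-quoted scalar). Separately, the first docker task calls bare `docker` while its siblings use `{{ docker_bin_dir }}/docker`, so it depends on PATH; using the variable there would make the file consistent.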


@@ -1,7 +1,9 @@
---
- block:
- name: look up docker cgroup driver
shell: "docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'"
shell: "set -o pipefail && docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'"
args:
executable: /bin/bash
register: docker_cgroup_driver_result
changed_when: false
check_mode: no
@@ -13,7 +15,9 @@
- block:
- name: look up crio cgroup driver
shell: "{{ bin_dir }}/crio-status info | grep 'cgroup driver' | awk -F': ' '{ print $2; }'"
shell: "set -o pipefail && {{ bin_dir }}/crio-status info | grep 'cgroup driver' | awk -F': ' '{ print $2; }'"
args:
executable: /bin/bash
register: crio_cgroup_driver_result
changed_when: false
@@ -40,7 +44,6 @@
when: kubelet_cgroup_driver == 'cgroupfs'
- name: set kubelet_config_extra_args options when cgroupfs is used
vars:
set_fact:
kubelet_config_extra_args: "{{ kubelet_config_extra_args | combine(kubelet_config_extra_args_cgroupfs) }}"
when: kubelet_cgroup_driver == 'cgroupfs'
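Review bot: With `set -o pipefail` the two cgroup-driver lookups now return grep's exit status, so a `docker info` or `crio-status info` output without a matching line fails the task instead of registering an empty result. That is probably the safer behaviour, but it is a change the hunk does not document, and the tasks that consume `docker_cgroup_driver_result` and `crio_cgroup_driver_result` are outside the hunks. A comment above each `shell:` line would record the intent, for example `# pipefail: fail here if the driver line is missing instead of passing on an empty value`.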


@@ -41,7 +41,7 @@
- haproxy
- name: Ensure nodePort range is reserved
sysctl:
ansible.posix.sysctl:
name: net.ipv4.ip_local_reserved_ports
value: "{{ kube_apiserver_node_port_range }}"
sysctl_set: yes
@@ -68,7 +68,7 @@
mode: 0755
- name: Enable br_netfilter module
modprobe:
community.general.modprobe:
name: br_netfilter
state: present
when: modinfo_br_netfilter.rc == 0
@@ -89,7 +89,7 @@
register: sysctl_bridge_nf_call_iptables
- name: Enable bridge-nf-call tables
sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
state: present
sysctl_file: "{{ sysctl_file_path }}"
@@ -102,7 +102,7 @@
- net.bridge.bridge-nf-call-ip6tables
- name: Modprobe Kernel Module for IPVS
modprobe:
community.general.modprobe:
name: "{{ item }}"
state: present
with_items:
@@ -115,7 +115,7 @@
- kube-proxy
- name: Modprobe nf_conntrack_ipv4
modprobe:
community.general.modprobe:
name: nf_conntrack_ipv4
state: present
register: modprobe_nf_conntrack_ipv4
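Review bot: The switch to `ansible.posix.sysctl` and `community.general.modprobe` makes these tasks depend on two collections that ansible-core alone does not ship, and nothing on this page shows where they are declared. If the project relies on the full `ansible` package to provide them, say so next to its version pin. Otherwise list both in the collection requirements file with explicit versions, so the module code that runs on the hosts comes from a known release. The same applies to the `ansible.posix.mount`, `ansible.posix.selinux`, `community.general.ini_file` and `community.general.timezone` changes in the later sections.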


@@ -68,7 +68,9 @@
when: inventory_hostname in groups['kube_control_plane'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'
- name: Preinstall | restart kube-controller-manager docker
shell: "{{ docker_bin_dir }}/docker ps -f name=k8s_POD_kube-controller-manager* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
shell: "set -o pipefail && {{ docker_bin_dir }}/docker ps -f name=k8s_POD_kube-controller-manager* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
args:
executable: /bin/bash
when:
- container_manager == "docker"
- inventory_hostname in groups['kube_control_plane']
@@ -77,7 +79,9 @@
- kube_controller_set.stat.exists
- name: Preinstall | restart kube-controller-manager crio/containerd
shell: "{{ bin_dir }}/crictl pods --name kube-controller-manager* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
shell: "set -o pipefail && {{ bin_dir }}/crictl pods --name kube-controller-manager* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
args:
executable: /bin/bash
register: preinstall_restart_controller_manager
retries: 10
delay: 1
@@ -90,7 +94,9 @@
- kube_controller_set.stat.exists
- name: Preinstall | restart kube-apiserver docker
shell: "{{ docker_bin_dir }}/docker ps -f name=k8s_POD_kube-apiserver* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
shell: "set -o pipefail && {{ docker_bin_dir }}/docker ps -f name=k8s_POD_kube-apiserver* -q | xargs --no-run-if-empty {{ docker_bin_dir }}/docker rm -f"
args:
executable: /bin/bash
when:
- container_manager == "docker"
- inventory_hostname in groups['kube_control_plane']
@@ -99,7 +105,9 @@
- kube_apiserver_set.stat.exists
- name: Preinstall | restart kube-apiserver crio/containerd
shell: "{{ bin_dir }}/crictl pods --name kube-apiserver* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
shell: "set -o pipefail && {{ bin_dir }}/crictl pods --name kube-apiserver* -q | xargs -I% --no-run-if-empty bash -c '{{ bin_dir }}/crictl stopp % && {{ bin_dir }}/crictl rmp %'"
args:
executable: /bin/bash
register: preinstall_restart_apiserver
retries: 10
until: preinstall_restart_apiserver.rc == 0
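Review bot: The two docker restart handlers (`Preinstall | restart kube-controller-manager docker` and `Preinstall | restart kube-apiserver docker`) gain `pipefail` but, as far as these hunks show, have no `register`/`retries`/`until`, unlike the crio/containerd handlers next to them. A transient `docker ps` error used to be hidden, because xargs exits 0 on empty input; it now fails the handler on the first attempt. For parity, consider `register: preinstall_restart_controller_manager`, `retries: 10` and `until: preinstall_restart_controller_manager.rc == 0`, with the apiserver equivalents on the other task. Both tasks continue outside the hunks, so confirm these keys are not already present.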


@@ -1,6 +1,6 @@
---
- name: Remove swapfile from /etc/fstab
mount:
ansible.posix.mount:
name: "{{ item }}"
fstype: swap
state: absent


@@ -1,6 +1,6 @@
---
- name: NetworkManager | Add nameservers to NM configuration
ini_file:
community.general.ini_file:
path: /etc/NetworkManager/conf.d/dns.conf
section: global-dns-domain-*
option: servers
@@ -15,7 +15,7 @@
when: not remove_default_searchdomains|default()|bool or (remove_default_searchdomains|default()|bool and searchdomains|default([])|length==0)
- name: NetworkManager | Add DNS search to NM configuration
ini_file:
community.general.ini_file:
path: /etc/NetworkManager/conf.d/dns.conf
section: global-dns
option: searches
@@ -25,7 +25,7 @@
notify: Preinstall | update resolvconf for networkmanager
- name: NetworkManager | Add DNS options to NM configuration
ini_file:
community.general.ini_file:
path: /etc/NetworkManager/conf.d/dns.conf
section: global-dns
option: options


@@ -12,7 +12,7 @@
register: slc
- name: Set selinux policy
selinux:
ansible.posix.selinux:
policy: targeted
state: "{{ preinstall_selinux_state }}"
when:
@@ -71,7 +71,7 @@
mode: 0755
- name: Enable ip forwarding
sysctl:
ansible.posix.sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: net.ipv4.ip_forward
value: "1"
@@ -79,7 +79,7 @@
reload: yes
- name: Enable ipv6 forwarding
sysctl:
ansible.posix.sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: net.ipv6.conf.all.forwarding
value: "1"
@@ -97,7 +97,7 @@
ignore_errors: true # noqa ignore-errors
- name: Set fs.may_detach_mounts if needed
sysctl:
ansible.posix.sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: fs.may_detach_mounts
value: 1
@@ -106,7 +106,7 @@
when: fs_may_detach_mounts.stat.exists | d(false)
- name: Ensure kube-bench parameters are set
sysctl:
ansible.posix.sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: "{{ item.name }}"
value: "{{ item.value }}"
@@ -122,14 +122,14 @@
when: kubelet_protect_kernel_defaults|bool
- name: Check dummy module
modprobe:
community.general.modprobe:
name: dummy
state: present
params: 'numdummies=0'
when: enable_nodelocaldns
- name: Set additional sysctl variables
sysctl:
ansible.posix.sysctl:
sysctl_file: "{{ sysctl_file_path }}"
name: "{{ item.name }}"
value: "{{ item.value }}"


@@ -78,7 +78,7 @@
- not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
- name: Set timezone
timezone:
community.general.timezone:
name: "{{ ntp_timezone }}"
when:
- ntp_timezone


@@ -45,7 +45,6 @@
- name: Gen_tokens | Gather tokens
shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
args:
warn: false
executable: /bin/bash
register: tokens_data
check_mode: no