Resolve ansible-lint name errors (#10253)

* project: fix ansible-lint name

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: ignore jinja template error in names

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: capitalize ansible name

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: update notify after name capitalization

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

---------

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
This commit is contained in:
Arthur Outhenin-Chalandre
2023-07-26 16:36:22 +02:00
committed by GitHub
parent b9e3861385
commit 36e5d742dc
162 changed files with 842 additions and 675 deletions


@@ -100,7 +100,7 @@
run_once: yes
when: kubectl_localhost
- name: create helper script kubectl.sh on ansible host
- name: Create helper script kubectl.sh on ansible host
copy:
content: |
#!/bin/bash


@@ -47,7 +47,7 @@
timeout: 180
- name: check already run
- name: Check already run
debug:
msg: "{{ kubeadm_already_run.stat.exists }}"


@@ -10,7 +10,7 @@
- kube_oidc_auth
- kube_oidc_ca_cert is defined
- name: kubeadm | Check if kubeadm has already run
- name: Kubeadm | Check if kubeadm has already run
stat:
path: "/var/lib/kubelet/config.yaml"
get_attributes: no
@@ -18,12 +18,12 @@
get_mime: no
register: kubeadm_already_run
- name: kubeadm | Backup kubeadm certs / kubeconfig
- name: Kubeadm | Backup kubeadm certs / kubeconfig
import_tasks: kubeadm-backup.yml
when:
- kubeadm_already_run.stat.exists
- name: kubeadm | aggregate all SANs
- name: Kubeadm | aggregate all SANs
set_fact:
apiserver_sans: "{{ (sans_base + groups['kube_control_plane'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn + sans_kube_vip_address) | unique }}"
vars:
@@ -69,7 +69,7 @@
when: kubernetes_audit_webhook | default(false)
# Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
- name: set kubeadm_config_api_fqdn define
- name: Set kubeadm_config_api_fqdn define
set_fact:
kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name | default('lb-apiserver.kubernetes.local') }}"
when: loadbalancer_apiserver is defined
@@ -78,27 +78,27 @@
set_fact:
kubeadmConfig_api_version: v1beta3
- name: kubeadm | Create kubeadm config
- name: Kubeadm | Create kubeadm config
template:
src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
mode: 0640
- name: kubeadm | Create directory to store admission control configurations
- name: Kubeadm | Create directory to store admission control configurations
file:
path: "{{ kube_config_dir }}/admission-controls"
state: directory
mode: 0640
when: kube_apiserver_admission_control_config_file
- name: kubeadm | Push admission control config file
- name: Kubeadm | Push admission control config file
template:
src: "admission-controls.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
mode: 0640
when: kube_apiserver_admission_control_config_file
- name: kubeadm | Push admission control config files
- name: Kubeadm | Push admission control config files
template:
src: "{{ item | lower }}.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/{{ item | lower }}.yaml"
@@ -108,15 +108,15 @@
- item in kube_apiserver_admission_plugins_needs_configuration
loop: "{{ kube_apiserver_enable_admission_plugins }}"
- name: kubeadm | Check apiserver.crt SANs
- name: Kubeadm | Check apiserver.crt SANs
block:
- name: kubeadm | Check apiserver.crt SAN IPs
- name: Kubeadm | Check apiserver.crt SAN IPs
command:
cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkip {{ item }}"
loop: "{{ apiserver_ips }}"
register: apiserver_sans_ip_check
changed_when: apiserver_sans_ip_check.stdout is not search('does match certificate')
- name: kubeadm | Check apiserver.crt SAN hosts
- name: Kubeadm | Check apiserver.crt SAN hosts
command:
cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkhost {{ item }}"
loop: "{{ apiserver_hosts }}"
@@ -129,7 +129,7 @@
- kubeadm_already_run.stat.exists
- not kube_external_ca_mode
- name: kubeadm | regenerate apiserver cert 1/2
- name: Kubeadm | regenerate apiserver cert 1/2
file:
state: absent
path: "{{ kube_cert_dir }}/{{ item }}"
@@ -141,7 +141,7 @@
- apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode
- name: kubeadm | regenerate apiserver cert 2/2
- name: Kubeadm | regenerate apiserver cert 2/2
command: >-
{{ bin_dir }}/kubeadm
init phase certs apiserver
@@ -151,14 +151,14 @@
- apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode
- name: kubeadm | Create directory to store kubeadm patches
- name: Kubeadm | Create directory to store kubeadm patches
file:
path: "{{ kubeadm_patches.dest_dir }}"
state: directory
mode: 0640
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: kubeadm | Copy kubeadm patches from inventory files
- name: Kubeadm | Copy kubeadm patches from inventory files
copy:
src: "{{ kubeadm_patches.source_dir }}/"
dest: "{{ kubeadm_patches.dest_dir }}"
@@ -166,7 +166,7 @@
mode: 0644
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: kubeadm | Initialize first master
- name: Kubeadm | Initialize first master
command: >-
timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
{{ bin_dir }}/kubeadm init
@@ -184,7 +184,7 @@
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
notify: Master | restart kubelet
- name: set kubeadm certificate key
- name: Set kubeadm certificate key
set_fact:
kubeadm_certificate_key: "{{ item | regex_search('--certificate-key ([^ ]+)', '\\1') | first }}"
with_items: "{{ hostvars[groups['kube_control_plane'][0]]['kubeadm_init'].stdout_lines | default([]) }}"
@@ -229,17 +229,17 @@
- podsecuritypolicy_enabled
- inventory_hostname == first_kube_control_plane
- name: kubeadm | Join other masters
- name: Kubeadm | Join other masters
include_tasks: kubeadm-secondary.yml
- name: kubeadm | upgrade kubernetes cluster
- name: Kubeadm | upgrade kubernetes cluster
include_tasks: kubeadm-upgrade.yml
when:
- upgrade_cluster_setup
- kubeadm_already_run.stat.exists
# FIXME(mattymo): from docs: If you don't want to taint your control-plane node, set this field to an empty slice, i.e. `taints: {}` in the YAML file.
- name: kubeadm | Remove taint for master with node role
- name: Kubeadm | Remove taint for master with node role
command: "{{ kubectl }} taint node {{ inventory_hostname }} {{ item }}"
delegate_to: "{{ first_kube_control_plane }}"
with_items:
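Review bot: Within this file the word after the `Kubeadm |` prefix is now capitalized in most names but is left lower-case in `Kubeadm | aggregate all SANs`, `Kubeadm | regenerate apiserver cert 1/2`, `Kubeadm | regenerate apiserver cert 2/2` and `Kubeadm | upgrade kubernetes cluster`. ansible-lint's name rule only checks the first character, so this is style, but one form such as `- name: Kubeadm | Aggregate all SANs` keeps the play output uniform. The same mixed form appears in the kubeadm-upgrade section that follows (`Kubeadm | clean kubectl cache ...`, `Kubeadm | scale down coredns ...`).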


@@ -1,5 +1,5 @@
---
- name: kubeadm | Check api is up
- name: Kubeadm | Check api is up
uri:
url: "https://{{ ip | default(fallback_ips[inventory_hostname]) }}:{{ kube_apiserver_port }}/healthz"
validate_certs: false
@@ -9,7 +9,7 @@
delay: 5
until: _result.status == 200
- name: kubeadm | Upgrade first master
- name: Kubeadm | Upgrade first master
command: >-
timeout -k 600s 600s
{{ bin_dir }}/kubeadm
@@ -31,7 +31,7 @@
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
notify: Master | restart kubelet
- name: kubeadm | Upgrade other masters
- name: Kubeadm | Upgrade other masters
command: >-
timeout -k 600s 600s
{{ bin_dir }}/kubeadm
@@ -53,7 +53,7 @@
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
notify: Master | restart kubelet
- name: kubeadm | clean kubectl cache to refresh api types
- name: Kubeadm | clean kubectl cache to refresh api types
file:
path: "{{ item }}"
state: absent
@@ -62,7 +62,7 @@
- /root/.kube/http-cache
# FIXME: https://github.com/kubernetes/kubeadm/issues/1318
- name: kubeadm | scale down coredns replicas to 0 if not using coredns dns_mode
- name: Kubeadm | scale down coredns replicas to 0 if not using coredns dns_mode
command: >-
{{ kubectl }}
-n kube-system


@@ -1,5 +1,6 @@
---
- import_tasks: pre-upgrade.yml
- name: Pre-upgrade control plane
import_tasks: pre-upgrade.yml
tags:
- k8s-pre-upgrade
@@ -23,7 +24,8 @@
dest: "{{ kube_config_dir }}/kubescheduler-config.yaml"
mode: 0644
- import_tasks: encrypt-at-rest.yml
- name: Apply Kubernetes encrypt at rest config
import_tasks: encrypt-at-rest.yml
when:
- kube_encrypt_secret_data


@@ -65,14 +65,14 @@
mode: 0640
when: not is_kube_master
- name: kubeadm | Create directory to store kubeadm patches
- name: Kubeadm | Create directory to store kubeadm patches
file:
path: "{{ kubeadm_patches.dest_dir }}"
state: directory
mode: 0640
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: kubeadm | Copy kubeadm patches from inventory files
- name: Kubeadm | Copy kubeadm patches from inventory files
copy:
src: "{{ kubeadm_patches.source_dir }}/"
dest: "{{ kubeadm_patches.dest_dir }}"


@@ -1,82 +1,82 @@
---
- name: check azure_tenant_id value
- name: Check azure_tenant_id value
fail:
msg: "azure_tenant_id is missing"
when: azure_tenant_id is not defined or not azure_tenant_id
- name: check azure_subscription_id value
- name: Check azure_subscription_id value
fail:
msg: "azure_subscription_id is missing"
when: azure_subscription_id is not defined or not azure_subscription_id
- name: check azure_aad_client_id value
- name: Check azure_aad_client_id value
fail:
msg: "azure_aad_client_id is missing"
when: azure_aad_client_id is not defined or not azure_aad_client_id
- name: check azure_aad_client_secret value
- name: Check azure_aad_client_secret value
fail:
msg: "azure_aad_client_secret is missing"
when: azure_aad_client_secret is not defined or not azure_aad_client_secret
- name: check azure_resource_group value
- name: Check azure_resource_group value
fail:
msg: "azure_resource_group is missing"
when: azure_resource_group is not defined or not azure_resource_group
- name: check azure_location value
- name: Check azure_location value
fail:
msg: "azure_location is missing"
when: azure_location is not defined or not azure_location
- name: check azure_subnet_name value
- name: Check azure_subnet_name value
fail:
msg: "azure_subnet_name is missing"
when: azure_subnet_name is not defined or not azure_subnet_name
- name: check azure_security_group_name value
- name: Check azure_security_group_name value
fail:
msg: "azure_security_group_name is missing"
when: azure_security_group_name is not defined or not azure_security_group_name
- name: check azure_vnet_name value
- name: Check azure_vnet_name value
fail:
msg: "azure_vnet_name is missing"
when: azure_vnet_name is not defined or not azure_vnet_name
- name: check azure_vnet_resource_group value
- name: Check azure_vnet_resource_group value
fail:
msg: "azure_vnet_resource_group is missing"
when: azure_vnet_resource_group is not defined or not azure_vnet_resource_group
- name: check azure_route_table_name value
- name: Check azure_route_table_name value
fail:
msg: "azure_route_table_name is missing"
when: azure_route_table_name is not defined or not azure_route_table_name
- name: check azure_loadbalancer_sku value
- name: Check azure_loadbalancer_sku value
fail:
msg: "azure_loadbalancer_sku has an invalid value '{{ azure_loadbalancer_sku }}'. Supported values are 'basic', 'standard'"
when: azure_loadbalancer_sku not in ["basic", "standard"]
- name: "check azure_exclude_master_from_standard_lb is a bool"
- name: "Check azure_exclude_master_from_standard_lb is a bool"
assert:
that: azure_exclude_master_from_standard_lb | type_debug == 'bool'
- name: "check azure_disable_outbound_snat is a bool"
- name: "Check azure_disable_outbound_snat is a bool"
assert:
that: azure_disable_outbound_snat | type_debug == 'bool'
- name: "check azure_use_instance_metadata is a bool"
- name: "Check azure_use_instance_metadata is a bool"
assert:
that: azure_use_instance_metadata | type_debug == 'bool'
- name: check azure_vmtype value
- name: Check azure_vmtype value
fail:
msg: "azure_vmtype is missing. Supported values are 'standard' or 'vmss'"
when: azure_vmtype is not defined or not azure_vmtype
- name: check azure_cloud value
- name: Check azure_cloud value
fail:
msg: "azure_cloud has an invalid value '{{ azure_cloud }}'. Supported values are 'AzureChinaCloud', 'AzureGermanCloud', 'AzurePublicCloud', 'AzureUSGovernmentCloud'."
when: azure_cloud not in ["AzureChinaCloud", "AzureGermanCloud", "AzurePublicCloud", "AzureUSGovernmentCloud"]


@@ -1,32 +1,32 @@
---
- name: check openstack_auth_url value
- name: Check openstack_auth_url value
fail:
msg: "openstack_auth_url is missing"
when: openstack_auth_url is not defined or not openstack_auth_url
- name: check openstack_username value
- name: Check openstack_username value
fail:
msg: "openstack_username is missing"
when: openstack_username is not defined or not openstack_username
- name: check openstack_password value
- name: Check openstack_password value
fail:
msg: "openstack_password is missing"
when: openstack_password is not defined or not openstack_password
- name: check openstack_region value
- name: Check openstack_region value
fail:
msg: "openstack_region is missing"
when: openstack_region is not defined or not openstack_region
- name: check openstack_tenant_id value
- name: Check openstack_tenant_id value
fail:
msg: "one of openstack_tenant_id or openstack_trust_id must be specified"
when:
- openstack_tenant_id is not defined or not openstack_tenant_id
- openstack_trust_id is not defined
- name: check openstack_trust_id value
- name: Check openstack_trust_id value
fail:
msg: "one of openstack_tenant_id or openstack_trust_id must be specified"
when:


@@ -1,5 +1,5 @@
---
- name: check vsphere environment variables
- name: Check vsphere environment variables
fail:
msg: "{{ item.name }} is missing"
when: item.value is not defined or not item.value


@@ -1,6 +1,7 @@
---
- block:
- name: look up docker cgroup driver
- name: Gather cgroups facts for docker
block:
- name: Look up docker cgroup driver
shell: "set -o pipefail && docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'"
args:
executable: /bin/bash
@@ -8,47 +9,48 @@
changed_when: false
check_mode: no
- name: set kubelet_cgroup_driver_detected fact for docker
- name: Set kubelet_cgroup_driver_detected fact for docker
set_fact:
kubelet_cgroup_driver_detected: "{{ docker_cgroup_driver_result.stdout }}"
when: container_manager == 'docker'
- block:
- name: look up crio cgroup driver
- name: Gather cgroups facts for crio
block:
- name: Look up crio cgroup driver
shell: "set -o pipefail && {{ bin_dir }}/crio-status info | grep 'cgroup driver' | awk -F': ' '{ print $2; }'"
args:
executable: /bin/bash
register: crio_cgroup_driver_result
changed_when: false
- name: set kubelet_cgroup_driver_detected fact for crio
- name: Set kubelet_cgroup_driver_detected fact for crio
set_fact:
kubelet_cgroup_driver_detected: "{{ crio_cgroup_driver_result.stdout }}"
when: container_manager == 'crio'
- name: set kubelet_cgroup_driver_detected fact for containerd
- name: Set kubelet_cgroup_driver_detected fact for containerd
set_fact:
kubelet_cgroup_driver_detected: >-
{%- if containerd_use_systemd_cgroup -%}systemd{%- else -%}cgroupfs{%- endif -%}
when: container_manager == 'containerd'
- name: set kubelet_cgroup_driver
- name: Set kubelet_cgroup_driver
set_fact:
kubelet_cgroup_driver: "{{ kubelet_cgroup_driver_detected }}"
when: kubelet_cgroup_driver is undefined
- name: set kubelet_cgroups options when cgroupfs is used
- name: Set kubelet_cgroups options when cgroupfs is used
set_fact:
kubelet_runtime_cgroups: "{{ kubelet_runtime_cgroups_cgroupfs }}"
kubelet_kubelet_cgroups: "{{ kubelet_kubelet_cgroups_cgroupfs }}"
when: kubelet_cgroup_driver == 'cgroupfs'
- name: set kubelet_config_extra_args options when cgroupfs is used
- name: Set kubelet_config_extra_args options when cgroupfs is used
set_fact:
kubelet_config_extra_args: "{{ kubelet_config_extra_args | combine(kubelet_config_extra_args_cgroupfs) }}"
when: kubelet_cgroup_driver == 'cgroupfs'
- name: os specific vars
- name: Os specific vars
include_vars: "{{ item }}"
with_first_found:
- files:
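Review bot: The capitalized name `- name: Os specific vars` turns the initialism into a word and has no verb, unlike the sibling task in the preinstall facts file that this same commit renames to "Gather os specific variables". `- name: Gather OS specific vars` satisfies the ansible-lint name rule and reads consistently with that sibling. The include_vars task continues past the end of the hunk.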


@@ -1,5 +1,5 @@
---
- name: install | Copy kubeadm binary from download dir
- name: Install | Copy kubeadm binary from download dir
copy:
src: "{{ downloads.kubeadm.dest }}"
dest: "{{ bin_dir }}/kubeadm"
@@ -10,7 +10,7 @@
when:
- not inventory_hostname in groups['kube_control_plane']
- name: install | Copy kubelet binary from download dir
- name: Install | Copy kubelet binary from download dir
copy:
src: "{{ downloads.kubelet.dest }}"
dest: "{{ bin_dir }}/kubelet"


@@ -39,7 +39,7 @@
- kubelet
- kubeadm
- name: flush_handlers and reload-systemd
- name: Flush_handlers and reload-systemd
meta: flush_handlers
- name: Enable kubelet
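Review bot: The new name `- name: Flush_handlers and reload-systemd` carries the meta action's identifier, underscore included, into a human-readable task name; `- name: Flush handlers and reload systemd` says the same thing in plain words. This is style only, the ansible-lint name rule is satisfied either way.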


@@ -1,17 +1,17 @@
---
- name: haproxy | Cleanup potentially deployed nginx-proxy
- name: Haproxy | Cleanup potentially deployed nginx-proxy
file:
path: "{{ kube_manifest_dir }}/nginx-proxy.yml"
state: absent
- name: haproxy | Make haproxy directory
- name: Haproxy | Make haproxy directory
file:
path: "{{ haproxy_config_dir }}"
state: directory
mode: 0755
owner: root
- name: haproxy | Write haproxy configuration
- name: Haproxy | Write haproxy configuration
template:
src: "loadbalancer/haproxy.cfg.j2"
dest: "{{ haproxy_config_dir }}/haproxy.cfg"
@@ -19,7 +19,7 @@
mode: 0755
backup: yes
- name: haproxy | Get checksum from config
- name: Haproxy | Get checksum from config
stat:
path: "{{ haproxy_config_dir }}/haproxy.cfg"
get_attributes: no
@@ -27,7 +27,7 @@
get_mime: no
register: haproxy_stat
- name: haproxy | Write static pod
- name: Haproxy | Write static pod
template:
src: manifests/haproxy.manifest.j2
dest: "{{ kube_manifest_dir }}/haproxy.yml"


@@ -1,12 +1,12 @@
---
- name: kube-vip | Check cluster settings for kube-vip
- name: Kube-vip | Check cluster settings for kube-vip
fail:
msg: "kube-vip require kube_proxy_strict_arp = true, see https://github.com/kube-vip/kube-vip/blob/main/docs/kubernetes/arp/index.md"
when:
- kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
- kube_vip_arp_enabled
- name: kube-vip | Write static pod
- name: Kube-vip | Write static pod
template:
src: manifests/kube-vip.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-vip.yml"


@@ -1,17 +1,17 @@
---
- name: haproxy | Cleanup potentially deployed haproxy
- name: Haproxy | Cleanup potentially deployed haproxy
file:
path: "{{ kube_manifest_dir }}/haproxy.yml"
state: absent
- name: nginx-proxy | Make nginx directory
- name: Nginx-proxy | Make nginx directory
file:
path: "{{ nginx_config_dir }}"
state: directory
mode: 0700
owner: root
- name: nginx-proxy | Write nginx-proxy configuration
- name: Nginx-proxy | Write nginx-proxy configuration
template:
src: "loadbalancer/nginx.conf.j2"
dest: "{{ nginx_config_dir }}/nginx.conf"
@@ -19,7 +19,7 @@
mode: 0755
backup: yes
- name: nginx-proxy | Get checksum from config
- name: Nginx-proxy | Get checksum from config
stat:
path: "{{ nginx_config_dir }}/nginx.conf"
get_attributes: no
@@ -27,7 +27,7 @@
get_mime: no
register: nginx_stat
- name: nginx-proxy | Write static pod
- name: Nginx-proxy | Write static pod
template:
src: manifests/nginx-proxy.manifest.j2
dest: "{{ kube_manifest_dir }}/nginx-proxy.yml"


@@ -1,9 +1,11 @@
---
- import_tasks: facts.yml
- name: Fetch facts
import_tasks: facts.yml
tags:
- facts
- import_tasks: pre_upgrade.yml
- name: Pre-upgrade kubelet
import_tasks: pre_upgrade.yml
tags:
- kubelet
@@ -13,18 +15,21 @@
state: directory
mode: 0755
- import_tasks: install.yml
- name: Install kubelet binary
import_tasks: install.yml
tags:
- kubelet
- import_tasks: loadbalancer/kube-vip.yml
- name: Install kube-vip
import_tasks: loadbalancer/kube-vip.yml
when:
- is_kube_master
- kube_vip_enabled
tags:
- kube-vip
- import_tasks: loadbalancer/nginx-proxy.yml
- name: Install nginx-proxy
import_tasks: loadbalancer/nginx-proxy.yml
when:
- not is_kube_master or kube_apiserver_bind_address != '0.0.0.0'
- loadbalancer_apiserver_localhost
@@ -32,7 +37,8 @@
tags:
- nginx
- import_tasks: loadbalancer/haproxy.yml
- name: Install haproxy
import_tasks: loadbalancer/haproxy.yml
when:
- not is_kube_master or kube_apiserver_bind_address != '0.0.0.0'
- loadbalancer_apiserver_localhost
@@ -141,7 +147,8 @@
tags:
- kube-proxy
- include_tasks: "cloud-credentials/{{ cloud_provider }}-credential-check.yml"
- name: Check cloud provider credentials
include_tasks: "cloud-credentials/{{ cloud_provider }}-credential-check.yml"
when:
- cloud_provider is defined
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
@@ -187,7 +194,8 @@
tags:
- cloud-provider
- import_tasks: kubelet.yml
- name: Install kubelet
import_tasks: kubelet.yml
tags:
- kubelet
- kubeadm


@@ -9,7 +9,7 @@
- none
# kubelet fails even if ansible_swaptotal_mb = 0
- name: check swap
- name: Check swap
command: /sbin/swapon -s
register: swapon
changed_when: no


@@ -21,7 +21,7 @@
tags:
- facts
- name: check if booted with ostree
- name: Check if booted with ostree
stat:
path: /run/ostree-booted
get_attributes: no
@@ -29,7 +29,7 @@
get_mime: no
register: ostree
- name: set is_fedora_coreos
- name: Set is_fedora_coreos
lineinfile:
path: /etc/os-release
line: "VARIANT_ID=coreos"
@@ -38,18 +38,18 @@
register: os_variant_coreos
changed_when: false
- name: set is_fedora_coreos
- name: Set is_fedora_coreos
set_fact:
is_fedora_coreos: "{{ ostree.stat.exists and os_variant_coreos is not changed }}"
- name: check resolvconf
- name: Check resolvconf
command: which resolvconf
register: resolvconf
failed_when: false
changed_when: false
check_mode: no
- name: check existence of /etc/resolvconf/resolv.conf.d
- name: Check existence of /etc/resolvconf/resolv.conf.d
stat:
path: /etc/resolvconf/resolv.conf.d
get_attributes: no
@@ -58,7 +58,7 @@
failed_when: false
register: resolvconfd_path
- name: check status of /etc/resolv.conf
- name: Check status of /etc/resolv.conf
stat:
path: /etc/resolv.conf
follow: no
@@ -68,14 +68,15 @@
failed_when: false
register: resolvconf_stat
- block:
- name: Fetch resolconf
block:
- name: get content of /etc/resolv.conf
- name: Get content of /etc/resolv.conf
slurp:
src: /etc/resolv.conf
register: resolvconf_slurp
- name: get currently configured nameservers
- name: Get currently configured nameservers
set_fact:
configured_nameservers: "{{ resolvconf_slurp.content | b64decode | regex_findall('^nameserver\\s*(.*)', multiline=True) | ipaddr }}"
when: resolvconf_slurp.content is defined
@@ -100,7 +101,7 @@
changed_when: false
check_mode: false
- name: check systemd-resolved
- name: Check systemd-resolved
# noqa command-instead-of-module - Should we use service_facts for this?
command: systemctl is-active systemd-resolved
register: systemd_resolved_enabled
@@ -108,12 +109,12 @@
changed_when: false
check_mode: no
- name: set default dns if remove_default_searchdomains is false
- name: Set default dns if remove_default_searchdomains is false
set_fact:
default_searchdomains: ["default.svc.{{ dns_domain }}", "svc.{{ dns_domain }}"]
when: not remove_default_searchdomains | default() | bool or (remove_default_searchdomains | default() | bool and searchdomains | default([]) | length==0)
- name: set dns facts
- name: Set dns facts
set_fact:
resolvconf: >-
{%- if resolvconf.rc == 0 and resolvconfd_path.stat.isdir is defined and resolvconfd_path.stat.isdir -%}true{%- else -%}false{%- endif -%}
@@ -125,7 +126,7 @@
['169.254.169.253'] if cloud_provider is defined and cloud_provider == 'aws' else
[] }}"
- name: check if kubelet is configured
- name: Check if kubelet is configured
stat:
path: "{{ kube_config_dir }}/kubelet.env"
get_attributes: no
@@ -134,11 +135,11 @@
register: kubelet_configured
changed_when: false
- name: check if early DNS configuration stage
- name: Check if early DNS configuration stage
set_fact:
dns_early: "{{ not kubelet_configured.stat.exists }}"
- name: target resolv.conf files
- name: Target resolv.conf files
set_fact:
resolvconffile: /etc/resolv.conf
base: >-
@@ -147,12 +148,12 @@
{%- if resolvconf | bool -%}/etc/resolvconf/resolv.conf.d/head{%- endif -%}
when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and not is_fedora_coreos
- name: target temporary resolvconf cloud init file (Flatcar Container Linux by Kinvolk / Fedora CoreOS)
- name: Target temporary resolvconf cloud init file (Flatcar Container Linux by Kinvolk / Fedora CoreOS)
set_fact:
resolvconffile: /tmp/resolveconf_cloud_init_conf
when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos
- name: check if /etc/dhclient.conf exists
- name: Check if /etc/dhclient.conf exists
stat:
path: /etc/dhclient.conf
get_attributes: no
@@ -160,12 +161,12 @@
get_mime: no
register: dhclient_stat
- name: target dhclient conf file for /etc/dhclient.conf
- name: Target dhclient conf file for /etc/dhclient.conf
set_fact:
dhclientconffile: /etc/dhclient.conf
when: dhclient_stat.stat.exists
- name: check if /etc/dhcp/dhclient.conf exists
- name: Check if /etc/dhcp/dhclient.conf exists
stat:
path: /etc/dhcp/dhclient.conf
get_attributes: no
@@ -173,22 +174,22 @@
get_mime: no
register: dhcp_dhclient_stat
- name: target dhclient conf file for /etc/dhcp/dhclient.conf
- name: Target dhclient conf file for /etc/dhcp/dhclient.conf
set_fact:
dhclientconffile: /etc/dhcp/dhclient.conf
when: dhcp_dhclient_stat.stat.exists
- name: target dhclient hook file for Red Hat family
- name: Target dhclient hook file for Red Hat family
set_fact:
dhclienthookfile: /etc/dhcp/dhclient.d/zdnsupdate.sh
when: ansible_os_family == "RedHat"
- name: target dhclient hook file for Debian family
- name: Target dhclient hook file for Debian family
set_fact:
dhclienthookfile: /etc/dhcp/dhclient-exit-hooks.d/zdnsupdate
when: ansible_os_family == "Debian"
- name: generate search domains to resolvconf
- name: Generate search domains to resolvconf
set_fact:
searchentries:
search {{ (default_searchdomains | default([]) + searchdomains | default([])) | join(' ') }}
@@ -199,7 +200,7 @@
supersede_domain:
supersede domain-name "{{ dns_domain }}";
- name: pick coredns cluster IP or default resolver
- name: Pick coredns cluster IP or default resolver
set_fact:
coredns_server: |-
{%- if dns_mode == 'coredns' and not dns_early | bool -%}
@@ -215,7 +216,7 @@
{%- endif -%}
# This task should only run after cluster/nodelocal DNS is up, otherwise all DNS lookups will timeout
- name: generate nameservers for resolvconf, including cluster DNS
- name: Generate nameservers for resolvconf, including cluster DNS
set_fact:
nameserverentries: |-
{{ (([nodelocaldns_ip] if enable_nodelocaldns else []) + (coredns_server | d([]) if not enable_nodelocaldns else []) + nameservers | d([]) + cloud_resolver | d([]) + (configured_nameservers | d([]) if not disable_host_nameservers | d() | bool else [])) | unique | join(',') }}
@@ -225,7 +226,7 @@
# This task should run instead of the above task when cluster/nodelocal DNS hasn't
# been deployed yet (like scale.yml/cluster.yml) or when it's down (reset.yml)
- name: generate nameservers for resolvconf, not including cluster DNS
- name: Generate nameservers for resolvconf, not including cluster DNS
set_fact:
nameserverentries: |-
{{ (nameservers | d([]) + cloud_resolver | d([]) + configured_nameservers | d([])) | unique | join(',') }}
@@ -233,7 +234,7 @@
supersede domain-name-servers {{ (nameservers | d([]) + cloud_resolver | d([])) | unique | join(', ') }};
when: dns_early and not dns_late
- name: gather os specific variables
- name: Gather os specific variables
include_vars: "{{ item }}"
with_first_found:
- files:
@@ -247,7 +248,7 @@
- ../vars
skip: true
- name: set etcd vars if using kubeadm mode
- name: Set etcd vars if using kubeadm mode
set_fact:
etcd_cert_dir: "{{ kube_cert_dir }}"
kube_etcd_cacert_file: "etcd/ca.crt"
@@ -256,7 +257,7 @@
when:
- etcd_deployment_type == "kubeadm"
- name: check /usr readonly
- name: Check /usr readonly
stat:
path: "/usr"
get_attributes: no
@@ -264,7 +265,7 @@
get_mime: no
register: usr
- name: set alternate flexvolume path
- name: Set alternate flexvolume path
set_fact:
kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volumeplugins
when: not usr.stat.writeable
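Review bot: The block name added above the /etc/resolv.conf slurp misspells the tool: `- name: Fetch resolconf` should read `- name: Fetch resolvconf`, and since the block also derives configured_nameservers, `- name: Gather resolvconf facts` would describe it more closely. Two consecutive tasks now also carry the identical name "Set is_fedora_coreos": the lineinfile probe registered as os_variant_coreos and the set_fact that follows it, which makes play output ambiguous; giving the probe its own name, e.g. `- name: Check for VARIANT_ID=coreos in /etc/os-release`, keeps each name unique. ansible-lint's name rule does not catch either of these, so they need a manual fix.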


@@ -152,7 +152,7 @@
msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
when: not ignore_assert_errors
- name: check cloud_provider value
- name: Check cloud_provider value
assert:
that: cloud_provider in ['gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
msg: "If set the 'cloud_provider' var must be set either to 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci' or 'external'"


@@ -1,5 +1,5 @@
---
- name: create temporary resolveconf cloud init file
- name: Create temporary resolveconf cloud init file
command: cp -f /etc/resolv.conf "{{ resolvconffile }}"
when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
@@ -43,12 +43,12 @@
- [ 'search\s', 'nameserver\s', 'domain\s', 'options\s' ]
notify: Preinstall | propagate resolvconf to k8s components
- name: get temporary resolveconf cloud init file content
- name: Get temporary resolveconf cloud init file content
command: cat {{ resolvconffile }}
register: cloud_config
when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
- name: persist resolvconf cloud init file
- name: Persist resolvconf cloud init file
template:
dest: "{{ resolveconf_cloud_init_conf }}"
src: resolvconf.j2


@@ -9,7 +9,7 @@
backup: yes
notify: Preinstall | update resolvconf for networkmanager
- name: set default dns if remove_default_searchdomains is false
- name: Set default dns if remove_default_searchdomains is false
set_fact:
default_searchdomains: ["default.svc.{{ dns_domain }}", "svc.{{ dns_domain }}"]
when: not remove_default_searchdomains | default() | bool or (remove_default_searchdomains | default() | bool and searchdomains | default([]) | length==0)


@@ -9,7 +9,8 @@
- ansible_pkg_mgr == 'zypper'
tags: bootstrap-os
- block:
- name: Add debian 10 required repos
block:
- name: Add Debian Backports apt repo
apt_repository:
repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main"
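Review bot: The block name `- name: Add debian 10 required repos` hard-codes a release, while the only visible task inside the block builds its repository line from `{{ ansible_distribution_release }}-backports`, so it applies to whichever Debian release is running. If the block's when condition (outside this hunk) restricts it to buster the name is accurate; otherwise `- name: Add Debian required repos` avoids a name that goes stale on later releases. The block continues past the end of the hunk.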


@@ -2,7 +2,7 @@
# Running growpart seems to be only required on Azure, as other Cloud Providers do this at boot time
- name: install growpart
- name: Install growpart
package:
name: cloud-utils-growpart
state: present
@@ -20,7 +20,7 @@
partition: "{{ _root_device | first | regex_replace('[^0-9]+([0-9]+)', '\\1') }}"
root_device: "{{ _root_device }}"
- name: check if growpart needs to be run
- name: Check if growpart needs to be run
command: growpart -N {{ device }} {{ partition }}
failed_when: False
changed_when: "'NOCHANGE:' not in growpart_needed.stdout"
@@ -28,17 +28,17 @@
environment:
LC_ALL: C
- name: check fs type
- name: Check fs type
command: file -Ls {{ root_device }}
changed_when: False
register: fs_type
- name: run growpart # noqa no-handler
- name: Run growpart # noqa no-handler
command: growpart {{ device }} {{ partition }}
when: growpart_needed.changed
environment:
LC_ALL: C
- name: run xfs_growfs # noqa no-handler
- name: Run xfs_growfs # noqa no-handler
command: xfs_growfs {{ root_device }}
when: growpart_needed.changed and 'XFS' in fs_type.stdout


@@ -1,26 +1,31 @@
---
# Disable swap
- import_tasks: 0010-swapoff.yml
- name: Disable swap
import_tasks: 0010-swapoff.yml
when:
- not dns_late
- kubelet_fail_swap_on
- import_tasks: 0020-set_facts.yml
- name: Set facts
import_tasks: 0020-set_facts.yml
tags:
- resolvconf
- facts
- import_tasks: 0040-verify-settings.yml
- name: Check settings
import_tasks: 0040-verify-settings.yml
when:
- not dns_late
tags:
- asserts
- import_tasks: 0050-create_directories.yml
- name: Create directories
import_tasks: 0050-create_directories.yml
when:
- not dns_late
- import_tasks: 0060-resolvconf.yml
- name: Apply resolvconf settings
import_tasks: 0060-resolvconf.yml
when:
- dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf'
@@ -30,7 +35,8 @@
- bootstrap-os
- resolvconf
- import_tasks: 0061-systemd-resolved.yml
- name: Apply systemd-resolved settings
import_tasks: 0061-systemd-resolved.yml
when:
- dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf'
@@ -39,13 +45,15 @@
- bootstrap-os
- resolvconf
- import_tasks: 0062-networkmanager-unmanaged-devices.yml
- name: Apply networkmanager unmanaged devices settings
import_tasks: 0062-networkmanager-unmanaged-devices.yml
when:
- networkmanager_enabled.rc == 0
tags:
- bootstrap-os
- import_tasks: 0063-networkmanager-dns.yml
- name: Apply networkmanager DNS settings
import_tasks: 0063-networkmanager-dns.yml
when:
- dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf'
@@ -54,31 +62,36 @@
- bootstrap-os
- resolvconf
- import_tasks: 0070-system-packages.yml
- name: Install required system packages
import_tasks: 0070-system-packages.yml
when:
- not dns_late
tags:
- bootstrap-os
- import_tasks: 0080-system-configurations.yml
- name: Apply system configurations
import_tasks: 0080-system-configurations.yml
when:
- not dns_late
tags:
- bootstrap-os
- import_tasks: 0081-ntp-configurations.yml
- name: Configure NTP
import_tasks: 0081-ntp-configurations.yml
when:
- not dns_late
- ntp_enabled
tags:
- bootstrap-os
- import_tasks: 0090-etchosts.yml
- name: Configure /etc/hosts
import_tasks: 0090-etchosts.yml
tags:
- bootstrap-os
- etchosts
- import_tasks: 0100-dhclient-hooks.yml
- name: Configure dhclient
import_tasks: 0100-dhclient-hooks.yml
when:
- dns_mode != 'none'
- resolvconf_mode == 'host_resolvconf'
@@ -88,7 +101,8 @@
- bootstrap-os
- resolvconf
- import_tasks: 0110-dhclient-hooks-undo.yml
- name: Configure dhclient dhclient hooks
import_tasks: 0110-dhclient-hooks-undo.yml
when:
- dns_mode != 'none'
- resolvconf_mode != 'host_resolvconf'
@@ -115,7 +129,8 @@
tags:
- bootstrap-os
- import_tasks: 0120-growpart-azure-centos-7.yml
- name: Grow partition on azure CentOS
import_tasks: 0120-growpart-azure-centos-7.yml
when:
- not dns_late
- azure_check.stat.exists
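Review bot: The name added for the 0110-dhclient-hooks-undo.yml import repeats a word, `- name: Configure dhclient dhclient hooks`, and does not convey that this is the undo path: it runs when resolvconf_mode != 'host_resolvconf', the opposite of the condition on the 0100-dhclient-hooks.yml import named "Configure dhclient" just above it. Something like `- name: Remove dhclient hooks` would match the file name; the exact verb depends on what 0110-dhclient-hooks-undo.yml does, which is outside this diff.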


@@ -1,6 +1,7 @@
---
- import_tasks: check-tokens.yml
- name: Check tokens
import_tasks: check-tokens.yml
tags:
- k8s-secrets
- k8s-gen-tokens
@@ -13,7 +14,8 @@
mode: 0644
group: "{{ kube_cert_group }}"
- import_tasks: gen_tokens.yml
- name: Generate tokens
import_tasks: gen_tokens.yml
tags:
- k8s-secrets
- k8s-gen-tokens