From 0df32b03cadab6965322964b067c1e93eb2cb206 Mon Sep 17 00:00:00 2001
From: woopstar
Date: Wed, 28 Mar 2018 17:42:12 +0200
Subject: [PATCH 1/4] Update openssl.conf to count better and work with Jinja 2.9

---
 roles/etcd/templates/openssl.conf.j2 | 21 +++++----
 .../secrets/templates/openssl.conf.j2 | 44 +++++++++++--------
 2 files changed, 36 insertions(+), 29 deletions(-)

diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index 48327f0bf..2f4f7e262 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -1,4 +1,4 @@
-[req]
+{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name
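Review bot: The start values in `{% set counter = {'dns': 2,'ip': 1,} %}` are silently coupled to the literal `DNS.1 = localhost` entry later in the file, and the same applies to `{'dns': 6, ...}` in roles/kubernetes/secrets/templates/openssl.conf.j2, which has to match the five hard-coded DNS.1–DNS.5 entries there; if either literal list changes, the generated SAN indices overlap or skip without any error. Neither hunk explains why a mutable dict and a `dct.update()` call inside a never-taken `{% if %}` are used. A comment after the set line in both templates would make the contract explicit: `{# Jinja >= 2.9 scopes {% set %} to the enclosing loop, so SAN indices are carried in a mutable dict; 'dns' must start right after the literal DNS.N entries below #}`.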
@@ -25,19 +25,18 @@ authorityKeyIdentifier=keyid:always,issuer
 [alt_names]
 DNS.1 = localhost
 {% for host in groups['etcd'] %}
-DNS.{{ 1 + loop.index }} = {{ host }}
+DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
 {% endfor %}
-{% if loadbalancer_apiserver is defined %}
-{% set idx = groups['etcd'] | length | int + 2 %}
-DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
+{% if apiserver_loadbalancer_domain_name is defined %}
+DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
 {% endif %}
-{% set idx = groups['etcd'] | length | int + 3 %}
 {% for etcd_alt_name in etcd_cert_alt_names %}
-DNS.{{ idx + 1 + loop.index }} = {{ etcd_alt_name }}
+DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
 {% endfor %}
 {% for host in groups['etcd'] %}
-IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
-IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
+{% if hostvars[host]['access_ip'] is defined %}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
+{% endif %}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
 {% endfor %}
-{% set idx = groups['etcd'] | length | int * 2 + 1 %}
-IP.{{ idx }} = 127.0.0.1
+IP.{{ counter["ip"] }} = 127.0.0.1
diff --git a/roles/kubernetes/secrets/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl.conf.j2
index adc875ba6..579e2aad1 100644
--- a/roles/kubernetes/secrets/templates/openssl.conf.j2
+++ b/roles/kubernetes/secrets/templates/openssl.conf.j2
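Review bot: The guard for the load-balancer SAN changed from `loadbalancer_apiserver is defined` to `apiserver_loadbalancer_domain_name is defined`, which is a different condition, not just a Jinja 2.9 fix. If that domain-name variable carries a default that is set even when no load balancer is configured (I cannot tell from this hunk), the etcd certificate gains a DNS SAN for a name nothing serves, widening what the certificate is valid for. Keeping both conditions avoids that: `{% if loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined %}`.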
@@ -1,4 +1,4 @@
-[req]
+{% set counter = {'dns': 6,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name
 [req_distinguished_name]
@@ -13,31 +13,39 @@ DNS.3 = kubernetes.default.svc
 DNS.4 = kubernetes.default.svc.{{ dns_domain }}
 DNS.5 = localhost
 {% for host in groups['kube-master'] %}
-DNS.{{ 5 + loop.index }} = {{ host }}
+DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
 {% endfor %}
-{% set idns = groups['kube-master'] | length | int + 5 %}
-{% if loadbalancer_apiserver is defined %}
-{% set idns = idns + 1 %}
-DNS.{{ idns | string }} = {{ apiserver_loadbalancer_domain_name }}
+{% for host in groups['kube-node'] %}
+DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
+{% endfor %}
+{% if apiserver_loadbalancer_domain_name is defined %}
+DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
 {% endif %}
 {% for host in groups['kube-master'] %}
-IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
-IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
-{% endfor %}
-{% set idx = groups['kube-master'] | length | int * 2 + 1 %}
-IP.{{ idx }} = {{ kube_apiserver_ip }}
-{% if loadbalancer_apiserver is defined %}
-IP.{{ idx + 1 }} = {{ loadbalancer_apiserver.address }}
-{% set idx = idx + 1 %}
+{% if hostvars[host]['access_ip'] is defined %}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
+{% endif %}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
+{% endfor %}
+{% for host in groups['kube-node'] %}
+{% if hostvars[host]['access_ip'] is defined %}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
+{% endif %}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
+{% endfor %}
+{% if kube_apiserver_ip is defined %}
+IP.{{ 
counter["ip"] }} = {{ kube_apiserver_ip }}{{ increment(counter, 'ip') }}
+{% endif %}
+{% if loadbalancer_apiserver.address is defined %}
+IP.{{ counter["ip"] }} = {{ loadbalancer_apiserver.address }}{{ increment(counter, 'ip') }}
 {% endif %}
-IP.{{ idx + 1 }} = 127.0.0.1
 {% if supplementary_addresses_in_ssl_keys is defined %}
-{% set is = idx + 1 %}
 {% for addr in supplementary_addresses_in_ssl_keys %}
 {% if addr | ipaddr %}
-IP.{{ is + loop.index }} = {{ addr }}
+IP.{{ counter["ip"] }} = {{ addr }}{{ increment(counter, 'ip') }}
 {% else %}
-DNS.{{ idns + loop.index }} = {{ addr }}
+DNS.{{ counter["dns"] }} = {{ addr }}{{ increment(counter, 'dns') }}
 {% endif %}
 {% endfor %}
 {% endif %}
+IP.{{ counter["ip"] }} = 127.0.0.1

From 0b5404b2b7561e268e10bf96796170a4a326658c Mon Sep 17 00:00:00 2001
From: woopstar
Date: Wed, 28 Mar 2018 20:28:02 +0200
Subject: [PATCH 2/4] Fix

---
 roles/kubernetes/secrets/templates/openssl.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/kubernetes/secrets/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl.conf.j2
index 579e2aad1..d9720c3fe 100644
--- a/roles/kubernetes/secrets/templates/openssl.conf.j2
+++ b/roles/kubernetes/secrets/templates/openssl.conf.j2
@@ -36,7 +36,7 @@ IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansib
 {% if kube_apiserver_ip is defined %}
 IP.{{ counter["ip"] }} = {{ kube_apiserver_ip }}{{ increment(counter, 'ip') }}
 {% endif %}
-{% if loadbalancer_apiserver.address is defined %}
+{% if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined %}
 IP.{{ counter["ip"] }} = {{ loadbalancer_apiserver.address }}{{ increment(counter, 'ip') }}
 {% endif %}
 {% if supplementary_addresses_in_ssl_keys is defined %}
From 004b0a3fcf47b601bfe2bf76c2a49b8144199858 Mon Sep 17 00:00:00 2001
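Review bot: Wrapping the cluster API service address in `{% if kube_apiserver_ip is defined %}` turns a missing variable from a render-time failure into a certificate that silently lacks that IP SAN, so in-cluster clients talking to the service address would fail TLS verification only after an apparently successful deploy; before this change `IP.{{ idx }} = {{ kube_apiserver_ip }}` was unconditional. Keep it unconditional, or fail loudly with `IP.{{ counter["ip"] }} = {{ kube_apiserver_ip | mandatory }}{{ increment(counter, 'ip') }}`. Separately, the two new `groups['kube-node']` loops put every worker's name and IP into the SAN list; if this conf also issues per-node certificates that is expected, but if it only feeds the API server certificate it widens that cert's scope, and a comment naming which certificates are cut from this conf would settle it.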
From: woopstar
Date: Fri, 30 Mar 2018 11:38:06 +0200
Subject: [PATCH 3/4] Fix merge conflict

---
 .../master/templates/kubeadm-config.yaml.j2 | 74 ++++++++++++++++++-
 1 file changed, 70 insertions(+), 4 deletions(-)

diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 393eaf99f..c2339d890 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -16,8 +16,11 @@ networking:
   serviceSubnet: {{ kube_service_addresses }}
   podSubnet: {{ kube_pods_subnet }}
 kubernetesVersion: {{ kube_version }}
-{% if cloud_provider is defined and cloud_provider != "gce" %}
-cloudProvider: {{ cloud_provider }}
+{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
+cloud-provider: {{ cloud_provider }}
+cloud-config: {{ kube_config_dir }}/cloud_config
+{% elif cloud_provider is defined and cloud_provider == "aws" %}
+cloud-provider: {{ cloud_provider }}
 {% endif %}
 {% if kube_proxy_mode == 'ipvs' %}
 kubeProxy:
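Review bot: PATCH 3/4 is undone line for line by PATCH 4/4 (this hunk and the apiServerExtraArgs, controllerManagerExtraArgs/schedulerExtraArgs and ExtraVolumes hunks alike), so the series lands two commits that cancel each other; drop or squash both before merge instead of keeping a "Fix merge conflict" followed by a "Revert". If this content is ever reintroduced, two things in it need fixing first: this hunk replaces the top-level `cloudProvider:` field with `cloud-provider:`/`cloud-config:`, which look like component flag names rather than kubeadm MasterConfiguration fields (the revert restores `cloudProvider:`), and the ExtraVolumes hunk lists `  - name: cloud-config` and `- name: basic-auth-config` at different indentation under `apiServerExtraVolumes:`, which would not parse as a single list when both conditions hold.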
@@ -38,12 +41,24 @@ apiServerExtraArgs:
   apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version | version_compare('v1.9', '>=') %}
   endpoint-reconciler-type: lease
-{% endif %}
+{% endif %}
   service-node-port-range: {{ kube_apiserver_node_port_range }}
   kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
+  profiling: "{{ kube_profiling }}"
+  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+  repair-malformed-updates: "false"
+{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
+  anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
+{% if kube_feature_gates %}
+  feature-gates: {{ kube_feature_gates|join(',') }}
+{% endif %}
 {% if kube_basic_auth|default(true) %}
   basic-auth-file: {{ kube_users_dir }}/known_users.csv
 {% endif %}
+{% if kube_token_auth|default(true) %}
+  token-auth-file: {{ kube_token_dir }}/known_tokens.csv
+{% endif %}
 {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
   oidc-issuer-url: {{ kube_oidc_url }}
   oidc-client-id: {{ kube_oidc_client_id }}
@@ -72,6 +87,23 @@ controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
   pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+  enable-hostpath-provisioner: "{{ kube_hostpath_dynamic_provisioner }}"
+  profiling: "{{ kube_profiling }}"
+{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
+  cloud-provider: {{cloud_provider}}
+  cloud-config: {{ kube_config_dir }}/cloud_config
+{% elif cloud_provider is defined and cloud_provider in ["aws", "external"] %}
+  cloud-provider: {{cloud_provider}}
+{% endif %}
+{% if kube_network_plugin is defined and kube_network_plugin == 'cloud' %}
+  configure-cloud-routes: "true"
+{% endif %}
+{% if kube_network_plugin is defined and kube_network_plugin in ["cloud", "flannel", "canal", "cilium"] %}
+  allocate-node-cidrs: true
+  cluster-cidr: {{ kube_pods_subnet }}
+  service-cluster-ip-range: {{ kube_service_addresses }}
+  node-cidr-mask-size: {{ kube_network_node_prefix }}
+{% endif %}
 {% if kube_feature_gates %}
   feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
@@ -80,6 +112,13 @@ controllerManagerExtraArgs:
 {% endfor %}
 {% if kube_kubeadm_scheduler_extra_args|length > 0 %}
 schedulerExtraArgs:
+{% if volume_cross_zone_attachment %}
+  policy-config-file: {{ kube_config_dir }}/kube-scheduler-policy.yaml
+{% endif %}
+  profiling: "{{ kube_profiling }}"
+{% if kube_feature_gates %}
+  feature-gates: {{ kube_feature_gates|join(',') }}
+{% endif %}
 {% for key in kube_kubeadm_scheduler_extra_args %}
   {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
 {% endfor %}
@@ -93,4 +132,31 @@ unifiedControlPlaneImage: "{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}"
 {% if kube_override_hostname|default('') %}
 nodeName: {{ kube_override_hostname }}
 {% endif %}
-
+apiServerExtraVolumes:
+{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
+  - name: cloud-config
+    hostPath: {{ kube_config_dir }}
+    mountPath: {{ kube_config_dir }}
+{% endif %}
+{% if kube_basic_auth|default(true) %}
+- name: basic-auth-config
+  hostPath: {{ kube_users_dir }}
+  mountPath: {{ kube_users_dir }}
+{% endif %}
+{% if kube_token_auth|default(true) %}
+- name: token-auth-config
+  hostPath: {{ kube_token_dir }}
+  mountPath: {{ kube_token_dir }}
+{% endif %}
+controllerManagerExtraVolumes:
+{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
+  - name: cloud-config
+    hostPath: {{ kube_config_dir }}
+    mountPath: {{ kube_config_dir }}
+{% endif %}
+schedulerExtraVolumes:
+{% if (cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"]) or volume_cross_zone_attachment %}
+  - name: cloud-config
+    hostPath: {{ kube_config_dir }}
+    mountPath: {{ kube_config_dir }}
+{% endif %}

From af5f376163af5f4f4bfe20efe04610c78f3e657b Mon Sep 17 00:00:00 2001
From: Andreas Kruger
Date: Fri, 30 Mar 2018 11:42:20 +0200
Subject: [PATCH 4/4] Revert

---
 .../master/templates/kubeadm-config.yaml.j2 | 71 +------------------
 1 file changed, 2 insertions(+), 69 deletions(-)

diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index c2339d890..0eccb4918 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -16,11 +16,8 @@ networking:
   serviceSubnet: {{ kube_service_addresses }}
   podSubnet: {{ kube_pods_subnet }}
 kubernetesVersion: {{ kube_version }}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
-cloud-provider: {{ cloud_provider }}
-cloud-config: {{ kube_config_dir }}/cloud_config
-{% elif cloud_provider is defined and cloud_provider == "aws" %}
-cloud-provider: {{ cloud_provider }}
+{% if cloud_provider is defined and cloud_provider != "gce" %}
+cloudProvider: {{ cloud_provider }}
 {% endif %}
 {% if kube_proxy_mode == 'ipvs' %}
 kubeProxy:
@@ -44,21 +41,9 @@ apiServerExtraArgs:
 {% endif %}
   service-node-port-range: {{ kube_apiserver_node_port_range }}
   kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
-  profiling: "{{ kube_profiling }}"
-  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-  repair-malformed-updates: "false"
-{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
-  anonymous-auth: "{{ kube_api_anonymous_auth }}"
-{% endif %}
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
 {% if kube_basic_auth|default(true) %}
   basic-auth-file: {{ kube_users_dir }}/known_users.csv
 {% endif %}
-{% if kube_token_auth|default(true) %}
-  token-auth-file: {{ kube_token_dir }}/known_tokens.csv
-{% endif %}
 {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
   oidc-issuer-url: {{ kube_oidc_url }}
   oidc-client-id: {{ kube_oidc_client_id }}
@@ -87,23 +72,6 @@ controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
   pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
-  enable-hostpath-provisioner: "{{ kube_hostpath_dynamic_provisioner }}"
-  profiling: "{{ kube_profiling }}"
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
-  cloud-provider: {{cloud_provider}}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% elif cloud_provider is defined and cloud_provider in ["aws", "external"] %}
-  cloud-provider: {{cloud_provider}}
-{% endif %}
-{% if kube_network_plugin is defined and kube_network_plugin == 'cloud' %}
-  configure-cloud-routes: "true"
-{% endif %}
-{% if kube_network_plugin is defined and kube_network_plugin in ["cloud", "flannel", "canal", "cilium"] %}
-  allocate-node-cidrs: true
-  cluster-cidr: {{ kube_pods_subnet }}
-  service-cluster-ip-range: {{ kube_service_addresses }}
-  node-cidr-mask-size: {{ kube_network_node_prefix }}
-{% endif %}
 {% if kube_feature_gates %}
   feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
@@ -112,13 +80,6 @@ controllerManagerExtraArgs:
 {% endfor %}
 {% if kube_kubeadm_scheduler_extra_args|length > 0 %}
 schedulerExtraArgs:
-{% if volume_cross_zone_attachment %}
-  policy-config-file: {{ kube_config_dir }}/kube-scheduler-policy.yaml
-{% endif %}
-  profiling: "{{ kube_profiling }}"
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
 {% for key in kube_kubeadm_scheduler_extra_args %}
   {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
 {% endfor %}
@@ -132,31 +93,3 @@ unifiedControlPlaneImage: "{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}"
 {% if kube_override_hostname|default('') %}
 nodeName: {{ kube_override_hostname }}
 {% endif %}
-apiServerExtraVolumes:
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
-  - name: cloud-config
-    hostPath: {{ kube_config_dir }}
-    mountPath: {{ kube_config_dir }}
-{% endif %}
-{% if kube_basic_auth|default(true) %}
-- name: basic-auth-config
-  hostPath: {{ kube_users_dir }}
-  mountPath: {{ kube_users_dir }}
-{% endif %}
-{% if kube_token_auth|default(true) %}
-- name: token-auth-config
-  hostPath: {{ kube_token_dir }}
-  mountPath: {{ kube_token_dir }}
-{% endif %}
-controllerManagerExtraVolumes:
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
-  - name: cloud-config
-    hostPath: {{ kube_config_dir }}
-    mountPath: {{ kube_config_dir }}
-{% endif %}
-schedulerExtraVolumes:
-{% if (cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"]) or volume_cross_zone_attachment %}
-  - name: cloud-config
-    hostPath: {{ kube_config_dir }}
-    mountPath: {{ kube_config_dir }}
-{% endif %}