Add tags

Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2026-02-22 13:36:06 -03:30 · 2016-12-08 14:36:00 +01:00
parent 710d5ae48e
commit 8cc84e132a
35 changed files with 205 additions and 10 deletions
--- a/roles/bootstrap-os/tasks/bootstrap-coreos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
@@ -3,7 +3,7 @@
  raw: stat /opt/bin/.bootstrapped
  register: need_bootstrap
  ignore_errors: True
-
+  tags: facts

 - name: Bootstrap | Run bootstrap.sh
  script: bootstrap.sh
@@ -11,6 +11,7 @@

 - set_fact:
    ansible_python_interpreter: "/opt/bin/python"
+  tags: facts

 - name: Bootstrap | Check if we need to install pip
  shell: "{{ansible_python_interpreter}} -m pip --version"
@@ -18,6 +19,7 @@
  ignore_errors: True
  changed_when: false
  when: (need_bootstrap | failed)
+  tags: facts

 - name: Bootstrap | Copy get-pip.py
  copy: src=get-pip.py dest=~/get-pip.py
--- a/roles/bootstrap-os/tasks/bootstrap-ubuntu.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-ubuntu.yml
@@ -5,6 +5,7 @@
  raw: which python
  register: need_bootstrap
  ignore_errors: True
+  tags: facts

 - name: Bootstrap | Install python 2.x
  raw: apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal
@@ -12,3 +13,4 @@

 - set_fact:
    ansible_python_interpreter: "/usr/bin/python"
+  tags: facts
--- a/roles/dnsmasq/meta/main.yml
+++ b/roles/dnsmasq/meta/main.yml
@@ -3,3 +3,4 @@ dependencies:
  - role: download
    file: "{{ downloads.dnsmasq }}"
    when: not skip_dnsmasq|default(false) and download_localhost|default(false)
+    tags: [download, dnsmasq]
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -1,5 +1,7 @@
 ---
 - include: dnsmasq.yml
  when: "{{ not skip_dnsmasq_k8s|bool }}"
+  tags: dnsmasq

 - include: resolvconf.yml
+  tags: resolvconf
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -12,6 +12,7 @@
      paths:
      - ../vars
      skip: true
+  tags: facts

 - name: check for minimum kernel version
  fail:
@@ -20,6 +21,7 @@
          {{ docker_kernel_min_version }} on
          {{ ansible_distribution }}-{{ ansible_distribution_version }}
  when: (ansible_os_family != "CoreOS") and (ansible_kernel|version_compare(docker_kernel_min_version, "<"))
+  tags: facts

 - name: ensure docker repository public key is installed
  action: "{{ docker_repo_key_info.pkg_key }}"
@@ -76,4 +78,4 @@
    enabled: yes
    state: started
  with_items:
-    - docker
+    - docker
--- a/roles/docker/tasks/non-systemd.yml
+++ b/roles/docker/tasks/non-systemd.yml
@@ -4,19 +4,23 @@
  set_fact:
    docker_options_file: >-
      {%- if ansible_os_family == "Debian" -%}/etc/default/docker{%- elif ansible_os_family == "RedHat" -%}/etc/sysconfig/docker{%- endif -%}
+  tags: facts

 - name: Set docker options config variable name
  set_fact:
    docker_options_name: >-
      {%- if ansible_os_family == "Debian" -%}DOCKER_OPTS{%- elif ansible_os_family == "RedHat" -%}other_args{%- endif -%}
+  tags: facts

 - name: Set docker options config value to be written
  set_fact:
    docker_options_value: '"{{ docker_options }} $DOCKER_NETWORK_OPTIONS $DOCKER_STORAGE_OPTIONS $INSECURE_REGISTRY"'
+  tags: facts

 - name: Set docker options config line to be written
  set_fact:
    docker_options_line: "{{ docker_options_name }}={{ docker_options_value }}"
+  tags: facts

 - name: Set docker proxy lines to be written
  set_fact:
@@ -24,6 +28,7 @@
     - { name: "HTTP_PROXY", value: '"{{ http_proxy }}"' }
     - { name: "HTTPS_PROXY", value: '"{{ https_proxy }}"' }
     - { name: "NO_PROXY", value: '"{{ no_proxy }}"' }
+  tags: facts

 - name: Remove docker daemon proxy config lines that don't match desired lines
  lineinfile:
@@ -58,4 +63,4 @@
    mode: 0644
  notify: restart docker

- meta: flush_handlers
+- meta: flush_handlers
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -45,6 +45,7 @@

 - set_fact:
    download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
+  tags: facts

 - name: Create dest directory for saved/loaded container images
  file: path="{{local_release_dir}}/containers" state=directory recurse=yes mode=0755 owner={{ansible_ssh_user|default(ansible_user_id)}}
@@ -78,6 +79,7 @@

 - set_fact:
    fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|regex_replace('/|\0|:', '_')}}.tar"
+  tags: facts

 - name: "Set default value for 'container_changed' to false"
  set_fact:
@@ -89,6 +91,7 @@
  when: "{{ download.enabled|bool and download.container|bool }}"
  delegate_to: "{{ download_delegate if download_run_once|bool else inventory_hostname }}"
  run_once: "{{ download_run_once|bool }}"
+  tags: facts

 - name: Stat saved container image
  stat: path="{{fname}}"
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -7,3 +7,4 @@ dependencies:
    when: (ansible_os_family != "CoreOS" and etcd_deployment_type == "docker" or inventory_hostname in groups['k8s-cluster'])
  - role: download
    file: "{{ downloads.etcd }}"
+    tags: download
--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -5,6 +5,7 @@
  ignore_errors: true
  changed_when: false
  when: is_etcd_master
+  tags: facts

 - name: Configure | Add member to the cluster if it is not there
  when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -42,6 +42,7 @@
 - set_fact:
    master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'member.pem', 'member-key.pem']
    node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
+  tags: facts

 - name: Gen_certs | Gather etcd master certs
  shell: "tar cfz - -C {{ etcd_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }}| base64 --wrap=0"
@@ -78,6 +79,7 @@
    state=directory
    owner=kube
    recurse=yes
+  tags: facts

 - name: Gen_certs | set permissions on keys
  shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
@@ -94,6 +96,7 @@
      {%- elif ansible_os_family == "CoreOS" -%}
      /etc/ssl/certs/etcd-ca.pem
      {%- endif %}
+  tags: facts

 - name: Gen_certs | add CA to trusted CA dir
  copy:
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,9 +1,13 @@
 ---
 - include: pre_upgrade.yml
+  tags: etcd-pre-upgrade
 - include: check_certs.yml
+  tags: [etcd-secrets, facts]
 - include: gen_certs.yml
+  tags: etcd-secrets
 - include: install.yml
  when: is_etcd_master
+  tags: upgrade
 - include: set_cluster_health.yml
  when: is_etcd_master
 - include: configure.yml
--- a/roles/etcd/tasks/pre_upgrade.yml
+++ b/roles/etcd/tasks/pre_upgrade.yml
@@ -2,11 +2,13 @@
  stat:
    path: /etc/systemd/system/etcd-proxy.service
  register: kube_apiserver_service_file
+  tags: facts

 - name: "Pre-upgrade | check for etcd-proxy init script"
  stat:
    path: /etc/init.d/etcd-proxy
  register: kube_apiserver_init_script
+  tags: facts

 - name: "Pre-upgrade | stop etcd-proxy if service defined"
  service:
--- a/roles/etcd/tasks/set_cluster_health.yml
+++ b/roles/etcd/tasks/set_cluster_health.yml
@@ -5,3 +5,4 @@
  ignore_errors: true
  changed_when: false
  when: is_etcd_master
+  tags: facts
--- a/roles/kubernetes-apps/ansible/tasks/main.yaml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yaml
@@ -6,6 +6,7 @@
    - {file: kubedns-svc.yml, type: svc}
  register: manifests
  when: inventory_hostname == groups['kube-master'][0]
+  tags: dnsmasq

 - name: Kubernetes Apps | Start Resources
  kube:
@@ -17,11 +18,14 @@
    state: "{{item.changed | ternary('latest','present') }}"
  with_items: "{{ manifests.results }}"
  when: inventory_hostname == groups['kube-master'][0]
+  tags: dnsmasq

 - include: tasks/calico-policy-controller.yml
  when: ( enable_network_policy is defined and enable_network_policy == True ) or
    ( kube_network_plugin == 'canal' )
+  tags: [network, canal]

 - name: Kubernetes Apps | Netchecker
  include: tasks/netchecker.yml
  when: deploy_netchecker
+  tags: netchecker
--- a/roles/kubernetes-apps/network_plugin/meta/main.yml
+++ b/roles/kubernetes-apps/network_plugin/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
 - role: kubernetes-apps/network_plugin/canal
   when: kube_network_plugin == 'canal'
+   tags: canal
--- a/roles/kubernetes/master/meta/main.yml
+++ b/roles/kubernetes/master/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
  - role: download
    file: "{{ downloads.hyperkube }}"
+    tags: [download, hyperkube]
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - include: pre-upgrade.yml
-
+  tags: k8s-pre-upgrade

 - name: Copy kubectl from hyperkube container
  command: "/usr/bin/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
@@ -9,12 +9,14 @@
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
+  tags: [hyperkube, kubectl, upgrade]

 - name: Gather kubectl bash completion
  command: "{{ bin_dir }}/kubectl completion bash"
  no_log: true
  register: kubectl_bash_completion
  when: ansible_os_family in ["Debian","RedHat"]
+  tags: kubectl

 - name: Write kubectl bash completion
  copy:
@@ -24,12 +26,14 @@
    group: root
    mode: 0755
  when: ansible_os_family in ["Debian","RedHat"] and kubectl_bash_completion.changed
+  tags: [kubectl, upgrade]

 - name: Write kube-apiserver manifest
  template:
    src: manifests/kube-apiserver.manifest.j2
    dest: "{{ kube_manifest_dir }}/kube-apiserver.manifest"
  notify: Master | wait for the apiserver to be running
+  tags: kube-apiserver

 - meta: flush_handlers
 # Create kube-system namespace
@@ -37,6 +41,7 @@
  copy: src=namespace.yml dest=/etc/kubernetes/kube-system-ns.yml
  run_once: yes
  when: inventory_hostname == groups['kube-master'][0]
+  tags: apps

 - name: Check if kube-system exists
  command: "{{ bin_dir }}/kubectl get ns kube-system"
@@ -44,11 +49,13 @@
  changed_when: False
  failed_when: False
  run_once: yes
+  tags: apps

 - name: Create 'kube-system' namespace
  command: "{{ bin_dir }}/kubectl create -f /etc/kubernetes/kube-system-ns.yml"
  changed_when: False
  when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
+  tags: apps

 # Write other manifests
 - name: Write kube-controller-manager manifest
@@ -56,9 +63,11 @@
    src: manifests/kube-controller-manager.manifest.j2
    dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest"
  notify: Master | wait for kube-controller-manager
+  tags: kube-controller-manager

 - name: Write kube-scheduler manifest
  template:
    src: manifests/kube-scheduler.manifest.j2
    dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest"
  notify: Master | wait for kube-scheduler
+  tags: kube-scheduler
--- a/roles/kubernetes/master/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/master/tasks/pre-upgrade.yml
@@ -3,17 +3,20 @@
  stat:
    path: /etc/systemd/system/kube-apiserver.service
  register: kube_apiserver_service_file
+  tags: [facts, kube-apiserver]

 - name: "Pre-upgrade | check for kube-apiserver init script"
  stat:
    path: /etc/init.d/kube-apiserver
  register: kube_apiserver_init_script
+  tags: [facts, kube-apiserver]

 - name: "Pre-upgrade | stop kube-apiserver if service defined"
  service:
    name: kube-apiserver
    state: stopped
  when: (kube_apiserver_service_file.stat.exists|default(False) or kube_apiserver_init_script.stat.exists|default(False))
+  tags: kube-apiserver

 - name: "Pre-upgrade | remove kube-apiserver service definition"
  file:
@@ -23,3 +26,4 @@
  with_items:
    - /etc/systemd/system/kube-apiserver.service
    - /etc/init.d/kube-apiserver
+  tags: kube-apiserver
--- a/roles/kubernetes/node/meta/main.yml
+++ b/roles/kubernetes/node/meta/main.yml
@@ -2,28 +2,39 @@
 dependencies:
  - role: download
    file: "{{ downloads.hyperkube }}"
+    tags: [download, hyperkube, kubelet, network, canal, calico, weave, kube-controller-manager, kube-scheduler, kube-apiserver, kube-proxy, kubectl]
  - role: download
    file: "{{ downloads.pod_infra }}"
+    tags: [download, kubelet]
  - role: kubernetes/secrets
+    tags: k8s-secrets
  - role: download
    file: "{{ downloads.nginx }}"
+    tags: [download, nginx]
  - role: download
    file: "{{ downloads.testbox }}"
+    tags: download
  - role: download
    file: "{{ downloads.netcheck_server }}"
    when: deploy_netchecker
+    tags: [download, netchecker]
  - role: download
    file: "{{ downloads.netcheck_agent }}"
    when: deploy_netchecker
+    tags: [download, netchecker]
  - role: download
    file: "{{ downloads.netcheck_kubectl }}"
    when: deploy_netchecker
+    tags: [download, netchecker]
  - role: download
    file: "{{ downloads.kubednsmasq }}"
    when: not skip_dnsmasq_k8s|default(false)
+    tags: [download, dnsmasq]
  - role: download
    file: "{{ downloads.kubedns }}"
    when: not skip_dnsmasq_k8s|default(false)
+    tags: [download, dnsmasq]
  - role: download
    file: "{{ downloads.exechealthz }}"
    when: not skip_dnsmasq_k8s|default(false)
+    tags: [download, dnsmasq]
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -1,23 +1,26 @@
 ---
 - include: install.yml
+  tags: kubelet

 - include: nginx-proxy.yml
  when: is_kube_master == false and loadbalancer_apiserver_localhost|default(false)
+  tags: nginx

 - name: Write kubelet config file
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
-  notify:
-    - restart kubelet
+  notify: restart kubelet
+  tags: kubelet

 - name: write the kubecfg (auth) file for kubelet
  template: src=node-kubeconfig.yaml.j2 dest={{ kube_config_dir }}/node-kubeconfig.yaml backup=yes
-  notify:
-    - restart kubelet
+  notify: restart kubelet
+  tags: kubelet

 - name: Write proxy manifest
  template:
    src: manifests/kube-proxy.manifest.j2
    dest: "{{ kube_manifest_dir }}/kube-proxy.manifest"
+  tags: kube-proxy

 # reload-systemd
 - meta: flush_handlers
@@ -27,3 +30,4 @@
    name: kubelet
    enabled: yes
    state: started
+  tags: kubelet
--- a/roles/kubernetes/preinstall/meta/main.yml
+++ b/roles/kubernetes/preinstall/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
  - role: adduser
    user: "{{ addusers.kube }}"
+    tags: kubelet
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -3,6 +3,7 @@
  set_fact:
    bin_dir: "/opt/bin"
  when: ansible_os_family == "CoreOS"
+  tags: facts

 - name: check bin dir exists
  file:
@@ -10,11 +11,14 @@
    state: directory
    owner: root
  become: true
+  tags: bootstrap-os

 - include: gitinfos.yml
  when: run_gitinfos
+  tags: facts

 - include: set_facts.yml
+  tags: facts

 - name: gather os specific variables
  include_vars: "{{ item }}"
@@ -29,6 +33,7 @@
      paths:
      - ../vars
      skip: true
+  tags: facts

 - name: Create kubernetes config directory
  file:
@@ -36,6 +41,7 @@
    state: directory
    owner: kube
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
+  tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]

 - name: Create kubernetes script directory
  file:
@@ -43,6 +49,7 @@
    state: directory
    owner: kube
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
+  tags: [k8s-secrets, bootstrap-os]

 - name: Create kubernetes manifests directory
  file:
@@ -50,6 +57,7 @@
    state: directory
    owner: kube
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
+  tags: [kubelet, bootstrap-os, master, node]

 - name: Create kubernetes logs directory
  file:
@@ -57,17 +65,21 @@
    state: directory
    owner: kube
  when: ansible_service_mgr in ["sysvinit","upstart"] and "{{ inventory_hostname in groups['k8s-cluster'] }}"
+  tags: [bootstrap-os, master, node]

 - name: check cloud_provider value
  fail:
    msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure' or 'openstack'"
  when: cloud_provider is defined and cloud_provider not in ['generic', 'gce', 'aws', 'openstack', 'azure']
+  tags: [cloud-provider, facts]

 - include: openstack-credential-check.yml
  when: cloud_provider is defined and cloud_provider == 'openstack'
+  tags: [cloud-provider, openstack, facts]

 - include: azure-credential-check.yml
  when: cloud_provider is defined and cloud_provider == 'azure'
+  tags: [cloud-provider, azure, facts]

 - name: Fix ipv4 forward rule in GCE security policy
  lineinfile:
@@ -79,6 +91,7 @@
    backup: yes
    validate: 'sysctl -f %s'
  when: cloud_provider is defined and cloud_provider == 'gce'
+  tags: [cloud-provider, gce, bootstrap-os]

 - name: Create cni directories
  file:
@@ -89,26 +102,31 @@
    - "/etc/cni/net.d"
    - "/opt/cni/bin"
  when: kube_network_plugin in ["calico", "weave", "canal"] and "{{ inventory_hostname in groups['k8s-cluster'] }}"
+  tags: [network, calico, weave, canal, bootstrap-os]

 - name: Update package management cache (YUM)
  yum: update_cache=yes name='*'
  when: ansible_pkg_mgr == 'yum'
+  tags: bootstrap-os

 - name: Install latest version of python-apt for Debian distribs
  apt: name=python-apt state=latest update_cache=yes cache_valid_time=3600
  when: ansible_os_family == "Debian"
+  tags: bootstrap-os

 - name: Install python-dnf for latest RedHat versions
  command: dnf install -y python-dnf yum
  when: ansible_distribution == "Fedora" and
        ansible_distribution_major_version > 21
  changed_when: False
+  tags: bootstrap-os

 - name: Install epel-release on RedHat/CentOS
  shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }}
  when: ansible_distribution in ["CentOS","RedHat"] and
        ansible_distribution_major_version >= 7
  changed_when: False
+  tags: bootstrap-os

 - name: Install packages requirements
  action:
@@ -121,6 +139,7 @@
  delay: "{{ retry_stagger | random + 3 }}"
  with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
  when: ansible_os_family != "CoreOS"
+  tags: bootstrap-os

 - name: Disable IPv6 DNS lookup
  lineinfile:
@@ -129,12 +148,14 @@
    state: present
    backup: yes
  when: disable_ipv6_dns and ansible_os_family != "CoreOS"
+  tags: bootstrap-os

 # Todo : selinux configuration
 - name: Set selinux policy to permissive
  selinux: policy=targeted state=permissive
  when: ansible_os_family == "RedHat"
  changed_when: False
+  tags: bootstrap-os

 - name: Write openstack cloud-config
  template:
@@ -143,6 +164,7 @@
    group: "{{ kube_cert_group }}"
    mode: 0640
  when: cloud_provider is defined and cloud_provider == "openstack"
+  tags: [cloud-provider, openstack]

 - name: Write azure cloud-config
  template:
@@ -151,5 +173,7 @@
    group: "{{ kube_cert_group }}"
    mode: 0640
  when: cloud_provider is defined and cloud_provider == "azure"
+  tags: [cloud-provider, azure]

 - include: etchosts.yml
+  tags: [bootstrap-os, etchosts]
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -26,6 +26,7 @@
 - set_fact:
    master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
    node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
+  tags: facts

 - name: Gen_certs | Gather master certs
  shell: "tar cfz - -C {{ kube_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }} | base64 --wrap=0"
@@ -75,6 +76,7 @@
      {%- elif ansible_os_family == "CoreOS" -%}
      /etc/ssl/certs/kube-ca.pem
      {%- endif %}
+  tags: facts

 - name: Gen_certs | add CA to trusted CA dir
  copy:
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -1,6 +1,8 @@
 ---
 - include: check-certs.yml
+  tags: [k8s-secrets, facts]
 - include: check-tokens.yml
+  tags: [k8s-secrets, facts]

 - name: Make sure the certificate directory exits
  file:
@@ -34,5 +36,6 @@
  notify: set secret_changed

 - include: gen_certs.yml
-
+  tags: k8s-secrets
 - include: gen_tokens.yml
+  tags: k8s-secrets
--- a/roles/network_plugin/calico/meta/main.yml
+++ b/roles/network_plugin/calico/meta/main.yml
@@ -2,9 +2,13 @@
 dependencies:
  - role: download
    file: "{{ downloads.calico_cni }}"
+    tags: download
  - role: download
    file: "{{ downloads.calico_node }}"
+    tags: download
  - role: download
    file: "{{ downloads.calicoctl }}"
+    tags: download
  - role: download
    file: "{{ downloads.hyperkube }}"
+    tags: download
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -3,6 +3,7 @@
  run_once: true
  set_fact:
    legacy_calicoctl: "{{ calicoctl_image_tag | version_compare('v1.0.0', '<') }}"
+  tags: facts

 - name: Calico | Write Calico cni config
  template:
@@ -46,6 +47,7 @@
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
+  tags: [hyperkube, upgrade]

 - name: Calico | Copy cni plugins from calico/cni container
  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
@@ -55,6 +57,7 @@
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
  when: "{{ overwrite_hyperkube_cni|bool }}"
+  tags: [hyperkube, upgrade]

 - name: Calico | wait for etcd
  uri: url=https://localhost:2379/health validate_certs=no
@@ -75,6 +78,7 @@
  register: calico_conf
  delegate_to: "{{groups['etcd'][0]}}"
  run_once: true
+  tags: facts

 - name: Calico | Configure calico network pool
  shell: >
@@ -98,6 +102,7 @@
    ipip_arg: "--ipip"
  when: (legacy_calicoctl and
         cloud_provider is defined or ipip)
+  tags: facts

 - name: Calico (old) | Define nat-outgoing pool argument
  run_once: true
@@ -105,12 +110,14 @@
    nat_arg: "--nat-outgoing"
  when: (legacy_calicoctl and
         nat_outgoing|default(false) and not peer_with_router|default(false))
+  tags: facts

 - name: Calico (old) | Define calico pool task name
  run_once: true
  set_fact:
    pool_task_name: "with options {{ ipip_arg|default('') }} {{ nat_arg|default('') }}"
  when: (legacy_calicoctl and ipip_arg|default(false) or nat_arg|default(false))
+  tags: facts

 - name: Calico (old) | Configure calico network pool {{ pool_task_name|default('') }}
  command: "{{ bin_dir}}/calicoctl pool add {{ kube_pods_subnet }} {{ ipip_arg|default('') }} {{ nat_arg|default('') }}"
@@ -134,6 +141,7 @@
 - set_fact:
    calico_pools: "{{ calico_pools_raw.stdout | from_json }}"
  run_once: true
+  tags: facts

 - name: Calico | Check if calico pool is properly configured
  fail:
@@ -142,6 +150,7 @@
  when: ( calico_pools['node']['nodes'] | length > 1 ) or
        ( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") )
  run_once: true
+  tags: facts

 - name: Calico | Write /etc/network-environment
  template: src=network-environment.j2 dest=/etc/network-environment
--- a/roles/network_plugin/canal/meta/main.yml
+++ b/roles/network_plugin/canal/meta/main.yml
@@ -2,11 +2,16 @@
 dependencies:
  - role: download
    file: "{{ downloads.flannel }}"
+    tags: download
  - role: download
    file: "{{ downloads.calico_node }}"
+    tags: download
  - role: download
    file: "{{ downloads.calicoctl }}"
+    tags: download
  - role: download
    file: "{{ downloads.calico_cni }}"
+    tags: download
  - role: download
    file: "{{ downloads.calico_policy }}"
+    tags: download
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -49,6 +49,7 @@
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
+  tags: [hyperkube, upgrade]

 - name: Canal | Copy cni plugins from calico/cni
  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
@@ -57,3 +58,4 @@
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
+  tags: [hyperkube, upgrade]
--- a/roles/network_plugin/flannel/meta/main.yml
+++ b/roles/network_plugin/flannel/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
  - role: download
    file: "{{ downloads.flannel }}"
+    tags: download
--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
@@ -26,6 +26,7 @@

 - set_fact:
    flannel_subnet: "{{ flannel_subnet_output.stdout }}"
+  tags: facts

 - name: Flannel | Get flannel_mtu from subnet.env
  shell: cat /run/flannel/subnet.env | awk -F'=' '$1 == "FLANNEL_MTU" {print $2}'
@@ -34,17 +35,21 @@

 - set_fact:
    flannel_mtu: "{{ flannel_mtu_output.stdout }}"
+  tags: facts

 - set_fact:
    docker_options_file: >-
      {%- if ansible_os_family == "Debian" -%}/etc/default/docker{%- elif ansible_os_family == "RedHat" -%}/etc/sysconfig/docker{%- endif -%}
+  tags: facts

 - set_fact:
    docker_options_name: >-
      {%- if ansible_os_family == "Debian" -%}DOCKER_OPTS{%- elif ansible_os_family == "RedHat" -%}other_args{%- endif -%}
+  tags: facts

 - set_fact:
    docker_network_options: '"--bip={{ flannel_subnet }} --mtu={{ flannel_mtu }}"'
+  tags: facts

 - name: Flannel | Remove non-systemd docker daemon network options that don't match desired line
  lineinfile:
@@ -73,4 +78,4 @@
    - restart docker
  when: ansible_service_mgr == "systemd"

- meta: flush_handlers
+- meta: flush_handlers
--- a/roles/network_plugin/meta/main.yml
+++ b/roles/network_plugin/meta/main.yml
@@ -2,9 +2,13 @@
 dependencies:
 - role: network_plugin/calico
   when: kube_network_plugin == 'calico'
+   tags: calico
 - role: network_plugin/flannel
   when: kube_network_plugin == 'flannel'
+   tags: flannel
 - role: network_plugin/weave
   when: kube_network_plugin == 'weave'
+   tags: weave
 - role: network_plugin/canal
   when: kube_network_plugin == 'canal'
+   tags: canal
--- a/roles/network_plugin/weave/meta/main.yml
+++ b/roles/network_plugin/weave/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
  - role: download
    file: "{{ downloads.weave }}"
+    tags: download
--- a/roles/network_plugin/weave/tasks/main.yml
+++ b/roles/network_plugin/weave/tasks/main.yml
@@ -6,6 +6,7 @@
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
+  tags: [hyperkube, upgrade]

 - name: Weave | Install weave
  command: rsync -piu "{{ local_release_dir }}/weave/bin/weave" "{{ bin_dir }}/weave"