Update Kubernetes to v1.9.0 (#2100)

Update checksum for kubeadm
Use v1.9.0 kubeadm params
Include hash of ca.crt for kubeadm join
Update tag for testing upgrades
Add workaround for testing upgrades
Remove scale CI scenarios because of slow inventory parsing
in ansible 2.4.x.

Change region for tests to us-central1 to
improve ansible performance

roles/kubernetes/kubeadm/tasks/main.yml

@@ -16,6 +16,13 @@
     path: "{{ kube_config_dir }}/kubelet.conf"
   register: kubelet_conf
 
+
+- name: Calculate kubeadm CA cert hash
+  shell: openssl x509 -pubkey -in {{ kube_config_dir }}/ssl/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  register: kubeadm_ca_hash
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  run_once: true
+
 - name: Create kubeadm client config
   template:
     src: kubeadm-client.conf.j2
@@ -25,7 +32,10 @@
   register: kubeadm_client_conf
 
 - name: Join to cluster if needed
-  command: "{{ bin_dir }}/kubeadm join --config {{ kube_config_dir}}/kubeadm-client.conf --skip-preflight-checks"
+  command: >-
+    {{ bin_dir }}/kubeadm join
+    --config {{ kube_config_dir}}/kubeadm-client.conf
+    --ignore-preflight-errors=all
   register: kubeadm_join
   when: not is_kube_master and (kubeadm_client_conf.changed or not kubelet_conf.stat.exists)
 

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2

@@ -4,3 +4,5 @@ caCertPath: {{ kube_config_dir }}/ssl/ca.crt
 token: {{ kubeadm_token }}
 discoveryTokenAPIServers:
 - {{ kubeadm_discovery_address | replace("https://", "")}}
+DiscoveryTokenCACertHashes:
+- sha256:{{ kubeadm_ca_hash.stdout }}

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -72,7 +72,7 @@
   register: kubeadm_config
 
 - name: kubeadm | Initialize first master
-  command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
+  command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
   register: kubeadm_init
   # Retry is because upload config sometimes fails
   retries: 3
@@ -86,7 +86,7 @@
     {{ bin_dir }}/kubeadm
     upgrade apply -y {{ kube_version }}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    --skip-preflight-checks
+    --ignore-preflight-errors=all
     --allow-experimental-upgrades
     --allow-release-candidate-upgrades
   register: kubeadm_upgrade
@@ -135,7 +135,7 @@
   when: inventory_hostname != groups['kube-master']|first
 
 - name: kubeadm | Init other uninitialized masters
-  command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
+  command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
   register: kubeadm_init
   when: inventory_hostname != groups['kube-master']|first and not kubeadm_ca.stat.exists
   failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
@@ -147,7 +147,7 @@
     {{ bin_dir }}/kubeadm
     upgrade apply -y {{ kube_version }}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    --skip-preflight-checks
+    --ignore-preflight-errors=all
     --allow-experimental-upgrades
     --allow-release-candidate-upgrades
   register: kubeadm_upgrade

roles/kubernetes/master/templates/kubeadm-config.yaml.j2

@@ -16,7 +16,9 @@ networking:
   serviceSubnet: {{ kube_service_addresses }}
   podSubnet: {{ kube_pods_subnet }}
 kubernetesVersion: {{ kube_version }}
-cloudProvider: {{ cloud_provider|default('') }}
+{% if cloud_provider is defined and cloud_provider != "gce" %}
+cloudProvider: {{ cloud_provider }}
+{% endif %}
 authorizationModes:
 {% for mode in authorization_modes %}
 - {{ mode }}