Merge branch 'master' into synthscale

2026-02-20 12:40:12 -03:30 · 2017-02-21 22:17:43 +03:00
parent 2ba66f0b26 0afadb9149
commit d821448e2f
51 changed files with 317 additions and 122 deletions
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -22,21 +22,24 @@
    state: restarted

 - name: Master | wait for kube-scheduler
-  uri: url=http://localhost:10251/healthz
+  uri:
+    url: http://localhost:10251/healthz
  register: scheduler_result
  until: scheduler_result.status == 200
  retries: 15
  delay: 5

 - name: Master | wait for kube-controller-manager
-  uri: url=http://localhost:10252/healthz
+  uri:
+    url: http://localhost:10252/healthz
  register: controller_manager_result
  until: controller_manager_result.status == 200
  retries: 15
  delay: 5

 - name: Master | wait for the apiserver to be running
-  uri: url=http://localhost:8080/healthz
+  uri:
+    url: http://localhost:8080/healthz
  register: result
  until: result.status == 200
  retries: 10
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -36,7 +36,9 @@
 - meta: flush_handlers

 - name: copy kube system namespace manifest
-  copy: src=namespace.yml dest={{kube_config_dir}}/{{system_namespace}}-ns.yml
+  copy:
+    src: namespace.yml
+    dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
  run_once: yes
  when: inventory_hostname == groups['kube-master'][0]
  tags: apps
--- a/roles/kubernetes/master/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/master/tasks/pre-upgrade.yml
@@ -43,7 +43,8 @@
  when: (secret_changed|default(false) or etcd_secret_changed|default(false)) and kube_apiserver_manifest.stat.exists

 - name: "Pre-upgrade | Pause while waiting for kubelet to delete kube-apiserver pod"
-  pause: seconds=20
+  pause:
+    seconds: 20
  when: (secret_changed|default(false) or etcd_secret_changed|default(false)) and kube_apiserver_manifest.stat.exists
  tags: kube-apiserver

--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -12,12 +12,18 @@
  tags: nginx

 - name: Write kubelet config file
-  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
+  template:
+    src: kubelet.j2
+    dest: "{{ kube_config_dir }}/kubelet.env"
+    backup: yes
  notify: restart kubelet
  tags: kubelet

 - name: write the kubecfg (auth) file for kubelet
-  template: src=node-kubeconfig.yaml.j2 dest={{ kube_config_dir }}/node-kubeconfig.yaml backup=yes
+  template:
+    src: node-kubeconfig.yaml.j2
+    dest: "{{ kube_config_dir }}/node-kubeconfig.yaml"
+    backup: yes
  notify: restart kubelet
  tags: kubelet

--- a/roles/kubernetes/node/tasks/nginx-proxy.yml
+++ b/roles/kubernetes/node/tasks/nginx-proxy.yml
@@ -1,9 +1,20 @@
 ---
 - name: nginx-proxy | Write static pod
-  template: src=manifests/nginx-proxy.manifest.j2 dest={{kube_manifest_dir}}/nginx-proxy.yml
+  template:
+    src: manifests/nginx-proxy.manifest.j2
+    dest: "{{kube_manifest_dir}}/nginx-proxy.yml"

 - name: nginx-proxy | Make nginx directory
-  file: path=/etc/nginx state=directory mode=0700 owner=root
+  file:
+    path: /etc/nginx
+    state: directory
+    mode: 0700
+    owner: root

 - name: nginx-proxy | Write nginx-proxy configuration
-  template: src=nginx.conf.j2 dest="/etc/nginx/nginx.conf" owner=root mode=0755 backup=yes
+  template:
+    src: nginx.conf.j2
+    dest: "/etc/nginx/nginx.conf"
+    owner: root
+    mode: 0755
+    backup: yes
--- a/roles/kubernetes/preinstall/tasks/dhclient-hooks-undo.yml
+++ b/roles/kubernetes/preinstall/tasks/dhclient-hooks-undo.yml
@@ -14,7 +14,9 @@
  notify: Preinstall | restart network

 - name: Remove kargo specific dhclient hook
-  file: path="{{ dhclienthookfile }}" state=absent
+  file:
+    path: "{{ dhclienthookfile }}"
+    state: absent
  when: dhclienthookfile is defined
  notify: Preinstall | restart network

--- a/roles/kubernetes/preinstall/tasks/growpart-azure-centos-7.yml
+++ b/roles/kubernetes/preinstall/tasks/growpart-azure-centos-7.yml
@@ -3,7 +3,9 @@
 # Running growpart seems to be only required on Azure, as other Cloud Providers do this at boot time

 - name: install growpart
-  package: name=cloud-utils-growpart state=latest
+  package:
+    name: cloud-utils-growpart
+    state: latest

 - name: check if growpart needs to be run
  command: growpart -N /dev/sda 1
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -88,12 +88,18 @@
  tags: [network, calico, weave, canal, bootstrap-os]

 - name: Update package management cache (YUM)
-  yum: update_cache=yes name='*'
+  yum:
+    update_cache: yes
+    name: '*'
  when: ansible_pkg_mgr == 'yum'
  tags: bootstrap-os

 - name: Install latest version of python-apt for Debian distribs
-  apt: name=python-apt state=latest update_cache=yes cache_valid_time=3600
+  apt:
+    name: python-apt
+    state: latest
+    update_cache: yes
+    cache_valid_time: 3600
  when: ansible_os_family == "Debian"
  tags: bootstrap-os

@@ -125,9 +131,17 @@
  tags: bootstrap-os

 # Todo : selinux configuration
- name: Set selinux policy to permissive
-  selinux: policy=targeted state=permissive
+- name: Confirm selinux deployed
+  stat:
+    path: /etc/selinux/config
  when: ansible_os_family == "RedHat"
+  register: slc
+
+- name: Set selinux policy to permissive
+  selinux:
+    policy: targeted
+    state: permissive
+  when: ansible_os_family == "RedHat" and slc.stat.exists == True
  changed_when: False
  tags: bootstrap-os

@@ -146,7 +160,8 @@
  tags: bootstrap-os

 - name: Stat sysctl file configuration
-  stat: path={{sysctl_file_path}}
+  stat:
+    path: "{{sysctl_file_path}}"
  register: sysctl_file_stat
  tags: bootstrap-os

@@ -198,7 +213,8 @@
  tags: [bootstrap-os, resolvconf]

 - name: Check if we are running inside a Azure VM
-  stat: path=/var/lib/waagent/
+  stat:
+    path: /var/lib/waagent/
  register: azure_check
  tags: bootstrap-os

--- a/roles/kubernetes/preinstall/tasks/set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_facts.yml
@@ -1,12 +1,23 @@
 ---
- set_fact: kube_apiserver_count="{{ groups['kube-master'] | length }}"
- set_fact: kube_apiserver_address="{{ ip | default(ansible_default_ipv4['address']) }}"
- set_fact: kube_apiserver_access_address="{{ access_ip | default(kube_apiserver_address) }}"
- set_fact: is_kube_master="{{ inventory_hostname in groups['kube-master'] }}"
- set_fact: first_kube_master="{{ hostvars[groups['kube-master'][0]]['access_ip'] | default(hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address'])) }}"
+- set_fact:
+    kube_apiserver_count: "{{ groups['kube-master'] | length }}"
+
+- set_fact:
+    kube_apiserver_address: "{{ ip | default(ansible_default_ipv4['address']) }}"
+
+- set_fact:
+    kube_apiserver_access_address: "{{ access_ip | default(kube_apiserver_address) }}"
+
+- set_fact:
+    is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
+
+- set_fact:
+    first_kube_master: "{{ hostvars[groups['kube-master'][0]]['access_ip'] | default(hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address'])) }}"
+
 - set_fact:
    loadbalancer_apiserver_localhost: false
  when: loadbalancer_apiserver is defined
+
 - set_fact:
    kube_apiserver_endpoint: |-
      {% if not is_kube_master and loadbalancer_apiserver_localhost -%}
@@ -21,34 +32,54 @@
      {%-  endif -%}
      {%- endif %}

- set_fact: etcd_address="{{ ip | default(ansible_default_ipv4['address']) }}"
- set_fact: etcd_access_address="{{ access_ip | default(etcd_address) }}"
- set_fact: etcd_peer_url="https://{{ etcd_access_address }}:2380"
- set_fact: etcd_client_url="https://{{ etcd_access_address }}:2379"
- set_fact: etcd_authority="127.0.0.1:2379"
- set_fact: etcd_endpoint="https://{{ etcd_authority }}"
+- set_fact:
+    etcd_address: "{{ ip | default(ansible_default_ipv4['address']) }}"
+
+- set_fact:
+    etcd_access_address: "{{ access_ip | default(etcd_address) }}"
+
+- set_fact:
+    etcd_peer_url: "https://{{ etcd_access_address }}:2380"
+
+- set_fact:
+    etcd_client_url: "https://{{ etcd_access_address }}:2379"
+
+- set_fact:
+    etcd_authority: "127.0.0.1:2379"
+
+- set_fact:
+    etcd_endpoint: "https://{{ etcd_authority }}"
+
 - set_fact:
    etcd_access_addresses: |-
      {% for item in groups['etcd'] -%}
        https://{{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(hostvars[item]['ansible_default_ipv4']['address'])) }}:2379{% if not loop.last %},{% endif %}
      {%- endfor %}
- set_fact: etcd_access_endpoint="{% if etcd_multiaccess %}{{ etcd_access_addresses }}{% else %}{{ etcd_endpoint }}{% endif %}"
+
+- set_fact:
+    etcd_access_endpoint: "{% if etcd_multiaccess %}{{ etcd_access_addresses }}{% else %}{{ etcd_endpoint }}{% endif %}"
+
 - set_fact:
    etcd_member_name: |-
      {% for host in groups['etcd'] %}
      {%   if inventory_hostname == host %}{{"etcd"+loop.index|string }}{% endif %}
      {% endfor %}
+
 - set_fact:
    etcd_peer_addresses: |-
      {% for item in groups['etcd'] -%}
        {{ "etcd"+loop.index|string }}=https://{{ hostvars[item].access_ip | default(hostvars[item].ip | default(hostvars[item].ansible_default_ipv4['address'])) }}:2380{% if not loop.last %},{% endif %}
      {%- endfor %}
+
 - set_fact:
    is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}"
+
 - set_fact:
    etcd_after_v3: etcd_version | version_compare("v3.0.0", ">=")
+
 - set_fact:
    etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
+
 - set_fact:
    peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"

--- a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
@@ -39,11 +39,13 @@
  when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]

 - name: target temporary resolvconf cloud init file (Container Linux by CoreOS)
-  set_fact: resolvconffile=/tmp/resolveconf_cloud_init_conf
+  set_fact:
+    resolvconffile: /tmp/resolveconf_cloud_init_conf
  when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]

 - name: check if /etc/dhclient.conf exists
-  stat: path=/etc/dhclient.conf
+  stat:
+    path: /etc/dhclient.conf
  register: dhclient_stat

 - name: target dhclient conf file for /etc/dhclient.conf
@@ -52,7 +54,8 @@
  when: dhclient_stat.stat.exists

 - name: check if /etc/dhcp/dhclient.conf exists
-  stat: path=/etc/dhcp/dhclient.conf
+  stat:
+    path: /etc/dhcp/dhclient.conf
  register: dhcp_dhclient_stat

 - name: target dhclient conf file for /etc/dhcp/dhclient.conf
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -146,10 +146,10 @@

 - name: Gen_certs | check certificate permissions
  file:
-    path={{ kube_cert_dir }}
-    group={{ kube_cert_group }}
-    owner=kube
-    recurse=yes
+    path: "{{ kube_cert_dir }}"
+    group: "{{ kube_cert_group }}"
+    owner: kube
+    recurse: yes

 - name: Gen_certs | set permissions on keys
  shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -1,29 +1,30 @@
 ---
 - include: check-certs.yml
  tags: [k8s-secrets, facts]
+
 - include: check-tokens.yml
  tags: [k8s-secrets, facts]

 - name: Make sure the certificate directory exits
  file:
-    path={{ kube_cert_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
+    path: "{{ kube_cert_dir }}"
+    state: directory
+    mode: o-rwx
+    group: "{{ kube_cert_group }}"

 - name: Make sure the tokens directory exits
  file:
-    path={{ kube_token_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
+    path: "{{ kube_token_dir }}"
+    state: directory
+    mode: o-rwx
+    group: "{{ kube_cert_group }}"

 - name: Make sure the users directory exits
  file:
-    path={{ kube_users_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
+    path: "{{ kube_users_dir }}"
+    state: directory
+    mode: o-rwx
+    group: "{{ kube_cert_group }}"

 - name: Populate users for basic auth in API
  lineinfile:
@@ -62,10 +63,10 @@

 - name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
  file:
-    path={{ kube_token_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
+    path: "{{ kube_token_dir }}"
+    state: directory
+    mode: o-rwx
+    group: "{{ kube_cert_group }}"
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)
@@ -77,9 +78,11 @@
 - include: sync_kube_master_certs.yml
  when: cert_management == "vault" and inventory_hostname in groups['kube-master']
  tags: k8s-secrets
+
 - include: sync_kube_node_certs.yml
  when: cert_management == "vault" and inventory_hostname in groups['k8s-cluster']
  tags: k8s-secrets
+
 - include: gen_certs_vault.yml
  when: cert_management == "vault"
  tags: k8s-secrets
--- a/roles/kubernetes/secrets/templates/openssl.conf.j2
+++ b/roles/kubernetes/secrets/templates/openssl.conf.j2
@@ -16,7 +16,7 @@ DNS.5 = localhost
 DNS.{{ 5 + loop.index }} = {{ host }}
 {% endfor %}
 {% if loadbalancer_apiserver is defined  and apiserver_loadbalancer_domain_name is defined %}
-{% set idx =  groups['kube-master'] | length | int + 5 %}
+{% set idx =  groups['kube-master'] | length | int + 5 + 1 %}
 DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
 {% endif %}
 {% for host in groups['kube-master'] %}