CentOS 7 provides up to date Ansible with really old jinja version
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 332cc1cd58b7e7cf65922a85fafe748f4fabbf0e)
We were regenerating only the cert of the first node
While at it speed up the check step
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e444b3c1401fb69182283ec87616bceda287e21e)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-setup.yml
* add CI test for auto_renew_certificates
* change timer value
fix typo error in rotate cert script
(cherry picked from commit cce0940e1f6b3a255fc8170a3cd4b0fdd109327f)
Conflicts:
roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
* Remove ignore_errors from drain tasks and enable retires
* Fix lint error by checking if stdout length is not 0, ie string is not empty.
(cherry picked from commit ccd3aeebbc5c4da85155b365bab66d6441dc3e81)
`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.
Signed-off-by: anthr76 <hello@anthonyrabbito.com>
(cherry picked from commit edfa3e9b14167c5c6b76083360948611c120af0a)
* Allow connecting to bastion via non-standard port
* Fix bastion connection when ansible_port is not provided
(cherry picked from commit 6fa3565dacb2f48d3f98b062ae631069ed18848b)
To avoid ModuleNotFoundError due to no module named 'setuptools_rust',
this adds cryptography installation to requirements.txt.
Created by jfc-evs originally as https://github.com/kubernetes-sigs/kubespray/pull/7264
(cherry picked from commit 49abf6007a8eee36d0deda6786f483e08f5e6fe3)
While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit efa180392b8e7cca75cac8e11534b55f99cb9ee4)
Conflicts:
roles/kubernetes/master/templates/k8s-certs-renew.service.j2
roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
* Download Calico KDD CRDs
* Replace kustomize with lineinfile and use ansible assemble module
* Replace find+lineinfile by sed in shell module to avoid nested loop
* add condition on sed
* use block for kdd tasks + remove supernumerary kdd manifest apply in start "Start Calico resources"
(cherry picked from commit 1c62af0c95321ac09fa2289b586c82b3df24376d)
Conflicts:
roles/network_plugin/calico/tasks/install.yml
15.1 has reached EOL on 2021-02-02.
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
(cherry picked from commit 69d11daef6f6211b9741621a76b82829963492e9)
"The error was: 'proxy_disable_env' is undefined\n\nThe error appears to
be in '<censored>scale.yml': line 72, column 7"
Fixes 067db686f6e8149b7a94d43d74f89e55595a95ad
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 057e8b435877c8682c57f3bd5168728a07c7a9a9)
c9c0c01de019e502b2e73e6fd65e9bf52e063bb6 only fix the problem for new clusters
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 14b63ede8c311685088f38ba00a032ee4a828c09)
Conflicts:
roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml
* Update ansible to v2.9.18
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
* Update jinja2 to v2.11.3
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
(cherry picked from commit b07c5966a616e00668786a16ab31e6de75aa3226)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.
More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b
(cherry picked from commit dc5df57c262efd4f856295f7f67813568a527f25)
The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit a9c97e5253c455546c2c7fdd794147eeb9b8ab7a)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-version.yml
There are no reasons not to backup during upgrade
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 53e5ef6b4e2b4f9e8fd797773f4eabf7701158da)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-backup.yml
roles/kubernetes/master/tasks/kubeadm-certificate.yml
kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 8800b5c01d7dbdc99f81464ba5f2f96799e7eed1)
kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 280036fad65736a7f0944190a0f8803fb79b786e)
apiserver.pem is not used since ddffdb63bfcc65a1731a16d316ce10d4903e3261
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit fedd671d68bfadc3446ae5a5c9961ae769773c4a)
Conflicts:
roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`
kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage
This revert to the logic before 6fe2248314fb319563a60ae023b552371e34e148
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit c9c0c01de019e502b2e73e6fd65e9bf52e063bb6)
On CentOS 8 they seem to be ignored by default, but better be extra safe
This also make it easy to exclude other network plugin interfaces
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e442b1d2b9ce7734093a724c3d35462f1b3cbcb8)
By default Ansible stat module compute checksum, list extended attributes and find mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit de1d9df7875d1f451fb7974840ddc0a645551b6e)
Conflicts:
roles/etcd/tasks/check_certs.yml
