bump rpm based docker versions to docker-ce-18.06.3.ce-3 (#4925)

* robust handling of API server SANs for 2.8 branch

* use apiserver_loadbalancer_domain_name if it is defined, according to PR 3977

requirements.txt

@@ -1,4 +1,4 @@
-ansible>=2.5.0,!=2.7.0
+ansible>=2.5.0,<2.7
 jinja2>=2.9.6
 netaddr
 pbr>=1.6

roles/container-engine/docker/vars/fedora.yml

@@ -6,7 +6,7 @@ docker_kernel_min_version: '0'
 docker_versioned_pkg:
   'latest': docker-ce
   '18.03': docker-ce-18.03.1.ce-3.fc28
-  '18.06': docker-ce-18.06.2.ce-3.fc28
+  '18.06': docker-ce-18.06.3.ce-3.fc28
 
 #
 # This is due to the fact that the docker

roles/container-engine/docker/vars/redhat.yml

@@ -14,8 +14,8 @@ docker_versioned_pkg:
   '17.09': docker-ce-17.09.0.ce-1.el7.centos
   '17.12': docker-ce-17.12.1.ce-1.el7.centos
   '18.03': docker-ce-18.03.1.ce-1.el7.centos
-  '18.06': docker-ce-18.06.2.ce-3.el7
+  '18.06': docker-ce-18.06.3.ce-3.el7
-  'stable': docker-ce-18.06.2.ce-3.el7
+  'stable': docker-ce-18.06.3.ce-3.el7
   'edge': docker-ce-17.12.1.ce-1.el7.centos
 
 docker_selinux_versioned_pkg:

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -42,29 +42,21 @@
 
 - name: kubeadm | aggregate all SANs
   set_fact:
-    apiserver_sans: >-
+    apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_supp + sans_access_ip + sans_ip + sans_address) | unique }}"
-      kubernetes
+  vars:
-      kubernetes.default
+    sans_base:
-      kubernetes.default.svc
+      - "kubernetes"
-      kubernetes.default.svc.{{ dns_domain }}
+      - "kubernetes.default"
-      {{ kube_apiserver_ip }}
+      - "kubernetes.default.svc"
-      localhost
+      - "kubernetes.default.svc.{{ dns_domain }}"
-      127.0.0.1
+      - "{{ kube_apiserver_ip }}"
-      {{ ' '.join(groups['kube-master']) }}
+      - "localhost"
-      {%- if loadbalancer_apiserver is defined %}
+      - "127.0.0.1"
-      {{ apiserver_loadbalancer_domain_name }}
+    sans_lb: "{{ [apiserver_loadbalancer_domain_name] if apiserver_loadbalancer_domain_name is defined else [] }}"
-      {%- endif %}
+    sans_supp: "{{ supplementary_addresses_in_ssl_keys if supplementary_addresses_in_ssl_keys is defined else [] }}"
-      {% for host in groups['kube-master'] -%}
+    sans_access_ip: "{{ groups['kube-master'] | map('extract', hostvars, 'access_ip') | list | select('defined') | list }}"
-      {%- if hostvars[host]['access_ip'] is defined -%}
+    sans_ip: "{{ groups['kube-master'] | map('extract', hostvars, 'ip') | list | select('defined') | list }}"
-      {{ hostvars[host]['access_ip'] }}
+    sans_address: "{{ groups['kube-master'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | select('defined') | list }}"
-      {%- endif %}
-      {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
-      {%- endfor %}
-      {%- if supplementary_addresses_in_ssl_keys is defined -%}
-      {% for addr in supplementary_addresses_in_ssl_keys -%}
-      {{ addr }}
-      {%- endfor %}
-      {%- endif %}
   tags: facts
 
 - name: kubeadm | Copy etcd cert dir under k8s cert dir

roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2

@@ -98,6 +98,12 @@ apiServerExtraArgs:
 {%   if kube_oidc_groups_claim is defined %}
   oidc-groups-claim: {{ kube_oidc_groups_claim }}
 {%   endif %}
+{%   if kube_oidc_username_prefix is defined %}
+  oidc-username-prefix: {{ kube_oidc_username_prefix }}
+{%   endif %}
+{%   if kube_oidc_groups_prefix is defined %}
+  oidc-groups-prefix: {{ kube_oidc_groups_prefix }}
+{%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
   experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
@@ -171,7 +177,7 @@ apiServerExtraVolumes:
 {% endif %}
 {% endif %}
 apiServerCertSANs:
-{% for san in  apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
   - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_config_dir }}/ssl

roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2

@@ -83,6 +83,12 @@ apiServerExtraArgs:
 {%   if kube_oidc_groups_claim is defined %}
   oidc-groups-claim: {{ kube_oidc_groups_claim }}
 {%   endif %}
+{%   if kube_oidc_username_prefix is defined %}
+  oidc-username-prefix: {{ kube_oidc_username_prefix }}
+{%   endif %}
+{%   if kube_oidc_groups_prefix is defined %}
+  oidc-groups-prefix: {{ kube_oidc_groups_prefix }}
+{%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
   experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
@@ -200,7 +206,7 @@ schedulerExtraArgs:
 {% endfor %}
 {% endif %}
 apiServerCertSANs:
-{% for san in apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
   - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_config_dir }}/ssl

roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2

@@ -43,7 +43,7 @@ controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.po
 controlPlaneEndpoint: {{ ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}
 {% endif %}
 apiServerCertSANs:
-{% for san in apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
   - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_config_dir }}/ssl
@@ -93,6 +93,12 @@ apiServerExtraArgs:
 {%   if kube_oidc_groups_claim is defined %}
   oidc-groups-claim: {{ kube_oidc_groups_claim }}
 {%   endif %}
+{%   if kube_oidc_username_prefix is defined %}
+  oidc-username-prefix: {{ kube_oidc_username_prefix }}
+{%   endif %}
+{%   if kube_oidc_groups_prefix is defined %}
+  oidc-groups-prefix: {{ kube_oidc_groups_prefix }}
+{%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
   experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml

roles/kubespray-defaults/defaults/main.yaml

@@ -213,7 +213,7 @@ docker_options: >-
   {% if docker_registry_mirrors is defined %}
   {{ docker_registry_mirrors | map('regex_replace', '^(.*)$', '--registry-mirror=\1' ) | list | join(' ') }}
   {%- endif %}
-  {%- if docker_version is version('17.05', '<') %}
+  {%- if docker_version is defined and docker_version is version('17.05', '<') %}
   --graph={{ docker_daemon_graph }} {{ docker_log_opts }}
   {%- else %}
   --data-root={{ docker_daemon_graph }} {{ docker_log_opts }}