richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7839 Commits
34 Branches
82 Tags
155 MiB
Tree: 99c6a884a9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '99c6a884a9'
${ noResults }
kubespray/roles/etcd/tasks/main.yml

104 lines
3.0 KiB
Raw Normal View History

Initial commit
9 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Vault security hardening and role isolation
8 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Cleanup legacy syntax, spacing, files all to yml Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks Cleanup some spacing in various files Rename some files named yaml to yml for consistancy
8 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
6 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Vault security hardening and role isolation
8 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
Drop canal network_plugin (#10100) According to the canal github[1] the repo is not maintained over 5 years. In addition, the README says ``` Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together. Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them. ``` So it is difficult to support canal by Kubespray at this situation. [1]: https://github.com/projectcalico/canal
1 year ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Adding in certificate serial numbers to manifests (#1392)
7 years ago
Replace shell with command in order to allow the task to fail when openssl x509 does return zero (#3516)
6 years ago
Fix setting etcd client cert serial (#1775)
7 years ago
Idempotency fixes (#1838)
7 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Calculate etcd client cert serial for appropriate groups (#3605) Standalone etcd nodes do not generate node-$hostname certs and do not need this serial calculated.
6 years ago
Drop canal network_plugin (#10100) According to the canal github[1] the repo is not maintained over 5 years. In addition, the README says ``` Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together. Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them. ``` So it is difficult to support canal by Kubespray at this situation. [1]: https://github.com/projectcalico/canal
1 year ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
Add tags to deploy components by --tags option (#2960) * Add tags for cert serial tasks This will help facilitate tag-based deployment of specific components. * fixup kubernetes node
6 years ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Add tags to deploy components by --tags option (#2960) * Add tags for cert serial tasks This will help facilitate tag-based deployment of specific components. * fixup kubernetes node
6 years ago
Fix setting etcd client cert serial (#1775)
7 years ago
Replace shell with command in order to allow the task to fail when openssl x509 does return zero (#3516)
6 years ago
Calculate etcd client cert serial for appropriate groups (#3605) Standalone etcd nodes do not generate node-$hostname certs and do not need this serial calculated.
6 years ago
Drop canal network_plugin (#10100) According to the canal github[1] the repo is not maintained over 5 years. In addition, the README says ``` Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together. Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them. ``` So it is difficult to support canal by Kubespray at this situation. [1]: https://github.com/projectcalico/canal
1 year ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
Add tags to deploy components by --tags option (#2960) * Add tags for cert serial tasks This will help facilitate tag-based deployment of specific components. * fixup kubernetes node
6 years ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Add tags to deploy components by --tags option (#2960) * Add tags for cert serial tasks This will help facilitate tag-based deployment of specific components. * fixup kubernetes node
6 years ago
Adding in certificate serial numbers to manifests (#1392)
7 years ago
Install etcdutl file by default (#10385)
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Install etcdutl file by default (#10385)
1 year ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Cleanup legacy syntax, spacing, files all to yml Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks Cleanup some spacing in various files Rename some files named yaml to yml for consistancy
8 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Cleanup legacy syntax, spacing, files all to yml Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks Cleanup some spacing in various files Rename some files named yaml to yml for consistancy
8 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
use rsync instead of command
9 years ago
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role.
8 years ago
Restart etcd if the etcd version changes (#8556) Signed-off-by: Mac Chaffee <me@macchaffee.com>
3 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Flush handlers before etcd restart systemctl daemon-reload should be run before when task modifies/creates union for etcd. Otherwise etcd won't be able to start Closes #892 Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
8 years ago
Etcd cluster setup makeover The current way to setup the etc cluster is messy and buggy. - It checks for cluster is healthy before the cluster is even created. - The unit files are started on handlers, not in the task, so you mess with "flush handlers". - The join_member.yml is not used. - etcd events cluster is not configured for kubeadm - remove duplicate runs between running the role on etcd nodes and k8s nodes
7 years ago
Restart etcd if the etcd version changes (#8556) Signed-off-by: Mac Chaffee <me@macchaffee.com>
3 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Add etcd-events cluster for kube-apiserver (#2385) Add etcd-events cluster for kube-apiserver
7 years ago
Scale-up functionality for etcd cluster * Set ETCD_INITIAL_CLUSTER_STATE from `new` to `existing`, because parameter `new` makes sense only on cluster assembly stage. * If cluster exists and current node is not a part of the cluster, add it with command `etcdctl add member name url`. Closes kubespray/kargo/#270
8 years ago
Fix some typos (#3690) Signed-off-by: mooncake <xcoder@tenxcloud.com>
6 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
  1. ---
  2. - name: Check etcd certs
  3. include_tasks: check_certs.yml
  4. when: cert_management == "script"
  5. tags:
  6. - etcd-secrets
  7. - facts
  9. - name: Generate etcd certs
  10. include_tasks: "gen_certs_script.yml"
  11. when:
  12. - cert_management | d('script') == "script"
  13. tags:
  14. - etcd-secrets
  16. - name: Trust etcd CA
  17. include_tasks: upd_ca_trust.yml
  18. when:
  19. - ('etcd' in group_names) or ('kube_control_plane' in group_names)
  20. tags:
  21. - etcd-secrets
  23. - name: Trust etcd CA on nodes if needed
  24. include_tasks: upd_ca_trust.yml
  25. when:
  26. - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
  27. - kube_network_plugin != "calico" or calico_datastore == "etcd"
  28. - inventory_hostname in groups['k8s_cluster']
  29. tags:
  30. - etcd-secrets
  32. - name: "Gen_certs | Get etcd certificate serials"
  33. command: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial"
  34. register: "etcd_client_cert_serial_result"
  35. changed_when: false
  36. check_mode: false
  37. when:
  38. - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
  39. - kube_network_plugin != "calico" or calico_datastore == "etcd"
  40. - inventory_hostname in groups['k8s_cluster']
  41. tags:
  42. - master # master tag is deprecated and replaced by control-plane
  43. - control-plane
  44. - network
  46. - name: Set etcd_client_cert_serial
  47. set_fact:
  48. etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout.split('=')[1] }}"
  49. when:
  50. - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
  51. - kube_network_plugin != "calico" or calico_datastore == "etcd"
  52. - inventory_hostname in groups['k8s_cluster']
  53. tags:
  54. - master # master tag is deprecated and replaced by control-plane
  55. - control-plane
  56. - network
  58. - name: Install etcdctl and etcdutl binary
  59. import_role:
  60. name: etcdctl_etcdutl
  61. tags:
  62. - etcdctl
  63. - etcdutl
  64. - upgrade
  65. when:
  66. - ('etcd' in group_names)
  67. - etcd_cluster_setup
  69. - name: Install etcd
  70. include_tasks: "install_{{ etcd_deployment_type }}.yml"
  71. when: ('etcd' in group_names)
  72. tags:
  73. - upgrade
  75. - name: Configure etcd
  76. include_tasks: configure.yml
  77. when: ('etcd' in group_names)
  79. - name: Refresh etcd config
  80. include_tasks: refresh_config.yml
  81. when: ('etcd' in group_names)
  83. - name: Restart etcd if certs changed
  84. command: /bin/true
  85. notify: Restart etcd
  86. when:
  87. - ('etcd' in group_names)
  88. - etcd_cluster_setup
  89. - etcd_secret_changed | default(false)
  91. - name: Restart etcd-events if certs changed
  92. command: /bin/true
  93. notify: Restart etcd
  94. when:
  95. - ('etcd' in group_names)
  96. - etcd_events_cluster_setup
  97. - etcd_secret_changed | default(false)
  99. # After etcd cluster is assembled, make sure that
  100. # initial state of the cluster is in `existing`
  101. # state instead of `new`.
  102. - name: Refresh etcd config again for idempotency
  103. include_tasks: refresh_config.yml
  104. when: ('etcd' in group_names)