richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7851 Commits
34 Branches
82 Tags
155 MiB
Tree: a2a2dfa419
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a2a2dfa419'
${ noResults }
kubespray/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml

334 lines
13 KiB
Raw Normal View History

Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Adjust task name since we allow empty kube_node (#11474)
6 months ago
Add check that kube-master, kube-node and etcd groups are not empty.
6 years ago
Allow empty kube_node group (#11248) While uncommon, provisioning only a control plane is a valid use case, so don't block it.
9 months ago
Add check that kube-master, kube-node and etcd groups are not empty.
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Add check that kube-master, kube-node and etcd groups are not empty.
6 years ago
allow non existing etcd group (#6797) When using kubeadm managed etcd, configuring an etcd group can now be skipped.
4 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
allow non existing etcd group (#6797) When using kubeadm managed etcd, configuring an etcd group can now be skipped.
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Fix uniontech os installation failure (#9862) Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
fix allow unsupported distribution (#9904) Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
1 year ago
Initial AlmaLinux support (#7538) * AlmaLinux: ansible>2.9.19 is needed to know about AlmaLinux * AlmaLinux: identify as a centos derrivative * AlmaLinux: add AlmaLinux to checks for CentOS * Use ansible_os_family to compare family and not distribution
3 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Drop canal network_plugin (#10100) According to the canal github[1] the repo is not maintained over 5 years. In addition, the README says ``` Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together. Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them. ``` So it is difficult to support canal by Kubespray at this situation. [1]: https://github.com/projectcalico/canal
1 year ago
Add support to Ansible 2.9 (#5361)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Require min version of Kubernetes (#4860) * Require minimum version of Kubernetes * Remove checksums for kubernetes version 1.12 * Add kube_version to precheck output and add min required version to README * Fix merge * Fix defaults * Fix typo in precheck
5 years ago
fix-typo (#5199)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Require min version of Kubernetes (#4860) * Require minimum version of Kubernetes * Remove checksums for kubernetes version 1.12 * Add kube_version to precheck output and add min required version to README * Fix merge * Fix defaults * Fix typo in precheck
5 years ago
Workaround ansible bug where access var via dict doesn't get real value (#1912) * Change deprecated vagrant ansible flag 'sudo' to 'become' * Workaround ansible bug where access var via dict doesn't get real value When accessing a variable via it's name "{{ foo }}" its value is retrieved. But when the variable value is retrieved via the vars-dict "{{ vars['foo'] }}" this doesn't resolve the expression of the variable any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't longer resolved but just returned as string "1 == 1". * Make file yamllint complient
7 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
ansible-lint: add spaces around variables [E206] (#4699)
5 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Workaround ansible bug where access var via dict doesn't get real value (#1912) * Change deprecated vagrant ansible flag 'sudo' to 'become' * Workaround ansible bug where access var via dict doesn't get real value When accessing a variable via it's name "{{ foo }}" its value is retrieved. But when the variable value is retrieved via the vars-dict "{{ vars['foo'] }}" this doesn't resolve the expression of the variable any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't longer resolved but just returned as string "1 == 1". * Make file yamllint complient
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
preinstall: etcd group might not exists (#7202) fixes 8c1821228df4598d139aa4f9729799291350a470 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Added configurable min memory assertions (#4307)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Test group membership with group_names Testing for group membership with group names makes Kubespray more tolerant towards the structure of the inventory. Where 'inventory_hostname in groups["some_group"] would fail if "some_group" is not defined, '"some_group" in group_names' would not.
5 months ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Added configurable min memory assertions (#4307)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Test group membership with group_names Testing for group membership with group names makes Kubespray more tolerant towards the structure of the inventory. Where 'inventory_hostname in groups["some_group"] would fail if "some_group" is not defined, '"some_group" in group_names' would not.
5 months ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
feat: Adding a check which determines if cgroups are enabled on a node (#11163) (#11165)
9 months ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
Added filters for integer conversion of kubelet_max_pods and kube_network_node_prefix (#3857)
6 years ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Test group membership with group_names Testing for group membership with group names makes Kubespray more tolerant towards the structure of the inventory. Where 'inventory_hostname in groups["some_group"] would fail if "some_group" is not defined, '"some_group" in group_names' would not.
5 months ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
Ignore assertion comparison for kube_network_node_prefix when using calico (#5632) * Fix incorrect assertion comparison for kube_network_node_prefix * Ignore assertion comparison for kube_network_node_prefix when using calico * Adding more var docs description for kube_network_node_prefix * Fixing trailing whitespaces
5 years ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Add assertion for IPv6 in verify settings Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>
2 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
add-ping-package (#9284)
2 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
add-ping-package (#9284)
2 years ago
Fix iputils install failure in Kylin OS (#9453) Signed-off-by: bo.jiang <bo.jiang@daocloud.io> Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
add-ping-package (#9284)
2 years ago
Fix iputils install failure in Kylin OS (#9453) Signed-off-by: bo.jiang <bo.jiang@daocloud.io> Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
add-ping-package (#9284)
2 years ago
Fix ensure ping package error in fedora CoreOS & Flatcar (#9370) * fix-ensure-package-in-coreos * clean blank line
2 years ago
add-ping-package (#9284)
2 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Add ping_access_ip; allows to disable ping test (#7020) In some environments, it might not be possible to ping the IP address of the nodes, e.g., because ICMP echo is blocked. This commit allows kubespray to be configured to disable the ping check, while performing all other checks.
4 years ago
Running ping doesn't change state (#10160) Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
1 year ago
Disable swap in vagrant vms
7 years ago
Kubernetes Dashboard v1.7.1 Refactor This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated. * New login/auth options that use apiserver auth proxying by default * Requires RBAC in `authorization_modes` * Only serves over https * No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL: * Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials * Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ * It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Support for disabling apiserver insecure port This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). Rework of #1937 with kubeadm support Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
7 years ago
Cloud provider support for OCI (Oracle Cloud Infrastructure) Signed-off-by: Jeff Bornemann <jeff.bornemann@oracle.com>
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Added cilium support (#2236) * Added cilium support * Fix typo in debian test config * Remove empty lines * Changed cilium version from <latest> to <v1.0.0-rc3> * Add missing changes for cilium * Add cilium to CI pipeline * Fix wrong file name * Check kernel version for cilium * fixed ci error * fixed cilium-ds.j2 template * added waiting for cilium pods to run * Fixed missing EOF * Fixed trailing spaces * Fixed trailing spaces * Fixed trailing spaces * Fixed too many blank lines * Updated tolerations,annotations in cilium DS template * Set cilium_version to iptables-1.9 to see if bug is fixed in CI * Update cilium image tag to v1.0.0-rc4 * Update Cilium test case CI vars filenames * Add optional prometheus flag, adjust initial readiness delay * Update README.md with cilium info
7 years ago
Update cilium minimum kernel preinstall check (#6376) Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Add a way to deploy cilium alongside another CNI (#6373) Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Add bad hostname preflight check Hostname must be a valid DNS name, which is checked as https://github.com/kubernetes/apimachinery/blob/master/pkg/util/validation/validation.go#L115 The situation I have encountered is that my hostname contained underscore which is disallowed and apiserver refused to start.
6 years ago
Fix ansible syntax to avoid ansible warnings (one more) (#3536) * warning on meta flush_handlers * avoid rm * avoid "Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually" warning on subsequent tasks using blockinfile * is match
6 years ago
allow '.' in hostnames we use FQDN as inventory_hostname
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Update dir list
6 years ago
Resolve ansible-lint name errors (#10253) * project: fix ansible-lint name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: ignore jinja template error in names Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: capitalize ansible name Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: update notify after name capitalization Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Update dir list
6 years ago
Fix cloud_provider check (#8164) This fixes the preinstall check for cloud_provider option based on inventory/sample/group_vars/all/all.yml
3 years ago
Update dir list
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
5 years ago
Update dir list
6 years ago
Instead of doc update, change the verify step
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Cleanup a deprecation warning (ipaddr filter) (#10518)
1 year ago
check kube_pods_subnet and kube_service_addresses to valid ip network range, not single ip address (#4188)
6 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Cleanup a deprecation warning (ipaddr filter) (#10518)
1 year ago
check kube_pods_subnet and kube_service_addresses to valid ip network range, not single ip address (#4188)
6 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Cleanup a deprecation warning (ipaddr filter) (#10518)
1 year ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Assert that IP range is enough for the nodes (#8720) * Assert that IP range is enough for the nodes Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com> * Fixed whitespace * Fixed errors * Fixed errors Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>
2 years ago
Cleanup a deprecation warning (ipaddr filter) (#10518)
1 year ago
Assert that IP range is enough for the nodes (#8720) * Assert that IP range is enough for the nodes Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com> * Fixed whitespace * Fixed errors * Fixed errors Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>
2 years ago
Disable 'Check that IP range is enough for the nodes' when calico is used (#9491)
2 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Assert that IP range is enough for the nodes (#8720) * Assert that IP range is enough for the nodes Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com> * Fixed whitespace * Fixed errors * Fixed errors Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>
2 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Remove kubedns and dnsmasq. Move dns_late phase after apps (#4406) Both kubedns and dnsmasq modes are long not maintained. We should run dns_late steps at the end because sshd makes DNS lookups during Ansible run and has 2s timeouts for each failed lookup trying to connect to coredns before it is ready.
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
6 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
Fix etcd install with docker and etcd_kubeadm_enabled (#5777) - This solves issue #5721 & #5713 (dupes) - Provide a cleaner default usage pattern for the download role around etcd that supports 'host' and 'docker' properly - Extract the 'etcdctl' as a separate task install piece and reuse it where appropriate - Update the kubeadm-etcd task to reflect the above change
5 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
preinstall: fixup etcd_deployment_type check (#7152) fixes 8331939aed2cc5ca6332933f1c2f450ad84872fd Thanks to Tomas Vanderka / karlism / LuckySB Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
preinstall: etcd group might not exists (#7202) fixes 8c1821228df4598d139aa4f9729799291350a470 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
Fix etcd install with docker and etcd_kubeadm_enabled (#5777) - This solves issue #5721 & #5713 (dupes) - Provide a cleaner default usage pattern for the download role around etcd that supports 'host' and 'docker' properly - Extract the 'etcdctl' as a separate task install piece and reuse it where appropriate - Update the kubeadm-etcd task to reflect the above change
5 years ago
Add a container_manager validation (#8785)
2 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
preinstall: check etcd_deployment_type (#7149) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
preinstall: fixup etcd_deployment_type check (#7152) fixes 8331939aed2cc5ca6332933f1c2f450ad84872fd Thanks to Tomas Vanderka / karlism / LuckySB Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
preinstall: etcd group might not exists (#7202) fixes 8c1821228df4598d139aa4f9729799291350a470 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
preinstall: fixup etcd_deployment_type check (#7152) fixes 8331939aed2cc5ca6332933f1c2f450ad84872fd Thanks to Tomas Vanderka / karlism / LuckySB Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
preinstall: check etcd_deployment_type (#7149) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
project: resolve ansible-lint key-order rule (#10314) Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
Fix condition on kata_containers_version/kube_version when kata_containers_enabled is false (#8804)
2 years ago
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317) * Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable Signed-off-by: necatican <necaticanyildirim@gmail.com> * Add etcd kubeadm deployment documentation Signed-off-by: necatican <necaticanyildirim@gmail.com> * Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
Refactor download role (#5697) * download file * download containers * fix push image to nodes * pull if none image on host * fix * improve docker image tag checks. do not pull already cached images * rebase fix merge conflict * add support download_run_once when upgrade and scale cluster add some test with download_run_once * set default values to temp flag for every download cycle * add save,load abilty for containerd and crio when download_run_once=true * return redefine image save/load command to set_docker_image_facts.yml * move set command to set_container_facts * ctr in containerd_bin_dir * fix order of ctr image export arguments * temporary disable download_run_once for containerd and crio due https://github.com/containerd/containerd/issues/4075 * remove unused files * fix strict yaml linter warning and errors * refactor logical conditions to pull and cache container images * remove comment due lint check * document role * remove image_load_on_localhost, because cached images are always loaded to docker on remote sites * remove XXX from debug output
5 years ago
Add Kata Containers support to CRI-O runtime (#6830) * Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
4 years ago
gVisor: initial support for gVisor container runtime (#7661) * Docker/Containerd: move downloads urls to containerd-common * gVisor: initial support for gVisor container runtime
3 years ago
Remove support for CoreOS Container Linux (#6576)
4 years ago
Refactor download role (#5697) * download file * download containers * fix push image to nodes * pull if none image on host * fix * improve docker image tag checks. do not pull already cached images * rebase fix merge conflict * add support download_run_once when upgrade and scale cluster add some test with download_run_once * set default values to temp flag for every download cycle * add save,load abilty for containerd and crio when download_run_once=true * return redefine image save/load command to set_docker_image_facts.yml * move set command to set_container_facts * ctr in containerd_bin_dir * fix order of ctr image export arguments * temporary disable download_run_once for containerd and crio due https://github.com/containerd/containerd/issues/4075 * remove unused files * fix strict yaml linter warning and errors * refactor logical conditions to pull and cache container images * remove comment due lint check * document role * remove image_load_on_localhost, because cached images are always loaded to docker on remote sites * remove XXX from debug output
5 years ago
Fix kubespray flatcar ansible_os_family and ansible_distribution (#8029) Closes https://github.com/kubernetes-sigs/kubespray/issues/8028 Signed-off-by: Iago Santos <iago.santos.pardo@adfinis.com>
3 years ago
Remove support for CoreOS Container Linux (#6576)
4 years ago
Refactor download role (#5697) * download file * download containers * fix push image to nodes * pull if none image on host * fix * improve docker image tag checks. do not pull already cached images * rebase fix merge conflict * add support download_run_once when upgrade and scale cluster add some test with download_run_once * set default values to temp flag for every download cycle * add save,load abilty for containerd and crio when download_run_once=true * return redefine image save/load command to set_docker_image_facts.yml * move set command to set_container_facts * ctr in containerd_bin_dir * fix order of ctr image export arguments * temporary disable download_run_once for containerd and crio due https://github.com/containerd/containerd/issues/4075 * remove unused files * fix strict yaml linter warning and errors * refactor logical conditions to pull and cache container images * remove comment due lint check * document role * remove image_load_on_localhost, because cached images are always loaded to docker on remote sites * remove XXX from debug output
5 years ago
Set containerd version to 1.4.4 (#7398) * Set containerd version to 1.4.3 * Set containerd version to 1.4.4 Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
3 years ago
Do not use ‘yes/no’ for boolean values (#11472) Consistent boolean values in ansible playbooks
6 months ago
Set containerd version to 1.4.4 (#7398) * Set containerd version to 1.4.3 * Set containerd version to 1.4.4 Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
3 years ago
Enable stable and edge containerd versions (#8020)
3 years ago
Set containerd version to 1.4.4 (#7398) * Set containerd version to 1.4.3 * Set containerd version to 1.4.4 Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
3 years ago
Enable external CA mode for control-plane deployment (#8620)
2 years ago
Fix inconsistent handling of admission plugin list (#9407) * Fix inconsistent handling of admission plugin list * Adjust hardening doc with the normalized admission plugin list * Add pre-check for admission plugins format change * Ignore checking admission plugins value when variable is not defined
2 years ago
Convert OS specific packages to new format Uses the logic introduced in the previous patch to convert all kubernetes/preinstall/vars/* os specific files to the `pkgs` dictionary. Some niceties for devs: - always validate the `pkgs` variable to catch mistakes in CI. - ensure that `pkgs` is always sorted. This makes it easier to find the packages you're looking for.
10 months ago
  1. ---
  2. - name: Stop if kube_control_plane group is empty
  3. assert:
  4. that: groups.get( 'kube_control_plane' )
  5. run_once: true
  6. when: not ignore_assert_errors
  8. - name: Stop if etcd group is empty in external etcd mode
  9. assert:
  10. that: groups.get('etcd')
  11. fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
  12. run_once: true
  13. when:
  14. - not ignore_assert_errors
  15. - etcd_deployment_type != "kubeadm"
  17. - name: Stop if non systemd OS type
  18. assert:
  19. that: ansible_service_mgr == "systemd"
  20. when: not ignore_assert_errors
  22. - name: Stop if the os does not support
  23. assert:
  24. that: (allow_unsupported_distribution_setup | default(false)) or ansible_distribution in supported_os_distributions
  25. msg: "{{ ansible_distribution }} is not a known OS"
  26. when: not ignore_assert_errors
  28. - name: Stop if unknown network plugin
  29. assert:
  30. that: kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni']
  31. msg: "{{ kube_network_plugin }} is not supported"
  32. when:
  33. - kube_network_plugin is defined
  34. - not ignore_assert_errors
  36. - name: Stop if unsupported version of Kubernetes
  37. assert:
  38. that: kube_version is version(kube_version_min_required, '>=')
  39. msg: "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
  40. when: not ignore_assert_errors
  42. # simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
  43. - name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  44. assert:
  45. that: item.value | type_debug == 'bool'
  46. msg: "{{ item.value }} isn't a bool"
  47. run_once: true
  48. with_items:
  49. - { name: download_run_once, value: "{{ download_run_once }}" }
  50. - { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
  51. - { name: download_always_pull, value: "{{ download_always_pull }}" }
  52. - { name: helm_enabled, value: "{{ helm_enabled }}" }
  53. - { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
  54. when: not ignore_assert_errors
  56. - name: Stop if even number of etcd hosts
  57. assert:
  58. that: groups.etcd | length is not divisibleby 2
  59. when:
  60. - not ignore_assert_errors
  61. - inventory_hostname in groups.get('etcd',[])
  63. - name: Stop if memory is too small for control plane nodes
  64. assert:
  65. that: ansible_memtotal_mb >= minimal_master_memory_mb
  66. when:
  67. - not ignore_assert_errors
  68. - ('kube_control_plane' in group_names)
  70. - name: Stop if memory is too small for nodes
  71. assert:
  72. that: ansible_memtotal_mb >= minimal_node_memory_mb
  73. when:
  74. - not ignore_assert_errors
  75. - ('kube_node' in group_names)
  77. # This command will fail if cgroups are not enabled on the node.
  78. # For reference: https://kubernetes.io/docs/concepts/architecture/cgroups/#check-cgroup-version
  79. - name: Stop if cgroups are not enabled on nodes
  80. command: stat -fc %T /sys/fs/cgroup/
  81. changed_when: false
  82. when: not ignore_assert_errors
  84. # This assertion will fail on the safe side: One can indeed schedule more pods
  85. # on a node than the CIDR-range has space for when additional pods use the host
  86. # network namespace. It is impossible to ascertain the number of such pods at
  87. # provisioning time, so to establish a guarantee, we factor these out.
  88. # NOTICE: the check blatantly ignores the inet6-case
  89. - name: Guarantee that enough network address space is available for all pods
  90. assert:
  91. that: "{{ (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2 }}"
  92. msg: "Do not schedule more pods on a node than inet addresses are available."
  93. when:
  94. - not ignore_assert_errors
  95. - ('k8s_cluster' in group_names)
  96. - kube_network_node_prefix is defined
  97. - kube_network_plugin != 'calico'
  99. - name: Stop if ip var does not match local ips
  100. assert:
  101. that: (ip in ansible_all_ipv4_addresses) or (ip in ansible_all_ipv6_addresses)
  102. msg: "IPv4: '{{ ansible_all_ipv4_addresses }}' and IPv6: '{{ ansible_all_ipv6_addresses }}' do not contain '{{ ip }}'"
  103. when:
  104. - not ignore_assert_errors
  105. - ip is defined
  107. - name: Ensure ping package
  108. package:
  109. # noqa: jinja[spacing]
  110. name: >-
  111. {%- if ansible_os_family == 'Debian' -%}
  112. iputils-ping
  113. {%- else -%}
  114. iputils
  115. {%- endif -%}
  116. state: present
  117. when:
  118. - access_ip is defined
  119. - not ignore_assert_errors
  120. - ping_access_ip
  121. - not is_fedora_coreos
  122. - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
  124. - name: Stop if access_ip is not pingable
  125. command: ping -c1 {{ access_ip }}
  126. when:
  127. - access_ip is defined
  128. - not ignore_assert_errors
  129. - ping_access_ip
  130. changed_when: false
  132. - name: Stop if RBAC is not enabled when dashboard is enabled
  133. assert:
  134. that: rbac_enabled
  135. when:
  136. - dashboard_enabled
  137. - not ignore_assert_errors
  139. - name: Stop if RBAC is not enabled when OCI cloud controller is enabled
  140. assert:
  141. that: rbac_enabled
  142. when:
  143. - cloud_provider is defined and cloud_provider == "oci"
  144. - not ignore_assert_errors
  146. - name: Stop if kernel version is too low
  147. assert:
  148. that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
  149. when:
  150. - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
  151. - not ignore_assert_errors
  153. - name: Stop if bad hostname
  154. assert:
  155. that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
  156. msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
  157. when: not ignore_assert_errors
  159. - name: Check cloud_provider value
  160. assert:
  161. that: cloud_provider in ['gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
  162. msg: "If set the 'cloud_provider' var must be set either to 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci' or 'external'"
  163. when:
  164. - cloud_provider is defined
  165. - not ignore_assert_errors
  166. tags:
  167. - cloud-provider
  168. - facts
  170. - name: "Check that kube_service_addresses is a network range"
  171. assert:
  172. that:
  173. - kube_service_addresses | ansible.utils.ipaddr('net')
  174. msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
  175. run_once: true
  177. - name: "Check that kube_pods_subnet is a network range"
  178. assert:
  179. that:
  180. - kube_pods_subnet | ansible.utils.ipaddr('net')
  181. msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
  182. run_once: true
  184. - name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
  185. assert:
  186. that:
  187. - kube_pods_subnet | ansible.utils.ipaddr(kube_service_addresses) | string == 'None'
  188. msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
  189. run_once: true
  191. - name: "Check that IP range is enough for the nodes"
  192. assert:
  193. that:
  194. - 2 ** (kube_network_node_prefix - kube_pods_subnet | ansible.utils.ipaddr('prefix')) >= groups['k8s_cluster'] | length
  195. msg: "Not enough IPs are available for the desired node count."
  196. when: kube_network_plugin != 'calico'
  197. run_once: true
  199. - name: Stop if unknown dns mode
  200. assert:
  201. that: dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
  202. msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
  203. when: dns_mode is defined
  204. run_once: true
  206. - name: Stop if unknown kube proxy mode
  207. assert:
  208. that: kube_proxy_mode in ['iptables', 'ipvs']
  209. msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
  210. when: kube_proxy_mode is defined
  211. run_once: true
  213. - name: Stop if unknown cert_management
  214. assert:
  215. that: cert_management | d('script') in ['script', 'none']
  216. msg: "cert_management can only be 'script' or 'none'"
  217. run_once: true
  219. - name: Stop if unknown resolvconf_mode
  220. assert:
  221. that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
  222. msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
  223. when: resolvconf_mode is defined
  224. run_once: true
  226. - name: Stop if etcd deployment type is not host, docker or kubeadm
  227. assert:
  228. that: etcd_deployment_type in ['host', 'docker', 'kubeadm']
  229. msg: "The etcd deployment type, 'etcd_deployment_type', must be host, docker or kubeadm"
  230. when:
  231. - inventory_hostname in groups.get('etcd',[])
  233. - name: Stop if container manager is not docker, crio or containerd
  234. assert:
  235. that: container_manager in ['docker', 'crio', 'containerd']
  236. msg: "The container manager, 'container_manager', must be docker, crio or containerd"
  237. run_once: true
  239. - name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker
  240. assert:
  241. that: etcd_deployment_type in ['host', 'kubeadm']
  242. msg: "The etcd deployment type, 'etcd_deployment_type', must be host or kubeadm when container_manager is not docker"
  243. when:
  244. - inventory_hostname in groups.get('etcd',[])
  245. - container_manager != 'docker'
  247. # TODO: Clean this task up when we drop backward compatibility support for `etcd_kubeadm_enabled`
  248. - name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker and etcd_kubeadm_enabled is not defined
  249. run_once: true
  250. when: etcd_kubeadm_enabled is defined
  251. block:
  252. - name: Warn the user if they are still using `etcd_kubeadm_enabled`
  253. debug:
  254. msg: >
  255. "WARNING! => `etcd_kubeadm_enabled` is deprecated and will be removed in a future release.
  256. You can set `etcd_deployment_type` to `kubeadm` instead of setting `etcd_kubeadm_enabled` to `true`."
  257. changed_when: true
  259. - name: Stop if `etcd_kubeadm_enabled` is defined and `etcd_deployment_type` is not `kubeadm` or `host`
  260. assert:
  261. that: etcd_deployment_type == 'kubeadm'
  262. msg: >
  263. It is not possible to use `etcd_kubeadm_enabled` when `etcd_deployment_type` is set to {{ etcd_deployment_type }}.
  264. Unset the `etcd_kubeadm_enabled` variable and set `etcd_deployment_type` to desired deployment type (`host`, `kubeadm`, `docker`) instead."
  265. when: etcd_kubeadm_enabled
  267. - name: Stop if download_localhost is enabled but download_run_once is not
  268. assert:
  269. that: download_run_once
  270. msg: "download_localhost requires enable download_run_once"
  271. when: download_localhost
  273. - name: Stop if kata_containers_enabled is enabled when container_manager is docker
  274. assert:
  275. that: container_manager != 'docker'
  276. msg: "kata_containers_enabled support only for containerd and crio-o. See https://github.com/kata-containers/documentation/blob/1.11.4/how-to/run-kata-with-k8s.md#install-a-cri-implementation for details"
  277. when: kata_containers_enabled
  279. - name: Stop if gvisor_enabled is enabled when container_manager is not containerd
  280. assert:
  281. that: container_manager == 'containerd'
  282. msg: "gvisor_enabled support only compatible with containerd. See https://github.com/kubernetes-sigs/kubespray/issues/7650 for details"
  283. when: gvisor_enabled
  285. - name: Stop if download_localhost is enabled for Flatcar Container Linux
  286. assert:
  287. that: ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
  288. msg: "download_run_once not supported for Flatcar Container Linux"
  289. when: download_run_once or download_force_cache
  291. - name: Ensure minimum containerd version
  292. assert:
  293. that: containerd_version is version(containerd_min_version_required, '>=')
  294. msg: "containerd_version is too low. Minimum version {{ containerd_min_version_required }}"
  295. run_once: true
  296. when:
  297. - containerd_version not in ['latest', 'edge', 'stable']
  298. - container_manager == 'containerd'
  300. - name: Stop if using deprecated containerd_config variable
  301. assert:
  302. that: containerd_config is not defined
  303. msg: "Variable containerd_config is now deprecated. See https://github.com/kubernetes-sigs/kubespray/blob/master/inventory/sample/group_vars/all/containerd.yml for details."
  304. when:
  305. - containerd_config is defined
  306. - not ignore_assert_errors
  308. - name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
  309. assert:
  310. that: not auto_renew_certificates
  311. msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true"
  312. when:
  313. - kube_external_ca_mode
  314. - not ignore_assert_errors
  316. - name: Stop if using deprecated comma separated list for admission plugins
  317. assert:
  318. that: "',' not in kube_apiserver_enable_admission_plugins[0]"
  319. msg: "Comma-separated list for kube_apiserver_enable_admission_plugins is now deprecated, use separate list items for each plugin."
  320. when:
  321. - kube_apiserver_enable_admission_plugins is defined
  322. - kube_apiserver_enable_admission_plugins | length > 0
  324. - name: Verify that the packages list structure is valid
  325. ansible.utils.validate:
  326. criteria: "{{ lookup('file', 'pkgs-schema.json') }}"
  327. data: "{{ pkgs }}"
  329. - name: Verify that the packages list is sorted
  330. vars:
  331. pkgs_lists: "{{ pkgs.keys() | list }}"
  332. assert:
  333. that: "pkgs_lists | sort == pkgs_lists"
  334. fail_msg: "pkgs is not sorted: {{ pkgs_lists | ansible.utils.fact_diff(pkgs_lists | sort) }}"