richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4022 Commits
30 Branches
81 Tags
150 MiB
Tree: e25237455c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e25237455c'
${ noResults }
kubespray/roles/kubernetes/master/tasks/kubeadm-setup.yml

185 lines
6.4 KiB
Raw Normal View History

kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Switch to kubeadm deployment mode (#3461) * Switch to kubeadm deployment mode Discuss:https://github.com/kubernetes-incubator/kubespray/issues/3301 * Add non-kubeadm upgrage to kubeadm cluster
6 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Checking new CA key presence is not relevant to determine if kubeadm has already run (#3653)
6 years ago
Change file used to check kubeadm upgrade method (#1784) * Change file used to check kubeadm upgrade method Test for ca.crt instead of admin.conf because admin.conf is created during normal deployment. * more fixes for upgrade
7 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Change file used to check kubeadm upgrade method (#1784) * Change file used to check kubeadm upgrade method Test for ca.crt instead of admin.conf because admin.conf is created during normal deployment. * more fixes for upgrade
7 years ago
Remove non-kubeadm deployment (#3811) * Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout untill kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokens
6 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Remove non-kubeadm deployment (#3811) * Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout untill kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokens
6 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Remove non-kubeadm deployment (#3811) * Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout untill kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokens
6 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Fixup line breaks for kubeadm SANs (#3908)
6 years ago
Fix apiServerCertSANs in kubeadm config file (#3839)
6 years ago
kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Fixup line breaks for kubeadm SANs (#3908)
6 years ago
(Re)add line break for supplementary addr in SANs (#3952) The change implemented in #3908 remove line breaks for supplementary addresses in kubeadm SANs, causing errors in the config file and failure to bring cluster up. This commit reimplement line breaks in between supplementary addresses.
5 years ago
Add possibility to insert more ip adresses in certificates (#1678) * Add possibility to insert more ip adresses in certificates * Add newline at end of files * Move supp ip parameters to k8s-cluster group file * Add supplementary addresses in kubeadm master role * Improve openssl indexes
7 years ago
Properly skip extra SANs when not specified for kubeadm (#1831)
7 years ago
Add possibility to insert more ip adresses in certificates (#1678) * Add possibility to insert more ip adresses in certificates * Add newline at end of files * Move supp ip parameters to k8s-cluster group file * Add supplementary addresses in kubeadm master role * Improve openssl indexes
7 years ago
kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Support audit
6 years ago
minor variable fix and reuse + handle auditlog redirected to stdout
6 years ago
Support audit
6 years ago
minor variable fix and reuse + handle auditlog redirected to stdout
6 years ago
Support audit
6 years ago
Add kubeadm controlplaneEndpoint Nginx LB(default) Other LB by kubeadm controlplane
6 years ago
Fix reconfigure and upgrade cluster (#3938)
6 years ago
kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Enable HA deploy of kubeadm (#1658) * Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
7 years ago
Fix skip upgrade first master (#3915)
6 years ago
Enable HA deploy of kubeadm (#1658) * Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
7 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Enable HA deploy of kubeadm (#1658) * Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
7 years ago
Checking new CA key presence is not relevant to determine if kubeadm has already run (#3653)
6 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Enable HA deploy of kubeadm (#1658) * Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
7 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Enable HA deploy of kubeadm (#1658) * Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
7 years ago
make certificates non-executable
6 years ago
Enable HA deploy of kubeadm (#1658) * Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
7 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Fix skip upgrade first master (#3915)
6 years ago
kubeadm support (#1631) * kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
7 years ago
Retry kubeadm proxy and secondary master init tasks (#3715) Due to suboptimal external loadbalancer configs, the LoadBalancer might point to a downed kube-apiserver that is not set up yet.
6 years ago
Checking new CA key presence is not relevant to determine if kubeadm has already run (#3653)
6 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Fix reconfigure and upgrade cluster (#3938)
6 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Add scale master features (#3946) * Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
7 years ago
Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible.
6 years ago
Remove non-kubeadm deployment (#3811) * Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout untill kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokens
6 years ago
Untaint master when it has node role (#3466)
6 years ago
Switch to kubeadm deployment mode (#3461) * Switch to kubeadm deployment mode Discuss:https://github.com/kubernetes-incubator/kubespray/issues/3301 * Add non-kubeadm upgrage to kubeadm cluster
6 years ago
Untaint master when it has node role (#3466)
6 years ago
Allow kubeadm master untaint to fail (#3549)
6 years ago
  1. ---
  2. - name: kubeadm | Check if old apiserver cert exists on host
  3. stat:
  4. path: "{{ kube_cert_dir }}/apiserver.pem"
  5. register: old_apiserver_cert
  6. delegate_to: "{{groups['kube-master']|first}}"
  7. run_once: true
  9. - name: kubeadm | Migrate old certs if necessary
  10. import_tasks: kubeadm-migrate-certs.yml
  11. when: old_apiserver_cert.stat.exists
  13. - name: kubeadm | Check apiserver key
  14. stat:
  15. path: "{{ kube_cert_dir }}/apiserver.key"
  16. register: apiserver_key_before
  17. delegate_to: "{{groups['kube-master']|first}}"
  18. run_once: true
  20. - name: kubeadm | Check if kubeadm has already run
  21. stat:
  22. path: "/var/lib/kubelet/config.yaml"
  23. register: kubeadm_already_run
  25. - name: kubeadm | Delete old admin.conf
  26. file:
  27. path: "{{ kube_config_dir }}/admin.conf"
  28. state: absent
  29. when:
  30. - not kubeadm_already_run.stat.exists
  32. - name: kubeadm | Delete old static pods
  33. file:
  34. path: "{{ kube_config_dir }}/manifests/{{item}}.manifest"
  35. state: absent
  36. with_items: ["kube-apiserver", "kube-controller-manager", "kube-scheduler", "kube-proxy"]
  37. when:
  38. - old_apiserver_cert.stat.exists
  40. - name: kubeadm | Forcefully delete old static pods
  41. shell: "docker ps -f name=k8s_{{item}} -q | xargs --no-run-if-empty docker rm -f"
  42. with_items: ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
  43. when:
  44. - old_apiserver_cert.stat.exists
  46. - name: kubeadm | aggregate all SANs
  47. set_fact:
  48. apiserver_sans: >-
  49. kubernetes
  50. kubernetes.default
  51. kubernetes.default.svc
  52. kubernetes.default.svc.{{ dns_domain }}
  53. {{ kube_apiserver_ip }}
  54. localhost
  55. 127.0.0.1
  56. {{ ' '.join(groups['kube-master']) }}
  57. {%- if loadbalancer_apiserver is defined %}
  58. {{ apiserver_loadbalancer_domain_name }}
  59. {%- endif %}
  60. {% for host in groups['kube-master'] -%}
  61. {%- if hostvars[host]['access_ip'] is defined -%}
  62. {{ hostvars[host]['access_ip'] }}
  63. {%- endif %}
  64. {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
  65. {%- endfor %}
  66. {%- if supplementary_addresses_in_ssl_keys is defined -%}
  67. {% for addr in supplementary_addresses_in_ssl_keys %}
  68. {{ addr }}
  69. {%- endfor %}
  70. {%- endif %}
  71. tags: facts
  73. - name: kubeadm | Copy etcd cert dir under k8s cert dir
  74. command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"
  75. changed_when: false
  77. - name: Create audit-policy directory
  78. file:
  79. path: "{{ audit_policy_file | dirname }}"
  80. state: directory
  81. when: kubernetes_audit|default(false)
  83. - name: Write api audit policy yaml
  84. template:
  85. src: apiserver-audit-policy.yaml.j2
  86. dest: "{{ audit_policy_file }}"
  87. when: kubernetes_audit|default(false)
  89. # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
  90. - name: set kubeadm_config_api_fqdn define
  91. set_fact:
  92. kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}"
  93. when: loadbalancer_apiserver is defined
  95. - name: kubeadm | set kubeadm version
  96. import_tasks: kubeadm-version.yml
  98. - name: kubeadm | Certificate management with kubeadm
  99. import_tasks: kubeadm-certificate.yml
  100. when:
  101. - not upgrade_cluster_setup
  102. - kubeadm_already_run.stat.exists
  104. - name: kubeadm | Initialize first master
  105. command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
  106. register: kubeadm_init
  107. # Retry is because upload config sometimes fails
  108. retries: 3
  109. when: inventory_hostname == groups['kube-master']|first and not kubeadm_already_run.stat.exists
  110. failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
  111. notify: Master | restart kubelet
  113. - name: slurp kubeadm certs
  114. slurp:
  115. src: "{{ item }}"
  116. with_items:
  117. - "{{ kube_cert_dir }}/apiserver.crt"
  118. - "{{ kube_cert_dir }}/apiserver.key"
  119. - "{{ kube_cert_dir }}/apiserver-kubelet-client.crt"
  120. - "{{ kube_cert_dir }}/apiserver-kubelet-client.key"
  121. - "{{ kube_cert_dir }}/ca.crt"
  122. - "{{ kube_cert_dir }}/ca.key"
  123. - "{{ kube_cert_dir }}/front-proxy-ca.crt"
  124. - "{{ kube_cert_dir }}/front-proxy-ca.key"
  125. - "{{ kube_cert_dir }}/front-proxy-client.crt"
  126. - "{{ kube_cert_dir }}/front-proxy-client.key"
  127. - "{{ kube_cert_dir }}/sa.key"
  128. - "{{ kube_cert_dir }}/sa.pub"
  129. register: kubeadm_certs
  130. delegate_to: "{{ groups['kube-master']|first }}"
  131. run_once: true
  133. - name: kubeadm | write out kubeadm certs
  134. copy:
  135. dest: "{{ item.item }}"
  136. content: "{{ item.content | b64decode }}"
  137. owner: root
  138. group: root
  139. mode: 0600
  140. no_log: true
  141. register: copy_kubeadm_certs
  142. with_items: "{{ kubeadm_certs.results }}"
  143. when: inventory_hostname != groups['kube-master']|first
  145. - name: kubeadm | Kubeconfig management with kubeadm
  146. import_tasks: kubeadm-kubeconfig.yml
  147. when:
  148. - not upgrade_cluster_setup
  149. - kubeadm_already_run.stat.exists
  151. - name: kubeadm | Init other uninitialized masters
  152. command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
  153. register: kubeadm_init
  154. retries: 10
  155. until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
  156. when: inventory_hostname != groups['kube-master']|first and not kubeadm_already_run.stat.exists
  157. failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
  158. notify: Master | restart kubelet
  160. - name: kubeadm | upgrage kubernetes cluster
  161. import_tasks: kubeadm-upgrade.yml
  162. when: upgrade_cluster_setup
  164. - name: kubeadm | Check apiserver key again
  165. stat:
  166. path: "{{ kube_cert_dir }}/apiserver.key"
  167. register: apiserver_key_after
  168. delegate_to: "{{groups['kube-master']|first}}"
  169. run_once: true
  171. - name: kubeadm | Set secret_changed if service account key was updated
  172. command: /bin/true
  173. notify: Master | set secret_changed
  174. when: apiserver_key_before.stat.checksum|default("") != apiserver_key_after.stat.checksum
  176. - name: kubeadm | cleanup old certs if necessary
  177. import_tasks: kubeadm-cleanup-old-certs.yml
  178. when:
  179. - old_apiserver_cert.stat.exists
  181. - name: kubeadm | Remove taint for master with node role
  182. command: "{{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf taint node {{ inventory_hostname }} node-role.kubernetes.io/master:NoSchedule-"
  183. delegate_to: "{{groups['kube-master']|first}}"
  184. when: inventory_hostname in groups['kube-node']
  185. failed_when: false