
Verify valid settings before deploy (#1705)

Also fix yaml lint issues

Fixes #1703
Matthew Mosesohn 7 years ago
committed by GitHub
parent
commit
327ed157ef
9 changed files with 94 additions and 19 deletions
  1. 3
      inventory/group_vars/all.yml
  2. 4
      roles/kubernetes-apps/rotate_tokens/tasks/main.yml
  3. 4
      roles/kubernetes/master/tasks/kubeadm-setup.yml
  4. 1
      roles/kubernetes/node/tasks/facts.yml
  5. 3
      roles/kubernetes/preinstall/defaults/main.yml
  6. 4
      roles/kubernetes/preinstall/tasks/main.yml
  7. 6
      roles/kubernetes/preinstall/tasks/pre-upgrade.yml
  8. 71
      roles/kubernetes/preinstall/tasks/verify-settings.yml
  9. 17
      roles/kubespray-defaults/defaults/main.yaml

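--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -116,6 +116,9 @@ bin_dir: /usr/local/bin
 ## Please specify true if you want to perform a kernel upgrade
 kernel_upgrade: false
+# Set to true to allow pre-checks to fail and continue deployment
+#ignore_assert_errors: false
 ## Etcd auto compaction retention for mvcc key value store in hour
 #etcd_compaction_retention: 0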

4
roles/kubernetes-apps/rotate_tokens/tasks/main.yml

@ -1,6 +1,6 @@
--- ---
#FIXME(mattymo): Exclude built in secrets that were automatically rotated,
#instead of filtering manually
# FIXME(mattymo): Exclude built in secrets that were automatically rotated,
# instead of filtering manually
- name: Rotate Tokens | Get all serviceaccount tokens to expire - name: Rotate Tokens | Get all serviceaccount tokens to expire
shell: >- shell: >-
{{ bin_dir }}/kubectl get secrets --all-namespaces {{ bin_dir }}/kubectl get secrets --all-namespaces

4
roles/kubernetes/master/tasks/kubeadm-setup.yml

@ -63,7 +63,7 @@
- name: kubeadm | Initialize first master - name: kubeadm | Initialize first master
command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks command: timeout -k 240s 240s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
register: kubeadm_init register: kubeadm_init
#Retry is because upload config sometimes fails
# Retry is because upload config sometimes fails
retries: 3 retries: 3
when: inventory_hostname == groups['kube-master']|first and not admin_conf.stat.exists when: inventory_hostname == groups['kube-master']|first and not admin_conf.stat.exists
failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
@ -72,7 +72,7 @@
- name: kubeadm | Upgrade first master - name: kubeadm | Upgrade first master
command: timeout -k 240s 240s {{ bin_dir }}/kubeadm upgrade apply --config={{ kube_config_dir }}/kubeadm-config.yaml {{ kube_version }} --skip-preflight-checks command: timeout -k 240s 240s {{ bin_dir }}/kubeadm upgrade apply --config={{ kube_config_dir }}/kubeadm-config.yaml {{ kube_version }} --skip-preflight-checks
register: kubeadm_upgrade register: kubeadm_upgrade
#Retry is because upload config sometimes fails
# Retry is because upload config sometimes fails
retries: 3 retries: 3
when: inventory_hostname == groups['kube-master']|first and (kubeadm_config.changed and admin_conf.stat.exists) when: inventory_hostname == groups['kube-master']|first and (kubeadm_config.changed and admin_conf.stat.exists)
failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr

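--- a/roles/kubernetes/node/tasks/facts.yml
+++ b/roles/kubernetes/node/tasks/facts.yml
@@ -1,3 +1,4 @@
+---
 - name: look up docker cgroup driver
 shell: "docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'"
 register: docker_cgroup_driver_result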

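--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 run_gitinfos: false
+# Set to true to allow pre-checks to fail and continue deployment
+ignore_assert_errors: false
 epel_rpm_download_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
 common_required_pkgs: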
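Review bot: `ignore_assert_errors: false` is introduced here as a role default and again in roles/kubespray-defaults/defaults/main.yaml in the same commit, so the same knob now has two authoritative defaults that can drift apart; since kubespray-defaults is the shared defaults role, keeping the single definition there (or here, but not both) avoids a silent precedence question later. The comment should also say what the flag gives up, because a true value lets the deployment continue past failed safety checks: `# Set to true to allow pre-checks to fail and continue deployment (bypasses the OS, network-plugin, etcd-count and memory asserts in verify-settings.yml)`. The rest of the defaults file is outside the hunk.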

4
roles/kubernetes/preinstall/tasks/main.yml

@ -1,6 +1,6 @@
--- ---
- include: pre-upgrade.yml
tags: [upgrade, bootstrap-os]
- include: verify-settings.yml
tags: asserts
- name: Force binaries directory for Container Linux by CoreOS - name: Force binaries directory for Container Linux by CoreOS
set_fact: set_fact:
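Review bot: The `verify-settings.yml` include is tagged only `asserts`, while the `pre-upgrade.yml` include it replaces (that file is deleted in this commit) was tagged `[upgrade, bootstrap-os]`, so a run limited with `--tags upgrade` or `--tags bootstrap-os` will no longer execute the systemd check that used to run on those paths. If the pre-checks are meant to guard upgrades and bootstrap runs as well, carry the tags over: `tags: [asserts, upgrade, bootstrap-os]`. The remainder of the task file is outside the hunk.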

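--- a/roles/kubernetes/preinstall/tasks/pre-upgrade.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Stop if non systemd OS type
-assert:
-that: ansible_service_mgr == "systemd"
-tags:
-- asserts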

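--- /dev/null
+++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml
@@ -0,0 +1,71 @@
+---
+- name: Stop if ansible version is too low
+assert:
+that:
+- ansible_version.full|version_compare('2.3.0.0', '>=')
+run_once: yes
+- name: Stop if non systemd OS type
+assert:
+that: ansible_service_mgr == "systemd"
+ignore_errors: "{{ ignore_assert_errors }}"
+- name: Stop if unknown OS
+assert:
+that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS']
+ignore_errors: "{{ ignore_assert_errors }}"
+- name: Stop if unknown network plugin
+assert:
+that: network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud']
+when: network_plugin is defined
+ignore_errors: "{{ ignore_assert_errors }}"
+- name: Stop if incompatible network plugin and cloudprovider
+assert:
+that: network_plugin != calico
+when: cloud_provider is defined and cloud_provider == 'azure'
+ignore_errors: "{{ ignore_assert_errors }}"
+- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
+assert:
+that: item|type_debug == 'bool'
+run_once: yes
+with_items:
+- kubeadm_enabled
+- download_run_once
+- deploy_netchecker
+- download_always_pull
+- efk_enabled
+- helm_enabled
+- openstack_lbaas_Enabled
+- rbac_enabled
+ignore_errors: "{{ ignore_assert_errors }}"
+- name: Stop if even number of etcd hosts
+assert:
+that: groups.etcd|length is not divisibleby 2
+ignore_errors: "{{ ignore_assert_errors }}"
+- name: Stop if memory is too small for masters
+assert:
+that: ansible_memtotal_mb >= 1500
+ignore_errors: "{{ ignore_assert_errors }}"
+when: inventory_hostname in groups['kube-master']
+- name: Stop if memory is too small for nodes
+assert:
+that: ansible_memtotal_mb >= 1024
+ignore_errors: "{{ ignore_assert_errors }}"
+when: inventory_hostname in groups['kube-node']
+- name: Stop if ip var does not match local ips
+assert:
+that: ip in ansible_all_ipv4_addresses
+ignore_errors: "{{ ignore_assert_errors }}"
+when: ip is defined
+- name: Stop if access_ip is not pingable
+command: ping -c1 {{ access_ip }}
+when: access_ip is defined
+ignore_errors: "{{ ignore_assert_errors }}"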
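Review bot: The Azure guard `that: network_plugin != calico` compares against an unquoted `calico`, which Jinja evaluates as a (normally undefined) variable rather than the string, so the assertion either errors out or passes regardless of the plugin chosen; it should read `that: network_plugin != 'calico'`. The boolean-type check is also suspect: the `with_items` entries are literal name strings, so `item|type_debug` yields the string type and can never equal `'bool'`, which would make the task fail on every deployment unless `ignore_assert_errors` is set — the variable values have to be templated into the loop, as sketched below. In that same list `openstack_lbaas_Enabled` does not match the `openstack_lbaas_enabled` default this commit touches in roles/kubespray-defaults. Adding a `msg:` to each assert would also let a failed pre-check name the setting to fix; the sketch assumes the file's original two-space indentation, which this rendering has lost.

```yaml
# … unchanged: ansible version, systemd, OS and network-plugin asserts …
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  assert:
    that: item.value|type_debug == 'bool'
    msg: "{{ item.name }} must be a boolean, got {{ item.value|type_debug }}"
  run_once: yes
  with_items:
    - { name: kubeadm_enabled, value: "{{ kubeadm_enabled }}" }
    - { name: download_run_once, value: "{{ download_run_once }}" }
    - { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
    - { name: download_always_pull, value: "{{ download_always_pull }}" }
    - { name: efk_enabled, value: "{{ efk_enabled }}" }
    - { name: helm_enabled, value: "{{ helm_enabled }}" }
    - { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
    - { name: rbac_enabled, value: "{{ rbac_enabled }}" }
  ignore_errors: "{{ ignore_assert_errors }}"
# … unchanged: etcd count, memory, ip and access_ip checks …
```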

17
roles/kubespray-defaults/defaults/main.yaml

@ -10,6 +10,9 @@ is_atomic: false
## Change this to use another Kubernetes version, e.g. a current beta release ## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.6.7 kube_version: v1.6.7
# Set to true to allow pre-checks to fail and continue deployment
ignore_assert_errors: false
# Directory where the binaries will be installed # Directory where the binaries will be installed
bin_dir: /usr/local/bin bin_dir: /usr/local/bin
docker_bin_dir: /usr/bin docker_bin_dir: /usr/bin
@ -129,15 +132,15 @@ efk_enabled: false
enable_network_policy: false enable_network_policy: false
## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461) ## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461)
#openstack_blockstorage_version: "v1/v2/auto (default)"
# openstack_blockstorage_version: "v1/v2/auto (default)"
## When OpenStack is used, if LBaaSv2 is available you can enable it with the following variables. ## When OpenStack is used, if LBaaSv2 is available you can enable it with the following variables.
openstack_lbaas_enabled: false openstack_lbaas_enabled: false
#openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
#openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
#openstack_lbaas_create_monitor: "yes"
#openstack_lbaas_monitor_delay: false
#openstack_lbaas_monitor_timeout: false
#openstack_lbaas_monitor_max_retries: false
# openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
# openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
# openstack_lbaas_create_monitor: "yes"
# openstack_lbaas_monitor_delay: false
# openstack_lbaas_monitor_timeout: false
# openstack_lbaas_monitor_max_retries: false
## List of authorization modes that must be configured for ## List of authorization modes that must be configured for
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and ## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
