diff --git a/roles/kubernetes/preinstall/tasks/swapoff.yml b/roles/kubernetes/preinstall/tasks/0010-swapoff.yml similarity index 100% rename from roles/kubernetes/preinstall/tasks/swapoff.yml rename to roles/kubernetes/preinstall/tasks/0010-swapoff.yml diff --git a/roles/kubernetes/preinstall/tasks/verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml similarity index 91% rename from roles/kubernetes/preinstall/tasks/verify-settings.yml rename to roles/kubernetes/preinstall/tasks/0020-verify-settings.yml index 003f33cf2..5e5e675af 100644 --- a/roles/kubernetes/preinstall/tasks/verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml @@ -115,3 +115,15 @@ that: inventory_hostname | match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character" ignore_errors: "{{ ignore_assert_errors }}" + +- name: check cloud_provider value + assert: + that: cloud_provider in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external'] + msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', or external" + when: + - cloud_provider is defined + + ignore_errors: "{{ ignore_assert_errors }}" + tags: + - cloud-provider + - facts diff --git a/roles/kubernetes/preinstall/tasks/pre_upgrade.yml b/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml similarity index 100% rename from roles/kubernetes/preinstall/tasks/pre_upgrade.yml rename to roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml diff --git a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml similarity index 80% rename from roles/kubernetes/preinstall/tasks/set_resolv_facts.yml rename to roles/kubernetes/preinstall/tasks/0040-set_facts.yml index 4e535fb0f..d2bb46937 100644 
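Review bot: The `msg` of the new `check cloud_provider value` assert lists only up to 'vsphere' and 'external', while its `that` expression also accepts 'oci', and the `fail` message this replaces in main.yml did name 'oci'. Bring the message back in line with the check: `msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', or external"`. The blank line between the `when` list and `ignore_errors` sits inside the task mapping; it parses, but no other task in the file splits its keys that way, so it should go.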
--- a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml +++ b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml @@ -1,4 +1,23 @@ --- +- name: Force binaries directory for Container Linux by CoreOS + set_fact: + bin_dir: "/opt/bin" + when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] + tags: + - facts + +- name: check if atomic host + stat: + path: /run/ostree-booted + register: ostree + +- set_fact: + is_atomic: "{{ ostree.stat.exists }}" + +- set_fact: + kube_cert_group: "kube" + when: is_atomic + - name: check resolvconf shell: which resolvconf register: resolvconf @@ -111,3 +130,17 @@ nameserver {{( dnsmasq_server + nameservers|d([]) + cloud_resolver|d([])) | join(',nameserver ')}} supersede_nameserver: supersede domain-name-servers {{( dnsmasq_server + nameservers|d([]) + cloud_resolver|d([])) | join(', ') }}; + +- name: gather os specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}.yml" + - defaults.yml + paths: + - ../vars + skip: true diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml new file mode 100644 index 000000000..a91f81eb0 --- /dev/null +++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml 
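Review bot: The two `set_fact` tasks carried over from set_facts.yml (`is_atomic` and `kube_cert_group`) have no `name`, while every other task in 0040-set_facts.yml is named, so play output shows them only as `set_fact`. Give them names such as `- name: set is_atomic fact` and `- name: set kube_cert_group on atomic hosts`. They also carry no `tags`, unlike the neighbouring `Force binaries directory` task; that appears harmless because main.yml imports this file with `resolvconf` and `facts`, but an inline comment saying the tags come from the import would keep the next reader from "fixing" it.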
@@ -0,0 +1,58 @@ +- name: Create kubernetes directories + file: + path: "{{ item }}" + state: directory + owner: kube + when: inventory_hostname in groups['k8s-cluster'] + become: true + tags: + - kubelet + - k8s-secrets + - kube-controller-manager + - kube-apiserver + - bootstrap-os + - apps + - network + - master + - node + with_items: + - "{{bin_dir}}" + - "{{ kube_config_dir }}" + - "{{ kube_config_dir }}/ssl" + - "{{ kube_manifest_dir }}" + - "{{ kube_script_dir }}" + +- name: Create cni directories + file: + path: "{{ item }}" + state: directory + owner: kube + with_items: + - "/etc/cni/net.d" + - "/opt/cni/bin" + - "/var/lib/calico" + when: + - kube_network_plugin in ["calico", "weave", "canal", "flannel", "contiv", "cilium"] + - inventory_hostname in groups['k8s-cluster'] + tags: + - network + - cilium + - calico + - weave + - canal + - contiv + - bootstrap-os + +- name: Create local volume provisioner directories + file: + path: "{{ item }}" + state: directory + owner: kube + with_items: + - "{{ local_volume_provisioner_base_dir }}" + - "{{ local_volume_provisioner_mount_dir }}" + when: + - inventory_hostname in groups['k8s-cluster'] + - local_volume_provisioner_enabled + tags: + - persistent_volumes diff --git a/roles/kubernetes/preinstall/tasks/resolvconf.yml b/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml similarity index 100% rename from roles/kubernetes/preinstall/tasks/resolvconf.yml rename to roles/kubernetes/preinstall/tasks/0060-resolvconf.yml diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml new file mode 100644 index 000000000..2df3a0025 --- /dev/null +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml 
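Review bot: `"{{bin_dir}}"` is now created by `Create kubernetes directories` with `owner: kube`, whereas the `check bin dir exists` task it replaces in main.yml (the first main.yml hunk) used `owner: root`. bin_dir is where the binaries later run as root are installed, so handing the directory to the `kube` account means anyone holding that account can replace what root executes; unless the kube account is meant to manage the binaries, keep a dedicated root-owned task as before and leave only the config directories on the kube-owned task. The `become: true` added here belongs with that split task, and the new file could start with `---` like the other task files in the role.
```yaml
- name: Create binaries directory
  file:
    path: "{{ bin_dir }}"
    state: directory
    owner: root
  become: true
  tags:
    - bootstrap-os

- name: Create kubernetes directories
  # … unchanged: file/state/owner kube, when, tags …
  with_items:
    - "{{ kube_config_dir }}"
    - "{{ kube_config_dir }}/ssl"
    - "{{ kube_manifest_dir }}"
    - "{{ kube_script_dir }}"
```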
@@ -0,0 +1,94 @@ +- name: Update package management cache (YUM) + yum: + update_cache: yes + name: '*' + register: yum_task_result + until: yum_task_result|succeeded + retries: 4 + delay: "{{ retry_stagger | random + 3 }}" + when: + - ansible_pkg_mgr == 'yum' + - ansible_distribution != 'RedHat' + - not is_atomic + +- name: Expire management cache (YUM) for Updation - Redhat + shell: yum clean expire-cache + register: expire_cache_output + until: expire_cache_output|succeeded + retries: 4 + delay: "{{ retry_stagger | random + 3 }}" + when: + - ansible_pkg_mgr == 'yum' + - ansible_distribution == 'RedHat' + - not is_atomic + tags: bootstrap-os + +- name: Update package management cache (YUM) - Redhat + shell: yum makecache + register: make_cache_output + until: make_cache_output|succeeded + retries: 4 + delay: "{{ retry_stagger | random + 3 }}" + when: + - ansible_pkg_mgr == 'yum' + - ansible_distribution == 'RedHat' + - expire_cache_output.rc == 0 + - not is_atomic + tags: bootstrap-os + +- name: Update package management cache (zypper) - SUSE + shell: zypper -n --gpg-auto-import-keys ref + register: make_cache_output + until: make_cache_output|succeeded + retries: 4 + delay: "{{ retry_stagger | random + 3 }}" + when: + - ansible_pkg_mgr == 'zypper' + tags: bootstrap-os + +- name: Update package management cache (APT) + apt: + update_cache: yes + cache_valid_time: 3600 + when: ansible_os_family == "Debian" + tags: + - bootstrap-os + +- name: Install python-dnf for latest RedHat versions + command: dnf install -y python-dnf yum + register: dnf_task_result + until: dnf_task_result|succeeded + retries: 4 + delay: "{{ retry_stagger | random + 3 }}" + when: + - ansible_distribution == "Fedora" + - ansible_distribution_major_version|int > 21 + - not is_atomic + changed_when: False + tags: + - bootstrap-os + +- name: Install epel-release on RedHat/CentOS + yum: + name: epel-release + state: present + when: + - ansible_distribution in ["CentOS","RedHat"] + - not is_atomic 
+ - epel_enabled|bool + tags: + - bootstrap-os + +- name: Install packages requirements + action: + module: "{{ ansible_pkg_mgr }}" + name: "{{ item }}" + state: latest + register: pkgs_task_result + until: pkgs_task_result|succeeded + retries: 4 + delay: "{{ retry_stagger | random + 3 }}" + with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}" + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) + tags: + - bootstrap-os diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml new file mode 100644 index 000000000..76944cb61 --- /dev/null +++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml @@ -0,0 +1,53 @@ +# Todo : selinux configuration +- name: Confirm selinux deployed + stat: + path: /etc/selinux/config + when: ansible_os_family == "RedHat" + register: slc + +- name: Set selinux policy + selinux: + policy: targeted + state: "{{ preinstall_selinux_state }}" + when: + - ansible_os_family == "RedHat" + - slc.stat.exists == True + changed_when: False + tags: + - bootstrap-os + +- name: Disable IPv6 DNS lookup + lineinfile: + dest: /etc/gai.conf + line: "precedence ::ffff:0:0/96 100" + state: present + backup: yes + when: + - disable_ipv6_dns + - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] + tags: + - bootstrap-os + +- name: Stat sysctl file configuration + stat: + path: "{{sysctl_file_path}}" + register: sysctl_file_stat + tags: + - bootstrap-os + +- name: Change sysctl file path to link source if linked + set_fact: + sysctl_file_path: "{{sysctl_file_stat.stat.lnk_source}}" + when: + - sysctl_file_stat.stat.islnk is defined + - sysctl_file_stat.stat.islnk + tags: + - bootstrap-os + +- name: Enable ip forwarding + sysctl: + sysctl_file: "{{sysctl_file_path}}" + name: net.ipv4.ip_forward + value: 1 + state: present + reload: yes 
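Review bot: The first task in 0070-system-packages.yml, `Update package management cache (YUM)`, lost the `tags: bootstrap-os` it had in main.yml, while every other task in the file keeps it. The import in main.yml carries `bootstrap-os`, so the task still runs under that tag, but the file is inconsistent on its own; restore `tags: bootstrap-os` after its `when` list. Separately, `update_cache: yes` and `changed_when: False` use YAML 1.1 truthy spellings next to `epel_enabled|bool`; `true`/`false` read the same under every loader.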
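Review bot: `Set selinux policy` reads `slc.stat.exists`, but `slc` is registered by a task that is skipped outside the RedHat family, where the registered result has no `stat` key; the task only works because `ansible_os_family == "RedHat"` is listed first in its `when` list and evaluation stops at the first false condition. That ordering deserves a comment so it survives a reorder: `# keep the os_family check first: slc has no stat key when the stat task was skipped`. `slc.stat.exists == True` can also be written as `slc.stat.exists`, matching `sysctl_file_stat.stat.islnk` later in the same file.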
diff --git a/roles/kubernetes/preinstall/tasks/etchosts.yml b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
similarity index 100%
rename from roles/kubernetes/preinstall/tasks/etchosts.yml
rename to roles/kubernetes/preinstall/tasks/0090-etchosts.yml
diff --git a/roles/kubernetes/preinstall/tasks/dhclient-hooks.yml b/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml
similarity index 100%
rename from roles/kubernetes/preinstall/tasks/dhclient-hooks.yml
rename to roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml
diff --git a/roles/kubernetes/preinstall/tasks/dhclient-hooks-undo.yml b/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml
similarity index 100%
rename from roles/kubernetes/preinstall/tasks/dhclient-hooks-undo.yml
rename to roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml
diff --git a/roles/kubernetes/preinstall/tasks/growpart-azure-centos-7.yml b/roles/kubernetes/preinstall/tasks/0120-growpart-azure-centos-7.yml
similarity index 100%
rename from roles/kubernetes/preinstall/tasks/growpart-azure-centos-7.yml
rename to roles/kubernetes/preinstall/tasks/0120-growpart-azure-centos-7.yml
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 505a6f829..d749a941f 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -1,122 +1,26 @@ --- # Disable swap -- import_tasks: swapoff.yml +- import_tasks: 0010-swapoff.yml when: disable_swap -- import_tasks: verify-settings.yml +- import_tasks: 0020-verify-settings.yml tags: - asserts # This is run before bin_dir is pinned because these tasks are run on localhost -- import_tasks: pre_upgrade.yml +- import_tasks: 0030-pre_upgrade.yml run_once: true tags: - upgrade -- name: Force binaries directory for Container Linux by CoreOS - set_fact: - bin_dir: "/opt/bin" - when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] +- import_tasks: 0040-set_facts.yml tags: + - resolvconf - facts -- name: check bin dir exists - file: - path: "{{bin_dir}}" - state: directory - owner: root - become: true - tags: - - bootstrap-os - -- import_tasks: set_facts.yml - tags: - - facts - -- name: gather os specific variables - include_vars: "{{ item }}" - with_first_found: - - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}.yml" - - defaults.yml - paths: - - ../vars - skip: true - tags: - - facts - -- name: Create kubernetes directories - file: - path: "{{ item }}" - state: directory - owner: kube - when: inventory_hostname in groups['k8s-cluster'] - tags: - - kubelet - - k8s-secrets - - kube-controller-manager - - kube-apiserver - - bootstrap-os - - apps - - network - - master - - node - with_items: - - "{{ kube_config_dir }}" - - "{{ kube_config_dir }}/ssl" - - "{{ kube_manifest_dir }}" - - "{{ kube_script_dir }}" - -- name: check cloud_provider value - fail: - msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', or external" - when: - - cloud_provider is 
defined - - cloud_provider not in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external'] - tags: - - cloud-provider - - facts - -- name: Create cni directories - file: - path: "{{ item }}" - state: directory - owner: kube - with_items: - - "/etc/cni/net.d" - - "/opt/cni/bin" - - "/var/lib/calico" - when: - - kube_network_plugin in ["calico", "weave", "canal", "flannel", "contiv", "cilium"] - - inventory_hostname in groups['k8s-cluster'] - tags: - - network - - cilium - - calico - - weave - - canal - - contiv - - bootstrap-os - -- name: Create local volume provisioner directories - file: - path: "{{ item }}" - state: directory - owner: kube - with_items: - - "{{ local_volume_provisioner_base_dir }}" - - "{{ local_volume_provisioner_mount_dir }}" - when: - - inventory_hostname in groups['k8s-cluster'] - - local_volume_provisioner_enabled - tags: - - persistent_volumes +- import_tasks: 0050-create_directories.yml -- import_tasks: resolvconf.yml +- import_tasks: 0060-resolvconf.yml when: - dns_mode != 'none' - resolvconf_mode == 'host_resolvconf' 
@@ -124,164 +28,20 @@ - bootstrap-os - resolvconf -- name: Update package management cache (YUM) - yum: - update_cache: yes - name: '*' - register: yum_task_result - until: yum_task_result|succeeded - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - when: - - ansible_pkg_mgr == 'yum' - - ansible_distribution != 'RedHat' - - not is_atomic - tags: bootstrap-os - -- name: Expire management cache (YUM) for Updation - Redhat - shell: yum clean expire-cache - register: expire_cache_output - until: expire_cache_output|succeeded - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - when: - - ansible_pkg_mgr == 'yum' - - ansible_distribution == 'RedHat' - - not is_atomic - tags: bootstrap-os - -- name: Update package management cache (YUM) - Redhat - shell: yum makecache - register: make_cache_output - until: make_cache_output|succeeded - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - when: - - ansible_pkg_mgr == 'yum' - - ansible_distribution == 'RedHat' - - expire_cache_output.rc == 0 - - not is_atomic - tags: bootstrap-os - -- name: Update package management cache (zypper) - SUSE - shell: zypper -n --gpg-auto-import-keys ref - register: make_cache_output - until: make_cache_output|succeeded - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - when: - - ansible_pkg_mgr == 'zypper' - tags: bootstrap-os - -- name: Update package management cache (APT) - apt: - update_cache: yes - cache_valid_time: 3600 - when: ansible_os_family == "Debian" - tags: - - bootstrap-os - -- name: Install python-dnf for latest RedHat versions - command: dnf install -y python-dnf yum - register: dnf_task_result - until: dnf_task_result|succeeded - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - when: - - ansible_distribution == "Fedora" - - ansible_distribution_major_version|int > 21 - - not is_atomic - changed_when: False - tags: - - bootstrap-os - -- name: Install epel-release on RedHat/CentOS - yum: - name: epel-release - state: present - when: - - 
ansible_distribution in ["CentOS","RedHat"] - - not is_atomic - - epel_enabled|bool - tags: - - bootstrap-os - -- name: Install packages requirements - action: - module: "{{ ansible_pkg_mgr }}" - name: "{{ item }}" - state: latest - register: pkgs_task_result - until: pkgs_task_result|succeeded - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}" - when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) - tags: - - bootstrap-os - -# Todo : selinux configuration -- name: Confirm selinux deployed - stat: - path: /etc/selinux/config - when: ansible_os_family == "RedHat" - register: slc - -- name: Set selinux policy - selinux: - policy: targeted - state: "{{ preinstall_selinux_state }}" - when: - - ansible_os_family == "RedHat" - - slc.stat.exists == True - changed_when: False - tags: - - bootstrap-os - -- name: Disable IPv6 DNS lookup - lineinfile: - dest: /etc/gai.conf - line: "precedence ::ffff:0:0/96 100" - state: present - backup: yes - when: - - disable_ipv6_dns - - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] - tags: - - bootstrap-os - -- name: Stat sysctl file configuration - stat: - path: "{{sysctl_file_path}}" - register: sysctl_file_stat - tags: - - bootstrap-os - -- name: Change sysctl file path to link source if linked - set_fact: - sysctl_file_path: "{{sysctl_file_stat.stat.lnk_source}}" - when: - - sysctl_file_stat.stat.islnk is defined - - sysctl_file_stat.stat.islnk +- import_tasks: 0070-system-packages.yml tags: - bootstrap-os -- name: Enable ip forwarding - sysctl: - sysctl_file: "{{sysctl_file_path}}" - name: net.ipv4.ip_forward - value: 1 - state: present - reload: yes +- import_tasks: 0080-system-configurations.yml tags: - bootstrap-os -- import_tasks: etchosts.yml +- import_tasks: 0090-etchosts.yml tags: - bootstrap-os - etchosts -- import_tasks: dhclient-hooks.yml +- import_tasks: 0100-dhclient-hooks.yml 
when: - dns_mode != 'none' - resolvconf_mode == 'host_resolvconf' @@ -290,7 +50,7 @@ - bootstrap-os - resolvconf -- import_tasks: dhclient-hooks-undo.yml +- import_tasks: 0110-dhclient-hooks-undo.yml when: - dns_mode != 'none' - resolvconf_mode != 'host_resolvconf' @@ -306,7 +66,7 @@ tags: - bootstrap-os -- import_tasks: growpart-azure-centos-7.yml +- import_tasks: 0120-growpart-azure-centos-7.yml when: - azure_check.stat.exists - ansible_distribution in ["CentOS","RedHat"] diff --git a/roles/kubernetes/preinstall/tasks/set_facts.yml b/roles/kubernetes/preinstall/tasks/set_facts.yml deleted file mode 100644 index a514aa079..000000000 --- a/roles/kubernetes/preinstall/tasks/set_facts.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: check if atomic host - stat: - path: /run/ostree-booted - register: ostree - -- set_fact: - is_atomic: "{{ ostree.stat.exists }}" - -- set_fact: - kube_cert_group: "kube" - when: is_atomic - -- import_tasks: set_resolv_facts.yml - tags: - - resolvconf - - facts