Revert "Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)" (#4510)
Revert "Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)" (#4510)
This reverts commit 316508626d.
pull/4513/head
committed by
Kubernetes Prow Robot
37 changed files with 400 additions and 296 deletions
-
2README.md
-
2inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
-
2roles/download/defaults/main.yml
-
23roles/kubernetes/client/tasks/main.yml
-
17roles/kubernetes/kubeadm/tasks/main.yml
-
2roles/kubernetes/master/defaults/main/kube-proxy.yml
-
11roles/kubernetes/master/defaults/main/main.yml
-
30roles/kubernetes/master/tasks/kubeadm-certificate.yml
-
34roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
-
4roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
-
45roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
-
43roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
-
123roles/kubernetes/master/tasks/kubeadm-setup.yml
-
5roles/kubernetes/master/tasks/kubeadm-version.yml
-
4roles/kubernetes/master/tasks/pre-upgrade.yml
-
204roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
-
10roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
-
10roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
-
10roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
-
26roles/kubernetes/master/templates/kubeadm-controlplane.v1beta1.yaml.j2
-
1roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
-
7roles/kubespray-defaults/defaults/main.yaml
-
4roles/network_plugin/calico/defaults/main.yml
-
19roles/network_plugin/calico/handlers/main.yml
-
4roles/network_plugin/calico/rr/defaults/main.yml
-
6roles/network_plugin/calico/rr/tasks/main.yml
-
3roles/network_plugin/calico/tasks/check.yml
-
8roles/network_plugin/calico/tasks/install.yml
-
2roles/network_plugin/calico/tasks/pre.yml
-
6roles/network_plugin/calico/templates/etcdv2-store.yml.j2
-
6roles/network_plugin/calico/templates/etcdv3-store.yml.j2
-
5roles/network_plugin/canal/defaults/main.yml
-
6roles/network_plugin/canal/tasks/main.yml
-
3roles/network_plugin/cilium/defaults/main.yml
-
2roles/network_plugin/cilium/handlers/main.yml
-
6roles/network_plugin/cilium/tasks/main.yml
-
1tests/files/gce_centos7-flannel-addons.yml
@ -0,0 +1,34 @@ |
|||
--- |
|||
- name: Backup old configuration files |
|||
copy: |
|||
src: "{{ kube_config_dir }}/{{ item.src }}" |
|||
dest: "{{ kube_config_dir }}/{{ item.dest }}" |
|||
remote_src: yes |
|||
with_items: |
|||
- {src: admin.conf, dest: admin.conf.old} |
|||
- {src: kubelet.conf, dest: kubelet.conf.old} |
|||
- {src: controller-manager.conf, dest: controller-manager.conf.old} |
|||
- {src: scheduler.conf, dest: scheduler.conf.old} |
|||
ignore_errors: yes |
|||
|
|||
- name: Remove old configuration files |
|||
file: |
|||
path: "{{ kube_config_dir }}/{{ item }}" |
|||
state: absent |
|||
with_items: |
|||
- admin.conf |
|||
- kubelet.conf |
|||
- controller-manager.conf |
|||
- scheduler.conf |
|||
|
|||
- name: Generate new configuration files |
|||
command: "{{ bin_dir }}/kubeadm init phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml" |
|||
environment: "{{ proxy_env }}" |
|||
when: kubeadm_version is version('v1.13.0', '>=') |
|||
ignore_errors: yes |
|||
|
|||
- name: Generate new configuration files |
|||
command: "{{ bin_dir }}/kubeadm alpha phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml" |
|||
environment: "{{ proxy_env }}" |
|||
when: kubeadm_version is version('v1.13.0', '<') |
|||
ignore_errors: yes |
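Review bot: The two `Generate new configuration files` tasks run with `ignore_errors: yes` right after the four kubeconfigs have been deleted, so a failed `kubeadm … phase kubeconfig all` leaves the master without `admin.conf`, `kubelet.conf`, `controller-manager.conf` and `scheduler.conf` while the play still reports success. Drop `ignore_errors: yes` from both generate tasks, or wrap removal and generation in a `block:` with a `rescue:` that copies the `.old` files back. The backup task also ignores errors, so the removal can run without any backup having been taken. Since `admin.conf.old` holds cluster-admin credentials, the `copy:` should set `owner: root` and `mode: "0600"` explicitly rather than rely on whatever a `remote_src` copy produces. The two generate tasks share one name; adding the kubeadm version range to each would make the logs unambiguous.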
@ -1,45 +0,0 @@ |
|||
--- |
|||
- name: Set kubeadm_discovery_address |
|||
set_fact: |
|||
kubeadm_discovery_address: >- |
|||
{%- if "127.0.0.1" in kube_apiserver_endpoint or "localhost" in kube_apiserver_endpoint -%} |
|||
{{ first_kube_master }}:{{ kube_apiserver_port }} |
|||
{%- else -%} |
|||
{{ kube_apiserver_endpoint }} |
|||
{%- endif %} |
|||
tags: |
|||
- facts |
|||
|
|||
- name: Create kubeadm ControlPlane config |
|||
template: |
|||
src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2" |
|||
dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml" |
|||
backup: yes |
|||
when: |
|||
- inventory_hostname != groups['kube-master']|first |
|||
- not kubeadm_already_run.stat.exists |
|||
|
|||
- name: Wait for k8s apiserver |
|||
wait_for: |
|||
host: "{{kubeadm_discovery_address.split(':')[0]}}" |
|||
port: "{{kubeadm_discovery_address.split(':')[1]}}" |
|||
timeout: 180 |
|||
|
|||
- name: Joining control plane node to the cluster. |
|||
command: >- |
|||
{{ bin_dir }}/kubeadm join |
|||
--config {{ kube_config_dir}}/kubeadm-controlplane.yaml |
|||
--ignore-preflight-errors=all |
|||
{% if kubeadm_certificate_key is defined %} |
|||
--certificate-key={{ kubeadm_certificate_key }} |
|||
{% endif %} |
|||
register: kubeadm_join_control_plane |
|||
when: |
|||
- inventory_hostname != groups['kube-master']|first |
|||
- not kubeadm_already_run.stat.exists |
|||
environment: |
|||
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}" |
|||
|
|||
- name: Set secret_changed to false to avoid extra token rotation |
|||
set_fact: |
|||
secret_changed: false |
@ -1,43 +0,0 @@ |
|||
- name: slurp kubeadm certs |
|||
slurp: |
|||
src: "{{ item }}" |
|||
with_items: |
|||
- "{{ kube_cert_dir }}/apiserver.crt" |
|||
- "{{ kube_cert_dir }}/apiserver.key" |
|||
- "{{ kube_cert_dir }}/apiserver-kubelet-client.crt" |
|||
- "{{ kube_cert_dir }}/apiserver-kubelet-client.key" |
|||
- "{{ kube_cert_dir }}/ca.crt" |
|||
- "{{ kube_cert_dir }}/ca.key" |
|||
- "{{ kube_cert_dir }}/front-proxy-ca.crt" |
|||
- "{{ kube_cert_dir }}/front-proxy-ca.key" |
|||
- "{{ kube_cert_dir }}/front-proxy-client.crt" |
|||
- "{{ kube_cert_dir }}/front-proxy-client.key" |
|||
- "{{ kube_cert_dir }}/sa.key" |
|||
- "{{ kube_cert_dir }}/sa.pub" |
|||
register: kubeadm_certs |
|||
delegate_to: "{{ groups['kube-master']|first }}" |
|||
|
|||
- name: kubeadm | write out kubeadm certs |
|||
copy: |
|||
dest: "{{ item.item }}" |
|||
content: "{{ item.content | b64decode }}" |
|||
owner: root |
|||
group: root |
|||
mode: 0600 |
|||
no_log: true |
|||
register: copy_kubeadm_certs |
|||
with_items: "{{ kubeadm_certs.results }}" |
|||
when: inventory_hostname != groups['kube-master']|first |
|||
|
|||
- name: kubeadm | Init other uninitialized masters |
|||
command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all |
|||
register: kubeadm_init |
|||
retries: 10 |
|||
until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr |
|||
when: |
|||
- inventory_hostname != groups['kube-master']|first |
|||
- not kubeadm_already_run.stat.exists |
|||
failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr |
|||
environment: |
|||
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}" |
|||
notify: Master | restart kubelet |
@ -0,0 +1,204 @@ |
|||
apiVersion: kubeadm.k8s.io/v1alpha1 |
|||
kind: MasterConfiguration |
|||
api: |
|||
{% if kubeadm_config_api_fqdn is defined %} |
|||
controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }} |
|||
bindPort: {{ loadbalancer_apiserver.port | default(kube_apiserver_port) }} |
|||
{% else %} |
|||
advertiseAddress: {{ ip | default(fallback_ips[inventory_hostname]) }} |
|||
bindPort: {{ kube_apiserver_port }} |
|||
{% endif %} |
|||
etcd: |
|||
endpoints: |
|||
{% for endpoint in etcd_access_addresses.split(',') %} |
|||
- {{ endpoint }} |
|||
{% endfor %} |
|||
caFile: {{ etcd_cert_dir }}/ca.pem |
|||
certFile: {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem |
|||
keyFile: {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem |
|||
networking: |
|||
dnsDomain: {{ dns_domain }} |
|||
serviceSubnet: {{ kube_service_addresses }} |
|||
podSubnet: {{ kube_pods_subnet }} |
|||
kubernetesVersion: {{ kube_version }} |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} |
|||
cloudProvider: {{cloud_provider}} |
|||
cloudConfig: {{ kube_config_dir }}/cloud_config |
|||
{% elif cloud_provider is defined and cloud_provider in ["external"] %} |
|||
cloudConfig: {{ kube_config_dir }}/cloud_config |
|||
{% endif %} |
|||
{% if kube_proxy_mode == 'ipvs' %} |
|||
kubeProxy: |
|||
config: |
|||
{% if kube_version is version('v1.10', '<') %} |
|||
featureGates: SupportIPVSProxyMode=true |
|||
{% endif %} |
|||
{% if kube_version is version('v1.10', '>=') %} |
|||
featureGates: |
|||
SupportIPVSProxyMode: true |
|||
{% endif %} |
|||
mode: ipvs |
|||
{% endif %} |
|||
{% if kube_proxy_nodeport_addresses %} |
|||
nodePortAddresses: {{ kube_proxy_nodeport_addresses }} |
|||
{% endif %} |
|||
resourceContainer: "" |
|||
authorizationModes: |
|||
{% for mode in authorization_modes %} |
|||
- {{ mode }} |
|||
{% endfor %} |
|||
selfHosted: false |
|||
apiServerExtraArgs: |
|||
bind-address: {{ kube_apiserver_bind_address }} |
|||
{% if kube_apiserver_insecure_port|string != "0" %} |
|||
insecure-bind-address: {{ kube_apiserver_insecure_bind_address }} |
|||
{% endif %} |
|||
insecure-port: "{{ kube_apiserver_insecure_port }}" |
|||
{% if kube_version is version('v1.10', '<') %} |
|||
admission-control: {{ kube_apiserver_admission_control | join(',') }} |
|||
{% else %} |
|||
{% if kube_apiserver_enable_admission_plugins|length > 0 %} |
|||
enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }} |
|||
{% endif %} |
|||
{% if kube_apiserver_disable_admission_plugins|length > 0 %} |
|||
disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }} |
|||
{% endif %} |
|||
{% endif %} |
|||
apiserver-count: "{{ kube_apiserver_count }}" |
|||
{% if kube_version is version('v1.9', '>=') %} |
|||
endpoint-reconciler-type: lease |
|||
{% endif %} |
|||
{% if etcd_events_cluster_enabled %} |
|||
etcd-servers-overrides: "/events#{{ etcd_events_access_addresses }}" |
|||
{% endif %} |
|||
service-node-port-range: {{ kube_apiserver_node_port_range }} |
|||
kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}" |
|||
profiling: "{{ kube_profiling }}" |
|||
request-timeout: "{{ kube_apiserver_request_timeout }}" |
|||
repair-malformed-updates: "false" |
|||
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}" |
|||
{% if kube_api_anonymous_auth is defined and kube_version is version('v1.5', '>=') %} |
|||
anonymous-auth: "{{ kube_api_anonymous_auth }}" |
|||
{% endif %} |
|||
{% if kube_basic_auth|default(true) %} |
|||
basic-auth-file: {{ kube_users_dir }}/known_users.csv |
|||
{% endif %} |
|||
{% if kube_token_auth|default(true) %} |
|||
token-auth-file: {{ kube_token_dir }}/known_tokens.csv |
|||
{% endif %} |
|||
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} |
|||
oidc-issuer-url: {{ kube_oidc_url }} |
|||
oidc-client-id: {{ kube_oidc_client_id }} |
|||
{% if kube_oidc_ca_file is defined %} |
|||
oidc-ca-file: {{ kube_oidc_ca_file }} |
|||
{% endif %} |
|||
{% if kube_oidc_username_claim is defined %} |
|||
oidc-username-claim: {{ kube_oidc_username_claim }} |
|||
{% endif %} |
|||
{% if kube_oidc_groups_claim is defined %} |
|||
oidc-groups-claim: {{ kube_oidc_groups_claim }} |
|||
{% endif %} |
|||
{% if kube_oidc_username_prefix is defined %} |
|||
oidc-username-prefix: "{{ kube_oidc_username_prefix }}" |
|||
{% endif %} |
|||
{% if kube_oidc_groups_prefix is defined %} |
|||
oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}" |
|||
{% endif %} |
|||
{% endif %} |
|||
{% if kube_webhook_token_auth|default(false) %} |
|||
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml |
|||
{% endif %} |
|||
{% if kube_encrypt_secret_data %} |
|||
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml |
|||
{% endif %} |
|||
storage-backend: {{ kube_apiserver_storage_backend }} |
|||
{% if kube_api_runtime_config is defined %} |
|||
runtime-config: {{ kube_api_runtime_config | join(',') }} |
|||
{% endif %} |
|||
allow-privileged: "true" |
|||
{% for key in kube_kubeadm_apiserver_extra_args %} |
|||
{{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}" |
|||
{% endfor %} |
|||
{% if kube_feature_gates %} |
|||
feature-gates: {{ kube_feature_gates|join(',') }} |
|||
{% endif %} |
|||
{% if kube_network_plugin is defined and kube_network_plugin == 'cloud' %} |
|||
configure-cloud-routes: "true" |
|||
{% endif %} |
|||
controllerManagerExtraArgs: |
|||
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }} |
|||
node-monitor-period: {{ kube_controller_node_monitor_period }} |
|||
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }} |
|||
node-cidr-mask-size: "{{ kube_network_node_prefix }}" |
|||
profiling: "{{ kube_profiling }}" |
|||
terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}" |
|||
{% if kube_feature_gates %} |
|||
feature-gates: {{ kube_feature_gates|join(',') }} |
|||
{% endif %} |
|||
{% for key in kube_kubeadm_controller_extra_args %} |
|||
{{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}" |
|||
{% endfor %} |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %} |
|||
controllerManagerExtraVolumes: |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %} |
|||
- name: openstackcacert |
|||
hostPath: "{{ kube_config_dir }}/openstack-cacert.pem" |
|||
mountPath: "{{ kube_config_dir }}/openstack-cacert.pem" |
|||
{% endif %} |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %} |
|||
- name: cloud-config |
|||
hostPath: {{ kube_config_dir }}/cloud_config |
|||
mountPath: {{ kube_config_dir }}/cloud_config |
|||
{% endif %} |
|||
{% endif %} |
|||
schedulerExtraArgs: |
|||
profiling: "{{ kube_profiling }}" |
|||
{% if kube_feature_gates %} |
|||
feature-gates: {{ kube_feature_gates|join(',') }} |
|||
{% endif %} |
|||
{% if kube_kubeadm_scheduler_extra_args|length > 0 %} |
|||
{% for key in kube_kubeadm_scheduler_extra_args %} |
|||
{{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}" |
|||
{% endfor %} |
|||
{% endif %} |
|||
{% if kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ssl_ca_dirs|length %} |
|||
apiServerExtraVolumes: |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %} |
|||
- name: cloud-config |
|||
hostPath: {{ kube_config_dir }}/cloud_config |
|||
mountPath: {{ kube_config_dir }}/cloud_config |
|||
{% endif %} |
|||
{% if kube_basic_auth|default(true) %} |
|||
- name: basic-auth-config |
|||
hostPath: {{ kube_users_dir }} |
|||
mountPath: {{ kube_users_dir }} |
|||
{% endif %} |
|||
{% if kube_token_auth|default(true) %} |
|||
- name: token-auth-config |
|||
hostPath: {{ kube_token_dir }} |
|||
mountPath: {{ kube_token_dir }} |
|||
{% endif %} |
|||
{% if kube_webhook_token_auth|default(false) %} |
|||
- name: webhook-token-auth-config |
|||
hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml |
|||
mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml |
|||
{% endif %} |
|||
{% if ssl_ca_dirs|length %} |
|||
{% for dir in ssl_ca_dirs %} |
|||
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
hostPath: {{ dir }} |
|||
mountPath: {{ dir }} |
|||
writable: false |
|||
{% endfor %} |
|||
{% endif %} |
|||
{% endif %} |
|||
apiServerCertSANs: |
|||
{% for san in apiserver_sans %} |
|||
- {{ san }} |
|||
{% endfor %} |
|||
certificatesDir: {{ kube_cert_dir }} |
|||
imageRepository: {{ kube_image_repo }} |
|||
unifiedControlPlaneImage: "" |
|||
{% if kube_override_hostname|default('') %} |
|||
nodeName: {{ kube_override_hostname }} |
|||
{% endif %} |
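Review bot: `{% if kube_basic_auth|default(true) %}` and `{% if kube_token_auth|default(true) %}` fail open: when the variables are undefined, the rendered config passes `basic-auth-file` and `token-auth-file` to the API server and so enables static password and static token authentication. Unless role defaults outside this hunk already set them, prefer `default(false)` in the `apiServerExtraArgs` entries and in the matching `apiServerExtraVolumes` conditions, so that static credentials are opt-in. Related: the `cloud-config` entry under `apiServerExtraVolumes` sits inside the outer `{% if kube_basic_auth|default(true) or … or ssl_ca_dirs|length %}`, so an operator who disables all of those and has no `ssl_ca_dirs` loses the cloud-config mount; the `cloud_provider` test should be added to that outer condition. `insecure-port` is rendered unconditionally from `kube_apiserver_insecure_port`, which deserves a template comment saying the value should be `"0"` outside test clusters.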
@ -1,26 +0,0 @@ |
|||
apiVersion: kubeadm.k8s.io/v1beta1 |
|||
kind: JoinConfiguration |
|||
discovery: |
|||
bootstrapToken: |
|||
{% if kubeadm_config_api_fqdn is defined %} |
|||
apiServerEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }} |
|||
{% else %} |
|||
apiServerEndpoint: {{ kubeadm_discovery_address | replace("https://", "")}} |
|||
{% endif %} |
|||
token: {{ kubeadm_token }} |
|||
unsafeSkipCAVerification: true |
|||
timeout: {{ discovery_timeout }} |
|||
tlsBootstrapToken: {{ kubeadm_token }} |
|||
controlPlane: |
|||
localAPIEndpoint: |
|||
advertiseAddress: {{ kube_apiserver_address }} |
|||
bindPort: {{ kube_apiserver_port }} |
|||
nodeRegistration: |
|||
name: {{ inventory_hostname }} |
|||
{% if container_manager == 'crio' %} |
|||
criSocket: /var/run/crio/crio.sock |
|||
{% elif container_manager == 'rkt' %} |
|||
criSocket: /var/run/rkt.sock |
|||
{% else %} |
|||
criSocket: /var/run/dockershim.sock |
|||
{% endif %} |
@ -1,14 +1,15 @@ |
|||
--- |
|||
- name: reset_calico_cni |
|||
- name: restart calico-node |
|||
command: /bin/true |
|||
notify: |
|||
- delete 10-calico.conflist |
|||
- delete calico-node containers |
|||
- Calico | reload systemd |
|||
- Calico | reload calico-node |
|||
|
|||
- name: delete 10-calico.conflist |
|||
file: |
|||
path: /etc/calico/10-calico.conflist |
|||
state: absent |
|||
- name: Calico | reload systemd |
|||
shell: systemctl daemon-reload |
|||
|
|||
- name: delete calico-node containers |
|||
shell: "docker ps -af name=k8s_POD_calico-node* -q | xargs --no-run-if-empty docker rm -f" |
|||
- name: Calico | reload calico-node |
|||
service: |
|||
name: calico-node |
|||
state: restarted |
|||
sleep: 10 |
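Review bot: `shell: systemctl daemon-reload` in the `Calico | reload systemd` handler does not need a shell; `systemd:` with `daemon_reload: yes`, or a plain `command:`, avoids it. The `+`/`-` markers are lost on this page, so this assumes the `Calico | reload …` handlers are the side the revert restores. The shim `command: /bin/true` under `restart calico-node` deserves a one-line comment saying it exists only to fan out the `notify:` list.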