Remove non-kubeadm deployment (#3811)
Remove non-kubeadm deployment (#3811)
* Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout until kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokenspull/3833/head
committed by
Kubernetes Prow Robot
65 changed files with 111 additions and 2042 deletions
-
9.gitlab-ci.yml
-
18cluster.yml
-
1contrib/dind/kubespray-dind.yaml
-
6contrib/dind/test-some_distros-kube_router_combo.env
-
10contrib/dind/test-some_distros-most_CNIs.env
-
3docs/cri-o.md
-
30docs/kube-router.md
-
3docs/vars.md
-
8inventory/sample/group_vars/all/all.yml
-
15roles/download/defaults/main.yml
-
2roles/kubernetes-apps/ansible/tasks/cleanup_dns.yml
-
10roles/kubernetes-apps/rotate_tokens/tasks/main.yml
-
19roles/kubernetes/client/tasks/main.yml
-
2roles/kubernetes/kubeadm/tasks/main.yml
-
13roles/kubernetes/master/handlers/main.yml
-
2roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
-
12roles/kubernetes/master/tasks/kubeadm-setup.yml
-
15roles/kubernetes/master/tasks/main.yml
-
59roles/kubernetes/master/tasks/static-pod-setup.yml
-
1roles/kubernetes/master/tasks/users-file.yml
-
18roles/kubernetes/master/templates/kube-controller-manager-kubeconfig.yaml.j2
-
18roles/kubernetes/master/templates/kube-scheduler-kubeconfig.yaml.j2
-
2roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
-
2roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
-
2roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
-
18roles/kubernetes/master/templates/kubectl-kubeconfig.yaml.j2
-
237roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
-
132roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
-
82roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
-
9roles/kubernetes/node/defaults/main.yml
-
6roles/kubernetes/node/meta/main.yml
-
40roles/kubernetes/node/tasks/install.yml
-
9roles/kubernetes/node/tasks/install_docker.yml
-
30roles/kubernetes/node/tasks/install_host.yml
-
32roles/kubernetes/node/tasks/install_rkt.yml
-
37roles/kubernetes/node/tasks/main.yml
-
4roles/kubernetes/node/tasks/pre_upgrade.yml
-
18roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
-
43roles/kubernetes/node/templates/kubelet-container.j2
-
31roles/kubernetes/node/templates/kubelet.docker.service.j2
-
120roles/kubernetes/node/templates/kubelet.rkt.service.j2
-
151roles/kubernetes/node/templates/kubelet.standard.env.j2
-
110roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
-
4roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
-
1roles/kubernetes/preinstall/tasks/0040-set_facts.yml
-
2roles/kubernetes/secrets/defaults/main.yml
-
0roles/kubernetes/secrets/files/certs/.gitkeep
-
15roles/kubernetes/secrets/handlers/main.yml
-
1roles/kubernetes/secrets/meta/main.yml
-
82roles/kubernetes/secrets/tasks/check-certs.yml
-
227roles/kubernetes/secrets/tasks/gen_certs_script.yml
-
109roles/kubernetes/secrets/tasks/main.yml
-
30roles/kubernetes/secrets/tasks/upd_ca_trust.yml
-
151roles/kubernetes/secrets/templates/make-ssl.sh.j2
-
42roles/kubernetes/secrets/templates/openssl-master.conf.j2
-
20roles/kubernetes/secrets/templates/openssl-node.conf.j2
-
20roles/kubespray-defaults/defaults/main.yaml
-
2roles/remove-node/pre-remove/tasks/main.yml
-
2roles/upgrade/post-upgrade/tasks/main.yml
-
8roles/win_nodes/kubernetes_patch/tasks/main.yml
-
15scale.yml
-
15tests/cloud_playbooks/delete-gce.yml
-
2tests/files/gce_ubuntu-flannel-ha.yml
-
1tests/testcases/010_check-apiserver.yml
-
15upgrade-cluster.yml
@ -1,8 +1,6 @@ |
|||
DISTROS=(debian centos) |
|||
NETCHECKER_HOST=${NODES[0]} |
|||
EXTRAS=( |
|||
'kube_network_plugin=kube-router {"kubeadm_enabled":true,"kube_router_run_service_proxy":false}' |
|||
'kube_network_plugin=kube-router {"kubeadm_enabled":true,"kube_router_run_service_proxy":true}' |
|||
'kube_network_plugin=kube-router {"kubeadm_enabled":false,"kube_router_run_service_proxy":false}' |
|||
'kube_network_plugin=kube-router {"kubeadm_enabled":false,"kube_router_run_service_proxy":true}' |
|||
'kube_network_plugin=kube-router {"kube_router_run_service_proxy":false}' |
|||
'kube_network_plugin=kube-router {"kube_router_run_service_proxy":true}' |
|||
) |
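Review bot: The new EXTRAS entries drop the `kubeadm_enabled` key without anything in the file recording why, so a reader of this test matrix cannot tell whether the flag was dropped because it is now the default or because it is no longer accepted; given the commit title, the latter appears to be the case, but that is inferred rather than visible here. A one-line comment above `EXTRAS=(`, such as `# kubeadm is the only deployment path now; kubeadm_enabled is no longer a valid override`, would keep a future contributor from re-adding the `{"kubeadm_enabled":false,...}` combinations the old matrix carried. The same applies to the second hunk, where the `{"kubeadm_enabled":true}` suffixes become `{}`. The hunk header `-1,8 +1,6` covers the whole file, so the matrix shown is complete.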
@ -1,8 +1,8 @@ |
|||
DISTROS=(debian centos) |
|||
EXTRAS=( |
|||
'kube_network_plugin=calico {"kubeadm_enabled":true}' |
|||
'kube_network_plugin=canal {"kubeadm_enabled":true}' |
|||
'kube_network_plugin=cilium {"kubeadm_enabled":true}' |
|||
'kube_network_plugin=flannel {"kubeadm_enabled":true}' |
|||
'kube_network_plugin=weave {"kubeadm_enabled":true}' |
|||
'kube_network_plugin=calico {}' |
|||
'kube_network_plugin=canal {}' |
|||
'kube_network_plugin=cilium {}' |
|||
'kube_network_plugin=flannel {}' |
|||
'kube_network_plugin=weave {}' |
|||
) |
@ -1,59 +0,0 @@ |
|||
--- |
|||
- name: Create audit-policy directory |
|||
file: |
|||
path: "{{ audit_policy_file | dirname }}" |
|||
state: directory |
|||
tags: |
|||
- kube-apiserver |
|||
when: kubernetes_audit|default(false) |
|||
|
|||
- name: Write api audit policy yaml |
|||
template: |
|||
src: apiserver-audit-policy.yaml.j2 |
|||
dest: "{{ audit_policy_file }}" |
|||
notify: Master | Restart apiserver |
|||
tags: |
|||
- kube-apiserver |
|||
when: kubernetes_audit|default(false) |
|||
|
|||
- name: Write kube-apiserver manifest |
|||
template: |
|||
src: manifests/kube-apiserver.manifest.j2 |
|||
dest: "{{ kube_manifest_dir }}/kube-apiserver.manifest" |
|||
notify: Master | Restart apiserver |
|||
tags: |
|||
- kube-apiserver |
|||
|
|||
- meta: flush_handlers |
|||
|
|||
- name: Write kube-scheduler kubeconfig |
|||
template: |
|||
src: kube-scheduler-kubeconfig.yaml.j2 |
|||
dest: "{{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml" |
|||
tags: |
|||
- kube-scheduler |
|||
|
|||
- name: Write kube-scheduler manifest |
|||
template: |
|||
src: manifests/kube-scheduler.manifest.j2 |
|||
dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest" |
|||
notify: Master | Restart kube-scheduler |
|||
tags: |
|||
- kube-scheduler |
|||
|
|||
- name: Write kube-controller-manager kubeconfig |
|||
template: |
|||
src: kube-controller-manager-kubeconfig.yaml.j2 |
|||
dest: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml" |
|||
tags: |
|||
- kube-controller-manager |
|||
|
|||
- name: Write kube-controller-manager manifest |
|||
template: |
|||
src: manifests/kube-controller-manager.manifest.j2 |
|||
dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest" |
|||
notify: Master | Restart kube-controller-manager |
|||
tags: |
|||
- kube-controller-manager |
|||
|
|||
- meta: flush_handlers |
@ -1,18 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Config |
|||
clusters: |
|||
- name: local |
|||
cluster: |
|||
certificate-authority: {{ kube_cert_dir }}/ca.pem |
|||
server: {{ kube_apiserver_endpoint }} |
|||
users: |
|||
- name: kube-controller-manager |
|||
user: |
|||
client-certificate: {{ kube_cert_dir }}/kube-controller-manager.pem |
|||
client-key: {{ kube_cert_dir }}/kube-controller-manager-key.pem |
|||
contexts: |
|||
- context: |
|||
cluster: local |
|||
user: kube-controller-manager |
|||
name: kube-controller-manager-{{ cluster_name }} |
|||
current-context: kube-controller-manager-{{ cluster_name }} |
@ -1,18 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Config |
|||
clusters: |
|||
- name: local |
|||
cluster: |
|||
certificate-authority: {{ kube_cert_dir }}/ca.pem |
|||
server: {{ kube_apiserver_endpoint }} |
|||
users: |
|||
- name: kube-scheduler |
|||
user: |
|||
client-certificate: {{ kube_cert_dir }}/kube-scheduler.pem |
|||
client-key: {{ kube_cert_dir }}/kube-scheduler-key.pem |
|||
contexts: |
|||
- context: |
|||
cluster: local |
|||
user: kube-scheduler |
|||
name: kube-scheduler-{{ cluster_name }} |
|||
current-context: kube-scheduler-{{ cluster_name }} |
@ -1,18 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Config |
|||
current-context: kubectl-to-{{ cluster_name }} |
|||
preferences: {} |
|||
clusters: |
|||
- cluster: |
|||
certificate-authority-data: {{ kube_node_cert|b64encode }} |
|||
server: {{ kube_apiserver_endpoint }} |
|||
name: {{ cluster_name }} |
|||
contexts: |
|||
- context: |
|||
cluster: {{ cluster_name }} |
|||
user: kubectl |
|||
name: kubectl-to-{{ cluster_name }} |
|||
users: |
|||
- name: kubectl |
|||
user: |
|||
token: {{ kubectl_token }} |
@ -1,237 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Pod |
|||
metadata: |
|||
name: kube-apiserver |
|||
namespace: kube-system |
|||
labels: |
|||
k8s-app: kube-apiserver |
|||
kubespray: v2 |
|||
annotations: |
|||
kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}" |
|||
kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}" |
|||
spec: |
|||
hostNetwork: true |
|||
{% if kube_version is version('v1.6', '>=') %} |
|||
dnsPolicy: ClusterFirst |
|||
{% endif %} |
|||
{% if kube_version is version('v1.11.1', '>=') %} |
|||
priorityClassName: system-node-critical |
|||
{% endif %} |
|||
containers: |
|||
- name: kube-apiserver |
|||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
resources: |
|||
limits: |
|||
cpu: {{ kube_apiserver_cpu_limit }} |
|||
memory: {{ kube_apiserver_memory_limit }} |
|||
requests: |
|||
cpu: {{ kube_apiserver_cpu_requests }} |
|||
memory: {{ kube_apiserver_memory_requests }} |
|||
command: |
|||
- /hyperkube |
|||
- apiserver |
|||
{% if kubernetes_audit %} |
|||
- --audit-log-path={{ audit_log_path }} |
|||
- --audit-log-maxage={{ audit_log_maxage }} |
|||
- --audit-log-maxbackup={{ audit_log_maxbackups }} |
|||
- --audit-log-maxsize={{ audit_log_maxsize }} |
|||
- --audit-policy-file={{ audit_policy_file }} |
|||
{% endif %} |
|||
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }} |
|||
- --etcd-servers={{ etcd_access_addresses }} |
|||
{% if etcd_events_cluster_enabled %} |
|||
- --etcd-servers-overrides=/events#{{ etcd_events_access_addresses_semicolon }} |
|||
{% endif %} |
|||
{% if kube_version is version('v1.9', '<') %} |
|||
- --etcd-quorum-read=true |
|||
{% endif %} |
|||
- --etcd-cafile={{ etcd_cert_dir }}/ca.pem |
|||
- --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem |
|||
- --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem |
|||
{% if kube_apiserver_insecure_port|string != "0" %} |
|||
- --insecure-bind-address={{ kube_apiserver_insecure_bind_address }} |
|||
{% endif %} |
|||
- --bind-address={{ kube_apiserver_bind_address }} |
|||
- --apiserver-count={{ kube_apiserver_count }} |
|||
{% if kube_version is version('v1.9', '>=') %} |
|||
- --endpoint-reconciler-type=lease |
|||
{% endif %} |
|||
{% if kube_version is version('v1.10', '<') %} |
|||
- --admission-control={{ kube_apiserver_admission_control | join(',') }} |
|||
{% else %} |
|||
{% if kube_apiserver_enable_admission_plugins|length > 0 %} |
|||
- --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }} |
|||
{% endif %} |
|||
{% if kube_apiserver_disable_admission_plugins|length > 0 %} |
|||
- --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }} |
|||
{% endif %} |
|||
{% endif %} |
|||
- --service-cluster-ip-range={{ kube_service_addresses }} |
|||
- --service-node-port-range={{ kube_apiserver_node_port_range }} |
|||
- --client-ca-file={{ kube_cert_dir }}/ca.pem |
|||
- --profiling={{ kube_profiling }} |
|||
- --repair-malformed-updates=false |
|||
- --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem |
|||
- --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem |
|||
- --service-account-lookup=true |
|||
- --kubelet-preferred-address-types={{ kubelet_preferred_address_types }} |
|||
- --request-timeout={{ kube_apiserver_request_timeout }} |
|||
{% if kube_basic_auth|default(true) %} |
|||
- --basic-auth-file={{ kube_users_dir }}/known_users.csv |
|||
{% endif %} |
|||
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem |
|||
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem |
|||
{% if kube_token_auth|default(true) %} |
|||
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv |
|||
{% endif %} |
|||
- --service-account-key-file={{ kube_cert_dir }}/service-account-key.pem |
|||
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} |
|||
- --oidc-issuer-url={{ kube_oidc_url }} |
|||
- --oidc-client-id={{ kube_oidc_client_id }} |
|||
{% if kube_oidc_ca_file is defined %} |
|||
- --oidc-ca-file={{ kube_oidc_ca_file }} |
|||
{% endif %} |
|||
{% if kube_oidc_username_claim is defined %} |
|||
- --oidc-username-claim={{ kube_oidc_username_claim }} |
|||
{% endif %} |
|||
{% if kube_oidc_username_prefix is defined %} |
|||
- "--oidc-username-prefix={{ kube_oidc_username_prefix }}" |
|||
{% endif %} |
|||
{% if kube_oidc_groups_claim is defined %} |
|||
- --oidc-groups-claim={{ kube_oidc_groups_claim }} |
|||
{% endif %} |
|||
{% if kube_oidc_groups_prefix is defined %} |
|||
- "--oidc-groups-prefix={{ kube_oidc_groups_prefix }}" |
|||
{% endif %} |
|||
{% endif %} |
|||
- --secure-port={{ kube_apiserver_port }} |
|||
- --insecure-port={{ kube_apiserver_insecure_port }} |
|||
- --storage-backend={{ kube_apiserver_storage_backend }} |
|||
{% if kube_api_runtime_config is defined %} |
|||
{% for conf in kube_api_runtime_config %} |
|||
- --runtime-config={{ conf }} |
|||
{% endfor %} |
|||
{% endif %} |
|||
{% if enable_network_policy %} |
|||
{% if kube_version is version('v1.8', '<') %} |
|||
- --runtime-config=extensions/v1beta1/networkpolicies=true |
|||
{% endif %} |
|||
{% endif %} |
|||
- --v={{ kube_log_level }} |
|||
- --allow-privileged=true |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} |
|||
- --cloud-provider={{ cloud_provider }} |
|||
- --cloud-config={{ kube_config_dir }}/cloud_config |
|||
{% endif %} |
|||
{% if kube_api_anonymous_auth is defined and kube_version is version('v1.5', '>=') %} |
|||
- --anonymous-auth={{ kube_api_anonymous_auth }} |
|||
{% endif %} |
|||
{% if authorization_modes %} |
|||
- --authorization-mode={{ authorization_modes|join(',') }} |
|||
{% endif %} |
|||
{% if kube_encrypt_secret_data %} |
|||
- --experimental-encryption-provider-config={{ kube_config_dir }}/ssl/secrets_encryption.yaml |
|||
{% endif %} |
|||
{% if kube_feature_gates %} |
|||
- --feature-gates={{ kube_feature_gates|join(',') }} |
|||
{% endif %} |
|||
{% if kube_version is version('v1.9', '>=') %} |
|||
- --requestheader-client-ca-file={{ kube_cert_dir }}/{{ kube_front_proxy_ca }} |
|||
{# FIXME(mattymo): Vault certs do not work with front-proxy-client #} |
|||
{% if cert_management == "vault" %} |
|||
- --requestheader-allowed-names= |
|||
{% else %} |
|||
- --requestheader-allowed-names=front-proxy-client |
|||
{% endif %} |
|||
- --requestheader-extra-headers-prefix=X-Remote-Extra- |
|||
- --requestheader-group-headers=X-Remote-Group |
|||
- --requestheader-username-headers=X-Remote-User |
|||
- --enable-aggregator-routing={{ kube_api_aggregator_routing }} |
|||
- --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem |
|||
- --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem |
|||
{% else %} |
|||
- --proxy-client-cert-file={{ kube_cert_dir }}/apiserver.pem |
|||
- --proxy-client-key-file={{ kube_cert_dir }}/apiserver-key.pem |
|||
{% endif %} |
|||
{% if apiserver_custom_flags is string %} |
|||
- {{ apiserver_custom_flags }} |
|||
{% else %} |
|||
{% for flag in apiserver_custom_flags %} |
|||
- {{ flag }} |
|||
{% endfor %} |
|||
{% endif %} |
|||
livenessProbe: |
|||
httpGet: |
|||
host: 127.0.0.1 |
|||
path: /healthz |
|||
{% if kube_apiserver_insecure_port|int == 0 %} |
|||
port: {{ kube_apiserver_port }} |
|||
scheme: HTTPS |
|||
{% else %} |
|||
port: {{ kube_apiserver_insecure_port }} |
|||
{% endif %} |
|||
failureThreshold: 8 |
|||
initialDelaySeconds: 15 |
|||
periodSeconds: 10 |
|||
successThreshold: 1 |
|||
timeoutSeconds: 15 |
|||
volumeMounts: |
|||
- mountPath: {{ kube_config_dir }} |
|||
name: kubernetes-config |
|||
readOnly: true |
|||
- mountPath: /etc/ssl |
|||
name: ssl-certs-host |
|||
readOnly: true |
|||
{% for dir in ssl_ca_dirs %} |
|||
- mountPath: {{ dir }} |
|||
name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
readOnly: true |
|||
{% endfor %} |
|||
- mountPath: {{ etcd_cert_dir }} |
|||
name: etcd-certs |
|||
readOnly: true |
|||
{% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %} |
|||
- mountPath: /etc/ssl/certs/ca-bundle.crt |
|||
name: rhel-ca-bundle |
|||
readOnly: true |
|||
{% endif %} |
|||
{% if kubernetes_audit %} |
|||
{% if audit_log_path != "-" %} |
|||
- mountPath: {{ audit_log_mountpath }} |
|||
name: {{ audit_log_name }} |
|||
Writable: true |
|||
{% endif %} |
|||
- mountPath: {{ audit_policy_mountpath }} |
|||
name: {{ audit_policy_name }} |
|||
{% endif %} |
|||
volumes: |
|||
- hostPath: |
|||
path: {{ kube_config_dir }} |
|||
name: kubernetes-config |
|||
- name: ssl-certs-host |
|||
hostPath: |
|||
path: /etc/ssl |
|||
{% for dir in ssl_ca_dirs %} |
|||
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
hostPath: |
|||
path: {{ dir }} |
|||
{% endfor %} |
|||
- hostPath: |
|||
path: {{ etcd_cert_dir }} |
|||
name: etcd-certs |
|||
{% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %} |
|||
- hostPath: |
|||
path: /etc/ssl/certs/ca-bundle.crt |
|||
name: rhel-ca-bundle |
|||
{% endif %} |
|||
{% if kubernetes_audit %} |
|||
{% if audit_log_path != "-" %} |
|||
- hostPath: |
|||
path: {{ audit_log_hostpath }} |
|||
name: {{ audit_log_name }} |
|||
{% endif %} |
|||
- hostPath: |
|||
path: {{ audit_policy_hostpath }} |
|||
name: {{ audit_policy_name }} |
|||
{% endif %} |
@ -1,132 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Pod |
|||
metadata: |
|||
name: kube-controller-manager |
|||
namespace: kube-system |
|||
labels: |
|||
k8s-app: kube-controller-manager |
|||
annotations: |
|||
kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}" |
|||
kubespray.controller-manager-cert/serial: "{{ controller_manager_cert_serial }}" |
|||
spec: |
|||
hostNetwork: true |
|||
{% if kube_version is version('v1.6', '>=') %} |
|||
dnsPolicy: ClusterFirst |
|||
{% endif %} |
|||
{% if kube_version is version('v1.11.1', '>=') %} |
|||
priorityClassName: system-node-critical |
|||
{% endif %} |
|||
containers: |
|||
- name: kube-controller-manager |
|||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
resources: |
|||
limits: |
|||
cpu: {{ kube_controller_cpu_limit }} |
|||
memory: {{ kube_controller_memory_limit }} |
|||
requests: |
|||
cpu: {{ kube_controller_cpu_requests }} |
|||
memory: {{ kube_controller_memory_requests }} |
|||
command: |
|||
- /hyperkube |
|||
- controller-manager |
|||
- --kubeconfig={{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml |
|||
- --leader-elect=true |
|||
- --service-account-private-key-file={{ kube_cert_dir }}/service-account-key.pem |
|||
- --root-ca-file={{ kube_cert_dir }}/ca.pem |
|||
- --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem |
|||
- --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem |
|||
- --enable-hostpath-provisioner={{ kube_hostpath_dynamic_provisioner }} |
|||
- --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }} |
|||
- --node-monitor-period={{ kube_controller_node_monitor_period }} |
|||
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }} |
|||
- --profiling={{ kube_profiling }} |
|||
- --terminated-pod-gc-threshold={{ kube_controller_terminated_pod_gc_threshold }} |
|||
- --v={{ kube_log_level }} |
|||
{% if rbac_enabled %} |
|||
- --use-service-account-credentials=true |
|||
{% endif %} |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} |
|||
- --cloud-provider={{cloud_provider}} |
|||
- --cloud-config={{ kube_config_dir }}/cloud_config |
|||
{% elif cloud_provider is defined and cloud_provider in ["external", "oci"] %} |
|||
- --cloud-provider=external |
|||
{% endif %} |
|||
{% if kube_network_plugin is defined and kube_network_plugin == 'cloud' %} |
|||
- --configure-cloud-routes=true |
|||
{% else %} |
|||
- --configure-cloud-routes=false |
|||
{% endif %} |
|||
{% if kube_network_plugin is defined and kube_network_plugin in ["cloud", "flannel", "canal", "cilium", "kube-router"] %} |
|||
- --allocate-node-cidrs=true |
|||
- --cluster-cidr={{ kube_pods_subnet }} |
|||
- --service-cluster-ip-range={{ kube_service_addresses }} |
|||
- --node-cidr-mask-size={{ kube_network_node_prefix }} |
|||
{% endif %} |
|||
{% if kube_feature_gates %} |
|||
- --feature-gates={{ kube_feature_gates|join(',') }} |
|||
{% endif %} |
|||
{% if controller_mgr_custom_flags is string %} |
|||
- {{ controller_mgr_custom_flags }} |
|||
{% else %} |
|||
{% for flag in controller_mgr_custom_flags %} |
|||
- {{ flag }} |
|||
{% endfor %} |
|||
{% endif %} |
|||
livenessProbe: |
|||
httpGet: |
|||
host: 127.0.0.1 |
|||
path: /healthz |
|||
port: 10252 |
|||
initialDelaySeconds: 30 |
|||
timeoutSeconds: 10 |
|||
volumeMounts: |
|||
- mountPath: /etc/ssl |
|||
name: ssl-certs-host |
|||
readOnly: true |
|||
{% for dir in ssl_ca_dirs %} |
|||
- mountPath: {{ dir }} |
|||
name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
readOnly: true |
|||
{% endfor %} |
|||
- mountPath: "{{kube_config_dir}}/ssl" |
|||
name: etc-kube-ssl |
|||
readOnly: true |
|||
- mountPath: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml" |
|||
name: kubeconfig |
|||
readOnly: true |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} |
|||
- mountPath: "{{ kube_config_dir }}/cloud_config" |
|||
name: cloudconfig |
|||
readOnly: true |
|||
{% endif %} |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %} |
|||
- mountPath: "{{ kube_config_dir }}/openstack-cacert.pem" |
|||
name: openstackcacert |
|||
readOnly: true |
|||
{% endif %} |
|||
volumes: |
|||
- name: ssl-certs-host |
|||
hostPath: |
|||
path: /etc/ssl |
|||
{% for dir in ssl_ca_dirs %} |
|||
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
hostPath: |
|||
path: {{ dir }} |
|||
{% endfor %} |
|||
- name: etc-kube-ssl |
|||
hostPath: |
|||
path: "{{ kube_config_dir }}/ssl" |
|||
- name: kubeconfig |
|||
hostPath: |
|||
path: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml" |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} |
|||
- hostPath: |
|||
path: "{{ kube_config_dir }}/cloud_config" |
|||
name: cloudconfig |
|||
{% endif %} |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %} |
|||
- hostPath: |
|||
path: "{{ kube_config_dir }}/openstack-cacert.pem" |
|||
name: openstackcacert |
|||
{% endif %} |
@ -1,82 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Pod |
|||
metadata: |
|||
name: kube-scheduler |
|||
namespace: kube-system |
|||
labels: |
|||
k8s-app: kube-scheduler |
|||
annotations: |
|||
kubespray.scheduler-cert/serial: "{{ scheduler_cert_serial }}" |
|||
spec: |
|||
hostNetwork: true |
|||
{% if kube_version is version('v1.6', '>=') %} |
|||
dnsPolicy: ClusterFirst |
|||
{% endif %} |
|||
{% if kube_version is version('v1.11.1', '>=') %} |
|||
priorityClassName: system-node-critical |
|||
{% endif %} |
|||
containers: |
|||
- name: kube-scheduler |
|||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
resources: |
|||
limits: |
|||
cpu: {{ kube_scheduler_cpu_limit }} |
|||
memory: {{ kube_scheduler_memory_limit }} |
|||
requests: |
|||
cpu: {{ kube_scheduler_cpu_requests }} |
|||
memory: {{ kube_scheduler_memory_requests }} |
|||
command: |
|||
- /hyperkube |
|||
- scheduler |
|||
- --leader-elect=true |
|||
- --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml |
|||
- --profiling={{ kube_profiling }} |
|||
- --v={{ kube_log_level }} |
|||
{% if kube_feature_gates %} |
|||
- --feature-gates={{ kube_feature_gates|join(',') }} |
|||
{% endif %} |
|||
{% if scheduler_custom_flags is string %} |
|||
- {{ scheduler_custom_flags }} |
|||
{% else %} |
|||
{% for flag in scheduler_custom_flags %} |
|||
- {{ flag }} |
|||
{% endfor %} |
|||
{% endif %} |
|||
livenessProbe: |
|||
httpGet: |
|||
host: 127.0.0.1 |
|||
path: /healthz |
|||
port: 10251 |
|||
initialDelaySeconds: 30 |
|||
timeoutSeconds: 10 |
|||
volumeMounts: |
|||
- mountPath: /etc/ssl |
|||
name: ssl-certs-host |
|||
readOnly: true |
|||
{% for dir in ssl_ca_dirs %} |
|||
- mountPath: {{ dir }} |
|||
name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
readOnly: true |
|||
{% endfor %} |
|||
- mountPath: "{{ kube_config_dir }}/ssl" |
|||
name: etc-kube-ssl |
|||
readOnly: true |
|||
- mountPath: "{{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml" |
|||
name: kubeconfig |
|||
readOnly: true |
|||
volumes: |
|||
- name: ssl-certs-host |
|||
hostPath: |
|||
path: /etc/ssl |
|||
{% for dir in ssl_ca_dirs %} |
|||
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} |
|||
hostPath: |
|||
path: {{ dir }} |
|||
{% endfor %} |
|||
- name: etc-kube-ssl |
|||
hostPath: |
|||
path: "{{ kube_config_dir }}/ssl" |
|||
- name: kubeconfig |
|||
hostPath: |
|||
path: "{{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml" |
@ -1,6 +0,0 @@ |
|||
--- |
|||
dependencies: |
|||
- role: kubernetes/secrets |
|||
when: not kubeadm_enabled |
|||
tags: |
|||
- k8s-secrets |
@ -1,9 +0,0 @@ |
|||
--- |
|||
- name: install | Install kubelet launch script |
|||
template: |
|||
src: kubelet-container.j2 |
|||
dest: "{{ bin_dir }}/kubelet" |
|||
owner: kube |
|||
mode: 0755 |
|||
backup: yes |
|||
notify: restart kubelet |
@ -1,30 +0,0 @@ |
|||
--- |
|||
|
|||
- name: install | Copy kubelet binary from download dir |
|||
synchronize: |
|||
src: "{{ local_release_dir }}/hyperkube" |
|||
dest: "{{ bin_dir }}/kubelet" |
|||
compress: no |
|||
perms: yes |
|||
owner: no |
|||
group: no |
|||
delegate_to: "{{ inventory_hostname }}" |
|||
tags: |
|||
- hyperkube |
|||
- upgrade |
|||
notify: restart kubelet |
|||
|
|||
- name: install | Set kubelet binary permissions |
|||
file: |
|||
path: "{{ bin_dir }}/kubelet" |
|||
mode: "0755" |
|||
state: file |
|||
tags: |
|||
- hyperkube |
|||
- upgrade |
|||
|
|||
- name: install | Copy socat wrapper for Container Linux |
|||
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}" |
|||
args: |
|||
creates: "{{ bin_dir }}/socat" |
|||
when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] |
@ -1,32 +0,0 @@ |
|||
--- |
|||
- name: Trust kubelet container |
|||
command: >- |
|||
/usr/bin/rkt trust |
|||
--skip-fingerprint-review |
|||
--root |
|||
{{ item }} |
|||
register: kubelet_rkt_trust_result |
|||
until: kubelet_rkt_trust_result.rc == 0 |
|||
with_items: |
|||
- "https://quay.io/aci-signing-key" |
|||
- "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" |
|||
retries: 4 |
|||
delay: "{{ retry_stagger | random + 3 }}" |
|||
changed_when: false |
|||
|
|||
- name: create kubelet working directory |
|||
file: |
|||
state: directory |
|||
path: /var/lib/kubelet |
|||
|
|||
- name: Create kubelet service systemd directory |
|||
file: |
|||
path: /etc/systemd/system/kubelet.service.d |
|||
state: directory |
|||
|
|||
- name: Write kubelet proxy drop-in |
|||
template: |
|||
src: http-proxy.conf.j2 |
|||
dest: /etc/systemd/system/kubelet.service.d/http-proxy.conf |
|||
when: http_proxy is defined or https_proxy is defined |
|||
notify: restart kubelet |
@ -1,18 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Config |
|||
clusters: |
|||
- name: local |
|||
cluster: |
|||
certificate-authority: {{ kube_cert_dir }}/ca.pem |
|||
server: {{ kube_apiserver_endpoint }} |
|||
users: |
|||
- name: kube-proxy |
|||
user: |
|||
client-certificate: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}.pem |
|||
client-key: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}-key.pem |
|||
contexts: |
|||
- context: |
|||
cluster: local |
|||
user: kube-proxy |
|||
name: kube-proxy-{{ cluster_name }} |
|||
current-context: kube-proxy-{{ cluster_name }} |
@ -1,43 +0,0 @@ |
|||
#!/bin/bash |
|||
{{ docker_bin_dir }}/docker run \ |
|||
--net=host \ |
|||
--pid=host \ |
|||
--privileged \ |
|||
--name=kubelet \ |
|||
--restart=on-failure:5 \ |
|||
--memory={{ kube_memory_reserved|regex_replace('Mi', 'M') }} \ |
|||
--cpu-shares={{ kube_cpu_reserved|regex_replace('m', '') }} \ |
|||
-v /dev:/dev:rw \ |
|||
-v /etc/cni:/etc/cni:ro \ |
|||
-v /opt/cni:/opt/cni:ro \ |
|||
-v /etc/ssl:/etc/ssl:ro \ |
|||
-v /etc/resolv.conf:/etc/resolv.conf \ |
|||
{% for dir in ssl_ca_dirs -%} |
|||
-v {{ dir }}:{{ dir }}:ro \ |
|||
{% endfor -%} |
|||
{% if kubelet_load_modules -%} |
|||
-v /lib/modules:/lib/modules:ro \ |
|||
{% endif -%} |
|||
-v /sys:/sys:ro \ |
|||
-v {{ docker_daemon_graph }}:{{ docker_daemon_graph }}:rw \ |
|||
-v /var/log:/var/log:rw \ |
|||
-v /var/lib/kubelet:/var/lib/kubelet:shared \ |
|||
-v /var/lib/calico:/var/lib/calico:shared \ |
|||
-v /var/lib/cni:/var/lib/cni:shared \ |
|||
-v /var/run:/var/run:rw \ |
|||
{# we can run into issues with double mounting /var/lib/kubelet #} |
|||
{# surely there's a better way to do this #} |
|||
{% if '/var/lib/kubelet' not in kubelet_flexvolumes_plugins_dir %} |
|||
-v {{ kubelet_flexvolumes_plugins_dir }}:{{ kubelet_flexvolumes_plugins_dir }}:rw \ |
|||
{% endif -%} |
|||
{% if local_volume_provisioner_enabled -%} |
|||
{% for class in local_volume_provisioner_storage_classes -%} |
|||
-v {{ class.host_dir }}:{{ class.host_dir }}:rw \ |
|||
-v {{ class.mount_dir }}:{{ class.mount_dir }}:rw \ |
|||
{% endfor -%} |
|||
{% endif %} |
|||
-v {{kube_config_dir}}:{{kube_config_dir}}:ro \ |
|||
-v /etc/os-release:/etc/os-release:ro \ |
|||
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag}} \ |
|||
./hyperkube kubelet \ |
|||
"$@" |
@ -1,31 +0,0 @@ |
|||
[Unit] |
|||
Description=Kubernetes Kubelet Server |
|||
Documentation=https://github.com/GoogleCloudPlatform/kubernetes |
|||
After=docker.service |
|||
Wants=docker.socket |
|||
|
|||
[Service] |
|||
User=root |
|||
EnvironmentFile={{kube_config_dir}}/kubelet.env |
|||
ExecStart={{ bin_dir }}/kubelet \ |
|||
$KUBE_LOGTOSTDERR \ |
|||
$KUBE_LOG_LEVEL \ |
|||
$KUBELET_API_SERVER \ |
|||
$KUBELET_ADDRESS \ |
|||
$KUBELET_PORT \ |
|||
$KUBELET_HOSTNAME \ |
|||
$KUBE_ALLOW_PRIV \ |
|||
$KUBELET_ARGS \ |
|||
$DOCKER_SOCKET \ |
|||
$KUBELET_NETWORK_PLUGIN \ |
|||
$KUBELET_VOLUME_PLUGIN \ |
|||
$KUBELET_CLOUDPROVIDER |
|||
Restart=always |
|||
RestartSec=10s |
|||
ExecStartPre=-{{ docker_bin_dir }}/docker rm -f kubelet |
|||
ExecStartPre=-/bin/mkdir -p {{ kubelet_flexvolumes_plugins_dir }} |
|||
ExecReload={{ docker_bin_dir }}/docker restart kubelet |
|||
|
|||
|
|||
[Install] |
|||
WantedBy=multi-user.target |
@ -1,120 +0,0 @@ |
|||
[Unit] |
|||
Description=Kubernetes Kubelet Server |
|||
Documentation=https://github.com/GoogleCloudPlatform/kubernetes |
|||
Wants=network.target |
|||
|
|||
[Service] |
|||
User=root |
|||
Restart=on-failure |
|||
RestartSec=10s |
|||
TimeoutStartSec=0 |
|||
LimitNOFILE=40000 |
|||
|
|||
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet.uuid |
|||
ExecStartPre=-/bin/mkdir -p /var/lib/kubelet |
|||
ExecStartPre=-/bin/mkdir -p {{ kubelet_flexvolumes_plugins_dir }} |
|||
|
|||
EnvironmentFile={{kube_config_dir}}/kubelet.env |
|||
# stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts |
|||
ExecStart=/usr/bin/rkt run \ |
|||
{% if kubelet_load_modules == true %} |
|||
--volume lib-modules,kind=host,source=/lib/modules \ |
|||
{% endif %} |
|||
--volume os-release,kind=host,source=/etc/os-release,readOnly=true \ |
|||
--volume hosts,kind=host,source=/etc/hosts,readOnly=true \ |
|||
--volume dns,kind=host,source=/etc/resolv.conf \ |
|||
--volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \ |
|||
--volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \ |
|||
--volume etcd-ssl,kind=host,source={{ etcd_config_dir }},readOnly=true \ |
|||
--volume run,kind=host,source=/run,readOnly=false \ |
|||
{% for dir in ssl_ca_dirs -%} |
|||
--volume {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},kind=host,source={{ dir }},readOnly=true \ |
|||
{% endfor -%} |
|||
--volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \ |
|||
--volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false,recursive=true \ |
|||
--volume var-log,kind=host,source=/var/log \ |
|||
{% if kube_network_plugin in ["calico", "weave", "canal", "flannel", "contiv", "cilium", "kube-router"] %} |
|||
--volume etc-cni,kind=host,source=/etc/cni,readOnly=true \ |
|||
--volume opt-cni,kind=host,source=/opt/cni,readOnly=true \ |
|||
--volume var-lib-cni,kind=host,source=/var/lib/cni,readOnly=false \ |
|||
{% endif %} |
|||
{% if kube_network_plugin in ["calico", "canal"] %} |
|||
--volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=false \ |
|||
{% endif %} |
|||
{# we can run into issues with double mounting /var/lib/kubelet #} |
|||
{# surely there's a better way to do this #} |
|||
{% if '/var/lib/kubelet' not in kubelet_flexvolumes_plugins_dir %} |
|||
--volume flexvolumes,kind=host,source={{ kubelet_flexvolumes_plugins_dir }},readOnly=false \ |
|||
{% endif -%} |
|||
{% if local_volume_provisioner_enabled %} |
|||
{% for class in local_volume_provisioner_storage_classes %} |
|||
--volume local-volume-provisioner-base-dir,kind=host,source={{ class.host_dir }},readOnly=false \ |
|||
{# Not pretty, but needed to avoid double mount #} |
|||
{% if class.host_dir not in class.mount_dir and class.mount_dir not in class.host_dir %} |
|||
--volume local-volume-provisioner-mount-dir,kind=host,source={{ class.mount_dir }},readOnly=false \ |
|||
{% endif %} |
|||
{% endfor %} |
|||
{% endif %} |
|||
{% if kubelet_load_modules == true %} |
|||
--mount volume=lib-modules,target=/lib/modules \ |
|||
{% endif %} |
|||
--mount volume=etc-cni,target=/etc/cni \ |
|||
--mount volume=opt-cni,target=/opt/cni \ |
|||
--mount volume=var-lib-cni,target=/var/lib/cni \ |
|||
{% if kube_network_plugin in ["calico", "canal"] %} |
|||
--mount volume=var-lib-calico,target=/var/lib/calico \ |
|||
{% endif %} |
|||
--mount volume=os-release,target=/etc/os-release \ |
|||
--mount volume=dns,target=/etc/resolv.conf \ |
|||
--mount volume=etc-kubernetes,target={{ kube_config_dir }} \ |
|||
--mount volume=etc-ssl-certs,target=/etc/ssl/certs \ |
|||
--mount volume=etcd-ssl,target={{ etcd_config_dir }} \ |
|||
--mount volume=run,target=/run \ |
|||
{% for dir in ssl_ca_dirs -%} |
|||
--mount volume={{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},target={{ dir }} \ |
|||
{% endfor -%} |
|||
--mount volume=var-lib-docker,target=/var/lib/docker \ |
|||
--mount volume=var-lib-kubelet,target=/var/lib/kubelet \ |
|||
--mount volume=var-log,target=/var/log \ |
|||
--mount volume=hosts,target=/etc/hosts \ |
|||
{# we can run into issues with double mounting /var/lib/kubelet #} |
|||
{# surely there's a better way to do this #} |
|||
{% if '/var/lib/kubelet' not in kubelet_flexvolumes_plugins_dir %} |
|||
--mount volume=flexvolumes,target={{ kubelet_flexvolumes_plugins_dir }} \ |
|||
{% endif -%} |
|||
{% if local_volume_provisioner_enabled %} |
|||
{% for class in local_volume_provisioner_storage_classes %} |
|||
--mount volume=local-volume-provisioner-base-dir,target={{ class.host_dir }} \ |
|||
{# Not pretty, but needed to avoid double mount #} |
|||
{% if class.host_dir not in class.mount_dir and class.mount_dir not in class.host_dir %} |
|||
--mount volume=local-volume-provisioner-mount-dir,target={{ class.mount_dir }} \ |
|||
{% endif %} |
|||
{% endfor %} |
|||
{% endif %} |
|||
--stage1-from-dir=stage1-fly.aci \ |
|||
{% if kube_hyperkube_image_repo == "docker" %} |
|||
--insecure-options=image \ |
|||
docker://{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \ |
|||
{% else %} |
|||
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \ |
|||
{% endif %} |
|||
--uuid-file-save=/var/run/kubelet.uuid \ |
|||
--debug --exec=/kubelet -- \ |
|||
$KUBE_LOGTOSTDERR \ |
|||
$KUBE_LOG_LEVEL \ |
|||
$KUBELET_API_SERVER \ |
|||
$KUBELET_ADDRESS \ |
|||
$KUBELET_PORT \ |
|||
$KUBELET_HOSTNAME \ |
|||
$KUBE_ALLOW_PRIV \ |
|||
$KUBELET_ARGS \ |
|||
$DOCKER_SOCKET \ |
|||
$KUBELET_REGISTER_NODE \ |
|||
$KUBELET_NETWORK_PLUGIN \ |
|||
$KUBELET_VOLUME_PLUGIN \ |
|||
$KUBELET_CLOUDPROVIDER |
|||
|
|||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet.uuid |
|||
|
|||
[Install] |
|||
WantedBy=multi-user.target |
@ -1,151 +0,0 @@ |
|||
# logging to stderr means we get it in the systemd journal |
|||
KUBE_LOGTOSTDERR="--logtostderr=true" |
|||
KUBE_LOG_LEVEL="--v={{ kube_log_level }}" |
|||
# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces) |
|||
KUBELET_ADDRESS="--address={{ kubelet_bind_address }} --node-ip={{ kubelet_address }}" |
|||
# The port for the info server to serve on |
|||
# KUBELET_PORT="--port=10250" |
|||
{% if kube_override_hostname|default('') %} |
|||
# You may leave this blank to use the actual hostname |
|||
KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}" |
|||
{% endif %} |
|||
{# Base kubelet args #} |
|||
{% set kubelet_args_base %} |
|||
--pod-manifest-path={{ kube_manifest_dir }} \ |
|||
{% if kube_version is version('v1.12.0', '<') %} |
|||
--cadvisor-port={{ kube_cadvisor_port }} \ |
|||
{% endif %} |
|||
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \ |
|||
--node-status-update-frequency={{ kubelet_status_update_frequency }} \ |
|||
{% if container_manager == 'docker' and kube_version is version('v1.12.0', '<') %} |
|||
--docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \ |
|||
{% endif %} |
|||
--client-ca-file={{ kube_cert_dir }}/ca.pem \ |
|||
--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \ |
|||
--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \ |
|||
--anonymous-auth=false \ |
|||
--read-only-port={{ kube_read_only_port }} \ |
|||
{% if kube_version is version('v1.6', '>=') %} |
|||
{# flag got removed with 1.7.0 #} |
|||
{% if kube_version is version('v1.7', '<') %} |
|||
--enable-cri={{ kubelet_enable_cri }} \ |
|||
{% endif %} |
|||
{% if container_manager == 'crio' %} |
|||
--container-runtime=remote \ |
|||
--container-runtime-endpoint=/var/run/crio/crio.sock \ |
|||
{% endif %} |
|||
--cgroup-driver={{ kubelet_cgroup_driver|default(kubelet_cgroup_driver_detected) }} \ |
|||
--cgroups-per-qos={{ kubelet_cgroups_per_qos }} \ |
|||
--max-pods={{ kubelet_max_pods }} \ |
|||
{% if kube_version is version('v1.8', '<') %} |
|||
--experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \ |
|||
{% else %} |
|||
--fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \ |
|||
{% endif %} |
|||
{% if kubelet_authentication_token_webhook %} |
|||
--authentication-token-webhook \ |
|||
{% endif %} |
|||
{% if kubelet_authorization_mode_webhook %} |
|||
--authorization-mode=Webhook \ |
|||
{% endif %} |
|||
{% if ansible_architecture == "aarch64" and ansible_os_family == "RedHat" %} |
|||
--cgroup-driver=systemd \ |
|||
{% endif %} |
|||
--enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} {% endif %}{% endset %} |
|||
|
|||
{# DNS settings for kubelet #} |
|||
{% if dns_mode in ['kubedns', 'coredns'] %} |
|||
{% set kubelet_args_cluster_dns %}--cluster-dns={{ skydns_server }}{% endset %} |
|||
{% elif dns_mode == 'coredns_dual' %} |
|||
{% set kubelet_args_cluster_dns %}--cluster-dns={{ skydns_server }},{{ skydns_server_secondary }}{% endset %} |
|||
{% elif dns_mode == 'dnsmasq_kubedns' %} |
|||
{% set kubelet_args_cluster_dns %}--cluster-dns={{ dnsmasq_dns_server }}{% endset %} |
|||
{% elif dns_mode == 'manual' %} |
|||
{% set kubelet_args_cluster_dns %}--cluster-dns={{ manual_dns_server }}{% endset %} |
|||
{% else %} |
|||
{% set kubelet_args_cluster_dns %}{% endset %} |
|||
{% endif %} |
|||
{% set kubelet_args_dns %}{{ kubelet_args_cluster_dns }} --cluster-domain={{ dns_domain }} --resolv-conf={{ kube_resolv_conf }}{% endset %} |
|||
|
|||
{# Location of the apiserver #} |
|||
{% if kube_version is version('v1.8', '<') %} |
|||
{% set kubelet_args_kubeconfig %}--kubeconfig={{ kube_config_dir}}/node-kubeconfig.yaml --require-kubeconfig{% endset %} |
|||
{% else %} |
|||
{% set kubelet_args_kubeconfig %}--kubeconfig={{ kube_config_dir}}/node-kubeconfig.yaml{% endset %} |
|||
{% endif %} |
|||
|
|||
{% set role_node_taints = [] %} |
|||
{% if standalone_kubelet|bool %} |
|||
{# We are on a master-only host. Make the master unschedulable in this case. #} |
|||
{% if kube_version is version('v1.6', '>=') %} |
|||
{# Set taints on the master so that it's unschedulable by default. Use node-role.kubernetes.io/master taint like kubeadm. #} |
|||
{% set dummy = role_node_taints.append('node-role.kubernetes.io/master=:NoSchedule') %} |
|||
{% else %} |
|||
{# --register-with-taints was added in 1.6 so just register unschedulable if Kubernetes < 1.6 #} |
|||
{% set kubelet_args_kubeconfig %}{{ kubelet_args_kubeconfig }} --register-schedulable=false{% endset %} |
|||
{% endif %} |
|||
{% endif %} |
|||
{% set all_node_taints = node_taints|default([]) + role_node_taints %} |
|||
|
|||
{# Node reserved CPU/memory #} |
|||
{% if is_kube_master|bool %} |
|||
{% set kube_reserved %}--kube-reserved cpu={{ kube_master_cpu_reserved }},memory={{ kube_master_memory_reserved|regex_replace('Mi', 'M') }}{% endset %} |
|||
{% else %} |
|||
{% set kube_reserved %}--kube-reserved cpu={{ kube_cpu_reserved }},memory={{ kube_memory_reserved|regex_replace('Mi', 'M') }}{% endset %} |
|||
{% endif %} |
|||
|
|||
{# Kubelet node labels #} |
|||
{% set role_node_labels = [] %} |
|||
{% if inventory_hostname in groups['kube-master'] %} |
|||
{% set dummy = role_node_labels.append("node-role.kubernetes.io/master=''") %} |
|||
{% if not standalone_kubelet|bool %} |
|||
{% set dummy = role_node_labels.append("node-role.kubernetes.io/node=''") %} |
|||
{% endif %} |
|||
{% else %} |
|||
{% set dummy = role_node_labels.append("node-role.kubernetes.io/node=''") %} |
|||
{% endif %} |
|||
{% if nvidia_gpu_nodes is defined and nvidia_accelerator_enabled|bool %} |
|||
{% if inventory_hostname in nvidia_gpu_nodes %} |
|||
{% set dummy = role_node_labels.append('nvidia.com/gpu=true') %} |
|||
{% endif %} |
|||
{% endif %} |
|||
{% set inventory_node_labels = [] %} |
|||
{% if node_labels is defined and node_labels is mapping %} |
|||
{% for labelname, labelvalue in node_labels.items() %} |
|||
{% set dummy = inventory_node_labels.append('%s=%s'|format(labelname, labelvalue)) %} |
|||
{% endfor %} |
|||
{% endif %} |
|||
{% set all_node_labels = role_node_labels + inventory_node_labels %} |
|||
|
|||
{# Kubelet node taints for gpu #} |
|||
{% if nvidia_gpu_nodes is defined and nvidia_accelerator_enabled|bool %} |
|||
{% if inventory_hostname in nvidia_gpu_nodes %} |
|||
{% set kubelet_args_kubeconfig %}{{ kubelet_args_kubeconfig }} --register-with-taints=nvidia.com/gpu=:NoSchedule{% endset %} |
|||
{% endif %} |
|||
{% endif %} |
|||
|
|||
KUBELET_ARGS="{{ kubelet_args_base }} {{ kubelet_args_dns }} {{ kubelet_args_kubeconfig }} {{ kube_reserved }} {% if all_node_taints %}--register-with-taints={{ all_node_taints | join(',') }} {% endif %}--node-labels={{ all_node_labels | join(',') }} {% if kube_feature_gates %} --feature-gates={{ kube_feature_gates|join(',') }} {% endif %} {% if kubelet_custom_flags is string %} {{kubelet_custom_flags}} {% else %}{% for flag in kubelet_custom_flags %} {{flag}} {% endfor %}{% endif %}{% if inventory_hostname in groups['kube-node'] %}{% if kubelet_node_custom_flags is string %} {{kubelet_node_custom_flags}} {% else %}{% for flag in kubelet_node_custom_flags %} {{flag}} {% endfor %}{% endif %}{% endif %}" |
|||
|
|||
{% if kube_network_plugin is defined and kube_network_plugin in ["calico", "canal", "flannel", "weave", "contiv", "cilium", "kube-router"] %} |
|||
KUBELET_NETWORK_PLUGIN="--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin" |
|||
{% elif kube_network_plugin is defined and kube_network_plugin == "weave" %} |
|||
DOCKER_SOCKET="--docker-endpoint=unix:/var/run/weave/weave.sock" |
|||
{% elif kube_network_plugin is defined and kube_network_plugin == "cloud" %} |
|||
KUBELET_NETWORK_PLUGIN="--hairpin-mode=promiscuous-bridge --network-plugin=kubenet" |
|||
{% endif %} |
|||
|
|||
KUBELET_VOLUME_PLUGIN="--volume-plugin-dir={{ kubelet_flexvolumes_plugins_dir }}" |
|||
|
|||
# Should this cluster be allowed to run privileged docker containers |
|||
KUBE_ALLOW_PRIV="--allow-privileged=true" |
|||
{% if cloud_provider is defined and cloud_provider in ["openstack", "vsphere", "aws"] %} |
|||
KUBELET_CLOUDPROVIDER="--cloud-provider={{ cloud_provider }} --cloud-config={{ kube_config_dir }}/cloud_config" |
|||
{% elif cloud_provider is defined and cloud_provider in ["azure"] %} |
|||
KUBELET_CLOUDPROVIDER="--cloud-provider={{ cloud_provider }} --cloud-config={{ kube_config_dir }}/cloud_config --azure-container-registry-config={{ kube_config_dir }}/cloud_config" |
|||
{% elif cloud_provider is defined and cloud_provider in ["oci", "external"] %} |
|||
KUBELET_CLOUDPROVIDER="--cloud-provider=external" |
|||
{% else %} |
|||
KUBELET_CLOUDPROVIDER="" |
|||
{% endif %} |
|||
|
|||
PATH={{ bin_dir }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
@ -1,110 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Pod |
|||
metadata: |
|||
name: kube-proxy |
|||
namespace: kube-system |
|||
labels: |
|||
k8s-app: kube-proxy |
|||
annotations: |
|||
kubespray.kube-proxy-cert/serial: "{{ kube_proxy_cert_serial }}" |
|||
spec: |
|||
hostNetwork: true |
|||
{% if kube_version is version('v1.6', '>=') %} |
|||
dnsPolicy: ClusterFirst |
|||
{% endif %} |
|||
nodeSelector: |
|||
beta.kubernetes.io/os: linux |
|||
{% if kube_version is version('v1.11.1', '>=') %} |
|||
priorityClassName: system-node-critical |
|||
{% endif %} |
|||
containers: |
|||
- name: kube-proxy |
|||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
resources: |
|||
limits: |
|||
cpu: {{ kube_proxy_cpu_limit }} |
|||
memory: {{ kube_proxy_memory_limit }} |
|||
requests: |
|||
cpu: {{ kube_proxy_cpu_requests }} |
|||
memory: {{ kube_proxy_memory_requests }} |
|||
livenessProbe: |
|||
httpGet: |
|||
host: 127.0.0.1 |
|||
path: /healthz |
|||
port: 10256 |
|||
failureThreshold: 8 |
|||
initialDelaySeconds: 15 |
|||
periodSeconds: 10 |
|||
successThreshold: 1 |
|||
timeoutSeconds: 15 |
|||
command: |
|||
- /hyperkube |
|||
- proxy |
|||
- --v={{ kube_log_level }} |
|||
- --kubeconfig={{kube_config_dir}}/kube-proxy-kubeconfig.yaml |
|||
- --bind-address={{ ip | default(ansible_default_ipv4.address) }} |
|||
- --cluster-cidr={{ kube_pods_subnet }} |
|||
- --proxy-mode={{ kube_proxy_mode }} |
|||
- --oom-score-adj=-998 |
|||
- --healthz-bind-address={{ kube_proxy_healthz_bind_address }} |
|||
- --resource-container="" |
|||
{% if kube_proxy_nodeport_addresses %} |
|||
- --nodeport-addresses={{ kube_proxy_nodeport_addresses_cidr }} |
|||
{% endif %} |
|||
{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %} |
|||
- --masquerade-all |
|||
{% elif kube_proxy_mode == 'ipvs' %} |
|||
- --masquerade-all |
|||
{% if kube_version is version('v1.10', '<') %} |
|||
- --feature-gates=SupportIPVSProxyMode=true |
|||
{% endif %} |
|||
- --ipvs-min-sync-period=5s |
|||
- --ipvs-sync-period=5s |
|||
- --ipvs-scheduler=rr |
|||
{% endif %} |
|||
securityContext: |
|||
privileged: true |
|||
volumeMounts: |
|||
- mountPath: /etc/ssl/certs |
|||
name: ssl-certs-host |
|||
readOnly: true |
|||
- mountPath: "{{ kube_config_dir }}/ssl" |
|||
name: etc-kube-ssl |
|||
readOnly: true |
|||
- mountPath: "{{ kube_config_dir }}/kube-proxy-kubeconfig.yaml" |
|||
name: kubeconfig |
|||
readOnly: true |
|||
- mountPath: /var/run/dbus |
|||
name: var-run-dbus |
|||
readOnly: false |
|||
- mountPath: /lib/modules |
|||
name: lib-modules |
|||
readOnly: true |
|||
- mountPath: /run/xtables.lock |
|||
name: xtables-lock |
|||
readOnly: false |
|||
volumes: |
|||
- name: ssl-certs-host |
|||
hostPath: |
|||
{% if ansible_os_family == 'RedHat' %} |
|||
path: /etc/pki/tls |
|||
{% else %} |
|||
path: /usr/share/ca-certificates |
|||
{% endif %} |
|||
- name: etc-kube-ssl |
|||
hostPath: |
|||
path: "{{ kube_config_dir }}/ssl" |
|||
- name: kubeconfig |
|||
hostPath: |
|||
path: "{{ kube_config_dir }}/kube-proxy-kubeconfig.yaml" |
|||
- name: var-run-dbus |
|||
hostPath: |
|||
path: /var/run/dbus |
|||
- hostPath: |
|||
path: /lib/modules |
|||
name: lib-modules |
|||
- hostPath: |
|||
path: /run/xtables.lock |
|||
type: FileOrCreate |
|||
name: xtables-lock |
@ -1,2 +0,0 @@ |
|||
--- |
|||
kube_cert_group: kube-cert |
@ -1,15 +0,0 @@ |
|||
--- |
|||
- name: set secret_changed |
|||
command: /bin/true |
|||
notify: |
|||
- set secret_changed to true |
|||
- clear kubeconfig for root user |
|||
|
|||
- name: set secret_changed to true |
|||
set_fact: |
|||
secret_changed: true |
|||
|
|||
- name: clear kubeconfig for root user |
|||
file: |
|||
path: /root/.kube/config |
|||
state: absent |
@ -1 +0,0 @@ |
|||
--- |
@ -1,82 +0,0 @@ |
|||
--- |
|||
- name: "Check_certs | check if the certs have already been generated on first master" |
|||
find: |
|||
paths: "{{ kube_cert_dir }}" |
|||
patterns: "*.pem" |
|||
get_checksum: true |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
register: kubecert_master |
|||
run_once: true |
|||
|
|||
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false" |
|||
set_fact: |
|||
sync_certs: false |
|||
gen_certs: false |
|||
secret_changed: false |
|||
|
|||
- name: "Check_certs | Set 'gen_certs' to true" |
|||
set_fact: |
|||
gen_certs: true |
|||
when: "not item in kubecert_master.files|map(attribute='path') | list" |
|||
run_once: true |
|||
with_items: >- |
|||
['{{ kube_cert_dir }}/ca.pem', |
|||
'{{ kube_cert_dir }}/apiserver.pem', |
|||
'{{ kube_cert_dir }}/apiserver-key.pem', |
|||
'{{ kube_cert_dir }}/kube-scheduler.pem', |
|||
'{{ kube_cert_dir }}/kube-scheduler-key.pem', |
|||
'{{ kube_cert_dir }}/kube-controller-manager.pem', |
|||
'{{ kube_cert_dir }}/kube-controller-manager-key.pem', |
|||
'{{ kube_cert_dir }}/front-proxy-ca.pem', |
|||
'{{ kube_cert_dir }}/front-proxy-ca-key.pem', |
|||
'{{ kube_cert_dir }}/front-proxy-client.pem', |
|||
'{{ kube_cert_dir }}/front-proxy-client-key.pem', |
|||
'{{ kube_cert_dir }}/service-account-key.pem', |
|||
{% for host in groups['kube-master'] %} |
|||
'{{ kube_cert_dir }}/admin-{{ host }}.pem', |
|||
'{{ kube_cert_dir }}/admin-{{ host }}-key.pem' |
|||
{% if not loop.last %}{{','}}{% endif %} |
|||
{% endfor %}, |
|||
{% for host in groups['k8s-cluster'] %} |
|||
'{{ kube_cert_dir }}/node-{{ host }}.pem', |
|||
'{{ kube_cert_dir }}/node-{{ host }}-key.pem', |
|||
'{{ kube_cert_dir }}/kube-proxy-{{ host }}.pem', |
|||
'{{ kube_cert_dir }}/kube-proxy-{{ host }}-key.pem' |
|||
{% if not loop.last %}{{','}}{% endif %} |
|||
{% endfor %}] |
|||
|
|||
- name: "Check_certs | Set 'gen_master_certs' to true" |
|||
set_fact: |
|||
gen_master_certs: |- |
|||
{%- set gen = False -%} |
|||
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %} |
|||
{% for cert in ['apiserver.pem', 'apiserver-key.pem', |
|||
'kube-scheduler.pem','kube-scheduler-key.pem', |
|||
'kube-controller-manager.pem','kube-controller-manager-key.pem', |
|||
'front-proxy-ca.pem','front-proxy-ca-key.pem', |
|||
'front-proxy-client.pem','front-proxy-client-key.pem', |
|||
'service-account-key.pem'] -%} |
|||
{% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %} |
|||
{% if not cert_file in existing_certs -%} |
|||
{%- set gen = True -%} |
|||
{% endif -%} |
|||
{% endfor %} |
|||
{{ gen }} |
|||
run_once: true |
|||
|
|||
- name: "Check_certs | Set 'gen_node_certs' to true" |
|||
set_fact: |
|||
gen_node_certs: |- |
|||
{ |
|||
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %} |
|||
{% for host in groups['k8s-cluster'] -%} |
|||
{% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %} |
|||
{% set kube_proxy_cert = "%s/kube-proxy-%s-key.pem"|format(kube_cert_dir, host) %} |
|||
{% if host_cert in existing_certs and kube_proxy_cert in existing_certs -%} |
|||
"{{ host }}": False, |
|||
{% else -%} |
|||
"{{ host }}": True, |
|||
{% endif -%} |
|||
{% endfor %} |
|||
} |
|||
run_once: true |
@ -1,227 +0,0 @@ |
|||
--- |
|||
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})" |
|||
file: |
|||
path: "{{ kube_config_dir }}" |
|||
state: directory |
|||
owner: kube |
|||
run_once: yes |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: gen_certs|default(false) |
|||
tags: |
|||
- kubelet |
|||
- k8s-secrets |
|||
- kube-controller-manager |
|||
- kube-apiserver |
|||
- apps |
|||
- network |
|||
- master |
|||
- node |
|||
|
|||
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" |
|||
file: |
|||
path: "{{ kube_script_dir }}" |
|||
state: directory |
|||
owner: kube |
|||
run_once: yes |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: gen_certs|default(false) |
|||
tags: |
|||
- k8s-secrets |
|||
|
|||
- name: Gen_certs | write masters openssl config |
|||
template: |
|||
src: "openssl-master.conf.j2" |
|||
dest: "{{ kube_config_dir }}/openssl-master.conf" |
|||
run_once: yes |
|||
delegate_to: "{{ groups['kube-master']|first }}" |
|||
when: gen_certs|default(false) |
|||
|
|||
- name: Gen_certs | write nodes openssl config |
|||
template: |
|||
src: "openssl-node.conf.j2" |
|||
dest: "{{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf" |
|||
delegate_to: "{{ groups['kube-master']|first }}" |
|||
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster'] |
|||
|
|||
- name: Gen_certs | copy certs generation script |
|||
template: |
|||
src: "make-ssl.sh.j2" |
|||
dest: "{{ kube_script_dir }}/make-ssl.sh" |
|||
mode: 0700 |
|||
run_once: yes |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: gen_certs|default(false) |
|||
|
|||
- name: Gen_certs | run master cert generation script |
|||
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl-master.conf -d {{ kube_cert_dir }}" |
|||
environment: |
|||
- MASTERS: "{% for m in groups['kube-master'] %} |
|||
{% if gen_master_certs|default(false) %} |
|||
{{ m }} |
|||
{% endif %} |
|||
{% endfor %}" |
|||
delegate_to: "{{ groups['kube-master']|first }}" |
|||
run_once: true |
|||
when: gen_certs|default(false) |
|||
notify: set secret_changed |
|||
|
|||
- name: Gen_certs | run nodes cert generation script |
|||
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf -d {{ kube_cert_dir }}" |
|||
environment: |
|||
- HOSTS: "{{ inventory_hostname }}" |
|||
delegate_to: "{{ groups['kube-master']|first }}" |
|||
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster'] |
|||
notify: set secret_changed |
|||
|
|||
- set_fact: |
|||
all_master_certs: "['ca-key.pem', |
|||
'apiserver.pem', |
|||
'apiserver-key.pem', |
|||
'kube-scheduler.pem', |
|||
'kube-scheduler-key.pem', |
|||
'kube-controller-manager.pem', |
|||
'kube-controller-manager-key.pem', |
|||
'front-proxy-ca.pem', |
|||
'front-proxy-ca-key.pem', |
|||
'front-proxy-client.pem', |
|||
'front-proxy-client-key.pem', |
|||
'service-account-key.pem', |
|||
{% for node in groups['kube-master'] %} |
|||
'admin-{{ node }}.pem', |
|||
'admin-{{ node }}-key.pem', |
|||
{% endfor %}]" |
|||
my_master_certs: ['ca-key.pem', |
|||
'admin-{{ inventory_hostname }}.pem', |
|||
'admin-{{ inventory_hostname }}-key.pem', |
|||
'apiserver.pem', |
|||
'apiserver-key.pem', |
|||
'front-proxy-ca.pem', |
|||
'front-proxy-ca-key.pem', |
|||
'front-proxy-client.pem', |
|||
'front-proxy-client-key.pem', |
|||
'service-account-key.pem', |
|||
'kube-scheduler.pem', |
|||
'kube-scheduler-key.pem', |
|||
'kube-controller-manager.pem', |
|||
'kube-controller-manager-key.pem'] |
|||
all_node_certs: "['ca.pem', |
|||
{% for node in groups['k8s-cluster'] %} |
|||
'node-{{ node }}.pem', |
|||
'node-{{ node }}-key.pem', |
|||
'kube-proxy-{{ node }}.pem', |
|||
'kube-proxy-{{ node }}-key.pem', |
|||
{% endfor %}]" |
|||
my_node_certs: ['ca.pem', |
|||
'node-{{ inventory_hostname }}.pem', |
|||
'node-{{ inventory_hostname }}-key.pem', |
|||
'kube-proxy-{{ inventory_hostname }}.pem', |
|||
'kube-proxy-{{ inventory_hostname }}-key.pem'] |
|||
tags: |
|||
- facts |
|||
|
|||
- name: "Check certs | check if a cert already exists on node" |
|||
find: |
|||
paths: "{{ kube_cert_dir }}" |
|||
patterns: "*.pem" |
|||
get_checksum: true |
|||
register: kubecert_node |
|||
when: inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: "Check_certs | Set 'sync_certs' to true on masters" |
|||
set_fact: |
|||
sync_certs: true |
|||
when: inventory_hostname in groups['kube-master'] and |
|||
inventory_hostname != groups['kube-master'][0] and |
|||
(not item in kubecert_node.files | map(attribute='path') | map("basename") | list or |
|||
kubecert_node.files | selectattr("path", "equalto", '%s/%s'|format(kube_cert_dir, item)) | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", '%s/%s'|format(kube_cert_dir, item)) | map(attribute="checksum")|first|default('')) |
|||
with_items: |
|||
- "{{ my_master_certs + all_node_certs }}" |
|||
|
|||
- name: "Check_certs | Set 'sync_certs' to true on nodes" |
|||
set_fact: |
|||
sync_certs: true |
|||
when: inventory_hostname in groups['kube-node'] and |
|||
inventory_hostname != groups['kube-master'][0] and |
|||
(not item in kubecert_node.files | map(attribute='path') | map("basename") | list or |
|||
kubecert_node.files | selectattr("path", "equalto", '%s/%s'|format(kube_cert_dir, item)) | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", '%s/%s'|format(kube_cert_dir, item)) | map(attribute="checksum")|first|default('')) |
|||
with_items: |
|||
- "{{ my_node_certs }}" |
|||
|
|||
- name: Gen_certs | Gather master certs |
|||
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0" |
|||
args: |
|||
executable: /bin/bash |
|||
no_log: true |
|||
register: master_cert_data |
|||
check_mode: no |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_certs | Gather node certs |
|||
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_node_certs|join(' ') }} | base64 --wrap=0" |
|||
args: |
|||
executable: /bin/bash |
|||
no_log: true |
|||
register: node_cert_data |
|||
check_mode: no |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: inventory_hostname in groups['kube-node'] and |
|||
sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
|
|||
# NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k |
|||
# char limit when using shell command |
|||
|
|||
# FIXME(mattymo): Use tempfile module in ansible 2.3 |
|||
- name: Gen_certs | Prepare tempfile for unpacking certs on masters |
|||
command: mktemp /tmp/certsXXXXX.tar.gz |
|||
register: cert_tempfile |
|||
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_certs | Write master certs to tempfile |
|||
copy: |
|||
content: "{{master_cert_data.stdout}}" |
|||
dest: "{{cert_tempfile.stdout}}" |
|||
owner: root |
|||
mode: "0600" |
|||
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_certs | Unpack certs on masters |
|||
shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ kube_cert_dir }}" |
|||
no_log: true |
|||
changed_when: false |
|||
check_mode: no |
|||
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
notify: set secret_changed |
|||
|
|||
- name: Gen_certs | Cleanup tempfile on masters |
|||
file: |
|||
path: "{{cert_tempfile.stdout}}" |
|||
state: absent |
|||
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_certs | Copy certs on nodes |
|||
shell: "base64 -d <<< '{{node_cert_data.stdout|quote}}' | tar xz -C {{ kube_cert_dir }}" |
|||
args: |
|||
executable: /bin/bash |
|||
no_log: true |
|||
changed_when: false |
|||
check_mode: no |
|||
when: inventory_hostname in groups['kube-node'] and |
|||
sync_certs|default(false) and |
|||
inventory_hostname != groups['kube-master'][0] |
|||
notify: set secret_changed |
|||
|
|||
- name: Gen_certs | check certificate permissions |
|||
file: |
|||
path: "{{ kube_cert_dir }}" |
|||
group: "{{ kube_cert_group }}" |
|||
state: directory |
|||
owner: kube |
|||
mode: "u=rwX,g-rwx,o-rwx" |
|||
recurse: yes |
@ -1,109 +0,0 @@ |
|||
--- |
|||
- import_tasks: check-certs.yml |
|||
tags: |
|||
- k8s-secrets |
|||
- k8s-gen-certs |
|||
- facts |
|||
|
|||
- name: Make sure the certificate directory exits |
|||
file: |
|||
path: "{{ kube_cert_dir }}" |
|||
state: directory |
|||
mode: o-rwx |
|||
group: "{{ kube_cert_group }}" |
|||
|
|||
# |
|||
# The following directory creates make sure that the directories |
|||
# exist on the first master for cases where the first master isn't |
|||
# being run. |
|||
# |
|||
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})" |
|||
file: |
|||
path: "{{ kube_config_dir }}" |
|||
state: directory |
|||
owner: kube |
|||
run_once: yes |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: gen_certs|default(false) |
|||
tags: |
|||
- kubelet |
|||
- k8s-secrets |
|||
- kube-controller-manager |
|||
- kube-apiserver |
|||
- apps |
|||
- network |
|||
- master |
|||
- node |
|||
|
|||
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" |
|||
file: |
|||
path: "{{ kube_script_dir }}" |
|||
state: directory |
|||
owner: kube |
|||
run_once: yes |
|||
delegate_to: "{{groups['kube-master'][0]}}" |
|||
when: gen_certs|default(false) |
|||
tags: |
|||
- k8s-secrets |
|||
|
|||
- include_tasks: "gen_certs_script.yml" |
|||
when: |
|||
- cert_management |d('script') == 'script' |
|||
tags: |
|||
- k8s-secrets |
|||
- k8s-gen-certs |
|||
|
|||
- import_tasks: upd_ca_trust.yml |
|||
tags: |
|||
- k8s-secrets |
|||
- k8s-gen-certs |
|||
|
|||
- name: "Gen_certs | Get certificate serials on kube masters" |
|||
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" |
|||
register: "master_certificate_serials" |
|||
changed_when: false |
|||
with_items: |
|||
- "admin-{{ inventory_hostname }}.pem" |
|||
- "apiserver.pem" |
|||
- "kube-controller-manager.pem" |
|||
- "kube-scheduler.pem" |
|||
when: inventory_hostname in groups['kube-master'] |
|||
tags: |
|||
- master |
|||
- kubelet |
|||
- node |
|||
|
|||
- name: "Gen_certs | set kube master certificate serial facts" |
|||
set_fact: |
|||
etcd_admin_cert_serial: "{{ master_certificate_serials.results[0].stdout|default() }}" |
|||
apiserver_cert_serial: "{{ master_certificate_serials.results[1].stdout|default() }}" |
|||
controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}" |
|||
scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}" |
|||
when: inventory_hostname in groups['kube-master'] |
|||
tags: |
|||
- master |
|||
- kubelet |
|||
- node |
|||
|
|||
- name: "Gen_certs | Get certificate serials on kube nodes" |
|||
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" |
|||
register: "node_certificate_serials" |
|||
changed_when: false |
|||
with_items: |
|||
- "node-{{ inventory_hostname }}.pem" |
|||
- "kube-proxy-{{ inventory_hostname }}.pem" |
|||
when: |
|||
- inventory_hostname in groups['k8s-cluster'] |
|||
tags: |
|||
- node |
|||
- kube-proxy |
|||
|
|||
- name: "Gen_certs | set kube node certificate serial facts" |
|||
set_fact: |
|||
kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}" |
|||
kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}" |
|||
when: inventory_hostname in groups['k8s-cluster'] |
|||
tags: |
|||
- kubelet |
|||
- node |
|||
- kube-proxy |
@ -1,30 +0,0 @@ |
|||
--- |
|||
- name: Gen_certs | target ca-certificates path |
|||
set_fact: |
|||
ca_cert_path: |- |
|||
{% if ansible_os_family == "Debian" -%} |
|||
/usr/local/share/ca-certificates/kube-ca.crt |
|||
{%- elif ansible_os_family == "RedHat" -%} |
|||
/etc/pki/ca-trust/source/anchors/kube-ca.crt |
|||
{%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%} |
|||
/etc/ssl/certs/kube-ca.pem |
|||
{%- elif ansible_os_family == "Suse" -%} |
|||
/etc/pki/trust/anchors/kube-ca.pem |
|||
{%- endif %} |
|||
tags: |
|||
- facts |
|||
|
|||
- name: Gen_certs | add CA to trusted CA dir |
|||
copy: |
|||
src: "{{ kube_cert_dir }}/ca.pem" |
|||
dest: "{{ ca_cert_path }}" |
|||
remote_src: true |
|||
register: kube_ca_cert |
|||
|
|||
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/SUSE/Container Linux by CoreOS) |
|||
command: update-ca-certificates |
|||
when: kube_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS", "Suse"] |
|||
|
|||
- name: Gen_certs | update ca-certificates (RedHat) |
|||
command: update-ca-trust extract |
|||
when: kube_ca_cert.changed and ansible_os_family == "RedHat" |
@ -1,151 +0,0 @@ |
|||
#!/bin/bash |
|||
|
|||
# Author: Smana smainklh@gmail.com |
|||
# |
|||
# Licensed under the Apache License, Version 2.0 (the "License"); |
|||
# you may not use this file except in compliance with the License. |
|||
# You may obtain a copy of the License at |
|||
# |
|||
# http://www.apache.org/licenses/LICENSE-2.0 |
|||
# |
|||
# Unless required by applicable law or agreed to in writing, software |
|||
# distributed under the License is distributed on an "AS IS" BASIS, |
|||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
# See the License for the specific language governing permissions and |
|||
# limitations under the License. |
|||
|
|||
set -o errexit |
|||
set -o pipefail |
|||
|
|||
usage() |
|||
{ |
|||
cat << EOF |
|||
Create self signed certificates |
|||
|
|||
Usage : $(basename $0) -f <config> [-d <ssldir>] |
|||
-h | --help : Show this message |
|||
-f | --config : Openssl configuration file |
|||
-d | --ssldir : Directory where the certificates will be installed |
|||
|
|||
Environmental variables MASTERS and HOSTS should be set to generate keys |
|||
for each host. |
|||
|
|||
ex : |
|||
MASTERS=node1 HOSTS="node1 node2" $(basename $0) -f openssl.conf -d /srv/ssl |
|||
EOF |
|||
} |
|||
|
|||
# Options parsing |
|||
while (($#)); do |
|||
case "$1" in |
|||
-h | --help) usage; exit 0;; |
|||
-f | --config) CONFIG=${2}; shift 2;; |
|||
-d | --ssldir) SSLDIR="${2}"; shift 2;; |
|||
*) |
|||
usage |
|||
echo "ERROR : Unknown option" |
|||
exit 3 |
|||
;; |
|||
esac |
|||
done |
|||
|
|||
if [ -z ${CONFIG} ]; then |
|||
echo "ERROR: the openssl configuration file is missing. option -f" |
|||
exit 1 |
|||
fi |
|||
if [ -z ${SSLDIR} ]; then |
|||
SSLDIR="/etc/kubernetes/certs" |
|||
fi |
|||
|
|||
tmpdir=$(mktemp -d /tmp/kubernetes_cacert.XXXXXX) |
|||
trap 'rm -rf "${tmpdir}"' EXIT |
|||
cd "${tmpdir}" |
|||
|
|||
mkdir -p "${SSLDIR}" |
|||
|
|||
# Root CA |
|||
if [ -e "$SSLDIR/ca-key.pem" ]; then |
|||
# Reuse existing CA |
|||
cp $SSLDIR/{ca.pem,ca-key.pem} . |
|||
else |
|||
openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1 |
|||
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1 |
|||
fi |
|||
|
|||
# Front proxy client CA |
|||
if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then |
|||
# Reuse existing front proxy CA |
|||
cp $SSLDIR/{front-proxy-ca.pem,front-proxy-ca-key.pem} . |
|||
else |
|||
openssl genrsa -out front-proxy-ca-key.pem {{certificates_key_size}} > /dev/null 2>&1 |
|||
openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days {{certificates_duration}} -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1 |
|||
fi |
|||
|
|||
gen_key_and_cert() { |
|||
local name=$1 |
|||
local subject=$2 |
|||
openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1 |
|||
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1 |
|||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1 |
|||
} |
|||
|
|||
gen_key_and_cert_front_proxy() { |
|||
local name=$1 |
|||
local subject=$2 |
|||
openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1 |
|||
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1 |
|||
openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1 |
|||
} |
|||
|
|||
# Admins |
|||
if [ -n "$MASTERS" ]; then |
|||
|
|||
# service-account |
|||
# If --service-account-private-key-file was previously configured to use apiserver-key.pem then copy that to the new dedicated service-account signing key location to avoid disruptions |
|||
if [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then |
|||
cp $SSLDIR/apiserver-key.pem $SSLDIR/service-account-key.pem |
|||
fi |
|||
# Generate dedicated service account signing key if one doesn't exist |
|||
if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then |
|||
openssl genrsa -out service-account-key.pem {{certificates_key_size}} > /dev/null 2>&1 |
|||
fi |
|||
|
|||
# kube-apiserver |
|||
# Generate only if we don't have existing ca and apiserver certs |
|||
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then |
|||
gen_key_and_cert "apiserver" "/CN=kube-apiserver" |
|||
cat ca.pem >> apiserver.pem |
|||
fi |
|||
# If any host requires new certs, just regenerate scheduler and controller-manager master certs |
|||
# kube-scheduler |
|||
gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler" |
|||
# kube-controller-manager |
|||
gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager" |
|||
# metrics aggregator |
|||
gen_key_and_cert_front_proxy "front-proxy-client" "/CN=front-proxy-client" |
|||
|
|||
for host in $MASTERS; do |
|||
cn="${host}" |
|||
# admin |
|||
gen_key_and_cert "admin-${host}" "/CN=kube-admin-${cn}/O=system:masters" |
|||
done |
|||
fi |
|||
|
|||
# Nodes |
|||
if [ -n "$HOSTS" ]; then |
|||
for host in $HOSTS; do |
|||
cn="${host}" |
|||
gen_key_and_cert "node-${host}" "/CN=system:node:${cn,,}/O=system:nodes" |
|||
done |
|||
fi |
|||
|
|||
# system:node-proxier |
|||
if [ -n "$HOSTS" ]; then |
|||
for host in $HOSTS; do |
|||
# kube-proxy |
|||
gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier" |
|||
done |
|||
fi |
|||
|
|||
# Install certs |
|||
mv *.pem ${SSLDIR}/ |
@ -1,42 +0,0 @@ |
|||
{% set counter = {'dns': 6,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req] |
|||
req_extensions = v3_req |
|||
distinguished_name = req_distinguished_name |
|||
[req_distinguished_name] |
|||
[ v3_req ] |
|||
basicConstraints = CA:FALSE |
|||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|||
subjectAltName = @alt_names |
|||
[alt_names] |
|||
DNS.1 = kubernetes |
|||
DNS.2 = kubernetes.default |
|||
DNS.3 = kubernetes.default.svc |
|||
DNS.4 = kubernetes.default.svc.{{ dns_domain }} |
|||
DNS.5 = localhost |
|||
{% for host in groups['kube-master'] %} |
|||
DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }} |
|||
{% endfor %} |
|||
{% if apiserver_loadbalancer_domain_name is defined %} |
|||
DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }} |
|||
{% endif %} |
|||
{% for host in groups['kube-master'] %} |
|||
{% if hostvars[host]['access_ip'] is defined %} |
|||
IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }} |
|||
{% endif %} |
|||
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }} |
|||
{% endfor %} |
|||
{% if kube_apiserver_ip is defined %} |
|||
IP.{{ counter["ip"] }} = {{ kube_apiserver_ip }}{{ increment(counter, 'ip') }} |
|||
{% endif %} |
|||
{% if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined %} |
|||
IP.{{ counter["ip"] }} = {{ loadbalancer_apiserver.address }}{{ increment(counter, 'ip') }} |
|||
{% endif %} |
|||
{% if supplementary_addresses_in_ssl_keys is defined %} |
|||
{% for addr in supplementary_addresses_in_ssl_keys %} |
|||
{% if addr | ipaddr %} |
|||
IP.{{ counter["ip"] }} = {{ addr }}{{ increment(counter, 'ip') }} |
|||
{% else %} |
|||
DNS.{{ counter["dns"] }} = {{ addr }}{{ increment(counter, 'dns') }} |
|||
{% endif %} |
|||
{% endfor %} |
|||
{% endif %} |
|||
IP.{{ counter["ip"] }} = 127.0.0.1 |
@ -1,20 +0,0 @@ |
|||
{% set counter = {'dns': 6,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req] |
|||
req_extensions = v3_req |
|||
distinguished_name = req_distinguished_name |
|||
[req_distinguished_name] |
|||
[ v3_req ] |
|||
basicConstraints = CA:FALSE |
|||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|||
subjectAltName = @alt_names |
|||
[alt_names] |
|||
DNS.1 = kubernetes |
|||
DNS.2 = kubernetes.default |
|||
DNS.3 = kubernetes.default.svc |
|||
DNS.4 = kubernetes.default.svc.{{ dns_domain }} |
|||
DNS.5 = localhost |
|||
DNS.{{ counter["dns"] }} = {{ inventory_hostname }}{{ increment(counter, 'dns') }} |
|||
{% if hostvars[inventory_hostname]['access_ip'] is defined %} |
|||
IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['access_ip'] }}{{ increment(counter, 'ip') }} |
|||
{% endif %} |
|||
IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }} |
|||
IP.{{ counter["ip"] }} = 127.0.0.1 |
@ -1,6 +1,6 @@ |
|||
--- |
|||
- name: Uncordon node |
|||
command: "{{ bin_dir }}/kubectl uncordon {{ inventory_hostname }}" |
|||
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf uncordon {{ inventory_hostname }}" |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
when: |
|||
- needs_cordoning|default(false) |
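Review bot: The new `command:` line hard-codes `/etc/kubernetes/admin.conf` while the rest of the playbooks in this change reference the config directory through `{{ kube_config_dir }}` (see the "Create kubernetes config directory" task above), so an inventory that overrides `kube_config_dir` would make this task fail with a missing kubeconfig on the delegated master; `command: "{{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf uncordon {{ inventory_hostname }}"` keeps it consistent. It is also worth a one-line comment above the task noting that `admin.conf` is the cluster-admin credential written by kubeadm on the first master, which is why the task is delegated there, e.g. `# admin.conf (cluster-admin, kubeadm-generated) only exists on the first master`. Whether the task should be delegated to the first master is presumably unchanged by this commit and not re-raised here.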