Matthew Mosesohn
74b78e75a1
Always trigger docker restart when docker package changes
Docker upgrade doesn't auto-restart docker, causing failures
when trying to start another container
7 years ago
Greg Althaus
6905edbeb6
Add a variable that defaults to kube_apiserver_port that defines
the which port the local nginx proxy should listen on for HA
local balancer configurations.
7 years ago
Greg Althaus
6c69da1573
This PR adds/or modifies a few tasks to allow for the playbook to
be run by limit on each node without regard for order.
The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node. This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.
7 years ago
Greg Althaus
95bf380d07
If the inventory name of the host exceeds 63 characters,
the openssl tools will fail to create signing requests because
the CN is too long. This is mainly a problem when FQDNs are used
in the inventory file.
THis will truncate the hostname for the CN field only at the
first dot. This should handle the issue for most cases.
7 years ago
Matthew Mosesohn
80703010bd
Use only one certificate for all apiservers
https://github.com/kubernetes/kubernetes/issues/25063
7 years ago
Alexander Block
1054f37765
Don't try to delete kargo specific config from dhclient when file does not exist
Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.
7 years ago
Greg Althaus
f77257cf79
When running on CentOS7 image in AWS with selinux on, the order of
the tasks fail because selinux prevents ip-forwarding setting.
Moving the tasks around addresses two issues. Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.
7 years ago
Alexander Block
a7bf7867d7
Add tasks to undo changes to hosts /etc/resolv.conf and dhclient configs
7 years ago
Matthew Mosesohn
3f274115b0
Generate individual certificates for k8s hosts
7 years ago
Brad Beam
db8173da28
Adding /opt/cni /etc/cni to rkt run kubelet
7 years ago
Matthew Mosesohn
e22f938ae5
Bind nginx localhost proxy to localhost
This proxy should only be listening for local connections, not 0.0.0.0.
Fixes #868
7 years ago
Matthew Mosesohn
1dce56e2f8
Fix docker dns host scenario with no search domains
Fixes scenario where docker-dns.conf tries to create an empty
search entry
7 years ago
Aleksandr Didenko
d9539e0f27
Fix etcd cert generation for calico-rr role
"etcd_node_cert_data" variable is undefinded for "calico-rr" role.
This patch adds "calico-rr" nodes to task where "etcd_node_cert_data"
variable is registered.
7 years ago
Aleksandr Didenko
0909368339
Set latest stable versions for Calico images
Change version for calico images to v1.0.0. Also bump versions for
CNI and policy controller.
Also removing images repo and tag duplication from netchecker role
7 years ago
Alexander Block
a8b5b856d1
Only use default resolver in dnsmasq when we are using host_resolvconf mode
7 years ago
Alexander Block
1d2a18b355
Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
7 years ago
Spencer Smith
4a59340182
remove assertion for family not being CoreOS
7 years ago
Brad Beam
cf042b2a4c
Create network policy directory for canal
7 years ago
Brad Beam
65c86377fc
Adding calicoctl to canal deployment
7 years ago
Bogdan Dobrelya
5af2c42bde
Better fix for different CoreOS os family facts
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Bogdan Dobrelya
f7447837c5
Rename CoreOS fact
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Brad Beam
4b6f29d5e1
Adding kubelet in rkt
7 years ago
Brad Beam
8dc19374cc
Allowing etcd to run via rkt
8 years ago
Brad Beam
a8f2af0503
Adding initial rkt support
8 years ago
Bogdan Dobrelya
d8a2941e9e
Fix cert paths for flannel/calico policy apps
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Alexander Block
ab7df10a7d
Upgrade docker version and do some cleanups for unsupported distros/docker versions
7 years ago
Bogdan Dobrelya
97f96a6376
Fix etc hosts for cluster nodes
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Bogdan Dobrelya
58062be2a3
Drop non systemd OS types support
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Matthew Mosesohn
1f9f885379
Fix etcd cert generation to support large deployments
Due to bash max args limits, we should pass all node filenames and
base64-encoded tar data through stdin/stdout instead.
Fixes #832
7 years ago
Bogdan Dobrelya
a56d9de502
Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
systemd limits due to the lack of consensus in the kernel community
requires out-of-tree kernel patches.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
7 years ago
Matthew Mosesohn
f0c0390646
Fix creation and sync of etcd certs
Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync
7 years ago
Matthew Mosesohn
6d9cd2d720
Fix calico-rr to use etcd certs instead of kube certs
7 years ago
Bogdan Dobrelya
79996b557b
Rework ignore_errors to report no reds
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Bogdan Dobrelya
bb0c3537cb
Do not forward bogus domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Matthew Mosesohn
385f7f6e75
Update etcd.j2
7 years ago
Matthew Mosesohn
9f1e3db906
Adjust etcd server certificates
ETCD doesn't need cert/key options set. It only requires peer
cert options.
7 years ago
Spencer Smith
b63d900625
Workaround etcdctl not yet being installed ( #797 )
workaround case for etcdctl not yet being installed, only allow for return code of 0 (no error)
7 years ago
Genti Topija
7c2785e083
Fix Flannel network on CoreOS
Resolves : #748
8 years ago
Matthew Mosesohn
ad796d188d
Individual etcd ssl certs
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
8 years ago
Alexander Block
8e4e3998dd
Fix wrong path of dhclient on CentOS+Azure
This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.
7 years ago
Spencer Smith
8d9f207836
create systemd drop-in path if not existent
7 years ago
Bogdan Dobrelya
f10d1327d4
Revert "Do not forward private domains for upstream resolvers"
7 years ago
Matthew Mosesohn
d314174149
Add wait for kube-apiserver to kubernetes-apps
Fixes #777
7 years ago
Bogdan Dobrelya
b8bc8eee41
Add download_always_pull check and sha256 for docker images
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
7 years ago
Matthew Mosesohn
348fc5b109
Fix etcd to-SSL upgrade and task register vars
7 years ago
Bogdan Dobrelya
101864c050
Do not forward private domains for upstream resolvers
Also fix kube log level 4 to log dnsmasq queries.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
8 years ago
Alexander Block
fe150d4e4d
Register master node as unschedulable
Also refactor generation of kubelet args to not repeat args.
8 years ago
Antoine Legrand
048ac264a3
Update main.yml
8 years ago
Bogdan Dobrelya
1782d19e1f
Fallback to default resolver if no nameservers
Current design expects users to define at least one
nameserver in the nameservers var to backup host OS DNS config
when the K8s cluster DNS service IP is not available and hosts
still have to resolve external or intranet FQDNs.
Fix undefined nameservers to fallback to the default_resolver.
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Bogdan Dobrelya
e2476fbd0b
Revert "Fix wrong path for dhclient.conf on RedHat/CentOS"
8 years ago