Merge branch 'master' into goreportcard

README.md

@@ -4,8 +4,11 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/contrib)](https://goreportcard.com/report/github.com/kubernetes/contrib)
 [![APACHEv2 License](https://img.shields.io/badge/license-APACHEv2-blue.svg)](https://github.com/kubernetes/contrib/blob/master/LICENSE)
 
-This is a place for various components in the Kubernetes ecosystem
-that aren't part of the Kubernetes core.
+**Do not add new projects to this repository.** We eventually want to
+move all code in this repository to more appropriate repositories (see 
+[#762](https://github.com/kubernetes/contrib/issues/762)). Create a new
+repository in `kubernetes-incubator` instead 
+([process](https://github.com/kubernetes/community/blob/master/incubator.md)).
 
 ## Getting the Code
 

ansible/inventory/group_vars/all.yml

@@ -107,12 +107,20 @@ dns_setup: true
 # How many replicas in the Replication Controller
 dns_replicas: 1
 
+# Certificate authority private key should not be kept on server
+# but you probably want to keep it to generate user certificates. Set
+# that value to "true" to keep ca.key file on {{ kube_cert_dir}}.
+# It's recommanded to remove the private key from the server. So if you set
+# kube_cert_keep_ca to true, please copy the ca.key file somewhere that
+# is secured, and remove it from server.
+kube_cert_keep_ca: false
+
 # There are other variable in roles/kubernetes/defaults/main.yml but changing
 # them comes with a much higher risk to your cluster. So proceed over there
 # with caution.
 
 # See kube documentation for apiserver runtime config options.  Example below enables HPA, deployments features.
-#kube_apiserver_options:
+#kube_apiserver_additional_options:
 #  - --runtime-config=extensions/v1beta1/deployments=true
 
 # To enable etcd auto cert generation set the following *_scheme vars to "https"

ansible/roles/etcd/tasks/main.yml

@@ -15,5 +15,5 @@
 
 - name: Restart etcd
   include: restart.yml
-  when: etcd_modified is not defined or (etcd_modified is defined and etcd_started.changed == false)
+  when: etcd_modified is not defined or etcd_started.changed == false
   tags: restart

ansible/roles/etcd/tasks/start.yml

@@ -1,6 +1,2 @@
 ---
-- include: etcd-start.yml
-  when: not is_coreos
-
-- include: etcd2-start.yml
-  when: is_coreos
+- include: "{% if not is_coreos %}etcd-start{% else %}etcd2-start{% endif %}.yml"

ansible/roles/kubernetes/files/make-ca-cert.sh

@@ -27,6 +27,7 @@ set -o pipefail
 # MASTERS - DNS name for the masters
 # DNS_DOMAIN - which will be passed to minions in --cluster-domain
 # SERVICE_CLUSTER_IP_RANGE - where all service IPs are allocated
+# KUBE_CERT_KEEP_CA - to keep ca.key file or not, "true"|"false"
 
 # Also the following will be respected
 # CERT_DIR - where to place the finished certs
@@ -38,6 +39,7 @@ service_range="${SERVICE_CLUSTER_IP_RANGE:="10.0.0.0/16"}"
 dns_domain="${DNS_DOMAIN:="cluster.local"}"
 cert_dir="${CERT_DIR:-"/srv/kubernetes"}"
 cert_group="${CERT_GROUP:="kube-cert"}"
+keep_ca_priv_key="${KUBE_CERT_KEEP_CA:="false"}"
 
 # The following certificate pairs are created:
 #
@@ -142,6 +144,10 @@ cp -p pki/issued/kubelet.crt "${cert_dir}/kubelet.crt"
 cp -p pki/private/kubelet.key "${cert_dir}/kubelet.key"
 
 CERTS=("ca.crt" "server.key" "server.crt" "kubelet.key" "kubelet.crt" "kubecfg.key" "kubecfg.crt")
+if [[ "${keep_ca_priv_key}" == "true" ]]; then
+    cp -p pki/private/ca.key "${cert_dir}/ca.key"
+    CERTS+=("ca.key")
+fi
 for cert in "${CERTS[@]}"; do
   chgrp "${cert_group}" "${cert_dir}/${cert}"
   chmod 660 "${cert_dir}/${cert}"

ansible/roles/kubernetes/tasks/gen_certs.yml

@@ -38,6 +38,7 @@
     HTTPS_PROXY: "{{ https_proxy|default('') }}"
     CLUSTER_HOSTNAME: "{{ master_cluster_hostname|default('') }}"
     CLUSTER_PUBLIC_HOSTNAME: "{{ master_cluster_public_hostname|default('') }}"
+    KUBE_CERT_KEEP_CA: "{{ kube_cert_keep_ca | default('false') | lower }}"
 
 - name: Verify certificate permissions
   file:
@@ -51,3 +52,11 @@
     - "{{ kube_cert_dir }}/server.key"
     - "{{ kube_cert_dir }}/kubecfg.crt"
     - "{{ kube_cert_dir }}/kubecfg.key"
+
+- name: Check CA private key permissions if kube_cert_keep_ca is set to "true"
+  file:
+    path: "{{ kube_cert_dir }}/ca.key"
+    group: "{{ kube_cert_group }}"
+    owner: kube
+    mode: 0440
+  when: kube_cert_keep_ca

ansible/roles/master/defaults/main.yml

@@ -31,10 +31,6 @@ kube_master_rpms:
   - kubernetes-client
   - kubernetes-master
 
-kube_apiserver_options: []
-kube_controller_manager_options: []
-kube_scheduler_options: []
-
 etcd_client_port: '2379'
 
 kube_apiserver_options:
@@ -44,6 +40,7 @@ kube_apiserver_options:
   - "--token-auth-file={{ kube_token_dir }}/known_tokens.csv"
   - "--service-account-key-file={{ kube_cert_dir }}/server.crt"
   - "--bind-address={{ kube_apiserver_bind_address }}"
+  - "--apiserver-count={{ groups['masters']|length }}"
 
 kube_controller_manager_options:
   - "--kubeconfig={{ kube_config_dir }}/controller-manager.kubeconfig"

ansible/roles/master/templates/apiserver.j2

@@ -23,4 +23,4 @@ KUBE_ETCD_SERVERS="--etcd-servers={% for node in groups['etcd'] %}{% if etcd_url
 KUBE_ADMISSION_CONTROL="--admission-control={{ admission_controllers }}"
 
 # Add your own!
-KUBE_API_ARGS="{{ kube_apiserver_additional_options|join(' ') }} {{ kube_apiserver_additional_options|join(' ') }}"
+KUBE_API_ARGS="{{ kube_apiserver_options|join(' ') }} {{ kube_apiserver_additional_options|join(' ') }}"

ansible/roles/node/defaults/main.yml

@@ -15,11 +15,6 @@ kube_node_rpms:
   - kubernetes-client
   - kubernetes-node
 
-kubelet_options: []
-#  - "--host-network-sources=*"
-#  - "--pod-infra-container-image=gcr.io/google_containers/pause:2.0"
-kube_proxy_options: []
-
 kubelet_options:
   - "--kubeconfig={{ kube_config_dir }}/kubelet.kubeconfig"
   - "--config={{ kube_manifest_dir }}"
@@ -28,4 +23,9 @@ kube_proxy_options:
   - "--kubeconfig={{ kube_config_dir }}/proxy.kubeconfig"
 
 kubelet_additional_options: []
+#  - "--host-network-sources=*"
+#  - "--pod-infra-container-image=gcr.io/google_containers/pause:2.0"
+
 kube_proxy_additional_options: []
+
+disable_swap: true

ansible/roles/node/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Disable swap
+  include: swapoff.yml
+  tags: configure
+  when: disable_swap
+
 # Install the kube node components
 # E.g. applying package manager, downloading binaries from github, etc.
 - name: Install kube node

ansible/roles/node/tasks/swapoff.yml

@@ -0,0 +1,9 @@
+# This task disables swap for Kubernetes node (see https://github.com/kubernetes/kubernetes/pull/31996)
+- name: Remove swapfile from /etc/fstab
+  mount:
+    name: swap
+    fstype: swap
+    state: absent
+- name: Disable swap
+  command: swapoff -a
+  when: ansible_swaptotal_mb > 0

ansible/roles/pre-ansible/tasks/main.yml

@@ -40,3 +40,7 @@
 
 - include: fedora-dnf.yml
   when: os_version.stdout|int >= 22 and 'Fedora' in distro.stdout and is_atomic is not defined
+
+- name: install python 2 on Ubuntu
+  raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
+  when: "'Ubuntu' in distro.stdout"

ansible/vagrant/Vagrantfile

@@ -44,6 +44,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.provider "libvirt"
   config.vm.provider "aws"
   config.vm.provider "openstack"
+  config.vm.provider "opennebula"
 
   # By default, Vagrant itself assumes that sudo requires no
   # password, therefore it does not need a tty. Some OS images
@@ -106,6 +107,13 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     end
   end
 
+  def set_opennebula_box(config)
+    case $os_image
+    when :centos7
+      config.vm.box = "dummy"
+    end
+  end
+
   def set_openstack(os, config, n)
     set_openstack_box(config)
 
@@ -173,6 +181,22 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     aws.region = "YOUR REGION"
   end
 
+  def set_opennebula(opennebula, config, n)
+    set_opennebula_box(config)
+
+    config.ssh.username = "YOUR IMAGE UNAME"
+    config.ssh.private_key_path = "PATH TO YOUR KEY"
+
+    opennebula.endpoint = "RPC2 ENDPOINT"
+    opennebula.username = "USERNAME TO ACCESS RPC"
+    opennebula.password = "PASSWORD"
+    opennebula.template_id = 1
+    opennebula.title = n.vm.hostname
+    opennebula.cpu = 2
+    opennebula.vcpu = 2
+    opennebula.memory = 4096
+  end
+
   def set_provider(n, vm_idx)
     n.vm.provider :openstack do |os, override|
       set_openstack(os, override, n)
@@ -186,6 +210,9 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
      n.vm.provider :aws do |aws, override|
       set_aws(aws, override, n)
     end
+    n.vm.provider :opennebula do |opennebula, override|
+      set_opennebula(opennebula, override, n)
+    end
   end
 
   def set_common_ansible_options(ansible)
@@ -277,6 +304,11 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         yield ansible, :aws
       end
     end
+    n.vm.provider :opennebula do |opennebula, override|
+      override.vm.provision :ansible do |ansible|
+        yield ansible, :opennebula
+      end
+    end
   end
 
   config.vm.synced_folder ".", "/vagrant", disabled: true

cluster-autoscaler/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/google_containers/ubuntu-slim:0.1
+FROM gcr.io/google-containers/ubuntu-slim:0.8
 MAINTAINER Marcin Wielgus "mwielgus@google.com"
 
 ADD cluster-autoscaler cluster-autoscaler