Merge branch 'master' of https://github.com/kubernetes-sigs/kubespray

* 'master' of https://github.com/kubernetes-sigs/kubespray: Add a way to deploy cilium alongside another CNI (kubernetes-sigs#6373) Cleanup old build-cephfs-provisioner.yml playbook (kubernetes-sigs#6418) Always enable GitLab CI artifacts for cluster-dump (kubernetes-sigs#6412) Remove allow-release-candidate-upgrades already include in experimental-upgrades flag (kubernetes-sigs#6349) add calico-node selinux (kubernetes-sigs#6359) Add oomichi to reviwers of MetalLB addon (kubernetes-sigs#6393) Respect kube_override_hostname during removal/upgrade (kubernetes-sigs#6347) Fixed fedora modular repos activation for fcos (kubernetes-sigs#6300) Fix kube-proxy post deployment removal (kubernetes-sigs#5554) Remove old csi-attacher flag and fix RBAC for Cinder CSI (kubernetes-sigs#6358) Update cilium minimum kernel preinstall check (kubernetes-sigs#6376) Add readiness probe to dns-autoscaler (kubernetes-sigs#6382) Add Fedora CoreOS kubevirt image for tests (kubernetes-sigs#6337) allow kubeadm to upgrade etcd (kubernetes-sigs#6345) crio: harden downloads with retry (kubernetes-sigs#6374) Add workaround with include_task for mitogen (kubernetes-sigs#6312)
kubesail · Jul 19, 2020 · 13dbcfe · 13dbcfe
2 parents 22c06b6 + 1a1fe99
commit 13dbcfe
Show file tree

Hide file tree

Showing 30 changed files with 105 additions and 107 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -42,6 +42,7 @@ before_script:
     - packet
   image: quay.io/kubespray/kubespray:$KUBESPRAY_VERSION
   artifacts:
+    when: always
     paths:
       - cluster-dump/
 

diff --git a/.gitlab-ci/packet.yml b/.gitlab-ci/packet.yml
@@ -63,6 +63,11 @@ packet_ubuntu16-kube-router-sep:
   extends: .packet
   when: manual
 
+packet_ubuntu16-kube-router-svc-proxy:
+  stage: deploy-part2
+  extends: .packet
+  when: manual
+
 packet_debian10-containerd:
   stage: deploy-part2
   extends: .packet

diff --git a/.gitlab-ci/terraform.yml b/.gitlab-ci/terraform.yml
@@ -38,6 +38,7 @@
   when: manual
   only: [/^pr-.*$/]
   artifacts:
+    when: always
     paths:
       - cluster-dump/
   variables:

diff --git a/extra_playbooks/build-cephfs-provisioner.yml b/extra_playbooks/build-cephfs-provisioner.yml
diff --git a/roles/container-engine/cri-o/tasks/crio_repo.yml b/roles/container-engine/cri-o/tasks/crio_repo.yml
@@ -10,6 +10,10 @@
     url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/{{ crio_kubic_debian_repo_name }}/Release.key"
     state: present
   when: crio_kubic_debian_repo_name is defined
+  register: apt_key_download
+  until: apt_key_download is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
 
 - name: Add CRI-O kubic repo
   apt_repository:
@@ -38,15 +42,17 @@
 
 - name: Enable modular repos for CRI-O
   ini_file:
-    path: "/etc/yum.repos.d/{{ item }}.repo"
-    section: "{{ item }}"
+    path: "/etc/yum.repos.d/{{ item.repo }}.repo"
+    section: "{{ item.section }}"
     option: enabled
     value: 1
   become: true
   when: is_ostree
   loop:
-    - "fedora-updates-modular"
-    - "fedora-modular"
+    - repo: "fedora-updates-modular"
+      section: "updates-modular"
+    - repo: "fedora-modular"
+      section: "fedora-modular"
 
 - name: Enable CRI-O module
   command: "dnf -y module enable cri-o:{{ crio_version }}"

diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
@@ -47,6 +47,10 @@
   when: not is_ostree
   with_items: "{{ crio_packages }}"
   notify: restart crio
+  register: package_install
+  until: package_install is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
 
 - name: Gather the rpm package facts
   package_facts:

diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
@@ -682,7 +682,7 @@ downloads:
     - k8s-cluster
 
   cilium:
-    enabled: "{{ kube_network_plugin == 'cilium' }}"
+    enabled: "{{ kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool }}"
     container: true
     repo: "{{ cilium_image_repo }}"
     tag: "{{ cilium_image_tag }}"
@@ -691,7 +691,7 @@ downloads:
     - k8s-cluster
 
   cilium_init:
-    enabled: "{{ kube_network_plugin == 'cilium' }}"
+    enabled: "{{ kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool }}"
     container: true
     repo: "{{ cilium_init_image_repo }}"
     tag: "{{ cilium_init_image_tag }}"
@@ -700,7 +700,7 @@ downloads:
     - k8s-cluster
 
   cilium_operator:
-    enabled: "{{ kube_network_plugin == 'cilium' }}"
+    enabled: "{{ kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool }}"
     container: true
     repo: "{{ cilium_operator_image_repo }}"
     tag: "{{ cilium_operator_image_tag }}"

diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@@ -65,6 +65,11 @@ spec:
           requests:
             cpu: {{ dns_autoscaler_cpu_requests }}
             memory: {{ dns_autoscaler_memory_requests }}
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
         command:
         - /cluster-proportional-autoscaler
         - --namespace=kube-system

diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin-rbac.yml.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin-rbac.yml.j2
@@ -16,16 +16,19 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "patch"]
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "patch"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["csinodes"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
 
 
 ---

diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2
@@ -27,7 +27,6 @@ spec:
             - "--csi-address=$(ADDRESS)"
 {% if cinder_csi_controller_replicas is defined and cinder_csi_controller_replicas > 1 %}
             - --leader-election
-            - --leader-election-type=leases
             - --leader-election-namespace=kube-system
 {% endif %}
           env:

diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/basedirs.yml b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/basedirs.yml
@@ -0,0 +1,12 @@
+---
+# include to workaround mitogen issue
+# https://github.com/dw/mitogen/issues/663
+
+- name: "Local Volume Provisioner | Ensure base dir {{ delegate_host_base_dir.1 }} is created on {{ delegate_host_base_dir.0 }}"
+  file:
+    path: "{{ local_volume_provisioner_storage_classes[delegate_host_base_dir.1].host_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "{{ local_volume_provisioner_directory_mode }}"
+  delegate_to: "{{ delegate_host_base_dir.0 }}"
diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
@@ -1,15 +1,10 @@
 ---
+
 - name: Local Volume Provisioner | Ensure base dir is created on all hosts
-  file:
-    path: "{{ local_volume_provisioner_storage_classes[item.1].host_dir }}"
-    state: directory
-    owner: root
-    group: root
-    mode: "{{ local_volume_provisioner_directory_mode }}"
-  delegate_to: "{{ item[0] }}"
-  with_nested:
-    - "{{ groups['k8s-cluster'] }}"
-    - "{{ local_volume_provisioner_storage_classes.keys() | list }}"
+  include_tasks: basedirs.yml
+  loop_control:
+    loop_var: delegate_host_base_dir
+  loop: "{{ groups['k8s-cluster'] | product(local_volume_provisioner_storage_classes.keys()) | list }}"
 
 - name: Local Volume Provisioner | Create addon dir
   file:

diff --git a/roles/kubernetes-apps/metallb/OWNERS b/roles/kubernetes-apps/metallb/OWNERS
@@ -0,0 +1,5 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+reviewers:
+  - oomichi
diff --git a/roles/kubernetes-apps/network_plugin/meta/main.yml b/roles/kubernetes-apps/network_plugin/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 dependencies:
   - role: kubernetes-apps/network_plugin/cilium
-    when: kube_network_plugin == 'cilium'
+    when: kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
     tags:
       - cilium
 

diff --git a/roles/kubernetes/kubeadm/defaults/main.yml b/roles/kubernetes/kubeadm/defaults/main.yml
@@ -4,9 +4,6 @@
 discovery_timeout: 60s
 kubeadm_join_timeout: 120s
 
-# Optionally remove kube_proxy installed by kubeadm
-kube_proxy_remove: false
-
 # If non-empty, will use this string as identification instead of the actual hostname
 kube_override_hostname: >-
   {%- if cloud_provider is defined and cloud_provider in [ 'aws' ] -%}

diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -163,7 +163,6 @@
   delegate_to: "{{ groups['kube-master']|first }}"
   when:
     - kube_proxy_remove
-    - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
   # When scaling/adding nodes in the existing k8s cluster, kube-proxy wouldn't be created, as `kubeadm init` wouldn't run.
   ignore_errors: true
   tags:

diff --git a/roles/kubernetes/master/tasks/kubeadm-upgrade.yml b/roles/kubernetes/master/tasks/kubeadm-upgrade.yml
@@ -17,9 +17,7 @@
     --config={{ kube_config_dir }}/kubeadm-config.yaml
     --ignore-preflight-errors=all
     --allow-experimental-upgrades
-    --allow-release-candidate-upgrades
-    --etcd-upgrade=false
-    --certificate-renewal=true
+    --etcd-upgrade={{ etcd_kubeadm_enabled | bool | lower }}
     --force
   register: kubeadm_upgrade
   # Retry is because upload config sometimes fails
@@ -39,9 +37,7 @@
     --config={{ kube_config_dir }}/kubeadm-config.yaml
     --ignore-preflight-errors=all
     --allow-experimental-upgrades
-    --allow-release-candidate-upgrades
-    --etcd-upgrade=false
-    --certificate-renewal=true
+    --etcd-upgrade={{ etcd_kubeadm_enabled | bool | lower }}
     --force
   register: kubeadm_upgrade
   when: inventory_hostname != groups['kube-master']|first

diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
@@ -22,9 +22,6 @@ kubelet_kubelet_cgroups: "/systemd/system.slice"
 ### fail with swap on (default true)
 kubelet_fail_swap_on: true
 
-# Optionally remove kube_proxy installed by kubeadm
-kube_proxy_remove: false
-
 # Reserve this space for kube resources
 kube_memory_reserved: 256M
 kube_cpu_reserved: 100m

diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -128,9 +128,9 @@
 
 - name: Stop if kernel version is too low
   assert:
-    that: ansible_kernel.split('-')[0] is version('4.8', '>=')
+    that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
   when:
-    - kube_network_plugin == 'cilium'
+    - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
     - not ignore_assert_errors
 
 - name: Stop if bad hostname

diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -57,6 +57,8 @@ spec:
               name: host-local-net-dir
             - mountPath: /host/opt/cni/bin
               name: cni-bin-dir
+          securityContext:
+            privileged: true
 {% endif %}
         # This container installs the Calico CNI binaries
         # and CNI network config file on each node.
@@ -88,6 +90,8 @@ spec:
               name: cni-net-dir
             - mountPath: /host/opt/cni/bin
               name: cni-bin-dir
+          securityContext:
+            privileged: true
 {% endif %}
       containers:
 {% if calico_version is version('v3.3.0', '>=') and calico_version is version('v3.4.0', '<') %}

diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
@@ -33,3 +33,7 @@ cilium_monitor_aggregation: medium
 cilium_preallocate_bpf_maps: false
 cilium_tofqdns_enable_poller: false
 cilium_enable_legacy_services: false
+
+# Deploy cilium even if kube_network_plugin is not cilium.
+# This enables to deploy cilium alongside another CNI to replace kube-proxy.
+cilium_deploy_additionally: false
diff --git a/roles/network_plugin/meta/main.yml b/roles/network_plugin/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 dependencies:
   - role: network_plugin/cilium
-    when: kube_network_plugin == 'cilium'
+    when: kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
     tags:
       - cilium
 

diff --git a/roles/remove-node/post-remove/tasks/main.yml b/roles/remove-node/post-remove/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
 - name: Delete node
-  command: "{{ bin_dir }}/kubectl delete node {{ inventory_hostname }}"
+  command: "{{ bin_dir }}/kubectl delete node {{ kube_override_hostname|default(inventory_hostname) }}"
   delegate_to: "{{ groups['kube-master']|first }}"
   ignore_errors: yes
diff --git a/roles/remove-node/pre-remove/tasks/main.yml b/roles/remove-node/pre-remove/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: cordon-node | Mark all nodes as unschedulable before drain
   command: >-
-    {{ bin_dir }}/kubectl cordon {{ item }}
+    {{ bin_dir }}/kubectl cordon {{ hostvars[item]['kube_override_hostname']|default(item) }}
   with_items:
     - "{{ node.split(',') | default(groups['kube-node']) }}"
   failed_when: false
@@ -16,7 +16,7 @@
       --ignore-daemonsets
       --grace-period {{ drain_grace_period }}
       --timeout {{ drain_timeout }}
-      --delete-local-data {{ item }}
+      --delete-local-data {{ hostvars[item]['kube_override_hostname']|default(item) }}
   with_items:
     - "{{ node.split(',') | default(groups['kube-node']) }}"
   failed_when: false

diff --git a/roles/upgrade/post-upgrade/tasks/main.yml b/roles/upgrade/post-upgrade/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Uncordon node
-  command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf uncordon {{ inventory_hostname }}"
+  command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf uncordon {{ kube_override_hostname|default(inventory_hostname) }}"
   delegate_to: "{{ groups['kube-master'][0] }}"
   when:
     - needs_cordoning|default(false)