Fixed conflicts, ipip:true as defualt and added ipip_mode

roles/kargo-defaults/tasks/main.yaml → roles/kubespray-defaults/tasks/main.yaml

 - name: Configure defaults
   debug:
-    msg: "Check roles/kargo-defaults/defaults/main.yml"
+    msg: "Check roles/kubespray-defaults/defaults/main.yml"
   tags:
     - always

roles/network_plugin/calico/defaults/main.yml

@@ -4,6 +4,7 @@ nat_outgoing: true
 
 # Use IP-over-IP encapsulation across hosts
 ipip: true
+ipip_mode: always  # change to "cross-subnet" if you only want ipip encapsulation on traffic going across subnets
 
 # Set to true if you want your calico cni binaries to overwrite the
 # ones from hyperkube while leaving other cni plugins intact.

roles/network_plugin/calico/tasks/main.yml

@@ -94,7 +94,7 @@
   shell: >
     echo '{
     "kind": "ipPool",
-    "spec": {"disabled": false, "ipip": {"enabled": {{ ipip }}},
+    "spec": {"disabled": false, "ipip": {"enabled": {{ ipip }}, "mode": "{{ ipip_mode }}"},
              "nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}},
     "apiVersion": "v1",
     "metadata": {"cidr": "{{ kube_pods_subnet }}"}

roles/reset/tasks/main.yml

@@ -83,6 +83,15 @@
     - /etc/dhcp/dhclient.d/zdnsupdate.sh
     - /etc/dhcp/dhclient-exit-hooks.d/zdnsupdate
     - "{{ bin_dir }}/kubelet"
+    - "{{ bin_dir }}/kubernetes-scripts"
+    - /run/flannel
+    - /etc/flannel
+    - /run/kubernetes
+    - /usr/local/share/ca-certificates/kube-ca.crt
+    - /usr/local/share/ca-certificates/etcd-ca.crt
+    - /etc/ssl/certs/kube-ca.pem
+    - /etc/ssl/certs/etcd-ca.pem
+    - /var/log/pods/
   tags: ['files']
 
 

roles/upgrade/post-upgrade/tasks/main.yml

@@ -3,4 +3,5 @@
 - name: Uncordon node
   command: "{{ bin_dir }}/kubectl uncordon {{ inventory_hostname }}"
   delegate_to: "{{ groups['kube-master'][0] }}"
-  when: needs_cordoning|default(false)
+  when: (needs_cordoning|default(false)) and ( {%- if inventory_hostname in groups['kube-node'] -%} true {%- else -%} false {%- endif -%} )
+

roles/upgrade/pre-upgrade/tasks/main.yml

@@ -7,11 +7,11 @@
 
 - set_fact:
     needs_cordoning: >-
-      {% if " Ready" in kubectl_nodes.stdout %}
+      {% if " Ready" in kubectl_nodes.stdout -%}
       true
-      {% else %}
+      {%- else -%}
       false
-      {% endif %}
+      {%- endif %}
 
 - name: Cordon node
   command: "{{ bin_dir }}/kubectl cordon {{ inventory_hostname }}"

roles/vault/tasks/bootstrap/ca_trust.yml

 ---
 
-- name: bootstrap/ca_trust | pull CA from cert from groups.vault|first
+- name: "bootstrap/ca_trust | pull CA from cert from {{groups.vault|first}}"
   command: "cat {{ vault_cert_dir }}/ca.pem"
   register: vault_cert_file_cat
   delegate_to: "{{ groups['vault']|first }}"

roles/vault/tasks/shared/issue_cert.yml

@@ -26,7 +26,7 @@
     mode: "{{ issue_cert_dir_mode | d('0755') }}"
     owner: "{{ issue_cert_file_owner | d('root') }}"
 
-- name: issue_cert | Generate the cert
+- name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
   uri:
     url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount|d('pki') }}/issue/{{ issue_cert_role }}"
     headers: "{{ issue_cert_headers }}"
@@ -40,7 +40,7 @@
   register: issue_cert_result
   when: inventory_hostname == issue_cert_hosts|first
 
-- name: issue_cert | Copy the cert to all hosts
+- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
   copy:
     content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['certificate'] }}"
     dest: "{{ issue_cert_path }}"
@@ -48,7 +48,7 @@
     mode: "{{ issue_cert_file_mode | d('0644') }}"
     owner: "{{ issue_cert_file_owner | d('root') }}"
 
-- name: issue_cert | Copy the key to all hosts
+- name: "issue_cert | Copy key for {{ issue_cert_path }} to all hosts"
   copy:
     content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['private_key'] }}"
     dest: "{{ issue_cert_path.rsplit('.', 1)|first }}-key.{{ issue_cert_path.rsplit('.', 1)|last }}"

roles/vault/tasks/shared/sync.yml

@@ -28,7 +28,7 @@
     state: directory
   when: inventory_hostname not in sync_file_srcs
 
-- name: "sync_file | Copy the file to hosts that don't have it"
+- name: "sync_file | Copy {{ sync_file_path }} to hosts that don't have it"
   copy:
     content: "{{ sync_file_contents }}"
     dest: "{{ sync_file_path }}"
@@ -37,7 +37,7 @@
     owner: "{{ sync_file_owner|d('root') }}"
   when: inventory_hostname not in sync_file_srcs
 
-- name: "sync_file | Copy the key file to hosts that don't have it"
+- name: "sync_file | Copy {{ sync_file_key_path }} to hosts that don't have it"
   copy:
     content: "{{ sync_file_key_contents }}"
     dest: "{{ sync_file_key_path }}"

roles/vault/tasks/shared/sync_file.yml

@@ -19,12 +19,12 @@
   when: >-
         sync_file_is_cert|d() and (sync_file_key_path is not defined or sync_file_key_path == '')
 
-- name: "sync_file | Check if file exists"
+- name: "sync_file | Check if {{sync_file_path}} file exists"
   stat:
     path: "{{ sync_file_path }}"
   register: sync_file_stat
 
-- name: "sync_file | Check if key file exists"
+- name: "sync_file | Check if {{ sync_file_key_path }} key file exists"
   stat:
     path: "{{ sync_file_key_path }}"
   register: sync_file_key_stat

scale.yml

@@ -7,7 +7,7 @@
   vars:
     ansible_ssh_pipelining: false
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: bootstrap-os, tags: bootstrap-os}
 
 ##We still have to gather facts about our masters and etcd nodes
@@ -21,7 +21,7 @@
 - hosts: kube-node
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: kernel-upgrade, tags: kernel-upgrade, when: kernel_upgrade is defined and kernel_upgrade }
     - { role: kubernetes/preinstall, tags: preinstall }
     - { role: docker, tags: docker }

tests/cloud_playbooks/create-gce.yml

@@ -30,7 +30,7 @@
         credentials_file: "{{gce_credentials_file | default(omit)}}"
         project_id: "{{ gce_project_id }}"
         zone: "{{cloud_region}}"
-        metadata: '{"test_id": "{{test_id}}", "network": "{{kube_network_plugin}}"}'
+        metadata: '{"test_id": "{{test_id}}", "network": "{{kube_network_plugin}}", "startup-script": "{{startup_script}}"}'
         tags: "build-{{test_name}},{{kube_network_plugin}}"
       register: gce
 
@@ -52,5 +52,5 @@
       when: mode in ['scale', 'separate-scale', 'ha-scale']
 
     - name: Wait for SSH to come up
-      wait_for: host={{item.public_ip}} port=22 delay=10 timeout=180 state=started
+      wait_for: host={{item.public_ip}} port=22 delay=30 timeout=180 state=started
       with_items: "{{gce.instance_data}}"

upgrade-cluster.yml

@@ -2,7 +2,7 @@
 - hosts: localhost
   gather_facts: False
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: bastion-ssh-config, tags: ["localhost", "bastion"]}
 
 - hosts: k8s-cluster:etcd:calico-rr
@@ -13,7 +13,7 @@
     # fail. bootstrap-os fixes this on these systems, so in later plays it can be enabled.
     ansible_ssh_pipelining: false
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: bootstrap-os, tags: bootstrap-os}
 
 - hosts: k8s-cluster:etcd:calico-rr
@@ -25,7 +25,7 @@
 - hosts: k8s-cluster:etcd:calico-rr
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: kernel-upgrade, tags: kernel-upgrade, when: kernel_upgrade is defined and kernel_upgrade }
     - { role: kubernetes/preinstall, tags: preinstall }
     - { role: docker, tags: docker }
@@ -36,25 +36,25 @@
 - hosts: etcd:k8s-cluster:vault
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults, when: "cert_management == 'vault'" }
+    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
     - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
 
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: true }
 
 - hosts: k8s-cluster
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
 
 - hosts: etcd:k8s-cluster:vault
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults, when: "cert_management == 'vault'"}
+    - { role: kubespray-defaults, when: "cert_management == 'vault'"}
     - { role: vault, tags: vault, when: "cert_management == 'vault'"}
 
 #Handle upgrades to master components first to maintain backwards compat.
@@ -62,46 +62,47 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   serial: 1
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
     - { role: kubernetes/node, tags: node }
     - { role: kubernetes/master, tags: master }
     - { role: network_plugin, tags: network }
+    - { role: upgrade/post-upgrade, tags: post-upgrade }
 
 #Finally handle worker upgrades, based on given batch size
 - hosts: kube-node:!kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   serial: "{{ serial | default('20%') }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
     - { role: kubernetes/node, tags: node }
     - { role: network_plugin, tags: network }
     - { role: upgrade/post-upgrade, tags: post-upgrade }
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
 
 - hosts: kube-master
   any_errors_fatal: true
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: kubernetes-apps/network_plugin, tags: network }
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
 
 - hosts: calico-rr
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: network_plugin/calico/rr, tags: network }
 
 - hosts: k8s-cluster
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: dnsmasq, when: "dns_mode == 'dnsmasq_kubedns'", tags: dnsmasq }
     - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf }
 
 - hosts: kube-master[0]
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kargo-defaults}
+    - { role: kubespray-defaults}
     - { role: kubernetes-apps, tags: apps }