* Add note about changing private IP in admin.conf.

When I run kubespray, a load balancer is created which should be used instead of the ip of the controller node.

* Procedure to find load balancer and update admin.conf

When I run kubespray, a load balancer is used instead of the private ip of the controller.

* update version of ingress-nginx controller.

Change tag from controller-v0.34.0 to controller-v0.40.2 to use newest tag.

* Update docs about aws deploy templates.

In the yaml templates, there is no mention of idle timeouts. This is why I removed the documentation about it. This might be a mistake. Please verify this. I don't know enough to verify it myself.

* Change label when checking version.

When checking for `app.kubernetes.io/name=ingress-nginx`, a completed pod was selected which is not helpful when trying to `exec`. Changing the label selects the running controller pod.

* put back the information about ELB Idle Timeouts.

When I removed the information, I had overlooked that it was mentioned in the L7 yaml file. Thanks.

* fixed bug in etcd retention where backups are not sorted by date

* added directory filter to find command

and thereby support upgrade from e.g. 1.18.x to 1.19.y

Included OSes:
- Centos7/8
- Ubuntu18/20

New variables for overriding by default installed packages:
- centos_crio_packages
- ubuntu_crio_packages

* added an ansible var to manage retention of etcd backups

* refactord ls/grep into find in etcd backup removal command

* Enable Kata Containers for CRI-O runtime

Kata Containers is an OCI runtime where containers are run inside
lightweight VMs. This runtime has been enabled for containerd runtime
thru the kata_containers_enabled variable. This change enables Kata
Containers to CRI-O container runtime.

Signed-off-by: Victor Morales <v.morales@samsung.com>

* Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs'

* Set manage_ns_lifecycle=true when KataContainers is enabed

* Add preinstall check for katacontainers

Signed-off-by: Victor Morales <v.morales@samsung.com>

Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>

Command line flags aren't added to kube-proxy which results in missing
feature gates set in this component. Add appropriate setting to
ConfigMap instead.

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

'ansible.vars.hostvars.HostVarsVars object' has no attribute 'kubeadm_upload_cert'

kubeadm_upload_cert will never be found as a hostvar for the first
master since the task is executed for a worker.

Fix by executing the upload task for the first master and register
the needed key. After that, workers can read hostvars for the master

Var kubeadm_etcd_refresh_cert_key removed since it no longer has
any use.

When using kubeadm managed etcd, configuring an etcd group can now
be skipped.

* Adding option to disable gloablly applying a proxy to etc/yum.conf

* Change made to proxy_yum_globaly basedon reviewer feedback

* fix trailing spaces in ymllint

This fixes the Containerd + EL8 case that was missed in 7d1ab337

On CentOS 8 with proxy ansible render inline `proxy` and `module_hotfixes` options.

For example:
```
proxy=http://127.0.0.1:3128module_hotfixes=True
```

But expected result:
```
proxy=http://127.0.0.1:3128


module_hotfixes=True
```

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

* Use existing variable for tiller service account name

* keep crb as tiller

I can't see any reason why audio devices would be needed, and it can cause issues with the host audio

* bump crio version to 1.19

* crio package name has changed for debian/ubuntu
* crio upgrade does not work, see #6757

* update crio info in docs

crio refuses to delete pods when cni is unavailable which is the
case e.g. using calico with kdd datastore. See:

https://github.com/cri-o/cri-o/issues/4084

Fix by deleting storage associated with containers. Stop and disable
crio service so switching container runtime can be done.

* Added option to force apiserver and respective client certificate to be regenerated without necessarily needing to bump the K8S cluster version

* Removed extra blank line

No longer used/supported

k8s_master_no_etcd_fips should not be input var

Signed-off-by: holmesb <5072156+holmesb@users.noreply.github.com>

Handlers with the same name (Kubeadm | restart kubelet) leads to incorrect playbook execution. As a result, after completing the tasks, kubelet does not restart. This PR fix this behavior

Users should opt in for features and not opt out.

After upgrading to newer Kubernetes(v1.17 at least), kubectl command
shows the following warning message:

  WARNING: Kubernetes configuration file is group-readable.
  This is insecure. Location: /home/foo/.kube/config

The kubeconfig was copied from {{ artifacts_dir }}/admin.conf with
kubeconfig_localhost feature. It is better to set valid file mode
at getting it on Kubespray.

If no_proxy_exclude_workers is true, workers will be excluded from the no_proxy variable.  This prevents docker engine restarting when scaling workers. (#6520)

Signed-off-by: holmesb <5072156+holmesb@users.noreply.github.com>

Remove task with install etcdctl from etcd role when etcd_kubeadm_enabled=true

The CA cert was only deployed on master nodes

Added Comment line above checksum section to add clarification about Kubespray's version support and testing (#6785)