Trigger reboot handler when version upgrade during update script

apiserver cert should be created only once

* Add tags for cert serial tasks

This will help facilitate tag-based deployment of specific components.

* fixup kubernetes node

* Move front-proxy-client certs back to kube mount

We want the same CA for all k8s certs

* Refactor vault to use a third party module

The module adds idempotency and reduces some of the repetitive
logic in the vault role

Requires ansible-modules-hashivault on ansible node and hvac
on the vault hosts themselves

Add upgrade test scenario
Remove bootstrap-os tags from tasks

* fix upgrade issues

* improve unseal logic

* specify ca and fix etcd check

* Fix initialization check

bump machine size

This reverts commit 51f4e658.

Add path for certificate location for SUSE distributions. Also make sure
the 'update-ca-certificates' command is executed on SUSE hosts as well.

The current way to setup the etc cluster is messy and buggy.

- It checks for cluster is healthy before the cluster is even created.
- The unit files are started on handlers, not in the task, so you mess with "flush handlers".
- The join_member.yml is not used.
- etcd events cluster is not configured for kubeadm
- remove duplicate runs between running the role on etcd nodes and k8s nodes

* Update etcd deployment to use correct cert and key

* Update to use admin cert for etcdctl commands

* Update handler to use admin cert too

Kubernetes makes this namespace automatically, so there is
no need for kubespray to manage it.

https://coreos.com/etcd/docs/latest/tuning.html

etcd_snapshot_count
and
ionice priority

Enable OOM killing like docker run etcd

Add etcd-events cluster for kube-apiserver

* Fixed generate front proxy client certs with vault

* fix vault cert management

* Distrebute etcd node certs to vault hosts

Now calico can be deployed if there are other existing pools
and not confuse IPAM and end up with pods in the wrong pools.

Fix bug issues #2289

When etcd exceeds its memory limit, it becomes useless but keeps running.
We should let OOM killer kill etcd process in the container, so systemd can spot
the problem and restart etcd according to "Restart" setting in etcd.service unit file.
If OOME problem keep repeating, i.e. it happens every single restart,
systemd will eventually back off and stop restarting it anyway.

--restart=on-failure:5 in this file has no effect because memory allocation error
doesn't by itself cause the process to die

Related: https://github.com/kubernetes-incubator/kubespray/blob/master/roles/etcd/templates/etcd-docker.service.j2

This kind of reverts a change introduced in #1860.

DNS entries generated from 'etcd_cert_alt_names' variable in etcd's
openssl.conf are not terminated by a newline.

This fixes issue #2207.

Some installation are failing to authenticate with peers due to
etcd picking up/resoling the wrong node.

By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert
authentication.

Signed-off-by: Sébastien Han <seb@redhat.com>

import_tasks will consume far less memory, so it should be
used whenever it is compatible.

* Add support for cert alt names for etcd

* Update gen_certs_vault.yml