Commits · 393091928379139e7c8fb300c017905800f90376 · Mirror / Kubespray

Jan 16, 2025

Cleanup OWNERS files in each folders (#11892) · 39309192

ChengHao Yang authored Jan 16, 2025



* Cleanup not in k-sigs members OWNERS

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Cleanup inactive members on Kubespray

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

39309192

Jan 15, 2025
- [kubernetes] Support Kubernetes v1.32.0 with RHEL8 (#11885) · b104bb7a
  Kay Yan authored Jan 16, 2025
  
  * [kubernetes] Support Kubernetes v1.32.0 * add workaround for RHEL8 Signed-off-by: Kay Yan <kay.yan@daocloud.io> --------- Signed-off-by: Kay Yan <kay.yan@daocloud.io> Co-authored-by: Mohamed Zaian <mohamedzaian@gmail.com>
  b104bb7a
- [ingress-nginx] expose custom tcp and udp ports in ingress-nginx-controller (#11850) · 403a73ac
  Christian Kröger authored Jan 15, 2025
  
  403a73ac
Jan 14, 2025
- Changed to use first_kube_control_plane to parse kubeadm_certificate_key (#11875) · 5ca23e3b
  Fredrik Liv authored Jan 14, 2025
  
  Co-authored-by: nvalembois <nvalembois@live.com>
  5ca23e3b
- Update CI test from AlmaLinux8 to AlmaLinux9 (#11889) · 3527cb19
  Kay Yan authored Jan 14, 2025
  
  Signed-off-by: Kay Yan <kay.yan@daocloud.io>
  3527cb19
Jan 13, 2025

Add `manual` option to the `external_cloud_provider` variable (#11883) · 5a353cb0

ChengHao Yang authored Jan 13, 2025



* Add `manual` option in the `external_cloud_provider` value

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Update external cloud provider description in roles & sample inventory

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

5a353cb0

Jan 09, 2025
- add containerd registry mirror certificate configuration (#11857) · 1f186ed4
  kyrie authored Jan 09, 2025
  
  Signed-off-by: KubeKyrie <shaolong.qin@daocloud.io>
  1f186ed4
Jan 07, 2025

Structured AuthorizationConfiguration (#11852) · 8443f370

Chad Swenson authored Jan 07, 2025

Adds the ability to configure the Kubernetes API server with a structured authorization configuration file.

Structured AuthorizationConfiguration is a new feature in Kubernetes v1.29+ (GA in v1.32) that configures the API server's authorization modes with a structured configuration file.
AuthorizationConfiguration files offer features not available with the `--authorization-mode` flag, although Kubespray supports both methods and authorization-mode remains the default for now.

Note: Because the `--authorization-config` and `--authorization-mode` flags are mutually exclusive, the `authorization_modes` ansible variable is ignored when `kube_apiserver_use_authorization_config_file` is set to true. The two features cannot be used at the same time.

Docs: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#configuring-the-api-server-using-an-authorization-config-file
Blog + Examples: https://kubernetes.io/blog/2024/04/26/multi-webhook-and-modular-authorization-made-much-easier/
KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration

I tested this all the way back to k8s v1.29 when AuthorizationConfiguration was first introduced as an alpha feature, although v1.29 required some additional workarounds with `kubeadm_patches`, which I included in example comments.

I also included some example comments with CEL expressions that allowed me to configure webhook authorizers without hitting kubeadm 1.29+ issues that block cluster creation and upgrades such as this one: https://github.com/kubernetes/cloud-provider-openstack/issues/2575.
My workaround configures the webhook to ignore requests from kubeadm and system components, which prevents fatal errors from webhooks that are not available yet, and should be authorized by Node or RBAC anyway.

8443f370

Jan 06, 2025
- enable bash completion tasks for Suse OS family (#11860) · 55d1e4a4
  Noam authored Jan 06, 2025
  
  * remove check for os family on bash completion tasks * add Suse
  55d1e4a4
Jan 02, 2025
- [ingress-nginx] upgrade to 1.12.0 (#11846) · 9ec9b3a2
  Mohamed Omar Zaian authored Jan 02, 2025
  
  View commits for tag v2.27.0 v2.27.0
  
  9ec9b3a2
Dec 31, 2024
- Add option to skip network plugin installation (#11844) · 0222a2a6
  Antoine Legrand authored Dec 31, 2024
  
  0222a2a6
Dec 27, 2024

Bump: Containerd upgrade to 1.7.24 & runc upgrade to v1.2.3 (#11833) · 54a01f27

ChengHao Yang authored Dec 27, 2024



* Bump: Containerd upgrade to 1.7.24

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Docs: README.md update Containerd version 1.7.24

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Bump: runc upgrade to v1.2.3

Runc upgrade to v1.2.3, and add v1.1.15, v1.2.x checksum

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

54a01f27

Dec 26, 2024

Bump: Helm upgrade to v3.16.4 (#11832) · a6bc327d

ChengHao Yang authored Dec 26, 2024



* Bump: Helm default version v3.16.4

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Docs: README.md update helm version

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

a6bc327d

[calico] Add version 3.29.1 and make it default (#11798) · 25d0380d
Mohamed Omar Zaian authored Dec 25, 2024

25d0380d

Bump: Kubernetes default version v1.31.4 (#11828) · 3305ae92

ChengHao Yang authored Dec 26, 2024



* Bump: kubernetes upgrade to 1.31.4

Add Kubernetes 1.31.4, 1.30.8 and 1.29.12 version

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Docs: Upgrade Kubernetes version to 1.31.4

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

3305ae92

Dec 24, 2024

Fix using the default network manager in reset.yml (#11678) · e7a5e3ca

kyrie authored Dec 24, 2024



* enhance reset network service

Signed-off-by: KubeKyrie <shaolong.qin@daocloud.io>

* reset network service: use systemd module directly

---------

Signed-off-by: KubeKyrie <shaolong.qin@daocloud.io>
Co-authored-by: Max Gautier <mg@max.gautier.name>

e7a5e3ca

Dec 23, 2024

Only consider host in 'k8s_cluster' when checking if ip is a cached fact (#11817) · d173f1d9

Max Gautier authored Dec 23, 2024

This avoids spurious failure with 'localhost'.

It should also be more correct the inventory contains uncached hosts
which are not in `k8s_cluster` and therefore should not be Kubespray
business.

(We still use hostvars for uncached hosts, because it's easier to select
on 'ansible_default_ipv4' that way and does not change the end result)

d173f1d9

Dec 19, 2024

Add ResourceQuota plugin configuration (#11814) · 2fbf4806

Chad Swenson authored Dec 19, 2024

This enables [configuration](https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default) of the [ResourceQuota AdmissionController plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota). The configuration file will be empty by default when no limitedResources are set.

2fbf4806

kubernetes/preinstall: remove unused variable · 684f52ea
Max Gautier authored Dec 19, 2024

684f52ea
kubernetes/preinstall: dns vars cleanup · 55e095c1
Max Gautier authored Dec 19, 2024
```
- Move validation from facts to verify-settings
- Move set_fact to vars/
```
55e095c1

kubernetes/preinstall: dns setting cleanup(dhclient, resolvconf) · 1127a621

Max Gautier authored Dec 19, 2024

We use a lot of facts where variables are enough, and format too early,
which prevent reusing the variables in different contexts.

- Moves set_fact variables to the vars directory, remove unnecessary
 intermediate variables, and render them at usage sites to only do logic
 on native Ansible/Jinja lists.
- Use defaults/ rather than default filters for several variables.

1127a621

kubernetes/preinstall: switch coredns_server to vars/ · a3e569f5
Max Gautier authored Dec 18, 2024

a3e569f5
Add iproute(2) package checking (#11816) · bf703354
Ekko authored Dec 19, 2024
```
Signed-off-by: ekko <lihai.tu@daocloud.io>
```
bf703354

Dec 18, 2024
- Revert "apiserver: fix incorrect path to admission plugins config files (#11779)" (#11808) · 331671ac
  Max Gautier authored Dec 18, 2024
  
  This reverts commit 742409e6.
  331671ac
Dec 17, 2024
- remove legacy kubelet container pre-upgrade tasks (#11805) · 540c6ddb
  ERIK authored Dec 17, 2024
  
  Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
  540c6ddb
Dec 16, 2024
- apiserver: fix incorrect path to admission plugins config files (#11779) · 742409e6
  Max Gautier authored Dec 16, 2024
  
  742409e6
Dec 11, 2024

containerd: add After=dbus.service (#11781) · 1307b2fe

Max Gautier authored Dec 11, 2024

This is needed for shutdown ordering: while at startup, it's not a
problem that containerd start before dbus (the dbus socket already
exists) it needs to shutdown before dbus to do its cleanup (asking
systemd via dbus to cleanup cgroups).

1307b2fe

Dec 09, 2024

Convert netchecker to kubectl_apply_stdin · 7c71f257
Max Gautier authored Nov 09, 2024
```
Not that the Apparmor check result is no longer used since the PSP removal.
```
7c71f257
Convert nodelocaldns to kubectl_apply_stdin · 31e56ab7
Max Gautier authored Nov 09, 2024

31e56ab7

Convert CoreDNS Secondary to kubectl_apply_stdin · 4b7125f5

Max Gautier authored Nov 09, 2024

Note that we're reapplying the RBAC/Sa/Config from coredns which is not
strictly necessary, but harmless, when the secondary is enabled.

4b7125f5

Convert CoreDNS primary to kubectl_apply_stdin · e0c9152b
Max Gautier authored Nov 09, 2024

e0c9152b
Convert etcd_metrics to kubectl_apply_stdin · 63adac83
Max Gautier authored Nov 09, 2024

63adac83
Convert dashboard to kubectl_apply_stdin · 27ccfc7c
Max Gautier authored Nov 09, 2024

27ccfc7c

Define a standard commandline for applying manifests · 990d2a13

Max Gautier authored Nov 09, 2024

This is expected to be used in the command module this way:
command:
  cmd: "{{ kubectl_apply_stdin }}"
  stdin: <... rendered manifests > -> using the 'template' lookup plugin
  in most cases.

The advantages over the kube plugin module integrated in kubespray
(which this should replace eventually):
- way easier to modify to take advantage of new features (server-side
  apply for instance)
- no need for a separate template tasks + checking the result (which can
  introduce problem if the first playbook runs encounters an error).

990d2a13

Dec 06, 2024

calico: stop recording calico_kubelet_name (#11770) · 70c73f15

Max Gautier authored Dec 06, 2024

The variable is not used anymore since 29ea790c.
Besides, this tasks fails on dual stack installation.

70c73f15

Dec 02, 2024
- Optimize CA cert hash calculation with community.crypto (#11758) · 98807ffb
  ERIK authored Dec 02, 2024
  
  Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
  98807ffb
Nov 29, 2024
- support asymmetric encryption algorithms in ClusterConfigration (#11757) · 70b75d35
  ERIK authored Nov 29, 2024
  
  Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
  70b75d35
Nov 28, 2024
- containerd: always use config_path (#11755) · a074596c
  Max Gautier authored Nov 28, 2024
  
  config_path was introduced in containerd 1.5.0, and registry.mirrors is deprecated. There is no reason to keep the old alternative, so just always use config_path, and consequently remove the option.
  a074596c
- Revert "add encryptionAlgorithm for ClusterConfigration (#11751)" (#11756) · f8347148
  ERIK authored Nov 28, 2024
  
  This reverts commit 9f01effa.
  f8347148
- add encryptionAlgorithm for ClusterConfigration (#11751) · 9f01effa
  ERIK authored Nov 28, 2024
  
  Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
  9f01effa