* rename ansible groups to use _ instead of -

k8s-cluster -> k8s_cluster
k8s-node -> k8s_node
calico-rr -> calico_rr
no-floating -> no_floating

Note: kube-node,k8s-cluster groups in upgrade CI
      need clean-up after v2.16 is tagged

* ensure old groups are mapped to the new ones

* AlmaLinux: ansible>2.9.19 is needed to know about AlmaLinux

* AlmaLinux: identify as a centos derrivative

* AlmaLinux: add AlmaLinux to checks for CentOS

* Use ansible_os_family to compare family and not distribution

Fixes "mapping values are not allowed in this context

This allow to configure when K8S certificates renewal runs

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

We were regenerating only the cert of the first node
While at it speed up the check step

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Use kubeadm_feature_gates instead of kube_feature_gates to leverage kubeadm feature gates and not to interfere with k8s components feature gates (#7447)

* add CI test for auto_renew_certificates

* change timer value

fix typo error in rotate cert script

According to the document[1], audit-webhook-batch-max-size and
audit-webhook-batch-max-wait are used only in the batch mode.
This adds a condition to avoid unnecessary writting on the config.

[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#batching

* Add KubeSchedulerConfiguration for k8s 1.19 and up

With release of version 1.19.0 of kubernetes KubeSchedulerConfiguration
was graduated to beta. It allows to extend different stages of
scheduling with profiles. Such effect is achieved by using plugins and
extensions.

This patch adds KubeSchedulerConfiguration for versions 1.19 and later.
Configuration is set to k8s defaults or to kubespray vars. Moving those
defaults to new vars will be done in following patch.

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* KubeSchedulerConfiguration: add defaults

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* Set containerd version to 1.4.3

* Set containerd version to 1.4.4

Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>

fix undefinedElse

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.

Signed-off-by: anthr76 <hello@anthonyrabbito.com>

* Remove contrib/vault

This is marked as broken since 2018 / 3dcb9146
This still reference apiserver.pem, not used since ddffdb63

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* Finish nuking vault from the codebase

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

This replaces kube-master with kube_control_plane because of [1]:

  The Kubernetes project is moving away from wording that is
  considered offensive. A new working group WG Naming was created
  to track this work, and the word "master" was declared as offensive.
  A proposal was formalized for replacing the word "master" with
  "control plane". This means it should be removed from source code,
  documentation, and user-facing configuration from Kubernetes and
  its sub-projects.

NOTE: The reason why this changes it to kube_control_plane not
      kube-control-plane is for valid group names on ansible.

[1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation

While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

The dummy module is needed for nodelocaldns.

c9c0c01d only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

apiserver.pem is not used since ddffdb63

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

According to [etcd's docs](https://etcd.io/docs/v3.4.0/op-guide/configuration/#--log-package-levels), argument 'log-package-levels' should not contain underscores.

Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`

kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage

This revert to the logic before 6fe22483

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

On CentOS 8 they seem to be ignored by default, but better be extra safe
This also make it easy to exclude other network plugin interfaces

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

code improvement

Since a790935d all proxy users
should be properly configured

Now when you have *_PROXY vars in your environment it can leads to failure
if NO_PROXY is not correct, or to persistent configuration changes
as seen with kubeadm in 1c5391dd

Instead of playing constant whack-a-bug, inject empty *_PROXY vars everywhere
at the play level, and override at the task level when needed

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Fix "AnsibleUndefinedVariable: the inline if-expression on line xx evaluated to false and no else section was defined."

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>