* Add containerd_extra_args

This is useful for custom containerd config, e.g. auth

Signed-off-by: Zhong Jianxin <azuwis@gmail.com>

* Make containerd config.toml mode 0640

It may contain sensitive information like password

Signed-off-by: Zhong Jianxin <azuwis@gmail.com>

Also set in all/containerd.yml

* add CI test for auto_renew_certificates

* change timer value

fix typo error in rotate cert script

* kubelet absolute path

* kubelet absolute path

According to the document[1], audit-webhook-batch-max-size and
audit-webhook-batch-max-wait are used only in the batch mode.
This adds a condition to avoid unnecessary writting on the config.

[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#batching

This PR is to move the cilium kvstore options to the configmap
rather than specifying them in the deployment as args. This
is not technically necessary but keeping all the options in
one place is probably not a bad idea.

Tested with cilium 1.9.5.

When attempting a fresh install without cilium_ipsec_enabled I ran
into the following error:

failed: [k8m01] (item={'name': 'cilium', 'file': 'cilium-secret.yml', 'type': 'secret', 'when': 'cilium_ipsec_enabled'}) =>
{"ansible_loop_var": "item", "changed": false, "item": {"file": "cilium-secret.yml", "name": "cilium", "type": "secret",
"when": "cilium_ipsec_enabled"},"msg": "AnsibleUndefinedVariable: 'cilium_ipsec_key' is undefined"}

Moving the when condition from the item level to the task level solved
the issue.

* Add KubeSchedulerConfiguration for k8s 1.19 and up

With release of version 1.19.0 of kubernetes KubeSchedulerConfiguration
was graduated to beta. It allows to extend different stages of
scheduling with profiles. Such effect is achieved by using plugins and
extensions.

This patch adds KubeSchedulerConfiguration for versions 1.19 and later.
Configuration is set to k8s defaults or to kubespray vars. Moving those
defaults to new vars will be done in following patch.

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* KubeSchedulerConfiguration: add defaults

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* Add documentation for audit webhook variables

* Enclose the value of  audit_webhook_server_url in a codeblock

* Add default value for audit_webhook_batch_max_wait

* Add support for crun v0.19

* Change default crun version to v0.19

The PR https://github.com/kubernetes-sigs/kubespray/pull/6927 has been
merged and the issue https://github.com/kubernetes-sigs/kubespray/issues/6233
was fixed.
This removes unnecessary note for the above PR.

* Set containerd version to 1.4.3

* Set containerd version to 1.4.4

Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>

Starting with Cilium v1.9 the default ipam mode has changed to "Cluster
Scope". See:

https://docs.cilium.io/en/v1.9/concepts/networking/ipam/

With this ipam mode Cilium handles assigning subnets to nodes to use
for pod ip addresses. The default Kubespray deploy uses the Kube
Controller Manager for this (the --allocate-node-cidrs
kube-controller-manager flag is set). This makes the proper ipam mode
for kubespray using cilium v1.9+ "kubernetes".

Tested with Cilium 1.9.5.

This PR also mounts the cilium-config ConfigMap for this variable
to be read properly.

In the future we can probably remove the kvstore and kvstore-opt
Cilium Operator args since they can be in the ConfigMap. I will tackle
that after this merges.

fix undefinedElse

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

When upgrading cilium from 1.8.8 to 1.9.5 I ran into the following
error:

level=error msg="Unable to update CRD" error="customresourcedefinitions.apiextensions.k8s.io
\"ciliumnodes.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\"
cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the
cluster scope" name=CiliumNode/v2 subsys=k8s

The fix was to add the update verb to the clusterrole. I also added
create to match the clusterrole created by the cilium helm chart.

DNSSEC is off by default on ubuntu/bionic64 (18.04) as per resolved.conf(5).
These tasks are artefacts of obsolete infra configuration, and no longer needed.

Further removing these tasks resolves the issue that the tasks always reports
'changed' and bounces systemd-resolved unneccesarily, even if there was no
actual modification of /etc/systemd/resolved.conf.

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.

Signed-off-by: anthr76 <hello@anthonyrabbito.com>

* Allow connecting to bastion via non-standard port

* Fix bastion connection when ansible_port is not provided

To avoid ModuleNotFoundError due to no module named 'setuptools_rust',
this adds cryptography installation to requirements.txt.

Created by jfc-evs originally as https://github.com/kubernetes-sigs/kubespray/pull/7264

* Remove contrib/vault

This is marked as broken since 2018 / 3dcb9146
This still reference apiserver.pem, not used since ddffdb63

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* Finish nuking vault from the codebase

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>