1298.6.0 fixes some sporadic network issues. It also includes docker
1.12.6 which includes several stability fixes for kubernetes.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

limit jinja2 version to <2.9

Ansible 2.2.1 requires jinja2<2.9, see <https://github.com/ansible/ansible/blob/v2.2.1.0-1/setup.py#L25>,
but without explicit limiting upper jinja2 version here pip ignores
Ansible requirements and installs latest available jinja2
(pip is not very smart here), which is incompatible with with
Ansible 2.2.1.
With incompatible jinja2 version "ansible-vault create" (and probably other parts)
fails with:
  ERROR! Unexpected Exception: The 'jinja2<2.9' distribution was not found 
  and is required by ansible
This upper limit should be removed in 2.2.2 release, see:
<https://github.com/ansible/ansible/commit/978311bf3f91dae5806ab72b665b0937adce38ad>

Fix weave on RHEL deployment

Retry yum/apt/rpm download commands

remove obsolete script

Currently Kubernetes version can be selected using "kube_version" variable.

fix jinja package name

Jinja 2.* releases are published under `Jinja2` name.

Condense resolvconf sources before starting loop

Reduce retry delay checking weave
Always load br_netfilter module

Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132

Update calico to 1.1.0-rc8

Fixed Formatting / Ansbile-Playbook Command Upgrade Cluster

- added -b and fixed typo in ansible-playbook command 
- fixed formatting issue

Fixes bug in CentOS/RHEL in felix related to overlayfs driver.

Adding openstack domain id

Adding Docker CE 'stable' and 'edge' version packages

More idempotency fixes

Idempotency fixes for etcd certs and resolvconf tasks

Restores working order of contrib/terraform/openstack

Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks

Turn on iptables for flannel

Added Jinja 2.8 to Docs

Added Jinja 2.8 Requirements to docs and pip requirements file which
is needed to run the current Ansible Playbooks.

Fix for CoreOS Docu

CoreOS docu was referencing outdated bootstrap playbook that
is now part of kargo itself.

Granular authentication Control

Migrate k8s data to etcd3 api store

Closes: #1135
Closes: #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.

Explicitly set cni-bin-dir

Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data

Added Support for OpenID Connect Authentication