Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks

Closes: #1135
Closes: #1026
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.

Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data

Related-issue: https://github.com/kubernetes/community/issues/300
Upgraded nodes do not obtain labels automatically.
See https://github.com/kubernetes/kubernetes/pull/29459 for more details.

To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.

when condition does not seem to work correctly at playbook
level for ansible 2.2.0.

Now etcd role can optionally disable etcd cluster setup for faster
deployment when it is combined with etcd role.

Also generate certs only when absent on master (rather than
when absent on target node)

By default kubedns and dnsmasq scale when installed.
Dnsmasq is no longer a daemonset. It is now a deployment.
Kubedns is no longer a replicationcluster. It is now a deployment.
Minimum replicas is two (to enable rolling updates).

Reduced memory erquirements for dnsmasq and kubedns

Until now it was not possible to add an API Loadbalancer
without an static IP Address. But certain Loadbalancers
like AWS Elastic Loadbalanacer dontt have an fixed IP address.
With this commit it is possible to add these kind of Loadbalancers
to the Kargo deployment.

The default version of Docker was switched to 1.13 in #1059.  This
change also bumped ubuntu from installing docker-engine 1.13.0 to
1.13.1.  This PR updates os families which had 1.13 defined, but
were using 1.13.0.

The impetus for this change is an issue running tiller 1.2.3 on
docker 1.13.0.  See discussion [1][2].

[1] https://github.com/kubernetes/helm/issues/1838
[2] https://github.com/kubernetes-incubator/kargo/pull/1100

Updates based on feedback

Simplify checks for file exists

remove invalid char

Review feedback. Use regular systemd file.

Add template for docker systemd atomic

By default Calico blocks traffic from endpoints
to the host itself by using an iptables DROP
action. It could lead to a situation when service
has one alive endpoint, but pods which run on
the same node can not access it. Changed the action
to RETURN.

Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue uses it
until user decides to upgrade to v3.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

Operator can specify any port for kube-api (6443 default) This helps in
case where some pods such as Ingress require 443 exclusively.

Closes: 820
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

Closes: #1073
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

This is to address out of memory issues on CI as well as help
fit deployments for people starting out with kargo on smaller
machines

When a apiserver_loadbalancer_domain_name is added to the Openssl.conf
the counter gets not increased correctly. This didnt seem to have an
effect at the current kargo version.

In real scenarios 365 days is short period of time. 3650 days is good
enough for long running k8s environments

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Leave all.yml to keep only optional vars
* Store groups' specific vars by existing group names
* Fix optional vars casted as mandatory (add default())
* Fix missing defaults for an optional IP var
* Relink group_vars for terraform to reflect changes

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

- Remove variable dup for Ubuntu
- Update Docker to 1.13

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

Sometimes, a sysadmin might outright delete the SELinux rpms and
delete the configuration. This causes the selinux module to fail
with
```
IOError: [Errno 2] No such file or directory: '/etc/selinux/config'\n",
"module_stdout": "", "msg": "MODULE FAILURE"}
```

This simply checks that /etc/selinux/config exists before we try
to set it Permissive.

Update from feedback

This generates too much output and during upgrade scenarios
can bring us over the 4mb limit.

This works around 4MB limit for gitlab CI runner.

New deploy modes: scale, ha-scale, separate-scale
Creates 200 fake hosts for deployment with fake hostvars.

Useful for testing certificate generation and propagation to other
master nodes.

Updated test cases descriptions.