Skip to content
  1. Feb 27, 2018
  2. Feb 17, 2018
    • melkosoft's avatar
      Added cilium support (#2236) · f13e76d0
      melkosoft authored
      * Added cilium support
      
      * Fix typo in debian test config
      
      * Remove empty lines
      
      * Changed cilium version from <latest> to <v1.0.0-rc3>
      
      * Add missing changes for cilium
      
      * Add cilium to CI pipeline
      
      * Fix wrong file name
      
      * Check kernel version for cilium
      
      * fixed ci error
      
      * fixed cilium-ds.j2 template
      
      * added waiting for cilium pods to run
      
      * Fixed missing EOF
      
      * Fixed trailing spaces
      
      * Fixed trailing spaces
      
      * Fixed trailing spaces
      
      * Fixed too many blank lines
      
      * Updated tolerations,annotations in cilium DS template
      
      * Set cilium_version to iptables-1.9 to see if bug is fixed in CI
      
      * Update cilium image tag to v1.0.0-rc4
      
      * Update Cilium test case CI vars filenames
      
      * Add optional prometheus flag, adjust initial readiness delay
      
      * Update README.md with cilium info
      f13e76d0
  3. Feb 09, 2018
    • jasdeep-hundal's avatar
      Remove redundant python-apt install · f57abae0
      jasdeep-hundal authored
      Ansible automatically installs the python-apt package when using
      the 'apt' Ansible module, if python-apt is not present. This patch
      removes the (unneeded) explicit installation in the Kubespray
      'preinstall' role.
      f57abae0
  4. Feb 07, 2018
  5. Jan 31, 2018
  6. Jan 29, 2018
  7. Jan 23, 2018
  8. Jan 05, 2018
  9. Dec 11, 2017
  10. Dec 06, 2017
  11. Dec 05, 2017
    • Chad Swenson's avatar
      Support for disabling apiserver insecure port · b8788421
      Chad Swenson authored
      This allows `kube_apiserver_insecure_port` to be set to 0 (disabled).
      
      Rework of #1937 with kubeadm support
      
      Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
      b8788421
  12. Nov 29, 2017
    • unclejack's avatar
      contiv network support (#1914) · e5d353d0
      unclejack authored
      
      
      * Add Contiv support
      
      Contiv is a network plugin for Kubernetes and Docker. It supports
      vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies,
      multiple networks and bridging pods onto physical networks.
      
      * Update contiv version to 1.1.4
      
      Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config.
      
      * Load openvswitch module to workaround on CentOS7.4
      
      * Set contiv cni version to 0.1.0
      
      Correct contiv CNI version to 0.1.0.
      
      * Use kube_apiserver_endpoint for K8S_API_SERVER
      
      Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks
      to a available endpoint no matter if there's a loadbalancer or not.
      
      * Make contiv use its own etcd
      
      Before this commit, contiv is using a etcd proxy mode to k8s etcd,
      this work fine when the etcd hosts are co-located with contiv etcd
      proxy, however the k8s peering certs are only in etcd group, as a
      result the etcd-proxy is not able to peering with the k8s etcd on
      etcd group, plus the netplugin is always trying to find the etcd
      endpoint on localhost, this will cause problem for all netplugins
      not runnign on etcd group nodes.
      This commit make contiv uses its own etcd, separate from k8s one.
      on kube-master nodes (where net-master runs), it will run as leader
      mode and on all rest nodes it will run as proxy mode.
      
      * Use cp instead of rsync to copy cni binaries
      
      Since rsync has been removed from hyperkube, this commit changes it
      to use cp instead.
      
      * Make contiv-etcd able to run on master nodes
      
      * Add rbac_enabled flag for contiv pods
      
      * Add contiv into CNI network plugin lists
      
      * migrate contiv test to tests/files
      
      Signed-off-by: default avatarCristian Staretu <cristian.staretu@gmail.com>
      
      * Add required rules for contiv netplugin
      
      * Better handling json return of fwdMode
      
      * Make contiv etcd port configurable
      
      * Use default var instead of templating
      
      * roles/download/defaults/main.yml: use contiv 1.1.7
      
      Signed-off-by: default avatarCristian Staretu <cristian.staretu@gmail.com>
      e5d353d0
  13. Nov 23, 2017
  14. Nov 15, 2017
  15. Nov 14, 2017
  16. Nov 07, 2017
    • Chad Swenson's avatar
      Support for disabling apiserver insecure port · 0c7e1889
      Chad Swenson authored
      This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:
      
      1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
      2. Add apiserver client cert/key to the "Wait for apiserver up" checks
      3. Update apiserver liveness probe to use HTTPS ports
      4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
      5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.
      
      Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.
      
      Options:
      
      1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
      2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
      3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)
      
      Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
      0c7e1889
  17. Nov 05, 2017
  18. Nov 03, 2017
    • Günther Grill's avatar
      Workaround ansible bug where access var via dict doesn't get real value (#1912) · 01957255
      Günther Grill authored
      * Change deprecated vagrant ansible flag 'sudo' to 'become'
      
      * Workaround ansible bug where access var via dict doesn't get real value
      
      When accessing a variable via it's name "{{ foo }}" its value is
      retrieved. But when the variable value is retrieved via the vars-dict
      "{{ vars['foo'] }}" this doesn't resolve the expression of the variable
      any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't
      longer resolved but just returned as string "1 == 1".
      
      * Make file yamllint complient
      01957255
  19. Nov 02, 2017
  20. Oct 30, 2017
  21. Oct 27, 2017
  22. Oct 26, 2017
    • abelgana's avatar
      Sysctl reload if needed after IP forward enabling · d9160f19
      abelgana authored
      Add reload yes to reload sysctl if the value of net.ipv4.ip_forward changes.
      
      - name: Enable ip forwarding
        sysctl:
          sysctl_file: "{{sysctl_file_path}}"
          name: net.ipv4.ip_forward
          value: 1
          state: present
          reload: yes
        tags:
          - bootstrap-os
      d9160f19
  23. Oct 20, 2017
  24. Oct 18, 2017
    • pmontanari's avatar
      Update main.yml (#1822) · 20d80311
      pmontanari authored
      * Update main.yml
      
      Needs to set up resolv.conf before updating Yum cache otherwise no name resolution available (resolv.conf empty).
      
      * Update main.yml
      
      Removing trailing spaces
      20d80311
  25. Oct 17, 2017
  26. Oct 16, 2017
  27. Oct 11, 2017
    • Vijay Katam's avatar
      Rename dns_server, add var for selinux. (#1572) · 27ed73e3
      Vijay Katam authored
      * Rename dns_server to dnsmasq_dns_server so that it includes role prefix
      as the var name is generic and conflicts when integrating with existing ansible automation.
      *  Enable selinux state to be configurable with new var preinstall_selinux_state
      27ed73e3
    • Matthew Mosesohn's avatar
      Improve proxy (#1771) · eb0dcf60
      Matthew Mosesohn authored
      * Set no_proxy to all local ips
      
      * Use proxy settings on all necessary tasks
      eb0dcf60
  28. Oct 06, 2017
  29. Oct 05, 2017
  30. Oct 04, 2017
  31. Sep 29, 2017
  32. Sep 27, 2017
  33. Sep 25, 2017
Loading