* Disable control plane allocating podCIDR for nodes when using calico

Calico does not use the .spec.podCIDR field for its IP address
management.
Furthermore, it can false positives from the kube controller manager if
kube_network_node_prefix and calico_pool_blocksize are unaligned, which
is the case with the default shipped by kubespray.

If the subnets obtained from using kube_network_node_prefix are bigger,
this would result at some point in the control plane thinking it does
not have subnets left for a new node, while calico will work without
problems.

Explicitely set a default value of false for calico_ipam_host_local to
facilitate its use in templates.

* Don't default to kube_network_node_prefix for calico_pool_blocksize

They have different semantics: kube_network_node_prefix is intended to
be the size of the subnet for all pods on a node, while there can be
more than on calico block of the specified size (they are allocated on
demand).

Besides, this commit does not actually change anything, because the
current code is buggy: we don't ever default to
kube_network_node_prefix, since the variable is defined in the role
defaults.

Signed-off-by: tu1h <lihai.tu@daocloud.io>

This reverts commit ee0f1e9d.

Avoid restarting all api servers at once by changing their config.

We take advantage of group_by to create the list of nodes needing new
certs, instead of manually looping inside a Jinja template.

This should make the role more readable and less susceptible to
white space problems.

* Decouple role kubespray-defaults from download

Avoids doing re-importing the download role on every invocation of
kubespray-defaults (and skipping everything).

This has a measurable effect on playbook performance.

* Update docs refering to moved download defaults

This has now been removed and results in a 404 when trying to remove the
old key, even if it's not present.

remove embedded template

* Mask systemd swap.target do disable swap

This is a more generic way to disable swap, since it pulls .swap units
in systemd distributions; fstab is only one way to generate .swap units.

* Unconditionally disable swap

We only care to disable it (the "swapon" registered variable is not used
anywhere else.
This allows to get rid of the ignore_errors, since this was added
because swapon.stdout does not exist in check_mode (see issue #6642).

* Don't explicitly disable swapOnZram

We're already masking the swap.target, which would pull the zram unit,
hence no need to handle zram-generator specifically.

Kubeadm dns phase is correctly skipped.
This was a workaround for kubernetes/kubeadm#1557, which was actually
not a bug ; the correct fix was #4867

Followup of #10518

Allow to fail early (pre-commit time) for jinja error, rather than
waiting until executing the playbook and the invalid template.

I could not find a simple jinja pre-commit hook in the wild.

Signed-off-by: Kay Yan <kay.yan@daocloud.io>

add dnsPolicy: ClusterFirstWithHostNet to DaemonSets with hostNetwork: true value to avoid DNSConfigFormat events (#10618)

* Factorize identical playboooks steps in sub-playbooks

* Copy legacy_groups.yml into its sole user

Skippy is deprecated as its functionality has been incorporated into
the default callback plugin.

* Clean up redondant defaulting

drain_{timeout,grace_period}_after_failure don't exist at this point, so
they always default.

* Remove useless facts

The drain_*_after_failure are never used

Jessie has not received security updates for at least three years. See https://www.debian.org/releases/jessie/

* Try both conntrack modules instead of checking kernel version

Depending on kernel distributor, the kernel version might not be a
correct indicator of the conntrack module use.
Instead, we check both (and use the first found).

* Use modproble.persistent rather than manual persistence

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

When installed as an ansible collection, roles in
ansible_play_role_names will be designated by their FQDN (i.e
'kubernetes-sigs.kubespray.<role-name>).

It means we need to check for both when checking for roles in the play.

Older versions are unsupported for a long time.

This is untested. It passes terraform validate to un-broke the CI.

Signed-off-by: AbhishekKr <abhikumar163@gmail.com>

* Validate systemd unit files

This ensure that we fail early if we have a bad systemd unit file
(syntax error, using a version not available in the local version, etc)

* Hack to check systemd version for service files validation

factory-reset.target was introduced in system 250, same version as the
aliasing feature we need for verifying systemd services with ansible.
So we only actually executes the validation if that target is present.

This is an horrible hack which should be reverted as soon as we drop
support for distributions with systemd<250.

* Add helm support for custom_cni deployment

* Linting correction

* Ansible linting correction

* Add test packet with values

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* Add custom_cni configuration file with comments

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* Default values cleanup

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* Add details to custom_cni configuration file

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* Set correct yaml type of helm values

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* Set CNI filesystem ownership to root

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* Update cilium example parameter name

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

---------

Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>

* ansible: upgrade to version >= 2.15.5

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* tests: update requirements

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* contrib/openstack: fix wrong gitignore pattern

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* tests: add missing tzdata requirement

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* tests: remove some molecules tests

Those doesn't work in Ansible 2.15. Ansible can't load builtin now
apparently and these tests are not worth it.

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

---------

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>