`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.

Signed-off-by: anthr76 <hello@anthonyrabbito.com>

* Allow connecting to bastion via non-standard port

* Fix bastion connection when ansible_port is not provided

* Remove contrib/vault

This is marked as broken since 2018 / 3dcb9146
This still reference apiserver.pem, not used since ddffdb63

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* Finish nuking vault from the codebase

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

See: `https://github.com/cloudnativelabs/kube-router/releases/tag/v1.2.0`

This replaces kube-master with kube_control_plane because of [1]:

  The Kubernetes project is moving away from wording that is
  considered offensive. A new working group WG Naming was created
  to track this work, and the word "master" was declared as offensive.
  A proposal was formalized for replacing the word "master" with
  "control plane". This means it should be removed from source code,
  documentation, and user-facing configuration from Kubernetes and
  its sub-projects.

NOTE: The reason why this changes it to kube_control_plane not
      kube-control-plane is for valid group names on ansible.

[1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation

* Add support for cilium ipsec

* Fix typo for bpffs

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* Fix permissions of cinder cert

* Change runuser for external_cloud_controller to kube user with id 999, part of 999 - kube-cert group

While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* Add crun download_url and checksum

* Change versioning format to crun native versioning

* Download crun using download_file.yml

* Get crun version from download defaults

* Delegate crun binary copy task to crun role

* Added experimental cri-o support for Amazon Linux 2

* Fixed dependencies order

* Download Calico KDD CRDs

* Replace kustomize with lineinfile and use ansible assemble module

* Replace find+lineinfile by sed in shell module to avoid nested loop

* add condition on sed

* use block for kdd tasks + remove supernumerary kdd manifest apply in start "Start Calico resources"

Signed-off-by: Mikael Johansson <mik.json@gmail.com>

The dummy module is needed for nodelocaldns.

c9c0c01d only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* add nodeselector and tolerations for metallb

* remove unnecessary commented lines in metallb template

* set default speaker toleration to match original manifest

When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* https://github.com/containerd/cri/pull/1225
* https://github.com/cri-o/cri-o/commit/1d0f68156ba382651c776a44f156614c4fcf981d

The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

apiserver.pem is not used since ddffdb63

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

According to [etcd's docs](https://etcd.io/docs/v3.4.0/op-guide/configuration/#--log-package-levels), argument 'log-package-levels' should not contain underscores.

Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`

kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage

This revert to the logic before 6fe22483

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

On CentOS 8 they seem to be ignored by default, but better be extra safe
This also make it easy to exclude other network plugin interfaces

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

code improvement