Fixes upgrade from pre-individual node cert envs.

Netchecker is rewritten in Go lang with some new args instead of
env variables. Also netchecker-server no longer requires kubectl
container. Updating playbooks accordingly.

kube_apiserver_node_port_range should be accessible only
to kube-proxy and not be taken by a dynamic port allocation.

Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920
gets fixed.

- Docker 1.12 and further don't need nsenter hack. This patch removes
  it.  Also, it bumps the minimal version to 1.12.

Closes #776

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>

if the system doesn't have any config files at all.

Use stdin instead of bash args to pass node filenames and base64 data.
Use tempfile for master cert data

* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

cert creation

rkt deploy mode doesn't create {{ bin_dir }}/kubelet, so
let's rely on kubelet.env file instad.

the which port the local nginx proxy should listen on for HA
local balancer configurations.

be run by limit on each node without regard for order.

The changes make sure that all of the directories needed to do
certificate management are on the master[0] or etcd[0] node regardless
of when the playbook gets run on each node.  This allows for separate
ansible playbook runs in parallel that don't have to be synchronized.

the openssl tools will fail to create signing requests because
the CN is too long.  This is mainly a problem when FQDNs are used
in the inventory file.

THis will truncate the hostname for the CN field only at the
first dot.  This should handle the issue for most cases.

https://github.com/kubernetes/kubernetes/issues/25063

Also remove the check for != "RedHat" when removing the dhclient hook,
as this had also to be done on other distros. Instead, check if the
dhclienthookfile is defined.

the tasks fail because selinux prevents ip-forwarding setting.

Moving the tasks around addresses two issues.  Makes sure that
the correct python tools are in place before adjusting of selinux
and makes sure that ipforwarding is toggled after selinux adjustments.

This proxy should only be listening for local connections, not 0.0.0.0.

Fixes #868

Also update reset.yml to do more dns/network related cleanup.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

Also fix kube log level 4 to log dnsmasq queries.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.

This was alredy fixed in #755 but had to be reverted. This PR should be
more intelligent about deciding which path to use.