diff --git a/.gitlab-ci/packet.yml b/.gitlab-ci/packet.yml index 208c3d9c152..3d1e9ce3873 100644 --- a/.gitlab-ci/packet.yml +++ b/.gitlab-ci/packet.yml @@ -88,6 +88,11 @@ packet_ubuntu20-crio: packet_ubuntu22-calico-all-in-one: extends: .packet_pr +packet_ubuntu22-calico-all-in-one-upgrade: + extends: .packet_pr + variables: + UPGRADE_TEST: graceful + packet_ubuntu24-calico-etcd-datastore: extends: .packet_pr diff --git a/.yamllint b/.yamllint index eb061917ee4..56786e0a988 100644 --- a/.yamllint +++ b/.yamllint @@ -26,4 +26,3 @@ rules: octal-values: forbid-implicit-octal: true # yamllint defaults to false forbid-explicit-octal: true # yamllint defaults to false - truthy: disable diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 66677687bc2..5dd20051527 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -7,11 +7,13 @@ aliases: - oomichi - yankay - ant31 + - vannten kubespray-reviewers: - cyclinder - erikjiang - mrfreezeex - mzaian + - tico88612 - vannten - yankay kubespray-emeritus_approvers: diff --git a/README.md b/README.md index 136778e72bd..9d3a57c816d 100644 --- a/README.md +++ b/README.md 
@@ -160,17 +160,17 @@ Note: Upstart/SysV init based OS types are not supported. ## Supported Components - Core - - [kubernetes](https://github.com/kubernetes/kubernetes) v1.30.3 + - [kubernetes](https://github.com/kubernetes/kubernetes) v1.30.4 - [etcd](https://github.com/etcd-io/etcd) v3.5.12 - [docker](https://www.docker.com/) v26.1 - - [containerd](https://containerd.io/) v1.7.20 + - [containerd](https://containerd.io/) v1.7.21 - [cri-o](http://cri-o.io/) v1.30.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS) - Network Plugin - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0 - - [calico](https://github.com/projectcalico/calico) v3.27.3 + - [calico](https://github.com/projectcalico/calico) v3.28.1 - [cilium](https://github.com/cilium/cilium) v1.15.4 - [flannel](https://github.com/flannel-io/flannel) v0.22.0 - - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5 + - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21 - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0 - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8 - [weave](https://github.com/rajch/weave) v2.8.7 @@ -178,10 +178,10 @@ Note: Upstart/SysV init based OS types are not supported. - Application - [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7 - [coredns](https://github.com/coredns/coredns) v1.11.1 - - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.10.1 + - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2 - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4 - [argocd](https://argoproj.github.io/) v2.11.0 - - [helm](https://helm.sh/) v3.14.2 + - [helm](https://helm.sh/) v3.15.4 - [metallb](https://metallb.universe.tf/) v0.13.9 - [registry](https://github.com/distribution/distribution) v2.8.1 - Storage Plugin 
@@ -193,7 +193,7 @@ Note: Upstart/SysV init based OS types are not supported. - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2 - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24 - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0 - - [node-feature-discovery](https://github.com/kubernetes-sigs/node-feature-discovery) v0.14.2 + - [node-feature-discovery](https://github.com/kubernetes-sigs/node-feature-discovery) v0.16.4 ## Container Runtime Notes diff --git a/contrib/azurerm/generate-inventory.yml b/contrib/azurerm/generate-inventory.yml index 01ee386626e..59e1e90b6a4 100644 --- a/contrib/azurerm/generate-inventory.yml +++ b/contrib/azurerm/generate-inventory.yml @@ -1,6 +1,6 @@ --- - name: Generate Azure inventory hosts: localhost - gather_facts: False + gather_facts: false roles: - generate-inventory diff --git a/contrib/azurerm/generate-inventory_2.yml b/contrib/azurerm/generate-inventory_2.yml index 9173e1d8204..8c2cbff86b5 100644 --- a/contrib/azurerm/generate-inventory_2.yml +++ b/contrib/azurerm/generate-inventory_2.yml @@ -1,6 +1,6 @@ --- - name: Generate Azure inventory hosts: localhost - gather_facts: False + gather_facts: false roles: - generate-inventory_2 diff --git a/contrib/azurerm/generate-templates.yml b/contrib/azurerm/generate-templates.yml index f1fcb626f8b..f2cf231bc4d 100644 --- a/contrib/azurerm/generate-templates.yml +++ b/contrib/azurerm/generate-templates.yml @@ -1,6 +1,6 @@ --- - name: Generate Azure templates hosts: localhost - gather_facts: False + gather_facts: false roles: - generate-templates diff --git a/contrib/dind/dind-cluster.yaml b/contrib/dind/dind-cluster.yaml index 258837d083c..0c61c3f2d48 100644 --- a/contrib/dind/dind-cluster.yaml +++ b/contrib/dind/dind-cluster.yaml 
@@ -1,7 +1,7 @@ --- - name: Create nodes as docker containers hosts: localhost - gather_facts: False + gather_facts: false roles: - { role: dind-host } diff --git a/contrib/dind/kubespray-dind.yaml b/contrib/dind/kubespray-dind.yaml index ecfb5573a70..6d57cf00d18 100644 --- a/contrib/dind/kubespray-dind.yaml +++ b/contrib/dind/kubespray-dind.yaml @@ -15,7 +15,7 @@ docker_storage_options: -s overlay2 --storage-opt overlay2.override_kernel_check dns_mode: coredns -deploy_netchecker: True +deploy_netchecker: true netcheck_agent_image_repo: quay.io/l23network/k8s-netchecker-agent netcheck_server_image_repo: quay.io/l23network/k8s-netchecker-server netcheck_agent_image_tag: v1.0 diff --git a/contrib/dind/roles/dind-cluster/tasks/main.yaml b/contrib/dind/roles/dind-cluster/tasks/main.yaml index dcb086c6447..1a3630f9ff6 100644 --- a/contrib/dind/roles/dind-cluster/tasks/main.yaml +++ b/contrib/dind/roles/dind-cluster/tasks/main.yaml @@ -14,7 +14,7 @@ src: "/bin/true" dest: "{{ item }}" state: link - force: yes + force: true with_items: # DIND box may have swap enable, don't bother - /sbin/swapoff @@ -58,7 +58,7 @@ name: "{{ distro_user }}" uid: 1000 # groups: sudo - append: yes + append: true - name: Allow password-less sudo to "{{ distro_user }}" copy: diff --git a/contrib/dind/roles/dind-host/tasks/main.yaml b/contrib/dind/roles/dind-host/tasks/main.yaml index 56c8ff4c513..e0dc71008d5 100644 --- a/contrib/dind/roles/dind-host/tasks/main.yaml +++ b/contrib/dind/roles/dind-host/tasks/main.yaml @@ -19,7 +19,7 @@ state: started hostname: "{{ item }}" command: "{{ distro_init }}" - # recreate: yes + # recreate: true privileged: true tmpfs: - /sys/module/nf_conntrack/parameters diff --git a/contrib/kvm-setup/kvm-setup.yml b/contrib/kvm-setup/kvm-setup.yml index b8d44058767..73b81978969 100644 --- a/contrib/kvm-setup/kvm-setup.yml +++ b/contrib/kvm-setup/kvm-setup.yml 
@@ -1,8 +1,8 @@ --- - name: Prepare Hypervisor to later install kubespray VMs hosts: localhost - gather_facts: False - become: yes + gather_facts: false + become: true vars: bootstrap_os: none roles: diff --git a/contrib/kvm-setup/roles/kvm-setup/tasks/main.yml b/contrib/kvm-setup/roles/kvm-setup/tasks/main.yml index 3e8ade645bb..dfcd3be7367 100644 --- a/contrib/kvm-setup/roles/kvm-setup/tasks/main.yml +++ b/contrib/kvm-setup/roles/kvm-setup/tasks/main.yml @@ -11,12 +11,12 @@ - name: Install required packages apt: - upgrade: yes - update_cache: yes + upgrade: true + update_cache: true cache_valid_time: 3600 name: "{{ item }}" state: present - install_recommends: no + install_recommends: false with_items: - dnsutils - ntp diff --git a/contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml b/contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml index 6934eccf3b9..75b7ff8fd22 100644 --- a/contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml +++ b/contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml @@ -30,7 +30,7 @@ value: 1 sysctl_file: "{{ sysctl_file_path }}" state: present - reload: yes + reload: true - name: Set bridge-nf-call-{arptables,iptables} to 0 ansible.posix.sysctl: @@ -38,7 +38,7 @@ state: present value: 0 sysctl_file: "{{ sysctl_file_path }}" - reload: yes + reload: true with_items: - net.bridge.bridge-nf-call-arptables - net.bridge.bridge-nf-call-ip6tables diff --git a/contrib/network-storage/glusterfs/roles/glusterfs/README.md b/contrib/network-storage/glusterfs/roles/glusterfs/README.md index dda243df04f..9e5bf5dcfbc 100644 --- a/contrib/network-storage/glusterfs/roles/glusterfs/README.md +++ b/contrib/network-storage/glusterfs/roles/glusterfs/README.md 
@@ -21,7 +21,7 @@ glusterfs_default_release: "" You can specify a `default_release` for apt on Debian/Ubuntu by overriding this variable. This is helpful if you need a different package or version for the main GlusterFS packages (e.g. GlusterFS 3.5.x instead of 3.2.x with the `wheezy-backports` default release on Debian Wheezy). ```yaml -glusterfs_ppa_use: yes +glusterfs_ppa_use: true glusterfs_ppa_version: "3.5" ``` diff --git a/contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml b/contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml index b9f0d2d1d3b..c3fff2e6324 100644 --- a/contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml +++ b/contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml @@ -1,7 +1,7 @@ --- # For Ubuntu. glusterfs_default_release: "" -glusterfs_ppa_use: yes +glusterfs_ppa_use: true glusterfs_ppa_version: "4.1" # Gluster configuration. diff --git a/contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml b/contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml index da7a4d8decc..0d7cc18747a 100644 --- a/contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml +++ b/contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml @@ -3,7 +3,7 @@ apt_repository: repo: 'ppa:gluster/glusterfs-{{ glusterfs_ppa_version }}' state: present - update_cache: yes + update_cache: true register: glusterfs_ppa_added when: glusterfs_ppa_use diff --git a/contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml b/contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml index ef9a71eba40..7d6e1025b1f 100644 --- a/contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml +++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml 
@@ -1,7 +1,7 @@ --- # For Ubuntu. glusterfs_default_release: "" -glusterfs_ppa_use: yes +glusterfs_ppa_use: true glusterfs_ppa_version: "3.12" # Gluster configuration. diff --git a/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml b/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml index 6bdc41420ed..a9f7698a37e 100644 --- a/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml +++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml @@ -43,7 +43,7 @@ service: name: "{{ glusterfs_daemon }}" state: started - enabled: yes + enabled: true - name: Ensure Gluster brick and mount directories exist. file: @@ -62,7 +62,7 @@ replicas: "{{ groups['gfs-cluster'] | length }}" cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}" host: "{{ inventory_hostname }}" - force: yes + force: true run_once: true when: groups['gfs-cluster'] | length > 1 @@ -73,7 +73,7 @@ brick: "{{ gluster_brick_dir }}" cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}" host: "{{ inventory_hostname }}" - force: yes + force: true run_once: true when: groups['gfs-cluster'] | length <= 1 diff --git a/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml b/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml index 104735903ee..4d4b1b4b80d 100644 --- a/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml +++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml @@ -3,7 +3,7 @@ apt_repository: repo: 'ppa:gluster/glusterfs-{{ glusterfs_ppa_version }}' state: present - update_cache: yes + update_cache: true register: glusterfs_ppa_added when: glusterfs_ppa_use 
diff --git a/contrib/network-storage/heketi/heketi-tear-down.yml b/contrib/network-storage/heketi/heketi-tear-down.yml index e64f085cb67..8c9d1c3a000 100644 --- a/contrib/network-storage/heketi/heketi-tear-down.yml +++ b/contrib/network-storage/heketi/heketi-tear-down.yml @@ -6,6 +6,6 @@ - name: Teardown disks in heketi hosts: heketi-node - become: yes + become: true roles: - { role: tear-down-disks } diff --git a/contrib/offline/generate_list.yml b/contrib/offline/generate_list.yml index 6b2bcf8067f..f103d031f72 100644 --- a/contrib/offline/generate_list.yml +++ b/contrib/offline/generate_list.yml @@ -1,7 +1,7 @@ --- - name: Collect container images for offline deployment hosts: localhost - become: no + become: false roles: # Just load default variables from roles. diff --git a/contrib/os-services/roles/prepare/tasks/main.yml b/contrib/os-services/roles/prepare/tasks/main.yml index 177712e42d9..487b3b6f1ce 100644 --- a/contrib/os-services/roles/prepare/tasks/main.yml +++ b/contrib/os-services/roles/prepare/tasks/main.yml @@ -10,7 +10,7 @@ systemd_service: name: firewalld state: stopped - enabled: no + enabled: false when: "'firewalld.service' in services and services['firewalld.service'].status != 'not-found'" @@ -18,6 +18,6 @@ systemd_service: name: ufw state: stopped - enabled: no + enabled: false when: "'ufw.service' in services and services['ufw.service'].status != 'not-found'" diff --git a/contrib/terraform/terraform.py b/contrib/terraform/terraform.py index f67b9d82dba..f8487bf6b6a 100755 --- a/contrib/terraform/terraform.py +++ b/contrib/terraform/terraform.py @@ -368,7 +368,7 @@ def iter_host_ips(hosts, ips): 'ansible_host': ip, }) - if 'use_access_ip' in host[1]['metadata'] and host[1]['metadata']['use_access_ip'] == "0": + if 'use_access_ip' in host[1]['metadata'] and host[1]['metadata']['use_access_ip'] == "0" and 'access_ip' in host[1]: host[1].pop('access_ip') yield host 
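Review bot: The extended condition on the changed `if` in terraform.py duplicates what a defaulted `pop` already does; `host[1].pop('access_ip', None)` removes the key when present and is a no-op otherwise, so the added `'access_ip' in host[1]` membership test is unnecessary. The metadata lookup can be collapsed the same way, giving `if host[1]['metadata'].get('use_access_ip') == "0":` followed by `host[1].pop('access_ip', None)`. The `host[1]['metadata']` subscript itself stays unguarded, which is presumably fine if every terraform host carries a metadata block. `iter_host_ips` begins before this hunk.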
diff --git a/docs/ingress/ingress_nginx.md b/docs/ingress/ingress_nginx.md index f465dc60f59..3aa184b797d 100644 --- a/docs/ingress/ingress_nginx.md +++ b/docs/ingress/ingress_nginx.md @@ -35,7 +35,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml ``` ### Provider Specific Steps diff --git a/extra_playbooks/upgrade-only-k8s.yml b/extra_playbooks/upgrade-only-k8s.yml index 4207f8d28cb..5f396fa28eb 100644 --- a/extra_playbooks/upgrade-only-k8s.yml +++ b/extra_playbooks/upgrade-only-k8s.yml @@ -12,7 +12,7 @@ - name: Setup ssh config to use the bastion hosts: localhost - gather_facts: False + gather_facts: false roles: - { role: kubespray-defaults} - { role: bastion-ssh-config, tags: ["localhost", "bastion"]} diff --git a/inventory/sample/group_vars/all/containerd.yml b/inventory/sample/group_vars/all/containerd.yml index 1888b24180d..c8fa4194325 100644 --- a/inventory/sample/group_vars/all/containerd.yml +++ b/inventory/sample/group_vars/all/containerd.yml @@ -24,8 +24,21 @@ # containerd_grpc_max_recv_message_size: 16777216 # containerd_grpc_max_send_message_size: 16777216 +# Containerd debug socket location: unix or tcp format +# containerd_debug_address: "" + +# Containerd log level # containerd_debug_level: "info" +# Containerd logs format, supported values: text, json +# containerd_debug_format: "" + +# Containerd debug socket UID +# containerd_debug_uid: 0 + +# Containerd debug socket GID +# containerd_debug_gid: 0 + # containerd_metrics_address: "" # containerd_metrics_grpc_histogram: false 
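Review bot: The comment added above `containerd_debug_address` in the sample inventory gives the accepted formats but says nothing about exposure, which is what a user of this file needs to know: containerd's debug listener serves its debug handlers (pprof and friends, as far as I recall) without any authentication, so a tcp address makes them reachable from the network, while the `containerd_debug_uid`/`containerd_debug_gid` entries below only have an effect on a unix socket. Suggest extending the comment to `# Containerd debug socket location: unix or tcp format. A tcp address exposes the unauthenticated debug endpoint; prefer a unix socket (ownership via containerd_debug_uid/gid) or bind to loopback only.` and saying on the uid/gid lines that they apply to a unix socket only. The same variables are introduced without any comment in roles/container-engine/containerd/defaults/main.yml later in this diff.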
diff --git a/inventory/sample/group_vars/all/offline.yml b/inventory/sample/group_vars/all/offline.yml index 56d43375a18..6fb8dfc0333 100644 --- a/inventory/sample/group_vars/all/offline.yml +++ b/inventory/sample/group_vars/all/offline.yml @@ -18,7 +18,7 @@ # quay_image_repo: "{{ registry_host }}" ## Kubernetes components -# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm" +# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubeadm" # kubectl_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubectl" # kubelet_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubelet" diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml index 6bcdde8cbcb..a352e4cf683 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml @@ -17,7 +17,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens" kube_api_anonymous_auth: true ## Change this to use another Kubernetes version, e.g. a current beta release -kube_version: v1.30.3 +kube_version: v1.30.4 # Where the binaries will be downloaded. # Note: ensure that you've enough disk space (about 1G) diff --git a/playbooks/ansible_version.yml b/playbooks/ansible_version.yml index aa2d6b47642..2c8bac63c28 100644 --- a/playbooks/ansible_version.yml +++ b/playbooks/ansible_version.yml @@ -2,7 +2,7 @@ - name: Check Ansible version hosts: all gather_facts: false - become: no + become: false run_once: true vars: minimal_ansible_version: 2.16.4 diff --git a/playbooks/boilerplate.yml b/playbooks/boilerplate.yml index 137a4c2c5b4..eafa9b42f12 100644 --- a/playbooks/boilerplate.yml +++ b/playbooks/boilerplate.yml 
@@ -51,7 +51,7 @@ - name: Install bastion ssh config hosts: bastion[0] - gather_facts: False + gather_facts: false environment: "{{ proxy_disable_env }}" roles: - { role: kubespray-defaults } diff --git a/playbooks/cluster.yml b/playbooks/cluster.yml index c433a8c6928..ca67a28d333 100644 --- a/playbooks/cluster.yml +++ b/playbooks/cluster.yml @@ -7,7 +7,7 @@ - name: Prepare for etcd install hosts: k8s_cluster:etcd - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -21,7 +21,7 @@ - name: Install Kubernetes nodes hosts: k8s_cluster - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -30,7 +30,7 @@ - name: Install the control plane hosts: kube_control_plane - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -41,7 +41,7 @@ - name: Invoke kubeadm and install a CNI hosts: k8s_cluster - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -54,7 +54,7 @@ - name: Install Calico Route Reflector hosts: calico_rr - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -63,7 +63,7 @@ - name: Patch Kubernetes for Windows hosts: kube_control_plane[0] - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -72,7 +72,7 @@ - name: Install Kubernetes apps hosts: kube_control_plane - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: 
@@ -86,7 +86,7 @@ - name: Apply resolv.conf changes now that cluster DNS is up hosts: k8s_cluster - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: diff --git a/playbooks/facts.yml b/playbooks/facts.yml index 77823aca40f..d35eea80c28 100644 --- a/playbooks/facts.yml +++ b/playbooks/facts.yml @@ -15,7 +15,7 @@ - name: Gather facts hosts: k8s_cluster:etcd:calico_rr - gather_facts: False + gather_facts: false tags: always tasks: - name: Gather minimal facts diff --git a/playbooks/install_etcd.yml b/playbooks/install_etcd.yml index b8e4d1d89b0..1f585119ca4 100644 --- a/playbooks/install_etcd.yml +++ b/playbooks/install_etcd.yml @@ -16,7 +16,7 @@ - name: Install etcd hosts: etcd:kube_control_plane:_kubespray_needs_etcd - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: diff --git a/playbooks/remove_node.yml b/playbooks/remove_node.yml index e01338965e1..f994dae43bb 100644 --- a/playbooks/remove_node.yml +++ b/playbooks/remove_node.yml @@ -4,13 +4,13 @@ - name: Confirm node removal hosts: "{{ node | default('etcd:k8s_cluster:calico_rr') }}" - gather_facts: no + gather_facts: false tasks: - name: Confirm Execution pause: prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes." register: pause_result - run_once: True + run_once: true when: - not (skip_confirmation | default(false) | bool) @@ -25,7 +25,7 @@ - name: Reset node hosts: "{{ node | default('kube_node') }}" - gather_facts: no + gather_facts: false environment: "{{ proxy_disable_env }}" roles: - { role: kubespray-defaults, when: reset_nodes | default(True) | bool } 
@@ -36,7 +36,7 @@ # Currently cannot remove first master or etcd - name: Post node removal hosts: "{{ node | default('kube_control_plane[1:]:etcd[1:]') }}" - gather_facts: no + gather_facts: false environment: "{{ proxy_disable_env }}" roles: - { role: kubespray-defaults, when: reset_nodes | default(True) | bool } diff --git a/playbooks/reset.yml b/playbooks/reset.yml index 5742bd844e4..6fa18c0aca1 100644 --- a/playbooks/reset.yml +++ b/playbooks/reset.yml @@ -7,13 +7,13 @@ - name: Reset cluster hosts: etcd:k8s_cluster:calico_rr - gather_facts: False + gather_facts: false pre_tasks: - name: Reset Confirmation pause: prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster." register: reset_confirmation_prompt - run_once: True + run_once: true when: - not (skip_confirmation | default(false) | bool) - reset_confirmation is not defined diff --git a/playbooks/scale.yml b/playbooks/scale.yml index 171e378328d..ef093660785 100644 --- a/playbooks/scale.yml +++ b/playbooks/scale.yml @@ -7,7 +7,7 @@ - name: Generate the etcd certificates beforehand hosts: etcd:kube_control_plane - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -24,7 +24,7 @@ - name: Download images to ansible host cache via first kube_control_plane node hosts: kube_control_plane[0] - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -34,7 +34,7 @@ - name: Target only workers to get kubelet installed and checking in on any new nodes(engine) hosts: kube_node - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: 
@@ -53,7 +53,7 @@ - name: Target only workers to get kubelet installed and checking in on any new nodes(node) hosts: kube_node - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -63,7 +63,7 @@ - name: Upload control plane certs and retrieve encryption key hosts: kube_control_plane | first environment: "{{ proxy_disable_env }}" - gather_facts: False + gather_facts: false tags: kubeadm roles: - { role: kubespray-defaults } @@ -84,7 +84,7 @@ - name: Target only workers to get kubelet installed and checking in on any new nodes(network) hosts: kube_node - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -96,7 +96,7 @@ - name: Apply resolv.conf changes now that cluster DNS is up hosts: k8s_cluster - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: diff --git a/playbooks/upgrade_cluster.yml b/playbooks/upgrade_cluster.yml index 3180fec9310..99511a8206f 100644 --- a/playbooks/upgrade_cluster.yml +++ b/playbooks/upgrade_cluster.yml @@ -7,7 +7,7 @@ - name: Download images to ansible host cache via first kube_control_plane node hosts: kube_control_plane[0] - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -17,7 +17,7 @@ - name: Prepare nodes for upgrade hosts: k8s_cluster:etcd:calico_rr - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: 
@@ -27,7 +27,7 @@ - name: Upgrade container engine on non-cluster nodes hosts: etcd:calico_rr:!k8s_cluster - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" serial: "{{ serial | default('20%') }}" @@ -39,7 +39,7 @@ import_playbook: install_etcd.yml - name: Handle upgrades to master components first to maintain backwards compat. - gather_facts: False + gather_facts: false hosts: kube_control_plane any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" @@ -62,7 +62,7 @@ - name: Upgrade calico and external cloud provider on all masters, calico-rrs, and nodes hosts: kube_control_plane:calico_rr:kube_node - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" serial: "{{ serial | default('20%') }}" environment: "{{ proxy_disable_env }}" @@ -75,7 +75,7 @@ - name: Finally handle worker upgrades, based on given batch size hosts: kube_node:calico_rr:!kube_control_plane - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" serial: "{{ serial | default('20%') }}" @@ -93,7 +93,7 @@ - name: Patch Kubernetes for Windows hosts: kube_control_plane[0] - gather_facts: False + gather_facts: false any_errors_fatal: true environment: "{{ proxy_disable_env }}" roles: @@ -102,7 +102,7 @@ - name: Install Calico Route Reflector hosts: calico_rr - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: @@ -111,7 +111,7 @@ - name: Install Kubernetes apps hosts: kube_control_plane - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: 
@@ -122,7 +122,7 @@ - name: Apply resolv.conf changes now that cluster DNS is up hosts: k8s_cluster - gather_facts: False + gather_facts: false any_errors_fatal: "{{ any_errors_fatal | default(true) }}" environment: "{{ proxy_disable_env }}" roles: diff --git a/roles/adduser/defaults/main.yml b/roles/adduser/defaults/main.yml index df3fc2d0284..3307032e058 100644 --- a/roles/adduser/defaults/main.yml +++ b/roles/adduser/defaults/main.yml @@ -7,14 +7,14 @@ addusers: etcd: name: etcd comment: "Etcd user" - create_home: no - system: yes + create_home: false + system: true shell: /sbin/nologin kube: name: kube comment: "Kubernetes user" - create_home: no - system: yes + create_home: false + system: true shell: /sbin/nologin group: "{{ kube_cert_group }}" diff --git a/roles/adduser/vars/coreos.yml b/roles/adduser/vars/coreos.yml index 5c258df6e56..60fb05cf0dc 100644 --- a/roles/adduser/vars/coreos.yml +++ b/roles/adduser/vars/coreos.yml @@ -3,6 +3,6 @@ addusers: - name: kube comment: "Kubernetes user" shell: /sbin/nologin - system: yes + system: true group: "{{ kube_cert_group }}" - create_home: no + create_home: false diff --git a/roles/adduser/vars/debian.yml b/roles/adduser/vars/debian.yml index 99e5b382175..b14b8612e51 100644 --- a/roles/adduser/vars/debian.yml +++ b/roles/adduser/vars/debian.yml @@ -2,14 +2,14 @@ addusers: - name: etcd comment: "Etcd user" - create_home: yes + create_home: true home: "{{ etcd_data_dir }}" - system: yes + system: true shell: /sbin/nologin - name: kube comment: "Kubernetes user" - create_home: no - system: yes + create_home: false + system: true shell: /sbin/nologin group: "{{ kube_cert_group }}" diff --git a/roles/adduser/vars/redhat.yml b/roles/adduser/vars/redhat.yml index 99e5b382175..b14b8612e51 100644 --- a/roles/adduser/vars/redhat.yml +++ b/roles/adduser/vars/redhat.yml 
@@ -2,14 +2,14 @@ addusers: - name: etcd comment: "Etcd user" - create_home: yes + create_home: true home: "{{ etcd_data_dir }}" - system: yes + system: true shell: /sbin/nologin - name: kube comment: "Kubernetes user" - create_home: no - system: yes + create_home: false + system: true shell: /sbin/nologin group: "{{ kube_cert_group }}" diff --git a/roles/bootstrap-os/molecule/default/converge.yml b/roles/bootstrap-os/molecule/default/converge.yml index 1f44ec9ca2c..89a83255944 100644 --- a/roles/bootstrap-os/molecule/default/converge.yml +++ b/roles/bootstrap-os/molecule/default/converge.yml @@ -1,6 +1,6 @@ --- - name: Converge hosts: all - gather_facts: no + gather_facts: false roles: - role: bootstrap-os diff --git a/roles/bootstrap-os/tasks/amzn.yml b/roles/bootstrap-os/tasks/amzn.yml index 0da5591caa3..8a473a07f87 100644 --- a/roles/bootstrap-os/tasks/amzn.yml +++ b/roles/bootstrap-os/tasks/amzn.yml @@ -8,9 +8,9 @@ file: epel description: Extra Packages for Enterprise Linux 7 - $basearch baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch - gpgcheck: yes + gpgcheck: true gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 - skip_if_unavailable: yes - enabled: yes - repo_gpgcheck: no + skip_if_unavailable: true + enabled: true + repo_gpgcheck: false when: epel_enabled diff --git a/roles/bootstrap-os/tasks/centos.yml b/roles/bootstrap-os/tasks/centos.yml index fc9a3cf0cff..304a37b079e 100644 --- a/roles/bootstrap-os/tasks/centos.yml +++ b/roles/bootstrap-os/tasks/centos.yml @@ -119,9 +119,9 @@ - name: Check presence of fastestmirror.conf stat: path: /etc/yum/pluginconf.d/fastestmirror.conf - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: fastestmirror # the fastestmirror plugin can actually slow down Ansible deployments diff --git a/roles/bootstrap-os/tasks/debian.yml b/roles/bootstrap-os/tasks/debian.yml index 5835ae1643a..9ede45f9bdf 100644 
--- a/roles/bootstrap-os/tasks/debian.yml +++ b/roles/bootstrap-os/tasks/debian.yml @@ -63,9 +63,17 @@ - '"value from" in bootstrap_update_apt_result.stdout' ignore_errors: true +- name: Check unattended-upgrades file exist + stat: + path: /etc/apt/apt.conf.d/50unattended-upgrades + register: unattended_upgrades_file_stat + when: + - os_release_dict['ID'] == 'ubuntu' + - ubuntu_kernel_unattended_upgrades_disabled + - name: Disable kernel unattended-upgrades lineinfile: - path: /etc/apt/apt.conf.d/50unattended-upgrades + path: "{{ unattended_upgrades_file_stat.stat.path }}" insertafter: "Unattended-Upgrade::Package-Blacklist" line: '"linux-";' state: present @@ -73,3 +81,4 @@ when: - os_release_dict['ID'] == 'ubuntu' - ubuntu_kernel_unattended_upgrades_disabled + - unattended_upgrades_file_stat.stat.exists diff --git a/roles/bootstrap-os/tasks/fedora-coreos.yml b/roles/bootstrap-os/tasks/fedora-coreos.yml index b8c0f3fe7b6..3062a5a8834 100644 --- a/roles/bootstrap-os/tasks/fedora-coreos.yml +++ b/roles/bootstrap-os/tasks/fedora-coreos.yml @@ -28,7 +28,7 @@ raw: "nohup bash -c 'sleep 5s && shutdown -r now'" become: true ignore_errors: true # noqa ignore-errors - ignore_unreachable: yes + ignore_unreachable: true when: need_bootstrap.rc != 0 - name: Wait for the reboot to complete diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml index e62fbf49654..c16fe1bec63 100644 --- a/roles/bootstrap-os/tasks/main.yml +++ b/roles/bootstrap-os/tasks/main.yml @@ -22,7 +22,7 @@ - "{{ os_release_dict['ID'] }}.yml" paths: - vars/ - skip: True + skip: true - name: Include tasks include_tasks: "{{ included_tasks_file }}" with_first_found: diff --git a/roles/bootstrap-os/tasks/opensuse.yml b/roles/bootstrap-os/tasks/opensuse.yml index 9b69dcd8916..5a4f9dead52 100644 --- a/roles/bootstrap-os/tasks/opensuse.yml +++ b/roles/bootstrap-os/tasks/opensuse.yml 
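Review bot: The new stat task at the top of the debian.yml hunk omits the `get_attributes: false`, `get_checksum: false` and `get_mime: false` switches that every other existence-check `stat` in this change carries (centos.yml, opensuse.yml, redhat.yml, containerd-common), so it checksums and mime-sniffs the file for a plain exists test; add those three lines under `stat:`. The rewritten `path: "{{ unattended_upgrades_file_stat.stat.path }}"` on the lineinfile task only echoes the literal path the stat was given, so keeping `path: /etc/apt/apt.conf.d/50unattended-upgrades` (or one variable shared by both tasks) reads more clearly and avoids feeding a registered result back into a module argument. The task name should read `Check unattended-upgrades file exists`. The second hunk's added `- unattended_upgrades_file_stat.stat.exists` is only evaluated after the two preceding conditions hold, which mirrors the stat task's own `when`, so the skipped-result case looks covered.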
@@ -8,9 +8,9 @@
 - name: Check that /etc/sysconfig/proxy file exists
 stat:
 path: /etc/sysconfig/proxy
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: stat_result
 - name: Create the /etc/sysconfig/proxy empty file
diff --git a/roles/bootstrap-os/tasks/redhat.yml b/roles/bootstrap-os/tasks/redhat.yml
index 0aae5a0d6cc..76a39b2f515 100644
--- a/roles/bootstrap-os/tasks/redhat.yml
+++ b/roles/bootstrap-os/tasks/redhat.yml
@@ -87,9 +87,9 @@
 - name: Check presence of fastestmirror.conf
 stat:
 path: /etc/yum/pluginconf.d/fastestmirror.conf
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: fastestmirror
 # the fastestmirror plugin can actually slow down Ansible deployments
diff --git a/roles/bootstrap-os/vars/fedora-coreos.yml b/roles/bootstrap-os/vars/fedora-coreos.yml
index e0bb069f9e2..37e4c46e8e3 100644
--- a/roles/bootstrap-os/vars/fedora-coreos.yml
+++ b/roles/bootstrap-os/vars/fedora-coreos.yml
@@ -1,2 +1,2 @@
 ---
-is_fedora_coreos: True
+is_fedora_coreos: true
diff --git a/roles/container-engine/containerd-common/tasks/main.yml b/roles/container-engine/containerd-common/tasks/main.yml
index d0cf1f13942..c5b89680869 100644
--- a/roles/container-engine/containerd-common/tasks/main.yml
+++ b/roles/container-engine/containerd-common/tasks/main.yml
@@ -2,9 +2,9 @@
 - name: Containerd-common | check if fedora coreos
 stat:
 path: /run/ostree-booted
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: ostree
 - name: Containerd-common | set is_ostree
diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index 291e96e347f..f04bb927a54 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -46,7 +46,11 @@ containerd_base_runtime_specs:
 containerd_grpc_max_recv_message_size: 16777216
 containerd_grpc_max_send_message_size: 16777216
+containerd_debug_address: ""
 containerd_debug_level: "info"
+containerd_debug_format: ""
+containerd_debug_uid: 0
+containerd_debug_gid: 0
 containerd_metrics_address: ""
@@ -66,6 +70,12 @@ containerd_enable_unprivileged_ports: false
 # If enabled it will allow non root users to use icmp sockets
 containerd_enable_unprivileged_icmp: false
+containerd_enable_selinux: false
+containerd_disable_apparmor: false
+containerd_tolerate_missing_hugetlb_controller: true
+containerd_disable_hugetlb_controller: true
+containerd_image_pull_progress_timeout: 5m
+
 containerd_cfg_dir: /etc/containerd
 # Extra config to be put in {{ containerd_cfg_dir }}/config.toml literally
diff --git a/roles/container-engine/containerd/handlers/main.yml b/roles/container-engine/containerd/handlers/main.yml
index 4e7722f4fb2..6a024fd59c6 100644
--- a/roles/container-engine/containerd/handlers/main.yml
+++ b/roles/container-engine/containerd/handlers/main.yml
@@ -3,9 +3,9 @@
 systemd_service:
 name: containerd
 state: restarted
- enabled: yes
- daemon-reload: yes
- masked: no
+ enabled: true
+ daemon-reload: true
+ masked: false
 listen: Restart containerd
 - name: Containerd | wait for containerd
diff --git a/roles/container-engine/containerd/molecule/default/prepare.yml b/roles/container-engine/containerd/molecule/default/prepare.yml
index ddc9c045396..a3d09ad8005 100644
--- a/roles/container-engine/containerd/molecule/default/prepare.yml
+++ b/roles/container-engine/containerd/molecule/default/prepare.yml
@@ -1,7 +1,7 @@
 ---
 - name: Prepare
 hosts: all
- gather_facts: False
+ gather_facts: false
 become: true
 vars:
 ignore_assert_errors: true
@@ -19,7 +19,7 @@
 - name: Prepare CNI
 hosts: all
- gather_facts: False
+ gather_facts: false
 become: true
 vars:
 ignore_assert_errors: true
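Review bot: The nine defaults added across the two `defaults/main.yml` hunks (`containerd_debug_address` through `containerd_image_pull_progress_timeout`) carry no comments, unlike the neighbouring `containerd_enable_unprivileged_icmp`, and two of them switch mandatory-access-control behaviour of the CRI plugin. I would document at least those two: `# Apply SELinux labels to containers (only effective on an SELinux-enabled host)` above `containerd_enable_selinux` and `# When true, AppArmor profiles are no longer applied to containers` above `containerd_disable_apparmor`, plus a line stating that `containerd_debug_uid` / `containerd_debug_gid` set the owner of the debug socket and appear to matter only when `containerd_debug_address` is non-empty. `containerd_image_pull_progress_timeout: 5m` is left as a plain scalar while `containerd_debug_level: "info"` in the same file is quoted; `"5m"` would keep the string-valued defaults uniformly quoted and protect the value against future retyping.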
diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index 073412cd0a0..8b8c12cbbf7 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -36,7 +36,7 @@
 src: "{{ downloads.containerd.dest }}"
 dest: "{{ containerd_bin_dir }}"
 mode: "0755"
- remote_src: yes
+ remote_src: true
 extra_opts:
 - --strip-components=1
 notify: Restart containerd
@@ -138,6 +138,6 @@
 - name: Containerd | Ensure containerd is started and enabled
 systemd_service:
 name: containerd
- daemon_reload: yes
- enabled: yes
+ daemon_reload: true
+ enabled: true
 state: started
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 23e2d7b5bd8..3f65ef5d7b0 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -12,7 +12,11 @@ oom_score = {{ containerd_oom_score }}
 max_send_message_size = {{ containerd_grpc_max_send_message_size }}
 [debug]
+ address = "{{ containerd_debug_address }}"
 level = "{{ containerd_debug_level }}"
+ format = "{{ containerd_debug_format }}"
+ uid = {{ containerd_debug_uid }}
+ gid = {{ containerd_debug_gid }}
 [metrics]
 address = "{{ containerd_metrics_address }}"
@@ -24,6 +28,11 @@ oom_score = {{ containerd_oom_score }}
 max_container_log_line_size = {{ containerd_max_container_log_line_size }}
 enable_unprivileged_ports = {{ containerd_enable_unprivileged_ports | lower }}
 enable_unprivileged_icmp = {{ containerd_enable_unprivileged_icmp | lower }}
+ enable_selinux = {{ containerd_enable_selinux | lower }}
+ disable_apparmor = {{ containerd_disable_apparmor | lower }}
+ tolerate_missing_hugetlb_controller = {{ containerd_tolerate_missing_hugetlb_controller | lower }}
+ disable_hugetlb_controller = {{ containerd_disable_hugetlb_controller | lower }}
+ image_pull_progress_timeout = "{{ containerd_image_pull_progress_timeout }}"
 {% if enable_cdi %}
 enable_cdi = true
 cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"]
diff --git a/roles/container-engine/cri-dockerd/handlers/main.yml b/roles/container-engine/cri-dockerd/handlers/main.yml
index 00d00e7b2b9..f60f28fce29 100644
--- a/roles/container-engine/cri-dockerd/handlers/main.yml
+++ b/roles/container-engine/cri-dockerd/handlers/main.yml
@@ -3,7 +3,7 @@
 systemd_service:
 name: cri-dockerd
 daemon_reload: true
- masked: no
+ masked: false
 listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | restart docker.service
@@ -27,5 +27,5 @@
 - name: Cri-dockerd | enable cri-dockerd service
 service:
 name: cri-dockerd.service
- enabled: yes
+ enabled: true
 listen: Restart and enable cri-dockerd
diff --git a/roles/container-engine/cri-o/handlers/main.yml b/roles/container-engine/cri-o/handlers/main.yml
index d173ce41b00..0595e4f94ea 100644
--- a/roles/container-engine/cri-o/handlers/main.yml
+++ b/roles/container-engine/cri-o/handlers/main.yml
@@ -8,5 +8,5 @@
 service:
 name: crio
 state: restarted
- enabled: yes
+ enabled: true
 listen: Restart crio
diff --git a/roles/container-engine/cri-o/molecule/default/prepare.yml b/roles/container-engine/cri-o/molecule/default/prepare.yml
index c769d7cd2d3..55ad5174d70 100644
--- a/roles/container-engine/cri-o/molecule/default/prepare.yml
+++ b/roles/container-engine/cri-o/molecule/default/prepare.yml
@@ -1,7 +1,7 @@
 ---
 - name: Prepare
 hosts: all
- gather_facts: False
+ gather_facts: false
 become: true
 vars:
 ignore_assert_errors: true
@@ -19,7 +19,7 @@
 - name: Prepare CNI
 hosts: all
- gather_facts: False
+ gather_facts: false
 become: true
 vars:
 ignore_assert_errors: true
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index a7b234563dc..bde2e075623 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -5,9 +5,9 @@
 - name: Cri-o | check if fedora coreos
 stat:
 path: /run/ostree-booted
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: ostree
 - name: Cri-o | set is_ostree
diff --git a/roles/container-engine/cri-o/tasks/setup-amazon.yaml b/roles/container-engine/cri-o/tasks/setup-amazon.yaml
index 2462c30fdfd..cef0112b293 100644
--- a/roles/container-engine/cri-o/tasks/setup-amazon.yaml
+++ b/roles/container-engine/cri-o/tasks/setup-amazon.yaml
@@ -8,7 +8,7 @@
 lineinfile:
 dest: /etc/yum.repos.d/amzn2-extras.repo
 line: "[amzn2extra-docker]"
- check_mode: yes
+ check_mode: true
 register: amzn2_extras_docker_repo
 when:
 - amzn2_extras_file_stat.stat.exists
@@ -19,7 +19,7 @@
 section: amzn2extra-docker
 option: enabled
 value: "0"
- backup: yes
+ backup: true
 mode: "0644"
 when:
 - amzn2_extras_file_stat.stat.exists
diff --git a/roles/container-engine/crictl/handlers/main.yml b/roles/container-engine/crictl/handlers/main.yml
index 785823fc4b8..d6ffe169a50 100644
--- a/roles/container-engine/crictl/handlers/main.yml
+++ b/roles/container-engine/crictl/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Get crictl completion
 command: "{{ bin_dir }}/crictl completion"
- changed_when: False
+ changed_when: false
 register: cri_completion
 check_mode: false
diff --git a/roles/container-engine/docker-storage/tasks/main.yml b/roles/container-engine/docker-storage/tasks/main.yml
index e3c713db22c..d90dcb775c3 100644
--- a/roles/container-engine/docker-storage/tasks/main.yml
+++ b/roles/container-engine/docker-storage/tasks/main.yml
@@ -39,7 +39,7 @@
 state: present
 - name: Docker-storage-setup | install and run container-storage-setup
- become: yes
+ become: true
 script: |
 install_container_storage_setup.sh \
 {{ docker_container_storage_setup_repository }} \
diff --git a/roles/container-engine/docker/handlers/main.yml b/roles/container-engine/docker/handlers/main.yml
index 72e95e6bf5b..76d16f58927 100644
--- a/roles/container-engine/docker/handlers/main.yml
+++ b/roles/container-engine/docker/handlers/main.yml
@@ -3,7 +3,7 @@
 systemd_service:
 name: docker
 daemon_reload: true
- masked: no
+ masked: false
 listen: Restart docker
 - name: Docker | reload docker.socket
diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml
index 55b3a0be6c5..e56fe4ca994 100644
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -2,9 +2,9 @@
 - name: Check if fedora coreos
 stat:
 path: /run/ostree-booted
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: ostree
 - name: Set is_ostree
@@ -66,7 +66,7 @@
 path: /etc/apt/sources.list
 regexp: 'buster-backports'
 state: absent
- backup: yes
+ backup: true
 when:
 - ansible_os_family == 'Debian'
 - ansible_distribution_release == "buster"
@@ -183,7 +183,7 @@
 - name: Ensure docker service is started and enabled
 service:
 name: "{{ item }}"
- enabled: yes
+ enabled: true
 state: started
 with_items:
 - docker
diff --git a/roles/container-engine/docker/tasks/set_facts_dns.yml b/roles/container-engine/docker/tasks/set_facts_dns.yml
index d7c10392e85..d0ccd745a70 100644
--- a/roles/container-engine/docker/tasks/set_facts_dns.yml
+++ b/roles/container-engine/docker/tasks/set_facts_dns.yml
@@ -21,9 +21,9 @@
 shell: set -o pipefail && grep "^nameserver" /etc/resolv.conf | sed -r 's/^nameserver\s*([^#\s]+)\s*(#.*)?/\1/'
 args:
 executable: /bin/bash
- changed_when: False
+ changed_when: false
 register: system_nameservers
- check_mode: no
+ check_mode: false
 - name: Check system search domains # noqa risky-shell-pipe - if resolf.conf has no search domain, grep will exit 1 which would force us to add failed_when: false
@@ -31,9 +31,9 @@
 shell: grep "^search" /etc/resolv.conf | sed -r 's/^search\s*([^#]+)\s*(#.*)?/\1/'
 args:
 executable: /bin/bash
- changed_when: False
+ changed_when: false
 register: system_search_domains
- check_mode: no
+ check_mode: false
 - name: Add system nameservers to docker options
 set_fact:
diff --git a/roles/container-engine/gvisor/tasks/main.yml b/roles/container-engine/gvisor/tasks/main.yml
index 13b19a2f6fa..4bab9a99671 100644
--- a/roles/container-engine/gvisor/tasks/main.yml
+++ b/roles/container-engine/gvisor/tasks/main.yml
@@ -14,7 +14,7 @@
 src: "{{ item.src }}"
 dest: "{{ bin_dir }}/{{ item.dest }}"
 mode: "0755"
- remote_src: yes
+ remote_src: true
 with_items:
 - { src: "{{ downloads.gvisor_runsc.dest }}", dest: "runsc" }
 - { src: "{{ downloads.gvisor_containerd_shim.dest }}", dest: "containerd-shim-runsc-v1" }
diff --git a/roles/container-engine/kata-containers/tasks/main.yml b/roles/container-engine/kata-containers/tasks/main.yml
index 38778987d44..5014c214a49 100644
--- a/roles/container-engine/kata-containers/tasks/main.yml
+++ b/roles/container-engine/kata-containers/tasks/main.yml
@@ -11,7 +11,7 @@
 mode: "0755"
 owner: root
 group: root
- remote_src: yes
+ remote_src: true
 - name: Kata-containers | Create config directory
 file:
diff --git a/roles/container-engine/nerdctl/handlers/main.yml b/roles/container-engine/nerdctl/handlers/main.yml
index 98de60c1c3e..1744706075c 100644
--- a/roles/container-engine/nerdctl/handlers/main.yml
+++ b/roles/container-engine/nerdctl/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Get nerdctl completion
 command: "{{ bin_dir }}/nerdctl completion bash"
- changed_when: False
+ changed_when: false
 register: nerdctl_completion
 check_mode: false
diff --git a/roles/container-engine/runc/tasks/main.yml b/roles/container-engine/runc/tasks/main.yml
index 3ee3fdae05f..1d388768d47 100644
--- a/roles/container-engine/runc/tasks/main.yml
+++ b/roles/container-engine/runc/tasks/main.yml
@@ -2,9 +2,9 @@
 - name: Runc | check if fedora coreos
 stat:
 path: /run/ostree-booted
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: ostree
 - name: Runc | set is_ostree
diff --git a/roles/container-engine/skopeo/tasks/main.yml b/roles/container-engine/skopeo/tasks/main.yml
index 95bb9697fb1..8f21e3f1c3b 100644
--- a/roles/container-engine/skopeo/tasks/main.yml
+++ b/roles/container-engine/skopeo/tasks/main.yml
@@ -2,9 +2,9 @@
 - name: Skopeo | check if fedora coreos
 stat:
 path: /run/ostree-booted
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: ostree
 - name: Skopeo | set is_ostree
diff --git a/roles/container-engine/validate-container-engine/tasks/main.yml b/roles/container-engine/validate-container-engine/tasks/main.yml
index 08ea1e5ca38..ffb541c2480 100644
--- a/roles/container-engine/validate-container-engine/tasks/main.yml
+++ b/roles/container-engine/validate-container-engine/tasks/main.yml
@@ -2,9 +2,9 @@
 - name: Validate-container-engine | check if fedora coreos
 stat:
 path: /run/ostree-booted
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: ostree
 tags:
 - facts
@@ -30,8 +30,8 @@
 - name: Check if containerd is installed
 find:
 file_type: file
- recurse: yes
- use_regex: yes
+ recurse: true
+ use_regex: true
 patterns:
 - containerd.service$
 paths:
@@ -45,8 +45,8 @@
 - name: Check if docker is installed
 find:
 file_type: file
- recurse: yes
- use_regex: yes
+ recurse: true
+ use_regex: true
 patterns:
 - docker.service$
 paths:
@@ -60,8 +60,8 @@
 - name: Check if crio is installed
 find:
 file_type: file
- recurse: yes
- use_regex: yes
+ recurse: true
+ use_regex: true
 patterns:
 - crio.service$
 paths:
diff --git a/roles/download/tasks/check_pull_required.yml b/roles/download/tasks/check_pull_required.yml
index e5ae1dcf349..58501312572 100644
--- a/roles/download/tasks/check_pull_required.yml
+++ b/roles/download/tasks/check_pull_required.yml
@@ -5,7 +5,7 @@
 shell: "{{ image_info_command }}"
 register: docker_images
 changed_when: false
- check_mode: no
+ check_mode: false
 when: not download_always_pull
 - name: Check_pull_required | Set pull_required if the desired image is not yet loaded
diff --git a/roles/download/tasks/download_container.yml b/roles/download/tasks/download_container.yml
index f98adfa3f9f..5e67fe8c550 100644
--- a/roles/download/tasks/download_container.yml
+++ b/roles/download/tasks/download_container.yml
@@ -26,12 +26,12 @@
 - name: Download_container | Determine if image is in cache
 stat:
 path: "{{ image_path_cached }}"
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 delegate_to: localhost
 connection: local
- delegate_facts: no
+ delegate_facts: false
 register: cache_image
 changed_when: false
 become: false
@@ -57,7 +57,7 @@
 - name: Download_container | Download image if required
 command: "{{ image_pull_command_on_localhost if download_localhost else image_pull_command }} {{ image_reponame }}"
 delegate_to: "{{ download_delegate if download_run_once else inventory_hostname }}"
- delegate_facts: yes
+ delegate_facts: true
 run_once: "{{ download_run_once }}"
 register: pull_task_result
 until: pull_task_result is succeeded
@@ -72,7 +72,7 @@
 - name: Download_container | Save and compress image
 shell: "{{ image_save_command_on_localhost if download_localhost else image_save_command }}" # noqa command-instead-of-shell - image_save_command_on_localhost contains a pipe, therefore requires shell
 delegate_to: "{{ download_delegate }}"
- delegate_facts: no
+ delegate_facts: false
 register: container_save_status
 failed_when: container_save_status.stderr
 run_once: true
@@ -99,7 +99,7 @@
 dest: "{{ image_path_final }}"
 use_ssh_args: true
 mode: push
- delegate_facts: no
+ delegate_facts: false
 register: upload_image
 failed_when: not upload_image
 until: upload_image is succeeded
diff --git a/roles/download/tasks/download_file.yml b/roles/download/tasks/download_file.yml
index 00dd33a28eb..53a7a819798 100644
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -24,13 +24,13 @@
 owner: "{{ download.owner | default(omit) }}"
 mode: "0755"
 state: directory
- recurse: yes
+ recurse: true
 - name: Download_file | Create local cache directory
 file:
 path: "{{ file_path_cached | dirname }}"
 state: directory
- recurse: yes
+ recurse: true
 delegate_to: localhost
 connection: local
 delegate_facts: false
@@ -45,7 +45,7 @@
 file:
 path: "{{ file_path_cached | dirname }}"
 state: directory
- recurse: yes
+ recurse: true
 delegate_to: "{{ download_delegate }}"
 delegate_facts: false
 run_once: true
diff --git a/roles/download/tasks/extract_file.yml b/roles/download/tasks/extract_file.yml
index 59d0531f613..ce7536f4fae 100644
--- a/roles/download/tasks/extract_file.yml
+++ b/roles/download/tasks/extract_file.yml
@@ -5,7 +5,7 @@
 dest: "{{ download.dest | dirname }}"
 owner: "{{ download.owner | default(omit) }}"
 mode: "{{ download.mode | default(omit) }}"
- copy: no
+ copy: false
 extra_opts: "{{ download.unarchive_extra_opts | default(omit) }}"
 when:
 - download.unarchive | default(false)
diff --git a/roles/download/tasks/prep_download.yml b/roles/download/tasks/prep_download.yml
index a8a79d71115..15f3a91daf1 100644
--- a/roles/download/tasks/prep_download.yml
+++ b/roles/download/tasks/prep_download.yml
@@ -62,7 +62,7 @@
 register: docker_images
 failed_when: false
 changed_when: false
- check_mode: no
+ check_mode: false
 when: download_container
 - name: Prep_download | Create staging directory on remote node
@@ -81,7 +81,7 @@
 mode: "0755"
 delegate_to: localhost
 connection: local
- delegate_facts: no
+ delegate_facts: false
 run_once: true
 become: false
 when:
diff --git a/roles/download/tasks/prep_kubeadm_images.yml b/roles/download/tasks/prep_kubeadm_images.yml
index ca7055c4967..c1e8c6cdcba 100644
--- a/roles/download/tasks/prep_kubeadm_images.yml
+++ b/roles/download/tasks/prep_kubeadm_images.yml
@@ -1,11 +1,4 @@
 ---
-- name: Prep_kubeadm_images | Check kubeadm version matches kubernetes version
- fail:
- msg: "Kubeadm version {{ kubeadm_version }} do not matches kubernetes {{ kube_version }}"
- when:
- - not skip_downloads | default(false)
- - not kubeadm_version == downloads.kubeadm.version
 - name: Prep_kubeadm_images | Download kubeadm binary
 include_tasks: "download_file.yml"
 vars:
diff --git a/roles/etcd/handlers/backup.yml b/roles/etcd/handlers/backup.yml
index 9c05a3ad00f..84e03accd0b 100644
--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -23,9 +23,9 @@
 - name: Stat etcd v2 data directory
 stat:
 path: "{{ etcd_data_dir }}/member"
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: etcd_data_dir_member
 listen: Restart etcd
 when: etcd_cluster_is_healthy.rc == 0
diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml
index 62a8999456e..9c8b8a82f16 100644
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
@@ -26,7 +26,7 @@
 - name: Wait for etcd up
 uri:
 url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
- validate_certs: no
+ validate_certs: false
 client_cert: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
 client_key: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
 register: result
@@ -41,7 +41,7 @@
 - name: Wait for etcd-events up
 uri:
 url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2383/health"
- validate_certs: no
+ validate_certs: false
 client_cert: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
 client_key: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
 register: result
diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml
index 1611f9ec1d9..440685aa739 100644
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@@ -17,9 +17,9 @@
 - name: "Check certs | Register ca and etcd admin/member certs on etcd hosts"
 stat:
 path: "{{ etcd_cert_dir }}/{{ item }}"
- get_attributes: no
- get_checksum: yes
- get_mime: no
+ get_attributes: false
+ get_checksum: true
+ get_mime: false
 register: etcd_member_certs
 when: inventory_hostname in groups['etcd']
 with_items:
diff --git a/roles/etcd/tasks/configure.yml b/roles/etcd/tasks/configure.yml
index 4cf5387a09d..b7b943f0d10 100644
--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -6,8 +6,8 @@
 register: etcd_cluster_is_healthy
 failed_when: false
 changed_when: false
- check_mode: no
- run_once: yes
+ check_mode: false
+ run_once: true
 when:
 - is_etcd_master
 - etcd_cluster_setup
@@ -27,8 +27,8 @@
 register: etcd_events_cluster_is_healthy
 failed_when: false
 changed_when: false
- check_mode: no
- run_once: yes
+ check_mode: false
+ run_once: true
 when:
 - is_etcd_master
 - etcd_events_cluster_setup
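Review bot: Both `Wait for etcd up` and `Wait for etcd-events up` keep `validate_certs: false`, so the readiness probe authenticates itself with the member certificate from `etcd_cert_dir` but never verifies the endpoint it is talking to, and the rewrite from `no` to `false` is a good moment to close that. Since the role already tracks a CA in `etcd_cert_dir` (see the `Register ca and etcd admin/member certs` task further down), `validate_certs: true` together with `ca_path: "{{ etcd_cert_dir }}/<ETCD-CA-FILE-PLACEHOLDER>"` would make the probe fail closed instead of accepting whatever answers on `:2379`/`:2383`. This presumes the server certificates carry `etcd_address` and `127.0.0.1` as SANs, which is not visible here; if they do not, the non-master branch of the URL would need a SAN name rather than the loopback address. The same point applies to the `Wait for kube-apiserver` tasks in `roles/kubernetes-apps/ansible/tasks/main.yml` and `roles/kubernetes-apps/cluster_roles/tasks/main.yml` later in this diff, with the CA taken from the kube certificate directory instead.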
@@ -49,7 +49,7 @@
 template:
 src: "etcd-{{ etcd_deployment_type }}.service.j2"
 dest: /etc/systemd/system/etcd.service
- backup: yes
+ backup: true
 mode: "0644"
 # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
 # Remove once we drop support for systemd < 250
@@ -60,7 +60,7 @@
 template:
 src: "etcd-events-{{ etcd_deployment_type }}.service.j2"
 dest: /etc/systemd/system/etcd-events.service
- backup: yes
+ backup: true
 mode: "0644"
 validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:etcd-events-{{ etcd_deployment_type }}.service'"
 # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
@@ -77,7 +77,7 @@
 service:
 name: etcd
 state: started
- enabled: yes
+ enabled: true
 ignore_errors: "{{ etcd_cluster_is_healthy.rc == 0 }}" # noqa ignore-errors
 when: is_etcd_master and etcd_cluster_setup
@@ -86,7 +86,7 @@
 service:
 name: etcd-events
 state: started
- enabled: yes
+ enabled: true
 ignore_errors: "{{ etcd_events_cluster_is_healthy.rc != 0 }}" # noqa ignore-errors
 when: is_etcd_master and etcd_events_cluster_setup
@@ -99,8 +99,8 @@
 retries: "{{ etcd_retries }}"
 delay: "{{ retry_stagger | random + 3 }}"
 changed_when: false
- check_mode: no
- run_once: yes
+ check_mode: false
+ run_once: true
 when:
 - is_etcd_master
 - etcd_cluster_setup
@@ -122,8 +122,8 @@
 retries: "{{ etcd_retries }}"
 delay: "{{ retry_stagger | random + 3 }}"
 changed_when: false
- check_mode: no
- run_once: yes
+ check_mode: false
+ run_once: true
 when:
 - is_etcd_master
 - etcd_events_cluster_setup
@@ -141,7 +141,7 @@
 register: etcd_member_in_cluster
 ignore_errors: true # noqa ignore-errors
 changed_when: false
- check_mode: no
+ check_mode: false
 when: is_etcd_master and etcd_cluster_setup
 tags:
 - facts
@@ -157,7 +157,7 @@
 register: etcd_events_member_in_cluster
 ignore_errors: true # noqa ignore-errors
 changed_when: false
- check_mode: no
+ check_mode: false
 when: is_etcd_master and etcd_events_cluster_setup
 tags:
 - facts
diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index 711c14d6479..934b5eb370d 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -6,7 +6,7 @@
 state: directory
 owner: "{{ etcd_owner }}"
 mode: "{{ etcd_cert_dir_mode }}"
- recurse: yes
+ recurse: true
 - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
 file:
@@ -14,7 +14,7 @@
 state: directory
 owner: root
 mode: "0700"
- run_once: yes
+ run_once: true
 when: inventory_hostname == groups['etcd'][0]
 - name: Gen_certs | write openssl config
@@ -22,7 +22,7 @@
 src: "openssl.conf.j2"
 dest: "{{ etcd_config_dir }}/openssl.conf"
 mode: "0640"
- run_once: yes
+ run_once: true
 delegate_to: "{{ groups['etcd'][0] }}"
 when:
 - gen_certs | default(false)
@@ -33,7 +33,7 @@
 src: "make-ssl-etcd.sh.j2"
 dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
 mode: "0700"
- run_once: yes
+ run_once: true
 when:
 - gen_certs | default(false)
 - inventory_hostname == groups['etcd'][0]
@@ -43,7 +43,7 @@
 environment:
 MASTERS: "{{ groups['gen_master_certs_True'] | ansible.builtin.intersect(groups['etcd']) | join(' ') }}"
 HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['kube_control_plane']) | join(' ') }}"
- run_once: yes
+ run_once: true
 delegate_to: "{{ groups['etcd'][0] }}"
 when: gen_certs | default(false)
 notify: Set etcd_secret_changed
@@ -52,7 +52,7 @@
 command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
 environment:
 HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['k8s_cluster']) | join(' ') }}"
- run_once: yes
+ run_once: true
 delegate_to: "{{ groups['etcd'][0] }}"
 when:
 - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
@@ -153,4 +153,4 @@
 state: directory
 owner: "{{ etcd_owner }}"
 mode: "{{ etcd_cert_dir_mode }}"
- recurse: yes
+ recurse: true
diff --git a/roles/etcd/tasks/gen_nodes_certs_script.yml b/roles/etcd/tasks/gen_nodes_certs_script.yml
index 2093bf8807f..e074d0c01a7 100644
--- a/roles/etcd/tasks/gen_nodes_certs_script.yml
+++ b/roles/etcd/tasks/gen_nodes_certs_script.yml
@@ -21,7 +21,7 @@
 executable: /bin/bash
 no_log: "{{ not (unsafe_show_logs | bool) }}"
 register: etcd_node_certs
- check_mode: no
+ check_mode: false
 delegate_to: "{{ groups['etcd'][0] }}"
 changed_when: false
diff --git a/roles/etcd/tasks/install_docker.yml b/roles/etcd/tasks/install_docker.yml
index a7aba5094c5..f393bd4eb66 100644
--- a/roles/etcd/tasks/install_docker.yml
+++ b/roles/etcd/tasks/install_docker.yml
@@ -29,7 +29,7 @@
 dest: "{{ bin_dir }}/etcd"
 owner: 'root'
 mode: "0750"
- backup: yes
+ backup: true
 when: etcd_cluster_setup
 - name: Install etcd-events launch script
@@ -38,5 +38,5 @@
 dest: "{{ bin_dir }}/etcd-events"
 owner: 'root'
 mode: "0750"
- backup: yes
+ backup: true
 when: etcd_events_cluster_setup
diff --git a/roles/etcd/tasks/install_host.yml b/roles/etcd/tasks/install_host.yml
index 7bfc7e2ab02..eb67952ea3c 100644
--- a/roles/etcd/tasks/install_host.yml
+++ b/roles/etcd/tasks/install_host.yml
@@ -25,7 +25,7 @@
 src: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
 dest: "{{ bin_dir }}/{{ item }}"
 mode: "0755"
- remote_src: yes
+ remote_src: true
 with_items:
 - etcd
 when: etcd_cluster_setup
diff --git a/roles/etcd/tasks/join_etcd-events_member.yml b/roles/etcd/tasks/join_etcd-events_member.yml
index 0fad331e389..106f06e0336 100644
--- a/roles/etcd/tasks/join_etcd-events_member.yml
+++ b/roles/etcd/tasks/join_etcd-events_member.yml
@@ -32,7 +32,7 @@
 executable: /bin/bash
 register: etcd_events_member_in_cluster
 changed_when: false
- check_mode: no
+ check_mode: false
 tags:
 - facts
 environment:
@@ -46,4 +46,4 @@
 service:
 name: etcd-events
 state: started
- enabled: yes
+ enabled: true
diff --git a/roles/etcd/tasks/join_etcd_member.yml b/roles/etcd/tasks/join_etcd_member.yml
index ee77d4b2631..a2e37714d68 100644
--- a/roles/etcd/tasks/join_etcd_member.yml
+++ b/roles/etcd/tasks/join_etcd_member.yml
@@ -33,7 +33,7 @@
 executable: /bin/bash
 register: etcd_member_in_cluster
 changed_when: false
- check_mode: no
+ check_mode: false
 retries: "{{ etcd_retries }}"
 delay: "{{ retry_stagger | random + 3 }}"
 until: etcd_member_in_cluster.rc == 0
@@ -50,4 +50,4 @@
 service:
 name: etcd
 state: started
- enabled: yes
+ enabled: true
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 40ca3de5f12..74d5f16d399 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -33,7 +33,7 @@
 command: "openssl x509 -in {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -noout -serial"
 register: "etcd_client_cert_serial_result"
 changed_when: false
- check_mode: no
+ check_mode: false
 when:
 - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
 - kube_network_plugin != "calico" or calico_datastore == "etcd"
diff --git a/roles/etcdctl_etcdutl/tasks/main.yml b/roles/etcdctl_etcdutl/tasks/main.yml
index b9e6832f549..053e14295f4 100644
--- a/roles/etcdctl_etcdutl/tasks/main.yml
+++ b/roles/etcdctl_etcdutl/tasks/main.yml
@@ -24,7 +24,7 @@
 unarchive:
 src: "{{ downloads.etcd.dest }}"
 dest: "{{ local_release_dir }}/"
- remote_src: yes
+ remote_src: true
 when: container_manager in ['crio', 'containerd']
 - name: Copy etcdctl and etcdutl binary from download dir
@@ -32,7 +32,7 @@
 src: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
 dest: "{{ bin_dir }}/{{ item }}"
 mode: "0755"
- remote_src: yes
+ remote_src: true
 with_items:
 - etcdctl
 - etcdutl
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index e3d82f10699..18deee8053e 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -2,7 +2,7 @@
 - name: Kubernetes Apps | Wait for kube-apiserver
 uri:
 url: "{{ kube_apiserver_endpoint }}/healthz"
- validate_certs: no
+ validate_certs: false
 client_cert: "{{ kube_apiserver_client_cert }}"
 client_key: "{{ kube_apiserver_client_key }}"
 register: result
diff --git a/roles/kubernetes-apps/argocd/tasks/main.yml b/roles/kubernetes-apps/argocd/tasks/main.yml
index 3cfe06fc7ba..05c63337bed 100644
--- a/roles/kubernetes-apps/argocd/tasks/main.yml
+++ b/roles/kubernetes-apps/argocd/tasks/main.yml
@@ -8,10 +8,10 @@
 ansible.posix.synchronize:
 src: "{{ downloads.yq.dest }}"
 dest: "{{ bin_dir }}/yq"
- compress: no
- perms: yes
- owner: no
- group: no
+ compress: false
+ perms: true
+ owner: false
+ group: false
 delegate_to: "{{ inventory_hostname }}"
 - name: Kubernetes Apps | Set ArgoCD template list
@@ -49,17 +49,17 @@
 ansible.posix.synchronize:
 src: "{{ local_release_dir }}/{{ item.file }}"
 dest: "{{ kube_config_dir }}/{{ item.file }}"
- compress: no
- perms: yes
- owner: no
- group: no
+ compress: false
+ perms: true
+ owner: false
+ group: false
 delegate_to: "{{ inventory_hostname }}"
 with_items: "{{ argocd_templates | selectattr('url', 'defined') | list }}"
 when:
 - "inventory_hostname == groups['kube_control_plane'][0]"
 - name: Kubernetes Apps | Set ArgoCD namespace for remote manifests
- become: yes
+ become: true
 command: |
 {{ bin_dir }}/yq eval-all -i '.metadata.namespace="{{ argocd_namespace }}"' {{ kube_config_dir }}/{{ item.file }}
 with_items: "{{ argocd_templates | selectattr('url', 'defined') | list }}"
@@ -69,7 +69,7 @@
 - "inventory_hostname == groups['kube_control_plane'][0]"
 - name: Kubernetes Apps | Create ArgoCD manifests from templates
- become: yes
+ become: true
 template:
 src: "{{ item.file }}.j2"
 dest: "{{ kube_config_dir }}/{{ item.file }}"
@@ -81,7 +81,7 @@
 - "inventory_hostname == groups['kube_control_plane'][0]"
 - name: Kubernetes Apps | Install ArgoCD
- become: yes
+ become: true
 kube:
 name: ArgoCD
 kubectl: "{{ bin_dir }}/kubectl"
@@ -93,7 +93,7 @@
 # https://github.com/argoproj/argo-cd/blob/master/docs/faq.md#i-forgot-the-admin-password-how-do-i-reset-it
 - name: Kubernetes Apps | Set ArgoCD custom admin password
- become: yes
+ become: true
 shell: |
 {{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n {{ argocd_namespace }} patch secret argocd-secret -p \
 '{
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 8d7230e0af0..ef4737eac4f 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -2,7 +2,7 @@ - name: Kubernetes Apps | Wait for kube-apiserver uri: url: "{{ kube_apiserver_endpoint }}/healthz" - validate_certs: no + validate_certs: false client_cert: "{{ kube_apiserver_client_cert }}" client_key: "{{ kube_apiserver_client_key }}" register: result diff --git a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml index 0d4144141ba..325e3cb7d89 100644 --- a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml +++ b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml @@ -21,7 +21,7 @@ vsphere_csi_controller_replicas: 1 csi_endpoint: '{% if external_vsphere_version >= "7.0u1" %}/csi{% else %}/var/lib/csi/sockets/pluginproxy{% endif %}' -vsphere_csi_aggressive_node_drain: False +vsphere_csi_aggressive_node_drain: false vsphere_csi_aggressive_node_unreachable_timeout: 300 vsphere_csi_aggressive_node_not_ready_timeout: 300 diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml index 61596aefb02..5951381a2ca 100644 --- a/roles/kubernetes-apps/helm/tasks/main.yml +++ b/roles/kubernetes-apps/helm/tasks/main.yml @@ -37,13 +37,13 @@ - name: Helm | Get helm completion command: "{{ bin_dir }}/helm completion bash" - changed_when: False + changed_when: false register: helm_completion - check_mode: False + check_mode: false - name: Helm | Install helm completion copy: dest: /etc/bash_completion.d/helm.sh content: "{{ helm_completion.stdout }}" mode: "0755" - become: True + become: true diff --git a/roles/kubernetes-apps/helm/tasks/pyyaml-flatcar.yml b/roles/kubernetes-apps/helm/tasks/pyyaml-flatcar.yml index ea0d63a08d0..72f0e2182aa 100644 --- a/roles/kubernetes-apps/helm/tasks/pyyaml-flatcar.yml +++ b/roles/kubernetes-apps/helm/tasks/pyyaml-flatcar.yml 
@@ -2,13 +2,13 @@ - name: Get installed pip version command: "{{ ansible_python_interpreter if ansible_python_interpreter is defined else 'python' }} -m pip --version" register: pip_version_output - ignore_errors: yes + ignore_errors: true changed_when: false - name: Get installed PyYAML version command: "{{ ansible_python_interpreter if ansible_python_interpreter is defined else 'python' }} -m pip show PyYAML" register: pyyaml_version_output - ignore_errors: yes + ignore_errors: true changed_when: false - name: Install pip diff --git a/roles/kubernetes-apps/krew/tasks/krew.yml b/roles/kubernetes-apps/krew/tasks/krew.yml index e46dbb48dcc..3308aef8570 100644 --- a/roles/kubernetes-apps/krew/tasks/krew.yml +++ b/roles/kubernetes-apps/krew/tasks/krew.yml @@ -24,15 +24,15 @@ - name: Krew | Get krew completion command: "{{ local_release_dir }}/krew-{{ host_os }}_{{ image_arch }} completion bash" - changed_when: False + changed_when: false register: krew_completion - check_mode: False - ignore_errors: yes # noqa ignore-errors + check_mode: false + ignore_errors: true # noqa ignore-errors - name: Krew | Install krew completion copy: dest: /etc/bash_completion.d/krew.sh content: "{{ krew_completion.stdout }}" mode: "0755" - become: True + become: true when: krew_completion.rc == 0 diff --git a/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml b/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml index bc0f932d8d6..587b652a5bf 100644 --- a/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml +++ b/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml @@ -13,7 +13,7 @@ - name: Weave | Wait for Weave to become available uri: url: http://127.0.0.1:6784/status - return_content: yes + return_content: true register: weave_status retries: 180 delay: 5 diff --git a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-api-crds.yaml.j2 b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-api-crds.yaml.j2 index 6866c7ffe99..0a73c5dcae8 100644 
--- a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-api-crds.yaml.j2 +++ b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-api-crds.yaml.j2 @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: nodefeatures.nfd.k8s-sigs.io spec: group: nfd.k8s-sigs.io 
@@ -17,23 +17,30 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: NodeFeature resource holds the features discovered for one node - in the cluster. + description: |- + NodeFeature resource holds the features discovered for one node in the + cluster. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: NodeFeatureSpec describes a NodeFeature object. + description: Specification of the NodeFeature, containing features discovered + for a node. properties: features: description: Features is the full "raw" features data that has been 
@@ -47,6 +54,7 @@ spec: elements: additionalProperties: type: string + description: Individual features of the feature set. type: object required: - elements @@ -64,6 +72,7 @@ spec: description: Nil is a dummy empty struct for protobuf compatibility type: object + description: Individual features of the feature set. type: object required: - elements @@ -77,6 +86,7 @@ spec: which is an instance having multiple attributes. properties: elements: + description: Individual features of the feature set. items: description: InstanceFeature represents one instance of a complex features, e.g. a device. @@ -84,6 +94,7 @@ spec: attributes: additionalProperties: type: string + description: Attributes of the instance feature. type: object required: - attributes 
@@ -113,7 +124,278 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 + name: nodefeaturegroups.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeatureGroup + listKind: NodeFeatureGroupList + plural: nodefeaturegroups + shortNames: + - nfg + singular: nodefeaturegroup + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeatureGroup resource holds Node pools by featureGroup + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the rules to be evaluated. + properties: + featureGroupRules: + description: List of rules to evaluate to determine nodes that belong + in this group. + items: + description: GroupRule defines a rule for nodegroup filtering. + properties: + matchAny: + description: MatchAny specifies a list of matchers one of which + must match. + items: + description: MatchAnyElem specifies one sub-matcher of MatchAny. + properties: + matchFeatures: + description: MatchFeatures specifies a set of matcher + terms all of which must match. + items: + description: |- + FeatureMatcherTerm defines requirements against one feature set. 
All + requirements (specified as MatchExpressions) are evaluated against each + element in the feature set. + properties: + feature: + description: Feature is the name of the feature + set to match against. + type: string + matchExpressions: + additionalProperties: + description: |- + MatchExpression specifies an expression to evaluate against a set of input + values. It contains an operator that is applied when matching the input and + an array of values that the operator evaluates the input against. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + description: |- + MatchExpressions is the set of per-element expressions evaluated. These + match against the value of the specified elements. + type: object + matchName: + description: |- + MatchName in an expression that is matched against the name of each + element in the feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. 
+ In other cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + required: + - feature + type: object + type: array + required: + - matchFeatures + type: object + type: array + matchFeatures: + description: MatchFeatures specifies a set of matcher terms + all of which must match. + items: + description: |- + FeatureMatcherTerm defines requirements against one feature set. All + requirements (specified as MatchExpressions) are evaluated against each + element in the feature set. + properties: + feature: + description: Feature is the name of the feature set to + match against. + type: string + matchExpressions: + additionalProperties: + description: |- + MatchExpression specifies an expression to evaluate against a set of input + values. It contains an operator that is applied when matching the input and + an array of values that the operator evaluates the input against. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + description: |- + MatchExpressions is the set of per-element expressions evaluated. These + match against the value of the specified elements. + type: object + matchName: + description: |- + MatchName in an expression that is matched against the name of each + element in the feature set. + properties: + op: + description: Op is the operator to be applied. 
+ enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + required: + - feature + type: object + type: array + name: + description: Name of the rule. + type: string + required: + - name + type: object + type: array + required: + - featureGroupRules + type: object + status: + description: |- + Status of the NodeFeatureGroup after the most recent evaluation of the + specification. + properties: + nodes: + description: Nodes is a list of FeatureGroupNode in the cluster that + match the featureGroupRules + items: + properties: + name: + description: Name of the node. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 name: nodefeaturerules.nfd.k8s-sigs.io spec: group: nfd.k8s-sigs.io 
@@ -129,23 +411,29 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: NodeFeatureRule resource specifies a configuration for feature-based + description: |- + NodeFeatureRule resource specifies a configuration for feature-based customization of node objects, such as node labeling. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: NodeFeatureRuleSpec describes a NodeFeatureRule. + description: Spec defines the rules to be evaluated. properties: rules: description: Rules is a list of node customization rules. 
@@ -153,6 +441,11 @@ spec: description: Rule defines a rule for node customization such as labeling. properties: + annotations: + additionalProperties: + type: string + description: Annotations to create if the rule matches. + type: object extendedResources: additionalProperties: type: string @@ -164,10 +457,10 @@ spec: description: Labels to create if the rule matches. type: object labelsTemplate: - description: LabelsTemplate specifies a template to expand for - dynamically generating multiple labels. Data (after template - expansion) must be keys with an optional value ([=]) - separated by newlines. + description: |- + LabelsTemplate specifies a template to expand for dynamically generating + multiple labels. Data (after template expansion) must be keys with an + optional value ([=]) separated by newlines. type: string matchAny: description: MatchAny specifies a list of matchers one of which 
@@ -179,25 +472,21 @@ spec: description: MatchFeatures specifies a set of matcher terms all of which must match. items: - description: FeatureMatcherTerm defines requirements - against one feature set. All requirements (specified - as MatchExpressions) are evaluated against each element - in the feature set. + description: |- + FeatureMatcherTerm defines requirements against one feature set. All + requirements (specified as MatchExpressions) are evaluated against each + element in the feature set. properties: feature: + description: Feature is the name of the feature + set to match against. type: string matchExpressions: additionalProperties: - description: "MatchExpression specifies an expression - to evaluate against a set of input values. It - contains an operator that is applied when matching - the input and an array of values that the operator - evaluates the input against. \n NB: CreateMatchExpression - or MustCreateMatchExpression() should be used - for creating new instances. \n NB: Validate() - must be called if Op or Value fields are modified - or if a new instance is created from scratch - without using the helper functions." + description: |- + MatchExpression specifies an expression to evaluate against a set of input + values. It contains an operator that is applied when matching the input and + an array of values that the operator evaluates the input against. properties: op: description: Op is the operator to be applied. 
@@ -214,28 +503,56 @@ spec: - IsFalse type: string value: - description: Value is the list of values that - the operand evaluates the input against. - Value should be empty if the operator is - Exists, DoesNotExist, IsTrue or IsFalse. - Value should contain exactly one element - if the operator is Gt or Lt and exactly - two elements if the operator is GtLt. In - other cases Value should contain at least - one element. + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. items: type: string type: array required: - op type: object - description: MatchExpressionSet contains a set of - MatchExpressions, each of which is evaluated against - a set of input values. + description: |- + MatchExpressions is the set of per-element expressions evaluated. These + match against the value of the specified elements. + type: object + matchName: + description: |- + MatchName in an expression that is matched against the name of each + element in the feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. + items: + type: string + type: array + required: + - op type: object required: - feature - - matchExpressions type: object type: array required: 
@@ -246,23 +563,21 @@ spec: description: MatchFeatures specifies a set of matcher terms all of which must match. items: - description: FeatureMatcherTerm defines requirements against - one feature set. All requirements (specified as MatchExpressions) - are evaluated against each element in the feature set. + description: |- + FeatureMatcherTerm defines requirements against one feature set. All + requirements (specified as MatchExpressions) are evaluated against each + element in the feature set. properties: feature: + description: Feature is the name of the feature set to + match against. type: string matchExpressions: additionalProperties: - description: "MatchExpression specifies an expression - to evaluate against a set of input values. It contains - an operator that is applied when matching the input - and an array of values that the operator evaluates - the input against. \n NB: CreateMatchExpression or - MustCreateMatchExpression() should be used for creating - new instances. \n NB: Validate() must be called if - Op or Value fields are modified or if a new instance - is created from scratch without using the helper functions." + description: |- + MatchExpression specifies an expression to evaluate against a set of input + values. It contains an operator that is applied when matching the input and + an array of values that the operator evaluates the input against. properties: op: description: Op is the operator to be applied. 
@@ -279,25 +594,56 @@ spec: - IsFalse type: string value: - description: Value is the list of values that the - operand evaluates the input against. Value should - be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly - one element if the operator is Gt or Lt and exactly - two elements if the operator is GtLt. In other - cases Value should contain at least one element. + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. items: type: string type: array required: - op type: object - description: MatchExpressionSet contains a set of MatchExpressions, - each of which is evaluated against a set of input values. + description: |- + MatchExpressions is the set of per-element expressions evaluated. These + match against the value of the specified elements. + type: object + matchName: + description: |- + MatchName in an expression that is matched against the name of each + element in the feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: |- + Value is the list of values that the operand evaluates the input + against. Value should be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly one element if the + operator is Gt or Lt and exactly two elements if the operator is GtLt. + In other cases Value should contain at least one element. + items: + type: string + type: array + required: + - op type: object required: - feature - - matchExpressions type: object type: array name: 
@@ -306,21 +652,24 @@ spec: taints: description: Taints to create if the rule matches. items: - description: The node this Taint is attached to has the "effect" - on any pod that does not tolerate the Taint. + description: |- + The node this Taint is attached to has the "effect" on + any pod that does not tolerate the Taint. properties: effect: - description: Required. The effect of the taint on pods - that do not tolerate the taint. Valid effects are NoSchedule, - PreferNoSchedule and NoExecute. + description: |- + Required. The effect of the taint on pods + that do not tolerate the taint. + Valid effects are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: Required. The taint key to be applied to a node. type: string timeAdded: - description: TimeAdded represents the time at which the - taint was added. It is only written for NoExecute taints. + description: |- + TimeAdded represents the time at which the taint was added. + It is only written for NoExecute taints. format: date-time type: string value: 
@@ -335,17 +684,17 @@ spec: vars: additionalProperties: type: string - description: Vars is the variables to store if the rule matches. - Variables do not directly inflict any changes in the node - object. However, they can be referenced from other rules enabling - more complex rule hierarchies, without exposing intermediary - output values as labels. + description: |- + Vars is the variables to store if the rule matches. Variables do not + directly inflict any changes in the node object. However, they can be + referenced from other rules enabling more complex rule hierarchies, + without exposing intermediary output values as labels. type: object varsTemplate: - description: VarsTemplate specifies a template to expand for - dynamically generating multiple variables. Data (after template - expansion) must be keys with an optional value ([=]) - separated by newlines. + description: |- + VarsTemplate specifies a template to expand for dynamically generating + multiple variables. Data (after template expansion) must be keys with an + optional value ([=]) separated by newlines. type: string required: - name diff --git a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2 b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2 index ce880d86e15..328b3e660e4 100644 --- a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2 +++ b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2 @@ -18,10 +18,18 @@ rules: resources: - nodefeatures - nodefeaturerules + - nodefeaturegroups verbs: - get - list - watch +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeaturegroup/status + verbs: + - patch + - update - apiGroups: - coordination.k8s.io resources: diff --git a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-master.yaml.j2 b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-master.yaml.j2 index 34867301490..c4aacefd8ec 100644 
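Review bot: The new status rule in nfd-clusterrole.yaml.j2 names the resource `nodefeaturegroup/status`, but RBAC resource names are the plural form used in the API path, and the NodeFeatureGroup CRD added by this same commit declares `plural: nodefeaturegroups` (the get/list/watch rule just above already uses that spelling). As written the rule matches nothing, so the controller's `patch`/`update` of NodeFeatureGroup status would be denied even though the intent was to allow it. Change the line to `- nodefeaturegroups/status`.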
--- a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-master.yaml.j2 +++ b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-master.yaml.j2 @@ -33,22 +33,18 @@ spec: image: {{ node_feature_discovery_image_repo }}:{{ node_feature_discovery_image_tag }} imagePullPolicy: IfNotPresent livenessProbe: - exec: - command: - - "/usr/bin/grpc_health_probe" - - "-addr=:8080" + grpc: + port: 8082 initialDelaySeconds: 10 periodSeconds: 10 readinessProbe: - exec: - command: - - "/usr/bin/grpc_health_probe" - - "-addr=:8080" + grpc: + port: 8082 initialDelaySeconds: 5 periodSeconds: 10 failureThreshold: 10 ports: - - containerPort: 8080 + - containerPort: 8082 name: grpc - containerPort: 8081 name: metrics diff --git a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-role.yaml.j2 b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-role.yaml.j2 index 62813459890..074e39bdea0 100644 --- a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-role.yaml.j2 +++ b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-role.yaml.j2 @@ -12,3 +12,9 @@ rules: - create - get - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get diff --git a/roles/kubernetes/client/tasks/main.yml b/roles/kubernetes/client/tasks/main.yml index cc788775048..9202051981f 100644 --- a/roles/kubernetes/client/tasks/main.yml +++ b/roles/kubernetes/client/tasks/main.yml @@ -30,9 +30,9 @@ copy: src: "{{ kube_config_dir }}/admin.conf" dest: "{{ ansible_env.HOME | default('/root') }}/.kube/config" - remote_src: yes + remote_src: true mode: "0600" - backup: yes + backup: true - name: Create kube artifacts dir file: @@ -41,8 +41,8 @@ state: directory delegate_to: localhost connection: local - become: no - run_once: yes + become: false + run_once: true when: kubeconfig_localhost - name: Wait for k8s apiserver 
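Review bot: Both gRPC probes and the containerPort named `grpc` now point at 8082, but the container args that decide which port serves the gRPC API and which serves health checks are outside this hunk, so it cannot be verified here that 8082 serves both. If the image still serves its API on 8080 and only its health service on 8082, this hunk drops the declared API port, and anything addressing the named port `grpc` (a Service targetPort, for instance) would reach the health endpoint instead. In that case keep `- containerPort: 8080` / `name: grpc` and declare the probe port separately as `- containerPort: 8082` / `name: health`; please confirm against the image's flags before merging.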
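Review bot: The rule added to nfd-role.yaml.j2 grants `get` on every Pod in the namespace without saying which component needs it or for what, so a least-privilege review of this Role is not possible from the file alone. A comment above the new `apiGroups` entry, e.g. `# <component> reads its own Pod object — TODO confirm which code path needs this`, would record the intent and let a later reviewer judge whether the grant is still required.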
@@ -54,7 +54,7 @@ - name: Get admin kubeconfig from remote host slurp: src: "{{ kube_config_dir }}/admin.conf" - run_once: yes + run_once: true register: raw_admin_kubeconfig when: kubeconfig_localhost @@ -83,21 +83,21 @@ mode: "0600" delegate_to: localhost connection: local - become: no - run_once: yes + become: false + run_once: true when: kubeconfig_localhost - name: Copy kubectl binary to ansible host fetch: src: "{{ bin_dir }}/kubectl" dest: "{{ artifacts_dir }}/kubectl" - flat: yes - validate_checksum: no + flat: true + validate_checksum: false register: copy_binary_result until: copy_binary_result is not failed retries: 20 - become: no - run_once: yes + become: false + run_once: true when: kubectl_localhost - name: Create helper script kubectl.sh on ansible host @@ -107,8 +107,8 @@ ${BASH_SOURCE%/*}/kubectl --kubeconfig=${BASH_SOURCE%/*}/admin.conf "$@" dest: "{{ artifacts_dir }}/kubectl.sh" mode: "0755" - become: no - run_once: yes + become: false + run_once: true delegate_to: localhost connection: local when: kubectl_localhost and kubeconfig_localhost diff --git a/roles/kubernetes/control-plane/handlers/main.yml b/roles/kubernetes/control-plane/handlers/main.yml index be5fdffb125..3d7f3e07409 100644 --- a/roles/kubernetes/control-plane/handlers/main.yml +++ b/roles/kubernetes/control-plane/handlers/main.yml @@ -81,7 +81,7 @@ endpoint: "{{ kube_scheduler_bind_address if kube_scheduler_bind_address != '0.0.0.0' else 'localhost' }}" uri: url: https://{{ endpoint }}:10259/healthz - validate_certs: no + validate_certs: false register: scheduler_result until: scheduler_result.status == 200 retries: 60 @@ -95,7 +95,7 @@ endpoint: "{{ kube_controller_manager_bind_address if kube_controller_manager_bind_address != '0.0.0.0' else 'localhost' }}" uri: url: https://{{ endpoint }}:10257/healthz - validate_certs: no + validate_certs: false register: controller_manager_result until: controller_manager_result.status == 200 retries: 60 
@@ -107,7 +107,7 @@ - name: Master | wait for the apiserver to be running uri: url: "{{ kube_apiserver_endpoint }}/healthz" - validate_certs: no + validate_certs: false register: result until: result.status == 200 retries: 60 diff --git a/roles/kubernetes/control-plane/tasks/define-first-kube-control.yml b/roles/kubernetes/control-plane/tasks/define-first-kube-control.yml index ce5894d11b1..5faa184858f 100644 --- a/roles/kubernetes/control-plane/tasks/define-first-kube-control.yml +++ b/roles/kubernetes/control-plane/tasks/define-first-kube-control.yml @@ -3,7 +3,7 @@ - name: Check which kube-control nodes are already members of the cluster command: "{{ bin_dir }}/kubectl get nodes --selector=node-role.kubernetes.io/control-plane -o json" register: kube_control_planes_raw - ignore_errors: yes + ignore_errors: true changed_when: false - name: Set fact joined_control_planes @@ -12,7 +12,7 @@ delegate_to: "{{ item }}" loop: "{{ groups['kube_control_plane'] }}" when: kube_control_planes_raw is succeeded - run_once: yes + run_once: true - name: Set fact first_kube_control_plane set_fact: diff --git a/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml b/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml index 9b998c52bc7..2950c76e27d 100644 --- a/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml +++ b/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml @@ -2,9 +2,9 @@ - name: Check if secret for encrypting data at rest already exist stat: path: "{{ kube_cert_dir }}/secrets_encryption.yaml" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: secrets_encryption_file - name: Slurp secrets_encryption file if it exists diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml index 36bb62798ec..918f7cf47da 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml 
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml @@ -4,7 +4,7 @@ src: "{{ kube_cert_dir }}/{{ item }}" dest: "{{ kube_cert_dir }}/{{ item }}.old" mode: preserve - remote_src: yes + remote_src: true with_items: - apiserver.crt - apiserver.key @@ -19,7 +19,7 @@ src: "{{ kube_config_dir }}/{{ item }}" dest: "{{ kube_config_dir }}/{{ item }}.old" mode: preserve - remote_src: yes + remote_src: true with_items: - admin.conf - controller-manager.conf diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml b/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml index 5376aba81e6..e47f571d339 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml @@ -5,7 +5,7 @@ dest: "{{ kube_config_dir }}/{{ item }}" regexp: '^ server: https' line: ' server: {{ kube_apiserver_endpoint }}' - backup: yes + backup: true with_items: - admin.conf - controller-manager.conf diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml index 128e93f3662..413d4946cb8 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml @@ -25,7 +25,7 @@ - name: Parse certificate key if not set set_fact: kubeadm_certificate_key: "{{ hostvars[groups['kube_control_plane'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}" - run_once: yes + run_once: true when: - hostvars[groups['kube_control_plane'][0]]['kubeadm_upload_cert'] is defined - hostvars[groups['kube_control_plane'][0]]['kubeadm_upload_cert'] is not skipped @@ -35,7 +35,7 @@ src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2" dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml" mode: "0640" - backup: yes + backup: true when: - inventory_hostname != first_kube_control_plane - not kubeadm_already_run.stat.exists 
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml index dfbe604a4c8..52700af2e59 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml @@ -13,9 +13,9 @@ - name: Kubeadm | Check if kubeadm has already run stat: path: "/var/lib/kubelet/config.yaml" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kubeadm_already_run - name: Kubeadm | Backup kubeadm certs / kubeconfig diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml index 7638a896864..f88921e98ac 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml @@ -15,7 +15,6 @@ {{ bin_dir }}/kubeadm upgrade apply -y {{ kube_version }} --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }} - --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }} @@ -37,7 +36,6 @@ {{ bin_dir }}/kubeadm upgrade apply -y {{ kube_version }} --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }} - --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }} diff --git a/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml b/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml index 7d0c1a0d59e..409ecb043a0 100644 --- a/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml +++ b/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml 
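Review bot: Dropping `--config={{ kube_config_dir }}/kubeadm-config.yaml` from both `kubeadm upgrade apply` invocations (this hunk and `@@ -37,7 +36,6 @@`) means the upgrade now takes its ClusterConfiguration from the `kubeadm-config` ConfigMap in kube-system instead of the file Kubespray renders, so any template change since the last init or upgrade is no longer applied by the upgrade unless something refreshes that ConfigMap first; nothing in the visible hunks does. Either a task should confirm the stored config is current before the upgrade runs, or a comment above the command should state that the in-cluster config is authoritative and why (presumably to stop node-specific settings being re-applied cluster-wide). `--ignore-preflight-errors=all` is kept, so a stale stored configuration would not be caught by kubeadm's preflight either. The enclosing `command:` block starts and ends outside the hunk.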
@@ -4,7 +4,7 @@
 path: "{{ kube_config_dir }}/kubelet.conf"
 regexp: '^ client-certificate-data: '
 line: ' client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem'
- backup: yes
+ backup: true
 notify:
 - "Master | reload kubelet"
 
@@ -13,6 +13,6 @@
 path: "{{ kube_config_dir }}/kubelet.conf"
 regexp: '^ client-key-data: '
 line: ' client-key: /var/lib/kubelet/pki/kubelet-client-current.pem'
- backup: yes
+ backup: true
 notify:
 - "Master | reload kubelet"
diff --git a/roles/kubernetes/control-plane/tasks/main.yml b/roles/kubernetes/control-plane/tasks/main.yml
index 5d58014e80b..518bac96131 100644
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -120,7 +120,7 @@
 - name: Renew K8S control plane certificates monthly 2/2
 systemd_service:
 name: k8s-certs-renew.timer
- enabled: yes
+ enabled: true
 state: started
 daemon_reload: "{{ k8s_certs_units is changed }}"
 when: auto_renew_certificates
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
index 0eb746aef6b..ca48a3a9116 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -127,7 +127,6 @@ apiServer:
 anonymous-auth: "{{ kube_api_anonymous_auth }}"
 {% endif %}
 authorization-mode: {{ authorization_modes | join(',') }}
- advertise-address: {{ kube_apiserver_address }}
 bind-address: {{ kube_apiserver_bind_address }}
 {% if kube_apiserver_enable_admission_plugins | length > 0 %}
 enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index 2b5778726aa..ad6ac36beaf 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
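Review bot: With `advertise-address` removed from the `apiServer` extraArgs in kubeadm-config.v1beta3.yaml.j2, the address each kube-apiserver advertises now depends entirely on kubeadm's per-node `localAPIEndpoint.advertiseAddress` (InitConfiguration on the first node, JoinConfiguration on the others); neither is visible in this hunk, so please confirm both templates set it from `kube_apiserver_address`, otherwise kubeadm falls back to the default-route interface, which on multi-homed nodes can publish the API endpoint on an unintended network. Moving a per-node IP out of the cluster-wide ClusterConfiguration is the right direction, since that section is shared through the kubeadm-config ConfigMap. A template comment at the head of the extraArgs block, `{# advertise-address is per node: set via localAPIEndpoint, never here #}`, would stop it being re-added.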
@@ -14,17 +14,17 @@ - name: Check if kubelet.conf exists stat: path: "{{ kube_config_dir }}/kubelet.conf" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kubelet_conf - name: Check if kubeadm CA cert is accessible stat: path: "{{ kube_cert_dir }}/ca.crt" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kubeadm_ca_stat delegate_to: "{{ groups['kube_control_plane'][0] }}" run_once: true @@ -79,7 +79,7 @@ template: src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2" dest: "{{ kube_config_dir }}/kubeadm-client.conf" - backup: yes + backup: true mode: "0640" when: not is_kube_master @@ -140,7 +140,7 @@ dest: "{{ kube_config_dir }}/kubelet.conf" regexp: 'server:' line: ' server: {{ kube_apiserver_endpoint }}' - backup: yes + backup: true when: - kubeadm_config_api_fqdn is not defined - not is_kube_master @@ -152,7 +152,7 @@ dest: "{{ kube_config_dir }}/kubelet.conf" regexp: '^ server: https' line: ' server: {{ kube_apiserver_endpoint }}' - backup: yes + backup: true when: - not is_kube_master - loadbalancer_apiserver is defined diff --git a/roles/kubernetes/node-label/tasks/main.yml b/roles/kubernetes/node-label/tasks/main.yml index 00e87504c6f..3ebb6459476 100644 --- a/roles/kubernetes/node-label/tasks/main.yml +++ b/roles/kubernetes/node-label/tasks/main.yml @@ -2,7 +2,7 @@ - name: Kubernetes Apps | Wait for kube-apiserver uri: url: "{{ kube_apiserver_endpoint }}/healthz" - validate_certs: no + validate_certs: false client_cert: "{{ kube_apiserver_client_cert }}" client_key: "{{ kube_apiserver_client_key }}" register: result diff --git a/roles/kubernetes/node/tasks/facts.yml b/roles/kubernetes/node/tasks/facts.yml index 0aaa11d60a7..6e8995274cb 100644 --- a/roles/kubernetes/node/tasks/facts.yml +++ b/roles/kubernetes/node/tasks/facts.yml 
@@ -8,7 +8,7 @@ executable: /bin/bash register: docker_cgroup_driver_result changed_when: false - check_mode: no + check_mode: false - name: Set kubelet_cgroup_driver_detected fact for docker set_fact: diff --git a/roles/kubernetes/node/tasks/kubelet.yml b/roles/kubernetes/node/tasks/kubelet.yml index b63aefe1f18..1f27bd072d1 100644 --- a/roles/kubernetes/node/tasks/kubelet.yml +++ b/roles/kubernetes/node/tasks/kubelet.yml @@ -11,7 +11,7 @@ src: "kubelet.env.{{ kubeletConfig_api_version }}.j2" dest: "{{ kube_config_dir }}/kubelet.env" setype: "{{ (preinstall_selinux_state != 'disabled') | ternary('etc_t', omit) }}" - backup: yes + backup: true mode: "0600" notify: Node | restart kubelet tags: @@ -32,7 +32,7 @@ template: src: "kubelet.service.j2" dest: "/etc/systemd/system/kubelet.service" - backup: "yes" + backup: true mode: "0600" validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:kubelet.service'" # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release) @@ -48,7 +48,7 @@ - name: Enable kubelet service: name: kubelet - enabled: yes + enabled: true state: started tags: - kubelet diff --git a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml index 2d3454e5a2f..b4c58126e48 100644 --- a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml +++ b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml @@ -17,14 +17,14 @@ dest: "{{ haproxy_config_dir }}/haproxy.cfg" owner: root mode: "0755" - backup: yes + backup: true - name: Haproxy | Get checksum from config stat: path: "{{ haproxy_config_dir }}/haproxy.cfg" - get_attributes: no - get_checksum: yes - get_mime: no + get_attributes: false + get_checksum: true + get_mime: false register: haproxy_stat - name: Haproxy | Write static pod 
diff --git a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
index 7e34715932a..b52261a62c0 100644
--- a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
@@ -6,6 +6,32 @@
 - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
 - kube_vip_arp_enabled
 
+- name: Kube-vip | Check if super-admin.conf exists
+ stat:
+ path: "{{ kube_config_dir }}/super-admin.conf"
+ failed_when: false
+ changed_when: false
+ register: stat_kube_vip_super_admin
+
+- name: Kube-vip | Check if kubeadm has already run
+ stat:
+ path: "/var/lib/kubelet/config.yaml"
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
+ register: kubeadm_already_run
+
+- name: Kube-vip | Set admin.conf
+ set_fact:
+ kube_vip_admin_conf: admin.conf
+
+- name: Kube-vip | Set admin.conf for first Control Plane
+ set_fact:
+ kube_vip_admin_conf: super-admin.conf
+ when:
+ - inventory_hostname == groups['kube_control_plane'] | first
+ - (stat_kube_vip_super_admin.stat.exists and stat_kube_vip_super_admin.stat.isreg) or (not kubeadm_already_run.stat.exists )
+
 - name: Kube-vip | Write static pod
 template:
 src: manifests/kube-vip.manifest.j2
diff --git a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
index aeeacc80d15..66ebe55e0cb 100644
--- a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
@@ -17,14 +17,14 @@
 dest: "{{ nginx_config_dir }}/nginx.conf"
 owner: root
 mode: "0755"
- backup: yes
+ backup: true
 
 - name: Nginx-proxy | Get checksum from config
 stat:
 path: "{{ nginx_config_dir }}/nginx.conf"
- get_attributes: no
- get_checksum: yes
- get_mime: no
+ get_attributes: false
+ get_checksum: true
+ get_mime: false
 register: nginx_stat
 
 - name: Nginx-proxy | Write static pod
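Review bot: The `Kube-vip | Set admin.conf for first Control Plane` condition selects `super-admin.conf` whenever that file exists on the first control plane, not only while kubeadm has not yet run, so on every later run the static pod on that node keeps mounting the kubeadm super-admin kubeconfig (a `system:masters` credential that kubeadm leaves on disk after init) even though `admin.conf` suffices once the cluster is bootstrapped. If the override is only meant to bridge the window before the `kubeadm:cluster-admins` binding exists, the second `when` entry should be just `- not kubeadm_already_run.stat.exists`, so the next run falls back to `admin.conf`; if it genuinely has to persist, the reason belongs in a comment on the task. Also, with `failed_when: false` a failed stat leaves `stat_kube_vip_super_admin.stat` undefined and the `when` then errors instead of skipping; `stat_kube_vip_super_admin.stat.exists | default(false)` guards that. `register: kubeadm_already_run` reuses the name the control-plane role registers for the same check (see the kubeadm-setup.yml hunk in this diff), which is harmless only while both tasks stat the same path.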
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index 7dc2114057e..56117bc3a99 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml @@ -51,10 +51,10 @@ ansible.posix.sysctl: name: net.ipv4.ip_local_reserved_ports value: "{{ kube_apiserver_node_port_range }}" - sysctl_set: yes + sysctl_set: true sysctl_file: "{{ sysctl_file_path }}" state: present - reload: yes + reload: true when: kube_apiserver_node_port_range is defined tags: - kube-proxy @@ -66,7 +66,7 @@ register: modinfo_br_netfilter failed_when: modinfo_br_netfilter.rc not in [0, 1] changed_when: false - check_mode: no + check_mode: false # TODO: Remove once upstream issue is fixed # https://github.com/ansible-collections/community.general/issues/7717 @@ -97,7 +97,7 @@ command: "sysctl net.bridge.bridge-nf-call-iptables" failed_when: false changed_when: false - check_mode: no + check_mode: false register: sysctl_bridge_nf_call_iptables - name: Enable bridge-nf-call tables @@ -106,7 +106,7 @@ state: present sysctl_file: "{{ sysctl_file_path }}" value: "1" - reload: yes + reload: true when: sysctl_bridge_nf_call_iptables.rc == 0 with_items: - net.bridge.bridge-nf-call-iptables diff --git a/roles/kubernetes/node/tasks/pre_upgrade.yml b/roles/kubernetes/node/tasks/pre_upgrade.yml index d9c2d07ef17..e4bbf6b747b 100644 --- a/roles/kubernetes/node/tasks/pre_upgrade.yml +++ b/roles/kubernetes/node/tasks/pre_upgrade.yml @@ -11,7 +11,7 @@ executable: /bin/bash failed_when: false changed_when: false - check_mode: no + check_mode: false register: kubelet_container_check - name: "Pre-upgrade | copy /var/lib/cni from kubelet" diff --git a/roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2 index 11a971e9321..35b6f0eeeb9 100644 --- a/roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2 +++ b/roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2 
@@ -119,6 +119,6 @@ spec:
 hostNetwork: true
 volumes:
 - hostPath:
- path: /etc/kubernetes/admin.conf
+ path: /etc/kubernetes/{{kube_vip_admin_conf}}
 name: kubeconfig
 status: {}
diff --git a/roles/kubernetes/preinstall/handlers/main.yml b/roles/kubernetes/preinstall/handlers/main.yml
index 35140ab42fc..cc69fe42c8d 100644
--- a/roles/kubernetes/preinstall/handlers/main.yml
+++ b/roles/kubernetes/preinstall/handlers/main.yml
@@ -31,9 +31,9 @@
 - name: Preinstall | kube-apiserver configured
 stat:
 path: "{{ kube_manifest_dir }}/kube-apiserver.yaml"
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: kube_apiserver_set
 when: inventory_hostname in groups['kube_control_plane'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'
 listen: Preinstall | propagate resolvconf to k8s components
@@ -42,9 +42,9 @@
 - name: Preinstall | kube-controller configured
 stat:
 path: "{{ kube_manifest_dir }}/kube-controller-manager.yaml"
- get_attributes: no
- get_checksum: no
- get_mime: no
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
 register: kube_controller_set
 when: inventory_hostname in groups['kube_control_plane'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'
 listen: Preinstall | propagate resolvconf to k8s components
@@ -109,7 +109,7 @@
 - name: Preinstall | wait for the apiserver to be running
 uri:
 url: "{{ kube_apiserver_endpoint }}/healthz"
- validate_certs: no
+ validate_certs: false
 register: result
 until: result.status == 200
 retries: 60
diff --git a/roles/kubernetes/preinstall/tasks/0010-swapoff.yml b/roles/kubernetes/preinstall/tasks/0010-swapoff.yml
index 45474c844d4..76d95d11d90 100644
--- a/roles/kubernetes/preinstall/tasks/0010-swapoff.yml
+++ b/roles/kubernetes/preinstall/tasks/0010-swapoff.yml
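Review bot: The new hostPath line hardcodes `/etc/kubernetes/` while the tasks that choose `kube_vip_admin_conf` stat `{{ kube_config_dir }}/super-admin.conf`, so the existence check and the mount diverge as soon as `kube_config_dir` is overridden (the old line had the same hardcoding, but it now sits next to a templated name, which is the moment to fix it): `path: {{ kube_config_dir }}/{{ kube_vip_admin_conf }}`. The other Jinja expressions visible in this diff use spaces inside the braces, so `{{kube_vip_admin_conf}}` is out of style as well. Because this volume can hand kube-vip the kubeadm super-admin credential, a comment on the volume stating which file is selected and why, e.g. `# super-admin.conf only on the first control plane before kubeadm has bootstrapped it`, would help the next reader.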
@@ -2,9 +2,9 @@ - name: Check if /etc/fstab exists stat: path: "/etc/fstab" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: fstab_file - name: Remove swapfile from /etc/fstab diff --git a/roles/kubernetes/preinstall/tasks/0020-set_facts.yml b/roles/kubernetes/preinstall/tasks/0020-set_facts.yml index ea0b8849fa4..263bca400a1 100644 --- a/roles/kubernetes/preinstall/tasks/0020-set_facts.yml +++ b/roles/kubernetes/preinstall/tasks/0020-set_facts.yml @@ -12,28 +12,28 @@ register: resolvconf failed_when: false changed_when: false - check_mode: no + check_mode: false - name: Check existence of /etc/resolvconf/resolv.conf.d stat: path: /etc/resolvconf/resolv.conf.d - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false failed_when: false register: resolvconfd_path - name: Check status of /etc/resolv.conf stat: path: /etc/resolv.conf - follow: no - get_attributes: no - get_checksum: no - get_mime: no + follow: false + get_attributes: false + get_checksum: false + get_mime: false failed_when: false register: resolvconf_stat -- name: Fetch resolconf +- name: Fetch resolvconf when: resolvconf_stat.stat.exists is defined and resolvconf_stat.stat.exists block: @@ -72,7 +72,7 @@ register: systemd_resolved_enabled failed_when: false changed_when: false - check_mode: no + check_mode: false - name: Set default dns if remove_default_searchdomains is false set_fact: @@ -94,9 +94,9 @@ - name: Check if kubelet is configured stat: path: "{{ kube_config_dir }}/kubelet.env" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kubelet_configured changed_when: false 
@@ -121,9 +121,9 @@ - name: Check if /etc/dhclient.conf exists stat: path: /etc/dhclient.conf - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: dhclient_stat - name: Target dhclient conf file for /etc/dhclient.conf @@ -134,9 +134,9 @@ - name: Check if /etc/dhcp/dhclient.conf exists stat: path: /etc/dhcp/dhclient.conf - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: dhcp_dhclient_stat - name: Target dhclient conf file for /etc/dhcp/dhclient.conf @@ -218,9 +218,9 @@ - name: Check /usr readonly stat: path: "/usr" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: usr - name: Set alternate flexvolume path diff --git a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml index 1bb0f4856f4..af9ca0674de 100644 --- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml @@ -1,5 +1,5 @@ --- -- name: Stop if either kube_control_plane or kube_node group is empty +- name: Stop if kube_control_plane group is empty assert: that: groups.get( 'kube_control_plane' ) run_once: true @@ -44,7 +44,7 @@ assert: that: item.value | type_debug == 'bool' msg: "{{ item.value }} isn't a bool" - run_once: yes + run_once: true with_items: - { name: download_run_once, value: "{{ download_run_once }}" } - { name: deploy_netchecker, value: "{{ deploy_netchecker }}" } 
@@ -172,21 +172,21 @@ that: - kube_service_addresses | ansible.utils.ipaddr('net') msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range" - run_once: yes + run_once: true - name: "Check that kube_pods_subnet is a network range" assert: that: - kube_pods_subnet | ansible.utils.ipaddr('net') msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range" - run_once: yes + run_once: true - name: "Check that kube_pods_subnet does not collide with kube_service_addresses" assert: that: - kube_pods_subnet | ansible.utils.ipaddr(kube_service_addresses) | string == 'None' msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses" - run_once: yes + run_once: true - name: "Check that IP range is enough for the nodes" assert: @@ -194,7 +194,7 @@ - 2 ** (kube_network_node_prefix - kube_pods_subnet | ansible.utils.ipaddr('prefix')) >= groups['k8s_cluster'] | length msg: "Not enough IPs are available for the desired node count." when: kube_network_plugin != 'calico' - run_once: yes + run_once: true - name: Stop if unknown dns mode assert: @@ -246,7 +246,7 @@ # TODO: Clean this task up when we drop backward compatibility support for `etcd_kubeadm_enabled` - name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker and etcd_kubeadm_enabled is not defined - run_once: yes + run_once: true when: etcd_kubeadm_enabled is defined block: - name: Warn the user if they are still using `etcd_kubeadm_enabled` @@ -292,7 +292,7 @@ assert: that: containerd_version is version(containerd_min_version_required, '>=') msg: "containerd_version is too low. Minimum version {{ containerd_min_version_required }}" - run_once: yes + run_once: true when: - containerd_version not in ['latest', 'edge', 'stable'] - container_manager == 'containerd' 
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml index 2fff8ef5608..507a72d7817 100644 --- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml +++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml @@ -48,9 +48,9 @@ - name: Check if kubernetes kubeadm compat cert dir exists stat: path: "{{ kube_cert_compat_dir }}" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kube_cert_compat_dir_check when: - inventory_hostname in groups['k8s_cluster'] diff --git a/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml b/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml index 6219161fa4f..9aad0dba8e3 100644 --- a/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml +++ b/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml @@ -16,7 +16,7 @@ options ndots:{{ ndots }} timeout:{{ dns_timeout | default('2') }} attempts:{{ dns_attempts | default('2') }} state: present insertbefore: BOF - create: yes + create: true backup: "{{ not resolvconf_stat.stat.islnk }}" marker: "# Ansible entries {mark}" mode: "0644" diff --git a/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml b/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml index ca51e88b910..6ebed25535a 100644 --- a/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml +++ b/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml @@ -3,7 +3,7 @@ file: path: "/etc/NetworkManager/conf.d" state: directory - recurse: yes + recurse: true - name: NetworkManager | Prevent NetworkManager from managing Calico interfaces (cali*/tunl*/vxlan.calico) copy: diff --git a/roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml b/roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml index e155f0a1805..6dfa7242643 100644 
--- a/roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml +++ b/roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml @@ -6,7 +6,7 @@ option: servers value: "{{ nameserverentries }}" mode: '0600' - backup: yes + backup: true when: - nameserverentries != "127.0.0.53" or systemd_resolved_enabled.rc != 0 notify: Preinstall | update resolvconf for networkmanager @@ -23,7 +23,7 @@ option: searches value: "{{ (default_searchdomains | default([]) + searchdomains | default([])) | join(',') }}" mode: '0600' - backup: yes + backup: true notify: Preinstall | update resolvconf for networkmanager - name: NetworkManager | Add DNS options to NM configuration @@ -33,5 +33,5 @@ option: options value: "ndots:{{ ndots }},timeout:{{ dns_timeout | default('2') }},attempts:{{ dns_attempts | default('2') }}" mode: '0600' - backup: yes + backup: true notify: Preinstall | update resolvconf for networkmanager diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index cddbe1ecfec..c8b480c8449 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml @@ -34,7 +34,7 @@ - name: Update package management cache (APT) apt: - update_cache: yes + update_cache: true cache_valid_time: 3600 when: ansible_os_family == "Debian" tags: diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml index 5b2c7d10af9..8941a649a4c 100644 --- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml +++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml @@ -3,9 +3,9 @@ - name: Confirm selinux deployed stat: path: /etc/selinux/config - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false when: - ansible_os_family == "RedHat" - "'Amazon' not in ansible_distribution" 
@@ -27,8 +27,8 @@ dest: /etc/gai.conf line: "precedence ::ffff:0:0/96 100" state: present - create: yes - backup: yes + create: true + backup: true mode: "0644" when: - disable_ipv6_dns @@ -47,9 +47,9 @@ - name: Stat sysctl file configuration stat: path: "{{ sysctl_file_path }}" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: sysctl_file_stat tags: - bootstrap-os @@ -75,7 +75,7 @@ name: net.ipv4.ip_forward value: "1" state: present - reload: yes + reload: true - name: Enable ipv6 forwarding ansible.posix.sysctl: @@ -83,15 +83,15 @@ name: net.ipv6.conf.all.forwarding value: "1" state: present - reload: yes + reload: true when: enable_dual_stack_networks | bool - name: Check if we need to set fs.may_detach_mounts stat: path: /proc/sys/fs/may_detach_mounts - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: fs_may_detach_mounts ignore_errors: true # noqa ignore-errors @@ -101,7 +101,7 @@ name: fs.may_detach_mounts value: 1 state: present - reload: yes + reload: true when: fs_may_detach_mounts.stat.exists | d(false) - name: Ensure kubelet expected parameters are set @@ -110,7 +110,7 @@ name: "{{ item.name }}" value: "{{ item.value }}" state: present - reload: yes + reload: true with_items: - { name: kernel.keys.root_maxbytes, value: 25000000 } - { name: kernel.keys.root_maxkeys, value: 1000000 } @@ -133,7 +133,7 @@ name: "{{ item.name }}" value: "{{ item.value }}" state: present - reload: yes + reload: true with_items: "{{ additional_sysctl }}" - name: Disable fapolicyd service diff --git a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml index 4ec9a69e6e2..0b44d26adc6 100644 --- a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml +++ b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml 
@@ -11,17 +11,17 @@ {% endfor %} delegate_to: localhost connection: local - delegate_facts: yes - run_once: yes + delegate_facts: true + run_once: true - name: Hosts | populate inventory into hosts file blockinfile: path: /etc/hosts block: "{{ hostvars.localhost.etc_hosts_inventory_block }}" state: "{{ 'present' if populate_inventory_to_hosts_file else 'absent' }}" - create: yes - backup: yes - unsafe_writes: yes + create: true + backup: true + unsafe_writes: true marker: "# Ansible inventory hosts {mark}" mode: "0644" @@ -31,8 +31,8 @@ regexp: ".*{{ apiserver_loadbalancer_domain_name }}$" line: "{{ loadbalancer_apiserver.address }} {{ apiserver_loadbalancer_domain_name }}" state: present - backup: yes - unsafe_writes: yes + backup: true + unsafe_writes: true when: - populate_loadbalancer_apiserver_to_hosts_file - loadbalancer_apiserver is defined @@ -69,8 +69,8 @@ line: "{{ item.key }} {{ item.value | join(' ') }}" regexp: "^{{ item.key }}.*$" state: present - backup: yes - unsafe_writes: yes + backup: true + unsafe_writes: true loop: "{{ etc_hosts_localhosts_dict_target | default({}) | dict2items }}" # gather facts to update ansible_fqdn diff --git a/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml b/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml index 6276034d3d7..9745ab261bc 100644 --- a/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml +++ b/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml @@ -6,10 +6,10 @@ {{ item }} {% endfor %} path: "{{ dhclientconffile }}" - create: yes + create: true state: present insertbefore: BOF - backup: yes + backup: true marker: "# Ansible entries {mark}" mode: "0644" notify: Preinstall | propagate resolvconf to k8s components diff --git a/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml b/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml index 024e39f9fd4..dd320d50a96 100644 --- a/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml 
+++ b/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml @@ -7,7 +7,7 @@ blockinfile: path: "{{ dhclientconffile }}" state: absent - backup: yes + backup: true marker: "# Ansible entries {mark}" notify: Preinstall | propagate resolvconf to k8s components diff --git a/roles/kubernetes/preinstall/tasks/0120-growpart-azure-centos-7.yml b/roles/kubernetes/preinstall/tasks/0120-growpart-azure-centos-7.yml index 621629f6ade..b9c35875e03 100644 --- a/roles/kubernetes/preinstall/tasks/0120-growpart-azure-centos-7.yml +++ b/roles/kubernetes/preinstall/tasks/0120-growpart-azure-centos-7.yml @@ -22,7 +22,7 @@ - name: Check if growpart needs to be run command: growpart -N {{ device }} {{ partition }} - failed_when: False + failed_when: false changed_when: "'NOCHANGE:' not in growpart_needed.stdout" register: growpart_needed environment: @@ -30,7 +30,7 @@ - name: Check fs type command: file -Ls {{ root_device }} - changed_when: False + changed_when: false register: fs_type - name: Run growpart # noqa no-handler diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml index ee846f8ba02..722beecd3a8 100644 --- a/roles/kubernetes/preinstall/tasks/main.yml +++ b/roles/kubernetes/preinstall/tasks/main.yml @@ -121,9 +121,9 @@ - name: Check if we are running inside a Azure VM stat: path: /var/lib/waagent/ - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: azure_check when: - not dns_late diff --git a/roles/kubernetes/tokens/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml index a157a0597ee..d8bb203e91c 100644 --- a/roles/kubernetes/tokens/tasks/check-tokens.yml +++ b/roles/kubernetes/tokens/tasks/check-tokens.yml 
@@ -2,9 +2,9 @@ - name: "Check_tokens | check if the tokens have already been generated on first master" stat: path: "{{ kube_token_dir }}/known_tokens.csv" - get_attributes: no - get_checksum: yes - get_mime: no + get_attributes: false + get_checksum: true + get_mime: false delegate_to: "{{ groups['kube_control_plane'][0] }}" register: known_tokens_master run_once: true @@ -23,9 +23,9 @@ - name: "Check tokens | check if a cert already exists" stat: path: "{{ kube_token_dir }}/known_tokens.csv" - get_attributes: no - get_checksum: yes - get_mime: no + get_attributes: false + get_checksum: true + get_mime: false register: known_tokens - name: "Check_tokens | Set 'sync_tokens' to true" diff --git a/roles/kubernetes/tokens/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml index 1dabf965755..a64aea9e022 100644 --- a/roles/kubernetes/tokens/tasks/gen_tokens.yml +++ b/roles/kubernetes/tokens/tasks/gen_tokens.yml @@ -4,7 +4,7 @@ src: "kube-gen-token.sh" dest: "{{ kube_script_dir }}/kube-gen-token.sh" mode: "0700" - run_once: yes + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" when: gen_tokens | default(false) @@ -17,7 +17,7 @@ - "{{ groups['kube_control_plane'] }}" register: gentoken_master changed_when: "'Added' in gentoken_master.stdout" - run_once: yes + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" when: gen_tokens | default(false) @@ -30,14 +30,14 @@ - "{{ groups['kube_node'] }}" register: gentoken_node changed_when: "'Added' in gentoken_node.stdout" - run_once: yes + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" when: gen_tokens | default(false) - name: Gen_tokens | Get list of tokens from first master command: "find {{ kube_token_dir }} -maxdepth 1 -type f" register: tokens_list - check_mode: no + check_mode: false delegate_to: "{{ groups['kube_control_plane'][0] }}" run_once: true when: sync_tokens | default(false) 
@@ -47,7 +47,7 @@ args: executable: /bin/bash register: tokens_data - check_mode: no + check_mode: false delegate_to: "{{ groups['kube_control_plane'][0] }}" run_once: true when: sync_tokens | default(false) diff --git a/roles/kubespray-defaults/defaults/main/checksums.yml b/roles/kubespray-defaults/defaults/main/checksums.yml index a997d66514e..27e928e14d3 100644 --- a/roles/kubespray-defaults/defaults/main/checksums.yml +++ b/roles/kubespray-defaults/defaults/main/checksums.yml @@ -73,6 +73,7 @@ crio_archive_checksums: # Kubernetes versions above Kubespray's current target version are untested and should be used with caution. kubelet_checksums: arm: + v1.30.4: 0 v1.30.3: 0 v1.30.2: 0 v1.30.1: 0 @@ -99,6 +100,7 @@ kubelet_checksums: v1.28.1: 0 v1.28.0: 0 arm64: + v1.30.4: d3df7a4acff9aba5518930b9c417e8e0ca8cf5e105b7fee6504891fa8f3e962a v1.30.3: 41d1926cd7b9c7c250c45f11c8fa9d1946cae98aec2eefc61a2cb4933612bcce v1.30.2: 72ceb082311b42032827a936f80cd2437b8eee03053d05dbe36ba48585febfb8 v1.30.1: c45049b829af876588ec1a30def3884ce77c2c175cd77485d49c78d2064a38fb @@ -125,6 +127,7 @@ kubelet_checksums: v1.28.1: 9b7fa64b2785da4a38768377961e227f8da629c56a5df43ca1b665dd07b56f3c v1.28.0: 05dd12e35783cab4960e885ec0e7d0e461989b94297e7bea9018ccbd15c4dce9 amd64: + v1.30.4: 0c02c0f997b3e9769eae7ca051856054411fca947b3d5409d991ce1964dd0e69 v1.30.3: 9a37ddd5ea026639b7d85e98fa742e392df7aa5ec917bed0711a451613de3c1c v1.30.2: 6923abe67ef069afca61c71c585023840426e802b198298055af3a82e11a4e52 v1.30.1: 87bd6e5de9c0769c605da5fedb77a35c8b764e3bda1632447883c935dcf219d3 
@@ -151,6 +154,7 @@ kubelet_checksums: v1.28.1: 2bc22332f44f8fcd3fce57879fd873f977949ebd261571fbae31fbb2713a5dd3 v1.28.0: bfb6b977100963f2879a33e5fbaa59a5276ba829a957a6819c936e9c1465f981 ppc64le: + v1.30.4: 50ea965747f3f8c69288aa9268e5c2cc1eb6c3f0b3efa7eba862258bd225d98d v1.30.3: c48df46a72ff9764fd1bc54e99b6154772031b1e66c36b0ac5764a5801eadfc0 v1.30.2: 268dfbb7ee3abcb8ff9fd0a88f81204e40dd33d177f7878941c9ff6b7cca0474 v1.30.1: 1ac58eae0aa02fefad47d2318bfa5846ae0d7d11a5b691850cd86b2b614ceffe @@ -178,6 +182,7 @@ kubelet_checksums: v1.28.0: 22de59965f2d220afa24bf04f4c6d6b65a4bb1cd80756c13381973b1ac3b4578 kubectl_checksums: arm: + v1.30.4: a31676f522cc745f241b1fd5755b9965558e4f1f5db5149319439a15f49806d1 v1.30.3: f9147ca81cbcb7b1cf41b75d95a0fd3597defb7c0e6db8c54e6ca7f493929c71 v1.30.2: 2dab982920d87bc9a17c539bfa4f94b758afc454bb044029dee06144e8dbee08 v1.30.1: b05c4c4b1c440e8797445b8b15e9f4a00010f1365533a2420b9e68428da19d89 @@ -204,6 +209,7 @@ kubectl_checksums: v1.28.1: eaa05dab1bffb8593d8e5caa612530ee5c914ee2be73429b7ce36c3becad893f v1.28.0: 372c4e7bbe98c7067c4b7820c4a440c931ad77f7cb83d3237b439ca3c14d3d37 arm64: + v1.30.4: 1d8b4e6443c7df8e92a065d88d146142a202fea5ec694135b83d9668529ea3b1 v1.30.3: c6f9568f930b16101089f1036677bb15a3185e9ed9b8dbce2f518fb5a52b6787 v1.30.2: 56becf07105fbacd2b70f87f3f696cfbed226cb48d6d89ed7f65ba4acae3f2f8 v1.30.1: d90446719b815e3abfe7b2c46ddf8b3fda17599f03ab370d6e47b1580c0e869e @@ -230,6 +236,7 @@ kubectl_checksums: v1.28.1: 46954a604b784a8b0dc16754cfc3fa26aabca9fd4ffd109cd028bfba99d492f6 v1.28.0: f5484bd9cac66b183c653abed30226b561f537d15346c605cc81d98095f1717c amd64: + v1.30.4: 2ffd023712bbc1a9390dbd8c0c15201c165a69d394787ef03eda3eccb4b9ac06 v1.30.3: abd83816bd236b266c3643e6c852b446f068fe260f3296af1a25b550854ec7e5 v1.30.2: c6e9c45ce3f82c90663e3c30db3b27c167e8b19d83ed4048b61c1013f6a7c66e v1.30.1: 5b86f0b06e1a5ba6f8f00e2b01e8ed39407729c4990aeda961f83a586f975e8a 
@@ -256,6 +263,7 @@ kubectl_checksums: v1.28.1: e7a7d6f9d06fab38b4128785aa80f65c54f6675a0d2abef655259ddd852274e1 v1.28.0: 4717660fd1466ec72d59000bb1d9f5cdc91fac31d491043ca62b34398e0799ce ppc64le: + v1.30.4: a913b4b8573d356483d5c7f14d2cecb290b41ab3b58812567b54ce09e763aad9 v1.30.3: 3f2ba2216e43b833251a570b1218cba61d43ef2734c0a7751d281656066ab30b v1.30.2: 738bc1bad45df79fc4313d167a68ed5a1cf747f1f94e4434f0733e3126989f2e v1.30.1: ef01ae21e91600469db3df01172144fac6c61083e7d3282bef72ce732d76d0d8 @@ -283,6 +291,7 @@ kubectl_checksums: v1.28.0: 7a9dcb4c75b33b9dac497c1a756b1f12c7c63f86fc0f321452360fbe1a79ce0f kubeadm_checksums: arm: + v1.30.4: 0 v1.30.3: 0 v1.30.2: 0 v1.30.1: 0 @@ -309,6 +318,7 @@ kubeadm_checksums: v1.28.1: 0 v1.28.0: 0 arm64: + v1.30.4: 609afad8590afb39b500cc5175c64b17690f7bf0b0eebcf1d347656d262e5c8c v1.30.3: 6590f2447c87346aac29e2ab42fe4f29873f9bf154ee878f00da4c81bfdb8ea2 v1.30.2: 7268762b7afd44bf07619985dd52c376b63e47d73b8f9a3b08cc49624a8fbd55 v1.30.1: bda423cb4b9d056f99a2ef116bdf227fadbc1c3309fa3d76da571427a7f41478 @@ -335,6 +345,7 @@ kubeadm_checksums: v1.28.1: 7d2f68917470a5d66bd2a7d62897f59cb4afaeffb2f26c028afa119acd8c3fc8 v1.28.0: b9b473d2d9136559b19eb465006af77df45c09862cd7ce6673a33aae517ff5ab amd64: + v1.30.4: 6c6053fb8b31030ef7fffe146eb29489f7bf53d7a5ca10e0b10c907bf4b7e281 v1.30.3: bb78c2a27027278ee644d523f583ed7fdba48b4fbf31e3cfb0e309b6457dda69 v1.30.2: 672b0cae2accce5eac10a1fe4ea6b166e5b518c79ccf71a2fbe7b53c2ca74062 v1.30.1: 651faa3bbbfb368ed00460e4d11732614310b690b767c51810a7b638cc0961a2 
@@ -361,6 +372,7 @@ kubeadm_checksums: v1.28.1: 6134dbc92dcb83c3bae1a8030f7bb391419b5d13ea94badd3a79b7ece75b2736 v1.28.0: 12ea68bfef0377ccedc1a7c98a05ea76907decbcf1e1ec858a60a7b9b73211bb ppc64le: + v1.30.4: df0a42a57e69f3080871736d0953f1f287f63def0ed514324aca2469463efd7a v1.30.3: 76a58a7389365295fb4ea1163c2644c3700f066a8e8cb1b7897ad83576e43ce2 v1.30.2: 8aee71554003411470a5933cdff7896736ae1182055c0de6bb3782d0a7581c71 v1.30.1: dc529fae8227422a23a8d4f70e28161fa207a4da7cb24d340aae0592dd729ea5 @@ -454,6 +466,8 @@ cni_binary_checksums: v1.0.0: 1a055924b1b859c54a97dc14894ecaa9b81d6d949530b9544f0af4173f5a8f2a calicoctl_binary_checksums: arm: + v3.28.1: 0 + v3.28.0: 0 v3.27.3: 0 v3.27.2: 0 v3.27.1: 0 @@ -476,6 +490,8 @@ calicoctl_binary_checksums: v3.23.5: 0 v3.23.4: 0 arm64: + v3.28.1: c062d13534498a427c793a4a9190be4df3cf796a3feb29e4a501e1d6f48daa7c + v3.28.0: c4ca8563d2a920729116a3a30171c481580c8c447938ce974ce14d7ce25a31bf v3.27.3: 1fc5f58a18d8b1c487b4663fc5cbe23b45bd9d31617debd309f6dfac7c11a8ef v3.27.2: 0fd1f65a511338cf9940835987d420c94ab95b5386288ba9673b736a4d347463 v3.27.1: 0 @@ -498,6 +514,8 @@ calicoctl_binary_checksums: v3.23.5: 0941ad0deeb03d8fda96340948cdbc15d14062086438150cf3ec5ee2767b22c3 v3.23.4: c54b7d122d9315bbab1a88707b7168a0934a80c4f2a94c9e871bcc8a8cf11c11 amd64: + v3.28.1: 22ec5727c38dbe19001792b4ca64ac760a6e2985d5c1a231d919dbebe5bca171 + v3.28.0: 4ea270699e67ca29e5533ddb0a68d370cb0005475796c7e841f83047da6297b6 v3.27.3: e22b8bb41684f8ffb5143b50bf3b2ab76985604d774d397cfb6fb11d8a19f326 v3.27.2: 692f69dc656e41cd35e23e24f56c98c4aeeb723fed129985b46f71e6eb5e1594 v3.27.1: 0 
@@ -520,6 +538,8 @@ calicoctl_binary_checksums: v3.23.5: 4c777881709ddaabcf4b56dcbe683125d7ed5743c036fee9273c5295e522082f v3.23.4: 1ea0d3b6543645612e8239978878b6adefdb7619a16ecbdb8e6dc2687538f689 ppc64le: + v3.28.1: 985caad36fed7b883a2cd4cf91e556974bcca95fe4e6b7ff4cb64d8d8fbe9223 + v3.28.0: 0789cb0d1478ec3f0a44db265b19042be9dfc18bc1776343c7ea8d246561d12b v3.27.3: 5f2ac510c0ec31ec4c02ff2660f2502b68b655616d5b766a51bd99d2e3604fbc v3.27.2: f918bb88de1d01de3d143e1e75d0ee1256f247c5cbabec7d665aaf8d1fd3cc6c v3.27.1: 0 @@ -587,6 +607,8 @@ ciliumcli_binary_checksums: v0.15.16: 0 v0.15.15: 0 calico_crds_archive_checksums: + v3.28.1: c56f1530e7ded9d5b4afb9d83a7a24da6d2959ef7ad38521813f1c2bf138182d + v3.28.0: ee721337db0cd847e91aae1cdfd420596896ebcb865575fd913c2f12ac2cdb76 v3.27.3: d11a32919bff389f642af5df8180ad3cec586030decd35adb2a7d4a8aa3b298e v3.27.2: 8154bb4aad887f2a5500b505fe203a918f72c4e602b04c688c4b94f76a26e925 v3.27.1: 76abb0db222af279e3514cfae02be9259097b565bbb2ffcb776ca00566480edb 
@@ -650,37 +672,49 @@ krew_archive_checksums: v0.4.3: 0 helm_archive_checksums: arm: + v3.15.4: aa3fb3014d147e5dcf8bfe4f6d5fe8677029ed720d4a4bcc64e54cb745a72206 + v3.15.3: 77a9c9699c836dd34fca3d9e783f9e70e0ddbe1a4b44aa13fac82f6193da452f + v3.15.2: 2b28fda1d8c6f087011bc7ec820051a13409dadce8385529f306476632e24e85 + v3.15.1: fa7a8b472c8f311ac618a231218511efeafad306781d11ad68976e0461074b0e + v3.15.0: 614d53ab1192667facce7e8d4e884ff067e5684199a7e5223e8808abc43e927f + v3.14.4: 962297c944c06e1f275111a6e3d80e37c9e9e8fed967d4abec8efcf7fc9fb260 + v3.14.3: d4ff88f02d6731ec5dbde86a67bf391e673d0d9e87901727fbf62372aff106ec v3.14.2: b70fb6fa2cdf0a5c782320c9d7e7b155fcaec260169218c98316bb3cf0d431d9 v3.14.1: f50c00c262b74435530e677bcec07637aaeda1ed92ef809b49581a4e6182cbbe v3.14.0: cf38dfdead7266ae56662743bda0c78655814f0adeca382d1b07a812bb1a599a - v3.13.3: 0170b15f3951be399e27e0cfdc21edb211d3b6b2698e078f993d9558d9446e3f - v3.13.2: 06e8436bde78d53ddb5095ba146fe6c7001297c7dceb9ef6b68992c3ecfde770 - v3.13.1: a9c188c1a79d2eb1721aece7c4e7cfcd56fa76d1e37bd7c9c05d3969bb0499b4 - v3.13.0: bb2cdde0d12c55f65e88e7c398e67463e74bc236f68b7f307a73174b35628c2e arm64: + v3.15.4: fa419ecb139442e8a594c242343fafb7a46af3af34041c4eac1efcc49d74e626 + v3.15.3: bd57697305ba46fef3299b50168a34faa777dd2cf5b43b50df92cca7ed118cce + v3.15.2: adcf07b08484b52508e5cbc8b5f4b0b0db50342f7bc487ecd88b8948b680e6a7 + v3.15.1: b4c5519b18f01dd2441f5e09497913dc1da1a1eec209033ae792a8d45b9e0e86 + v3.15.0: c3b0281fca4c030548211dd6e9b032ee0a9fc53eab614f6acbaff631682ce808 + v3.14.4: 113ccc53b7c57c2aba0cd0aa560b5500841b18b5210d78641acfddc53dac8ab2 + v3.14.3: 85e1573e76fa60af14ba7e9ec75db2129b6884203be866893fa0b3f7e41ccd5e v3.14.2: c65d6a9557bb359abc2c0d26670de850b52327dc3976ad6f9e14c298ea3e1b61 v3.14.1: f865b8ad4228fd0990bbc5b50615eb6cb9eb31c9a9ca7238401ed897bbbe9033 v3.14.0: b29e61674731b15f6ad3d1a3118a99d3cc2ab25a911aad1b8ac8c72d5a9d2952 - v3.13.3: 44aaa094ae24d01e8c36e327e1837fd3377a0f9152626da088384c5bc6d94562 - v3.13.2: 
f5654aaed63a0da72852776e1d3f851b2ea9529cb5696337202703c2e1ed2321 - v3.13.1: 8c4a0777218b266a7b977394aaf0e9cef30ed2df6e742d683e523d75508d6efe - v3.13.0: d12a0e73a7dbff7d89d13e0c6eb73f5095f72d70faea30531941d320678904d2 amd64: + v3.15.4: 11400fecfc07fd6f034863e4e0c4c4445594673fd2a129e701fe41f31170cfa9 + v3.15.3: ad871aecb0c9fd96aa6702f6b79e87556c8998c2e714a4959bf71ee31282ac9c + v3.15.2: 2694b91c3e501cff57caf650e639604a274645f61af2ea4d601677b746b44fe2 + v3.15.1: 7b20e7791c04ea71e7fe0cbe11f1a8be4a55a692898b57d9db28f3b0c1d52f11 + v3.15.0: a74747ac40777b86d3ff6f1be201504bba65ca46cd68b5fe25d3c394d0dcf745 + v3.14.4: a5844ef2c38ef6ddf3b5a8f7d91e7e0e8ebc39a38bb3fc8013d629c1ef29c259 + v3.14.3: 3c90f24e180f8c207b8a18e5ec82cb0fa49858a7a0a86e4ed52a98398681e00b v3.14.2: 0885a501d586c1e949e9b113bf3fb3290b0bbf74db9444a1d8c2723a143006a5 v3.14.1: 75496ea824f92305ff7d28af37f4af57536bf5138399c824dff997b9d239dd42 v3.14.0: f43e1c3387de24547506ab05d24e5309c0ce0b228c23bd8aa64e9ec4b8206651 - v3.13.3: bbb6e7c6201458b235f335280f35493950dcd856825ddcfd1d3b40ae757d5c7d - v3.13.2: 55a8e6dce87a1e52c61e0ce7a89bf85b38725ba3e8deb51d4a08ade8a2c70b2d - v3.13.1: 98c363564d00afd0cc3088e8f830f2a0eeb5f28755b3d8c48df89866374a1ed0 - v3.13.0: 138676351483e61d12dfade70da6c03d471bbdcac84eaadeb5e1d06fa114a24f ppc64le: + v3.15.4: e4efce93723f52dd858e9046ea836c9c75f346facce1b87b8cf78c817b97e6ac + v3.15.3: fac86a8a0515e1f4593d6288426c99f2b3edac946b7f118fcfe03e4a09523f25 + v3.15.2: 9d95528fb797f6429f7f9b6dee0cf87bf8c71f6470e1db4a51e844c169c285a3 + v3.15.1: 0bfe2ff8b29c1f26b0484261c0fe0d041188b2e1aa5da8e461e44083bbf655a3 + v3.15.0: bcec19cdad95cae99edce046ccd8090f275e63381ccb6accb4304819fc26e004 + v3.14.4: d0d625b43f6650ad376428520b2238baa2400bfedb43b2e0f24ad7247f0f59b5 + v3.14.3: aab121ca470e2a502cda849a9b3e92eeb9a32e213b0f0a79a95a04e375d26ce7 v3.14.2: f3bc8582ff151e619cd285d9cdf9fef1c5733ee5522d8bed2ef680ef07f87223 v3.14.1: 4d853ab8fe3462287c7272fbadd5f73531ecdd6fa0db37d31630e41ae1ae21de v3.14.0: 
f1f9d3561724863edd4c06d89acb2e2fd8ae0f1b72058ceb891fa1c346ce5dbc - v3.13.3: 85afc540af42ebbb6e6a4fe270b04ce1fa27fa72845cd1d352feea0f55df1ffc - v3.13.2: 11d96134cc4ec106c23cd8c163072e9aed6cd73e36a3da120e5876d426203f37 - v3.13.1: f0d4ae95b4db25d03ced987e30d424564bd4727af6a4a0b7fca41f14203306fb - v3.13.0: d9be0057c21ce5994885630340b4f2725a68510deca6e3c455030d83336e4797 cri_dockerd_archive_checksums: arm: 0.3.11: 0 @@ -951,6 +985,7 @@ nerdctl_archive_checksums: 1.6.1: 3924467d9430df991ebdf4e78211bac2b29e9a066d5000d98f8d4ebde2bb7b4c containerd_archive_checksums: arm: + 1.7.21: 0 1.7.20: 0 1.7.19: 0 1.7.18: 0 @@ -994,6 +1029,7 @@ containerd_archive_checksums: 1.6.15: 0 1.6.14: 0 arm64: + 1.7.21: 7b6b67d998eb86856d23df5d57269c054539072bbb27677975cf78269b2c5c10 1.7.20: cf80cd305f7d1c23aaf0c57bc1c1e37089cad9130d533db6fe968cdebd16c759 1.7.19: 1839e6f7cd7c62d9df3ef3deac3f404cdd5cd47bbdf8acfeb0b0f3776eb20002 1.7.18: e80ce87b469af03b3bdcf68b95f0f4a303787ae247581bcd42f04acf1ad4c24d @@ -1037,6 +1073,7 @@ containerd_archive_checksums: 1.6.15: d63e4d27c51e33cd10f8b5621c559f09ece8a65fec66d80551b36cac9e61a07d 1.6.14: 3ccb61218e60cbba0e1bbe1e5e2bf809ac1ead8eafbbff36c3195d3edd0e4809 amd64: + 1.7.21: 3d1fcdfd0b141f4dc4916b7aee7f9a7773dc344baffc8954e1ca66b1adc5c120 1.7.20: e09410787b6f392748959177a84e024424f75d7aff33ea1c5b783f2260edce67 1.7.19: 97f75e60f0ad19d335b1d23385835df721cad4492740d50576997f2717dc3f94 1.7.18: a24b05b341c155a0ec367d3d0fd1d437c09a0261dffdecc0e44e9abbf2d02aca @@ -1080,6 +1117,7 @@ containerd_archive_checksums: 1.6.15: 191bb4f6e4afc237efc5c85b5866b6fdfed731bde12cceaa6017a9c7f8aeda02 1.6.14: 7da626d46c4edcae1eefe6d48dc6521db3e594a402715afcddc6ac9e67e1bfcd ppc64le: + 1.7.21: 5ce0c1125e8d9ca04e2b524a2bac8b1eb97876c073023d5e083f7da64fcd8207 1.7.20: dc611df0baa90509dda35e0be993da52f42b067514329fcf538d000b110364e8 1.7.19: f41c2f28ee933a9ca24ff02cca159099fbcf798850e56cf0b7a6047ebe21fa86 1.7.18: d6cfb3bc8fbdead7d435d5f3f6b1913b5896f7f97102c1bbad206f9123c2a5d3 
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml index 301af6d84f7..55c7e47257f 100644 --- a/roles/kubespray-defaults/defaults/main/download.yml +++ b/roles/kubespray-defaults/defaults/main/download.yml @@ -74,13 +74,12 @@ image_info_command_on_localhost: "{{ lookup('vars', image_command_tool_on_localh image_arch: "{{ host_architecture | default('amd64') }}" # Versions -kubeadm_version: "{{ kube_version }}" crun_version: 1.14.4 runc_version: v1.1.13 kata_containers_version: 3.1.3 youki_version: 0.1.0 gvisor_version: 20240305 -containerd_version: 1.7.20 +containerd_version: 1.7.21 cri_dockerd_version: 0.3.11 # this is relevant when container_manager == 'docker' @@ -101,7 +100,7 @@ github_image_repo: "ghcr.io" # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults # after migration to container download -calico_version: "v3.27.3" +calico_version: "v3.28.1" calico_ctl_version: "{{ calico_version }}" calico_cni_version: "{{ calico_version }}" calico_flexvol_version: "{{ calico_version }}" @@ -113,18 +112,18 @@ calico_apiserver_enabled: false flannel_version: "v0.22.0" flannel_cni_version: "v1.1.2" -cni_version: "v1.3.0" weave_version: 2.8.7 +cni_version: "v1.4.0" cilium_version: "v1.15.4" cilium_cli_version: "v0.16.0" cilium_enable_hubble: false -kube_ovn_version: "v1.11.5" +kube_ovn_version: "v1.12.21" kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}" kube_router_version: "v2.0.0" multus_version: "v4.1.0" -helm_version: "v3.14.2" +helm_version: "v3.15.4" nerdctl_version: "1.7.4" krew_version: "v0.4.4" skopeo_version: "v1.15.0" 
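Review bot: Dropping `kubeadm_version` from the defaults means an inventory that still overrides it is now silently ignored rather than rejected, since the download URL, the checksum lookup and the `downloads.kubeadm` entry in the later hunks of this diff all key on `kube_version` instead. If the variable was ever documented as user-settable, a short preflight guard would surface the stale override, e.g. `- name: Stop if the removed kubeadm_version variable is still set` / `assert:` / `that: kubeadm_version is not defined`. I can't see the docs or the preflight checks in this diff, so whether this counts as a user-facing removal is inferred from the defaults alone.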
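Review bot: `cni_version` is bumped to `"v1.4.0"` (and moved below `weave_version`), but none of the checksums.yml hunks in this diff add a `cni_binary_checksums` entry for v1.4.0, and `cni_binary_checksum` indexes that table by `cni_version`. If the entries already exist upstream of the visible `v1.0.0` context line this is fine; otherwise the download task fails on an undefined key at runtime rather than at lint time. Worth confirming the table has v1.4.0 for every architecture before merging.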
@@ -173,7 +172,7 @@ get_helm_url: https://get.helm.sh # Download URLs kubelet_download_url: "{{ dl_k8s_io_url }}/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubelet" kubectl_download_url: "{{ dl_k8s_io_url }}/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubectl" -kubeadm_download_url: "{{ dl_k8s_io_url }}/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm" +kubeadm_download_url: "{{ dl_k8s_io_url }}/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubeadm" etcd_download_url: "{{ github_url }}/etcd-io/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-{{ image_arch }}.tar.gz" cni_download_url: "{{ github_url }}/containernetworking/plugins/releases/download/{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz" calicoctl_download_url: "{{ github_url }}/projectcalico/calico/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}" @@ -200,7 +199,7 @@ etcd_binary_checksum: "{{ etcd_binary_checksums[image_arch][etcd_version] }}" cni_binary_checksum: "{{ cni_binary_checksums[image_arch][cni_version] }}" kubelet_binary_checksum: "{{ kubelet_checksums[image_arch][kube_version] }}" kubectl_binary_checksum: "{{ kubectl_checksums[image_arch][kube_version] }}" -kubeadm_binary_checksum: "{{ kubeadm_checksums[image_arch][kubeadm_version] }}" +kubeadm_binary_checksum: "{{ kubeadm_checksums[image_arch][kube_version] }}" yq_binary_checksum: "{{ yq_checksums[image_arch][yq_version] }}" calicoctl_binary_checksum: "{{ calicoctl_binary_checksums[image_arch][calico_ctl_version] }}" calico_crds_archive_checksum: "{{ calico_crds_archive_checksums[calico_version] }}" 
@@ -275,6 +274,8 @@ cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy" cilium_hubble_envoy_image_tag: "v1.22.5" kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn" kube_ovn_container_image_tag: "{{ kube_ovn_version }}" +kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway" +kube_ovn_vpc_container_image_tag: "{{ kube_ovn_version }}" kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk" kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_dpdk_version }}" kube_router_image_repo: "{{ docker_image_repo }}/cloudnativelabs/kube-router" @@ -331,13 +332,13 @@ rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}" local_path_provisioner_version: "v0.0.24" local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner" local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}" -ingress_nginx_version: "v1.10.1" +ingress_nginx_version: "v1.11.2" ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller" ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry" ingress_nginx_controller_image_tag: "{{ ingress_nginx_version }}" ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5" ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen" -ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.1" +ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_tag: "v1.1.9" cert_manager_version: "v1.14.7" 
@@ -407,7 +408,7 @@ metallb_speaker_image_repo: "{{ quay_image_repo }}/metallb/speaker" metallb_controller_image_repo: "{{ quay_image_repo }}/metallb/controller" metallb_version: v0.13.9 -node_feature_discovery_version: v0.14.2 +node_feature_discovery_version: v0.16.4 node_feature_discovery_image_repo: "{{ kube_image_repo }}/nfd/node-feature-discovery" node_feature_discovery_image_tag: "{{ node_feature_discovery_version }}" @@ -464,8 +465,8 @@ downloads: kubeadm: enabled: true file: true - version: "{{ kubeadm_version }}" - dest: "{{ local_release_dir }}/kubeadm-{{ kubeadm_version }}-{{ image_arch }}" + version: "{{ kube_version }}" + dest: "{{ local_release_dir }}/kubeadm-{{ kube_version }}-{{ image_arch }}" sha256: "{{ kubeadm_binary_checksum }}" url: "{{ kubeadm_download_url }}" unarchive: false diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml index b6899111111..c648bcc7230 100644 --- a/roles/kubespray-defaults/defaults/main/main.yml +++ b/roles/kubespray-defaults/defaults/main/main.yml @@ -18,7 +18,7 @@ kubelet_fail_swap_on: true kubelet_swap_behavior: LimitedSwap ## Change this to use another Kubernetes version, e.g. a current beta release -kube_version: v1.30.3 +kube_version: v1.30.4 ## The minimum version working kube_version_min_required: v1.28.0 diff --git a/roles/kubespray-defaults/tasks/fallback_ips.yml b/roles/kubespray-defaults/tasks/fallback_ips.yml index a1aff37eefa..ae3b1515054 100644 --- a/roles/kubespray-defaults/tasks/fallback_ips.yml +++ b/roles/kubespray-defaults/tasks/fallback_ips.yml 
@@ -8,10 +8,10 @@ gather_subset: '!all,network' filter: "ansible_default_ipv4" delegate_to: "{{ item }}" - delegate_facts: yes + delegate_facts: true when: hostvars[item].ansible_default_ipv4 is not defined loop: "{{ (ansible_play_hosts_all + [groups['kube_control_plane'][0]]) | unique if ansible_limit is defined else (groups['k8s_cluster'] | default([]) + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique }}" - run_once: yes + run_once: true ignore_unreachable: true tags: always @@ -26,9 +26,9 @@ {% endfor %} delegate_to: localhost connection: local - delegate_facts: yes - become: no - run_once: yes + delegate_facts: true + become: false + run_once: true - name: Set fallback_ips set_fact: diff --git a/roles/kubespray-defaults/tasks/no_proxy.yml b/roles/kubespray-defaults/tasks/no_proxy.yml index d2d5cc6d1e1..adec886f4a3 100644 --- a/roles/kubespray-defaults/tasks/no_proxy.yml +++ b/roles/kubespray-defaults/tasks/no_proxy.yml @@ -26,9 +26,9 @@ 127.0.0.1,localhost,{{ kube_service_addresses }},{{ kube_pods_subnet }},svc,svc.{{ dns_domain }} delegate_to: localhost connection: local - delegate_facts: yes - become: no - run_once: yes + delegate_facts: true + become: false + run_once: true - name: Populates no_proxy to all hosts set_fact: diff --git a/roles/network_plugin/calico/rr/tasks/pre.yml b/roles/network_plugin/calico/rr/tasks/pre.yml index d8dbd807280..f8a9de6118b 100644 --- a/roles/network_plugin/calico/rr/tasks/pre.yml +++ b/roles/network_plugin/calico/rr/tasks/pre.yml @@ -3,7 +3,7 @@ service: name: calico-rr state: stopped - enabled: no + enabled: false failed_when: false - name: Calico-rr | Delete obsolete files diff --git a/roles/network_plugin/calico/tasks/check.yml b/roles/network_plugin/calico/tasks/check.yml index 95dcfa6731a..7f73a08c4cb 100644 --- a/roles/network_plugin/calico/tasks/check.yml +++ b/roles/network_plugin/calico/tasks/check.yml 
@@ -4,7 +4,7 @@ that: - ipip is not defined msg: "'ipip' configuration variable is deprecated, please configure your inventory with 'calico_ipip_mode' set to 'Always' or 'CrossSubnet' according to your specific needs" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: Stop if legacy encapsulation variables are detected (ipip_mode) @@ -12,7 +12,7 @@ that: - ipip_mode is not defined msg: "'ipip_mode' configuration variable is deprecated, please configure your inventory with 'calico_ipip_mode' set to 'Always' or 'CrossSubnet' according to your specific needs" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: Stop if legacy encapsulation variables are detected (calcio_ipam_autoallocateblocks) @@ -20,7 +20,7 @@ that: - calcio_ipam_autoallocateblocks is not defined msg: "'calcio_ipam_autoallocateblocks' configuration variable is deprecated, it's a typo, please configure your inventory with 'calico_ipam_autoallocateblocks' set to 'true' or 'false' according to your specific needs" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" @@ -32,7 +32,7 @@ msg: "When using cloud_provider azure and network_plugin calico calico_ipip_mode must be 'Never' and calico_vxlan_mode 'Always' or 'CrossSubnet'" when: - cloud_provider is defined and cloud_provider == 'azure' - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: Stop if supported Calico versions 
@@ -40,21 +40,21 @@ that: - "calico_version in calico_crds_archive_checksums.keys()" msg: "Calico version not supported {{ calico_version }} not in {{ calico_crds_archive_checksums.keys() }}" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: Check if calicoctl.sh exists stat: path: "{{ bin_dir }}/calicoctl.sh" register: calicoctl_sh_exists - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: Check if calico ready command: "{{ bin_dir }}/calicoctl.sh get ClusterInformation default" register: calico_ready - run_once: True - ignore_errors: True + run_once: true + ignore_errors: true retries: 5 delay: 10 until: calico_ready.rc == 0 @@ -62,7 +62,7 @@ when: calicoctl_sh_exists.stat.exists - name: Check that current calico version is enough for upgrade - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" when: calicoctl_sh_exists.stat.exists and calico_ready.rc == 0 block: @@ -91,7 +91,7 @@ when: - peer_with_calico_rr - inventory_hostname == groups['kube_control_plane'][0] - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check that calico_rr nodes are in k8s_cluster group" @@ -101,7 +101,7 @@ msg: "calico_rr must be a child group of k8s_cluster group" when: - '"calico_rr" in group_names' - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check vars defined correctly" @@ -110,7 +110,7 @@ - "calico_pool_name is defined" - "calico_pool_name is match('^[a-zA-Z0-9-_\\\\.]{2,63}$')" msg: "calico_pool_name contains invalid characters" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check calico network backend defined correctly" 
@@ -118,11 +118,11 @@ that: - "calico_network_backend in ['bird', 'vxlan', 'none']" msg: "calico network backend is not 'bird', 'vxlan' or 'none'" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check ipip and vxlan mode defined correctly" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" assert: that: @@ -137,7 +137,7 @@ msg: "IP in IP and VXLAN mode is mutualy exclusive modes" when: - "calico_ipip_mode in ['Always', 'CrossSubnet']" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check ipip and vxlan mode if simultaneously enabled" @@ -147,23 +147,23 @@ msg: "IP in IP and VXLAN mode is mutualy exclusive modes" when: - "calico_vxlan_mode in ['Always', 'CrossSubnet']" - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Get Calico {{ calico_pool_name }} configuration" command: "{{ bin_dir }}/calicoctl.sh get ipPool {{ calico_pool_name }} -o json" - failed_when: False - changed_when: False - check_mode: no + failed_when: false + changed_when: false + check_mode: false register: calico - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Set calico_pool_conf" set_fact: calico_pool_conf: '{{ calico.stdout | from_json }}' when: calico.rc == 0 and calico.stdout - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check if inventory match current cluster configuration" @@ -176,7 +176,7 @@ msg: "Your inventory doesn't match the current cluster configuration" when: - calico_pool_conf is defined - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check kdd calico_datastore if calico_apiserver_enabled" 
@@ -185,7 +185,7 @@ msg: "When using calico apiserver you need to use the kubernetes datastore" when: - calico_apiserver_enabled - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check kdd calico_datastore if typha_enabled" @@ -194,7 +194,7 @@ msg: "When using typha you need to use the kubernetes datastore" when: - typha_enabled - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" - name: "Check ipip mode is Never for calico ipv6" @@ -204,5 +204,5 @@ msg: "Calico doesn't support ipip tunneling for the IPv6" when: - enable_dual_stack_networks - run_once: True + run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml index 7f895b55502..1d3b02339c2 100644 --- a/roles/network_plugin/calico/tasks/install.yml +++ b/roles/network_plugin/calico/tasks/install.yml @@ -14,7 +14,7 @@ src: "{{ downloads.calicoctl.dest }}" dest: "{{ bin_dir }}/calicoctl" mode: "0755" - remote_src: yes + remote_src: true - name: Calico | Create calico certs directory file: @@ -31,7 +31,7 @@ dest: "{{ calico_cert_dir }}/{{ item.d }}" state: hard mode: "0640" - force: yes + force: true with_items: - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"} - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"} @@ -61,7 +61,7 @@ - name: Calico | wait for etcd uri: url: "{{ etcd_access_addresses.split(',') | first }}/health" - validate_certs: no + validate_certs: false client_cert: "{{ calico_cert_dir }}/cert.crt" client_key: "{{ calico_cert_dir }}/key.pem" register: result @@ -165,8 +165,8 @@ - name: Calico | Get existing FelixConfiguration command: "{{ bin_dir }}/calicoctl.sh get felixconfig default -o json" register: _felix_cmd - ignore_errors: True - changed_when: False + ignore_errors: true + changed_when: false - name: Calico | Set kubespray FelixConfiguration set_fact: 
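Review bot: The etcd health check in the `Calico | wait for etcd` task keeps `validate_certs: false` on the `uri` call, so it presents a client certificate but never verifies the etcd server's identity; the boolean normalisation is the only thing this hunk changes. The etcd CA is hard-linked into `{{ calico_cert_dir }}/ca_cert.crt` by the task in the earlier hunk of this same file, so the check could pin it with `validate_certs: true` and `ca_path: "{{ calico_cert_dir }}/ca_cert.crt"` instead of disabling verification. Whether the etcd server certificates carry the names used in `etcd_access_addresses` is not visible here and would need confirming first.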
@@ -201,7 +201,7 @@ command: cmd: "{{ bin_dir }}/calicoctl.sh apply -f -" stdin: "{{ _felix_config is string | ternary(_felix_config, _felix_config | to_json) }}" - changed_when: False + changed_when: false - name: Calico | Configure Calico IP Pool when: @@ -210,8 +210,8 @@ - name: Calico | Get existing calico network pool command: "{{ bin_dir }}/calicoctl.sh get ippool {{ calico_pool_name }} -o json" register: _calico_pool_cmd - ignore_errors: True - changed_when: False + ignore_errors: true + changed_when: false - name: Calico | Set kubespray calico network pool set_fact: @@ -251,7 +251,7 @@ command: cmd: "{{ bin_dir }}/calicoctl.sh apply -f -" stdin: "{{ _calico_pool is string | ternary(_calico_pool, _calico_pool | to_json) }}" - changed_when: False + changed_when: false - name: Calico | Configure Calico IPv6 Pool when: @@ -261,8 +261,8 @@ - name: Calico | Get existing calico ipv6 network pool command: "{{ bin_dir }}/calicoctl.sh get ippool {{ calico_pool_name }}-ipv6 -o json" register: _calico_pool_ipv6_cmd - ignore_errors: True - changed_when: False + ignore_errors: true + changed_when: false - name: Calico | Set kubespray calico network pool set_fact: @@ -302,19 +302,19 @@ command: cmd: "{{ bin_dir }}/calicoctl.sh apply -f -" stdin: "{{ _calico_pool_ipv6 is string | ternary(_calico_pool_ipv6, _calico_pool_ipv6 | to_json) }}" - changed_when: False + changed_when: false - name: Populate Service External IPs set_fact: _service_external_ips: "{{ _service_external_ips | default([]) + [{'cidr': item}] }}" with_items: "{{ calico_advertise_service_external_ips }}" - run_once: yes + run_once: true - name: Populate Service LoadBalancer IPs set_fact: _service_loadbalancer_ips: "{{ _service_loadbalancer_ips | default([]) + [{'cidr': item}] }}" with_items: "{{ calico_advertise_service_loadbalancer_ips }}" - run_once: yes + run_once: true - name: "Determine nodeToNodeMesh needed state" set_fact: 
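Review bot: `changed_when: false` on the `calicoctl.sh apply -f -` task means a run that actually rewrites the FelixConfiguration still reports as unchanged; the same pattern is kept in the `@@ -251`, `@@ -302` and `@@ -366` hunks for the IP pools and BGP configuration. Unless the preceding `set_fact` steps (outside these hunks) already short-circuit when the desired object equals the `_felix_cmd.stdout` / `_calico_pool_cmd.stdout` JSON, a comparison of the two before applying, or a `changed_when` derived from the command output, would make the play report honestly. This is pre-existing behaviour that the normalisation only preserves, so it can be a follow-up.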
@@ -322,7 +322,7 @@ when: - peer_with_router | default(false) or peer_with_calico_rr | default(false) - inventory_hostname in groups['k8s_cluster'] - run_once: yes + run_once: true - name: Calico | Configure Calico BGP when: @@ -331,8 +331,8 @@ - name: Calico | Get existing BGP Configuration command: "{{ bin_dir }}/calicoctl.sh get bgpconfig default -o json" register: _bgp_config_cmd - ignore_errors: True - changed_when: False + ignore_errors: true + changed_when: false - name: Calico | Set kubespray BGP Configuration set_fact: @@ -366,7 +366,7 @@ command: cmd: "{{ bin_dir }}/calicoctl.sh apply -f -" stdin: "{{ _bgp_config is string | ternary(_bgp_config, _bgp_config | to_json) }}" - changed_when: False + changed_when: false - name: Calico | Create calico manifests template: diff --git a/roles/network_plugin/calico/tasks/repos.yml b/roles/network_plugin/calico/tasks/repos.yml index dd29f452072..7eba916bbab 100644 --- a/roles/network_plugin/calico/tasks/repos.yml +++ b/roles/network_plugin/calico/tasks/repos.yml @@ -10,11 +10,11 @@ file: _copr:copr.fedorainfracloud.org:jdoss:wireguard description: Copr repo for wireguard owned by jdoss baseurl: "{{ calico_wireguard_repo }}" - gpgcheck: yes + gpgcheck: true gpgkey: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg - skip_if_unavailable: yes - enabled: yes - repo_gpgcheck: no + skip_if_unavailable: true + enabled: true + repo_gpgcheck: false when: - ansible_os_family in ['RedHat'] - ansible_distribution not in ['Fedora'] diff --git a/roles/network_plugin/calico/tasks/reset.yml b/roles/network_plugin/calico/tasks/reset.yml index 8dab21462d7..16c85097710 100644 --- a/roles/network_plugin/calico/tasks/reset.yml +++ b/roles/network_plugin/calico/tasks/reset.yml 
@@ -2,9 +2,9 @@ - name: Reset | check vxlan.calico network device stat: path: /sys/class/net/vxlan.calico - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: vxlan - name: Reset | remove the network vxlan.calico device created by calico @@ -14,9 +14,9 @@ - name: Reset | check dummy0 network device stat: path: /sys/class/net/dummy0 - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: dummy0 - name: Reset | remove the network device created by calico diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 index ca25eeb21be..769c78cff60 100644 --- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 @@ -72,6 +72,15 @@ spec: initialDelaySeconds: 90 periodSeconds: 10 name: calico-apiserver +{% if calico_version is version('v3.28.0', '>=') %} + readinessProbe: + httpGet: + path: /readyz + port: 5443 + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 60 +{% else %} readinessProbe: exec: command: @@ -79,6 +88,7 @@ spec: failureThreshold: 5 initialDelaySeconds: 5 periodSeconds: 10 +{% endif %} securityContext: privileged: false runAsUser: 0 @@ -173,7 +183,16 @@ rules: - create - update - delete - +{% if calico_version is version('v3.28.0', '>=') %} +- apiGroups: + - policy + resourceNames: + - calico-apiserver + resources: + - podsecuritypolicies + verbs: + - use +{% endif %} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2 index 6642ef2f689..ff85a5123df 100644 --- a/roles/network_plugin/calico/templates/calico-node.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-node.yml.j2 
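Review bot: The new `policy/podsecuritypolicies` rule in the second calico-apiserver hunk (`@@ -173,7 +183,16 @@`) grants `use` on an API that Kubernetes removed in v1.25, so on any cluster this template targets today the rule is inert and only widens the ClusterRole's declared surface. The `calico_version is version('v3.28.0', '>=')` guard also reads inverted: a PSP grant matters to older clusters, not newer Calico, so if it is kept it should be gated on the cluster version instead, e.g. `{% if kube_version is version('v1.25.0', '<') %}` using whatever variable holds that version. If the intent is only to mirror the upstream manifest, a one-line comment above the block saying so, and that it is a no-op on PSP-less clusters, would stop the next reader from trying to "fix" it. The rules list continues outside the hunk.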
@@ -411,9 +411,11 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + type: DirectoryOrCreate - name: var-lib-calico hostPath: path: /var/lib/calico + type: DirectoryOrCreate # Used to install CNI. - name: cni-net-dir hostPath: @@ -421,6 +423,7 @@ spec: - name: cni-bin-dir hostPath: path: /opt/cni/bin + type: DirectoryOrCreate {% if calico_datastore == "etcd" %} # Mount in the etcd TLS secrets. - name: etcd-certs diff --git a/roles/network_plugin/cilium/tasks/install.yml b/roles/network_plugin/cilium/tasks/install.yml index 1039953a007..7da39644b72 100644 --- a/roles/network_plugin/cilium/tasks/install.yml +++ b/roles/network_plugin/cilium/tasks/install.yml @@ -22,7 +22,7 @@ dest: "{{ cilium_cert_dir }}/{{ item.d }}" mode: "0644" state: hard - force: yes + force: true loop: - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"} - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"} @@ -94,4 +94,4 @@ src: "{{ local_release_dir }}/cilium" dest: "{{ bin_dir }}/cilium" mode: "0755" - remote_src: yes + remote_src: true diff --git a/roles/network_plugin/cilium/tasks/reset_iface.yml b/roles/network_plugin/cilium/tasks/reset_iface.yml index e2f7c14af51..57a2d5765e4 100644 --- a/roles/network_plugin/cilium/tasks/reset_iface.yml +++ b/roles/network_plugin/cilium/tasks/reset_iface.yml @@ -2,9 +2,9 @@ - name: "Reset | check if network device {{ iface }} is present" stat: path: "/sys/class/net/{{ iface }}" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: device_remains - name: "Reset | remove network device {{ iface }}" diff --git a/roles/network_plugin/cni/tasks/main.yml b/roles/network_plugin/cni/tasks/main.yml index 8ac0dc53a3e..28376bd7605 100644 --- a/roles/network_plugin/cni/tasks/main.yml +++ b/roles/network_plugin/cni/tasks/main.yml @@ -13,4 +13,4 @@ dest: "/opt/cni/bin" mode: "0755" owner: "{{ cni_bin_owner }}" - remote_src: yes + remote_src: true 
diff --git a/roles/network_plugin/flannel/tasks/reset.yml b/roles/network_plugin/flannel/tasks/reset.yml index 03d40a0c13a..c4b1b881581 100644 --- a/roles/network_plugin/flannel/tasks/reset.yml +++ b/roles/network_plugin/flannel/tasks/reset.yml @@ -2,9 +2,9 @@ - name: Reset | check cni network device stat: path: /sys/class/net/cni0 - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: cni - name: Reset | remove the network device created by the flannel @@ -14,9 +14,9 @@ - name: Reset | check flannel network device stat: path: /sys/class/net/flannel.1 - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: flannel - name: Reset | remove the network device created by the flannel diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 index 8040cc77bd3..c531ffcbb1a 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 +++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 @@ -39,6 +39,10 @@ spec: type: string subnet: type: string + replicas: + type: integer + minimum: 1 + maximum: 3 status: type: object properties: @@ -129,6 +133,10 @@ spec: items: type: string type: array + endpoints: + items: + type: string + type: array status: type: object properties: 
@@ -165,10 +173,317 @@ spec: name: v1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: type: object properties: + status: + type: object + properties: + externalSubnets: + items: + type: string + type: array + selector: + type: array + items: + type: string + qosPolicy: + type: string + tolerations: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - Equal + - Exists + value: + type: string + effect: + type: string + enum: + - NoExecute + - NoSchedule + - PreferNoSchedule + tolerationSeconds: + type: integer + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + 
podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - 
podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object spec: type: object properties: @@ -176,12 +491,18 @@ spec: type: string subnet: type: string + externalSubnets: + items: + type: string + type: array vpc: type: string selector: type: array items: type: string + qosPolicy: + type: string tolerations: type: array items: 
@@ -191,12 +512,289 @@ spec: type: string operator: type: string + enum: + - Equal + - Exists value: type: string effect: type: string + enum: + - NoExecute + - NoSchedule + - PreferNoSchedule tolerationSeconds: type: integer + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: 
string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key 
+ - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -249,6 +847,8 @@ spec: type: string redo: type: string + qosPolicy: + type: string conditions: type: array items: @@ -277,6 +877,10 @@ spec: type: string natGwDp: type: string + qosPolicy: + type: string + externalSubnet: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -334,6 +938,8 @@ spec: type: string redo: type: string + internalIp: + type: string conditions: type: array items: @@ -519,6 +1125,8 @@ spec: type: string redo: type: string + internalCIDR: + type: string conditions: type: array items: @@ -565,15 +1173,24 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .spec.v4ip - name: IP + - jsonPath: .status.v4Ip + name: V4IP type: string - - jsonPath: .spec.macAddress + - jsonPath: .status.v6Ip + name: V6IP + type: string + - jsonPath: .status.macAddress name: Mac type: string - - jsonPath: .spec.type + - jsonPath: .status.type name: Type type: string + - jsonPath: .status.nat + name: Nat + type: string + - jsonPath: .status.ready + name: Ready + type: boolean schema: openAPIV3Schema: type: object @@ -581,8 +1198,16 @@ spec: status: type: object properties: + type: + type: string + nat: + type: string + ready: + type: boolean v4Ip: type: string + v6Ip: + type: string macAddress: type: string conditions: @@ -609,7 +1234,9 @@ spec: type: string type: type: string - v4ip: + v4Ip: + type: string + v6Ip: type: string macAddress: type: string 
@@ -647,6 +1274,12 @@ spec: - jsonPath: .status.ready name: Ready type: boolean + - jsonPath: .spec.ipType + name: IpType + type: string + - jsonPath: .spec.ipName + name: IpName + type: string schema: openAPIV3Schema: type: object @@ -660,8 +1293,6 @@ spec: type: string v4Ip: type: string - macAddress: - type: string vpc: type: string conditions: @@ -686,8 +1317,14 @@ spec: properties: ovnEip: type: string + ipType: + type: string ipName: type: string + vpc: + type: string + v4Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -716,8 +1353,8 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string - - jsonPath: .status.v4ipCidr - name: V4Ip + - jsonPath: .status.v4IpCidr + name: V4IpCidr type: string - jsonPath: .status.ready name: Ready @@ -733,7 +1370,7 @@ spec: type: boolean v4Eip: type: string - v4ipCidr: + v4IpCidr: type: string vpc: type: string 
@@ -763,6 +1400,118 @@ spec: type: string ipName: type: string + vpc: + type: string + v4IpCidr: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ovn-dnat-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: ovn-dnat-rules + singular: ovn-dnat-rule + shortNames: + - odnat + kind: OvnDnatRule + listKind: OvnDnatRuleList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.vpc + name: Vpc + type: string + - jsonPath: .spec.ovnEip + name: Eip + type: string + - jsonPath: .status.protocol + name: Protocol + type: string + - jsonPath: .status.v4Eip + name: V4Eip + type: string + - jsonPath: .status.v4Ip + name: V4Ip + type: string + - jsonPath: .status.internalPort + name: InternalPort + type: string + - jsonPath: .status.externalPort + name: ExternalPort + type: string + - jsonPath: .spec.ipName + name: IpName + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4Eip: + type: string + v4Ip: + type: string + vpc: + type: string + externalPort: + type: string + internalPort: + type: string + protocol: + type: string + ipName: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + ovnEip: + type: string + ipType: + type: string + ipName: + type: string + externalPort: + type: string + internalPort: + type: string + protocol: + type: string + vpc: + type: string + v4Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -775,12 +1524,18 @@ spec: - jsonPath: .status.enableExternal name: EnableExternal type: boolean + - jsonPath: .status.enableBfd + name: EnableBfd + type: boolean - jsonPath: .status.standby name: Standby type: boolean - jsonPath: .status.subnets name: Subnets type: string + - jsonPath: .status.extraExternalSubnets + name: ExtraExternalSubnets + type: string - jsonPath: .spec.namespaces name: Namespaces type: string @@ -792,10 +1547,16 @@ spec: properties: enableExternal: type: boolean + enableBfd: + type: boolean namespaces: items: type: string type: array + extraExternalSubnets: + items: + type: string + type: array staticRoutes: items: properties: @@ -805,6 +1566,12 @@ spec: type: string nextHopIP: type: string + ecmpMode: + type: string + bfdId: + type: string + routeTable: + type: string type: object type: array policyRoutes: @@ -859,10 +1626,16 @@ spec: type: boolean enableExternal: type: boolean + enableBfd: + type: boolean subnets: items: type: string type: array + extraExternalSubnets: + items: + type: string + type: array vpcPeerings: items: type: string @@ -989,27 +1762,24 @@ spec: - name: V4IP type: string jsonPath: .status.v4ip - - name: PV4IP + - name: V6IP type: string - jsonPath: .spec.parentV4ip + jsonPath: .status.v6ip - name: Mac type: string jsonPath: .status.mac - name: PMac type: string jsonPath: .spec.parentMac - - name: V6IP - type: string - jsonPath: .status.v6ip - - name: PV6IP - type: string - jsonPath: .spec.parentV6ip - name: Subnet type: string jsonPath: .spec.subnet - jsonPath: .status.ready name: Ready type: boolean + - jsonPath: .status.type + name: Type + type: string schema: openAPIV3Schema: type: object @@ -1017,6 +1787,8 @@ spec: status: type: object properties: + type: + type: string ready: type: boolean v4ip: @@ -1055,6 +1827,8 @@ spec: type: string subnet: type: string + type: + type: string attachSubnets: type: array items: 
@@ -1131,6 +1905,12 @@ spec: openAPIV3Schema: type: object properties: + metadata: + type: object + properties: + name: + type: string + pattern: ^[^0-9] status: type: object properties: @@ -1150,6 +1930,35 @@ spec: type: string u2oInterconnectionIP: type: string + u2oInterconnectionVPC: + type: string + v4usingIPrange: + type: string + v4availableIPrange: + type: string + v6usingIPrange: + type: string + v6availableIPrange: + type: string + natOutgoingPolicyRules: + type: array + items: + type: object + properties: + ruleID: + type: string + action: + type: string + enum: + - nat + - forward + match: + type: object + properties: + srcIPs: + type: string + dstIPs: + type: string conditions: type: array items: @@ -1208,8 +2017,6 @@ spec: type: string natOutgoing: type: boolean - u2oRouting: - type: boolean externalEgressGateway: type: string policyRoutingPriority: @@ -1226,6 +2033,10 @@ spec: - 253 # default - 254 # main - 255 # local + mtu: + type: integer + minimum: 68 + maximum: 65535 private: type: boolean vlan: @@ -1270,8 +2081,35 @@ spec: - allow - drop - reject + natOutgoingPolicyRules: + type: array + items: + type: object + properties: + action: + type: string + enum: + - nat + - forward + match: + type: object + properties: + srcIPs: + type: string + dstIPs: + type: string u2oInterconnection: type: boolean + u2oInterconnectionIP: + type: string + enableLb: + type: boolean + enableEcmp: + type: boolean + enableMulticastSnoop: + type: boolean + routeTable: + type: string scope: Cluster names: plural: subnets 
@@ -1282,6 +2120,113 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + name: ippools.kubeovn.io +spec: + group: kubeovn.io + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Subnet + type: string + jsonPath: .spec.subnet + - name: IPs + type: string + jsonPath: .spec.ips + - name: V4Used + type: number + jsonPath: .status.v4UsingIPs + - name: V4Available + type: number + jsonPath: .status.v4AvailableIPs + - name: V6Used + type: number + jsonPath: .status.v6UsingIPs + - name: V6Available + type: number + jsonPath: .status.v6AvailableIPs + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + subnet: + type: string + x-kubernetes-validations: + - rule: "self == oldSelf" + message: "This field is immutable." + namespaces: + type: array + x-kubernetes-list-type: set + items: + type: string + ips: + type: array + minItems: 1 + x-kubernetes-list-type: set + items: + type: string + anyOf: + - format: ipv4 + - format: ipv6 + - format: cidr + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.\.(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + - pattern: 
^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))\.\.((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + required: + - subnet + - ips + status: + type: object + properties: + v4AvailableIPs: + type: number + v4UsingIPs: + type: number + v6AvailableIPs: + type: number + v6UsingIPs: + type: number + v4AvailableIPRange: + type: string + v4UsingIPRange: + type: string + v6AvailableIPRange: + type: string + v6UsingIPRange: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ippool +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: vlans.kubeovn.io spec: @@ -1360,7 +2305,6 @@ spec: not: enum: - int - - external spec: type: object properties: 
@@ -1531,3 +2475,113 @@ spec: status: {} conversion: strategy: None +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: qos-policies.kubeovn.io +spec: + group: kubeovn.io + names: + plural: qos-policies + singular: qos-policy + shortNames: + - qos + kind: QoSPolicy + listKind: QoSPolicyList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .spec.shared + name: Shared + type: string + - jsonPath: .spec.bindingType + name: BindingType + type: string + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + shared: + type: boolean + bindingType: + type: string + bandwidthLimitRules: + type: array + items: + type: object + properties: + name: + type: string + interface: + type: string + rateMax: + type: string + burstMax: + type: string + priority: + type: integer + direction: + type: string + matchType: + type: string + matchValue: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + shared: + type: boolean + bindingType: + type: string + bandwidthLimitRules: + type: array + items: + type: object + properties: + name: + type: string + interface: + type: string + rateMax: + type: string + burstMax: + type: string + priority: + type: integer + direction: + type: string + matchType: + type: string + matchValue: + type: string + required: + - name + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 index 60344ea0c77..f4acdedac10 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 
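Review bot: In the new `qos-policies.kubeovn.io` CRD the printer column `- jsonPath: .spec.shared` is declared `type: string` while the schema defines `spec.shared` as `type: boolean`; the column should be `type: boolean` so `kubectl get qos` renders it consistently. The bandwidth rule fields that end up in OVS QoS configuration are also unconstrained: `priority` has no `minimum`/`maximum`, and `direction`, `matchType` and `bindingType` are free-form strings rather than `enum`s, so a typo is only caught by the controller at reconcile time, if at all. I cannot tell from this diff which values kube-ovn accepts, so the enums would have to be taken from the upstream CRD before being added here.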
+++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 
@@ -1,4 +1,190 @@ --- +kind: ConfigMap +apiVersion: v1 +metadata: + name: ovn-vpc-nat-config + namespace: kube-system + annotations: + kubernetes.io/description: | + kube-ovn vpc-nat common config +data: + image: {{ kube_ovn_vpc_container_image_repo }}:{{ kube_ovn_vpc_container_image_tag }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: ovn-vpc-nat-gw-config + namespace: kube-system +data: + enable-vpc-nat-gw: "true" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-ovn-cni + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:kube-ovn-cni +rules: + - apiGroups: + - "kubeovn.io" + resources: + - subnets + - vlans + - provider-networks + verbs: + - get + - list + - watch + - apiGroups: + - "" + - "kubeovn.io" + resources: + - ovn-eips + - ovn-eips/status + - nodes + - pods + - vlans + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "kubeovn.io" + resources: + - ips + verbs: + - get + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-ovn-cni +roleRef: + name: system:kube-ovn-cni + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: kube-ovn-cni + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kube-ovn-cni + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: 
kube-ovn-cni + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-ovn-app + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:kube-ovn-app +rules: + - apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-ovn-app +roleRef: + name: system:kube-ovn-app + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: kube-ovn-app + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kube-ovn-app + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: kube-ovn-app + namespace: kube-system +--- kind: Deployment apiVersion: apps/v1 metadata: @@ -25,8 +211,20 @@ spec: type: infra spec: tolerations: - - operator: Exists + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: "ovn.kubernetes.io/ic-gw" + operator: NotIn + values: + - "true" + weight: 100 podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: 
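Review bot: In the new `system:kube-ovn-cni` ClusterRole the second rule crosses `apiGroups: ["", "kubeovn.io"]` with `resources: [ovn-eips, ovn-eips/status, nodes, pods, vlans]`, so the per-node cni-server service account receives cluster-wide `patch` on every Pod and Node, not only on the objects of the node it runs on. Because this is an ordinary service account rather than the `system:nodes` group, NodeRestriction admission does not narrow it, and a compromised cni-server pod on one node could rewrite labels or annotations on any pod or node in the cluster. Splitting the rule so the core group lists only `nodes` and `pods` with the verbs the daemon actually needs, and `kubeovn.io` separately lists `ovn-eips`, `ovn-eips/status` and `vlans`, keeps the grant readable and makes each verb visibly intentional; which verbs can be dropped depends on the cni-server code, which is not visible here. If the rule is a verbatim copy of the upstream manifest, a comment above the ClusterRole saying so would at least document that the breadth is inherited rather than chosen.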
@@ -67,7 +265,12 @@ spec: - --log_file_max_size=0 - --enable-lb-svc=false - --keep-vm-ip={{ kube_ovn_keep_vm_ip }} - - --pod-default-fip-type="" + securityContext: + runAsUser: 0 + privileged: false + capabilities: + add: + - NET_BIND_SERVICE env: - name: ENABLE_SSL value: "{{ kube_ovn_enable_ssl | lower }}" @@ -85,6 +288,10 @@ spec: fieldPath: spec.nodeName - name: OVN_DB_IPS value: "{{ kube_ovn_central_ips }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP - name: POD_IPS valueFrom: fieldRef: @@ -96,18 +303,24 @@ spec: name: localtime - mountPath: /var/log/kube-ovn name: kube-ovn-log + - mountPath: /var/log/ovn + name: ovn-log - mountPath: /var/run/tls name: kube-ovn-tls readinessProbe: exec: command: - - /kube-ovn/kube-ovn-controller-healthcheck + - /kube-ovn/kube-ovn-healthcheck + - --port=10660 + - --tls=false periodSeconds: 3 timeoutSeconds: 45 livenessProbe: exec: command: - - /kube-ovn/kube-ovn-controller-healthcheck + - /kube-ovn/kube-ovn-healthcheck + - --port=10660 + - --tls=false initialDelaySeconds: 300 periodSeconds: 7 failureThreshold: 5 @@ -128,6 +341,9 @@ spec: - name: kube-ovn-log hostPath: path: /var/log/kube-ovn + - name: ovn-log + hostPath: + path: /var/log/ovn - name: kube-ovn-tls secret: optional: true @@ -161,7 +377,7 @@ spec: - key: CriticalAddonsOnly operator: Exists priorityClassName: system-node-critical - serviceAccountName: ovn + serviceAccountName: kube-ovn-cni hostNetwork: true hostPID: true initContainers: @@ -202,7 +418,13 @@ spec: - --log_file_max_size=0 securityContext: runAsUser: 0 - privileged: true + privileged: false + capabilities: + add: + - NET_ADMIN + - NET_BIND_SERVICE + - NET_RAW + - SYS_ADMIN env: - name: ENABLE_SSL value: "{{ kube_ovn_enable_ssl | lower }}" 
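Review bot: The rewritten readiness and liveness probes in the `@@ -96,18 +303,24 @@` hunk hard-code `--tls=false` on port 10660 while the same container's `ENABLE_SSL` env is templated from `kube_ovn_enable_ssl`; if enabling SSL also puts the healthcheck listener behind TLS, the probes will fail on SSL-enabled clusters. If that is the case, `- --tls={{ kube_ovn_enable_ssl | lower }}` keeps the probe in step with the variable; if the healthcheck endpoint is always plaintext regardless of `ENABLE_SSL`, a one-line comment above the probes saying so would stop the next reader from asking the same question. The same hard-coded `--tls=false` appears in the cni-server probes (`@@ -262,17 +486,22 @@`, port 10665) and in the probes of the `@@ -532,30 +760,38 @@` hunk (port 10661).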
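Review bot: Switching kube-ovn-cni from `privileged: true` to `privileged: false` in the `@@ -202,7 +418,13 @@` hunk is a real improvement, but the capability set it adds — `SYS_ADMIN` together with `NET_ADMIN` and `NET_RAW`, as `runAsUser: 0`, in a pod that the `@@ -161,7 +377,7 @@` hunk shows running with `hostNetwork: true` and `hostPID: true` — still leaves a container that can mount, enter the namespaces of host processes and reconfigure host networking, so it should not be read as the container being unprivileged. A short comment above `capabilities:` naming what each of `SYS_ADMIN` and `NET_RAW` is needed for (presumably mount-namespace and netns work for CNI; I cannot tell from the diff) would let a later cleanup drop whichever stops being necessary. The enclosing container spec starts and ends outside this hunk.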
@@ -231,14 +453,15 @@ spec: mountPath: /lib/modules readOnly: true - name: shared-dir - mountPath: /var/lib/kubelet/pods + mountPath: $KUBELET_DIR/pods - mountPath: /etc/openvswitch name: systemid + readOnly: true - mountPath: /etc/cni/net.d name: cni-conf - mountPath: /run/openvswitch name: host-run-ovs - mountPropagation: Bidirectional + mountPropagation: HostToContainer - mountPath: /run/ovn name: host-run-ovn - mountPath: /host/var/run/dbus @@ -255,6 +478,7 @@ spec: name: host-log-ovn - mountPath: /etc/localtime name: localtime + readOnly: true - mountPath: /tmp name: tmp livenessProbe: @@ -262,17 +486,22 @@ spec: initialDelaySeconds: 30 periodSeconds: 7 successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 + exec: + command: + - /kube-ovn/kube-ovn-healthcheck + - --port=10665 + - --tls=false + timeoutSeconds: 5 readinessProbe: failureThreshold: 3 - initialDelaySeconds: 30 periodSeconds: 7 successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 + exec: + command: + - /kube-ovn/kube-ovn-healthcheck + - --port=10665 + - --tls=false + timeoutSeconds: 5 resources: requests: cpu: {{ kube_ovn_cni_server_cpu_request }} @@ -389,28 +618,23 @@ spec: fieldRef: fieldPath: spec.nodeName volumeMounts: - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /run/openvswitch - name: host-run-ovs - mountPath: /var/run/openvswitch name: host-run-ovs - mountPath: /var/run/ovn name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - mountPath: /etc/openvswitch name: host-config-openvswitch - mountPath: /var/log/openvswitch name: host-log-ovs + readOnly: true - mountPath: /var/log/ovn name: host-log-ovn + readOnly: true - mountPath: /var/log/kube-ovn name: kube-ovn-log - mountPath: /etc/localtime name: localtime + readOnly: true - mountPath: /var/run/tls name: kube-ovn-tls resources: 
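Review bot: `mountPath: $KUBELET_DIR/pods` in the `@@ -231,14 +453,15 @@` hunk is a literal string to Kubernetes — neither the API server nor the kubelet expands `$VAR` in `volumeMounts[].mountPath` — and it is not a Jinja expression either, so the container will get a directory literally named `$KUBELET_DIR/pods` instead of the pods directory it previously found at `/var/lib/kubelet/pods`. This looks carried over from upstream's shell-substituted install script; in this template it should be rendered from whatever variable the role uses for the kubelet root (placeholder: `mountPath: "{{ KUBELET_ROOT_VAR }}/pods"`), or restored to `/var/lib/kubelet/pods` if the role does not make that configurable, and the `shared-dir` hostPath (outside this hunk) must point at the same directory. The `mountPropagation: HostToContainer` and the `readOnly: true` on `systemid` in the same hunk are good changes; they keep container-side mounts from propagating back to the host.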
@@ -423,18 +647,12 @@ spec: nodeSelector: kubernetes.io/os: "linux" volumes: - - name: host-modules - hostPath: - path: /lib/modules - name: host-run-ovs hostPath: path: /run/openvswitch - name: host-run-ovn hostPath: path: /run/ovn - - name: host-sys - hostPath: - path: /sys - name: host-config-openvswitch hostPath: path: /etc/origin/openvswitch @@ -500,6 +718,12 @@ spec: image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} command: ["/kube-ovn/start-ovn-monitor.sh"] + args: + - --secure-serving=false + - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log + - --logtostderr=false + - --alsologtostderr=true + - --log_file_max_size=200 securityContext: runAsUser: 0 privileged: false @@ -510,6 +734,10 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP - name: POD_IPS valueFrom: fieldRef: 
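Review bot: The new `args` for the ovn-monitor container in the `@@ -500,6 +718,12 @@` hunk hard-code `--secure-serving=false`, so the monitor's endpoint is served plaintext even when `kube_ovn_enable_ssl` is on and the `kube-ovn-tls` secret is mounted at `/var/run/tls` (the `@@ -532,30 +760,38 @@` hunk, which appears to belong to the same pod, shows that mount); if the monitor can serve TLS from that material, `- --secure-serving={{ kube_ovn_enable_ssl | lower }}` would follow the same switch as `ENABLE_SSL`, otherwise a comment stating that the monitor endpoint is intentionally plaintext, and on which port, documents the exposure. `--log_file_max_size=200` also differs from the `--log_file_max_size=0` the other containers pass (`@@ -67,7 +265,12 @@`, `@@ -202,7 +418,13 @@`); if that asymmetry is deliberate a one-line comment would help.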
@@ -532,30 +760,38 @@ spec: name: host-config-openvswitch - mountPath: /etc/ovn name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - mountPath: /var/log/ovn name: host-log-ovn + readOnly: true - mountPath: /etc/localtime name: localtime + readOnly: true - mountPath: /var/run/tls name: kube-ovn-tls - readinessProbe: - exec: - command: - - cat - - /var/run/ovn/ovn-controller.pid - periodSeconds: 10 - timeoutSeconds: 45 + - mountPath: /var/log/kube-ovn + name: kube-ovn-log livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 7 + successThreshold: 1 exec: command: - - cat - - /var/run/ovn/ovn-controller.pid + - /kube-ovn/kube-ovn-healthcheck + - --port=10661 + - --tls=false + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 3 initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 5 - timeoutSeconds: 45 + periodSeconds: 7 + successThreshold: 1 + exec: + command: + - /kube-ovn/kube-ovn-healthcheck + - --port=10661 + - --tls=false + timeoutSeconds: 5 nodeSelector: kubernetes.io/os: "linux" kube-ovn/role: "master" @@ -585,6 +821,9 @@ spec: secret: optional: true secretName: kube-ovn-tls + - name: kube-ovn-log + hostPath: + path: /var/log/kube-ovn --- kind: Service apiVersion: v1 diff --git a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 index d632f3b8f4e..453ac60722d 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 +++ b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 
@@ -1,6 +1,54 @@ --- apiVersion: v1 kind: ServiceAccount +metadata: + name: ovn-ovs + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:ovn-ovs +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - patch + - apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ovn-ovs +roleRef: + name: system:ovn-ovs + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: ovn-ovs + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount metadata: name: ovn namespace: kube-system @@ -18,8 +66,11 @@ rules: - vpcs - vpcs/status - vpc-nat-gateways + - vpc-nat-gateways/status - subnets - subnets/status + - ippools + - ippools/status - ips - vips - vips/status 
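Review bot: The new `system:ovn-ovs` ClusterRole grants `patch` on `pods` across all namespaces; if the ovn-central and ovs pods only patch their own pod objects in `kube-system` (the `POD_NAME`/`POD_NAMESPACE` env added to the ovs container in `@@ -379,6 +522,14 @@` suggests self-referencing), a namespaced `Role` plus `RoleBinding` in `kube-system` would carry the same function without the cluster-wide grant. The `rbac.authorization.k8s.io/system-only: "true"` annotation is informational only and does not restrict who can bind the role, so it should not be relied on as a control.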
@@ -43,59 +94,98 @@ rules: - ovn-eips/status - ovn-fips/status - ovn-snat-rules/status + - ovn-dnat-rules + - ovn-dnat-rules/status - switch-lb-rules - switch-lb-rules/status - vpc-dnses - vpc-dnses/status + - qos-policies + - qos-policies/status verbs: - "*" - apiGroups: - "" resources: - pods - - pods/exec - namespaces - - nodes - - configmaps verbs: - - create - get - list + - patch - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list - patch - update + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create - apiGroups: - "k8s.cni.cncf.io" resources: - network-attachment-definitions verbs: - - create - - delete - get - - list - - update - apiGroups: - "" - networking.k8s.io - - apps - - extensions resources: - networkpolicies + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - apiGroups: + - "" + resources: - services - services/status + verbs: + - get + - list + - update + - create + - delete + - watch + - apiGroups: + - "" + resources: - endpoints + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: - statefulsets - - daemonsets - deployments - deployments/scale verbs: + - get + - list - create - delete - update - - patch - - get - - list - - watch - apiGroups: - "" resources: @@ -118,6 +208,18 @@ rules: verbs: - get - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
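Review bot: The reorganized rules in the `@@ -43,59 +94,98 @@` hunk keep `create` on `pods/exec` cluster-wide for the `ovn` service account; exec into any pod in any namespace is equivalent to being that pod, so this is the most powerful grant in the role and deserves a comment saying which controller code path needs it (if it is only used against kube-ovn's own pods in `kube-system`, a namespaced `Role` for that verb would suffice). The split of `nodes` (get/list/patch/update/watch) and `pods` (get/list/patch/watch) into separate rules is a clear improvement over the old combined rule. The hunk also leaves `services` with `create`/`delete` cluster-wide while the controller is started with `--enable-lb-svc=false` (`@@ -67,7 +265,12 @@`); if those verbs only serve that feature, noting it next to the rule would help future narrowing.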
@@ -132,6 +234,20 @@ subjects: name: ovn namespace: kube-system --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ovn + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: ovn + namespace: kube-system +--- kind: Service apiVersion: v1 metadata: @@ -218,7 +334,12 @@ spec: type: infra spec: tolerations: - - operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -227,7 +348,7 @@ spec: app: ovn-central topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical - serviceAccountName: ovn + serviceAccountName: ovn-ovs hostNetwork: true containers: - name: ovn-central @@ -236,7 +357,9 @@ spec: command: ["/kube-ovn/start-db.sh"] securityContext: capabilities: - add: ["SYS_NICE"] + add: + - NET_BIND_SERVICE + - SYS_NICE env: - name: ENABLE_SSL value: "{{ kube_ovn_enable_ssl | lower }}" @@ -260,6 +383,12 @@ spec: fieldPath: status.podIPs - name: ENABLE_BIND_LOCAL_IP value: "{{ kube_ovn_bind_local_ip_enabled }}" + - name: PROBE_INTERVAL + value: "180000" + - name: OVN_NORTHD_PROBE_INTERVAL + value: "5000" + - name: OVN_LEADER_PROBE_INTERVAL + value: "5" resources: requests: cpu: {{ kube_ovn_db_cpu_request }} @@ -349,7 +478,10 @@ spec: matchLabels: app: ovs updateStrategy: - type: OnDelete + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: @@ -358,9 +490,14 @@ spec: type: infra spec: tolerations: - - operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists priorityClassName: system-node-critical - serviceAccountName: ovn + serviceAccountName: ovn-ovs hostNetwork: true hostPID: true containers: 
@@ -371,7 +508,13 @@ spec: command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}] securityContext: runAsUser: 0 - privileged: true + privileged: false + capabilities: + add: + - NET_ADMIN + - NET_BIND_SERVICE + - SYS_MODULE + - SYS_NICE env: - name: ENABLE_SSL value: "{{ kube_ovn_enable_ssl | lower }}" @@ -379,6 +522,14 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace {% if not kube_ovn_dpdk_enabled %} - name: HW_OFFLOAD value: "{{ kube_ovn_hw_offload | string | lower }}" @@ -425,6 +576,9 @@ spec: name: localtime - mountPath: /var/run/tls name: kube-ovn-tls + - mountPath: /var/run/containerd + name: cruntime + readOnly: true readinessProbe: exec: command: @@ -511,6 +665,9 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: cruntime + hostPath: + path: /var/run/containerd - name: kube-ovn-tls secret: optional: true diff --git a/roles/network_plugin/kube-router/tasks/reset.yml b/roles/network_plugin/kube-router/tasks/reset.yml index ae9ee55c7b7..32f707591e4 100644 --- a/roles/network_plugin/kube-router/tasks/reset.yml +++ b/roles/network_plugin/kube-router/tasks/reset.yml @@ -2,9 +2,9 @@ - name: Reset | check kube-dummy-if network device stat: path: /sys/class/net/kube-dummy-if - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kube_dummy_if - name: Reset | remove the network device created by kube-router @@ -14,9 +14,9 @@ - name: Check kube-bridge exists stat: path: /sys/class/net/kube-bridge - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kube_bridge_if - name: Reset | donw the network bridge create by kube-router 
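Review bot: The ovs container now runs with `privileged: false` but adds `SYS_MODULE`, which allows loading arbitrary kernel modules and is therefore equivalent to root on the node; combined with `runAsUser: 0`, `hostNetwork: true` and `hostPID: true` (set in the preceding `@@ -358,9 +490,14 @@` hunk) this should be documented as a deliberate, still host-level privilege rather than a de-privileging. A comment such as `# SYS_MODULE: start-ovs.sh loads kernel modules at start-up (module list: TODO confirm)` would explain the capability, and if the modules are already loaded by the host or by an init step, the capability could be dropped from the long-running container. The container definition continues outside this hunk.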
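Review bot: The new `cruntime` mount in the `@@ -425,6 +576,9 @@` hunk exposes `/var/run/containerd` to the ovs container, and `readOnly: true` does not prevent connecting to a Unix socket under that path, so this is effectively container-runtime API access for a pod that is already root on the host network; a comment stating what the ovs container needs from the runtime would justify the mount. The hostPath added in `@@ -511,6 +665,9 @@` is also hard-coded to `/var/run/containerd` while the role supports other values of `container_manager` (the test fixtures in this diff set `container_manager: docker`), so on non-containerd nodes the mount is either an empty directory or the wrong socket; if the mount is only meaningful with containerd, wrap both the volumeMount and the volume in `{% if container_manager == 'containerd' %}`.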
diff --git a/roles/network_plugin/macvlan/tasks/main.yml b/roles/network_plugin/macvlan/tasks/main.yml index 165030d592c..6ffe3348cd0 100644 --- a/roles/network_plugin/macvlan/tasks/main.yml +++ b/roles/network_plugin/macvlan/tasks/main.yml @@ -104,7 +104,7 @@ ansible.posix.sysctl: name: net.ipv4.conf.all.arp_notify value: 1 - sysctl_set: yes + sysctl_set: true sysctl_file: "{{ sysctl_file_path }}" state: present - reload: yes + reload: true diff --git a/roles/recover_control_plane/etcd/tasks/main.yml b/roles/recover_control_plane/etcd/tasks/main.yml index 599f56b1506..6291ea36f79 100644 --- a/roles/recover_control_plane/etcd/tasks/main.yml +++ b/roles/recover_control_plane/etcd/tasks/main.yml @@ -4,7 +4,7 @@ register: etcd_endpoint_health ignore_errors: true # noqa ignore-errors changed_when: false - check_mode: no + check_mode: false environment: ETCDCTL_API: "3" ETCDCTL_ENDPOINTS: "{{ etcd_access_addresses }}" @@ -64,7 +64,7 @@ command: "{{ bin_dir }}/etcdctl member list" register: member_list changed_when: false - check_mode: no + check_mode: false environment: ETCDCTL_API: "3" ETCDCTL_ENDPOINTS: "{{ etcd_access_addresses }}" diff --git a/roles/remove-node/remove-etcd-node/tasks/main.yml b/roles/remove-node/remove-etcd-node/tasks/main.yml index 0279018d4fd..70e33251a0f 100644 --- a/roles/remove-node/remove-etcd-node/tasks/main.yml +++ b/roles/remove-node/remove-etcd-node/tasks/main.yml @@ -32,7 +32,7 @@ register: etcd_member_id ignore_errors: true # noqa ignore-errors changed_when: false - check_mode: no + check_mode: false tags: - facts environment: diff --git a/roles/reset/defaults/main.yml b/roles/reset/defaults/main.yml index a9539c7e00a..1e84da77dcc 100644 --- a/roles/reset/defaults/main.yml +++ b/roles/reset/defaults/main.yml 
@@ -6,7 +6,7 @@ reset_restart_network_service_name: >- {% if ansible_os_family == "RedHat" -%} {%- if ansible_distribution_major_version | int >= 8 - or is_fedora_coreos or ansible_distribution == "Fedora" or ansible_distribution == "Kylin Linux Advanced Server" -%} + or is_fedora_coreos or ansible_distribution in ["Fedora", "Kylin Linux Advanced Server", "TencentOS"] -%} NetworkManager {%- else -%} network diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml index 6b5379e103f..acafb5a760e 100644 --- a/roles/reset/tasks/main.yml +++ b/roles/reset/tasks/main.yml @@ -50,9 +50,9 @@ - name: Reset | check if crictl is present stat: path: "{{ bin_dir }}/crictl" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: crictl - name: Reset | stop all cri containers @@ -161,7 +161,7 @@ shell: set -o pipefail && mount | grep /var/lib/kubelet/ | awk '{print $3}' | tac args: executable: /bin/bash - check_mode: no + check_mode: false register: mounted_dirs failed_when: false changed_when: false @@ -182,7 +182,7 @@ - name: Flush iptables iptables: table: "{{ item }}" - flush: yes + flush: true with_items: - filter - nat @@ -195,7 +195,7 @@ - name: Flush ip6tables iptables: table: "{{ item }}" - flush: yes + flush: true ip_version: ipv6 with_items: - filter @@ -215,9 +215,9 @@ - name: Reset | check kube-ipvs0 network device stat: path: /sys/class/net/kube-ipvs0 - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: kube_ipvs0 - name: Reset | Remove kube-ipvs0 @@ -229,9 +229,9 @@ - name: Reset | check nodelocaldns network device stat: path: /sys/class/net/nodelocaldns - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: nodelocaldns_device - name: Reset | Remove nodelocaldns 
@@ -243,9 +243,9 @@ - name: Reset | Check whether /var/lib/kubelet directory exists stat: path: /var/lib/kubelet - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: var_lib_kubelet_directory - name: Reset | Find files/dirs with immutable flag in /var/lib/kubelet @@ -300,6 +300,7 @@ - /etc/etcd.env - /etc/calico - /etc/NetworkManager/conf.d/calico.conf + - /etc/NetworkManager/conf.d/dns.conf - /etc/NetworkManager/conf.d/k8s.conf - /etc/weave.env - /opt/cni diff --git a/roles/upgrade/post-upgrade/tasks/main.yml b/roles/upgrade/post-upgrade/tasks/main.yml index d82fe8d33c4..467ff05e184 100644 --- a/roles/upgrade/post-upgrade/tasks/main.yml +++ b/roles/upgrade/post-upgrade/tasks/main.yml @@ -13,7 +13,7 @@ - name: Confirm node uncordon pause: - echo: yes + echo: true prompt: "Ready to uncordon node?" when: - upgrade_node_post_upgrade_confirm diff --git a/roles/upgrade/pre-upgrade/tasks/main.yml b/roles/upgrade/pre-upgrade/tasks/main.yml index 8d5d99c937d..6e3cdd2b859 100644 --- a/roles/upgrade/pre-upgrade/tasks/main.yml +++ b/roles/upgrade/pre-upgrade/tasks/main.yml @@ -2,7 +2,7 @@ # Wait for upgrade - name: Confirm node upgrade pause: - echo: yes + echo: true prompt: "Ready to upgrade node? (Press Enter to continue or Ctrl+C for other options)" when: - upgrade_node_confirm diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml index 880c58cf8e2..1dd504e1673 100644 --- a/roles/win_nodes/kubernetes_patch/tasks/main.yml +++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml @@ -4,7 +4,7 @@ file: path: "{{ kubernetes_user_manifests_path }}/kubernetes" state: directory - recurse: yes + recurse: true tags: [init, cni] - name: Apply kube-proxy nodeselector diff --git a/scripts/collect-info.yaml b/scripts/collect-info.yaml index 0234c073361..272fb724b24 100644 --- a/scripts/collect-info.yaml +++ b/scripts/collect-info.yaml 
@@ -2,7 +2,7 @@ - name: Collect debug info hosts: all become: true - gather_facts: no + gather_facts: false vars: docker_bin_dir: /usr/bin @@ -118,7 +118,7 @@ failed_when: false with_items: "{{ commands }}" when: item.when | default(True) - no_log: True + no_log: true - name: Fetch results fetch: diff --git a/tests/cloud_playbooks/cleanup-packet.yml b/tests/cloud_playbooks/cleanup-packet.yml index 009071ec2b9..2ba5e30210a 100644 --- a/tests/cloud_playbooks/cleanup-packet.yml +++ b/tests/cloud_playbooks/cleanup-packet.yml @@ -2,7 +2,7 @@ - name: Cleanup packet vms hosts: localhost - gather_facts: no + gather_facts: false become: true roles: - { role: cleanup-packet-ci } diff --git a/tests/cloud_playbooks/create-packet.yml b/tests/cloud_playbooks/create-packet.yml index 8212fb6c836..2cd08b54d18 100644 --- a/tests/cloud_playbooks/create-packet.yml +++ b/tests/cloud_playbooks/create-packet.yml @@ -2,7 +2,7 @@ - name: Provision Packet VMs hosts: localhost - gather_facts: no + gather_facts: false become: true vars: ci_job_name: "{{ lookup('env', 'CI_JOB_NAME') }}" diff --git a/tests/cloud_playbooks/delete-packet.yml b/tests/cloud_playbooks/delete-packet.yml index 7d0c9003c7a..7320da62238 100644 --- a/tests/cloud_playbooks/delete-packet.yml +++ b/tests/cloud_playbooks/delete-packet.yml @@ -2,7 +2,7 @@ - name: Terminate Packet VMs hosts: localhost - gather_facts: no + gather_facts: false become: true vars: ci_job_name: "{{ lookup('env', 'CI_JOB_NAME') }}" diff --git a/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml b/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml index 98bd05a61d4..75156584a89 100644 --- a/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml +++ b/tests/cloud_playbooks/roles/packet-ci/tasks/delete-vms.yml 
@@ -3,9 +3,9 @@ - name: Check if temp directory for {{ test_name }} exists stat: path: "/tmp/{{ test_name }}" - get_attributes: no - get_checksum: no - get_mime: no + get_attributes: false + get_checksum: false + get_mime: false register: temp_dir_details - name: "Cleanup temp directory for {{ test_name }}" diff --git a/tests/cloud_playbooks/wait-for-ssh.yml b/tests/cloud_playbooks/wait-for-ssh.yml index 0e09c9f04cd..54b2682737b 100644 --- a/tests/cloud_playbooks/wait-for-ssh.yml +++ b/tests/cloud_playbooks/wait-for-ssh.yml @@ -1,8 +1,8 @@ --- - name: Wait until SSH is available hosts: all - become: False - gather_facts: False + become: false + gather_facts: false tasks: - name: Wait until SSH is available diff --git a/tests/files/packet_ubuntu20-all-in-one-docker.yml b/tests/files/packet_ubuntu20-all-in-one-docker.yml index 2ed6307d8c2..0116eae42c8 100644 --- a/tests/files/packet_ubuntu20-all-in-one-docker.yml +++ b/tests/files/packet_ubuntu20-all-in-one-docker.yml @@ -8,7 +8,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false # Use docker container_manager: docker diff --git a/tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml b/tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml index c494810cf07..5dafe23bfc8 100644 --- a/tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml +++ b/tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml @@ -8,7 +8,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false # The followings are for hardening ## kube-apiserver 
diff --git a/tests/files/packet_ubuntu20-calico-all-in-one.yml b/tests/files/packet_ubuntu20-calico-all-in-one.yml index 3cfc99c96d5..f59e72a3ca1 100644 --- a/tests/files/packet_ubuntu20-calico-all-in-one.yml +++ b/tests/files/packet_ubuntu20-calico-all-in-one.yml @@ -8,4 +8,4 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false diff --git a/tests/files/packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha.yml b/tests/files/packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha.yml index 57187a8dd46..425ce75b816 100644 --- a/tests/files/packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha.yml +++ b/tests/files/packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha.yml @@ -10,7 +10,7 @@ upgrade_cluster_setup: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false # Pin disabling ipip mode to ensure proper upgrade ipip: false diff --git a/tests/files/packet_ubuntu20-calico-etcd-kubeadm.yml b/tests/files/packet_ubuntu20-calico-etcd-kubeadm.yml index ba9d7b34b8d..ddc5cb5561e 100644 --- a/tests/files/packet_ubuntu20-calico-etcd-kubeadm.yml +++ b/tests/files/packet_ubuntu20-calico-etcd-kubeadm.yml @@ -8,7 +8,7 @@ etcd_deployment_type: kubeadm # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false # Remove anonymous access to cluster remove_anonymous_access: true diff --git a/tests/files/packet_ubuntu22-all-in-one-docker.yml b/tests/files/packet_ubuntu22-all-in-one-docker.yml index 16ae4598629..fcdd8f3ccfa 100644 
--- a/tests/files/packet_ubuntu22-all-in-one-docker.yml +++ b/tests/files/packet_ubuntu22-all-in-one-docker.yml @@ -9,7 +9,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false # Use docker container_manager: docker diff --git a/tests/files/packet_ubuntu22-calico-all-in-one-upgrade.yml b/tests/files/packet_ubuntu22-calico-all-in-one-upgrade.yml new file mode 100644 index 00000000000..61553010753 --- /dev/null +++ b/tests/files/packet_ubuntu22-calico-all-in-one-upgrade.yml @@ -0,0 +1,24 @@ +--- +# Instance settings +cloud_image: ubuntu-2204 +mode: all-in-one +vm_memory: 1600 + +# Kubespray settings +auto_renew_certificates: true + +# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko +kube_proxy_mode: iptables +enable_nodelocaldns: false + +containerd_registries_mirrors: + - prefix: docker.io + mirrors: + - host: https://mirror.gcr.io + capabilities: ["pull", "resolve"] + skip_verify: false + - prefix: 172.19.16.11:5000 + mirrors: + - host: http://172.19.16.11:5000 + capabilities: ["pull", "resolve", "push"] + skip_verify: true diff --git a/tests/files/packet_ubuntu22-calico-all-in-one.yml b/tests/files/packet_ubuntu22-calico-all-in-one.yml index 2c666f8e33d..61553010753 100644 --- a/tests/files/packet_ubuntu22-calico-all-in-one.yml +++ b/tests/files/packet_ubuntu22-calico-all-in-one.yml @@ -9,7 +9,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false containerd_registries_mirrors: - prefix: docker.io 
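Review bot: The new fixture's second mirror entry pairs an `http://` endpoint with `skip_verify: true`, which is an unauthenticated, unverified pull path; since this file is byte-identical to `packet_ubuntu22-calico-all-in-one.yml` (both resolve to blob `61553010753` in the index lines) that is inherited rather than new, but a comment like `# CI-only local mirror, plaintext by design; do not copy into real inventories` above the `172.19.16.11:5000` entry would keep the pattern from being copied elsewhere. Keeping two identical fixtures also invites drift; if the CI harness requires the file to exist under the job name, a short comment at the top saying it must stay in sync with the non-upgrade file would help.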
diff --git a/tests/files/packet_ubuntu24-all-in-one-docker.yml b/tests/files/packet_ubuntu24-all-in-one-docker.yml index d4a0adccb64..8b1da4ac0cb 100644 --- a/tests/files/packet_ubuntu24-all-in-one-docker.yml +++ b/tests/files/packet_ubuntu24-all-in-one-docker.yml @@ -9,7 +9,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false # Use docker container_manager: docker diff --git a/tests/files/packet_ubuntu24-calico-all-in-one.yml b/tests/files/packet_ubuntu24-calico-all-in-one.yml index 4b9e403ca12..5d7f55878ad 100644 --- a/tests/files/packet_ubuntu24-calico-all-in-one.yml +++ b/tests/files/packet_ubuntu24-calico-all-in-one.yml @@ -9,7 +9,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false containerd_registries_mirrors: - prefix: docker.io diff --git a/tests/files/packet_ubuntu24-calico-etcd-datastore.yml b/tests/files/packet_ubuntu24-calico-etcd-datastore.yml index 2805fa731a3..4f35d2f8763 100644 --- a/tests/files/packet_ubuntu24-calico-etcd-datastore.yml +++ b/tests/files/packet_ubuntu24-calico-etcd-datastore.yml @@ -9,7 +9,7 @@ auto_renew_certificates: true # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko kube_proxy_mode: iptables -enable_nodelocaldns: False +enable_nodelocaldns: false containerd_registries: "docker.io": "https://mirror.gcr.io" diff --git a/tests/requirements.txt b/tests/requirements.txt index fda1ba5c24c..ac68e51990f 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt 
@@ -3,10 +3,10 @@ ansible-lint==24.7.0 apache-libcloud==3.8.0 ara[server]==1.7.1 dopy==0.3.7 -molecule==24.7.0 +molecule==24.8.0 molecule-plugins[vagrant]==23.5.3 pytest-testinfra==10.1.1 python-vagrant==1.0.0 -tox==4.16.0 +tox==4.18.0 tzdata==2024.1 yamllint==1.35.1 diff --git a/tests/scripts/check-templates.py b/tests/scripts/check-templates.py index 1092a0d3efc..3c94dfb29cb 100755 --- a/tests/scripts/check-templates.py +++ b/tests/scripts/check-templates.py @@ -1,9 +1,20 @@ #!/usr/bin/env python import sys +import traceback from jinja2 import Environment +from jinja2.exceptions import TemplateSyntaxError + env = Environment() +errors = False for template in sys.argv[1:]: - with open(template) as t: - env.parse(t.read()) + try: + with open(template) as t: + env.parse(t.read()) + except TemplateSyntaxError as e: + print (template) + traceback.print_exc() + errors = True +if errors: + exit (1) diff --git a/tests/scripts/testcases_run.sh b/tests/scripts/testcases_run.sh index a1c09be66ce..6e01fb5bb4f 100755 --- a/tests/scripts/testcases_run.sh +++ b/tests/scripts/testcases_run.sh @@ -42,12 +42,13 @@ if [[ "$CI_JOB_NAME" =~ "opensuse" ]]; then fi # Check out latest tag if testing upgrade -test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout "$KUBESPRAY_VERSION" -# Checkout the CI vars file so it is available -test "${UPGRADE_TEST}" != "false" && git checkout "${CI_COMMIT_SHA}" tests/files/${CI_JOB_NAME}.yml -test "${UPGRADE_TEST}" != "false" && git checkout "${CI_COMMIT_SHA}" ${CI_TEST_REGISTRY_MIRROR} -test "${UPGRADE_TEST}" != "false" && git checkout "${CI_COMMIT_SHA}" ${CI_TEST_SETTING} - +if [ "${UPGRADE_TEST}" != "false" ]; then + git fetch --all && git checkout "$KUBESPRAY_VERSION" + # Checkout the CI vars file so it is available + git checkout "${CI_COMMIT_SHA}" tests/files/${CI_JOB_NAME}.yml + git checkout "${CI_COMMIT_SHA}" ${CI_TEST_REGISTRY_MIRROR} + git checkout "${CI_COMMIT_SHA}" ${CI_TEST_SETTING} +fi run_playbook () { playbook=$1 
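Review bot: The new error path in `tests/scripts/check-templates.py` uses the `exit (1)` builtin, which is installed by the `site` module and not guaranteed in every interpreter; `sys.exit(1)` (`sys` is already imported) is the correct call. The bound name in `except TemplateSyntaxError as e:` is unused and the `print (template)` / `exit (1)` spacing is non-PEP8; `except TemplateSyntaxError:` and `print(template)` read cleaner. Writing the failing template name to stderr (`print(template, file=sys.stderr)`) would keep it next to the traceback that `traceback.print_exc()` already sends there.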
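Review bot: Inside the new `if` block in `tests/scripts/testcases_run.sh`, `git fetch --all && git checkout "$KUBESPRAY_VERSION"` lets a failed fetch skip the checkout silently — a failing left-hand side of `&&` does not trip `set -e` even if the script enables it — so an upgrade job could proceed while believing it checked out the old version; putting `git fetch --all` on its own line makes the failure fatal. The three `git checkout "${CI_COMMIT_SHA}" …` lines leave `${CI_TEST_REGISTRY_MIRROR}` and `${CI_TEST_SETTING}` unquoted; if either is empty the command degrades to a bare `git checkout "${CI_COMMIT_SHA}"`, which switches the whole tree back to the commit under test and defeats the upgrade setup. Quoting them, or guarding with `[ -n "${CI_TEST_SETTING}" ] &&`, closes that gap; the same pattern existed in the removed lines, so this is a chance to fix it rather than a regression.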
@@ -67,8 +68,10 @@ ansible-playbook --limit "all:!fake_hosts" \ run_playbook cluster.yml # Repeat deployment if testing upgrade -case "${UPGRADE_TEST}" in +if [ "${UPGRADE_TEST}" != "false" ]; then + git checkout "${CI_COMMIT_SHA}" + case "${UPGRADE_TEST}" in "basic") run_playbook cluster.yml ;; @@ -77,7 +80,8 @@ case "${UPGRADE_TEST}" in ;; *) ;; -esac + esac +fi # Test control plane recovery if [ "${RECOVER_CONTROL_PLANE_TEST}" != "false" ]; then diff --git a/tests/testcases/010_check-apiserver.yml b/tests/testcases/010_check-apiserver.yml index 0d20bda0298..081a2a31ed2 100644 --- a/tests/testcases/010_check-apiserver.yml +++ b/tests/testcases/010_check-apiserver.yml @@ -6,7 +6,7 @@ - name: Check the API servers are responding uri: url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port | default(6443) }}/version" - validate_certs: no + validate_certs: false status_code: 200 register: apiserver_response retries: 12 diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml index 9b7eacfc1e9..e13128dd9ce 100644 --- a/tests/testcases/030_check-network.yml +++ b/tests/testcases/030_check-network.yml @@ -153,13 +153,13 @@ - name: Get running pods command: "{{ bin_dir }}/kubectl get pods -n test -o jsonpath='{range .items[?(.status.phase==\"Running\")]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" - changed_when: False + changed_when: false register: running_pods no_log: true - name: Check kubectl output command: "{{ bin_dir }}/kubectl get pods --all-namespaces -owide" - changed_when: False + changed_when: false register: get_pods no_log: true diff --git a/tests/testcases/040_check-network-adv.yml b/tests/testcases/040_check-network-adv.yml index 4fc70eb07ad..45cf6db284b 100644 --- a/tests/testcases/040_check-network-adv.yml +++ b/tests/testcases/040_check-network-adv.yml 
@@ -69,7 +69,7 @@ - name: Get netchecker agents uri: url: "http://{{ ansible_default_ipv4.address }}:{{ netchecker_port }}/api/v1/agents/" - return_content: yes + return_content: true run_once: true delegate_to: "{{ groups['kube_control_plane'][0] }}" register: agents @@ -85,7 +85,7 @@ uri: url: "http://{{ ansible_default_ipv4.address }}:{{ netchecker_port }}/api/v1/connectivity_check" status_code: 200 - return_content: yes + return_content: true delegate_to: "{{ groups['kube_control_plane'][0] }}" run_once: true register: connectivity_check diff --git a/tests/testcases/100_check-k8s-conformance.yml b/tests/testcases/100_check-k8s-conformance.yml index 3c07ffe46da..3e0f17109dd 100644 --- a/tests/testcases/100_check-k8s-conformance.yml +++ b/tests/testcases/100_check-k8s-conformance.yml @@ -24,7 +24,7 @@ unarchive: src: /tmp/sonobuoy.tar.gz dest: /usr/local/bin/ - copy: no + copy: false - name: Run sonobuoy command: "{{ sonobuoy_path }} run --mode {{ sonobuoy_mode }} --e2e-parallel {{ sonobuoy_parallel }} --wait"