Merge pull request #1 from jamroks/kube-1.11.1

Kube 1.11.1

Vagrantfile

@@ -112,6 +112,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     trigger.name = "Cleanup generated ressources"
     trigger.ignore = [:up, :halt, :resume, :provision, :reload]
     trigger.info = "Deleting resource folder ./provisioning/pki"
-    trigger.run  = {inline: "rm -rf ./provisioning/pki && rm ./kubectl ./kubeconfig.kubectl"}
+    trigger.run  = {inline: "rm -rf ./provisioning/pki && rm ./kubectl ./kubectl.kubeconfig"}
   end
 end

clustervars.yml

@@ -40,7 +40,7 @@ vagrant:
 cluster:
     name: "local"
     domain: "cluster.local"
-    kubernetes_version: 'v1.10.0'
+    kubernetes_version: 'v1.11.1'
     networking:
           pod_cidr_address: "172.16.0.0/16"
           service_cidr_address: "172.20.0.0/16"
@@ -53,13 +53,15 @@ ingress:
       address: 192.168.32.8
       vagrant_enabled: false
       nodename: node02
+
 apps:
-  dashboard:
-    enabled: false
-  traefik:
-    enabled: true
-  spinnaker:
-    enabled: true
+    dashboard:
+      enbaled: false
+    traefik:
+      enaled: true
+    spinnaker:
+      enabled: true
+
 ### -- kubernetes / ansible extra vars / vagrant vmbox variables
 server:
     etcd: ## etcd is for ansible only. etcd is on same vm as master

provisioning/clusterapps.yml

@@ -17,20 +17,27 @@
     import_role:
         name: rok.kube-apps/heapster
         tasks_from: heapStart
+    when: apps.dashboard.enabled |default(false) | bool == true
 
 
   - name: start <Role> | Deploy Dashboard
     tags: ['dashboard']
     import_role:
         name: rok.kube-apps/dashboard
         tasks_from: kubeDash
+    when: apps.dashboard.enabled |default(false) | bool == true
 
   - name: Deploy Traefik Ingress Controler
     tags: ['traefik']
     import_role:
          name: rok.kube-apps/traefik
+    when: apps.traefik.enabled |default(true) | bool == true
 
-
+  # - name: Deploy Spinnaker Continuous Delivery Platform
+  #   tags: ['traefik']
+  #   import_role:
+  #        name: rok.kube-apps/spinnaker
+  #   when: kubeapps.spinnaker.enabled |default(false) | bool == true
 
 # spinnaker.apps.roklab.ops
 # dashboard.apps.roklab.ops

provisioning/group_vars/all.yml

@@ -2,17 +2,12 @@
 
 etcd_version: 'v3.2.11'
 kube_version: "{{ cluster.kubernetes_version | default('v1.10.0') }}"
-helm_version: 'helm-v2.8.0'
-istio_version: '0.7.1'
 
 platform_arch: "{{ (ansible_architecture == 'armv6l') | ternary('aarch','amd64') }}"
 kube_mirror_url: 'https://storage.googleapis.com/kubernetes-release/release'
 etcd_mirror_url: 'https://storage.googleapis.com/etcd'
 istio_mirror_url: 'https://storage.googleapis.com/istio-release/releases'
 
-helm_mirror_url: 'https://storage.googleapis.com/kubernetes-helm'
-helm_pkg_sha256sum: "{% if ansible_system == 'Darwin' %}{{ sha256_darwin }}{% else %}{{ sha256_linux }}{% endif %}"
-
 etcd_cluster_list: "https://{{ server.etcd.nodes[0].nodename }}:2379"
 kube_master_apiserver_count: "{{ groups['controlplane'] | length }}"
 
@@ -89,7 +84,3 @@ images:
     traefik:
         name: traefik
         version: v1.6-alpine
-
-    haproxy:
-       name: quay.io/jcmoraisjr/haproxy-ingress
-       version: v0.5-beta.1

provisioning/roles/rok.kube-controlplane/apiserver/defaults/main.yml

@@ -9,13 +9,13 @@ admission_plugins:
    - NamespaceLifecycle
    - LimitRanger
    - ServiceAccount
-   - PersistentVolumeLabel
-   - DefaultStorageClass
-   - ResourceQuota
    - NodeRestriction
+   - DefaultStorageClass
    - DefaultTolerationSeconds
+   - PersistentVolumeLabel
    - MutatingAdmissionWebhook
    - ValidatingAdmissionWebhook
+   - ResourceQuota
    - Priority
 
 #--enable-admission-plugins
@@ -28,7 +28,7 @@ apiserver_opts:
   "profiling": "false"
   "bind-address": "0.0.0.0"
   "anonymous-auth": "false"
-  "client-ca-file": /etc/kubernetes/certs/ca.pem
+  "client-ca-file": "/etc/kubernetes/certs/ca.pem"
   "enable-swagger-ui": "true"
   "etcd-cafile": /etc/kubernetes/certs/ca.pem
   "etcd-certfile": /etc/kubernetes/certs/etcd-client.pem
@@ -37,9 +37,10 @@ apiserver_opts:
   "event-ttl": "1h"
   "external-hostname": "{{ server.controlplane.nodes[0].fqdn }}"
   "secure-port": "{{ kube_master_secure_port }}"
+  "kubelet-certificate-authority": "/etc/kubernetes/certs/ca.pem"
   "kubelet-client-certificate": "/etc/kubernetes/certs/apiserver-kubelet-client.pem"
   "kubelet-client-key": "/etc/kubernetes/certs/apiserver-kubelet-client-key.pem"
-  "kubelet-preferred-address-types": "InternalDNS,InternalIP,Hostname,ExternalIP,ExternalDNS"
+  "kubelet-preferred-address-types": "InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP"
   "runtime-config": "extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true,authentication.k8s.io/v1beta1=true"
   "service-account-lookup": "true"
   "service-account-key-file": /etc/kubernetes/certs/apiserver.pem
@@ -53,6 +54,7 @@ apiserver_opts:
 
 
 
+## This was for kubernetes <= 1.9 api
   # apiserver_opts:
   #   "admission-control": "{{ admission_plugins | join(',') }}"
   #   "advertise-address": "{{ prefered_iface }}"

provisioning/roles/rok.kube-controlplane/scheduler/templates/scheduler-config.yml

@@ -0,0 +1,6 @@
+apiVersion: componentconfig/v1alpha1
+kind: KubeSchedulerConfiguration
+clientConnection:
+  kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig"
+leaderElection:
+  leaderElect: true

provisioning/roles/rok.kube-controlplane/scheduler/templates/scheduler.systemd.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Kubernetes Scheduler
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/local/bin/kube-scheduler \\
+  --config=/etc/kubernetes/config/kube-scheduler.yaml \\
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

provisioning/roles/rok.kube-network/calico/templates/calico.yml.j2

@@ -227,8 +227,8 @@ spec:
 # Calico policy and networking mode.
 ---
 
+# description: Calico Felix Configuration
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Felix Configuration
 kind: CustomResourceDefinition
 metadata:
    name: felixconfigurations.crd.projectcalico.org
@@ -242,9 +242,8 @@ spec:
     singular: felixconfiguration
 
 ---
-
+# description: Calico BGP Peers
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico BGP Peers
 kind: CustomResourceDefinition
 metadata:
   name: bgppeers.crd.projectcalico.org
@@ -258,9 +257,8 @@ spec:
     singular: bgppeer
 
 ---
-
+# description: Calico BGP Configuration
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico BGP Configuration
 kind: CustomResourceDefinition
 metadata:
   name: bgpconfigurations.crd.projectcalico.org
@@ -274,9 +272,8 @@ spec:
     singular: bgpconfiguration
 
 ---
-
+# description: Calico IP Pools
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico IP Pools
 kind: CustomResourceDefinition
 metadata:
   name: ippools.crd.projectcalico.org
@@ -290,9 +287,8 @@ spec:
     singular: ippool
 
 ---
-
+# description: Calico HostEndpoints
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico HostEndpoints
 kind: CustomResourceDefinition
 metadata:
   name: hostendpoints.crd.projectcalico.org
@@ -306,9 +302,8 @@ spec:
     singular: hostendpoint
 
 ---
-
+# description: Calico Cluster Information
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Cluster Information
 kind: CustomResourceDefinition
 metadata:
   name: clusterinformations.crd.projectcalico.org
@@ -322,9 +317,8 @@ spec:
     singular: clusterinformation
 
 ---
-
+# description: Calico Global Network Policies
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Global Network Policies
 kind: CustomResourceDefinition
 metadata:
   name: globalnetworkpolicies.crd.projectcalico.org
@@ -339,8 +333,8 @@ spec:
 
 ---
 
+# description: Calico Global Network Sets
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Global Network Sets
 kind: CustomResourceDefinition
 metadata:
   name: globalnetworksets.crd.projectcalico.org
@@ -354,9 +348,8 @@ spec:
     singular: globalnetworkset
 
 ---
-
+# description: Calico Network Policies
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Network Policies
 kind: CustomResourceDefinition
 metadata:
   name: networkpolicies.crd.projectcalico.org

provisioning/roles/rok.kube-node/kube-proxy/templates/kube-proxy.systemd.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Kubernetes Kube Proxy
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/local/bin/kube-proxy \\
+  --config=/var/lib/kube-proxy/kube-proxy-config.yaml
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

provisioning/roles/rok.kube-node/kubelet/defaults/main.yml

@@ -5,7 +5,7 @@ kubelet_schedulable: '{% if "worker" in group_names %}true{% else %}false{% endi
 kubelet_master_only: '{% if inventory_hostname in groups["controlplane"] and inventory_hostname not in groups["worker"] %}true{% else %}false{% endif %}'
 
 kubelet_overrides:
-    'fail-swap-on': 'false'
+    'fail-swap-on': 'true'
 
 kubelet_opts:
   'allow-privileged': 'true'
@@ -24,9 +24,9 @@ kubelet_opts:
   'alsologtostderr': 'true'
   'fail-swap-on': 'false'
   'kubeconfig': '{{ kube_config.kubelet }}'
-  'node-labels': '{%  if "controlplane" in group_names %},node-role.kubernetes.io/master=
-                  {%-   if not kubelet_master_only|bool %},node-role.kubernetes.io/node={% endif %}
-                  {%- else %}node-role.kubernetes.io/node=
+  'node-labels': '{%  if "controlplane" in group_names %},node-role.kubernetes.io/master
+                  {%-   if not kubelet_master_only|bool %},node-role.kubernetes.io/node{% endif %}
+                  {%- else %}node-role.kubernetes.io/node
                   {%- endif %}'
   'node-ip': '{{ prefered_iface }}'
   'pod-infra-container-image': '{{ images.pause.name }}:{{ images.pause.version }}'

provisioning/roles/rok.kube-node/kubelet/templates/kubelet-config.yml

@@ -0,0 +1,18 @@
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    enabled: true
+  x509:
+    clientCAFile: "/var/lib/kubernetes/ca.pem"
+authorization:
+  mode: Webhook
+clusterDomain: "cluster.local"
+clusterDNS:
+  - "10.32.0.10"
+podCIDR: "${POD_CIDR}"
+runtimeRequestTimeout: "15m"
+tlsCertFile: "/var/lib/kubelet/${HOSTNAME}.pem"
+tlsPrivateKeyFile: "/var/lib/kubelet/${HOSTNAME}-key.pem"

provisioning/roles/rok.kube-node/kubelet/templates/kubelet-systemd.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://github.com/kubernetes/kubernetes
+After=containerd.service
+Requires=containerd.service
+
+[Service]
+ExecStart=/usr/local/bin/kubelet \\
+  --config=/var/lib/kubelet/kubelet-config.yaml \\
+  --container-runtime=remote \\
+  --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
+  --image-pull-progress-deadline=2m \\
+  --kubeconfig=/var/lib/kubelet/kubeconfig \\
+  --network-plugin=cni \\
+  --register-node=true \\
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target