Cleanup and reorganize vars by environment

2025-12-25 05:36:59 +01:00 · 2019-04-09 02:43:15 +02:00 · 2019-04-09 02:43:15 +02:00 · f34742ddea
commit f34742ddea
parent 51fb76ffb6
38 changed files with 43 additions and 925 deletions
--- a/group_vars/all/traefik-account
+++ b/group_vars/all/traefik-account
@ -1,7 +0,0 @@
 traefik_serviceaccount: |
  ---
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: traefik-ingress-controller
    namespace: kube-system
--- a/group_vars/all/traefik-daemonset
+++ b/group_vars/all/traefik-daemonset
@ -1,101 +0,0 @@
 traefik_daemonset: |
  ---
  kind: DaemonSet
  apiVersion: apps/v1
  metadata:
    name: traefik-ingress-controller
    namespace: kube-system
    labels:
      k8s-app: traefik-ingress-lb
  spec:
    selector:
      matchLabels:
        k8s-app: traefik-ingress-lb
    updateStrategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          k8s-app: traefik-ingress-lb
          name: traefik-ingress-lb
      spec:
        serviceAccountName: traefik-ingress-controller
        terminationGracePeriodSeconds: 60
        hostNetwork: true
        dnsPolicy: ClusterFirstWithHostNet
        containers:
        - image: traefik:v1.7-alpine
          name: traefik-ingress-lb
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /ping
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
          readinessProbe:
            failureThreshold: 2
            httpGet:
              path: /ping
              port: 8080
              scheme: HTTP
            periodSeconds: 5
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
            limits:
              memory: "64Mi"
              cpu: "250m"
          ports:
          - name: http
            containerPort: 80
            hostPort: 80
          - name: https
            containerPort: 443
            hostPort: 443
          - name: admin
            containerPort: 8080
          securityContext:
            privileged: true
          volumeMounts:
          - name: tls
            mountPath: {{k8s_conf_dir}}
            readOnly: true
          args:
          - --checknewversion=false
          - --loglevel=INFO
          - --defaultentrypoints=http,https
          - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
          - --entrypoints=Name:https Address::443 TLS
          - --etcd=true
          - --etcd.prefix=/traefik
          - --etcd.watch=true
          - --etcd.endpoint={{groups.k8s_etcd|first}}:2379
          - --etcd.tls=true
          - --etcd.tls.ca={{k8s_conf_dir}}/ca-etcd.pem
          - --etcd.tls.cert={{k8s_conf_dir}}/cert-etcd.pem
          - --etcd.tls.key={{k8s_conf_dir}}/cert-etcd-key.pem
          - --etcd.useapiv3=true
          - --kubernetes=true
          - --kubernetes.watch=true
          - --kubernetes.namespaces=default
          - --web=true
          - --web.readonly
          - --web.address=:8080
          - --acme=true
          - --acme.acmelogging=true
          - --acme.caserver=https://acme-staging.api.letsencrypt.org/directory
          - --acme.entrypoint=https
          - --acme.httpchallenge=true
          - --acme.httpChallenge.entryPoint=http
          - --acme.email=letsencrypt.account@banditlair.com
          - --acme.onhostrule
          - --acme.storage=/traefik/acme/account
        volumes:
          - name: tls
            secret:
              secretName: traefik-etcd
--- a/group_vars/all/traefik-role
+++ b/group_vars/all/traefik-role
@ -1,40 +0,0 @@
 traefik_clusterrole: |
  ---
  kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: traefik-ingress-controller
  rules:
    - apiGroups:
        - ""
      resources:
        - services
        - endpoints
        - secrets
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - extensions
      resources:
        - ingresses
      verbs:
        - get
        - list
        - watch
 traefik_clusterrolebinding: |
  ---
  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: traefik-ingress-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: traefik-ingress-controller
  subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -1,6 +1,8 @@
 ---
 ansible_python_interpreter: /usr/bin/python3
 kubeadm_enabled: true
 harden_linux_root_password: "{{k8s_scaleway_root_password}}"
 harden_linux_deploy_user: deploy
 harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
@ -23,4 +25,3 @@ harden_linux_sshguard_whitelist:
  - "212.83.165.111"
  - "10.3.0.0/24"
  - "10.200.0.0/16"
--- a/group_vars/k8s
+++ b/group_vars/k8s
@ -1,19 +0,0 @@
 ---
 ansible_user: root
 ansible_port: 22
 dashboard_subdomain: dashboard
 scaleway_ipaddr: 51.158.77.6
 scaleway_reverse_ipaddr: k8s.banditlair.com
 harden_linux_sshd_settings_user:
  "^Port ": "Port 22"
 harden_linux_ufw_rules:
  - rule: "allow"
    to_port: "22"
    protocol: "tcp"
  - rule: "allow"
    to_port: "7000"
    protocol: "udp"
 docker_version: 17.03.*
--- a/inventories/test/group_vars/all.yml
+++ b/inventories/test/group_vars/all.yml
@ -1,8 +1,9 @@
 ---
-kubeadm_enabled: true
+ip: "{{vpn_ip}}"
 kube_network_plugin: flannel
 bin_dir: /usr/local/bin
 kube_api_anonymous_auth: true
 skip_non_kubeadm_warning: false
 helm_enabled: true
 ingress_nginx_enabled: true
 ingress_nginx_host_network: true
 ingress_nginx_nodeselector:
--- a/group_vars/k8s_masters
+++ b/group_vars/k8s_masters
@ -1,2 +0,0 @@
 ---
 vpn_ip: 192.168.66.{{ 10 +( inventory_hostname|regex_replace('\D+','')|int) }}
--- a/group_vars/k8s_proxy
+++ b/group_vars/k8s_proxy
@ -1,3 +0,0 @@
 ---
 vpn_ip: 192.168.66.{{ 0 +(inventory_hostname|regex_replace('\D+','')|int) }}
 keepalived_ip: "192.168.66.254"
--- a/group_vars/k8s_workers
+++ b/group_vars/k8s_workers
@ -1,2 +0,0 @@
 ---
 vpn_ip: 192.168.66.{{ 100 +( inventory_hostname|regex_replace('\D+','')|int) }}
--- a/inventories/test/group_vars/kube-master.yml
+++ b/inventories/test/group_vars/kube-master.yml
--- a/inventories/test/group_vars/kube-node.yml
+++ b/inventories/test/group_vars/kube-node.yml
--- a/inventories/prod/group_vars/k8s-cluster.yml
+++ b/inventories/prod/group_vars/k8s-cluster.yml
@ -0,0 +1,3 @@
 ---
 cluster_name: banditlair
 dns_domain: banditlair.com
--- a/inventories/prod/groups
+++ b/inventories/prod/groups
@ -0,0 +1,17 @@
 [prod-master]
 [prod-etcd]
 [prod-node]
 [kube-master:children]
 prod-master
 [etcd:children]
 prod-etcd
 [kube-node:children]
 prod-node
 [k8s-cluster:children]
 kube-master
 etcd
 kube-node
--- a/inventories/prod/scaleway_inventory.yml
+++ b/inventories/prod/scaleway_inventory.yml
@ -0,0 +1,12 @@
 plugin: scaleway
 hostnames:
  - hostname
 regions:
  - par1
  - ams1
 tags:
  - prod-master
  - prod-etcd
  - prod-node
 variables:
  ansible_host: public_ip.address
--- a/inventories/test/group_vars/k8s-cluster.yml
+++ b/inventories/test/group_vars/k8s-cluster.yml
@ -1,6 +1,3 @@
 ---
-ip: "{{vpn_ip}}"
+cluster_name: banditlair-test
-kube_network_plugin: flannel
+dns_domain: test.k8s.banditlair.com
 bin_dir: /usr/local/bin
 cluster_name: banditlair-staging
 dns_domain: staging.k8s.banditlair.com
--- a/k8s.yml
+++ b/k8s.yml
@ -5,7 +5,7 @@
      tags: tinc
 - name: Include kubespray tasks
-  import_playbook: kubespray/cluster.yml
+  import_playbook: kubespray.yml
 # - hosts: k8s_proxy:k8s_masters:k8s_workers
 #   roles:
--- a/kubespray.yml
+++ b/kubespray.yml
@ -0,0 +1 @@
 kubespray/cluster.yml
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@ -1,13 +0,0 @@
 etcd_name: "etcd_{{ ansible_hostname }}"
 #etcd_advertise_client_urls: "http://{{ ansible_hostname }}:2379"
 etcd_advertise_client_urls: "http://{{ vpn_ip }}:2379"
 #etcd_listen_client_urls: 'http://{{ ansible_hostname }}:2379,http://127.0.0.1:2379'
 etcd_listen_client_urls: 'http://{{ vpn_ip }}:2379,http://127.0.0.1:2379'
 #etcd_initial_advertise_peer_urls: "http://{{ ansible_hostname }}:2380"
 etcd_initial_advertise_peer_urls: "http://{{ vpn_ip }}:2380"
 #etcd_listen_peer_urls: "http://{{ ansible_hostname }}:2380"
 etcd_listen_peer_urls: "http://{{ vpn_ip }}:2380"
 # Create the list of initial cluster by using a template lookup
 etcd_initial_cluster: "{{ lookup('template', 'templates/initial_cluster.j2') | replace('\n', '')}}"
 etcd_initial_cluster_token: "token_{{ hostvars[initial_master]['ansible_hostname'] }}"
 etcd_initial_cluster_state: "new"
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@ -1,29 +0,0 @@
 ---
 - name: etcd replicated and outiside of kubeadm when multimasters
  block:
    - name: Running etcd container on masters nodes
      docker_container:
        name: etcd
        image: "quay.io/coreos/etcd:v{{etcd_version}}"
        state: started
        detach: True
        ports:
          - "0.0.0.0:2380:2380"
          - "0.0.0.0:2379:2379"
        command: [
          "etcd",
          "--name {{ etcd_name }}",
          "--initial-advertise-peer-urls {{ etcd_initial_advertise_peer_urls }}",
          "--listen-peer-urls {{ etcd_listen_peer_urls }}",
          "--advertise-client-urls {{ etcd_advertise_client_urls }}",
          "--listen-client-urls {{ etcd_listen_client_urls }}",
          "--initial-cluster {{ etcd_initial_cluster }}",
          "--initial-cluster-state {{ etcd_initial_cluster_state }}",
          "--initial-cluster-token {{ etcd_initial_cluster_token }}"
        ]
        network_mode: host
        restart_policy: always
  when:
    - groups.k8s_masters|length > 1
--- a/roles/etcd/templates/initial_cluster.j2
+++ b/roles/etcd/templates/initial_cluster.j2
@ -1 +0,0 @@
 {% for svrs in ['k8s_masters'] %}{% for host in groups[svrs] %}etcd_{{ hostvars[host].ansible_hostname }}=http://{{ hostvars[host].vpn_ip }}:2380{% if not loop.last %},{% endif %}{% endfor %}{% endfor %}
--- a/roles/kubernetes/defaults/main.yml
+++ b/roles/kubernetes/defaults/main.yml
@ -1,24 +0,0 @@
 ---
 # Kubernetes
 kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
 kubernetes_apt_channel: main
 kubernetes_release: xenial
 kubernetes_version: 1.11.3
 kubernetes_version_apt: "{{kubernetes_version}}-00"
 kubernetes_port: 6443
 # kubeadm
 kubeadm_ignore_preflight_errors: ""
 kubelet_fail_swap_on: True
 # Flannel
 cni_version: v0.10.0
 # these will determine the number of pods you can run
 # cirdr should be at least /16 https://kubernetes.io/docs/admin/kubeadm/
 pod_subnet: 10.244.0.0/16
 # floating balanced ip for k8s api
 api_floating_ip: 192.168.66.253
 api_floating_mask: 24
 api_floating_port: 6443
 router_id: 66
--- a/roles/kubernetes/handlers/main.yml
+++ b/roles/kubernetes/handlers/main.yml
@ -1,6 +0,0 @@
 ---
 - name: reload systemd
  command: systemctl daemon-reload
 - name: restart kubelet
  command: systemctl restart kubelet
--- a/roles/kubernetes/tasks/cni.yml
+++ b/roles/kubernetes/tasks/cni.yml
@ -1,40 +0,0 @@
 ---
 # flannel deployment
 - name: Checking if flannel exists
  shell: "ip link | awk '$2 ~ /^(flannel|cni)/ { print $0 }' | wc -l | awk '{ print $1 }'"
  register: cni_deployment
  changed_when: False
  check_mode: False
 - block:
    - name: Determine physical interface to use with cni
      shell: "ip route get 169.254.42.42 | head -n1 | sed -E 's/.+ dev ([^ ]+).+/\\1/'"
      register: cni_interface
      changed_when: False
      check_mode: False
      failed_when: "cni_interface.stdout is not match('^[a-z][a-z0-9]+$')"
    - name: Create directories
      file:
        path: "{{ item }}"
        state: directory
        mode: 0755
      with_items:
        - /etc/kube-flannel
        - /etc/cni/net.d
        - /opt/cni/bin
    - template:
        src: kube-flannel.yml.j2
        dest: /tmp/kube-flannel.yml
    - name: Configure cni
      shell: "kubectl apply -f /tmp/kube-flannel.yml"
      register: cni_output
      # flannel has trouble unless we restart the kubelet service
      # we'll flush_handlers later
      notify: restart kubelet
    - debug: var="cni_output"
  when: "cni_deployment.stdout != '2'"
--- a/roles/kubernetes/tasks/docker-images.yml
+++ b/roles/kubernetes/tasks/docker-images.yml
@ -1,14 +0,0 @@
 ---
 - name: Pull docker images
  docker_image: name="{{ item }}"
  with_items:
    - "k8s.gcr.io/kube-apiserver-{{ kube_arch }}:{{ kubernetes_version }}"
    - "k8s.gcr.io/kube-controller-manager-{{ kube_arch }}:{{ kubernetes_version }}"
    - "k8s.gcr.io/kube-proxy-{{ kube_arch }}:{{ kubernetes_version }}"
    - "k8s.gcr.io/kube-scheduler-{{ kube_arch }}:{{ kubernetes_version }}"
    - "k8s.gcr.io/pause-{{ kube_arch }}:3.1"
    - "quay.io/coreos/flannel:{{ cni_version }}-{{ kube_arch }}"
 - name: Pull etcd if not multimaster
  docker_image: name="k8s.gcr.io/etcd-{{ kube_arch }}:{{ etcd_version }}"
  when: groups.k8s_masters | length == 1
--- a/roles/kubernetes/tasks/keepalived.yml
+++ b/roles/kubernetes/tasks/keepalived.yml
@ -1,31 +0,0 @@
 ---
 - name: Creating /etc/keepalived on master nodes
  file:
    path: /etc/keepalived
    state: directory
 - name: Templating /etc/keepalived/keepalived.conf
  template:
    src: keepalived.conf.j2
    dest: /etc/keepalived/keepalived.conf
 - name: Running keepalived container on masters nodes
  docker_container:
    name: keepalived_api
    image: "chmod666/keepalived:latest"
    state: started
    detach: True
    volumes:
      - /etc/keepalived/keepalived.conf:/usr/local/etc/keepalived/keepalived.conf
    capabilities:
      - NET_ADMIN
    network_mode: host
    restart_policy: always
 - name: Wait for keepalived to be started
  shell: 'docker ps | grep chmod666/keepalived | grep "Up"'
  register: result
  until: result.stdout.find("chmod666/keepalived") != -1
  retries: 18
  delay: 10
  changed_when: no
--- a/roles/kubernetes/tasks/kubeadm-config.yml
+++ b/roles/kubernetes/tasks/kubeadm-config.yml
@ -1,29 +0,0 @@
 ---
 # generating the kubeadm config file only on master nodes
 - name: Creating kubeadm_config file
  template:
    src: kubeadm-config.j2
    dest: /tmp/kubeadm_config
  when:
    - groups.k8s_masters | length > 1
    - "'k8s_masters' in group_names"
 # KUBELET_EXTRA_ARGS
 - name: Additional configuration
  template:
    src: local-extras.conf.j2
    dest: /etc/systemd/system/kubelet.service.d/90-local-extras.conf
    mode: 0640
  when:
    - "kubelet_fail_swap_on == False"
  notify:
    - reload systemd
    - restart kubelet
 - meta: flush_handlers
 - name: Creating .kube file in $HOME
  file:
    path: ~/.kube
    state: directory
  when: "'k8s_masters' in group_names"
--- a/roles/kubernetes/tasks/kubeadm-master.yml
+++ b/roles/kubernetes/tasks/kubeadm-master.yml
@ -1,59 +0,0 @@
 ---
 # we get kubectl output to check if we have to add the node or not
 # errors are ignored in case of the first initialization on the first master
 - name: Getting kubectl output
  shell: "kubectl get nodes"
  register: kubectl_output
  changed_when: False
  check_mode: False
  failed_when: kubectl_output.rc != 0 and not 'did you specify the right host' in kubectl_output.stderr
 - block:
    - name: Kubeadm init on first master in multimaster cluster
      shell: |
        kubeadm init \
          --config /tmp/kubeadm_config
          {%- if kubeadm_ignore_preflight_errors | length > 0 %} \
            --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors }}
          {% endif %}
      register: kubeadm_output
      failed_when: "'Your Kubernetes master has initialized successfully' not in kubeadm_output.stdout"
      when: groups.k8s_masters | length > 1
    - name: Kubeadm init on sole master
      shell: |
        kubeadm init \
          --apiserver-advertise-address={{ vpn_ip }} \
          --pod-network-cidr={{ pod_subnet }} \
          --kubernetes-version {{ kubernetes_version }}
          {%- if kubeadm_ignore_preflight_errors | length > 0 %} \
            --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors }}
          {% endif %}
      # flannel has trouble unless we restart the kubelet service
      notify: restart kubelet
      when:
        - groups.k8s_masters | length == 1
        - inventory_hostname == initial_master
    - name: Kubeadm output
      debug: var=kubeadm_output
  when: ansible_hostname not in kubectl_output.stdout
 - name: Copying /etc/kubernetes/admin.conf to ~/.kube/config
  copy:
    src: /etc/kubernetes/admin.conf
    dest: ~/.kube/config
    remote_src: yes
 - include: cni.yml
 - name: Wait for master to be ready
  shell: "kubectl get nodes $(hostname) | tail -n+2 | awk '{ print $2 }'"
  register: result
  until: result.stdout.find("Ready") == 0
  retries: 36
  delay: 10
  changed_when: no
 - meta: flush_handlers
--- a/roles/kubernetes/tasks/kubeadm-multi.yml
+++ b/roles/kubernetes/tasks/kubeadm-multi.yml
@ -1,40 +0,0 @@
 ---
 - name: Distribute /etc/kubernetes/pki to other masters
  synchronize:
    src: /etc/kubernetes/pki/
    dest: /etc/kubernetes/pki/
    recursive: True
  delegate_to: "{{ initial_master }}"
  # forward ssh agent by preserving environment variables with sudo
  become_flags: "-E"
 - block:
    - name: Initializing other masters
      shell: |
        kubeadm init \
          --config /tmp/kubeadm_config
          {%- if kubeadm_ignore_preflight_errors | length > 0 %} \
            --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors }}
          {% endif %}
      register: kubeadm_output
      failed_when: "'Your Kubernetes master has initialized successfully' not in kubeadm_output.stdout"
    - name: Kubeadm output
      debug: var=kubeadm_output
  when: ansible_hostname not in hostvars[initial_master]['kubectl_output'].stdout
 # fixing kubectl
 - name: kubectl config
  copy:
    src: /etc/kubernetes/kubelet.conf
    dest: /root/.kube/config
    remote_src: True
 - name: Wait for master to be ready
  shell: "kubectl get nodes $(hostname) | tail -n+2 | awk '{ print $2 }'"
  register: result
  until: result.stdout.find("Ready") == 0
  retries: 36
  delay: 10
  changed_when: no
--- a/roles/kubernetes/tasks/kubeadm-token.yml
+++ b/roles/kubernetes/tasks/kubeadm-token.yml
@ -1,26 +0,0 @@
 ---
 - block:
    - name: Get an existing kubeadm join token
      shell: |
        kubeadm token list 2>/dev/null \
          | awk '$4 == "authentication,signing" { print $1 }' \
          | head -n1
      register: kubeadm_token_list
      changed_when: False
      check_mode: False
      failed_when: False
    - name: Generate a new kubeadm token
      shell: "kubeadm token create 2>/dev/null || kubeadm token generate"
      register: kubeadm_token_create
      when: kubeadm_token_list.stdout | length == 0
    - set_fact:
        kubeadm_token: |-
          {%- if kubeadm_token_list.stdout | length > 0 -%}
            {{ kubeadm_token_list.stdout }}
          {%- else -%}
            {{ kubeadm_token_create.stdout }}
          {%- endif -%}
  when: kubeadm_token|default('') | length == 0
--- a/roles/kubernetes/tasks/kubeadm-worker.yml
+++ b/roles/kubernetes/tasks/kubeadm-worker.yml
@ -1,32 +0,0 @@
 ---
 - name: Checking if kube-proxy is Running
  shell: "ps -ef | grep [k]ube-proxy"
  register: kube_proxy_running
  ignore_errors: True
  changed_when: no
 - block:
    - name: Joining cluster on other nodes
      shell: |
        kubeadm join \
          --token="{{ hostvars[initial_master].kubeadm_token }}" \
          {{ item.ipv4 }}:{{ item.port }} \
          {%- if kubeadm_ignore_preflight_errors | length > 0 %}
            --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors }} \
          {% endif %}
          --discovery-token-unsafe-skip-ca-verification
      register: kubeadm_output
      failed_when: "'This node has joined the cluster' not in kubeadm_output.stdout"
      when: item.when | bool == True
      with_items:
        - ipv4: "{{ api_floating_ip }}"
          port: "{{ api_floating_port }}"
          when: "{{ groups.k8s_masters | length > 1 }}"
        - ipv4: "{{ hostvars[initial_master].vpn_ip  }}"
          port: 6443
          when: "{{ groups.k8s_masters | length == 1 }}"
    - name: Kubeadm output
      debug: var=kubeadm_output
  when: "'/usr/local/bin/kube-proxy' not in kube_proxy_running.stdout"
--- a/roles/kubernetes/tasks/main.yml
+++ b/roles/kubernetes/tasks/main.yml
@ -1,67 +0,0 @@
 ---
 - set_fact: kube_arch="{{ ansible_architecture | replace('x86_64', 'amd64') | replace('arm', 'armhf') }}"
 - include: modules.yml
 - include: keepalived.yml
  when:
  - "'k8s_masters' in group_names"
  - groups.k8s_masters | length > 1
 - name: Check all hosts can ping API floating IP
  shell: "ping {{ api_floating_ip }} -c 1"
  register: result
  until: ('100% packet loss' not in result.stdout)
  retries: 15
  delay: 10
  changed_when: no
 - include: packages.yml
 - include: kubeadm-token.yml
  when: inventory_hostname == initial_master
 - include: kubeadm-config.yml
 # add masters
 - block:
    # docker-in-docker sometimes hangs pulling images so explicitly do it here
    #- include: docker-images.yml
    - include: kubeadm-master.yml
      when: inventory_hostname == initial_master
    # then we create the other masters
    - include: kubeadm-multi.yml
      when: inventory_hostname != initial_master
  when: "'k8s_masters' in group_names"
 - name: Wait for coredns to be running
  shell: "kubectl get pods --namespace=kube-system | grep coredns | grep Running | wc -l"
  register: result
  until: ("2" in result.stdout)
  retries: 180
  delay: 10
  changed_when: no
  when: inventory_hostname == initial_master
 - include: kubeadm-token.yml
  when: inventory_hostname == initial_master
 # add non masters
 - include: kubeadm-worker.yml
  when: "'k8s_masters' not in group_names"
 # remove this wait and had a test to check all nodes are ready
 - name: Wait for all nodes to be ready
  shell: "kubectl get nodes {{ ansible_hostname }} | tail -n+2 | awk '{ print $2 }'"
  register: result
  until: ("Ready" in result.stdout)
  retries: 36
  delay: 10
  changed_when: no
  delegate_to: "{{ initial_master }}"
 - debug: var=result
--- a/roles/kubernetes/tasks/modules.yml
+++ b/roles/kubernetes/tasks/modules.yml
@ -1,30 +0,0 @@
 ---
 - name: Get the kernel revision
  shell: "uname -r"
  register: kernel
  changed_when: False
  check_mode: False
 # allow failure as the package may not exist
 - name: Try install linux-image
  apt:
    state: present
    name: "{{ 'linux-image-' + kernel.stdout }}"
  register: result
  failed_when: False
 - name: modprobe
  modprobe:
    name: "{{ item }}"
    state: present
  with_items:
  - ip_vs
  - nf_conntrack_ipv4
 - name: /etc/modules
  lineinfile:
    path: /etc/modules
    line: "{{ item }}"
  with_items:
    - ip_vs
    - nf_conntrack_ipv4
--- a/roles/kubernetes/tasks/packages.yml
+++ b/roles/kubernetes/tasks/packages.yml
@ -1,18 +0,0 @@
 ---
 - name: Adding Kubernetes official gpg key
  apt_key:
    url: "{{ kubernetes_apt_key }}"
    state: present
 - name: Adding Kubernetes repository
  apt_repository:
    repo: "deb http://apt.kubernetes.io/ kubernetes-{{ kubernetes_release }} {{ kubernetes_apt_channel }}"
    state: present
    filename: 'kubernetes'
 - name: Installing kubernetes core components (kubectl, kubelet ...)
  apt:
    name: ['kubelet={{kubernetes_version_apt}}', 'kubeadm={{kubernetes_version_apt}}', 'kubectl={{kubernetes_version_apt}}']
  register: result
  retries: 3
  until: result is success
--- a/roles/kubernetes/templates/keepalived.conf.j2
+++ b/roles/kubernetes/templates/keepalived.conf.j2
@ -1,56 +0,0 @@
 global_defs {
  default_interface {{vpn_interface}}
 }
 vrrp_instance VI_1 {
  interface {{vpn_interface}}
  track_interface {
    {{vpn_interface}}
  }
 {% if inventory_hostname == initial_master %}
  state MASTER
  priority 100
 {% else %}
  state BACKUP
  priority 50
 {% endif %}
  virtual_router_id {{ router_id }}
  nopreempt
  unicast_peer {
 {% for host in groups['k8s_masters'] %}
    {{ hostvars[host]['vpn_ip'] }}
 {% endfor %}
  }
  virtual_ipaddress {
    {{ api_floating_ip }}/{{ api_floating_mask }}
  }
  authentication {
    auth_type PASS
    auth_pass d0cker
  }
  notify "/container/service/keepalived/assets/notify.sh"
 }
 virtual_server {{ api_floating_ip }} {{ api_floating_port }} {
    delay_loop 10
    protocol TCP
    lb_algo rr
    # Use direct routing
    lb_kind DR
    persistence_timeout 7200
 {% for host in groups['k8s_masters'] %}
    real_server {{ hostvars[host]['vpn_ip'] }} {{ api_floating_port }} {
        weight 1
        TCP_CHECK {
          connect_timeout 5
          connect_port 6443
        }
    }
 {% endfor %}
 }
--- a/roles/kubernetes/templates/keepalived.yml.j2
+++ b/roles/kubernetes/templates/keepalived.yml.j2
@ -1,36 +0,0 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: keepalived
  namespace: kube-system
 spec:
  hostNetwork: true
  volumes:
    - hostPath:
        path: /etc/keepalived/keepalived.conf
        type: File
      name: keepalived-config
  containers:
  - name: keepalived
    image: chmod666/keepalived:latest
    # if tag is latest imagePullPolicy is always
    # but when keepalived is backup a proxy may have no connection to the internet
    # to avoid keepalived not starting in that case, we're putting imagePullPolicy: IfNotPresent
    # assuming the image was already be pulled at cluster creation. Neat.
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: "/usr/local/etc/keepalived/keepalived.conf"
        name: keepalived-config
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
    #env:
    #  - name: KEEPALIVED_INTERFACE
    #    value: tun0
    #  - name: KEEPALIVED_UNICAST_PEERS
    #    value: "#PYTHON2BASH:['{{ groups['masters'] | map('extract', hostvars, ['vpn_ip']) | join("', '") }}']"
    #  - name: KEEPALIVED_VIRTUAL_IPS
    #    value: "#PYTHON2BASH:['{{ api_floating_ip }}/{{ api_floating_mask }}']"
    #  - name: KEEPALIVED_PRIORITY
    #    value: "{{ groups['masters'].index(inventory_hostname) + 1 }}"
--- a/roles/kubernetes/templates/kube-flannel.yml.j2
+++ b/roles/kubernetes/templates/kube-flannel.yml.j2
@ -1,160 +0,0 @@
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: flannel
 rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: flannel
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
 subjects:
 - kind: ServiceAccount
  name: flannel
  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: flannel
  namespace: kube-system
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
 data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
 spec:
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/arch: {{ kube_arch }}
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:{{ cni_version }}-{{ kube_arch }}
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:{{ cni_version }}-{{ kube_arch }}
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        - --iface={{ cni_interface.stdout | trim }}
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: true
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
        - name: run
          hostPath:
            path: /run
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg
--- a/roles/kubernetes/templates/kubeadm-config.j2
+++ b/roles/kubernetes/templates/kubeadm-config.j2
@ -1,27 +0,0 @@
 apiVersion: kubeadm.k8s.io/v1alpha2
 kind: MasterConfiguration
 api:
  advertiseAddress: {{ api_floating_ip if groups.k8s_masters | length > 1 else hostvars[initial_master].vpn_ip }}
 etcd:
  external:
    endpoints:
 {% for host in groups['k8s_masters'] %}
    - "http://{{ hostvars[host]['vpn_ip'] }}:2379"
 {% endfor %}
 networking:
  podSubnet: "{{ pod_subnet }}"
 kubernetesVersion: "v{{ kubernetes_version }}"
 apiServerCertSANs:
 {% for host in groups['k8s_masters'] %}
 - "{{ hostvars[host]['vpn_ip'] }}"
 {% endfor %}
 - "{{ api_floating_ip }}"
 - "127.0.0.1"
 bootstrapTokens:
 - groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: "{{ hostvars[initial_master].kubeadm_token }}"
  ttl: 0s
  usages:
  - signing
  - authentication
--- a/roles/kubernetes/templates/local-extras.conf.j2
+++ b/roles/kubernetes/templates/local-extras.conf.j2
@ -1,2 +0,0 @@
 [Service]
 Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false"
		`@ -1,2 +0,0 @@`
			`---`
			`vpn_ip: 192.168.66.{{ 10 +( inventory_hostname\|regex_replace('\D+','')\|int) }}`
		`@ -1,2 +0,0 @@`
			`---`
			`vpn_ip: 192.168.66.{{ 100 +( inventory_hostname\|regex_replace('\D+','')\|int) }}`
		`@ -1 +0,0 @@`
			`{% for svrs in ['k8s_masters'] %}{% for host in groups[svrs] %}etcd_{{ hostvars[host].ansible_hostname }}=http://{{ hostvars[host].vpn_ip }}:2380{% if not loop.last %},{% endif %}{% endfor %}{% endfor %}`
		`@ -1,2 +0,0 @@`
			`[Service]`
			`Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false"`