
Merge branch 'master' into node_dns_domain
Daniil Muidinov committed Nov 9, 2021
2 parents 2bca0cc + 801268d commit f2f1477
Showing 50 changed files with 364 additions and 87 deletions.
11 changes: 0 additions & 11 deletions .gitlab-ci/packet.yml
Expand Up @@ -39,8 +39,6 @@ packet_centos7-flannel-containerd-addons-ha:
extends: .packet_pr
stage: deploy-part2
when: on_success
variables:
MITOGEN_ENABLE: "true"
allow_failure: true

packet_centos8-crio:
Expand All @@ -52,8 +50,6 @@ packet_ubuntu18-crio:
extends: .packet_pr
stage: deploy-part2
when: manual
variables:
MITOGEN_ENABLE: "true"

packet_ubuntu16-canal-kubeadm-ha:
stage: deploy-part2
Expand Down Expand Up @@ -89,8 +85,6 @@ packet_debian10-containerd:
stage: deploy-part2
extends: .packet_pr
when: on_success
variables:
MITOGEN_ENABLE: "true"

packet_debian11-calico:
stage: deploy-part2
Expand Down Expand Up @@ -214,31 +208,26 @@ packet_centos7-weave-upgrade-ha:
when: on_success
variables:
UPGRADE_TEST: basic
MITOGEN_ENABLE: "false"

# Calico HA Wireguard
packet_ubuntu20-calico-ha-wireguard:
stage: deploy-part2
extends: .packet_pr
when: manual
variables:
MITOGEN_ENABLE: "true"

packet_debian9-calico-upgrade:
stage: deploy-part3
extends: .packet_pr
when: on_success
variables:
UPGRADE_TEST: graceful
MITOGEN_ENABLE: "false"

packet_debian9-calico-upgrade-once:
stage: deploy-part3
extends: .packet_periodic
when: on_success
variables:
UPGRADE_TEST: graceful
MITOGEN_ENABLE: "false"

packet_ubuntu18-calico-ha-recover:
stage: deploy-part3
4 changes: 0 additions & 4 deletions .gitlab-ci/terraform.yml
Expand Up @@ -146,10 +146,6 @@ tf-validate-upcloud:
OS_INTERFACE: public
OS_IDENTITY_API_VERSION: "3"
TF_VAR_router_id: "ab95917c-41fb-4881-b507-3a6dfe9403df"
# Since ELASTX is in Stockholm, Mitogen helps with latency
MITOGEN_ENABLE: "false"
# Mitogen doesn't support interpreter discovery yet
ANSIBLE_PYTHON_INTERPRETER: "/usr/bin/python3"

tf-elastx_cleanup:
stage: unit-tests
4 changes: 3 additions & 1 deletion Makefile
@@ -1,5 +1,7 @@
mitogen:
ansible-playbook -c local mitogen.yml -vv
@echo Mitogen support is deprecated.
@echo Please run the following command manually:
@echo ansible-playbook -c local mitogen.yml -vv
clean:
rm -rf dist/
rm *.retry
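Review bot: Anything that still runs `make mitogen` will now succeed without the playbook having run, because the rewritten recipe exits zero after the three deprecation echoes. If the target is kept for discoverability, ending it with `@exit 1` would make scripts and CI jobs notice the change, or a comment above `mitogen:` should state that it is intentionally a no-op. The echoed command matches the one the recipe used to run, which is what a reader needs to migrate.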
1 change: 0 additions & 1 deletion ansible.cfg
Expand Up @@ -3,7 +3,6 @@ pipelining=True
ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
#control_path = ~/.ssh/ansible-%%r@%%h:%%p
[defaults]
strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
# https://github.com/ansible/ansible/issues/56930 (to ignore group names with - and .)
force_valid_group_names = ignore

Expand Up @@ -5,7 +5,7 @@
changed_when: false

- name: "Kubernetes Apps | Deploy cluster role binding."
when: "clusterrolebinding_state.stdout | length > 0"
when: "clusterrolebinding_state.stdout | length == 0"
command: "{{ bin_dir }}/kubectl create clusterrolebinding heketi-gluster-admin --clusterrole=edit --serviceaccount=default:heketi-service-account"

- name: Get clusterrolebindings again
Expand All @@ -31,7 +31,7 @@
mode: 0644

- name: "Deploy Heketi config secret"
when: "secret_state.stdout | length > 0"
when: "secret_state.stdout | length == 0"
command: "{{ bin_dir }}/kubectl create secret generic heketi-config-secret --from-file={{ kube_config_dir }}/heketi.json"

- name: Get the heketi-config-secret secret again
Expand All @@ -41,5 +41,5 @@

- name: Make sure the heketi-config-secret secret exists now
assert:
that: "secret_state.stdout != \"\""
that: "secret_state.stdout | length > 0"
msg: "Heketi config secret is not present."
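Review bot: The corrected guard `when: "clusterrolebinding_state.stdout | length == 0"` (and the matching secret guard in the second hunk) treats any empty stdout as "object absent", so if the preceding lookup task tolerates a failed kubectl call (empty stdout with a non-zero rc), the `kubectl create` would run against an object that already exists and fail. The lookup tasks sit outside these hunks, so this is an inference; if they use `failed_when: false` or `ignore_errors`, the guard should also require success, e.g. `when: "clusterrolebinding_state.rc == 0 and clusterrolebinding_state.stdout | length == 0"`. The file header for this section is not visible on this page, so the task file's path cannot be confirmed here. The rewritten assert using `| length > 0` is consistent with the new guards.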
2 changes: 1 addition & 1 deletion docs/ansible.md
Expand Up @@ -251,7 +251,7 @@ For more information about Ansible and bastion hosts, read

## Mitogen

You can use [mitogen](/docs/mitogen.md) to speed up kubespray.
Mitogen support is deprecated, please see [mitogen related docs](/docs/mitogen.md) for useage and reasons for deprecation.

## Beyond ansible 2.9

14 changes: 14 additions & 0 deletions docs/cert_manager.md
Expand Up @@ -88,6 +88,20 @@ Certificates issued by public ACME servers are typically trusted by client’s c
- [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)

#### ACME With An Internal Certificate Authority

The ACME Issuer with an internal certificate authority requires cert-manager to trust the certificate authority. This trust must be done at the cert-manager deployment level.
To add a trusted certificate authority to cert-manager, add it's certificate to `group_vars/k8s-cluster/addons.yml`:

```yaml
cert_manager_trusted_internal_ca: |
-----BEGIN CERTIFICATE-----
[REPLACE with your CA certificate]
-----END CERTIFICATE-----
```

Once the CA is trusted, you can define your issuer normally.

### Create New TLS Root CA Certificate and Key

#### Install Cloudflare PKI/TLS `cfssl` Toolkit
17 changes: 17 additions & 0 deletions docs/mitogen.md
@@ -1,5 +1,7 @@
# Mitogen

*Warning:* Mitogen support is now deprecated in kubespray due to upstream not releasing an updated version to support ansible 4.x (ansible-base 2.11.x) and above. The CI support has been stripped for mitogen and we are no longer validating any support or regressions for it. The supporting mitogen install playbook and integration documentation will be removed in a later version.

[Mitogen for Ansible](https://mitogen.networkgenomics.com/ansible_detailed.html) allow a 1.25x - 7x speedup and a CPU usage reduction of at least 2x, depending on network conditions, modules executed, and time already spent by targets on useful work. Mitogen cannot improve a module once it is executing, it can only ensure the module executes as quickly as possible.

## Install
Expand All @@ -8,6 +10,21 @@
ansible-playbook mitogen.yml
```

Ensure to enable mitogen use by environment varialbles:

```ShellSession
export ANSIBLE_STRATEGY=mitogen_linear
export ANSIBLE_STRATEGY_PLUGINS=plugins/mitogen/ansible_mitogen/plugins/strategy
```

... or `ansible.cfg` setup:

```ini
[defaults]
strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
strategy=mitogen_linear
```

## Limitation

If you are experiencing problems, please see the [documentation](https://mitogen.networkgenomics.com/ansible_detailed.html#noteworthy-differences).
3 changes: 2 additions & 1 deletion docs/upgrades.md
Expand Up @@ -7,7 +7,8 @@ You can also individually control versions of components by explicitly defining
versions. Here are all version vars for each component:

* docker_version
* containerd_version
* docker_containerd_version (relevant when `container_manager` == `docker`)
* containerd_version (relevant when `container_manager` == `containerd`)
* kube_version
* etcd_version
* calico_version
5 changes: 3 additions & 2 deletions docs/vars.md
Expand Up @@ -18,7 +18,8 @@ Some variables of note include:
* *docker_version* - Specify version of Docker to used (should be quoted
string). Must match one of the keys defined for *docker_versioned_pkg*
in `roles/container-engine/docker/vars/*.yml`.
* *containerd_version* - Specify version of Containerd to use
* *containerd_version* - Specify version of containerd to use when setting `container_manager` to `containerd`
* *docker_containerd_version* - Specify which version of containerd to use when setting `container_manager` to `docker`
* *etcd_version* - Specify version of ETCD to use
* *ipip* - Enables Calico ipip encapsulation by default
* *kube_network_plugin* - Sets k8s network plugin (default Calico)
Expand Down Expand Up @@ -119,7 +120,7 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
``--insecure-registry=myregistry.mydomain:5000``
* *docker_plugins* - This list can be used to define [Docker plugins](https://docs.docker.com/engine/extend/) to install.
* *containerd_default_runtime* - Sets the default Containerd runtime used by the Kubernetes CRI plugin.
* *containerd_runtimes* - Sets the Containerd runtime attributes used by the Kubernetes CRI plugin.
* *containerd_additional_runtimes* - Sets the additional Containerd runtimes used by the Kubernetes CRI plugin.
[Default config](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/container-engine/containerd/defaults/main.yml) can be overriden in inventory vars.
* *http_proxy/https_proxy/no_proxy/no_proxy_exclude_workers/additional_no_proxy* - Proxy variables for deploying behind a
proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
17 changes: 17 additions & 0 deletions inventory/sample/group_vars/k8s_cluster/addons.yml
Expand Up @@ -129,6 +129,10 @@ ingress_alb_enabled: false
# Cert manager deployment
cert_manager_enabled: false
# cert_manager_namespace: "cert-manager"
# cert_manager_trusted_internal_ca: |
# -----BEGIN CERTIFICATE-----
# [REPLACE with your CA certificate]
# -----END CERTIFICATE-----

# MetalLB deployment
metallb_enabled: false
Expand Down Expand Up @@ -176,6 +180,19 @@ metallb_speaker_enabled: true
# peer_asn: 64513
# my_asn: 4200000000


argocd_enabled: false
# argocd_version: v2.1.6
# argocd_namespace: argocd
# Default password:
# - https://argoproj.github.io/argo-cd/getting_started/#4-login-using-the-cli
# ---
# The initial password is autogenerated to be the pod name of the Argo CD API server. This can be retrieved with the command:
# kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
# ---
# Use the following var to set admin password
# argocd_admin_password: "password"

# The plugin manager for kubectl
krew_enabled: false
krew_root_dir: "/usr/local/krew"
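Review bot: The commented example `# argocd_admin_password: "password"` at the end of the new ArgoCD stanza models a plaintext admin credential in a committed inventory file; a line above it such as `# Keep this in an ansible-vault encrypted vars file rather than committing it in plaintext` would steer users toward the safer pattern. The blank line added before `argocd_enabled: false` leaves two consecutive blank lines where the rest of the file uses one. The `cert_manager_trusted_internal_ca` example correctly uses a `|` block scalar for the PEM body, matching the docs change in this commit.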
16 changes: 9 additions & 7 deletions roles/container-engine/containerd/defaults/main.yml
Expand Up @@ -7,13 +7,15 @@ containerd_oom_score: 0
containerd_default_runtime: "runc"
# containerd_snapshotter: "native"

containerd_runtimes:
- name: runc
type: "io.containerd.runc.v2"
engine: ""
root: ""
options:
systemdCgroup: "true"
containerd_runc_runtime:
name: runc
type: "io.containerd.runc.v2"
engine: ""
root: ""
options:
systemCgroup: "true"

containerd_additional_runtimes: []
# Example for Kata Containers as additional runtime:
# - name: kata
# type: "io.containerd.kata.v2"
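Review bot: The runc options key changed from `systemdCgroup` to `systemCgroup` in the new `containerd_runc_runtime` default, and `roles/container-engine/containerd/tasks/facts.yml` in this commit uses the same spelling. The containerd CRI runc option is `SystemdCgroup`; as far as I know a key that does not match it is ignored by containerd's TOML decoding rather than rejected, which would leave runc on the cgroupfs driver while kubelet expects systemd. Unless the rename is intentional, restore the `d` in both places: `systemdCgroup: "true"` here and `{'options':{'systemdCgroup':'false'}}` in facts.yml. The Kata example comment below remains correct as an entry of `containerd_additional_runtimes`.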
6 changes: 6 additions & 0 deletions roles/container-engine/containerd/tasks/facts.yml
@@ -0,0 +1,6 @@
---

- name: set kubelet_config_extra_args options when cgroupfs is used
set_fact:
containerd_runc_runtime: "{{ containerd_runc_runtime | combine({'options':{'systemCgroup':'false'}}) }}"
when: not containerd_use_systemd_cgroup
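Review bot: `combine` is shallow by default, so `containerd_runc_runtime | combine({'options':{'systemCgroup':'false'}})` replaces the whole `options` mapping and silently drops any other runc option a user set in inventory; passing `recursive=True` keeps them, e.g. `containerd_runc_runtime: "{{ containerd_runc_runtime | combine({'options': {'systemCgroup': 'false'}}, recursive=True) }}"`. The task name `set kubelet_config_extra_args options when cgroupfs is used` names a different variable than the one being set; `containerd | Set runc cgroup option when cgroupfs is used` would match the `containerd | ...` naming used in tasks/main.yml. `containerd_use_systemd_cgroup` is referenced but not defined in this file; presumably a role default, which I cannot confirm from here.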
17 changes: 17 additions & 0 deletions roles/container-engine/containerd/tasks/main.yml
@@ -1,4 +1,8 @@
---
- import_tasks: facts.yml
tags:
- facts

- name: Fail containerd setup if distribution is not supported
fail:
msg: "{{ ansible_distribution }} is not supported by containerd."
Expand Down Expand Up @@ -57,6 +61,19 @@
- --strip-components=1
notify: restart containerd

- name: containerd | Remove orphaned binary
file:
path: "/usr/bin/{{ item }}"
state: absent
when: containerd_bin_dir != "/usr/bin"
ignore_errors: true # noqa ignore-errors
with_items:
- containerd
- containerd-shim
- containerd-shim-runc-v1
- containerd-shim-runc-v2
- ctr

- name: containerd | Generate systemd service for containerd
template:
src: containerd.service.j2
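Review bot: The guard `when: containerd_bin_dir != "/usr/bin"` on the new `containerd | Remove orphaned binary` task is a plain string comparison, so a value with a trailing slash such as `/usr/bin/` passes it and the task then deletes the binaries the role just installed into that same directory; the same pattern appears in `roles/container-engine/runc/tasks/main.yml` in this commit. Normalize before comparing, e.g. `when: (containerd_bin_dir | regex_replace('/+$', '')) != "/usr/bin"`. `ignore_errors: true` with its `noqa` on a `file: state: absent` task only hides genuine errors such as a permission problem; dropping it, or adding a comment stating the failure mode being tolerated, would make the intent clear. `with_items` could be `loop` for consistency with current Ansible style, but that is cosmetic.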
10 changes: 9 additions & 1 deletion roles/container-engine/containerd/templates/config.toml.j2
Expand Up @@ -22,7 +22,15 @@ oom_score = {{ containerd_oom_score }}
default_runtime_name = "{{ containerd_default_runtime | default('runc') }}"
snapshotter = "{{ containerd_snapshotter | default('overlayfs') }}"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
{% for runtime in containerd_runtimes %}
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.{{ containerd_runc_runtime.name }}]
runtime_type = "{{ containerd_runc_runtime.type }}"
runtime_engine = "{{ containerd_runc_runtime.engine}}"
runtime_root = "{{ containerd_runc_runtime.root }}"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.{{ containerd_runc_runtime.name }}.options]
{% for key, value in containerd_runc_runtime.options.items() %}
{{ key }} = {{ value }}
{% endfor %}
{% for runtime in containerd_additional_runtimes %}
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.{{ runtime.name }}]
runtime_type = "{{ runtime.type }}"
runtime_engine = "{{ runtime.engine }}"
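Review bot: The new runc options loop emits values verbatim with `{{ key }} = {{ value }}`, so a string-valued option such as a binary path would render as an unquoted TOML value and produce a config containerd rejects; only values that are already valid TOML literals work (the default `"true"` string becomes the bare `true`). A comment above the loop stating that option values must be TOML literals and that string values need their own embedded quotes would save the next maintainer a failed containerd start; the additional-runtimes loop below likely has the same behaviour, but its options rendering is outside this hunk. `{{ containerd_runc_runtime.engine}}` is missing the space before `}}` that the sibling lines have. The enclosing TOML table begins before this hunk.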
2 changes: 1 addition & 1 deletion roles/container-engine/docker/vars/debian-stretch.yml
Expand Up @@ -28,7 +28,7 @@ docker_cli_versioned_pkg:

docker_package_info:
pkgs:
- "{{ containerd_versioned_pkg[containerd_version | string] }}"
- "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
- "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
- "{{ docker_versioned_pkg[docker_version | string] }}"

2 changes: 1 addition & 1 deletion roles/container-engine/docker/vars/debian.yml
Expand Up @@ -30,7 +30,7 @@ docker_cli_versioned_pkg:

docker_package_info:
pkgs:
- "{{ containerd_versioned_pkg[containerd_version | string] }}"
- "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
- "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
- "{{ docker_versioned_pkg[docker_version | string] }}"

2 changes: 1 addition & 1 deletion roles/container-engine/docker/vars/fedora.yml
Expand Up @@ -30,6 +30,6 @@ docker_cli_versioned_pkg:
docker_package_info:
enablerepo: "docker-ce"
pkgs:
- "{{ containerd_versioned_pkg[containerd_version | string] }}"
- "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
- "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
- "{{ docker_versioned_pkg[docker_version | string] }}"
2 changes: 1 addition & 1 deletion roles/container-engine/docker/vars/redhat.yml
Expand Up @@ -33,6 +33,6 @@ docker_cli_versioned_pkg:
docker_package_info:
enablerepo: "docker-ce"
pkgs:
- "{{ containerd_versioned_pkg[containerd_version | string] }}"
- "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
- "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
- "{{ docker_versioned_pkg[docker_version | string] }}"
2 changes: 1 addition & 1 deletion roles/container-engine/docker/vars/ubuntu-16.yml
Expand Up @@ -29,7 +29,7 @@ docker_cli_versioned_pkg:

docker_package_info:
pkgs:
- "{{ containerd_versioned_pkg[containerd_version | string] }}"
- "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
- "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
- "{{ docker_versioned_pkg[docker_version | string] }}"

2 changes: 1 addition & 1 deletion roles/container-engine/docker/vars/ubuntu.yml
Expand Up @@ -30,7 +30,7 @@ docker_cli_versioned_pkg:

docker_package_info:
pkgs:
- "{{ containerd_versioned_pkg[containerd_version | string] }}"
- "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
- "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
- "{{ docker_versioned_pkg[docker_version | string] }}"

2 changes: 1 addition & 1 deletion roles/container-engine/runc/defaults/main.yml
@@ -1,5 +1,5 @@
---

runc_bin_dir: /usr/bin/
runc_bin_dir: "{{ bin_dir }}"

runc_package_name: runc
13 changes: 13 additions & 0 deletions roles/container-engine/runc/tasks/main.yml
@@ -1,8 +1,14 @@
---
- name: runc | set is_ostree
set_fact:
is_ostree: "{{ ostree.stat.exists }}"

- name: runc | Uninstall runc package managed by package manager
package:
name: "{{ runc_package_name }}"
state: absent
when:
- not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))

- name: runc | Download runc binary
include_tasks: "../../../download/tasks/download_file.yml"
Expand All @@ -15,3 +21,10 @@
dest: "{{ runc_bin_dir }}/runc"
mode: 0755
remote_src: true

- name: runc | Remove orphaned binary
file:
path: /usr/bin/runc
state: absent
when: runc_bin_dir != "/usr/bin"
ignore_errors: true # noqa ignore-errors
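Review bot: The new `runc | Uninstall runc package managed by package manager` task removes the distro `runc` package on every non-ostree, non-Flatcar host; on apt-based systems the distro `containerd` package depends on `runc`, so this removal may take that package with it or fail while it is installed, which deserves either a `when` tied to the container manager or a comment stating the expectation. `is_ostree` is derived from `ostree.stat.exists`, but the stat task that registers `ostree` is not in this file, so the role now depends on task ordering elsewhere; guarding with `ostree is defined`, or `ostree.stat.exists | default(false)`, would make that explicit. The orphan-removal guard `when: runc_bin_dir != "/usr/bin"` shares the trailing-slash issue raised on `roles/container-engine/containerd/tasks/main.yml` in this commit.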