Release 2.15 #35

Merged: 49 commits, May 3, 2021
@r3dsm0k3 r3dsm0k3 commented May 3, 2021

Pulling the upstream changes of 2.15.1

champtar and others added 30 commits March 15, 2021 07:07
By default the Ansible stat module computes the checksum, lists extended attributes and finds the mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit de1d9df)

Conflicts:
	roles/etcd/tasks/check_certs.yml
On CentOS 8 they seem to be ignored by default, but better be extra safe
This also makes it easy to exclude other network plugin interfaces

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit e442b1d)
Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`

kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage

This reverts to the logic before 6fe2248

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit c9c0c01)
According to [etcd's docs](https://etcd.io/docs/v3.4.0/op-guide/configuration/#--log-package-levels), argument 'log-package-levels' should not contain underscores.

(cherry picked from commit b7c2265)
apiserver.pem is not used since ddffdb6

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit fedd671)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
	roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit a6e1f5e)
kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 280036f)
kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 8800b5c)
There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 53e5ef6)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-backup.yml
	roles/kubernetes/master/tasks/kubeadm-certificate.yml
The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit a9c97e5)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-version.yml
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* containerd/cri#1225
* cri-o/cri-o@1d0f681

(cherry picked from commit dc5df57)
* Update ansible to v2.9.18

Signed-off-by: Maciej Wereski <[email protected]>

* Update jinja2 to v2.11.3

Signed-off-by: Maciej Wereski <[email protected]>
(cherry picked from commit b07c596)
c9c0c01 only fixes the problem for new clusters

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 14b63ed)

Conflicts:
	roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml
The dummy module is needed for nodelocaldns.

(cherry picked from commit 5a54db2)
"The error was: 'proxy_disable_env' is undefined\n\nThe error appears to
be in '<censored>scale.yml': line 72, column 7"

Fixes 067db68

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 057e8b4)
15.1 has reached EOL on 2021-02-02.

Signed-off-by: Maciej Wereski <[email protected]>
(cherry picked from commit 69d11da)
(cherry picked from commit edc4bb4)
(cherry picked from commit de46f86)
(cherry picked from commit 5f2c8ac)
* Download Calico KDD CRDs

* Replace kustomize with lineinfile and use ansible assemble module

* Replace find+lineinfile by sed in shell module to avoid nested loop

* add condition on sed

* use block for kdd tasks + remove supernumerary kdd manifest apply in start "Start Calico resources"

(cherry picked from commit 1c62af0)

Conflicts:
        roles/network_plugin/calico/tasks/install.yml
Signed-off-by: Etienne Champetier <[email protected]>
While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit efa1803)

Conflicts:
	roles/kubernetes/master/templates/k8s-certs-renew.service.j2
	roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
	roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
To avoid ModuleNotFoundError due to no module named 'setuptools_rust',
this adds cryptography installation to requirements.txt.

Created by jfc-evs originally as #7264

(cherry picked from commit 49abf60)
* Allow connecting to bastion via non-standard port

* Fix bastion connection when ansible_port is not provided

(cherry picked from commit 6fa3565)
`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.

Signed-off-by: anthr76 <[email protected]>
(cherry picked from commit edfa3e9)
Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 2d1597b)
* Remove ignore_errors from drain tasks and enable retries

* Fix lint error by checking if stdout length is not 0, ie string is not empty.

(cherry picked from commit ccd3aee)
champtar and others added 19 commits March 29, 2021 16:19
Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 36a3a78)
Signed-off-by: Etienne Champetier <[email protected]>
fix undefinedElse

(cherry picked from commit cce9d31)
(cherry picked from commit 596d028)

Conflicts:
	inventory/local/hosts.ini
(cherry picked from commit 7340a16)
* kubelet absolute path

* kubelet absolute path

(cherry picked from commit e2a7f3e)
* add CI test for auto_renew_certificates

* change timer value

fix typo error in rotate cert script

(cherry picked from commit cce0940)

Conflicts:
	roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
(cherry picked from commit 90c643f)
We were regenerating only the cert of the first node
While at it speed up the check step

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit e444b3c)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-setup.yml
This allows configuring when K8S certificates renewal runs

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit bf6a39e)

Conflicts:
        inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
        roles/kubernetes/master/defaults/main/main.yml
        roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
CentOS 7 provides up to date Ansible with really old jinja version

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 332cc1c)
@r3dsm0k3 r3dsm0k3 merged commit 2559809 into reynencourt:release-2.15-rc May 3, 2021