reynencourt · r3dsm0k3 · May 3, 2021 · Feb 10, 2021 · Mar 3, 2021 · Mar 3, 2021
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 # Use imutable image tags rather than mutable tags (like ubuntu:18.04)
 FROM ubuntu:bionic-20200807
 
-ENV KUBE_VERSION=v1.19.8
+ENV KUBE_VERSION=v1.19.10
 
 RUN mkdir /kubespray
 WORKDIR /kubespray

diff --git a/README.md b/README.md
@@ -108,28 +108,28 @@ vagrant up
 - **CentOS/RHEL** 7, 8 (experimental: see [centos 8 notes](docs/centos8.md))
 - **Fedora** 32, 33
 - **Fedora CoreOS** (experimental: see [fcos Note](docs/fcos.md))
-- **openSUSE** Leap 42.3/Tumbleweed
+- **openSUSE** Leap 15.x/Tumbleweed
 - **Oracle Linux** 7, 8 (experimental: [centos 8 notes](docs/centos8.md) apply)
 
 Note: Upstart/SysV init based OS types are not supported.
 
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.19.8
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.19.10
   - [etcd](https://github.com/coreos/etcd) v3.4.13
   - [docker](https://www.docker.com/) v19.03 (see note)
   - [containerd](https://containerd.io/) v1.3.9
   - [cri-o](http://cri-o.io/) v1.19 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v0.9.0
-  - [calico](https://github.com/projectcalico/calico) v3.16.6
+  - [calico](https://github.com/projectcalico/calico) v3.16.9
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.8.6
+  - [cilium](https://github.com/cilium/cilium) v1.8.8
   - [flanneld](https://github.com/coreos/flannel) v0.13.0
-  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.5.2
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.6.1
   - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.1.1
-  - [multus](https://github.com/intel/multus-cni) v3.6.0
+  - [multus](https://github.com/intel/multus-cni) v3.7.0
   - [ovn4nfv](https://github.com/opnfv/ovn4nfv-k8s-plugin) v1.1.0
   - [weave](https://github.com/weaveworks/weave) v2.7.0
 - Application

diff --git a/Vagrantfile b/Vagrantfile
@@ -28,7 +28,7 @@ SUPPORTED_OS = {
   "centos8-bento"       => {box: "bento/centos-8",             user: "vagrant"},
   "fedora32"            => {box: "fedora/32-cloud-base",       user: "vagrant"},
   "fedora33"            => {box: "fedora/33-cloud-base",       user: "vagrant"},
-  "opensuse"            => {box: "bento/opensuse-leap-15.1",   user: "vagrant"},
+  "opensuse"            => {box: "bento/opensuse-leap-15.2",   user: "vagrant"},
   "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
   "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
   "oraclelinux8"        => {box: "generic/oracle8",            user: "vagrant"},

diff --git a/ansible_version.yml b/ansible_version.yml
@@ -15,3 +15,18 @@
           - ansible_version.string is version(maximal_ansible_version, "<")
       tags:
         - check
+
+    - name: "Check that python netaddr is installed"
+      assert:
+        msg: "Python netaddr is not present"
+        that: "'127.0.0.1' | ipaddr"
+      tags:
+        - check
+
+    # CentOS 7 provides too old jinja version
+    - name: "Check that jinja is not too old (install via pip)"
+      assert:
+        msg: "Your Jinja version is too old, install via pip"
+        that: "{% set test %}It works{% endset %}{{ test == 'It works' }}"
+      tags:
+        - check
diff --git a/cluster.yml b/cluster.yml
@@ -100,7 +100,6 @@
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray-defaults }
-    - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
     - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 
 - hosts: kube-master

diff --git a/docs/offline-environment.md b/docs/offline-environment.md
@@ -28,6 +28,8 @@ cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_ar
 crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
 # If using Calico
 calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
+# If using Calico with kdd
+calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"
 
 # CentOS/Redhat
 ## Docker / Containerd

diff --git a/docs/opensuse.md b/docs/opensuse.md
@@ -1,4 +1,4 @@
-# openSUSE Leap 15.0 and Tumbleweed
+# openSUSE Leap 15.2 and Tumbleweed
 
 openSUSE Leap installation Notes:
 

diff --git a/docs/upgrades.md b/docs/upgrades.md
@@ -284,20 +284,6 @@ follows:
 * kube-apiserver, kube-scheduler, and kube-controller-manager
 * Add-ons (such as KubeDNS)
 
-## Upgrade considerations
-
-Kubespray supports rotating certificates used for etcd and Kubernetes
-components, but some manual steps may be required. If you have a pod that
-requires use of a service token and is deployed in a namespace other than
-`kube-system`, you will need to manually delete the affected pods after
-rotating certificates. This is because all service account tokens are dependent
-on the apiserver token that is used to generate them. When the certificate
-rotates, all service account tokens must be rotated as well. During the
-kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
-recreated. All other invalidated service account tokens are cleaned up
-automatically, but other pods are not deleted out of an abundance of caution
-for impact to user deployed pods.
-
 ### Component-based upgrades
 
 A deployer may want to upgrade specific components in order to minimize risk

diff --git a/inventory/local/hosts.ini b/inventory/local/hosts.ini
@@ -12,4 +12,3 @@ node1
 [k8s-cluster:children]
 kube-node
 kube-master
-calico-rr
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -17,7 +17,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.19.8
+kube_version: v1.19.10
 
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
@@ -310,5 +310,8 @@ persistent_volumes_enabled: false
 
 ## Amount of time to retain events. (default 1h0m0s)
 event_ttl_duration: "1h0m0s"
-##  Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
-force_certificate_regeneration: false
+
+## Automatically renew K8S control plane certificates on first Monday of each month
+auto_renew_certificates: false
+# First Monday of each month
+# auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube-master'].index(inventory_hostname) }}0:00"
diff --git a/inventory/sample/group_vars/k8s-cluster/offline.yml b/inventory/sample/group_vars/k8s-cluster/offline.yml
@@ -32,6 +32,8 @@
 
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
+# [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
+# calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"
 
 ## CentOS/Redhat
 ### For EL7, base and extras repo must be available, for EL8, baseos and appstream

diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,6 @@
-ansible==2.9.17
-jinja2==2.11.1
+ansible==2.9.18
+cryptography==2.8
+jinja2==2.11.3
 netaddr==0.7.19
 pbr==5.4.4
 jmespath==0.9.5

diff --git a/roles/bastion-ssh-config/tasks/main.yml b/roles/bastion-ssh-config/tasks/main.yml
@@ -1,7 +1,8 @@
 ---
-- name: set bastion host IP
+- name: set bastion host IP and port
   set_fact:
     bastion_ip: "{{ hostvars[groups['bastion'][0]]['ansible_host'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_host']) }}"
+    bastion_port: "{{ hostvars[groups['bastion'][0]]['ansible_port'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_port']) | d(22) }}"
   delegate_to: localhost
   connection: local
 

diff --git a/roles/bastion-ssh-config/templates/ssh-bastion.conf b/roles/bastion-ssh-config/templates/ssh-bastion.conf
@@ -15,4 +15,4 @@ Host {{ bastion_ip }}
   ControlPersist 5m
 
 Host {{ vars['hosts'] }}
-  ProxyCommand ssh -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
+  ProxyCommand ssh -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -p {{ bastion_port }} {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
diff --git a/roles/bootstrap-os/tasks/bootstrap-centos.yml b/roles/bootstrap-os/tasks/bootstrap-centos.yml
@@ -69,6 +69,9 @@
 - name: Check presence of fastestmirror.conf
   stat:
     path: /etc/yum/pluginconf.d/fastestmirror.conf
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: fastestmirror
 
 # the fastestmirror plugin can actually slow down Ansible deployments

diff --git a/roles/bootstrap-os/tasks/bootstrap-opensuse.yml b/roles/bootstrap-os/tasks/bootstrap-opensuse.yml
@@ -4,6 +4,9 @@
 - name: Check that /etc/sysconfig/proxy file exists
   stat:
     path: /etc/sysconfig/proxy
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: stat_result
 
 - name: Create the /etc/sysconfig/proxy empty file

diff --git a/roles/bootstrap-os/tasks/bootstrap-redhat.yml b/roles/bootstrap-os/tasks/bootstrap-redhat.yml
@@ -85,6 +85,9 @@
 - name: Check presence of fastestmirror.conf
   stat:
     path: /etc/yum/pluginconf.d/fastestmirror.conf
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: fastestmirror
 
 # the fastestmirror plugin can actually slow down Ansible deployments

diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
@@ -65,6 +65,7 @@ containerd_default_runtime:
 #     type: io.containerd.kata.v2
 #     engine: ""
 #     root: ""
+#     privileged_without_host_devices: true
 containerd_runtimes: []
 
 containerd_untrusted_runtime_type: ''

diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
@@ -2,6 +2,9 @@
 - name: check if fedora coreos
   stat:
     path: /run/ostree-booted
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: ostree
 
 - name: set is_ostree

diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
@@ -42,6 +42,7 @@ disabled_plugins = ["restart"]
   runtime_type = "{{ containerd_default_runtime.type }}"
   runtime_engine = "{{ containerd_default_runtime.engine }}"
   runtime_root = "{{ containerd_default_runtime.root }}"
+  privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|lower }}
 
 {% if kata_containers_enabled %}
 [plugins.cri.containerd.runtimes.kata-qemu]
@@ -55,6 +56,7 @@ disabled_plugins = ["restart"]
   runtime_type = "{{ runtime.type }}"
   runtime_engine = "{{ runtime.engine }}"
   runtime_root = "{{ runtime.root }}"
+  privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
 {% endfor %}
 
 [plugins.cri.containerd.untrusted_workload_runtime]

diff --git a/roles/container-engine/cri-o/tasks/crio_repo.yml b/roles/container-engine/cri-o/tasks/crio_repo.yml
@@ -14,6 +14,7 @@
   until: apt_key_download is succeeded
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
+  environment: "{{ proxy_env }}"
 
 - name: Add CRI-O kubic apt repo
   apt_repository:

diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
@@ -2,6 +2,9 @@
 - name: check if fedora coreos
   stat:
     path: /run/ostree-booted
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: ostree
 
 - name: set is_ostree
@@ -94,6 +97,9 @@
 - name: Check if already installed
   stat:
     path: "/bin/crio"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: need_bootstrap_crio
   when: is_ostree
 

diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -293,6 +293,7 @@ pinns_path = ""
 runtime_path = "{{ runtime.path }}"
 runtime_type = "{{ runtime.type }}"
 runtime_root = "{{ runtime.root }}"
+privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
 {% endfor %}
 
 # Kata Containers with the Firecracker VMM

diff --git a/roles/container-engine/crun/tasks/main.yml b/roles/container-engine/crun/tasks/main.yml
@@ -9,6 +9,9 @@
 - name: Check if binary exists
   stat:
     path: "{{ crun_bin_dir }}/crun"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: crun_stat
 
 # TODO: use download_file.yml

diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml
@@ -2,6 +2,9 @@
 - name: check if fedora coreos
   stat:
     path: /run/ostree-booted
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
   register: ostree
 
 - name: set is_ostree