Move to Ansible 3.4.0 (#7672)

* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10 * Docs: add a note about ansible upgrade post 2.9.x * CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures * Ansible: use newer ansible-lint * Fix ansible-lint 5.0.11 found issues * syntax issues * risky-file-permissions * var-naming * role-name * molecule tests * Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+ * Pin ansible-base to 2.10.11 to get package fix on RHEL8
2026-02-28 09:39:12 +03:00 · 2021-07-12 10:00:47 +03:00
parent b0e4c375a7
commit 7516fe142f
103 changed files with 298 additions and 129 deletions
--- a/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
@@ -12,7 +12,7 @@
    - apiserver-kubelet-client.key
    - front-proxy-client.crt
    - front-proxy-client.key
-  ignore_errors: yes
+  ignore_errors: true  # noqa ignore-errors

 - name: Backup old confs
  copy:
@@ -25,4 +25,4 @@
    - controller-manager.conf
    - kubelet.conf
    - scheduler.conf
-  ignore_errors: yes
+  ignore_errors: true  # noqa ignore-errors
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -50,18 +50,21 @@
  file:
    path: "{{ audit_policy_file | dirname }}"
    state: directory
+    mode: 0640
  when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)

 - name: Write api audit policy yaml
  template:
    src: apiserver-audit-policy.yaml.j2
    dest: "{{ audit_policy_file }}"
+    mode: 0640
  when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)

 - name: Write api audit webhook config yaml
  template:
    src: apiserver-audit-webhook-config.yaml.j2
    dest: "{{ audit_webhook_config_file }}"
+    mode: 0640
  when: kubernetes_audit_webhook|default(false)

 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -7,12 +7,14 @@
  template:
    src: webhook-token-auth-config.yaml.j2
    dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
+    mode: 0640
  when: kube_webhook_token_auth|default(false)

 - name: Create webhook authorization config
  template:
    src: webhook-authorization-config.yaml.j2
    dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
+    mode: 0640
  when: kube_webhook_authorization|default(false)

 - name: Create kube-scheduler config
@@ -40,7 +42,7 @@
  when: ansible_os_family in ["Debian","RedHat"]
  tags:
    - kubectl
-  ignore_errors: True
+  ignore_errors: true  # noqa ignore-errors

 - name: Set kubectl bash completion file permissions
  file:
@@ -52,7 +54,7 @@
  tags:
    - kubectl
    - upgrade
-  ignore_errors: True
+  ignore_errors: true  # noqa ignore-errors

 - name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
  set_fact:
@@ -77,12 +79,13 @@
  template:
    src: k8s-certs-renew.sh.j2
    dest: "{{ bin_dir }}/k8s-certs-renew.sh"
-    mode: '755'
+    mode: 0755

 - name: Renew K8S control plane certificates monthly 1/2
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
+    mode: 0644
  with_items:
    - k8s-certs-renew.service
    - k8s-certs-renew.timer