Improving yamllint configuration (#11389)

Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
Bas
2024-07-26 03:42:20 +02:00
committed by GitHub
parent 5394715d9b
commit 8f5f75211f
154 changed files with 342 additions and 334 deletions


@@ -80,7 +80,7 @@
copy:
content: "{{ final_admin_kubeconfig | to_nice_yaml(indent=2) }}"
dest: "{{ artifacts_dir }}/admin.conf"
mode: 0600
mode: "0600"
delegate_to: localhost
connection: local
become: no
@@ -106,7 +106,7 @@
#!/bin/bash
${BASH_SOURCE%/*}/kubectl --kubeconfig=${BASH_SOURCE%/*}/admin.conf "$@"
dest: "{{ artifacts_dir }}/kubectl.sh"
mode: 0755
mode: "0755"
become: no
run_once: yes
delegate_to: localhost


@@ -37,4 +37,4 @@
dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
owner: root
group: "{{ kube_cert_group }}"
mode: 0640
mode: "0640"


@@ -25,5 +25,5 @@
path: "{{ etcd_data_dir }}"
owner: "{{ etcd_owner }}"
group: "{{ etcd_owner }}"
mode: 0700
mode: "0700"
when: etcd_deployment_type == "kubeadm"


@@ -34,7 +34,7 @@
template:
src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
mode: 0640
mode: "0640"
backup: yes
when:
- inventory_hostname != first_kube_control_plane
@@ -77,7 +77,7 @@
dest: "{{ kube_config_dir }}/cluster-info-discovery-kubeconfig.yaml"
content: "{{ kubeconfig_file_discovery.stdout }}"
owner: "root"
mode: 0644
mode: "0644"
when:
- inventory_hostname != first_kube_control_plane
- kubeadm_use_file_discovery


@@ -51,35 +51,35 @@
file:
path: "{{ audit_policy_file | dirname }}"
state: directory
mode: 0640
mode: "0640"
when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ audit_policy_file }}"
mode: 0640
mode: "0640"
when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)
- name: Write api audit webhook config yaml
template:
src: apiserver-audit-webhook-config.yaml.j2
dest: "{{ audit_webhook_config_file }}"
mode: 0640
mode: "0640"
when: kubernetes_audit_webhook | default(false)
- name: Create apiserver tracing config directory
file:
path: "{{ kube_config_dir }}/tracing"
state: directory
mode: 0640
mode: "0640"
when: kube_apiserver_tracing
- name: Write apiserver tracing config yaml
template:
src: apiserver-tracing.yaml.j2
dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
mode: 0640
mode: "0640"
when: kube_apiserver_tracing
# Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
@@ -96,27 +96,27 @@
template:
src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
mode: 0640
mode: "0640"
- name: Kubeadm | Create directory to store admission control configurations
file:
path: "{{ kube_config_dir }}/admission-controls"
state: directory
mode: 0640
mode: "0640"
when: kube_apiserver_admission_control_config_file
- name: Kubeadm | Push admission control config file
template:
src: "admission-controls.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
mode: 0640
mode: "0640"
when: kube_apiserver_admission_control_config_file
- name: Kubeadm | Push admission control config files
template:
src: "{{ item | lower }}.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/{{ item | lower }}.yaml"
mode: 0640
mode: "0640"
when:
- kube_apiserver_admission_control_config_file
- item in kube_apiserver_admission_plugins_needs_configuration
@@ -126,7 +126,7 @@
template:
src: "podnodeselector.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml"
mode: 0640
mode: "0640"
when:
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0
@@ -178,7 +178,7 @@
file:
path: "{{ kubeadm_patches.dest_dir }}"
state: directory
mode: 0640
mode: "0640"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Kubeadm | Copy kubeadm patches from inventory files
@@ -186,7 +186,7 @@
src: "{{ kubeadm_patches.source_dir }}/"
dest: "{{ kubeadm_patches.dest_dir }}"
owner: "root"
mode: 0644
mode: "0644"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Kubeadm | Initialize first master
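Review bot: The tasks that create directories here keep `mode: "0640"` on a `state: directory` target (the audit policy directory, `{{ kube_config_dir }}/tracing`, `{{ kube_config_dir }}/admission-controls` and `{{ kubeadm_patches.dest_dir }}`), which leaves the directory without any search (x) bit. Only a process that bypasses permission checks, such as root, can then open the files inside, so the group read bit has no effect and any non-root reader fails. Quoting the value preserves that octal mode; I would change these to `mode: "0750"` (or `"0700"` if no group access is intended). The same applies to the kubeadm patches directory in the node join tasks and to `{{ kube_token_dir }}`, which is created with `mode: "0644"` and so also lets every local user list its entries.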


@@ -8,21 +8,21 @@
template:
src: webhook-token-auth-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
mode: 0640
mode: "0640"
when: kube_webhook_token_auth | default(false)
- name: Create webhook authorization config
template:
src: webhook-authorization-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
mode: 0640
mode: "0640"
when: kube_webhook_authorization | default(false)
- name: Create kube-scheduler config
template:
src: kubescheduler-config.yaml.j2
dest: "{{ kube_config_dir }}/kubescheduler-config.yaml"
mode: 0644
mode: "0644"
- name: Apply Kubernetes encrypt at rest config
import_tasks: encrypt-at-rest.yml
@@ -35,7 +35,7 @@
copy:
src: "{{ downloads.kubectl.dest }}"
dest: "{{ bin_dir }}/kubectl"
mode: 0755
mode: "0755"
remote_src: true
tags:
- kubectl
@@ -53,7 +53,7 @@
path: /etc/bash_completion.d/kubectl.sh
owner: root
group: root
mode: 0755
mode: "0755"
when: ansible_os_family in ["Debian","RedHat"]
tags:
- kubectl
@@ -101,13 +101,13 @@
template:
src: k8s-certs-renew.sh.j2
dest: "{{ bin_dir }}/k8s-certs-renew.sh"
mode: 0755
mode: "0755"
- name: Renew K8S control plane certificates monthly 1/2
template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
mode: "0644"
validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:{{item}}'"
# FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
# Remove once we drop support for systemd < 250
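Review bot: The `validate:` command on the systemd unit template tests `/usr/bin/systemd/system/factory-reset.target`, a path under `/usr/bin` where unit files are not normally installed; this looks like a typo for `/usr/lib/systemd/system/`. If the file is absent the `|| exit 0` branch runs and `systemd-analyze verify` is never reached, so the rendered unit is installed unchecked. The line is unchanged context in this hunk and the task continues past it; the kubelet.service template in the kubelet install tasks has the same command. I would correct the test to `[ -f /usr/lib/systemd/system/factory-reset.target ]`, after confirming the path on the supported distributions.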


@@ -8,7 +8,7 @@
template:
src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2"
dest: "{{ kube_config_dir }}/kubeadm-cert-controlplane.conf"
mode: 0640
mode: "0640"
vars:
kubeadm_cert_controlplane: true


@@ -69,7 +69,7 @@
dest: "{{ kube_config_dir }}/cluster-info-discovery-kubeconfig.yaml"
content: "{{ kubeconfig_file_discovery.stdout }}"
owner: "root"
mode: 0644
mode: "0644"
when:
- not is_kube_master
- not kubelet_conf.stat.exists
@@ -80,14 +80,14 @@
src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2"
dest: "{{ kube_config_dir }}/kubeadm-client.conf"
backup: yes
mode: 0640
mode: "0640"
when: not is_kube_master
- name: Kubeadm | Create directory to store kubeadm patches
file:
path: "{{ kubeadm_patches.dest_dir }}"
state: directory
mode: 0640
mode: "0640"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Kubeadm | Copy kubeadm patches from inventory files
@@ -95,7 +95,7 @@
src: "{{ kubeadm_patches.source_dir }}/"
dest: "{{ kubeadm_patches.dest_dir }}"
owner: "root"
mode: 0644
mode: "0644"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Join to cluster if needed


@@ -3,7 +3,7 @@
copy:
src: "{{ downloads.kubeadm.dest }}"
dest: "{{ bin_dir }}/kubeadm"
mode: 0755
mode: "0755"
remote_src: true
tags:
- kubeadm
@@ -14,7 +14,7 @@
copy:
src: "{{ downloads.kubelet.dest }}"
dest: "{{ bin_dir }}/kubelet"
mode: 0755
mode: "0755"
remote_src: true
tags:
- kubelet


@@ -12,7 +12,7 @@
dest: "{{ kube_config_dir }}/kubelet.env"
setype: "{{ (preinstall_selinux_state != 'disabled') | ternary('etc_t', omit) }}"
backup: yes
mode: 0600
mode: "0600"
notify: Node | restart kubelet
tags:
- kubelet
@@ -22,7 +22,7 @@
template:
src: "kubelet-config.{{ kubeletConfig_api_version }}.yaml.j2"
dest: "{{ kube_config_dir }}/kubelet-config.yaml"
mode: 0600
mode: "0600"
notify: Kubelet | restart kubelet
tags:
- kubelet
@@ -33,7 +33,7 @@
src: "kubelet.service.j2"
dest: "/etc/systemd/system/kubelet.service"
backup: "yes"
mode: 0600
mode: "0600"
validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:kubelet.service'"
# FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
# Remove once we drop support for systemd < 250


@@ -8,7 +8,7 @@
file:
path: "{{ haproxy_config_dir }}"
state: directory
mode: 0755
mode: "0755"
owner: root
- name: Haproxy | Write haproxy configuration
@@ -16,7 +16,7 @@
src: "loadbalancer/haproxy.cfg.j2"
dest: "{{ haproxy_config_dir }}/haproxy.cfg"
owner: root
mode: 0755
mode: "0755"
backup: yes
- name: Haproxy | Get checksum from config
@@ -31,4 +31,4 @@
template:
src: manifests/haproxy.manifest.j2
dest: "{{ kube_manifest_dir }}/haproxy.yml"
mode: 0640
mode: "0640"
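Review bot: `haproxy.cfg` is written with `mode: "0755"`, which sets execute bits on a configuration file; nothing in the hunk needs them. `mode: "0644"` keeps the file readable by whatever user the proxy runs as, or `"0640"` if only root and the group need it. The nginx-proxy tasks do the same for `nginx.conf`, inside a directory that is created `"0700"`, so the two load balancer roles are also inconsistent with each other.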


@@ -10,4 +10,4 @@
template:
src: manifests/kube-vip.manifest.j2
dest: "{{ kube_manifest_dir }}/kube-vip.yml"
mode: 0640
mode: "0640"


@@ -8,7 +8,7 @@
file:
path: "{{ nginx_config_dir }}"
state: directory
mode: 0700
mode: "0700"
owner: root
- name: Nginx-proxy | Write nginx-proxy configuration
@@ -16,7 +16,7 @@
src: "loadbalancer/nginx.conf.j2"
dest: "{{ nginx_config_dir }}/nginx.conf"
owner: root
mode: 0755
mode: "0755"
backup: yes
- name: Nginx-proxy | Get checksum from config
@@ -31,4 +31,4 @@
template:
src: manifests/nginx-proxy.manifest.j2
dest: "{{ kube_manifest_dir }}/nginx-proxy.yml"
mode: 0640
mode: "0640"


@@ -14,7 +14,7 @@
file:
path: /var/lib/cni
state: directory
mode: 0755
mode: "0755"
- name: Install kubelet binary
import_tasks: install.yml
@@ -74,7 +74,7 @@
file:
path: "{{ item }}"
state: directory
mode: 0755
mode: "0755"
loop:
- /etc/modules-load.d
- /etc/modprobe.d
@@ -89,7 +89,7 @@
copy:
dest: /etc/modules-load.d/kubespray-br_netfilter.conf
content: br_netfilter
mode: 0644
mode: "0644"
when: modinfo_br_netfilter.rc == 0
# kube-proxy needs net.bridge.bridge-nf-call-iptables enabled when found if br_netfilter is not a module
@@ -162,7 +162,7 @@
content: "{{ openstack_cacert | b64decode if openstack_cacert_is_base64 else omit }}"
dest: "{{ kube_config_dir }}/openstack-cacert.pem"
group: "{{ kube_cert_group }}"
mode: 0640
mode: "0640"
when:
- cloud_provider is defined
- cloud_provider == 'openstack'
@@ -176,7 +176,7 @@
src: "cloud-configs/{{ cloud_provider }}-cloud-config.j2"
dest: "{{ kube_config_dir }}/cloud_config"
group: "{{ kube_cert_group }}"
mode: 0640
mode: "0640"
when:
- cloud_provider is defined
- cloud_provider in [ 'openstack', 'azure', 'vsphere', 'aws', 'gce' ]


@@ -4,7 +4,7 @@
path: "{{ item }}"
state: directory
owner: "{{ kube_owner }}"
mode: 0755
mode: "0755"
when: inventory_hostname in groups['k8s_cluster']
become: true
tags:
@@ -28,7 +28,7 @@
path: "{{ item }}"
state: directory
owner: root
mode: 0755
mode: "0755"
when: inventory_hostname in groups['k8s_cluster']
become: true
tags:
@@ -61,7 +61,7 @@
src: "{{ kube_cert_dir }}"
dest: "{{ kube_cert_compat_dir }}"
state: link
mode: 0755
mode: "0755"
when:
- inventory_hostname in groups['k8s_cluster']
- kube_cert_dir != kube_cert_compat_dir
@@ -72,7 +72,7 @@
path: "{{ item }}"
state: directory
owner: "{{ kube_owner }}"
mode: 0755
mode: "0755"
with_items:
- "/etc/cni/net.d"
- "/opt/cni/bin"
@@ -93,7 +93,7 @@
path: "{{ item }}"
state: directory
owner: "{{ kube_owner }}"
mode: 0755
mode: "0755"
with_items:
- "/var/lib/calico"
when:


@@ -19,7 +19,7 @@
create: yes
backup: "{{ not resolvconf_stat.stat.islnk }}"
marker: "# Ansible entries {mark}"
mode: 0644
mode: "0644"
notify: Preinstall | propagate resolvconf to k8s components
- name: Remove search/domain/nameserver options before block
@@ -53,6 +53,6 @@
dest: "{{ resolveconf_cloud_init_conf }}"
src: resolvconf.j2
owner: root
mode: 0644
mode: "0644"
notify: Preinstall | update resolvconf for Flatcar Container Linux by Kinvolk
when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]


@@ -3,7 +3,7 @@
file:
state: directory
name: /etc/systemd/resolved.conf.d/
mode: 0755
mode: "0755"
- name: Write Kubespray DNS settings to systemd-resolved
template:
@@ -11,5 +11,5 @@
dest: /etc/systemd/resolved.conf.d/kubespray.conf
owner: root
group: root
mode: 0644
mode: "0644"
notify: Preinstall | Restart systemd-resolved


@@ -11,7 +11,7 @@
[keyfile]
unmanaged-devices+=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:vxlan-v6.calico
dest: /etc/NetworkManager/conf.d/calico.conf
mode: 0644
mode: "0644"
when:
- kube_network_plugin == "calico"
notify: Preinstall | reload NetworkManager
@@ -24,5 +24,5 @@
[keyfile]
unmanaged-devices+=interface-name:kube-ipvs0;interface-name:nodelocaldns
dest: /etc/NetworkManager/conf.d/k8s.conf
mode: 0644
mode: "0644"
notify: Preinstall | reload NetworkManager


@@ -30,7 +30,7 @@
Pin-Priority: 1001
dest: "/etc/apt/preferences.d/libseccomp2"
owner: "root"
mode: 0644
mode: "0644"
- name: Update package management cache (APT)
apt:


@@ -29,7 +29,7 @@
state: present
create: yes
backup: yes
mode: 0644
mode: "0644"
when:
- disable_ipv6_dns
- not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
@@ -67,7 +67,7 @@
file:
name: "{{ sysctl_file_path | dirname }}"
state: directory
mode: 0755
mode: "0755"
- name: Enable ip forwarding
ansible.posix.sysctl:


@@ -40,7 +40,7 @@
template:
src: "{{ ntp_config_file | basename }}.j2"
dest: "{{ ntp_config_file }}"
mode: 0644
mode: "0644"
notify: Preinstall | restart ntp
when:
- ntp_manage_config


@@ -23,7 +23,7 @@
backup: yes
unsafe_writes: yes
marker: "# Ansible inventory hosts {mark}"
mode: 0644
mode: "0644"
- name: Hosts | populate kubernetes loadbalancer address into hosts file
lineinfile:


@@ -11,7 +11,7 @@
insertbefore: BOF
backup: yes
marker: "# Ansible entries {mark}"
mode: 0644
mode: "0644"
notify: Preinstall | propagate resolvconf to k8s components
- name: Configure dhclient hooks for resolv.conf (non-RH)
@@ -19,7 +19,7 @@
src: dhclient_dnsupdate.sh.j2
dest: "{{ dhclienthookfile }}"
owner: root
mode: 0755
mode: "0755"
notify: Preinstall | propagate resolvconf to k8s components
when: ansible_os_family not in [ "RedHat", "Suse" ]
@@ -28,6 +28,6 @@
src: dhclient_dnsupdate_rh.sh.j2
dest: "{{ dhclienthookfile }}"
owner: root
mode: 0755
mode: "0755"
notify: Preinstall | propagate resolvconf to k8s components
when: ansible_os_family == "RedHat"


@@ -3,7 +3,7 @@
copy:
src: "kube-gen-token.sh"
dest: "{{ kube_script_dir }}/kube-gen-token.sh"
mode: 0700
mode: "0700"
run_once: yes
delegate_to: "{{ groups['kube_control_plane'][0] }}"
when: gen_tokens | default(false)


@@ -11,7 +11,7 @@
file:
path: "{{ kube_token_dir }}"
state: directory
mode: 0644
mode: "0644"
group: "{{ kube_cert_group }}"
- name: Generate tokens