Merge pull request #176 from kubespray/kubernetes-v1.2.0

Kubernetes v1.2.0

.gitmodules

@@ -1,53 +0,0 @@
-[submodule "roles/apps/k8s-kube-ui"]
-	path = roles/apps/k8s-kube-ui
-	url = https://github.com/ansibl8s/k8s-kube-ui.git
-	branch = v1.0
-[submodule "roles/apps/k8s-kubedns"]
-	path = roles/apps/k8s-kubedns
-	url = https://github.com/ansibl8s/k8s-kubedns.git
-	branch = v1.0
-[submodule "roles/apps/k8s-common"]
-	path = roles/apps/k8s-common
-	url = https://github.com/ansibl8s/k8s-common.git
-	branch = v1.0
-[submodule "roles/apps/k8s-redis"]
-	path = roles/apps/k8s-redis
-	url = https://github.com/ansibl8s/k8s-redis.git
-	branch = v1.0
-[submodule "roles/apps/k8s-elasticsearch"]
-	path = roles/apps/k8s-elasticsearch
-	url = https://github.com/ansibl8s/k8s-elasticsearch.git
-[submodule "roles/apps/k8s-fabric8"]
-	path = roles/apps/k8s-fabric8
-	url = https://github.com/ansibl8s/k8s-fabric8.git
-	branch = v1.0
-[submodule "roles/apps/k8s-memcached"]
-	path = roles/apps/k8s-memcached
-	url = https://github.com/ansibl8s/k8s-memcached.git
-	branch = v1.0
-[submodule "roles/apps/k8s-postgres"]
-	path = roles/apps/k8s-postgres
-	url = https://github.com/ansibl8s/k8s-postgres.git
-	branch = v1.0
-[submodule "roles/apps/k8s-kubedash"]
-	path = roles/apps/k8s-kubedash
-	url = https://github.com/ansibl8s/k8s-kubedash.git
-[submodule "roles/apps/k8s-heapster"]
-	path = roles/apps/k8s-heapster
-	url = https://github.com/ansibl8s/k8s-heapster.git
-[submodule "roles/apps/k8s-influxdb"]
-	path = roles/apps/k8s-influxdb
-	url = https://github.com/ansibl8s/k8s-influxdb.git
-[submodule "roles/apps/k8s-kube-logstash"]
-	path = roles/apps/k8s-kube-logstash
-	url = https://github.com/ansibl8s/k8s-kube-logstash.git
-[submodule "roles/apps/k8s-etcd"]
-	path = roles/apps/k8s-etcd
-	url = https://github.com/ansibl8s/k8s-etcd.git
-[submodule "roles/apps/k8s-rabbitmq"]
-	path = roles/apps/k8s-rabbitmq
-	url = https://github.com/ansibl8s/k8s-rabbitmq.git
-[submodule "roles/apps/k8s-pgbouncer"]
-	path = roles/apps/k8s-pgbouncer
-	url = https://github.com/ansibl8s/k8s-pgbouncer.git
-	branch = v1.0

.travis.yml

@@ -1,38 +1,150 @@
-sudo: required
-dist: trusty
-language: python
-python: "2.7"
+sudo: false
 
-addons:
-  hosts:
-    - node1
+git:
+  depth: 5
 
 env:
-  - SITE=cluster.yml ANSIBLE_VERSION=2.0.0
+  global:
+    GCE_USER=travis
+    SSH_USER=$GCE_USER
+    TEST_ID=$TRAVIS_JOB_NUMBER
+    CONTAINER_ENGINE=docker
+    PRIVATE_KEY=$GCE_PRIVATE_KEY
+    ANSIBLE_KEEP_REMOTE_FILES=1
+  matrix:
+    # Debian Jessie
+    - >-
+      KUBE_NETWORK_PLUGIN=flannel
+      CLOUD_IMAGE=debian-8-kubespray
+      CLOUD_REGION=europe-west1-b
+    - >-
+      KUBE_NETWORK_PLUGIN=calico
+      CLOUD_IMAGE=debian-8-kubespray
+      CLOUD_REGION=us-central1-c
+    - >-
+      KUBE_NETWORK_PLUGIN=weave
+      CLOUD_IMAGE=debian-8-kubespray
+      CLOUD_REGION=us-east1-d
 
-install:
+    # Centos 7
+    - >-
+      KUBE_NETWORK_PLUGIN=flannel
+      CLOUD_IMAGE=centos-7-sudo
+      CLOUD_REGION=asia-east1-c
+
+    - >-
+      KUBE_NETWORK_PLUGIN=calico
+      CLOUD_IMAGE=centos-7-sudo
+      CLOUD_REGION=europe-west1-b
+
+    - >-
+      KUBE_NETWORK_PLUGIN=weave
+      CLOUD_IMAGE=centos-7-sudo
+      CLOUD_REGION=us-central1-c
+
+   # Redhat 7
+    - >-
+      KUBE_NETWORK_PLUGIN=flannel
+      CLOUD_IMAGE=rhel-7-sudo
+      CLOUD_REGION=us-east1-d
+
+    - >-
+      KUBE_NETWORK_PLUGIN=calico
+      CLOUD_IMAGE=rhel-7-sudo
+      CLOUD_REGION=asia-east1-c
+
+    - >-
+      KUBE_NETWORK_PLUGIN=weave
+      CLOUD_IMAGE=rhel-7-sudo
+      CLOUD_REGION=europe-west1-b
+
+    # Ubuntu 14.04
+    - >-
+      KUBE_NETWORK_PLUGIN=flannel
+      CLOUD_IMAGE=ubuntu-1404-trusty
+      CLOUD_REGION=us-central1-c
+    - >-
+      KUBE_NETWORK_PLUGIN=calico
+      CLOUD_IMAGE=ubuntu-1404-trusty
+      CLOUD_REGION=us-east1-d
+    - >-
+      KUBE_NETWORK_PLUGIN=weave
+      CLOUD_IMAGE=ubuntu-1404-trusty
+      CLOUD_REGION=asia-east1-c
+
+    # Ubuntu 15.10
+    - >-
+      KUBE_NETWORK_PLUGIN=flannel
+      CLOUD_IMAGE=ubuntu-1510-wily
+      CLOUD_REGION=europe-west1-b
+    - >-
+      KUBE_NETWORK_PLUGIN=calico
+      CLOUD_IMAGE=ubuntu-1510-wily
+      CLOUD_REGION=us-central1-a
+    - >-
+      KUBE_NETWORK_PLUGIN=weave
+      CLOUD_IMAGE=ubuntu-1510-wily
+      CLOUD_REGION=us-east1-d
+
+
+matrix:
+  allow_failures:
+    - env: KUBE_NETWORK_PLUGIN=weave CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=asia-east1-c
+    - env: KUBE_NETWORK_PLUGIN=calico CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=us-east1-d
+
+before_install:
   # Install Ansible.
-  - sudo -H pip install ansible==${ANSIBLE_VERSION}
-  - sudo -H pip install netaddr
+  - pip install --user boto -U
+  - pip install --user ansible
+  - pip install --user netaddr
+  - pip install --user apache-libcloud
 
 cache:
-  directories:
-    - $HOME/releases
+  - directories:
     - $HOME/.cache/pip
+    - $HOME/.local
 
 before_script:
-  - export PATH=$PATH:/usr/local/bin
+  - echo "RUN $TRAVIS_JOB_NUMBER $KUBE_NETWORK_PLUGIN $CONTAINER_ENGINE "
+  - mkdir -p $HOME/.ssh
+  - echo $PRIVATE_KEY | base64 -d > $HOME/.ssh/id_rsa
+  - echo $GCE_PEM_FILE | base64 -d > $HOME/.ssh/gce
+  - chmod 400 $HOME/.ssh/id_rsa
+  - chmod 755 $HOME/.local/bin/ansible-playbook
+  - $HOME/.local/bin/ansible-playbook --version
+  - cp tests/ansible.cfg .
+#  - "echo $HOME/.local/bin/ansible-playbook -i inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root -e '{\"cloud_provider\": true}'  $LOG_LEVEL -e kube_network_plugin=${KUBE_NETWORK_PLUGIN} setup-kubernetes/cluster.yml"
 
 script:
-  # Check the role/playbook's syntax.
-  - "sudo -H ansible-playbook -i inventory/local-tests.cfg $SITE --syntax-check"
-
-  # Run the role/playbook with ansible-playbook.
-  - "sudo -H ansible-playbook -i inventory/local-tests.cfg $SITE --connection=local"
-
-  # Run the role/playbook again, checking to make sure it's idempotent.
   - >
-    sudo -H ansible-playbook -i inventory/local-tests.cfg $SITE --connection=local
-    | tee /dev/stderr | grep -q 'changed=0.*failed=0'
-    && (echo 'Idempotence test: pass' && exit 0)
-    || (echo 'Idempotence test: fail' && exit 1)
+    $HOME/.local/bin/ansible-playbook tests/cloud_playbooks/create-gce.yml -i tests/local_inventory/hosts -c local $LOG_LEVEL
+    -e test_id=${TEST_ID}
+    -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
+    -e gce_project_id=${GCE_PROJECT_ID}
+    -e gce_service_account_email=${GCE_ACCOUNT}
+    -e gce_pem_file=${HOME}/.ssh/gce
+    -e cloud_image=${CLOUD_IMAGE}
+    -e inventory_path=${PWD}/inventory/inventory.ini
+    -e cloud_region=${CLOUD_REGION}
+
+    # Create cluster
+  - "$HOME/.local/bin/ansible-playbook -i inventory/inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root -e '{\"cloud_provider\": true}'  $LOG_LEVEL -e kube_network_plugin=${KUBE_NETWORK_PLUGIN} cluster.yml"
+    # Tests Cases
+    ## Test Master API
+  - $HOME/.local/bin/ansible-playbook -i inventory/inventory.ini tests/testcases/010_check-apiserver.yml $LOG_LEVEL
+    ## Create a POD
+  - $HOME/.local/bin/ansible-playbook -i inventory/inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root tests/testcases/020_check-create-pod.yml $LOG_LEVEL
+    ## Ping the between 2 pod
+  - $HOME/.local/bin/ansible-playbook -i inventory/inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root tests/testcases/030_check-network.yml $LOG_LEVEL
+
+after_script:
+  - >
+    $HOME/.local/bin/ansible-playbook -i inventory/inventory.ini tests/cloud_playbooks/delete-gce.yml -c local  $LOG_LEVEL
+    -e test_id=${TEST_ID}
+    -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
+    -e gce_project_id=${GCE_PROJECT_ID}
+    -e gce_service_account_email=${GCE_ACCOUNT}
+    -e gce_pem_file=${HOME}/.ssh/gce
+    -e cloud_image=${CLOUD_IMAGE}
+    -e inventory_path=${PWD}/inventory/inventory.ini
+    -e cloud_region=${CLOUD_REGION}

LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2016 Kubespray
+   
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -1,319 +1,6 @@
-[![Build Status](https://travis-ci.org/ansibl8s/setup-kubernetes.svg)](https://travis-ci.org/ansibl8s/setup-kubernetes)
-kubernetes-ansible
-========
 
-This project allows to
-- Install and configure a **Multi-Master/HA kubernetes** cluster.
-- Choose the **network plugin** to be used within the cluster
-- A **set of roles** in order to install applications over the k8s cluster
-- A **flexible method** which helps to create new roles for apps.
+![Kubespray Logo](http://s9.postimg.org/md5dyjl67/kubespray_logoandkubespray_small.png)
 
-Linux distributions tested:
-* **Debian** Wheezy, Jessie
-* **Ubuntu** 14.10, 15.04, 15.10
-* **Fedora** 23
-* **CentOS** 7 (Currently with flannel only)
+The documentation can be found [THERE](https://docs.kubespray.io)
 
-### Requirements
-* The target servers must have **access to the Internet** in order to pull docker imaqes.
-* The firewalls are not managed, you'll need to implement your own rules the way you used to.
-in order to avoid any issue during deployment you should **disable your firewall**
-* **Copy your ssh keys** to all the servers part of your inventory.
-* **Ansible v2.x and python-netaddr**
-* Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)
-
-### Components
-* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
-* [etcd](https://github.com/coreos/etcd/releases) v2.2.4
-* [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.14.0
-* [flanneld](https://github.com/coreos/flannel/releases) v0.5.5
-* [docker](https://www.docker.com/) v1.9.1
-
-Quickstart
--------------------------
-The following steps will quickly setup a kubernetes cluster with default configuration.
-These defaults are good for tests purposes.
-
-Edit the inventory according to the number of servers
-```
-[kube-master]
-10.115.99.31
-
-[etcd]
-10.115.99.31
-10.115.99.32
-10.115.99.33
-
-[kube-node]
-10.115.99.32
-10.115.99.33
-
-[k8s-cluster:children]
-kube-node
-kube-master
-```
-
-Run the playbook
-```
-ansible-playbook -i inventory/inventory.cfg cluster.yml -u root
-```
-
-You can jump directly to "*Available apps, installation procedure*"
-
-
-Ansible
--------------------------
-### Variables
-The main variables to change are located in the directory ```inventory/group_vars/all.yml```.
-
-### Inventory
-Below is an example of an inventory.
-Note : The bgp vars local_as and peers are not mandatory if the var **'peer_with_router'** is set to false
-By default this variable is set to false and therefore all the nodes are configure in **'node-mesh'** mode.
-In node-mesh mode the nodes peers with all the nodes in order to exchange routes.
-
-```
-
-[kube-master]
-node1 ansible_ssh_host=10.99.0.26
-node2 ansible_ssh_host=10.99.0.27
-
-[etcd]
-node1 ansible_ssh_host=10.99.0.26
-node2 ansible_ssh_host=10.99.0.27
-node3 ansible_ssh_host=10.99.0.4
-
-[kube-node]
-node2 ansible_ssh_host=10.99.0.27
-node3 ansible_ssh_host=10.99.0.4
-node4 ansible_ssh_host=10.99.0.5
-node5 ansible_ssh_host=10.99.0.36
-node6 ansible_ssh_host=10.99.0.37
-
-[paris]
-node1 ansible_ssh_host=10.99.0.26
-node3 ansible_ssh_host=10.99.0.4 local_as=xxxxxxxx
-node4 ansible_ssh_host=10.99.0.5 local_as=xxxxxxxx
-
-[new-york]
-node2 ansible_ssh_host=10.99.0.27
-node5 ansible_ssh_host=10.99.0.36 local_as=xxxxxxxx
-node6 ansible_ssh_host=10.99.0.37 local_as=xxxxxxxx
-
-[k8s-cluster:children]
-kube-node
-kube-master
-```
-
-### Playbook
-```
----
-
-- hosts: k8s-cluster
-  roles:
-    - { role: download, tags: download }
-    - { role: kubernetes/preinstall, tags: preinstall }
-    - { role: docker, tags: docker }
-    - { role: kubernetes/node, tags: node }
-    - { role: etcd, tags: etcd }
-    - { role: dnsmasq, tags: dnsmasq }
-    - { role: network_plugin, tags: ['calico', 'flannel', 'network'] }
-
-- hosts: kube-master
-  roles:
-    - { role: kubernetes/master, tags: master }
-
-```
-
-### Run
-It is possible to define variables for different environments.
-For instance, in order to deploy the cluster on 'dev' environment run the following command.
-```
-ansible-playbook -i inventory/dev/inventory.cfg cluster.yml -u root
-```
-
-Kubernetes
--------------------------
-### Multi master notes
-* You can choose where to install the master components. If you want your master node to act both as master (api,scheduler,controller) and node (e.g. accept workloads, create pods ...),
-the server address has to be present on both groups 'kube-master' and 'kube-node'.
-
-* Almost all kubernetes components are running into pods except *kubelet*. These pods are managed by kubelet which ensure they're always running
-
-* For safety reasons, you should have at least two master nodes and 3 etcd servers
-
-* Kube-proxy doesn't support multiple apiservers on startup ([Issue 18174](https://github.com/kubernetes/kubernetes/issues/18174)). An external loadbalancer needs to be configured.
-In order to do so, some variables have to be used '**loadbalancer_apiserver**' and '**apiserver_loadbalancer_domain_name**'
-
-
-### Network Overlay
-You can choose between 2 network plugins. Only one must be chosen.
-
-* **flannel**: gre/vxlan (layer 2) networking. ([official docs](https://github.com/coreos/flannel))
-
-* **calico**: bgp (layer 3) networking. ([official docs](http://docs.projectcalico.org/en/0.13/))
-
-The choice is defined with the variable '**kube_network_plugin**'
-
-### Expose a service
-There are several loadbalancing solutions.
-The one i found suitable for kubernetes are [Vulcand](http://vulcand.io/) and [Haproxy](http://www.haproxy.org/)
-
-My cluster is working with haproxy and kubernetes services are configured with the loadbalancing type '**nodePort**'.
-eg: each node opens the same tcp port and forwards the traffic to the target pod wherever it is located.
-
-Then Haproxy can be configured to request kubernetes's api in order to loadbalance on the proper tcp port on the nodes.
-
-Please refer to the proper kubernetes documentation on [Services](https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/user-guide/services.md)
-
-### Check cluster status
-
-#### Kubernetes components
-
-* Check the status of the processes
-```
-systemctl status kubelet
-```
-
-* Check the logs
-```
-journalctl -ae -u kubelet
-```
-
-* Check the NAT rules
-```
-iptables -nLv -t nat
-```
-
-For the master nodes you'll have to see the docker logs for the apiserver
-```
-docker logs [apiserver docker id]
-```
-
-
-### Available apps, installation procedure
-
-There are two ways of installing new apps
-
-#### Ansible galaxy
-
-Additionnal apps can be installed with ```ansible-galaxy```.
-
-ou'll need to edit the file '*requirements.yml*' in order to chose needed apps.
-The list of available apps are available [there](https://github.com/ansibl8s)
-
-For instance it is **strongly recommanded** to install a dns server which resolves kubernetes service names.
-In order to use this role you'll need the following entries in the file '*requirements.yml*'
-Please refer to the [k8s-kubedns readme](https://github.com/ansibl8s/k8s-kubedns) for additionnal info.
-```
-- src: https://github.com/ansibl8s/k8s-common.git
-  path: roles/apps
-  # version: v1.0
-
-- src: https://github.com/ansibl8s/k8s-kubedns.git
-  path: roles/apps
-  # version: v1.0
-```
-**Note**: the role common is required by all the apps and provides the tasks and libraries needed.
-
-And empty the apps directory
-```
-rm -rf roles/apps/*
-```
-
-Then download the roles with ansible-galaxy
-```
-ansible-galaxy install -r requirements.yml
-```
-
-Finally update the playbook ```apps.yml``` with the chosen roles, and run it
-```
-...
-- hosts: kube-master
-  roles:
-    - { role: apps/k8s-kubedns, tags: ['kubedns', 'apps']  }
-...
-```
-
-```
-ansible-playbook -i inventory/inventory.cfg apps.yml -u root
-```
-
-#### Git submodules
-Alternatively the roles can be installed as git submodules.
-That way is easier if you want to do some changes and commit them.
-
-
-### Networking
-
-#### Calico
-Check if the calico-node container is running
-```
-docker ps | grep calico
-```
-
-The **calicoctl** command allows to check the status of the network workloads.
-* Check the status of Calico nodes
-```
-calicoctl status
-```
-
-* Show the configured network subnet for containers
-```
-calicoctl pool show
-```
-
-* Show the workloads (ip addresses of containers and their located)
-```
-calicoctl endpoint show --detail
-```
-
-#### Flannel
-
-* Flannel configuration file should have been created there
-```
-cat /run/flannel/subnet.env
-FLANNEL_NETWORK=10.233.0.0/18
-FLANNEL_SUBNET=10.233.16.1/24
-FLANNEL_MTU=1450
-FLANNEL_IPMASQ=false
-```
-
-* Check if the network interface has been created
-```
-ip a show dev flannel.1
-4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
-    link/ether e2:f3:a7:0f:bf:cb brd ff:ff:ff:ff:ff:ff
-    inet 10.233.16.0/18 scope global flannel.1
-       valid_lft forever preferred_lft forever
-    inet6 fe80::e0f3:a7ff:fe0f:bfcb/64 scope link
-       valid_lft forever preferred_lft forever
-```
-
-* Docker must be configured with a bridge ip in the flannel subnet.
-```
-ps aux | grep docker
-root     20196  1.7  2.7 1260616 56840 ?       Ssl  10:18   0:07 /usr/bin/docker daemon --bip=10.233.16.1/24 --mtu=1450
-```
-
-* Try to run a container and check its ip address
-```
-kubectl run test --image=busybox --command -- tail -f /dev/null
-replicationcontroller "test" created
-
-kubectl describe po test-34ozs | grep ^IP
-IP:				10.233.16.2
-```
-
-```
-kubectl exec test-34ozs -- ip a show dev eth0
-8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue
-    link/ether 02:42:0a:e9:2b:03 brd ff:ff:ff:ff:ff:ff
-    inet 10.233.16.2/24 scope global eth0
-       valid_lft forever preferred_lft forever
-    inet6 fe80::42:aff:fee9:2b03/64 scope link tentative flags 08
-       valid_lft forever preferred_lft forever
-```
-
-
-Congrats ! now you can walk through [kubernetes basics](http://kubernetes.io/v1.1/basicstutorials.html)
+[![Build Status](https://travis-ci.org/kubespray/kubespray.svg)](https://travis-ci.org/kubespray/kubespray)

ansible.cfg

@@ -0,0 +1,4 @@
+[ssh_connection]
+pipelining=True
+[defaults] 
+host_key_checking=False

apps.yml

@@ -1,33 +0,0 @@
----
-- hosts: kube-master
-  roles:
-    # System
-    - { role: apps/k8s-kubedns, tags: ['kubedns', 'kube-system'] }
-
-    # Databases
-    - { role: apps/k8s-postgres, tags: 'postgres' }
-    - { role: apps/k8s-elasticsearch, tags: 'elasticsearch' }
-    - { role: apps/k8s-memcached, tags: 'memcached' }
-    - { role: apps/k8s-redis, tags: 'redis' }
-    - { role: apps/k8s-mongodb-simple, tags: 'mongodb-simple' }
-
-    # Msg Broker
-    - { role: apps/k8s-rabbitmq, tags: 'rabbitmq' }
-
-    # Monitoring
-    - { role: apps/k8s-influxdb, tags: ['influxdb', 'kube-system']}
-    - { role: apps/k8s-heapster, tags: ['heapster', 'kube-system']}
-    - { role: apps/k8s-kubedash, tags: ['kubedash', 'kube-system']}
-
-    # logging
-    - { role: apps/k8s-kube-logstash, tags: 'kube-logstash'}
-
-    # Console
-    - { role: apps/k8s-fabric8, tags: 'fabric8' }
-    - { role: apps/k8s-kube-ui, tags: ['kube-ui', 'kube-system']}
-
-    # ETCD
-    - { role: apps/k8s-etcd, tags: 'etcd'}
-
-    # Chat Apps
-    - { role: apps/k8s-rocketchat, tags: 'rocketchat'}

cluster.yml

@@ -4,12 +4,15 @@
     - { role: adduser, tags: adduser }
     - { role: download, tags: download }
     - { role: kubernetes/preinstall, tags: preinstall }
-    - { role: docker, tags: docker }
-    - { role: kubernetes/node, tags: node }
     - { role: etcd, tags: etcd }
-    - { role: dnsmasq, tags: dnsmasq }
-    - { role: network_plugin, tags: ['calico', 'flannel', 'network'] }
+    - { role: docker, tags: docker, when: ansible_os_family != "CoreOS" }
+    - { role: kubernetes/node, tags: node }
+    - { role: network_plugin, tags: network }
 
 - hosts: kube-master
   roles:
     - { role: kubernetes/master, tags: master }
+
+- hosts: k8s-cluster
+  roles:
+    - { role: dnsmasq, tags: dnsmasq }

coreos-bootstrap.yml

@@ -0,0 +1,5 @@
+---
+- hosts: k8s-cluster
+  gather_facts: False
+  roles:
+    - coreos-bootstrap

inventory/group_vars/all.yml

@@ -1,10 +1,14 @@
- # Directory where the binaries will be installed
+# Directory where the binaries will be installed
 bin_dir: /usr/local/bin
 
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
 local_release_dir: "/tmp/releases"
 
+# Uncomment this line for CoreOS only.
+# Directory where python binary is installed
+# ansible_python_interpreter: "/opt/bin/python"
+
 # This is the group that the cert creation scripts chgrp the
 # cert files to. Not really changable...
 kube_cert_group: kube-cert
@@ -24,8 +28,30 @@ kube_users:
 # Kubernetes cluster name, also will be used as DNS domain
 cluster_name: cluster.local
 
-# set this variable to calico if needed. keep it empty if flannel is used
-kube_network_plugin: calico
+# For some environments, each node has a pubilcally accessible
+# address and an address it should bind services to.  These are
+# really inventory level variables, but described here for consistency.
+#
+# When advertising access, the access_ip will be used, but will defer to
+# ip and then the default ansible ip when unspecified.
+#
+# When binding to restrict access, the ip variable will be used, but will
+# defer to the default ansible ip when unspecified.
+#
+# The ip variable is used for specific address binding, e.g. listen address
+# for etcd.  This is use to help with environments like Vagrant or multi-nic
+# systems where one address should be preferred over another.
+# ip: 10.2.2.2
+#
+# The access_ip variable is used to define how other nodes should access
+# the node.  This is used in flannel to allow other flannel nodes to see
+# this node for example.  The access_ip is really useful AWS and Google
+# environments where the nodes are accessed remotely by the "public" ip,
+# but don't know about that address themselves.
+# access_ip: 1.1.1.1
+
+# Choose network plugin (calico, weave or flannel)
+kube_network_plugin: flannel
 
 # Kubernetes internal network for services, unused block of space.
 kube_service_addresses: 10.233.0.0/18
@@ -71,7 +97,8 @@ upstream_dns_servers:
 dns_setup: true
 dns_domain: "{{ cluster_name }}"
 #
-# # Ip address of the kubernetes dns service
+# # Ip address of the kubernetes skydns service
+skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
 dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
 
 # For multi masters architecture:

requirements.yml

@@ -1,45 +1,52 @@
 ---
-- src: https://github.com/ansibl8s/k8s-common.git
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-common.git
   path: roles/apps
-  version: v1.0
+  scm: git
 
-- src: https://github.com/ansibl8s/k8s-kubedns.git
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-kubedns.git
   path: roles/apps
-  version: v1.0
+  scm: git
 
-#- src: https://github.com/ansibl8s/k8s-kube-ui.git
-#  path: roles/apps
-#  version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-fabric8.git
-#  path: roles/apps
-#  version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-elasticsearch.git
-#  path: roles/apps
-#  # version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-redis.git
-#  path: roles/apps
-#  # version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-memcached.git
-#  path: roles/apps
-#  version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-postgres.git
-#  path: roles/apps
-#  version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-pgbouncer.git
-#  path: roles/apps
-#  version: v1.0
-#
-#- src: https://github.com/ansibl8s/k8s-heapster.git
-#  path: roles/apps
-#
-#- src: https://github.com/ansibl8s/k8s-influxdb.git
-#  path: roles/apps
-#
-#- src: https://github.com/ansibl8s/k8s-kubedash.git
-#  path: roles/apps
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-kube-ui.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-fabric8.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-elasticsearch.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-redis.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-memcached.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-postgres.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-pgbouncer.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-heapster.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-influxdb.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-kubedash.git
+  path: roles/apps
+  scm: git
+
+- src: https://gitlab.com/kubespray-ansibl8s/k8s-kube-logstash.git
+  path: roles/apps
+  scm: git

roles/adduser/tasks/main.yml

@@ -1,3 +1,18 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+      - "{{ ansible_distribution|lower }}.yml"
+      - "{{ ansible_os_family|lower }}.yml"
+      - defaults.yml
+      paths:
+      - ../vars
+      skip: true
+
 - name: User | Create User Group
   group: name={{item.group|default(item.name)}} system={{item.system|default(omit)}}
   with_items: addusers

roles/adduser/vars/coreos.yml

@@ -0,0 +1,8 @@
+---
+addusers:
+  - name: kube
+    comment: "Kubernetes user"
+    shell: /sbin/nologin
+    system: yes
+    group: "{{ kube_cert_group }}"
+    createhome: no

roles/adduser/vars/debian.yml

@@ -12,4 +12,4 @@ addusers:
     shell: /sbin/nologin
     system: yes
     group: "{{ kube_cert_group }}"
-    createhome: no
+    createhome: no

roles/adduser/vars/redhat.yml

@@ -0,0 +1,15 @@
+---
+addusers:
+  - name: etcd
+    comment: "Etcd user"
+    createhome: yes
+    home: "/var/lib/etcd"
+    system: yes
+    shell: /bin/nologin
+
+  - name: kube
+    comment: "Kubernetes user"
+    shell: /sbin/nologin
+    system: yes
+    group: "{{ kube_cert_group }}"
+    createhome: no

roles/coreos-bootstrap/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+pypy_version: 2.4.0
+pip_python_modules:
+  - httplib2

roles/coreos-bootstrap/files/bootstrap.sh

@@ -1,7 +1,7 @@
 #/bin/bash
 set -e
 
-BINDIR="/usr/local/bin"
+BINDIR="/opt/bin"
 
 cd $BINDIR
 

roles/coreos-bootstrap/files/runner

@@ -1,3 +1,3 @@
 #!/bin/bash
-BINDIR="/usr/local/bin"
+BINDIR="/opt/bin"
 LD_LIBRARY_PATH=$BINDIR/pypy/lib:$LD_LIBRARY_PATH $BINDIR/pypy/bin/$(basename $0) $@

roles/coreos-bootstrap/tasks/main.yml

@@ -1,41 +1,40 @@
 ---
-- name: Python | Check if bootstrap is needed
-  raw: stat {{ bin_dir}}/.bootstrapped
+- name: Bootstrap | Check if bootstrap is needed
+  raw: stat /opt/bin/.bootstrapped
   register: need_bootstrap
   ignore_errors: True
 
-- name: Python | Run bootstrap.sh
+- name: Bootstrap | Run bootstrap.sh
   script: bootstrap.sh
   when: need_bootstrap | failed
 
 - set_fact:
-    ansible_python_interpreter: "{{ bin_dir }}/python"
+    ansible_python_interpreter: "/opt/bin/python"
 
-- name: Python | Check if we need to install pip
+- name: Bootstrap | Check if we need to install pip
   shell: "{{ansible_python_interpreter}} -m pip --version"
   register: need_pip
   ignore_errors: True
   changed_when: false
   when: need_bootstrap | failed
 
-- name: Python | Copy get-pip.py
+- name: Bootstrap | Copy get-pip.py
   copy: src=get-pip.py dest=~/get-pip.py
   when: need_pip | failed
 
-- name: Python | Install pip
+- name: Bootstrap | Install pip
   shell: "{{ansible_python_interpreter}} ~/get-pip.py"
   when: need_pip | failed
 
-- name: Python | Remove get-pip.py
+- name: Bootstrap | Remove get-pip.py
   file: path=~/get-pip.py state=absent
   when: need_pip | failed
 
-- name: Python | Install pip launcher
-  copy: src=runner dest={{ bin_dir }}/pip mode=0755
+- name: Bootstrap | Install pip launcher
+  copy: src=runner dest=/opt/bin/pip mode=0755
   when: need_pip | failed
 
 - name: Install required python modules
   pip:
     name: "{{ item }}"
   with_items: pip_python_modules
-

roles/coreos-bootstrap/templates/python_shim.j2

@@ -0,0 +1,2 @@
+#!/bin/bash
+LD_LIBRARY_PATH={{ pypy_install_path }}/lib:$LD_LIBRARY_PATH exec {{ pypy_install_path }}/bin/{{ item.src }} "$@"

roles/dnsmasq/library/kube.py

@@ -0,0 +1,318 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+DOCUMENTATION = """
+---
+module: kube
+short_description: Manage Kubernetes Cluster
+description:
+  - Create, replace, remove, and stop resources within a Kubernetes Cluster
+version_added: "2.0"
+options:
+  name:
+    required: false
+    default: null
+    description:
+      - The name associated with resource
+  filename:
+    required: false
+    default: null
+    description:
+      - The path and filename of the resource(s) definition file.
+  kubectl:
+    required: false
+    default: null
+    description:
+      - The path to the kubectl bin
+  namespace:
+    required: false
+    default: null
+    description:
+      - The namespace associated with the resource(s)
+  resource:
+    required: false
+    default: null
+    description:
+      - The resource to perform an action on. pods (po), replicationControllers (rc), services (svc)
+  label:
+    required: false
+    default: null
+    description:
+      - The labels used to filter specific resources.
+  server:
+    required: false
+    default: null
+    description:
+      - The url for the API server that commands are executed against.
+  api_version:
+    required: false
+    choices: ['v1', 'v1beta3']
+    default: v1
+    description:
+      - The API version associated with cluster.
+  force:
+    required: false
+    default: false
+    description:
+      - A flag to indicate to force delete, replace, or stop.
+  all:
+    required: false
+    default: false
+    description:
+      - A flag to indicate delete all, stop all, or all namespaces when checking exists.
+  log_level:
+    required: false
+    default: 0
+    description:
+      - Indicates the level of verbosity of logging by kubectl.
+  state:
+    required: false
+    choices: ['present', 'absent', 'latest', 'reloaded', 'stopped']
+    default: present
+    description:
+      - present handles checking existence or creating if definition file provided,
+        absent handles deleting resource(s) based on other options,
+        latest handles creating ore updating based on existence,
+        reloaded handles updating resource(s) definition using definition file,
+        stopped handles stopping resource(s) based on other options.
+requirements:
+  - kubectl
+author: "Kenny Jones (@kenjones-cisco)"
+"""
+
+EXAMPLES = """
+- name: test nginx is present
+  kube: name=nginx resource=rc state=present
+
+- name: test nginx is stopped
+  kube: name=nginx resource=rc state=stopped
+
+- name: test nginx is absent
+  kube: name=nginx resource=rc state=absent
+
+- name: test nginx is present
+  kube: filename=/tmp/nginx.yml
+"""
+
+
+class KubeManager(object):
+
+    def __init__(self, module):
+
+        self.module = module
+
+        self.kubectl = module.params.get('kubectl')
+        if self.kubectl is None:
+            self.kubectl =  module.get_bin_path('kubectl', True)
+        self.base_cmd = [self.kubectl]
+        self.api_version = module.params.get('api_version')
+
+        if self.api_version:
+            self.base_cmd.append('--api-version=' + self.api_version)
+
+        if module.params.get('server'):
+            self.base_cmd.append('--server=' + module.params.get('server'))
+
+        if module.params.get('log_level'):
+            self.base_cmd.append('--v=' + str(module.params.get('log_level')))
+
+        if module.params.get('namespace'):
+            self.base_cmd.append('--namespace=' + module.params.get('namespace'))
+
+        self.all = module.params.get('all')
+        self.force = module.params.get('force')
+        self.name = module.params.get('name')
+        self.filename = module.params.get('filename')
+        self.resource = module.params.get('resource')
+        self.label = module.params.get('label')
+
+    def _execute(self, cmd):
+        args = self.base_cmd + cmd
+        try:
+            rc, out, err = self.module.run_command(args)
+            if rc != 0:
+                self.module.fail_json(
+                    msg='error running kubectl (%s) command (rc=%d): %s' % (' '.join(args), rc, out or err))
+        except Exception as exc:
+            self.module.fail_json(
+                msg='error running kubectl (%s) command: %s' % (' '.join(args), str(exc)))
+        return out.splitlines()
+
+    def _execute_nofail(self, cmd):
+        args = self.base_cmd + cmd
+        rc, out, err = self.module.run_command(args)
+        if rc != 0:
+            return None
+        return out.splitlines()
+
+    def create(self, check=True):
+        if check and self.exists():
+            return []
+
+        cmd = ['create']
+
+        if not self.filename:
+            self.module.fail_json(msg='filename required to create')
+
+        cmd.append('--filename=' + self.filename)
+
+        return self._execute(cmd)
+
+    def replace(self):
+
+        if not self.force and not self.exists():
+            return []
+
+        cmd = ['replace']
+        if self.api_version != 'v1':
+            cmd = ['update']
+
+        if self.force:
+            cmd.append('--force')
+
+        if not self.filename:
+            self.module.fail_json(msg='filename required to reload')
+
+        cmd.append('--filename=' + self.filename)
+
+        return self._execute(cmd)
+
+    def delete(self):
+
+        if not self.force and not self.exists():
+            return []
+
+        cmd = ['delete']
+
+        if self.filename:
+            cmd.append('--filename=' + self.filename)
+        else:
+            if not self.resource:
+                self.module.fail_json(msg='resource required to delete without filename')
+
+            cmd.append(self.resource)
+
+            if self.name:
+                cmd.append(self.name)
+
+            if self.label:
+                cmd.append('--selector=' + self.label)
+
+            if self.all:
+                cmd.append('--all')
+
+            if self.force:
+                cmd.append('--ignore-not-found')
+
+        return self._execute(cmd)
+
+    def exists(self):
+        cmd = ['get']
+
+        if not self.resource:
+            return False
+
+        cmd.append(self.resource)
+
+        if self.name:
+            cmd.append(self.name)
+
+        cmd.append('--no-headers')
+
+        if self.label:
+            cmd.append('--selector=' + self.label)
+
+        if self.all:
+            cmd.append('--all-namespaces')
+
+        result = self._execute_nofail(cmd)
+        if not result:
+            return False
+        return True
+
+    def stop(self):
+
+        if not self.force and not self.exists():
+            return []
+
+        cmd = ['stop']
+
+        if self.filename:
+            cmd.append('--filename=' + self.filename)
+        else:
+            if not self.resource:
+                self.module.fail_json(msg='resource required to stop without filename')
+
+            cmd.append(self.resource)
+
+            if self.name:
+                cmd.append(self.name)
+
+            if self.label:
+                cmd.append('--selector=' + self.label)
+
+            if self.all:
+                cmd.append('--all')
+
+            if self.force:
+                cmd.append('--ignore-not-found')
+
+        return self._execute(cmd)
+
+
+def main():
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            name=dict(),
+            filename=dict(),
+            namespace=dict(),
+            resource=dict(),
+            label=dict(),
+            server=dict(),
+            kubectl=dict(),
+            api_version=dict(default='v1', choices=['v1', 'v1beta3']),
+            force=dict(default=False, type='bool'),
+            all=dict(default=False, type='bool'),
+            log_level=dict(default=0, type='int'),
+            state=dict(default='present', choices=['present', 'absent', 'latest', 'reloaded', 'stopped']),
+            )
+        )
+
+    changed = False
+
+    manager = KubeManager(module)
+    state = module.params.get('state')
+
+    if state == 'present':
+        result = manager.create()
+
+    elif state == 'absent':
+        result = manager.delete()
+
+    elif state == 'reloaded':
+        result = manager.replace()
+
+    elif state == 'stopped':
+        result = manager.stop()
+
+    elif state == 'latest':
+        if manager.exists():
+            manager.force = True
+            result = manager.replace()
+        else:
+            result = manager.create(check=False)
+
+    else:
+        module.fail_json(msg='Unrecognized state %s.' % state)
+
+    if result:
+        changed = True
+    module.exit_json(changed=changed,
+                     msg='success: %s' % (' '.join(result))
+                     )
+
+
+from ansible.module_utils.basic import *  # noqa
+if __name__ == '__main__':
+    main()

roles/dnsmasq/tasks/main.yml

@@ -31,13 +31,32 @@
     dest: /etc/dnsmasq.d/01-kube-dns.conf
     state: link
 
-- name: Create dnsmasq pod manifest
-  template: src=dnsmasq-pod.yml dest=/etc/kubernetes/manifests/dnsmasq-pod.manifest
+- name: Create dnsmasq manifests
+  template: src={{item.file}} dest=/etc/kubernetes/{{item.file}}
+  with_items:
+    - {file: dnsmasq-ds.yml, type: ds}
+    - {file: dnsmasq-svc.yml, type: svc}
+  register: manifests
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: Start Resources
+  kube:
+    name: dnsmasq
+    namespace: kube-system
+    kubectl: /usr/local/bin/kubectl
+    resource: "{{item.item.type}}"
+    filename: /etc/kubernetes/{{item.item.file}}
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: manifests.results
+  when: inventory_hostname == groups['kube-master'][0]
 
 - name: Check for dnsmasq port (pulling image and running container)
   wait_for:
+    host: "{{dns_server}}"
     port: 53
     delay: 5
+  when: inventory_hostname == groups['kube-master'][0]
+
 
 - name: check resolvconf
   stat: path=/etc/resolvconf/resolv.conf.d/head
@@ -59,7 +78,7 @@
 
 - name: Add local dnsmasq to resolv.conf
   lineinfile:
-    line: "nameserver 127.0.0.1"
+    line: "nameserver {{dns_server}}"
     dest: "{{resolvconffile}}"
     state: present
     insertafter: "^search.*$"

roles/dnsmasq/templates/01-kube-dns.conf.j2

@@ -1,6 +1,6 @@
 #Listen on localhost
 bind-interfaces
-listen-address=127.0.0.1
+listen-address=0.0.0.0
 
 addn-hosts=/etc/hosts
 
@@ -17,4 +17,4 @@ server={{ srv }}
 {% endif %}
 
 # Forward k8s domain to kube-dns
-server=/{{ dns_domain }}/{{ dns_server }}
+server=/{{ dns_domain }}/{{ skydns_server }}

roles/dnsmasq/templates/dnsmasq-ds.yml

@@ -0,0 +1,52 @@
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: dnsmasq
+  namespace: kube-system
+  labels:
+    k8s-app: dnsmasq
+spec:
+  template:
+    metadata:
+      labels:
+        k8s-app: dnsmasq
+    spec:
+      containers:
+        - name: dnsmasq
+          image: andyshinn/dnsmasq:2.72
+          command:
+            - dnsmasq
+          args:
+            - -k
+            - "-7"
+            - /etc/dnsmasq.d
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          imagePullPolicy: Always
+          resources:
+            limits:
+              cpu: 100m
+              memory: 256M
+          ports:
+            - name: dns
+              containerPort: 53
+              protocol: UDP
+            - name: dns-tcp
+              containerPort: 53
+              protocol: TCP
+          volumeMounts:
+            - name: etcdnsmasqd
+              mountPath: /etc/dnsmasq.d
+            - name: etcdnsmasqdavailable
+              mountPath: /etc/dnsmasq.d-available
+
+      volumes:
+        - name: etcdnsmasqd
+          hostPath:
+            path: /etc/dnsmasq.d
+        - name: etcdnsmasqdavailable
+          hostPath:
+            path: /etc/dnsmasq.d-available

roles/dnsmasq/templates/dnsmasq-pod.yml

@@ -1,49 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: dnsmasq
-  namespace: kube-system
-spec:
-  hostNetwork: true
-  containers:
-    - name: dnsmasq
-      image: andyshinn/dnsmasq:2.72
-      command:
-        - dnsmasq
-      args:
-        - -k
-        - "-7"
-        - /etc/dnsmasq.d
-        - --local-service
-      securityContext:
-        capabilities:
-          add:
-            - NET_ADMIN
-      imagePullPolicy: Always
-      resources:
-        limits:
-          cpu: 100m
-          memory: 256M
-      ports:
-        - name: dns
-          containerPort: 53
-          hostPort: 53
-          protocol: UDP
-        - name: dns-tcp
-          containerPort: 53
-          hostPort: 53
-          protocol: TCP
-      volumeMounts:
-        - name: etcdnsmasqd
-          mountPath: /etc/dnsmasq.d
-        - name: etcdnsmasqdavailable
-          mountPath: /etc/dnsmasq.d-available
-
-  volumes:
-    - name: etcdnsmasqd
-      hostPath:
-        path: /etc/dnsmasq.d
-    - name: etcdnsmasqdavailable
-      hostPath:
-        path: /etc/dnsmasq.d-available

roles/dnsmasq/templates/dnsmasq-svc.yml

@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    k8s-app: dnsmasq
+  name: dnsmasq
+  namespace: kube-system
+spec:
+  ports:
+    - port: 53
+      name: dns-tcp
+      targetPort: 53
+      protocol: TCP
+    - port: 53
+      name: dns
+      targetPort: 53
+      protocol: UDP
+  type: ClusterIP
+  clusterIP: {{dns_server}}
+  selector:
+    k8s-app: dnsmasq

roles/docker/defaults/main.yml

@@ -0,0 +1 @@
+docker_version: 1.10

roles/docker/tasks/main.yml

@@ -11,6 +11,7 @@
       - defaults.yml
       paths:
       - ../vars
+      skip: true
 
 - name: check for minimum kernel version
   fail:
@@ -33,7 +34,6 @@
   action: "{{ docker_repo_info.pkg_repo }}"
   args:
     repo: "{{item}}"
-    update_cache: yes
     state: present
   with_items: docker_repo_info.repos
   when: docker_repo_info.repos|length > 0
@@ -42,11 +42,19 @@
   action: "{{ docker_package_info.pkg_mgr }}"
   args:
     pkg: "{{item}}"
-    update_cache: yes
-    state: latest
+    state: present
   with_items: docker_package_info.pkgs
   when: docker_package_info.pkgs|length > 0
 
+- name: Centos needs xfs storage type for devicemapper if used
+  lineinfile:
+    dest: /etc/sysconfig/docker-storage
+    line: "DOCKER_STORAGE_OPTIONS='--storage-opt dm.fs=xfs'"
+    regexp: '^DOCKER_STORAGE_OPTIONS=.*$'
+    state: present
+    backup: yes
+  when: ansible_os_family == "RedHat"
+
 - meta: flush_handlers
 
 - name: ensure docker service is started and enabled

roles/docker/vars/centos-6.yml

@@ -1,5 +1,7 @@
 docker_kernel_min_version: '2.6.32-431'
 
+# versioning: docker-io itself is pinned at docker 1.5
+
 docker_package_info:
   pkg_mgr: yum
   pkgs:

roles/docker/vars/debian.yml

@@ -1,9 +1,15 @@
 docker_kernel_min_version: '3.2'
 
+# https://apt.dockerproject.org/repo/dists/debian-wheezy/main/filelist
+docker_versioned_pkg:
+  latest: docker-engine
+  1.9: docker-engine=1.9.1-0~{{ ansible_distribution_release|lower }}
+  1.10: docker-engine=1.10.3-0~{{ ansible_distribution_release|lower }}
+
 docker_package_info:
   pkg_mgr: apt
   pkgs:
-    - docker-engine
+    - "{{ docker_versioned_pkg[docker_version] }}"
 
 docker_repo_key_info:
   pkg_key: apt_key

roles/docker/vars/fedora-20.yml

@@ -1,5 +1,7 @@
 docker_kernel_min_version: '0'
 
+# versioning: docker-io itself is pinned at docker 1.5
+
 docker_package_info:
   pkg_mgr: yum
   pkgs:

roles/docker/vars/fedora.yml

@@ -1,9 +1,14 @@
 docker_kernel_min_version: '0'
 
+docker_versioned_pkg:
+  latest: docker
+  1.9: docker-1:1.9.1
+  1.10: docker-1:1.10.1
+
 docker_package_info:
   pkg_mgr: dnf
   pkgs:
-    - docker-io
+    - "{{ docker_versioned_pkg[docker_version] }}"
 
 docker_repo_key_info:
   pkg_key: ''

roles/docker/vars/ubuntu.yml

@@ -0,0 +1,27 @@
+
+docker_kernel_min_version: '3.2'
+
+# https://apt.dockerproject.org/repo/dists/ubuntu-trusty/main/filelist
+docker_versioned_pkg:
+  latest: docker-engine
+  1.9: docker-engine=1.9.0-0~{{ ansible_distribution_release|lower }}
+  1.10: docker-engine=1.10.3-0~{{ ansible_distribution_release|lower }}
+
+docker_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - "{{ docker_versioned_pkg[docker_version] }}"
+
+docker_repo_key_info:
+  pkg_key: apt_key
+  keyserver: hkp://p80.pool.sks-keyservers.net:80
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+docker_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb https://apt.dockerproject.org/repo
+       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
+       main

roles/download/defaults/main.yml

@@ -2,65 +2,103 @@
 local_release_dir: /tmp
 
 # Versions
-kube_version: v1.1.4
-etcd_version: v2.2.4
-calico_version: v0.14.0
-calico_plugin_version: v0.7.0
+kube_version: v1.2.0
+etcd_version: v2.2.5
+calico_version: v0.17.0
+calico_cni_version: v1.0.0
+weave_version: v1.4.4
 
 # Download URL's
-kube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64"
-etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
-calico_download_url: "https://github.com/Metaswitch/calico-docker/releases/download/{{calico_version}}/calicoctl"
-calico_plugin_download_url: "https://github.com/projectcalico/calico-kubernetes/releases/download/{{calico_plugin_version}}/calico_kubernetes"
+kubelet_download_url: "https://storage.googleapis.com/kubespray/{{kube_version}}_kubernetes-kubelet"
+apiserver_download_url: "https://storage.googleapis.com/kubespray/{{kube_version}}_kubernetes-apiserver"
+kubectl_download_url: "https://storage.googleapis.com/kubespray/{{kube_version}}_kubernetes-kubectl"
+
+etcd_download_url: "https://storage.googleapis.com/kubespray/{{etcd_version}}_etcd"
+calico_download_url: "https://storage.googleapis.com/kubespray/{{calico_version}}_calico"
+calico_cni_download_url: "https://storage.googleapis.com/kubespray/{{calico_cni_version}}_calico-cni-plugin"
+calico_cni_ipam_download_url: "https://storage.googleapis.com/kubespray/{{calico_cni_version}}_calico-cni-plugin-ipam"
+weave_download_url: "https://storage.googleapis.com/kubespray/{{weave_version}}_weave"
 
 # Checksums
-calico_checksum: "f251d7a8583233906aa6d059447c1e4fb32bf1369a51fdf96a68d50466d6a69c"
-calico_plugin_checksum: "032f582f5eeec6fb26191d2fbcbf8bca4da3b14abb579db7baa7b3504d4dffec"
-etcd_checksum: "6c4e5cdeaaac1a70b8f06b5dd6b82c37ff19993c9bca81248975610e555c4b9b"
-kubectl_checksum: "873ba19926d17a3287dc8639ea1434fe3cd0cb4e61d82101ba754922cfc7a633"
-kubelet_checksum: "f2d1eae3fa6e304f6cbc9b2621e4b86fc3bcb4e74a15d35f58bf00e45c706e0a"
-kube_apiserver_checksum: "bb3814c4df65f1587a3650140437392ce3fb4b64f51d459457456691c99f1202"
+calico_checksum: "1fa22c0ee0cc661f56aa09169a3661fb46e552b53fae5fae9aac010e0666b281"
+calico_cni_checksum: "cfbb95d4416cb65845a188f3bd991fff232bd5ce3463b2919d586ab77967aecd"
+calico_cni_ipam_checksum: "93ebf8756b26314e1e3f612f1e824418cbb0a8df2942664422e697bcb109fbb2"
+weave_checksum: "152942c330f87ab475d87d9311b91674b90f25ea685bd4e04e0495d5fe09a957"
+etcd_checksum: "aa6037406257d2a1bc48ffa769afe7a4f8a04cc1ffcd36ef84f9ee8bc4eca756"
+kubectl_checksum: "0fd51875a4783fb106f769bdbc81012066b4a2785ba88b0280870a25cab76296"
+kubelet_checksum: "a1da4b8d0965f66b7243d22f2b307227ec24bbd7ce8522cd3ce4ec1206c3a09e"
+kube_apiserver_checksum: "fe50e4014a96897a708b3c847550b4e510a390585209c2b11c02a32123570d43"
 
 downloads:
   - name: calico
     dest: calico/bin/calicoctl
+    version: "{{calico_version}}"
     sha256: "{{ calico_checksum }}"
+    source_url: "{{ calico_download_url }}"
     url: "{{ calico_download_url }}"
     owner: "root"
     mode: "0755"
 
-  - name: calico-plugin
+  - name: calico-cni-plugin
     dest: calico/bin/calico
-    sha256: "{{ calico_plugin_checksum }}"
-    url: "{{ calico_plugin_download_url }}"
+    version: "{{calico_cni_version}}"
+    sha256: "{{ calico_cni_checksum }}"
+    source_url: "{{ calico_cni_download_url }}"
+    url: "{{ calico_cni_download_url }}"
+    owner: "root"
+    mode: "0755"
+
+  - name: calico-cni-plugin-ipam
+    dest: calico/bin/calico-ipam
+    version: "{{calico_cni_version}}"
+    sha256: "{{ calico_cni_ipam_checksum }}"
+    source_url: "{{ calico_cni_ipam_download_url }}"
+    url: "{{ calico_cni_ipam_download_url }}"
+    owner: "root"
+    mode: "0755"
+
+  - name: weave
+    dest: weave/bin/weave
+    version: "{{weave_version}}"
+    source_url: "{{weave_download_url}}"
+    url: "{{weave_download_url}}"
+    sha256: "{{ weave_checksum }}"
     owner: "root"
     mode: "0755"
 
   - name: etcd
+    version: "{{etcd_version}}"
     dest: "etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
     sha256: "{{ etcd_checksum }}"
+    source_url: "{{ etcd_download_url }}"
     url: "{{ etcd_download_url }}"
     unarchive: true
     owner: "etcd"
     mode: "0755"
 
   - name: kubernetes-kubelet
+    version: "{{kube_version}}"
     dest: kubernetes/bin/kubelet
     sha256: "{{kubelet_checksum}}"
-    url: "{{ kube_download_url }}/kubelet"
+    source_url: "{{ kubelet_download_url }}"
+    url: "{{ kubelet_download_url }}"
     owner: "kube"
     mode: "0755"
 
   - name: kubernetes-kubectl
     dest: kubernetes/bin/kubectl
+    version: "{{kube_version}}"
     sha256: "{{kubectl_checksum}}"
-    url: "{{ kube_download_url }}/kubectl"
+    source_url: "{{ kubectl_download_url }}"
+    url: "{{ kubectl_download_url }}"
     owner: "kube"
     mode: "0755"
 
   - name: kubernetes-apiserver
     dest: kubernetes/bin/kube-apiserver
+    version: "{{kube_version}}"
     sha256: "{{kube_apiserver_checksum}}"
-    url: "{{ kube_download_url }}/kube-apiserver"
+    source_url: "{{ apiserver_download_url }}"
+    url: "{{ apiserver_download_url }}"
     owner: "kube"
     mode: "0755"

roles/etcd/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
-etcd_version: v2.2.4
+etcd_version: v2.2.5
 etcd_bin_dir: "{{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64/"

roles/etcd/handlers/main.yml

@@ -7,7 +7,7 @@
 
 - name: reload systemd
   command: systemctl daemon-reload
-  when: init_system == "systemd"
+  when: ansible_service_mgr == "systemd"
 
 - name: reload etcd
   service:

roles/etcd/tasks/configure.yml

@@ -2,9 +2,9 @@
 - name: Configure |  Copy etcd.service systemd file
   template:
     src: etcd.service.j2
-    dest: /lib/systemd/system/etcd.service
+    dest: /etc/systemd/system/etcd.service
     backup: yes
-  when: init_system == "systemd"
+  when: ansible_service_mgr == "systemd"
   notify: restart etcd
 
 - name: Configure |  Write etcd  initd script
@@ -13,7 +13,7 @@
     dest: /etc/init.d/etcd
     owner: root
     mode: 0755
-  when: init_system == "sysvinit" and ansible_os_family == "Debian"
+  when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "Debian"
   notify: restart etcd
 
 - name: Configure |  Create etcd config file

roles/etcd/templates/deb-etcd.initd.j2

@@ -46,8 +46,8 @@ do_status()
 #
 do_start()
 {
-    start-stop-daemon --background --start --quiet --make-pidfile --pidfile $PID --user $DAEMON_USER --exec $DAEMON \
-        $DAEMON_OPTS \
+    start-stop-daemon --background --start --quiet --make-pidfile --pidfile $PID --user $DAEMON_USER --exec $DAEMON -- \
+        $DAEMON_ARGS \
         || return 2
 }
 

roles/etcd/templates/etcd.j2

@@ -6,12 +6,12 @@ ETCD_DATA_DIR="/var/lib/etcd"
 {%             set _dummy = etcd.update({'name':"etcd"+loop.index|string}) %}
 {%         endif %}
 {%     endfor %}
-ETCD_ADVERTISE_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address) }}:2379"
-ETCD_INITIAL_ADVERTISE_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2380"
+ETCD_ADVERTISE_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['access_ip'] | default(hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)) }}:2379"
+ETCD_INITIAL_ADVERTISE_PEER_URLS="http://{{ hostvars[inventory_hostname]['access_ip'] | default(hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address))  }}:2380"
 ETCD_INITIAL_CLUSTER_STATE="new"
 ETCD_INITIAL_CLUSTER_TOKEN="k8s_etcd"
 ETCD_LISTEN_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2380"
 ETCD_NAME="{{ etcd.name }}"
 {% endif %}
-ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}etcd{{ loop.index|string }}=http://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:2380{% if not loop.last %},{% endif %}{% endfor %}"
+ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}etcd{{ loop.index|string }}=http://{{ hostvars[host]['access_ip'] | default(hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address'])) }}:2380{% if not loop.last %},{% endif %}{% endfor %}"
 ETCD_LISTEN_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2379,http://127.0.0.1:2379"

roles/kubernetes/master/tasks/gen_kube_tokens.yml

@@ -1,24 +0,0 @@
----
-- name: tokens | generate tokens for master components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ "system:kubectl" ]
-    - "{{ groups['kube-master'] }}"
-  register: gentoken_master
-  changed_when: "'Added' in gentoken_master.stdout"
-  when: inventory_hostname == groups['kube-master'][0]
-  notify: restart kube-apiserver
-
-- name: tokens | generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ 'system:kubelet' ]
-    - "{{ groups['kube-node'] }}"
-  register: gentoken_node
-  changed_when: "'Added' in gentoken_node.stdout"
-  when: inventory_hostname == groups['kube-master'][0]
-  notify: restart kube-apiserver

roles/kubernetes/master/tasks/main.yml

@@ -1,11 +1,9 @@
 ---
-- include: gen_kube_tokens.yml
-  tags: tokens
-
 - name: Copy kubectl bash completion
   copy:
     src: kubectl_bash_completion.sh
     dest: /etc/bash_completion.d/kubectl.sh
+  when: ansible_os_family in ["Debian","RedHat"]
 
 - name: Copy kube-apiserver binary
   command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kube-apiserver" "{{ bin_dir }}/kube-apiserver"
@@ -16,37 +14,12 @@
   command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
   changed_when: false
 
-- name: populate users for basic auth in API
-  lineinfile:
-    dest: "{{ kube_users_dir }}/known_users.csv"
-    create: yes
-    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
-    backup: yes
-  with_dict: "{{ kube_users }}"
-  notify: restart kube-apiserver
-
-# Sync masters
-- name: synchronize auth directories for masters
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ kube_config_dir }}"
-    recursive: yes
-    delete: yes
-    rsync_opts: [ '--one-file-system']
-    set_remote_user: false
-  with_items:
-    - "{{ kube_token_dir }}"
-    - "{{ kube_cert_dir }}"
-    - "{{ kube_users_dir }}"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: inventory_hostname != "{{ groups['kube-master'][0] }}"
-
 - name: install | Write kube-apiserver systemd init file
   template:
     src: "kube-apiserver.service.j2"
     dest: "/etc/systemd/system/kube-apiserver.service"
     backup: yes
-  when: init_system == "systemd"
+  when: ansible_service_mgr == "systemd"
   notify: restart kube-apiserver
 
 - name: install | Write kube-apiserver initd script
@@ -56,7 +29,7 @@
     owner: root
     mode: 0755
     backup: yes
-  when: init_system == "sysvinit" and ansible_os_family == "Debian"
+  when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "Debian"
 
 - name: Write kube-apiserver config file
   template:
@@ -69,11 +42,6 @@
   shell: setcap cap_net_bind_service+ep {{ bin_dir }}/kube-apiserver
   changed_when: false
 
-- name: Restart apiserver
-  command: "/bin/true"
-  notify: restart kube-apiserver
-  when: is_gentoken_calico|default(false)
-
 - meta: flush_handlers
 
 - include: start.yml
@@ -87,7 +55,7 @@
   when: inventory_hostname == groups['kube-master'][0]
 
 - name: Check if kube-system exists
-  command: kubectl get ns kube-system
+  command: "{{ bin_dir }}/kubectl get ns kube-system"
   register: 'kubesystem'
   changed_when: False
   ignore_errors: yes
@@ -99,7 +67,7 @@
     timeout: 60
 
 - name: Create 'kube-system' namespace
-  command: kubectl create -f /etc/kubernetes/kube-system-ns.yml
+  command: "{{ bin_dir }}/kubectl create -f /etc/kubernetes/kube-system-ns.yml"
   changed_when: False
   when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
 
@@ -107,17 +75,12 @@
 - name: Write kube-controller-manager manifest
   template:
     src: manifests/kube-controller-manager.manifest.j2
-    dest: "{{ kube_config_dir }}/kube-controller-manager.manifest"
+    dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest"
 
 - name: Write kube-scheduler manifest
   template:
     src: manifests/kube-scheduler.manifest.j2
-    dest: "{{ kube_config_dir }}/kube-scheduler.manifest"
-
-- name: Write podmaster manifest
-  template:
-    src: manifests/kube-podmaster.manifest.j2
-    dest: "{{ kube_manifest_dir }}/kube-podmaster.manifest"
+    dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest"
 
 - name: restart kubelet
   service:

roles/kubernetes/master/tasks/start.yml

@@ -4,18 +4,19 @@
 
 - name: reload systemd
   command: systemctl daemon-reload
-  when: init_system == "systemd" and restart_apimaster is defined and restart_apimaster == True
+  when: ansible_service_mgr == "systemd" and restart_apimaster is defined and restart_apimaster == True
 
 - name: reload kube-apiserver
   service:
     name: kube-apiserver
     state: restarted
     enabled: yes
-  when: restart_apimaster is defined and restart_apimaster == True
+  when: ( restart_apimaster is defined and restart_apimaster == True) or
+        secret_changed | default(false)
 
 - name: Enable apiserver
   service:
     name: kube-apiserver
     enabled: yes
     state: started
-  when: restart_apimaster is not defined or restart_apimaster == False
+  when: restart_apimaster is not defined or restart_apimaster == False

roles/kubernetes/master/templates/kube-apiserver.j2

@@ -3,7 +3,7 @@
 #
 # The following values are used to configure the kube-apiserver
 
-{% if init_system == "sysvinit" %}
+{% if ansible_service_mgr in ["sysvinit","upstart"] %}
 # Logging directory
 KUBE_LOGGING="--log-dir={{ kube_log_dir }} --logtostderr=true"
 {% else %}
@@ -24,7 +24,7 @@ KUBE_API_PORT="--insecure-port={{kube_apiserver_insecure_port}} --secure-port={{
 KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range={{ kube_service_addresses }}"
 
 # Location of the etcd cluster
-KUBE_ETCD_SERVERS="--etcd_servers={% for host in groups['etcd'] %}http://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:2379{% if not loop.last %},{% endif %}{% endfor %}"
+KUBE_ETCD_SERVERS="--etcd_servers={% for host in groups['etcd'] %}http://{{ hostvars[host]['access_ip'] | default(hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address'])) }}:2379{% if not loop.last %},{% endif %}{% endfor %}"
 
 # default admission control policies
 KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
@@ -38,7 +38,7 @@ KUBE_TLS_CONFIG="--tls_cert_file={{ kube_cert_dir }}/apiserver.pem --tls_private
 # Add you own!
 KUBE_API_ARGS="--token_auth_file={{ kube_token_dir }}/known_tokens.csv --basic-auth-file={{ kube_users_dir }}/known_users.csv --service_account_key_file={{ kube_cert_dir }}/apiserver-key.pem"
 
-{% if init_system == "sysvinit" %}
+{% if ansible_service_mgr in ["sysvinit","upstart"] %}
 DAEMON_ARGS="$KUBE_LOGGING $KUBE_LOG_LEVEL $KUBE_ALLOW_PRIV $KUBE_API_PORT $KUBE_SERVICE_ADDRESSES \
 $KUBE_ETCD_SERVERS $KUBE_ADMISSION_CONTROL $KUBE_RUNTIME_CONFIG $KUBE_TLS_CONFIG $KUBE_API_ARGS"
 {% endif %}

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -10,7 +10,7 @@ spec:
     command:
     - /hyperkube
     - apiserver
-    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
+    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ hostvars[srv]['access_ip'] | default(hostvars[srv]['ip']|default(hostvars[srv]['ansible_default_ipv4']['address'])) }}:2379{% if not loop.last %},{% endif %}{% endfor %}
 
     - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
     - --service-cluster-ip-range={{ kube_service_addresses }}

roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2

@@ -12,6 +12,7 @@ spec:
     - /hyperkube
     - controller-manager
     - --master=http://127.0.0.1:{{kube_apiserver_insecure_port}}
+    - --leader-elect=true
     - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
     - --root-ca-file={{ kube_cert_dir }}/ca.pem
     - --v={{ kube_log_level | default('2') }}
@@ -20,8 +21,8 @@ spec:
         host: 127.0.0.1
         path: /healthz
         port: 10252
-      initialDelaySeconds: 15
-      timeoutSeconds: 1
+      initialDelaySeconds: 30
+      timeoutSeconds: 10
     volumeMounts:
     - mountPath: {{ kube_cert_dir }}
       name: ssl-certs-kubernetes

roles/kubernetes/master/templates/manifests/kube-podmaster.manifest.j2

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: kube-podmaster
-  namespace: kube-system
-spec:
-  hostNetwork: true
-  containers:
-  - name: scheduler-elector
-    image: gcr.io/google_containers/podmaster:1.1
-    command:
-    - /podmaster
-    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
-
-    - --key=scheduler
-    - --source-file={{ kube_config_dir}}/kube-scheduler.manifest
-    - --dest-file={{ kube_manifest_dir }}/kube-scheduler.manifest
-    volumeMounts:
-    - mountPath: {{ kube_config_dir }}
-      name: manifest-src
-      readOnly: true
-    - mountPath: {{ kube_manifest_dir }}
-      name: manifest-dst
-  - name: controller-manager-elector
-    image: gcr.io/google_containers/podmaster:1.1
-    command:
-    - /podmaster
-    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
-
-    - --key=controller
-    - --source-file={{ kube_config_dir }}/kube-controller-manager.manifest
-    - --dest-file={{ kube_manifest_dir }}/kube-controller-manager.manifest
-    terminationMessagePath: /dev/termination-log
-    volumeMounts:
-    - mountPath: {{ kube_config_dir }}
-      name: manifest-src
-      readOnly: true
-    - mountPath: {{ kube_manifest_dir }}
-      name: manifest-dst
-  volumes:
-  - hostPath:
-      path: {{ kube_config_dir }}
-    name: manifest-src
-  - hostPath:
-      path: {{ kube_manifest_dir }}
-    name: manifest-dst

roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2

@@ -11,6 +11,7 @@ spec:
     command:
     - /hyperkube
     - scheduler
+    - --leader-elect=true
     - --master=http://127.0.0.1:{{kube_apiserver_insecure_port}}
     - --v={{ kube_log_level | default('2') }}
     livenessProbe:
@@ -18,5 +19,5 @@ spec:
         host: 127.0.0.1
         path: /healthz
         port: 10251
-      initialDelaySeconds: 15
-      timeoutSeconds: 1
+      initialDelaySeconds: 30
+      timeoutSeconds: 10

roles/kubernetes/node/defaults/main.yml

@@ -31,10 +31,8 @@ dns_domain: "{{ cluster_name }}"
 
 kube_proxy_mode: userspace
 
-# Temporary image, waiting for official google release
-#  hyperkube_image_repo: gcr.io/google_containers/hyperkube
 hyperkube_image_repo: quay.io/ant31/kubernetes-hyperkube
-hyperkube_image_tag: v1.1.4
+hyperkube_image_tag: v1.2.0
 
 # IP address of the DNS server.
 # Kubernetes will create a pod with several containers, serving as the DNS
@@ -43,6 +41,6 @@ hyperkube_image_tag: v1.1.4
 # pick the 10th ip address in the kube_service_addresses range and use that.
 dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}"
 
-kube_api_runtime_config:
-  - extensions/v1beta1/daemonsets=true
-  - extensions/v1beta1/deployments=true
+# kube_api_runtime_config:
+#   - extensions/v1beta1/daemonsets=true
+#   - extensions/v1beta1/deployments=true

roles/kubernetes/node/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: reload systemd
   command: systemctl daemon-reload
-  when: init_system == "systemd"
+  when: ansible_service_mgr == "systemd"
 
 - name: restart kubelet
   command: /bin/true
@@ -9,10 +9,6 @@
     - reload systemd
     - reload kubelet
 
-- name: set is_gentoken_calico fact
-  set_fact:
-    is_gentoken_calico: true
-
 - name: reload kubelet
   service:
     name: kubelet

roles/kubernetes/node/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: kubernetes/secrets

roles/kubernetes/node/tasks/gen_calico_tokens.yml

@@ -1,27 +0,0 @@
----
-- name: tokens | copy the token gen script
-  copy:
-    src=kube-gen-token.sh
-    dest={{ kube_script_dir }}
-    mode=u+x
-  when: inventory_hostname == groups['kube-master'][0]
-
-- name: tokens | generate tokens for calico
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ "system:calico" ]
-    - "{{ groups['k8s-cluster'] }}"
-  register: gentoken_calico
-  changed_when: "'Added' in gentoken_calico.stdout"
-  when: kube_network_plugin == "calico"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  notify: set is_gentoken_calico fact
-
-- name: tokens | get the calico token values
-  slurp:
-    src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
-  register: calico_token
-  when: kube_network_plugin == "calico"
-  delegate_to: "{{ groups['kube-master'][0] }}"

roles/kubernetes/node/tasks/gen_certs.yml

@@ -1,28 +0,0 @@
----
-- name: certs | install cert generation script
-  copy:
-    src=make-ssl.sh
-    dest={{ kube_script_dir }}
-    mode=0500
-  changed_when: false
-
-- name: certs | write openssl config
-  template:
-    src: "openssl.conf.j2"
-    dest: "{{ kube_config_dir }}/.openssl.conf"
-
-- name: certs | run cert generation script
-  shell: >
-    {{ kube_script_dir }}/make-ssl.sh
-    -f {{ kube_config_dir }}/.openssl.conf
-    -g {{ kube_cert_group }}
-    -d {{ kube_cert_dir }}
-  args:
-    creates: "{{ kube_cert_dir }}/apiserver.pem"
-
-- name: certs | check certificate permissions
-  file:
-    path={{ kube_cert_dir }}
-    group={{ kube_cert_group }}
-    owner=kube
-    recurse=yes

roles/kubernetes/node/tasks/install.yml

@@ -1,29 +1,20 @@
 ---
 - name: install | Write kubelet systemd init file
   template: src=kubelet.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes
-  when: init_system == "systemd"
+  when: ansible_service_mgr == "systemd"
   notify: restart kubelet
 
 - name: install | Write kubelet initd script
   template: src=deb-kubelet.initd.j2 dest=/etc/init.d/kubelet owner=root mode=0755 backup=yes
-  when: init_system == "sysvinit" and ansible_os_family == "Debian"
+  when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "Debian"
   notify: restart kubelet
 
 - name: install | Write kubelet initd script
   template: src=rh-kubelet.initd.j2 dest=/etc/init.d/kubelet owner=root mode=0755 backup=yes
-  when: init_system == "sysvinit" and ansible_os_family == "RedHat"
+  when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "RedHat"
   notify: restart kubelet
 
 - name: install | Install kubelet binary
   command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubelet" "{{ bin_dir }}/kubelet"
   register: kubelet_copy
   changed_when: false
-
-- name: install | Calico-plugin | Directory
-  file: path=/usr/libexec/kubernetes/kubelet-plugins/net/exec/calico/ state=directory
-  when: kube_network_plugin == "calico"
-
-- name: install | Calico-plugin | Binary
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/usr/libexec/kubernetes/kubelet-plugins/net/exec/calico/calico"
-  when: kube_network_plugin == "calico"
-  changed_when: false

roles/kubernetes/node/tasks/main.yml

@@ -1,35 +1,13 @@
 ---
-- name: Create kubernetes config directory
-  file:
-    path: "{{ kube_config_dir }}"
-    state: directory
-    owner: kube
-
-- name: Create kubernetes script directory
-  file:
-    path: "{{ kube_script_dir }}"
-    state: directory
-    owner: kube
-
-- name: Create kubernetes manifests directory
-  file:
-    path: "{{ kube_manifest_dir }}"
-    state: directory
-    owner: kube
-
-- name: Create kubernetes logs directory
-  file:
-    path: "{{ kube_log_dir }}"
-    state: directory
-    owner: kube
-  when: init_system == "sysvinit"
-
-- include: secrets.yml
-  tags:
-    - secrets
-
 - include: install.yml
 
+- name: Write Calico cni config
+  template:
+    src: "cni-calico.conf.j2"
+    dest: "/etc/cni/net.d/10-calico.conf"
+    owner: kube
+  when: kube_network_plugin == "calico"
+
 - name: Write kubelet config file
   template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
   notify:

roles/kubernetes/node/tasks/secrets.yml

@@ -1,52 +0,0 @@
----
-- name: Secrets | certs | make sure the certificate directory exits
-  file:
-    path={{ kube_cert_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
-- name: Secrets | tokens | make sure the tokens directory exits
-  file:
-    path={{ kube_token_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
-- include: gen_certs.yml
-  when: inventory_hostname == groups['kube-master'][0]
-
-- include: gen_calico_tokens.yml
-
-# Sync certs between nodes
-- name: Secrets | create user
-  user:
-    name: '{{ansible_user_id}}'
-    generate_ssh_key: yes
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  run_once: yes
-
-- name: Secrets | 'get ssh keypair'
-  slurp: path=~/.ssh/id_rsa.pub
-  register: public_key
-  delegate_to: "{{ groups['kube-master'][0] }}"
-
-- name: Secrets | 'setup keypair on nodes'
-  authorized_key:
-    user: '{{ansible_user_id}}'
-    key: "{{public_key.content|b64decode }}"
-
-- name: Secrets | synchronize certificates for nodes
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-    recursive: yes
-    delete: yes
-    rsync_opts: [ '--one-file-system']
-    set_remote_user: false
-  with_items:
-    - "{{ kube_cert_dir}}/ca.pem"
-    - "{{ kube_cert_dir}}/node.pem"
-    - "{{ kube_cert_dir}}/node-key.pem"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: inventory_hostname not in "{{ groups['kube-master'] }}"

roles/kubernetes/node/templates/cni-calico.conf.j2

@@ -0,0 +1,9 @@
+{
+  "name": "calico-k8s-network",
+  "type": "calico",
+  "etcd_authority": "127.0.0.1:2379",
+  "log_level": "info",
+  "ipam": {
+    "type": "calico-ipam"
+  }
+}

roles/kubernetes/node/templates/kubelet.j2

@@ -1,4 +1,4 @@
-{% if init_system == "sysvinit" %}
+{% if ansible_service_mgr in ["sysvinit","upstart"] %}
 # Logging directory
 KUBE_LOGGING="--log-dir={{ kube_log_dir }} --logtostderr=true"
 {% else %}
@@ -7,7 +7,9 @@ KUBE_LOGGING="--logtostderr=true"
 {% endif %}
 KUBE_LOG_LEVEL="--v={{ kube_log_level | default('2') }}"
 KUBE_ALLOW_PRIV="--allow_privileged=true"
-KUBELET_API_SERVER="--api_servers={% for host in groups['kube-master'] %}https://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:{{ kube_apiserver_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+{% if inventory_hostname in groups['kube-node'] %}
+KUBELET_API_SERVER="--api_servers={% for host in groups['kube-master'] %}https://{{ hostvars[host]['access_ip'] | default(hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address'])) }}:{{ kube_apiserver_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+{% endif %}
 # The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
 KUBELET_ADDRESS="--address=0.0.0.0"
 # The port for the info server to serve on
@@ -24,11 +26,13 @@ KUBELET_ARGS="--cluster_dns={{ dns_server }} --cluster_domain={{ dns_domain }} -
 KUBELET_ARGS="--kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --config={{ kube_manifest_dir }}"
 {% endif %}
 {% if kube_network_plugin is defined and kube_network_plugin == "calico" %}
-KUBELET_NETWORK_PLUGIN="--network_plugin={{ kube_network_plugin }}"
+KUBELET_NETWORK_PLUGIN="--network_plugin=cni --network-plugin-dir=/etc/cni/net.d"
+{% elif kube_network_plugin is defined and kube_network_plugin == "weave" %}
+DOCKER_SOCKET="--docker-endpoint=unix:/var/run/weave/weave.sock"
 {% endif %}
 # Should this cluster be allowed to run privileged docker containers
 KUBE_ALLOW_PRIV="--allow_privileged=true"
-{% if init_system == "sysvinit" %}
+{% if ansible_service_mgr in ["sysvinit","upstart"] %}
 DAEMON_ARGS="$KUBE_LOGGING $KUBE_LOG_LEVEL $KUBE_ALLOW_PRIV $KUBELET_API_SERVER $KUBELET_ADDRESS \
-$KUBELET_HOSTNAME $KUBELET_REGISTER_NODE $KUBELET_ARGS $KUBELET_ARGS $KUBELET_NETWORK_PLUGIN"
+$KUBELET_HOSTNAME $KUBELET_REGISTER_NODE $KUBELET_ARGS $DOCKER_SOCKET $KUBELET_ARGS $KUBELET_NETWORK_PLUGIN"
 {% endif %}

roles/kubernetes/node/templates/kubelet.service.j2

@@ -10,16 +10,17 @@ After=docker.service
 [Service]
 EnvironmentFile=/etc/kubernetes/kubelet.env
 ExecStart={{ bin_dir }}/kubelet \
-	    $KUBE_LOGTOSTDERR \
-	    $KUBE_LOG_LEVEL \
-	    $KUBELET_API_SERVER \
-	    $KUBELET_ADDRESS \
-	    $KUBELET_PORT \
-	    $KUBELET_HOSTNAME \
-	    $KUBE_ALLOW_PRIV \
-	    $KUBELET_ARGS \
-	    $KUBELET_REGISTER_NODE \
-	    $KUBELET_NETWORK_PLUGIN
+		$KUBE_LOGTOSTDERR \
+		$KUBE_LOG_LEVEL \
+		$KUBELET_API_SERVER \
+		$KUBELET_ADDRESS \
+		$KUBELET_PORT \
+		$KUBELET_HOSTNAME \
+		$KUBE_ALLOW_PRIV \
+		$KUBELET_ARGS \
+		$DOCKER_SOCKET \
+		$KUBELET_REGISTER_NODE \
+		$KUBELET_NETWORK_PLUGIN
 Restart=on-failure
 
 [Install]

roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2

@@ -18,10 +18,12 @@ spec:
 {%   if loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined %}
     - --master=https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port }}
 {%   else %}
-    - --master=https://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{ kube_apiserver_port }}
+    - --master=https://{{ hostvars[groups['kube-master'][0]]['access_ip'] | default(hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address'])) }}:{{ kube_apiserver_port }}
 {%   endif%}
     - --kubeconfig=/etc/kubernetes/node-kubeconfig.yaml
 {% endif %}
+    - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
+    - --proxy-mode={{ kube_proxy_mode }}
     securityContext:
       privileged: true
     volumeMounts:

roles/kubernetes/preinstall/defaults/main.yml

@@ -6,6 +6,5 @@ common_required_pkgs:
   - openssl
   - curl
   - rsync
+  - bash-completion
 
-pypy_version: 2.4.0
-python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2"

roles/kubernetes/preinstall/tasks/etchosts.yml

@@ -2,9 +2,10 @@
 - name: Hosts | populate inventory into hosts file
   lineinfile:
     dest: /etc/hosts
-    regexp: "^{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4.address) }} {{ item }}$"
-    line: "{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4.address) }} {{ item }}"
+    regexp: "^{{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4.address)) }} {{ item }}$"
+    line: "{{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4.address)) }} {{ item }}"
     state: present
+    create: yes
     backup: yes
   when: hostvars[item].ansible_default_ipv4.address is defined
   with_items: groups['all']

roles/kubernetes/preinstall/tasks/main.yml

@@ -14,24 +14,47 @@
       - defaults.yml
       paths:
       - ../vars
+      skip: true
 
-- name: "Identify init system"
-  shell: >
-    $(pgrep systemd > /dev/null && systemctl status network.target > /dev/null);
-    if [ $? -eq 0 ] ; then
-      echo systemd;
-    else
-      echo sysvinit;
-    fi
-  always_run: True
-  register: init_system_output
-  changed_when: False
-  tags: always
+- name: Force binaries directory for CoreOS
+  set_fact:
+    bin_dir: "/opt/bin"
+  when: ansible_os_family == "CoreOS"
 
-- set_fact:
-    init_system: "{{ init_system_output.stdout }}"
-  always_run: True
-  tags: always
+- name: Create kubernetes config directory
+  file:
+    path: "{{ kube_config_dir }}"
+    state: directory
+    owner: kube
+
+- name: Create kubernetes script directory
+  file:
+    path: "{{ kube_script_dir }}"
+    state: directory
+    owner: kube
+
+- name: Create kubernetes manifests directory
+  file:
+    path: "{{ kube_manifest_dir }}"
+    state: directory
+    owner: kube
+
+- name: Create kubernetes logs directory
+  file:
+    path: "{{ kube_log_dir }}"
+    state: directory
+    owner: kube
+  when: ansible_service_mgr in ["sysvinit","upstart"]
+
+- name: Create cni directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: kube
+  with_items:
+    - "/etc/cni/net.d"
+    - "/opt/cni/bin"
+  when: kube_network_plugin == "calico"
 
 - name: Update package management cache (APT)
   apt: update_cache=yes
@@ -42,22 +65,34 @@
   when: ansible_pkg_mgr == 'yum'
 
 - name: Install python-apt for Debian distribs
-  shell: apt-get install -y python-apt
+  command: apt-get install -y python-apt
   when: ansible_os_family == "Debian"
   changed_when: False
 
 - name: Install python-dnf for latest RedHat versions
-  shell: dnf install -y python-dnf yum
+  command: dnf install -y python-dnf yum
   when: ansible_distribution == "Fedora" and
         ansible_distribution_major_version > 21
   changed_when: False
 
+- name: Install epel-release on RHEL
+  command: rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
+  when: ansible_distribution == "RedHat"
+
+- name: Install epel-release on CentOS
+  action:
+    module: "{{ ansible_pkg_mgr }}"
+    name: "epel-release"
+    state: latest
+  when: ansible_distribution == "CentOS"
+
 - name: Install packages requirements
   action:
     module: "{{ ansible_pkg_mgr }}"
     name: "{{ item }}"
     state: latest
-  with_items: "{{required_pkgs | union(common_required_pkgs)}}"
+  with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
+  when: ansible_os_family != "CoreOS"
 
 # Todo : selinux configuration
 - name: Set selinux policy to permissive
@@ -66,6 +101,3 @@
   changed_when: False
 
 - include: etchosts.yml
-
-- include: python-bootstrap.yml
-  when: ansible_os_family not in [ "Debian", "RedHat" ]

roles/kubernetes/preinstall/vars/centos.yml

@@ -1,4 +1,3 @@
 required_pkgs:
-  - epel-release
   - libselinux-python
   - device-mapper-libs

roles/kubernetes/preinstall/vars/debian.yml

@@ -1,4 +1,5 @@
 required_pkgs:
   - python-apt
+  - aufs-tools
   - apt-transport-https
   - software-properties-common

roles/kubernetes/secrets/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: set secret_changed
+  set_fact:
+    secret_changed: true

roles/kubernetes/secrets/scripts/make-ssl.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Author: skahlouc@skahlouc-laptop
+# Author: Smana smainklh@gmail.com
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,15 +22,13 @@ usage()
     cat << EOF
 Create self signed certificates
 
-Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
+Usage : $(basename $0) -f <config> [-d <ssldir>]
       -h | --help         : Show this message
       -f | --config       : Openssl configuration file
-      -c | --cloud        : Cloud provider (GCE, AWS or AZURE)
       -d | --ssldir       : Directory where the certificates will be installed
-      -g | --sslgrp       : Group of the certificates
                
                ex : 
-               $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
+               $(basename $0) -f openssl.conf -d /srv/ssl
 EOF
 }
 
@@ -39,9 +37,7 @@ while (($#)); do
     case "$1" in
         -h | --help)   usage;   exit 0;;
         -f | --config) CONFIG=${2}; shift 2;;
-        -c | --cloud) CLOUD=${2}; shift 2;;
         -d | --ssldir) SSLDIR="${2}"; shift 2;; 
-        -g | --group) SSLGRP="${2}"; shift 2;;
         *)
             usage
             echo "ERROR : Unknown option"
@@ -57,28 +53,8 @@ fi
 if [ -z ${SSLDIR} ]; then
     SSLDIR="/etc/kubernetes/certs"
 fi
-if [ -z ${SSLGRP} ]; then
-    SSLGRP="kube-cert"
-fi
 
-#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
-
-SUPPORTED_CLOUDS="GCE AWS AZURE"
-
-# TODO: Add support for discovery on other providers?
-if [ "${CLOUD}" == "GCE" ]; then
-  CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
-fi
-
-if [ "${CLOUD}" == "AWS" ]; then
-  CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-fi
-
-if [ "${CLOUD}" == "AZURE" ]; then
-  CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
-fi
-
-tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
+tmpdir=$(mktemp -d /tmp/kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
 cd "${tmpdir}"
 
@@ -102,6 +78,3 @@ done
 
 # Install certs
 mv *.pem ${SSLDIR}/
-chgrp ${SSLGRP} ${SSLDIR}/*
-chmod 600 ${SSLDIR}/*-key.pem
-chown root:root ${SSLDIR}/*-key.pem

roles/kubernetes/secrets/tasks/gen_certs.yml

@@ -0,0 +1,51 @@
+---
+- name: certs | write openssl config
+  sudo: False
+  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+  run_once: yes
+
+- name: certs | run cert generation script
+  sudo: False
+  local_action: shell
+    {{ role_path }}/scripts/make-ssl.sh
+    -f {{ role_path }}/files/openssl.conf
+    -d {{ role_path }}/files/certs/
+  run_once: yes
+
+- name: certs | Copy certs on nodes
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca.pem
+    - node.pem
+    - node-key.pem
+  when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+
+- name: certs | Copy certs on master
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca-key.pem
+    - admin.pem
+    - admin-key.pem
+    - apiserver-key.pem
+    - apiserver.pem
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+
+- name: certs | check certificate permissions
+  file:
+    path={{ kube_cert_dir }}
+    group={{ kube_cert_group }}
+    owner=kube
+    recurse=yes
+
+- shell: ls {{ kube_cert_dir}}/*key.pem
+  register: keyfiles
+
+- name: certs | set permissions on keys
+  file:
+    path: "{{ item }}"
+    mode: 0600
+  with_items: keyfiles.stdout_lines

roles/kubernetes/secrets/tasks/gen_tokens.yml

@@ -0,0 +1,30 @@
+---
+- name: tokens | generate tokens for master components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ "system:kubectl" ]
+    - "{{ groups['kube-master'] }}"
+  register: gentoken_master
+  changed_when: "'Added' in gentoken_master.stdout"
+  notify: set secret_changed
+
+- name: tokens | generate tokens for node components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ 'system:kubelet' ]
+    - "{{ groups['kube-node'] }}"
+  register: gentoken_node
+  changed_when: "'Added' in gentoken_node.stdout"
+  notify: set secret_changed
+
+- name: tokens | Copy tokens on master
+  copy:
+    src: "tokens"
+    dest: "/etc/kubernetes"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"

roles/kubernetes/secrets/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Make sure the certificate directory exits
+  file:
+    path={{ kube_cert_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the tokens directory exits
+  file:
+    path={{ kube_token_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the users directory exits
+  file:
+    path={{ kube_users_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Populate users for basic auth in API
+  lineinfile:
+    dest: "{{ kube_users_dir }}/known_users.csv"
+    create: yes
+    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+    backup: yes
+  with_dict: "{{ kube_users }}"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+  notify: set secret_changed
+
+- name: Check if a certificate already exists
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: kubecert
+
+- include: gen_certs.yml
+  when: not kubecert.stat.exists
+
+- include: gen_tokens.yml

roles/kubernetes/secrets/templates/openssl.conf.j2

@@ -14,7 +14,8 @@ DNS.3 = kubernetes.default.svc.{{ dns_domain }}
 DNS.4 = {{ apiserver_loadbalancer_domain_name }}
 {% endif %}
 {% for host in groups['kube-master'] %}
-IP.{{ loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
+IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
+IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
 {% endfor %}
-{% set idx =  groups['kube-master'] | length | int + 1 %}
+{% set idx =  groups['kube-master'] | length | int * 2 + 1 %}
 IP.{{ idx | string }} = {{ kube_apiserver_ip }}

roles/network_plugin/calico/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# Enables Internet connectivity from containers
+nat_outgoing: true
+# cloud_provider: no

roles/network_plugin/calico/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: restart calico-node
+  command: /bin/true
+  notify:
+    - reload systemd
+    - reload calico-node
+
+- name : reload systemd
+  shell: systemctl daemon-reload
+  when: ansible_service_mgr == "systemd"
+
+- name: reload calico-node
+  service:
+    name: calico-node
+    state: restarted
+    sleep: 10

roles/network_plugin/calico/tasks/main.yml

@@ -0,0 +1,128 @@
+---
+- name: Calico | Set docker daemon options
+  template:
+    src: docker
+    dest: "/etc/default/docker"
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart docker
+  when: ansible_os_family != "CoreOS"
+
+- name: Calico | Write docker.service systemd file
+  template:
+    src: systemd-docker.service
+    dest: /lib/systemd/system/docker.service
+  notify: restart docker
+  when: ansible_service_mgr == "systemd" and ansible_os_family != "CoreOS"
+
+- meta: flush_handlers
+
+- name: Calico | Install calicoctl bin
+  command: rsync -piu "{{ local_release_dir }}/calico/bin/calicoctl" "{{ bin_dir }}/calicoctl"
+  register: calico_copy
+  changed_when: false
+
+- name: Calico | Install calico cni bin
+  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
+  changed_when: false
+
+- name: Calico | Install calico-ipam cni bin
+  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico-ipam"
+  changed_when: false
+
+- name: Calico | install calicoctl
+  file: path={{ bin_dir }}/calicoctl mode=0755 state=file
+
+- name: Calico | wait for etcd
+  wait_for:
+    port: 2379
+  when: inventory_hostname in groups['kube-master']
+
+- name: Calico | Check if calico network pool has already been configured
+  uri:
+    url: "http://127.0.0.1:2379/v2/keys/calico/v1/ipam/v4/pool"
+    return_content: yes
+    status_code: 200,404
+  register: calico_conf
+  run_once: true
+
+- name: Calico | Configure calico network pool
+  command: "{{ bin_dir }}/calicoctl pool add {{ kube_pods_subnet }}"
+  run_once: true
+  when: calico_conf.status == 404 and (cloud_provider is not defined or cloud_provider != True)
+        and not nat_outgoing|default(false) or
+        (nat_outgoing|default(false) and peer_with_router|default(false))
+
+- name: Calico | Configure calico network pool for cloud
+  command: "{{ bin_dir }}/calicoctl pool add {{ kube_pods_subnet }} --ipip --nat-outgoing"
+  run_once: true
+  when: calico_conf.status == 404 and cloud_provider is defined and cloud_provider == True
+
+- name: Calico | Configure calico network pool with nat outgoing
+  command: "{{ bin_dir}}/calicoctl pool add {{ kube_pods_subnet }} --nat-outgoing"
+  run_once: true
+  when: calico_conf.status == 404 and (cloud_provider is not defined or cloud_provider != True)
+        and nat_outgoing|default(false) and not peer_with_router|default(false)
+
+- name: Calico | Get calico configuration from etcd
+  uri:
+    url: "http://127.0.0.1:2379/v2/keys/calico/v1/ipam/v4/pool"
+    return_content: yes
+  register: calico_pools
+  run_once: true
+
+- name: Calico | Check if calico pool is properly configured
+  fail:
+    msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}.
+    Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")'
+  when: ( calico_pools.json['node']['nodes'] | length > 1 ) or
+        ( not calico_pools.json['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") )
+  run_once: true
+
+- name: Calico | Write /etc/network-environment
+  template: src=network-environment.j2 dest=/etc/network-environment
+  when: ansible_service_mgr in ["sysvinit","upstart"]
+
+- name: Calico | Write calico-node systemd init file
+  template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service
+  when: ansible_service_mgr == "systemd"
+  notify: restart calico-node
+
+- name: Calico | Write calico-node initd script
+  template: src=deb-calico.initd.j2 dest=/etc/init.d/calico-node owner=root mode=0755
+  when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "Debian"
+  notify: restart calico-node
+
+- name: Calico | Write calico-node initd script
+  template: src=rh-calico.initd.j2 dest=/etc/init.d/calico-node owner=root mode=0755
+  when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "RedHat"
+  notify: restart calico-node
+
+- meta: flush_handlers
+
+- name: Calico | Enable calico-node
+  service:
+    name: calico-node
+    state: started
+    enabled: yes
+
+- name: Calico | Restart calico if binary changed
+  service:
+    name: calico-node
+    state: restarted
+  when: calico_copy.stdout_lines
+
+- name: Calico | Disable node mesh
+  shell: "{{ bin_dir }}/calicoctl bgp node-mesh off"
+  environment:
+     ETCD_AUTHORITY: "127.0.0.1:2379"
+  when: peer_with_router|default(false) and inventory_hostname in groups['kube-node']
+
+- name: Calico | Configure peering with router(s)
+  shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}"
+  environment:
+     ETCD_AUTHORITY: "127.0.0.1:2379"
+  with_items: peers
+  when: peer_with_router|default(false) and inventory_hostname in groups['kube-node']

roles/network_plugin/calico/templates/calico-node.service.j2

@@ -8,9 +8,9 @@ After=docker.service etcd.service
 User=root
 PermissionsStartOnly=true
 {% if inventory_hostname in groups['kube-node'] and peer_with_router|default(false)%}
-ExecStart={{ bin_dir }}/calicoctl node --kubernetes --ip={{ip | default(ansible_default_ipv4.address) }} --as={{ local_as }} --detach=false
+ExecStart={{ bin_dir }}/calicoctl node --ip={{ip | default(ansible_default_ipv4.address) }} --as={{ local_as }} --detach=false
 {%     else %}
-ExecStart={{ bin_dir }}/calicoctl node --kubernetes --ip={{ip | default(ansible_default_ipv4.address) }} --detach=false
+ExecStart={{ bin_dir }}/calicoctl node --ip={{ip | default(ansible_default_ipv4.address) }} --detach=false
 {%     endif %}
 Restart=always
 Restart=10

roles/network_plugin/calico/templates/deb-calico.initd.j2

@@ -10,6 +10,7 @@
 # Description:
 #   Runs calico as a docker container
 ### END INIT INFO
+set -a
 
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 DESC="Calico-node Docker"

roles/network_plugin/calico/templates/docker

@@ -0,0 +1,8 @@
+# Deployed by Ansible
+{% if ansible_service_mgr in ["sysvinit","upstart"] and kube_network_plugin == "flannel" and ansible_os_family == "Debian" %}
+DOCKER_OPTS="--bip={{ flannel_subnet }} --mtu={{ flannel_mtu }}"
+{% elif kube_network_plugin == "flannel" and ansible_os_family == "RedHat" %}
+DOCKER_NETWORK_OPTIONS="--bip={{ flannel_subnet }} --mtu={{ flannel_mtu }}"
+{% elif kube_network_plugin == "flannel" %}
+OPTIONS="--bip={{ flannel_subnet }} --mtu={{ flannel_mtu }}"
+{% endif %}

roles/network_plugin/calico/templates/network-environment.j2

@@ -0,0 +1,9 @@
+# This host's IPv4 address (the source IP address used to reach other nodes
+# in the Kubernetes cluster).
+DEFAULT_IPV4={{ip | default(ansible_default_ipv4.address) }}
+
+# The Kubernetes master IP
+KUBERNETES_MASTER={{ hostvars[groups['kube-master'][0]]['access_ip'] | default(hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address'])) }}
+
+# IP and port of etcd instance used by Calico
+ETCD_AUTHORITY=127.0.0.1:2379

roles/network_plugin/calico/templates/rh-calico.initd.j2

@@ -4,6 +4,7 @@
 #
 # chkconfig:   2345 95 95
 # description: Daemon for calico-node (http://www.projectcalico.org/)
+set -a
 
 ### BEGIN INIT INFO
 # Provides:       calico-node

roles/network_plugin/calico/templates/systemd-docker.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+{% if ansible_os_family == "RedHat" %}
+After=network.target
+Wants=docker-storage-setup.service
+{% elif ansible_os_family == "Debian" %}
+After=network.target docker.socket
+Requires=docker.socket
+{% endif %}
+
+[Service]
+Type=notify
+{% if ansible_os_family == "RedHat" %}
+EnvironmentFile=-/etc/sysconfig/docker
+EnvironmentFile=-/etc/sysconfig/docker-network
+EnvironmentFile=-/etc/sysconfig/docker-storage
+{% elif ansible_os_family == "Debian" %}
+EnvironmentFile=-/etc/default/docker
+{% endif %}
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/docker daemon \
+          $OPTIONS \
+          $DOCKER_STORAGE_OPTIONS \
+          $DOCKER_NETWORK_OPTIONS \
+          $INSECURE_REGISTRY
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+MountFlags=slave
+TimeoutStartSec=1min
+
+[Install]
+WantedBy=multi-user.target

roles/network_plugin/defaults/main.yml

@@ -1,6 +0,0 @@
----
-## defines the IP used to talk to the node
-# flannel_public_ip:
-
-## interface that should be used for flannel operations
-# flannel_interface:

roles/network_plugin/flannel/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# Flannel public IP
+# The address that flannel should advertise as how to access the system
+flannel_public_ip: "{{ access_ip|default(ip|default(ansible_default_ipv4.address)) }}"
+
+## interface that should be used for flannel operations
+## This is actually an inventory node-level item
+# flannel_interface:
+
+# You can choose what type of flannel backend to use
+# please refer to flannel's docs : https://github.com/coreos/flannel/blob/master/README.md
+flannel_backend_type: "vxlan"