Upgrade to Ansible >2.7.0 (#4471 )

Don't create security groups for a bastion host on openstack, if doesn't exist (#4291 )
Update kube-router to 0.2.5 (#4469 )
2025-12-14 13:54:37 +03:00 · 2019-04-09 04:21:07 -07:00 · 2019-04-09 04:01:09 -07:00 · 2019-04-09 03:37:04 -07:00 · 2019-04-09 02:45:07 -07:00 · 2019-04-09 02:19:06 -07:00
560 changed files with 8959 additions and 24302 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,6 @@
 .vagrant
 *.retry
 **/vagrant_ansible_inventory
-inventory/credentials/
-inventory/group_vars/fake_hosts.yml
-inventory/host_vars/
 temp
 .idea
 .tox
@@ -11,12 +8,19 @@ temp
 *.bak
 *.tfstate
 *.tfstate.backup
+.terraform/
 contrib/terraform/aws/credentials.tfvars
 /ssh-bastion.conf
 **/*.sw[pon]
 *~
 vagrant/

+# Ansible inventory
+inventory/*
+!inventory/local
+!inventory/sample
+inventory/*/artifacts/
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
@@ -24,7 +28,6 @@ __pycache__/

 # Distribution / packaging
 .Python
-inventory/*/artifacts/
 env/
 build/
 credentials/
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,4 @@
+---
 stages:
  - unit-tests
  - moderator
@@ -7,8 +8,8 @@ stages:

 variables:
  FAILFASTCI_NAMESPACE: 'kargo-ci'
-  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-incubator__kubespray'
-#  DOCKER_HOST: tcp://localhost:2375
+  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
+  # DOCKER_HOST: tcp://localhost:2375
  ANSIBLE_FORCE_COLOR: "true"
  MAGIC: "ci check this"
  TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
@@ -24,7 +25,6 @@ variables:
  IDEMPOT_CHECK: "false"
  RESET_CHECK: "false"
  UPGRADE_TEST: "false"
-  KUBEADM_ENABLED: "false"
  LOG_LEVEL: "-vv"

 # asia-east1-a
@@ -42,7 +42,7 @@ before_script:
  tags:
    - kubernetes
    - docker
-  image: quay.io/kubespray/kubespray:latest
+  image: quay.io/kubespray/kubespray:v2.8

 .docker_service: &docker_service
  services:
@@ -91,12 +91,10 @@ before_script:
    - cd tests && make create-${CI_PLATFORM} -s ; cd -

    # Check out latest tag if testing upgrade
-    # Uncomment when gitlab kubespray repo has tags
-    #- test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
-    - test "${UPGRADE_TEST}" != "false" && git checkout 8b3ce6e418ccf48171eb5b3888ee1af84f8d71ba
+    - test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
    # Checkout the CI vars file so it is available
    - test "${UPGRADE_TEST}" != "false" && git checkout "${CI_BUILD_REF}" tests/files/${CI_JOB_NAME}.yml
-    # Workaround https://github.com/kubernetes-incubator/kubespray/issues/2021
+    # Workaround https://github.com/kubernetes-sigs/kubespray/issues/2021
    - 'sh -c "echo ignore_assert_errors: true | tee -a tests/files/${CI_JOB_NAME}.yml"'


@@ -137,9 +135,7 @@ before_script:

    # Tests Cases
    ## Test Master API
-    - >
-      ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL
-      -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
+    - ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL

    ## Ping the between 2 pod
    - ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL
@@ -237,98 +233,107 @@ before_script:

 # Test matrix. Leave the comments for markup scripts.
 .coreos_calico_aio_variables: &coreos_calico_aio_variables
-# stage: deploy-part1
+  # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu18_flannel_aio_variables: &ubuntu18_flannel_aio_variables
-# stage: deploy-part1
+  # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

-.ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
-# stage: deploy-part1
-  UPGRADE_TEST: "graceful"
-
 .centos_weave_kubeadm_variables: &centos_weave_kubeadm_variables
-# stage: deploy-part1
+  # stage: deploy-part1
  UPGRADE_TEST: "graceful"

 .ubuntu_canal_kubeadm_variables: &ubuntu_canal_kubeadm_variables
-# stage: deploy-part1
+  # stage: deploy-part1
+  MOVED_TO_GROUP_VARS: "true"
+
+.ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_contiv_sep_variables: &ubuntu_contiv_sep_variables
-# stage: deploy-special
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .coreos_cilium_variables: &coreos_cilium_variables
-# stage: deploy-special
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_cilium_sep_variables: &ubuntu_cilium_sep_variables
-# stage: deploy-special
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .rhel7_weave_variables: &rhel7_weave_variables
-# stage: deploy-part1
+  # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .centos7_flannel_addons_variables: &centos7_flannel_addons_variables
-# stage: deploy-part2
+  # stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"

-.debian8_calico_variables: &debian8_calico_variables
-# stage: deploy-part2
+.debian9_calico_variables: &debian9_calico_variables
+  # stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"

 .coreos_canal_variables: &coreos_canal_variables
-# stage: deploy-part2
+  # stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"

 .rhel7_canal_sep_variables: &rhel7_canal_sep_variables
-# stage: deploy-special
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_weave_sep_variables: &ubuntu_weave_sep_variables
-# stage: deploy-special
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .centos7_calico_ha_variables: &centos7_calico_ha_variables
-# stage: deploy-special
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

+.centos7_kube_router_variables: &centos7_kube_router_variables
+  # stage: deploy-special
+  MOVED_TO_GROUP_VARS: "true"
+
+.centos7_multus_calico_variables: &centos7_multus_calico_variables
+  # stage: deploy-part2
+  UPGRADE_TEST: "graceful"
+
 .coreos_alpha_weave_ha_variables: &coreos_alpha_weave_ha_variables
-# stage: deploy-special
+  # stage: deploy-special
+  MOVED_TO_GROUP_VARS: "true"
+
+.coreos_kube_router_variables: &coreos_kube_router_variables
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_rkt_sep_variables: &ubuntu_rkt_sep_variables
-# stage: deploy-part1
+  # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

-.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
-# stage: deploy-part1
-  MOVED_TO_GROUP_VARS: "true"
-
-.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
-# stage: deploy-part1
-  UPGRADE_TEST: "basic"
-
 .ubuntu_flannel_variables: &ubuntu_flannel_variables
-# stage: deploy-special
+  # stage: deploy-part2
+  MOVED_TO_GROUP_VARS: "true"
+
+.ubuntu_kube_router_variables: &ubuntu_kube_router_variables
+  # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .opensuse_canal_variables: &opensuse_canal_variables
-# stage: deploy-part2
+  # stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"


 # Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
 ### PR JOBS PART1
-gce_coreos-calico-aio:
+
+gce_ubuntu18-flannel-aio:
  stage: deploy-part1
  <<: *job
  <<: *gce
  variables:
-    <<: *coreos_calico_aio_variables
+    <<: *ubuntu18_flannel_aio_variables
    <<: *gce_variables
  when: on_success
  except: ['triggers']
@@ -336,14 +341,14 @@ gce_coreos-calico-aio:

 ### PR JOBS PART2

-gce_ubuntu18-flannel-aio:
+gce_coreos-calico-aio:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
-    <<: *ubuntu18_flannel_aio_variables
+    <<: *coreos_calico_aio_variables
    <<: *gce_variables
-  when: manual
+  when: on_success
  except: ['triggers']
  only: [/^pr-.*$/]

@@ -358,7 +363,9 @@ gce_centos7-flannel-addons:
  except: ['triggers']
  only: [/^pr-.*$/]

-gce_centos-weave-kubeadm:
+### MANUAL JOBS
+
+gce_centos-weave-kubeadm-sep:
  stage: deploy-part2
  <<: *job
  <<: *gce
@@ -366,8 +373,7 @@ gce_centos-weave-kubeadm:
    <<: *gce_variables
    <<: *centos_weave_kubeadm_variables
  when: on_success
-  except: ['triggers']
-  only: [/^pr-.*$/]
+  only: ['triggers']

 gce_ubuntu-weave-sep:
  stage: deploy-part2
@@ -376,11 +382,9 @@ gce_ubuntu-weave-sep:
  variables:
    <<: *gce_variables
    <<: *ubuntu_weave_sep_variables
-  when: on_success
-  except: ['triggers']
-  only: [/^pr-.*$/]
+  when: manual
+  only: ['triggers']

-### MANUAL JOBS
 gce_coreos-calico-sep-triggers:
  stage: deploy-part2
  <<: *job
@@ -392,7 +396,7 @@ gce_coreos-calico-sep-triggers:
  only: ['triggers']

 gce_ubuntu-canal-ha-triggers:
-  stage: deploy-part2
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -411,7 +415,6 @@ gce_centos7-flannel-addons-triggers:
  when: on_success
  only: ['triggers']

-
 gce_ubuntu-weave-sep-triggers:
  stage: deploy-part2
  <<: *job
@@ -434,7 +437,7 @@ do_ubuntu-canal-ha:
  only: ['master', /^pr-.*$/]

 gce_ubuntu-canal-ha:
-  stage: deploy-part2
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -465,6 +468,16 @@ gce_ubuntu-canal-kubeadm-triggers:
  when: on_success
  only: ['triggers']

+gce_ubuntu-flannel-ha:
+  stage: deploy-part2
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *ubuntu_flannel_variables
+  when: manual
+  except: ['triggers']
+
 gce_centos-weave-kubeadm-triggers:
  stage: deploy-part2
  <<: *job
@@ -529,24 +542,24 @@ gce_rhel7-weave-triggers:
  when: on_success
  only: ['triggers']

-gce_debian8-calico-upgrade:
+gce_debian9-calico-upgrade:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *debian8_calico_variables
+    <<: *debian9_calico_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-gce_debian8-calico-triggers:
+gce_debian9-calico-triggers:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *debian8_calico_variables
+    <<: *debian9_calico_variables
  when: on_success
  only: ['triggers']

@@ -613,6 +626,28 @@ gce_centos7-calico-ha-triggers:
  when: on_success
  only: ['triggers']

+gce_centos7-kube-router:
+  stage: deploy-special
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *centos7_kube_router_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
+gce_centos7-multus-calico:
+  stage: deploy-part2
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *centos7_multus_calico_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
 gce_opensuse-canal:
  stage: deploy-part2
  <<: *job
@@ -636,6 +671,17 @@ gce_coreos-alpha-weave-ha:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

+gce_coreos-kube-router:
+  stage: deploy-special
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *coreos_kube_router_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
 gce_ubuntu-rkt-sep:
  stage: deploy-part2
  <<: *job
@@ -647,35 +693,13 @@ gce_ubuntu-rkt-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-gce_ubuntu-vault-sep:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *ubuntu_vault_sep_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
-gce_coreos-vault-upgrade:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *coreos_vault_upgrade_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
-gce_ubuntu-flannel-sep:
+gce_ubuntu-kube-router-sep:
  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *ubuntu_flannel_variables
+    <<: *ubuntu_kube_router_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
@@ -704,7 +728,7 @@ yamllint:
  <<: *job
  stage: unit-tests
  script:
-    - yamllint roles
+    - yamllint .
  except: ['triggers', 'master']

 tox-inventory-builder:
@@ -715,3 +739,73 @@ tox-inventory-builder:
    - cd contrib/inventory_builder && tox
  when: manual
  except: ['triggers', 'master']
+
+
+# Tests for contrib/terraform/
+.terraform_install: &terraform_install
+  <<: *job
+  before_script:
+    # Set Ansible config
+    - cp ansible.cfg ~/.ansible.cfg
+    # Install Terraform
+    - apt-get install -y unzip
+    - curl https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip > /tmp/terraform.zip
+    - unzip /tmp/terraform.zip && mv ./terraform /usr/local/bin/ && terraform --version
+    # Prepare inventory
+    - cp -LRp contrib/terraform/$PROVIDER/sample-inventory inventory/$CLUSTER
+    - cd inventory/$CLUSTER
+    - ln -s ../../contrib/terraform/$PROVIDER/hosts
+    - terraform init ../../contrib/terraform/$PROVIDER
+    # Copy SSH keypair
+    - mkdir -p ~/.ssh
+    - echo "$PACKET_PRIVATE_KEY" | base64 -d > ~/.ssh/id_rsa
+    - chmod 400 ~/.ssh/id_rsa
+    - echo "$PACKET_PUBLIC_KEY" | base64 -d > ~/.ssh/id_rsa.pub
+    - export TF_VAR_public_key_path=""
+  only: ['master', /^pr-.*$/]
+
+.terraform_validate: &terraform_validate
+  <<: *terraform_install
+  stage: unit-tests
+  script:
+    - terraform validate -var-file=cluster.tf ../../contrib/terraform/$PROVIDER
+    - terraform fmt -check -diff ../../contrib/terraform/$PROVIDER
+
+.terraform_apply: &terraform_apply
+  <<: *terraform_install
+  stage: deploy-part2
+  when: manual
+  script:
+    - terraform apply -auto-approve ../../contrib/terraform/$PROVIDER
+    - ansible-playbook -i hosts ../../cluster.yml
+  after_script:
+    # Cleanup regardless of exit code
+    - cd inventory/$CLUSTER
+    - terraform destroy -auto-approve ../../contrib/terraform/$PROVIDER
+
+tf-validate-openstack:
+  <<: *terraform_validate
+  variables:
+    TF_VERSION: 0.11.11
+    PROVIDER: openstack
+    CLUSTER: $CI_COMMIT_REF_NAME
+
+tf-validate-packet:
+  <<: *terraform_validate
+  variables:
+    TF_VERSION: 0.11.11
+    PROVIDER: packet
+    CLUSTER: $CI_COMMIT_REF_NAME
+
+tf-apply-packet:
+  <<: *terraform_apply
+  variables:
+    TF_VERSION: 0.11.11
+    PROVIDER: packet
+    CLUSTER: $CI_COMMIT_REF_NAME
+    TF_VAR_cluster_name: $CI_COMMIT_REF_NAME
+    TF_VAR_number_of_k8s_masters: "1"
+    TF_VAR_number_of_k8s_nodes: "1"
+    TF_VAR_plan_k8s_masters: t1.small.x86
+    TF_VAR_plan_k8s_nodes: t1.small.x86
+    TF_VAR_facility: "ewr1"
--- a/roles/kubernetes/secrets/files/certs/.gitkeep
+++ b/roles/kubernetes/secrets/files/certs/.gitkeep
--- a/1
+++ b/1
@@ -0,0 +1 @@
+kubespray.io
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -7,4 +7,5 @@
 1. Submit an issue describing your proposed change to the repo in question.
 2. The [repo owners](OWNERS) will respond to your issue promptly.
 3. Fork the desired repo, develop and test your code changes.
-4. Submit a pull request.
+4. Sign the CNCF CLA (https://git.k8s.io/community/CLA.md#the-contributor-license-agreement)
+5. Submit a pull request.
--- a/5
+++ b/5
@@ -4,7 +4,7 @@ RUN mkdir /kubespray
 WORKDIR /kubespray
 RUN apt update -y && \
    apt install -y \
-    libssl-dev python-dev sshpass apt-transport-https \
+    libssl-dev python-dev sshpass apt-transport-https jq \
    ca-certificates curl gnupg2 software-properties-common python-pip
 RUN  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
     add-apt-repository \
@@ -14,3 +14,6 @@ RUN  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - &&
     && apt update -y && apt-get install docker-ce -y
 COPY . .
 RUN /usr/bin/python -m pip install pip -U && /usr/bin/python -m pip install -r tests/requirements.txt && python -m pip install -r requirements.txt
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.11.3/bin/linux/amd64/kubectl \
+    && chmod a+x kubectl && cp kubectl /usr/local/bin/kubectl
+
--- a/5
+++ b/5
@@ -0,0 +1,5 @@
+mitogen:
+	ansible-playbook -c local mitogen.yaml -vv
+clean:
+	rm -rf dist/
+	rm *.retry
--- a/3
+++ b/3
@@ -1,5 +1,4 @@
-# See the OWNERS file documentation:
-# https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+# See the OWNERS docs at https://go.k8s.io/owners

 approvers:
  - kubespray-approvers
--- a/2
+++ b/2
@@ -11,8 +11,10 @@ aliases:
    - riverzhang
    - holser
    - smana
+    - verwilst
  kubespray-reviewers:
    - jjungnickel
    - archifleks
    - chapsuk
    - mirwan
+    - miouge1
--- a/README.md
+++ b/README.md
@@ -1,12 +1,12 @@
-![Kubernetes Logo](https://raw.githubusercontent.com/kubernetes-incubator/kubespray/master/docs/img/kubernetes-logo.png)
+![Kubernetes Logo](https://raw.githubusercontent.com/kubernetes-sigs/kubespray/master/docs/img/kubernetes-logo.png)

 Deploy a Production Ready Kubernetes Cluster
 ============================================

-If you have questions, join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.
+If you have questions, check the [documentation](https://kubespray.io) and join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.
 You can get your invite [here](http://slack.k8s.io/)

-   Can be deployed on **AWS, GCE, Azure, OpenStack, vSphere, Oracle Cloud Infrastructure (Experimental), or Baremetal**
+-   Can be deployed on **AWS, GCE, Azure, OpenStack, vSphere, Packet (bare metal), Oracle Cloud Infrastructure (Experimental), or Baremetal**
 -   **Highly available** cluster
 -   **Composable** (Choice of the network plugin for instance)
 -   Supports most popular **Linux distributions**
@@ -19,11 +19,13 @@ To deploy the cluster you can use :

 ### Ansible

+#### Usage
+
    # Install dependencies from ``requirements.txt``
    sudo pip install -r requirements.txt

    # Copy ``inventory/sample`` as ``inventory/mycluster``
-    cp -rfp inventory/sample/* inventory/mycluster
+    cp -rfp inventory/sample inventory/mycluster

    # Update Ansible inventory file with inventory builder
    declare -a IPS=(10.10.1.3 10.10.1.4 10.10.1.5)
@@ -33,8 +35,11 @@ To deploy the cluster you can use :
    cat inventory/mycluster/group_vars/all/all.yml
    cat inventory/mycluster/group_vars/k8s-cluster/k8s-cluster.yml

-    # Deploy Kubespray with Ansible Playbook
-    ansible-playbook -i inventory/mycluster/hosts.ini cluster.yml
+    # Deploy Kubespray with Ansible Playbook - run the playbook as root
+    # The option `-b` is required, as for example writing SSL keys in /etc/,
+    # installing packages and interacting with various systemd daemons.
+    # Without -b the playbook will fail to run!
+    ansible-playbook -i inventory/mycluster/hosts.ini --become --become-user=root cluster.yml

 Note: When Ansible is already installed via system packages on the control machine, other python packages installed via `sudo pip install -r requirements.txt` will go to a different directory tree (e.g. `/usr/local/lib/python2.7/dist-packages` on Ubuntu) from Ansible's (e.g. `/usr/lib/python2.7/dist-packages/ansible` still on Ubuntu).
 As a consequence, `ansible-playbook` command will fail with:
@@ -81,6 +86,7 @@ Documents
 -   [AWS](docs/aws.md)
 -   [Azure](docs/azure.md)
 -   [vSphere](docs/vsphere.md)
+-   [Packet Host](docs/packet.md)
 -   [Large deployments](docs/large-deployments.md)
 -   [Upgrades basics](docs/upgrades.md)
 -   [Roadmap](docs/roadmap.md)
@@ -89,7 +95,7 @@ Supported Linux Distributions
 -----------------------------

 -   **Container Linux by CoreOS**
-   **Debian** Jessie, Stretch, Wheezy
+-   **Debian** Buster, Jessie, Stretch, Wheezy
 -   **Ubuntu** 16.04, 18.04
 -   **CentOS/RHEL** 7
 -   **Fedora** 28
@@ -102,25 +108,27 @@ Supported Components
 --------------------

 -   Core
-    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.11.3
-    -   [etcd](https://github.com/coreos/etcd) v3.2.18
-    -   [docker](https://www.docker.com/) v17.03 (see note)
+    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.13.5
+    -   [etcd](https://github.com/coreos/etcd) v3.2.26
+    -   [docker](https://www.docker.com/) v18.06 (see note)
    -   [rkt](https://github.com/rkt/rkt) v1.21.0 (see Note 2)
    -   [cri-o](http://cri-o.io/) v1.11.5 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS)
 -   Network Plugin
-    -   [calico](https://github.com/projectcalico/calico) v3.1.3
+    -   [calico](https://github.com/projectcalico/calico) v3.4.0
    -   [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-    -   [cilium](https://github.com/cilium/cilium) v1.2.0
-    -   [contiv](https://github.com/contiv/install) v1.1.7
-    -   [flanneld](https://github.com/coreos/flannel) v0.10.0
-    -   [weave](https://github.com/weaveworks/weave) v2.4.1
+    -   [cilium](https://github.com/cilium/cilium) v1.3.0
+    -   [contiv](https://github.com/contiv/install) v1.2.1
+    -   [flanneld](https://github.com/coreos/flannel) v0.11.0
+    -   [kube-router](https://github.com/cloudnativelabs/kube-router) v0.2.5
+    -   [multus](https://github.com/intel/multus-cni) v3.1.autoconf
+    -   [weave](https://github.com/weaveworks/weave) v2.5.1
 -   Application
    -   [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
-    -   [cert-manager](https://github.com/jetstack/cert-manager) v0.5.0
-    -   [coredns](https://github.com/coredns/coredns) v1.2.2
-    -   [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.19.0
+    -   [cert-manager](https://github.com/jetstack/cert-manager) v0.5.2
+    -   [coredns](https://github.com/coredns/coredns) v1.4.0
+    -   [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.21.0

-Note: kubernetes doesn't support newer docker versions ("Version 17.03 is recommended... Versions 17.06+ might work, but have not yet been tested and verified by the Kubernetes node team" cf. [Bootstrapping Clusters with kubeadm](https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-docker)). Among other things kubelet currently breaks on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin). 
+Note: The list of validated [docker versions](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md) was updated to 1.11.1, 1.12.1, 1.13.1, 17.03, 17.06, 17.09, 18.06. kubeadm now properly recognizes Docker 18.09.0 and newer, but still treats 18.06 as the default supported version. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).

 Note 2: rkt support as docker alternative is limited to control plane (etcd and
 kubelet). Docker is still used for Kubernetes cluster workloads and network
@@ -130,10 +138,10 @@ plugins can be deployed for a given single cluster.
 Requirements
 ------------

-   **Ansible v2.4 (or newer) and python-netaddr is installed on the machine
+-   **Ansible v2.7.6 (or newer) and python-netaddr is installed on the machine
    that will run Ansible commands**
 -   **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
-   The target servers must have **access to the Internet** in order to pull docker images.
+-   The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/downloads.md#offline-environment))
 -   The target servers are configured to allow **IPv4 forwarding**.
 -   **Your ssh key must be copied** to all the servers part of your inventory.
 -   The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
@@ -142,6 +150,14 @@ Requirements
    should be configured in the target servers. Then the `ansible_become` flag
    or command parameters `--become or -b` should be specified.

+Hardware:        
+These limits are safe guarded by Kubespray. Actual requirements for your workload can differ. For a sizing guide go to the [Building Large Clusters](https://kubernetes.io/docs/setup/cluster-large/#size-of-master-and-master-components) guide.
+
+-   Master
+    - Memory: 1500 MB
+-   Node
+    - Memory: 1024 MB
+
 Network Plugins
 ---------------

@@ -161,6 +177,13 @@ You can choose between 6 network plugins. (default: `calico`, except Vagrant use
 -   [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
    (Please refer to `weave` [troubleshooting documentation](http://docs.weave.works/weave/latest_release/troubleshooting.html)).

+-   [kube-router](docs/kube-router.md): Kube-router is a L3 CNI for Kubernetes networking aiming to provide operational
+    simplicity and high performance: it uses IPVS to provide Kube Services Proxy (if setup to replace kube-proxy),
+    iptables for network policies, and BGP for ods L3 networking (with optionally BGP peering with out-of-cluster BGP peers).
+    It can also optionally advertise routes to Kubernetes cluster Pods CIDRs, ClusterIPs, ExternalIPs and LoadBalancerIPs.
+
+-   [multus](docs/multus.md): Multus is a meta CNI plugin that provides multiple network interface support to pods. For each interface Multus delegates CNI calls to secondary CNI plugins such as Calico, macvlan, etc.
+
 The choice is defined with the variable `kube_network_plugin`. There is also an
 option to leverage built-in cloud provider networking instead.
 See also [Network checker](docs/netcheck.md).
@@ -177,8 +200,7 @@ Tools and projects on top of Kubespray
 --------------------------------------

 -   [Digital Rebar Provision](https://github.com/digitalrebar/provision/blob/master/doc/integrations/ansible.rst)
-   [Fuel-ccp-installer](https://github.com/openstack/fuel-ccp-installer)
-   [Terraform Contrib](https://github.com/kubernetes-incubator/kubespray/tree/master/contrib/terraform)
+-   [Terraform Contrib](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform)

 CI Tests
 --------
--- a/159
+++ b/159
@@ -1,6 +1,8 @@
 # -*- mode: ruby -*-
 # # vi: set ft=ruby :

+# For help on using kubespray with vagrant, check out docs/vagrant.md
+
 require 'fileutils'

 Vagrant.require_version ">= 2.0.0"
@@ -13,14 +15,16 @@ COREOS_URL_TEMPLATE = "https://storage.googleapis.com/%s.release.core-os.net/amd
 DISK_UUID = Time.now.utc.to_i

 SUPPORTED_OS = {
-  "coreos-stable" => {box: "coreos-stable",      bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["stable"]},
-  "coreos-alpha"  => {box: "coreos-alpha",       bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["alpha"]},
-  "coreos-beta"   => {box: "coreos-beta",        bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["beta"]},
-  "ubuntu"        => {box: "bento/ubuntu-16.04", bootstrap_os: "ubuntu", user: "vagrant"},
-  "centos"        => {box: "centos/7",           bootstrap_os: "centos", user: "vagrant"},
-  "fedora"        => {box: "fedora/28-cloud-base", bootstrap_os: "fedora", user: "vagrant"},
-  "opensuse"      => {box: "opensuse/openSUSE-42.3-x86_64", bootstrap_os: "opensuse", use: "vagrant"},
-  "opensuse-tumbleweed" => {box: "opensuse/openSUSE-Tumbleweed-x86_64", bootstrap_os: "opensuse", use: "vagrant"},
+  "coreos-stable"       => {box: "coreos-stable",      user: "core", box_url: COREOS_URL_TEMPLATE % ["stable"]},
+  "coreos-alpha"        => {box: "coreos-alpha",       user: "core", box_url: COREOS_URL_TEMPLATE % ["alpha"]},
+  "coreos-beta"         => {box: "coreos-beta",        user: "core", box_url: COREOS_URL_TEMPLATE % ["beta"]},
+  "ubuntu1604"          => {box: "generic/ubuntu1604", user: "vagrant"},
+  "ubuntu1804"          => {box: "generic/ubuntu1804", user: "vagrant"},
+  "centos"              => {box: "centos/7",           user: "vagrant"},
+  "centos-bento"        => {box: "bento/centos-7.5",   user: "vagrant"},
+  "fedora"              => {box: "fedora/28-cloud-base",                user: "vagrant"},
+  "opensuse"            => {box: "opensuse/openSUSE-15.0-x86_64",       user: "vagrant"},
+  "opensuse-tumbleweed" => {box: "opensuse/openSUSE-Tumbleweed-x86_64", user: "vagrant"},
 }

 # Defaults for config options defined in CONFIG
@@ -32,8 +36,10 @@ $vm_cpus = 1
 $shared_folders = {}
 $forwarded_ports = {}
 $subnet = "172.17.8"
-$os = "ubuntu"
+$os = "ubuntu1804"
 $network_plugin = "flannel"
+# Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
+$multi_networking = false
 # The first three nodes are etcd servers
 $etcd_instances = $num_instances
 # The first two nodes are kube masters
@@ -44,11 +50,13 @@ $kube_node_instances = $num_instances
 $kube_node_instances_with_disks = false
 $kube_node_instances_with_disks_size = "20G"
 $kube_node_instances_with_disks_number = 2
+$override_disk_size = false
+$disk_size = "20GB"
+$local_path_provisioner_enabled = false
+$local_path_provisioner_claim_root = "/opt/local-path-provisioner/"

 $playbook = "cluster.yml"

-$local_release_dir = "/vagrant/temp"
-
 host_vars = {}

 if File.exist?(CONFIG)
@@ -57,13 +65,13 @@ end

 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
-$inventory = File.join(File.dirname(__FILE__), "inventory", "sample") if ! $inventory
+$inventory = "inventory/sample" if ! $inventory
+$inventory = File.absolute_path($inventory, File.dirname(__FILE__))

-# if $inventory has a hosts file use it, otherwise copy over vars etc
-# to where vagrant expects dynamic inventory to be.
-if ! File.exist?(File.join(File.dirname($inventory), "hosts"))
-  $vagrant_ansible = File.join(File.dirname(__FILE__), ".vagrant",
-                       "provisioners", "ansible")
+# if $inventory has a hosts.ini file use it, otherwise copy over
+# vars etc to where vagrant expects dynamic inventory to be
+if ! File.exist?(File.join(File.dirname($inventory), "hosts.ini"))
+  $vagrant_ansible = File.join(File.dirname(__FILE__), ".vagrant", "provisioners", "ansible")
  FileUtils.mkdir_p($vagrant_ansible) if ! File.exist?($vagrant_ansible)
  if ! File.exist?(File.join($vagrant_ansible,"inventory"))
    FileUtils.ln_s($inventory, File.join($vagrant_ansible,"inventory"))
@@ -78,80 +86,68 @@ if Vagrant.has_plugin?("vagrant-proxyconf")
 end

 Vagrant.configure("2") do |config|
-  # always use Vagrants insecure key
-  config.ssh.insert_key = false
+
  config.vm.box = $box
  if SUPPORTED_OS[$os].has_key? :box_url
    config.vm.box_url = SUPPORTED_OS[$os][:box_url]
  end
  config.ssh.username = SUPPORTED_OS[$os][:user]
+
  # plugin conflict
  if Vagrant.has_plugin?("vagrant-vbguest") then
    config.vbguest.auto_update = false
  end
+
+  # always use Vagrants insecure key
+  config.ssh.insert_key = false
+
+  if ($override_disk_size)
+    unless Vagrant.has_plugin?("vagrant-disksize")
+      system "vagrant plugin install vagrant-disksize"
+    end
+    config.disksize.size = $disk_size
+  end
+
  (1..$num_instances).each do |i|
-    config.vm.define vm_name = "%s-%02d" % [$instance_name_prefix, i] do |config|
-      config.vm.hostname = vm_name
+    config.vm.define vm_name = "%s-%01d" % [$instance_name_prefix, i] do |node|
+
+      node.vm.hostname = vm_name

      if Vagrant.has_plugin?("vagrant-proxyconf")
-        config.proxy.http     = ENV['HTTP_PROXY'] || ENV['http_proxy'] || ""
-        config.proxy.https    = ENV['HTTPS_PROXY'] || ENV['https_proxy'] ||  ""
-        config.proxy.no_proxy = $no_proxy
-      end
-
-      if $expose_docker_tcp
-        config.vm.network "forwarded_port", guest: 2375, host: ($expose_docker_tcp + i - 1), auto_correct: true
-      end
-
-      $forwarded_ports.each do |guest, host|
-        config.vm.network "forwarded_port", guest: guest, host: host, auto_correct: true
+        node.proxy.http     = ENV['HTTP_PROXY'] || ENV['http_proxy'] || ""
+        node.proxy.https    = ENV['HTTPS_PROXY'] || ENV['https_proxy'] ||  ""
+        node.proxy.no_proxy = $no_proxy
      end

      ["vmware_fusion", "vmware_workstation"].each do |vmware|
-        config.vm.provider vmware do |v|
+        node.vm.provider vmware do |v|
          v.vmx['memsize'] = $vm_memory
          v.vmx['numvcpus'] = $vm_cpus
        end
      end

-      config.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
-
-      $shared_folders.each do |src, dst|
-        config.vm.synced_folder src, dst, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
-      end
-
-      config.vm.provider :virtualbox do |vb|
-        vb.gui = $vm_gui
+      node.vm.provider :virtualbox do |vb|
        vb.memory = $vm_memory
        vb.cpus = $vm_cpus
+        vb.gui = $vm_gui
+        vb.linked_clone = true
+        vb.customize ["modifyvm", :id, "--vram", "8"] # ubuntu defaults to 256 MB which is a waste of precious RAM
      end

-     config.vm.provider :libvirt do |lv|
+      node.vm.provider :libvirt do |lv|
        lv.memory = $vm_memory
+        lv.cpus = $vm_cpus
+        lv.default_prefix = 'kubespray'
        # Fix kernel panic on fedora 28
        if $os == "fedora"
          lv.cpu_mode = "host-passthrough"
        end
      end

-      ip = "#{$subnet}.#{i+100}"
-      host_vars[vm_name] = {
-        "ip": ip,
-        "bootstrap_os": SUPPORTED_OS[$os][:bootstrap_os],
-        "local_release_dir" => $local_release_dir,
-        "download_run_once": "False",
-        "kube_network_plugin": $network_plugin
-      }
-
-      config.vm.network :private_network, ip: ip
-
-      # Disable swap for each vm
-      config.vm.provision "shell", inline: "swapoff -a"
-
      if $kube_node_instances_with_disks
        # Libvirt
        driverletters = ('a'..'z').to_a
-        config.vm.provider :libvirt do |lv|
+        node.vm.provider :libvirt do |lv|
          # always make /dev/sd{a/b/c} so that CI can ensure that
          # virtualbox and libvirt will have the same devices to use for OSDs
          (1..$kube_node_instances_with_disks_number).each do |d|
@@ -160,24 +156,55 @@ Vagrant.configure("2") do |config|
        end
      end

-      # Only execute once the Ansible provisioner,
-      # when all the machines are up and ready.
+      if $expose_docker_tcp
+        node.vm.network "forwarded_port", guest: 2375, host: ($expose_docker_tcp + i - 1), auto_correct: true
+      end
+
+      $forwarded_ports.each do |guest, host|
+        node.vm.network "forwarded_port", guest: guest, host: host, auto_correct: true
+      end
+
+      node.vm.synced_folder ".", "/vagrant", disabled: false, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z'] , rsync__exclude: ['.git','venv']
+      $shared_folders.each do |src, dst|
+        node.vm.synced_folder src, dst, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
+      end
+
+      ip = "#{$subnet}.#{i+100}"
+      node.vm.network :private_network, ip: ip
+
+      # Disable swap for each vm
+      node.vm.provision "shell", inline: "swapoff -a"
+
+      host_vars[vm_name] = {
+        "ip": ip,
+        "flannel_interface": "eth1",
+        "kube_network_plugin": $network_plugin,
+        "kube_network_plugin_multus": $multi_networking,
+        "docker_keepcache": "1",
+        "download_run_once": "False",
+        "download_localhost": "False",
+        "local_path_provisioner_enabled": "#{$local_path_provisioner_enabled}",
+        "local_path_provisioner_claim_root": "#{$local_path_provisioner_claim_root}"
+      }
+
+      # Only execute the Ansible provisioner once, when all the machines are up and ready.
      if i == $num_instances
-        config.vm.provision "ansible" do |ansible|
+        node.vm.provision "ansible" do |ansible|
          ansible.playbook = $playbook
-          if File.exist?(File.join(File.dirname($inventory), "hosts"))
-            ansible.inventory_path = $inventory
+          $ansible_inventory_path = File.join( $inventory, "hosts.ini")
+          if File.exist?($ansible_inventory_path)
+            ansible.inventory_path = $ansible_inventory_path
          end
          ansible.become = true
          ansible.limit = "all"
          ansible.host_key_checking = false
-          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache"]
+          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache", "-e ansible_become_pass=vagrant"]
          ansible.host_vars = host_vars
          #ansible.tags = ['download']
          ansible.groups = {
-            "etcd" => ["#{$instance_name_prefix}-0[1:#{$etcd_instances}]"],
-            "kube-master" => ["#{$instance_name_prefix}-0[1:#{$kube_master_instances}]"],
-            "kube-node" => ["#{$instance_name_prefix}-0[1:#{$kube_node_instances}]"],
+            "etcd" => ["#{$instance_name_prefix}-[1:#{$etcd_instances}]"],
+            "kube-master" => ["#{$instance_name_prefix}-[1:#{$kube_master_instances}]"],
+            "kube-node" => ["#{$instance_name_prefix}-[1:#{$kube_node_instances}]"],
            "k8s-cluster:children" => ["kube-master", "kube-node"],
          }
        end
--- a/_config.yml
+++ b/_config.yml
@@ -0,0 +1,2 @@
+---
+theme: jekyll-theme-slate
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,6 +3,8 @@ pipelining=True
 ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
 #control_path = ~/.ssh/ansible-%%r@%%h:%%p
 [defaults]
+strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
+
 host_key_checking=False
 gathering = smart
 fact_caching = jsonfile
--- a/cluster.yml
+++ b/cluster.yml
@@ -1,5 +1,19 @@
 ---
 - hosts: localhost
+  gather_facts: false
+  become: no
+  tasks:
+    - name: "Check ansible version >=2.7.6"
+      assert:
+        msg: "Ansible must be v2.7.6 or higher"
+        that:
+          - ansible_version.string is version("2.7.6", ">=")
+      tags:
+        - check
+  vars:
+    ansible_connection: local
+
+- hosts: bastion[0]
  gather_facts: False
  roles:
    - { role: kubespray-defaults}
@@ -20,34 +34,24 @@
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  vars:
    ansible_ssh_pipelining: true
-  gather_facts: true
+  gather_facts: false
  pre_tasks:
    - name: gather facts from all instances
      setup:
      delegate_to: "{{item}}"
-      delegate_facts: True
+      delegate_facts: true
      with_items: "{{ groups['k8s-cluster'] + groups['etcd'] + groups['calico-rr']|default([]) }}"
+      run_once: true

 - hosts: k8s-cluster:etcd:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes/preinstall, tags: preinstall }
-    - { role: docker, tags: docker, when: container_manager == 'docker' }
-    - { role: cri-o, tags: crio, when: container_manager == 'crio' }
-    - role: rkt
-      tags: rkt
-      when: "'rkt' in [etcd_deployment_type, kubelet_deployment_type, vault_deployment_type]"
+    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine|default(true) }
    - { role: download, tags: download, when: "not skip_downloads" }
  environment: "{{proxy_env}}"

- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
@@ -60,13 +64,6 @@
    - { role: kubespray-defaults}
    - { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }

- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 - hosts: k8s-cluster
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
@@ -86,7 +83,7 @@
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
-    - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
+    - { role: kubernetes/kubeadm, tags: kubeadm}
    - { role: network_plugin, tags: network }

 - hosts: kube-master[0]
@@ -94,7 +91,7 @@
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
-    - { role: win_nodes/kubernetes_patch, tags: win_nodes, when: "kubeadm_enabled" }
+    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"]}

 - hosts: kube-master
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
@@ -111,16 +108,10 @@
    - { role: kubespray-defaults}
    - { role: network_plugin/calico/rr, tags: network }

- hosts: k8s-cluster
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults}
-    - { role: dnsmasq, when: "dns_mode == 'dnsmasq_kubedns'", tags: dnsmasq }
-    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf }
-  environment: "{{proxy_env}}"
-
 - hosts: kube-master
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes-apps, tags: apps }
+    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
+  environment: "{{proxy_env}}"
--- a/contrib/aws_inventory/kubespray-aws-inventory.py
+++ b/contrib/aws_inventory/kubespray-aws-inventory.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python

+from __future__ import print_function
 import boto3
 import os
 import argparse
@@ -13,7 +14,7 @@ class SearchEC2Tags(object):
      self.search_tags()
    if self.args.host:
      data = {}
-      print json.dumps(data, indent=2)
+      print(json.dumps(data, indent=2))

  def parse_args(self):

@@ -44,18 +45,29 @@ class SearchEC2Tags(object):

      instances = ec2.instances.filter(Filters=[{'Name': 'tag:'+tag_key, 'Values': tag_value}, {'Name': 'instance-state-name', 'Values': ['running']}])
      for instance in instances:
-        if self.vpc_visibility == "public":
-          hosts[group].append(instance.public_dns_name)
-          hosts['_meta']['hostvars'][instance.public_dns_name] = {
-             'ansible_ssh_host': instance.public_ip_address
-          }
-        else:
-          hosts[group].append(instance.private_dns_name)
-          hosts['_meta']['hostvars'][instance.private_dns_name] = {
+
+        ##Suppose default vpc_visibility is private
+        dns_name = instance.private_dns_name
+        ansible_host = {
          'ansible_ssh_host': instance.private_ip_address
        }

+        ##Override when vpc_visibility actually is public
+        if self.vpc_visibility == "public":
+          dns_name = instance.public_dns_name
+          ansible_host = {
+            'ansible_ssh_host': instance.public_ip_address
+          }
+
+        ##Set when instance actually has node_labels
+        node_labels_tag = list(filter(lambda t: t['Key'] == 'kubespray-node-labels', instance.tags))
+        if node_labels_tag:
+          ansible_host['node_labels'] = dict([ label.strip().split('=') for label in node_labels_tag[0]['Value'].split(',') ])
+
+        hosts[group].append(dns_name)
+        hosts['_meta']['hostvars'][dns_name] = ansible_host
+        
    hosts['k8s-cluster'] = {'children':['kube-master', 'kube-node']}
-    print json.dumps(hosts, sort_keys=True, indent=2)
+    print(json.dumps(hosts, sort_keys=True, indent=2))

 SearchEC2Tags()
--- a/contrib/azurerm/group_vars/all
+++ b/contrib/azurerm/group_vars/all
@@ -7,6 +7,10 @@ cluster_name: example
 # node that can be used to access the masters and minions
 use_bastion: false

+# Set this to a prefered name that will be used as the first part of the dns name for your bastotion host. For example: k8s-bastion.<azureregion>.cloudapp.azure.com.
+# This is convenient when exceptions have to be configured on a firewall to allow ssh to the given bastion host.
+# bastion_domain_prefix: k8s-bastion
+
 number_of_k8s_masters: 3
 number_of_k8s_nodes: 3

@@ -20,7 +24,8 @@ admin_username: devops
 admin_password: changeme

 # MAKE SURE TO CHANGE THIS TO YOUR PUBLIC KEY to access your azure machines
-ssh_public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLRzcxbsFDdEibiyXCSdIFh7bKbXso1NqlKjEyPTptf3aBXHEhVil0lJRjGpTlpfTy7PHvXFbXIOCdv9tOmeH1uxWDDeZawgPFV6VSZ1QneCL+8bxzhjiCn8133wBSPZkN8rbFKd9eEUUBfx8ipCblYblF9FcidylwtMt5TeEmXk8yRVkPiCuEYuDplhc2H0f4PsK3pFb5aDVdaDT3VeIypnOQZZoUxHWqm6ThyHrzLJd3SrZf+RROFWW1uInIDf/SZlXojczUYoffxgT1lERfOJCHJXsqbZWugbxQBwqsVsX59+KPxFFo6nV88h3UQr63wbFx52/MXkX4WrCkAHzN ablock-vwfs@dell-lappy"
+ssh_public_keys:
+ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLRzcxbsFDdEibiyXCSdIFh7bKbXso1NqlKjEyPTptf3aBXHEhVil0lJRjGpTlpfTy7PHvXFbXIOCdv9tOmeH1uxWDDeZawgPFV6VSZ1QneCL+8bxzhjiCn8133wBSPZkN8rbFKd9eEUUBfx8ipCblYblF9FcidylwtMt5TeEmXk8yRVkPiCuEYuDplhc2H0f4PsK3pFb5aDVdaDT3VeIypnOQZZoUxHWqm6ThyHrzLJd3SrZf+RROFWW1uInIDf/SZlXojczUYoffxgT1lERfOJCHJXsqbZWugbxQBwqsVsX59+KPxFFo6nV88h3UQr63wbFx52/MXkX4WrCkAHzN ablock-vwfs@dell-lappy"

 # Disable using ssh using password. Change it to false to allow to connect to ssh by password
 disablePasswordAuthentication: true
--- a/contrib/azurerm/roles/generate-templates/defaults/main.yml
+++ b/contrib/azurerm/roles/generate-templates/defaults/main.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: "2015-06-15"

 virtualNetworkName: "{{ azure_virtual_network_name | default('KubeVNET') }}"
@@ -34,4 +35,3 @@ imageReferenceJson: "{{imageReference|to_json}}"

 storageAccountName: "sa{{nameSuffix | replace('-', '')}}"
 storageAccountType: "{{ azure_storage_account_type | default('Standard_LRS') }}"
-
--- a/contrib/azurerm/roles/generate-templates/tasks/main.yml
+++ b/contrib/azurerm/roles/generate-templates/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - set_fact:
    base_dir: "{{playbook_dir}}/.generated/"

--- a/contrib/azurerm/roles/generate-templates/templates/bastion.json
+++ b/contrib/azurerm/roles/generate-templates/templates/bastion.json
@@ -15,7 +15,12 @@
      "name": "{{bastionIPAddressName}}",
      "location": "[resourceGroup().location]",
      "properties": {
-        "publicIPAllocationMethod": "Static"
+        "publicIPAllocationMethod": "Static",
+        "dnsSettings": {
+          {% if bastion_domain_prefix %}
+          "domainNameLabel": "{{ bastion_domain_prefix }}"
+          {% endif %}
+        }
      }
    },
    {
@@ -66,10 +71,12 @@
            "disablePasswordAuthentication": "true",
            "ssh": {
              "publicKeys": [
+                {% for key in ssh_public_keys %}
                {
                  "path": "{{sshKeyPath}}",
-                  "keyData": "{{ssh_public_key}}"
-                }
+                  "keyData": "{{key}}"
+                }{% if loop.index < ssh_public_keys | length %},{% endif %}
+                {% endfor %}
              ]
            }
          }
--- a/contrib/azurerm/roles/generate-templates/templates/masters.json
+++ b/contrib/azurerm/roles/generate-templates/templates/masters.json
@@ -162,10 +162,12 @@
            "disablePasswordAuthentication": "{{disablePasswordAuthentication}}",
            "ssh": {
              "publicKeys": [
+                {% for key in ssh_public_keys %}
                {
                  "path": "{{sshKeyPath}}",
-                  "keyData": "{{ssh_public_key}}"
-                }
+                  "keyData": "{{key}}"
+                }{% if loop.index < ssh_public_keys | length %},{% endif %}
+                {% endfor %}
              ]
            }
          }
--- a/contrib/azurerm/roles/generate-templates/templates/minions.json
+++ b/contrib/azurerm/roles/generate-templates/templates/minions.json
@@ -79,10 +79,12 @@
            "disablePasswordAuthentication": "{{disablePasswordAuthentication}}",
            "ssh": {
              "publicKeys": [
+                {% for key in ssh_public_keys %}
                {
                  "path": "{{sshKeyPath}}",
-                  "keyData": "{{ssh_public_key}}"
-                }
+                  "keyData": "{{key}}"
+                }{% if loop.index < ssh_public_keys | length %},{% endif %}
+                {% endfor %}
              ]
            }
          }
--- a/contrib/dind/README.md
+++ b/contrib/dind/README.md
@@ -0,0 +1,176 @@
+# Kubespray DIND experimental setup
+
+This ansible playbook creates local docker containers
+to serve as Kubernetes "nodes", which in turn will run
+"normal" Kubernetes docker containers, a mode usually
+called DIND (Docker-IN-Docker).
+
+The playbook has two roles:
+- dind-host: creates the "nodes" as containers in localhost, with
+  appropriate settings for DIND (privileged, volume mapping for dind
+  storage, etc).
+- dind-cluster: customizes each node container to have required
+  system packages installed, and some utils (swapoff, lsattr)
+  symlinked to /bin/true to ease mimicking a real node.
+
+This playbook has been test with Ubuntu 16.04 as host and ubuntu:16.04
+as docker images (note that dind-cluster has specific customization
+for these images).
+
+The playbook also creates a `/tmp/kubespray.dind.inventory_builder.sh`
+helper (wraps up running `contrib/inventory_builder/inventory.py` with
+node containers IPs and prefix).
+
+## Deploying
+
+See below for a complete successful run:
+
+1. Create the node containers
+
+~~~~
+# From the kubespray root dir
+cd contrib/dind
+pip install -r requirements.txt
+
+ansible-playbook -i hosts dind-cluster.yaml
+
+# Back to kubespray root
+cd ../..
+~~~~
+
+NOTE: if the playbook run fails with something like below error
+message, you may need to specifically set `ansible_python_interpreter`,
+see `./hosts` file for an example expanded localhost entry.
+
+~~~
+failed: [localhost] (item=kube-node1) => {"changed": false, "item": "kube-node1", "msg": "Failed to import docker or docker-py - No module named requests.exceptions. Try `pip install docker` or `pip install docker-py` (Python 2.6)"}
+~~~
+
+2. Customize kubespray-dind.yaml
+
+Note that there's coupling between above created node containers
+and `kubespray-dind.yaml` settings, in particular regarding selected `node_distro`
+(as set in `group_vars/all/all.yaml`), and docker settings.
+
+~~~
+$EDITOR contrib/dind/kubespray-dind.yaml
+~~~
+
+3. Prepare the inventory and run the playbook
+
+~~~
+INVENTORY_DIR=inventory/local-dind
+mkdir -p ${INVENTORY_DIR}
+rm -f ${INVENTORY_DIR}/hosts.ini
+CONFIG_FILE=${INVENTORY_DIR}/hosts.ini /tmp/kubespray.dind.inventory_builder.sh
+
+ansible-playbook --become -e ansible_ssh_user=debian -i ${INVENTORY_DIR}/hosts.ini cluster.yml --extra-vars @contrib/dind/kubespray-dind.yaml
+~~~
+
+NOTE: You could also test other distros without editing files by
+passing `--extra-vars` as per below commandline,
+replacing `DISTRO` by either `debian`, `ubuntu`, `centos`, `fedora`:
+
+~~~
+cd contrib/dind
+ansible-playbook -i hosts dind-cluster.yaml --extra-vars node_distro=DISTRO
+
+cd ../..
+CONFIG_FILE=inventory/local-dind/hosts.ini /tmp/kubespray.dind.inventory_builder.sh
+ansible-playbook --become -e ansible_ssh_user=DISTRO -i inventory/local-dind/hosts.ini cluster.yml --extra-vars @contrib/dind/kubespray-dind.yaml --extra-vars bootstrap_os=DISTRO
+~~~
+
+## Resulting deployment
+
+See below to get an idea on how a completed deployment looks like,
+from the host where you ran kubespray playbooks.
+
+### node_distro: debian
+
+Running from an Ubuntu Xenial host:
+
+~~~
+$ uname -a
+Linux ip-xx-xx-xx-xx 4.4.0-1069-aws #79-Ubuntu SMP Mon Sep 24
+15:01:41 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+
+$ docker ps
+CONTAINER ID        IMAGE               COMMAND CREATED             STATUS              PORTS               NAMES
+1835dd183b75        debian:9.5          "sh -c 'apt-get -qy …"   43 minutes ago      Up 43 minutes                           kube-node5
+30b0af8d2924        debian:9.5          "sh -c 'apt-get -qy …"   43 minutes ago      Up 43 minutes                           kube-node4
+3e0d1510c62f        debian:9.5          "sh -c 'apt-get -qy …"   43 minutes ago      Up 43 minutes                           kube-node3
+738993566f94        debian:9.5          "sh -c 'apt-get -qy …"   44 minutes ago      Up 44 minutes                           kube-node2
+c581ef662ed2        debian:9.5          "sh -c 'apt-get -qy …"   44 minutes ago      Up 44 minutes                           kube-node1
+
+$ docker exec kube-node1 kubectl get node
+NAME         STATUS   ROLES         AGE   VERSION
+kube-node1   Ready    master,node   18m   v1.12.1
+kube-node2   Ready    master,node   17m   v1.12.1
+kube-node3   Ready    node          17m   v1.12.1
+kube-node4   Ready    node          17m   v1.12.1
+kube-node5   Ready    node          17m   v1.12.1
+
+$ docker exec kube-node1 kubectl get pod --all-namespaces
+NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
+default       netchecker-agent-67489                  1/1     Running   0          2m51s
+default       netchecker-agent-6qq6s                  1/1     Running   0          2m51s
+default       netchecker-agent-fsw92                  1/1     Running   0          2m51s
+default       netchecker-agent-fw6tl                  1/1     Running   0          2m51s
+default       netchecker-agent-hostnet-8f2zb          1/1     Running   0          3m
+default       netchecker-agent-hostnet-gq7ml          1/1     Running   0          3m
+default       netchecker-agent-hostnet-jfkgv          1/1     Running   0          3m
+default       netchecker-agent-hostnet-kwfwx          1/1     Running   0          3m
+default       netchecker-agent-hostnet-r46nm          1/1     Running   0          3m
+default       netchecker-agent-lxdrn                  1/1     Running   0          2m51s
+default       netchecker-server-864bd4c897-9vstl      1/1     Running   0          2m40s
+default       sh-68fcc6db45-qf55h                     1/1     Running   1          12m
+kube-system   coredns-7598f59475-6vknq                1/1     Running   0          14m
+kube-system   coredns-7598f59475-l5q5x                1/1     Running   0          14m
+kube-system   kube-apiserver-kube-node1               1/1     Running   0          17m
+kube-system   kube-apiserver-kube-node2               1/1     Running   0          18m
+kube-system   kube-controller-manager-kube-node1      1/1     Running   0          18m
+kube-system   kube-controller-manager-kube-node2      1/1     Running   0          18m
+kube-system   kube-proxy-5xx9d                        1/1     Running   0          17m
+kube-system   kube-proxy-cdqq4                        1/1     Running   0          17m
+kube-system   kube-proxy-n64ls                        1/1     Running   0          17m
+kube-system   kube-proxy-pswmj                        1/1     Running   0          18m
+kube-system   kube-proxy-x89qw                        1/1     Running   0          18m
+kube-system   kube-scheduler-kube-node1               1/1     Running   4          17m
+kube-system   kube-scheduler-kube-node2               1/1     Running   4          18m
+kube-system   kubernetes-dashboard-5db4d9f45f-548rl   1/1     Running   0          14m
+kube-system   nginx-proxy-kube-node3                  1/1     Running   4          17m
+kube-system   nginx-proxy-kube-node4                  1/1     Running   4          17m
+kube-system   nginx-proxy-kube-node5                  1/1     Running   4          17m
+kube-system   weave-net-42bfr                         2/2     Running   0          16m
+kube-system   weave-net-6gt8m                         2/2     Running   0          16m
+kube-system   weave-net-88nnc                         2/2     Running   0          16m
+kube-system   weave-net-shckr                         2/2     Running   0          16m
+kube-system   weave-net-xr46t                         2/2     Running   0          16m
+
+$ docker exec kube-node1 curl -s http://localhost:31081/api/v1/connectivity_check
+{"Message":"All 10 pods successfully reported back to the server","Absent":null,"Outdated":null}
+~~~
+
+## Using ./run-test-distros.sh
+
+You can use `./run-test-distros.sh` to run a set of tests via DIND,
+and excerpt from this script, to get an idea:
+
+~~~
+# The SPEC file(s) must have two arrays as e.g.
+# DISTROS=(debian centos)
+# EXTRAS=(
+#     'kube_network_plugin=calico'
+#     'kube_network_plugin=flannel'
+#     'kube_network_plugin=weave'
+# )
+# that will be tested in a "combinatory" way (e.g. from above there'll be
+# be 6 test runs), creating a sequenced <spec_filename>-nn.out with each output.
+#
+# Each $EXTRAS element will be whitespace split, and passed as --extra-vars
+# to main kubespray ansible-playbook run.
+~~~
+
+See e.g. `test-some_distros-most_CNIs.env` and
+`test-some_distros-kube_router_combo.env` in particular for a richer
+set of CNI specific `--extra-vars` combo.
--- a/contrib/dind/dind-cluster.yaml
+++ b/contrib/dind/dind-cluster.yaml
@@ -0,0 +1,9 @@
+---
+- hosts: localhost
+  gather_facts: False
+  roles:
+    - { role: dind-host }
+
+- hosts: containers
+  roles:
+    - { role: dind-cluster }
--- a/contrib/dind/group_vars/all/all.yaml
+++ b/contrib/dind/group_vars/all/all.yaml
@@ -0,0 +1,3 @@
+---
+# See distro.yaml for supported node_distro images
+node_distro: debian
--- a/contrib/dind/group_vars/all/distro.yaml
+++ b/contrib/dind/group_vars/all/distro.yaml
@@ -0,0 +1,41 @@
+---
+distro_settings:
+  debian: &DEBIAN
+    image: "debian:9.5"
+    user: "debian"
+    pid1_exe: /lib/systemd/systemd
+    init: |
+      sh -c "apt-get -qy update && apt-get -qy install systemd-sysv dbus && exec /sbin/init"
+    raw_setup: apt-get -qy update && apt-get -qy install dbus python sudo iproute2
+    raw_setup_done: test -x /usr/bin/sudo
+    agetty_svc: getty@*
+    ssh_service: ssh
+    extra_packages: []
+  ubuntu:
+    <<: *DEBIAN
+    image: "ubuntu:16.04"
+    user: "ubuntu"
+    init: |
+      /sbin/init
+  centos: &CENTOS
+    image: "centos:7"
+    user: "centos"
+    pid1_exe: /usr/lib/systemd/systemd
+    init: |
+      /sbin/init
+    raw_setup: yum -qy install policycoreutils dbus python sudo iproute iptables
+    raw_setup_done: test -x /usr/bin/sudo
+    agetty_svc: getty@* serial-getty@*
+    ssh_service: sshd
+    extra_packages: []
+  fedora:
+    <<: *CENTOS
+    image: "fedora:latest"
+    user: "fedora"
+    raw_setup: yum -qy install policycoreutils dbus python sudo iproute iptables; mkdir -p /etc/modules-load.d
+    extra_packages:
+      - hostname
+      - procps
+      - findutils
+      - kmod
+      - iputils
--- a/contrib/dind/hosts
+++ b/contrib/dind/hosts
@@ -0,0 +1,15 @@
+[local]
+# If you created a virtualenv for ansible, you may need to specify running the
+# python binary from there instead:
+#localhost ansible_connection=local ansible_python_interpreter=/home/user/kubespray/.venv/bin/python
+localhost ansible_connection=local
+
+[containers]
+kube-node1
+kube-node2
+kube-node3
+kube-node4
+kube-node5
+
+[containers:vars]
+ansible_connection=docker
--- a/contrib/dind/kubespray-dind.yaml
+++ b/contrib/dind/kubespray-dind.yaml
@@ -0,0 +1,22 @@
+---
+# kubespray-dind.yaml: minimal kubespray ansible playbook usable for DIND
+# See contrib/dind/README.md
+kube_api_anonymous_auth: true
+
+kubelet_fail_swap_on: false
+
+# Docker nodes need to have been created with same "node_distro: debian"
+# at contrib/dind/group_vars/all/all.yaml
+bootstrap_os: debian
+
+docker_version: latest
+
+docker_storage_options: -s overlay2 --storage-opt overlay2.override_kernel_check=true -g /dind/docker
+
+dns_mode: coredns
+
+deploy_netchecker: True
+netcheck_agent_image_repo: quay.io/l23network/k8s-netchecker-agent
+netcheck_server_image_repo: quay.io/l23network/k8s-netchecker-server
+netcheck_agent_image_tag: v1.0
+netcheck_server_image_tag: v1.0
--- a/contrib/dind/requirements.txt
+++ b/contrib/dind/requirements.txt
@@ -0,0 +1 @@
+docker
--- a/contrib/dind/roles/dind-cluster/tasks/main.yaml
+++ b/contrib/dind/roles/dind-cluster/tasks/main.yaml
@@ -0,0 +1,71 @@
+---
+- name: set_fact distro_setup
+  set_fact:
+    distro_setup: "{{ distro_settings[node_distro] }}"
+
+- name: set_fact other distro settings
+  set_fact:
+    distro_user: "{{ distro_setup['user'] }}"
+    distro_ssh_service: "{{ distro_setup['ssh_service'] }}"
+    distro_extra_packages: "{{ distro_setup['extra_packages'] }}"
+
+- name: Null-ify some linux tools to ease DIND
+  file:
+    src: "/bin/true"
+    dest: "{{item}}"
+    state: link
+    force: yes
+  with_items:
+    # DIND box may have swap enable, don't bother
+    - /sbin/swapoff
+    # /etc/hosts handling would fail on trying to copy file attributes on edit,
+    # void it by successfully returning nil output
+    - /usr/bin/lsattr
+    # disable selinux-isms, sp needed if running on non-Selinux host
+    - /usr/sbin/semodule
+
+- name: Void installing dpkg docs and man pages on Debian based distros
+  copy:
+    content: |
+      # Delete locales
+      path-exclude=/usr/share/locale/*
+      # Delete man pages
+      path-exclude=/usr/share/man/*
+      # Delete docs
+      path-exclude=/usr/share/doc/*
+      path-include=/usr/share/doc/*/copyright
+    dest: /etc/dpkg/dpkg.cfg.d/01_nodoc
+  when:
+    - ansible_os_family == 'Debian'
+
+- name: Install system packages to better match a full-fledge node
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ distro_extra_packages }} + [ 'rsyslog', 'openssh-server' ]"
+
+- name: Start needed services
+  service:
+    name: "{{ item }}"
+    state: started
+  with_items:
+    - rsyslog
+    - "{{ distro_ssh_service }}"
+
+- name: Create distro user "{{distro_user}}"
+  user:
+    name: "{{ distro_user }}"
+    uid: 1000
+    # groups: sudo
+    append: yes
+
+- name: Allow password-less sudo to "{{ distro_user }}"
+  copy:
+    content: "{{ distro_user }} ALL=(ALL) NOPASSWD:ALL"
+    dest: "/etc/sudoers.d/{{ distro_user }}"
+
+- name: Add my pubkey to "{{ distro_user }}" user authorized keys
+  authorized_key:
+    user: "{{ distro_user }}"
+    state: present
+    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
--- a/contrib/dind/roles/dind-host/tasks/main.yaml
+++ b/contrib/dind/roles/dind-host/tasks/main.yaml
@@ -0,0 +1,87 @@
+---
+- name: set_fact distro_setup
+  set_fact:
+    distro_setup: "{{ distro_settings[node_distro] }}"
+
+- name: set_fact other distro settings
+  set_fact:
+    distro_image: "{{ distro_setup['image'] }}"
+    distro_init: "{{ distro_setup['init'] }}"
+    distro_pid1_exe: "{{ distro_setup['pid1_exe'] }}"
+    distro_raw_setup: "{{ distro_setup['raw_setup'] }}"
+    distro_raw_setup_done: "{{ distro_setup['raw_setup_done'] }}"
+    distro_agetty_svc: "{{ distro_setup['agetty_svc'] }}"
+
+- name: Create dind node containers from "containers" inventory section
+  docker_container:
+    image: "{{ distro_image }}"
+    name: "{{ item }}"
+    state: started
+    hostname: "{{ item }}"
+    command: "{{ distro_init }}"
+    # recreate: yes
+    privileged: true
+    tmpfs:
+      - /sys/module/nf_conntrack/parameters
+    volumes:
+      - /boot:/boot
+      - /lib/modules:/lib/modules
+      - "{{ item }}:/dind/docker"
+  register: containers
+  with_items: "{{groups.containers}}"
+  tags:
+    - addresses
+
+- name: Gather list of containers IPs
+  set_fact:
+    addresses: "{{ containers.results | map(attribute='ansible_facts') | map(attribute='docker_container') | map(attribute='NetworkSettings') | map(attribute='IPAddress') | list }}"
+  tags:
+    - addresses
+
+- name: Create inventory_builder helper already set with the list of node containers' IPs
+  template:
+    src: inventory_builder.sh.j2
+    dest: /tmp/kubespray.dind.inventory_builder.sh
+    mode: 0755
+  tags:
+    - addresses
+
+- name: Install needed packages into node containers via raw, need to wait for possible systemd packages to finish installing
+  raw: |
+    # agetty processes churn a lot of cpu time failing on inexistent ttys, early STOP them, to rip them in below task
+    pkill -STOP agetty || true
+    {{ distro_raw_setup_done }}  && echo SKIPPED && exit 0
+    until [ "$(readlink /proc/1/exe)" = "{{ distro_pid1_exe }}" ] ; do sleep 1; done
+    {{ distro_raw_setup }}
+  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  with_items: "{{ containers.results }}"
+  register: result
+  changed_when: result.stdout.find("SKIPPED") < 0
+
+- name: Remove gettys from node containers
+  raw: |
+    until test -S /var/run/dbus/system_bus_socket; do sleep 1; done
+    systemctl disable {{ distro_agetty_svc }}
+    systemctl stop {{ distro_agetty_svc }}
+  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  with_items: "{{ containers.results }}"
+  changed_when: false
+
+# Running systemd-machine-id-setup doesn't create a unique id for each node container on Debian,
+# handle manually
+- name: Re-create unique machine-id (as we may just get what comes in the docker image), needed by some CNIs for mac address seeding (notably weave)
+  raw: |
+    echo {{ item | hash('sha1') }} > /etc/machine-id.new
+    mv -b /etc/machine-id.new /etc/machine-id
+    cmp /etc/machine-id /etc/machine-id~ || true
+    systemctl daemon-reload
+  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  with_items: "{{ containers.results }}"
+
+- name: Early hack image install to adapt for DIND
+  raw: |
+    rm -fv /usr/bin/udevadm /usr/sbin/udevadm
+  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  with_items: "{{ containers.results }}"
+  register: result
+  changed_when: result.stdout.find("removed") >= 0
--- a/contrib/dind/roles/dind-host/templates/inventory_builder.sh.j2
+++ b/contrib/dind/roles/dind-host/templates/inventory_builder.sh.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+# NOTE: if you change HOST_PREFIX, you also need to edit ./hosts [containers] section
+HOST_PREFIX=kube-node python3 contrib/inventory_builder/inventory.py {% for ip in addresses %} {{ ip }} {% endfor %}
--- a/contrib/dind/run-test-distros.sh
+++ b/contrib/dind/run-test-distros.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+# Q&D test'em all: creates full DIND kubespray deploys
+# for each distro, verifying it via netchecker.
+
+info() {
+    local msg="$*"
+    local date="$(date -Isec)"
+    echo "INFO: [$date] $msg"
+}
+pass_or_fail() {
+    local rc="$?"
+    local msg="$*"
+    local date="$(date -Isec)"
+    [ $rc -eq 0 ] && echo "PASS: [$date] $msg" || echo "FAIL: [$date] $msg"
+    return $rc
+}
+test_distro() {
+    local distro=${1:?};shift
+    local extra="${*:-}"
+    local prefix="$distro[${extra}]}"
+    ansible-playbook -i hosts dind-cluster.yaml -e node_distro=$distro
+    pass_or_fail "$prefix: dind-nodes" || return 1
+    (cd ../..
+        INVENTORY_DIR=inventory/local-dind
+        mkdir -p ${INVENTORY_DIR}
+        rm -f ${INVENTORY_DIR}/hosts.ini
+        CONFIG_FILE=${INVENTORY_DIR}/hosts.ini /tmp/kubespray.dind.inventory_builder.sh
+        # expand $extra with -e in front of each word
+        extra_args=""; for extra_arg in $extra; do extra_args="$extra_args -e $extra_arg"; done
+        ansible-playbook --become -e ansible_ssh_user=$distro -i \
+            ${INVENTORY_DIR}/hosts.ini cluster.yml \
+            -e @contrib/dind/kubespray-dind.yaml -e bootstrap_os=$distro ${extra_args}
+        pass_or_fail "$prefix: kubespray"
+    ) || return 1
+    local node0=${NODES[0]}
+    docker exec ${node0} kubectl get pod --all-namespaces
+    pass_or_fail "$prefix: kube-api" || return 1
+    let retries=60
+    while ((retries--)); do
+        # Some CNI may set NodePort on "main" node interface address (thus no localhost NodePort)
+        # e.g. kube-router: https://github.com/cloudnativelabs/kube-router/pull/217
+        docker exec ${node0} curl -m2 -s http://${NETCHECKER_HOST:?}:31081/api/v1/connectivity_check | grep successfully && break
+        sleep 2
+    done
+    [ $retries -ge 0 ]
+    pass_or_fail "$prefix: netcheck" || return 1
+}
+
+NODES=($(egrep ^kube-node hosts))
+NETCHECKER_HOST=localhost
+
+: ${OUTPUT_DIR:=./out}
+mkdir -p ${OUTPUT_DIR}
+
+# The SPEC file(s) must have two arrays as e.g.
+# DISTROS=(debian centos)
+# EXTRAS=(
+#     'kube_network_plugin=calico'
+#     'kube_network_plugin=flannel'
+#     'kube_network_plugin=weave'
+# )
+# that will be tested in a "combinatory" way (e.g. from above there'll be
+# be 6 test runs), creating a sequenced <spec_filename>-nn.out with each output.
+#
+# Each $EXTRAS element will be whitespace split, and passed as --extra-vars
+# to main kubespray ansible-playbook run.
+
+SPECS=${*:?Missing SPEC files, e.g. test-most_distros-some_CNIs.env}
+for spec in ${SPECS}; do
+    unset DISTROS EXTRAS
+    echo "Loading file=${spec} ..."
+    . ${spec} || continue
+    : ${DISTROS:?} || continue
+    echo "DISTROS=${DISTROS[@]}"
+    echo "EXTRAS->"
+    printf "  %s\n" "${EXTRAS[@]}"
+    let n=1
+    for distro in ${DISTROS[@]}; do
+        for extra in "${EXTRAS[@]:-NULL}"; do
+            # Magic value to let this for run once:
+            [[ ${extra} == NULL ]] && unset extra
+            docker rm -f ${NODES[@]}
+            printf -v file_out "%s/%s-%02d.out" ${OUTPUT_DIR} ${spec} $((n++))
+            {
+                info "${distro}[${extra}] START: file_out=${file_out}"
+                time test_distro ${distro} ${extra}
+            } |& tee ${file_out}
+            # sleeping for the sake of the human to verify if they want
+            sleep 2m
+        done
+    done
+done
+egrep -H '^(....:|real)' $(ls -tr ${OUTPUT_DIR}/*.out)
--- a/contrib/dind/test-most_distros-some_CNIs.env
+++ b/contrib/dind/test-most_distros-some_CNIs.env
@@ -0,0 +1,11 @@
+# Test spec file: used from ./run-test-distros.sh, will run
+# each distro in $DISTROS overloading main kubespray ansible-playbook run
+# Get all DISTROS from distro.yaml (shame no yaml parsing, but nuff anyway)
+# DISTROS="${*:-$(egrep -o '^  \w+' group_vars/all/distro.yaml|paste -s)}"
+DISTROS=(debian ubuntu centos fedora)
+
+# Each line below will be added as --extra-vars to main playbook run
+EXTRAS=(
+    'kube_network_plugin=calico'
+    'kube_network_plugin=weave'
+)
--- a/contrib/dind/test-some_distros-kube_router_combo.env
+++ b/contrib/dind/test-some_distros-kube_router_combo.env
@@ -0,0 +1,6 @@
+DISTROS=(debian centos)
+NETCHECKER_HOST=${NODES[0]}
+EXTRAS=(
+  'kube_network_plugin=kube-router {"kube_router_run_service_proxy":false}'
+  'kube_network_plugin=kube-router {"kube_router_run_service_proxy":true}'
+)
--- a/contrib/dind/test-some_distros-most_CNIs.env
+++ b/contrib/dind/test-some_distros-most_CNIs.env
@@ -0,0 +1,8 @@
+DISTROS=(debian centos)
+EXTRAS=(
+  'kube_network_plugin=calico {}'
+  'kube_network_plugin=canal {}'
+  'kube_network_plugin=cilium {}'
+  'kube_network_plugin=flannel {}'
+  'kube_network_plugin=weave {}'
+)
--- a/contrib/inventory_builder/inventory.py
+++ b/contrib/inventory_builder/inventory.py
@@ -17,6 +17,9 @@
 #
 # Advanced usage:
 # Add another host after initial creation: inventory.py 10.10.1.5
+# Add range of hosts: inventory.py 10.10.1.3-10.10.1.5
+# Add hosts with different ip and access ip:
+# inventory.py 10.0.0.1,192.168.10.1 10.0.0.2,192.168.10.2 10.0.0.3,192.168.1.3
 # Delete a host: inventory.py -10.10.1.3
 # Delete a host by id: inventory.py -node1
 #
@@ -31,21 +34,21 @@
 #        ip: X.X.X.X

 from collections import OrderedDict
-try:
-    import configparser
-except ImportError:
-    import ConfigParser as configparser
+from ipaddress import ip_address
+from ruamel.yaml import YAML

 import os
 import re
 import sys

-ROLES = ['all', 'kube-master', 'kube-node', 'etcd', 'k8s-cluster:children',
-         'calico-rr', 'vault']
+ROLES = ['all', 'kube-master', 'kube-node', 'etcd', 'k8s-cluster',
+         'calico-rr']
 PROTECTED_NAMES = ROLES
 AVAILABLE_COMMANDS = ['help', 'print_cfg', 'print_ips', 'load']
 _boolean_states = {'1': True, 'yes': True, 'true': True, 'on': True,
                   '0': False, 'no': False, 'false': False, 'off': False}
+yaml = YAML()
+yaml.Representer.add_representer(OrderedDict, yaml.Representer.represent_dict)


 def get_var_as_bool(name, default):
@@ -54,7 +57,8 @@ def get_var_as_bool(name, default):

 # Configurable as shell vars start

-CONFIG_FILE = os.environ.get("CONFIG_FILE", "./inventory/sample/hosts.ini")
+
+CONFIG_FILE = os.environ.get("CONFIG_FILE", "./inventory/sample/hosts.yaml")
 # Reconfigures cluster distribution at scale
 SCALE_THRESHOLD = int(os.environ.get("SCALE_THRESHOLD", 50))
 MASSIVE_SCALE_THRESHOLD = int(os.environ.get("SCALE_THRESHOLD", 200))
@@ -68,11 +72,14 @@ HOST_PREFIX = os.environ.get("HOST_PREFIX", "node")
 class KubesprayInventory(object):

    def __init__(self, changed_hosts=None, config_file=None):
-        self.config = configparser.ConfigParser(allow_no_value=True,
-                                                delimiters=('\t', ' '))
        self.config_file = config_file
+        self.yaml_config = {}
        if self.config_file:
-            self.config.read(self.config_file)
+            try:
+                self.hosts_file = open(config_file, 'r')
+                self.yaml_config = yaml.load(self.hosts_file)
+            except FileNotFoundError:
+                pass

        if changed_hosts and changed_hosts[0] in AVAILABLE_COMMANDS:
            self.parse_command(changed_hosts[0], changed_hosts[1:])
@@ -81,6 +88,7 @@ class KubesprayInventory(object):
        self.ensure_required_groups(ROLES)

        if changed_hosts:
+            changed_hosts = self.range2ips(changed_hosts)
            self.hosts = self.build_hostnames(changed_hosts)
            self.purge_invalid_hosts(self.hosts.keys(), PROTECTED_NAMES)
            self.set_all(self.hosts)
@@ -101,8 +109,9 @@ class KubesprayInventory(object):

    def write_config(self, config_file):
        if config_file:
-            with open(config_file, 'w') as f:
-                self.config.write(f)
+            with open(self.config_file, 'w') as f:
+                yaml.dump(self.yaml_config, f)
+
        else:
            print("WARNING: Unable to save config. Make sure you set "
                  "CONFIG_FILE env var.")
@@ -112,28 +121,29 @@ class KubesprayInventory(object):
            print("DEBUG: {0}".format(msg))

    def get_ip_from_opts(self, optstring):
-        opts = optstring.split(' ')
-        for opt in opts:
-            if '=' not in opt:
-                continue
-            k, v = opt.split('=')
-            if k == "ip":
-                return v
+        if 'ip' in optstring:
+            return optstring['ip']
+        else:
            raise ValueError("IP parameter not found in options")

    def ensure_required_groups(self, groups):
        for group in groups:
-            try:
+            if group == 'all':
                self.debug("Adding group {0}".format(group))
-                self.config.add_section(group)
-            except configparser.DuplicateSectionError:
-                pass
+                if group not in self.yaml_config:
+                    all_dict = OrderedDict([('hosts', OrderedDict({})),
+                                            ('children', OrderedDict({}))])
+                    self.yaml_config = {'all': all_dict}
+            else:
+                self.debug("Adding group {0}".format(group))
+                if group not in self.yaml_config['all']['children']:
+                    self.yaml_config['all']['children'][group] = {'hosts': {}}

    def get_host_id(self, host):
        '''Returns integer host ID (without padding) from a given hostname.'''
        try:
            short_hostname = host.split('.')[0]
-            return int(re.findall("\d+$", short_hostname)[-1])
+            return int(re.findall("\\d+$", short_hostname)[-1])
        except IndexError:
            raise ValueError("Host name must end in an integer")

@@ -141,12 +151,12 @@ class KubesprayInventory(object):
        existing_hosts = OrderedDict()
        highest_host_id = 0
        try:
-            for host, opts in self.config.items('all'):
-                existing_hosts[host] = opts
+            for host in self.yaml_config['all']['hosts']:
+                existing_hosts[host] = self.yaml_config['all']['hosts'][host]
                host_id = self.get_host_id(host)
                if host_id > highest_host_id:
                    highest_host_id = host_id
-        except configparser.NoSectionError:
+        except Exception:
            pass

        # FIXME(mattymo): Fix condition where delete then add reuses highest id
@@ -163,22 +173,53 @@ class KubesprayInventory(object):
                    self.debug("Marked {0} for deletion.".format(realhost))
                    self.delete_host_by_ip(all_hosts, realhost)
            elif host[0].isdigit():
+                if ',' in host:
+                    ip, access_ip = host.split(',')
+                else:
+                    ip = host
+                    access_ip = host
                if self.exists_hostname(all_hosts, host):
                    self.debug("Skipping existing host {0}.".format(host))
                    continue
-                elif self.exists_ip(all_hosts, host):
-                    self.debug("Skipping existing host {0}.".format(host))
+                elif self.exists_ip(all_hosts, ip):
+                    self.debug("Skipping existing host {0}.".format(ip))
                    continue

                next_host = "{0}{1}".format(HOST_PREFIX, next_host_id)
                next_host_id += 1
-                all_hosts[next_host] = "ansible_host={0} ip={1}".format(
-                    host, host)
+                all_hosts[next_host] = {'ansible_host': access_ip,
+                                        'ip': ip,
+                                        'access_ip': access_ip}
            elif host[0].isalpha():
                raise Exception("Adding hosts by hostname is not supported.")

        return all_hosts

+    def range2ips(self, hosts):
+        reworked_hosts = []
+
+        def ips(start_address, end_address):
+            try:
+                # Python 3.x
+                start = int(ip_address(start_address))
+                end   = int(ip_address(end_address))
+            except:
+                # Python 2.7
+                start = int(ip_address(unicode(start_address)))
+                end   = int(ip_address(unicode(end_address)))
+            return [ip_address(ip).exploded for ip in range(start, end + 1)]
+
+        for host in hosts:
+            if '-' in host and not host.startswith('-'):
+                start, end = host.strip().split('-')
+                try:
+                    reworked_hosts.extend(ips(start, end))
+                except ValueError:
+                    raise Exception("Range of ip_addresses isn't valid")
+            else:
+                reworked_hosts.append(host)
+        return reworked_hosts
+
    def exists_hostname(self, existing_hosts, hostname):
        return hostname in existing_hosts.keys()

@@ -196,16 +237,34 @@ class KubesprayInventory(object):
        raise ValueError("Unable to find host by IP: {0}".format(ip))

    def purge_invalid_hosts(self, hostnames, protected_names=[]):
-        for role in self.config.sections():
-            for host, _ in self.config.items(role):
+        for role in self.yaml_config['all']['children']:
+            if role != 'k8s-cluster' and self.yaml_config['all']['children'][role]['hosts']:  # noqa
+                all_hosts = self.yaml_config['all']['children'][role]['hosts'].copy()  # noqa
+                for host in all_hosts.keys():
                    if host not in hostnames and host not in protected_names:
-                    self.debug("Host {0} removed from role {1}".format(host,
-                               role))
-                    self.config.remove_option(role, host)
+                        self.debug(
+                            "Host {0} removed from role {1}".format(host, role))  # noqa
+                        del self.yaml_config['all']['children'][role]['hosts'][host]  # noqa
+        # purge from all
+        if self.yaml_config['all']['hosts']:
+            all_hosts = self.yaml_config['all']['hosts'].copy()
+            for host in all_hosts.keys():
+                if host not in hostnames and host not in protected_names:
+                    self.debug("Host {0} removed from role all".format(host))
+                    del self.yaml_config['all']['hosts'][host]

    def add_host_to_group(self, group, host, opts=""):
        self.debug("adding host {0} to group {1}".format(host, group))
-        self.config.set(group, host, opts)
+        if group == 'all':
+            if self.yaml_config['all']['hosts'] is None:
+                self.yaml_config['all']['hosts'] = {host: None}
+            self.yaml_config['all']['hosts'][host] = opts
+        elif group != 'k8s-cluster:children':
+            if self.yaml_config['all']['children'][group]['hosts'] is None:
+                self.yaml_config['all']['children'][group]['hosts'] = {
+                    host: None}
+            else:
+                self.yaml_config['all']['children'][group]['hosts'][host] = None  # noqa

    def set_kube_master(self, hosts):
        for host in hosts:
@@ -216,16 +275,16 @@ class KubesprayInventory(object):
            self.add_host_to_group('all', host, opts)

    def set_k8s_cluster(self):
-        self.add_host_to_group('k8s-cluster:children', 'kube-node')
-        self.add_host_to_group('k8s-cluster:children', 'kube-master')
+        k8s_cluster = {'children': {'kube-master': None, 'kube-node': None}}
+        self.yaml_config['all']['children']['k8s-cluster'] = k8s_cluster

    def set_calico_rr(self, hosts):
        for host in hosts:
-            if host in self.config.items('kube-master'):
+            if host in self.yaml_config['all']['children']['kube-master']:
                self.debug("Not adding {0} to calico-rr group because it "
                           "conflicts with kube-master group".format(host))
                continue
-            if host in self.config.items('kube-node'):
+            if host in self.yaml_config['all']['children']['kube-node']:
                self.debug("Not adding {0} to calico-rr group because it "
                           "conflicts with kube-node group".format(host))
                continue
@@ -233,14 +292,14 @@ class KubesprayInventory(object):

    def set_kube_node(self, hosts):
        for host in hosts:
-            if len(self.config['all']) >= SCALE_THRESHOLD:
-                if self.config.has_option('etcd', host):
+            if len(self.yaml_config['all']['hosts']) >= SCALE_THRESHOLD:
+                if host in self.yaml_config['all']['children']['etcd']['hosts']:  # noqa
                    self.debug("Not adding {0} to kube-node group because of "
                               "scale deployment and host is in etcd "
                               "group.".format(host))
                    continue
-            if len(self.config['all']) >= MASSIVE_SCALE_THRESHOLD:
-                if self.config.has_option('kube-master', host):
+            if len(self.yaml_config['all']['hosts']) >= MASSIVE_SCALE_THRESHOLD:  # noqa
+                if host in self.yaml_config['all']['children']['kube-master']['hosts']:  # noqa
                    self.debug("Not adding {0} to kube-node group because of "
                               "scale deployment and host is in kube-master "
                               "group.".format(host))
@@ -250,42 +309,31 @@ class KubesprayInventory(object):
    def set_etcd(self, hosts):
        for host in hosts:
            self.add_host_to_group('etcd', host)
-            self.add_host_to_group('vault', host)

    def load_file(self, files=None):
-        '''Directly loads JSON, or YAML file to inventory.'''
+        '''Directly loads JSON to inventory.'''

        if not files:
            raise Exception("No input file specified.")

        import json
-        import yaml

        for filename in list(files):
-            # Try JSON, then YAML
+            # Try JSON
            try:
                with open(filename, 'r') as f:
                    data = json.load(f)
            except ValueError:
-                try:
-                    with open(filename, 'r') as f:
-                        data = yaml.load(f)
-                        print("yaml")
-                except ValueError:
-                    raise Exception("Cannot read %s as JSON, YAML, or CSV",
-                                    filename)
+                raise Exception("Cannot read %s as JSON, or CSV", filename)

            self.ensure_required_groups(ROLES)
            self.set_k8s_cluster()
            for group, hosts in data.items():
                self.ensure_required_groups([group])
                for host, opts in hosts.items():
-                    optstring = "ansible_host={0} ip={0}".format(opts['ip'])
-                    for key, val in opts.items():
-                        if key == "ip":
-                            continue
-                        optstring += " {0}={1}".format(key, val)
-
+                    optstring = {'ansible_host': opts['ip'],
+                                 'ip': opts['ip'],
+                                 'access_ip': opts['ip']}
                    self.add_host_to_group('all', host, optstring)
                    self.add_host_to_group(group, host)
            self.write_config(self.config_file)
@@ -313,24 +361,26 @@ print_ips - Write a space-delimited list of IPs from "all" group

 Advanced usage:
 Add another host after initial creation: inventory.py 10.10.1.5
+Add range of hosts: inventory.py 10.10.1.3-10.10.1.5
+Add hosts with different ip and access ip: inventory.py 10.0.0.1,192.168.10.1 10.0.0.2,192.168.10.2 10.0.0.3,192.168.10.3
 Delete a host: inventory.py -10.10.1.3
 Delete a host by id: inventory.py -node1

 Configurable env vars:
 DEBUG                   Enable debug printing. Default: True
-CONFIG_FILE             File to write config to Default: ./inventory/sample/hosts.ini
+CONFIG_FILE             File to write config to Default: ./inventory/sample/hosts.yaml
 HOST_PREFIX             Host prefix for generated hosts. Default: node
 SCALE_THRESHOLD         Separate ETCD role if # of nodes >= 50
 MASSIVE_SCALE_THRESHOLD Separate K8s master and ETCD if # of nodes >= 200
-'''
+'''  # noqa
        print(help_text)

    def print_config(self):
-        self.config.write(sys.stdout)
+        yaml.dump(self.yaml_config, sys.stdout)

    def print_ips(self):
        ips = []
-        for host, opts in self.config.items('all'):
+        for host, opts in self.yaml_config['all']['hosts'].items():
            ips.append(self.get_ip_from_opts(opts))
        print(' '.join(ips))

@@ -340,5 +390,6 @@ def main(argv=None):
        argv = sys.argv[1:]
    KubesprayInventory(argv, CONFIG_FILE)

+
 if __name__ == "__main__":
    sys.exit(main())
--- a/contrib/inventory_builder/requirements.txt
+++ b/contrib/inventory_builder/requirements.txt
@@ -1 +1,3 @@
 configparser>=3.3.0
+ruamel.yaml>=0.15.88
+ipaddress
--- a/contrib/inventory_builder/tests/test_inventory.py
+++ b/contrib/inventory_builder/tests/test_inventory.py
@@ -34,7 +34,9 @@ class TestInventory(unittest.TestCase):
        self.inv = inventory.KubesprayInventory()

    def test_get_ip_from_opts(self):
-        optstring = "ansible_host=10.90.3.2 ip=10.90.3.2"
+        optstring = {'ansible_host': '10.90.3.2',
+                     'ip': '10.90.3.2',
+                     'access_ip': '10.90.3.2'}
        expected = "10.90.3.2"
        result = self.inv.get_ip_from_opts(optstring)
        self.assertEqual(expected, result)
@@ -48,7 +50,7 @@ class TestInventory(unittest.TestCase):
        groups = ['group1', 'group2']
        self.inv.ensure_required_groups(groups)
        for group in groups:
-            self.assertTrue(group in self.inv.config.sections())
+            self.assertTrue(group in self.inv.yaml_config['all']['children'])

    def test_get_host_id(self):
        hostnames = ['node99', 'no99de01', '01node01', 'node1.domain',
@@ -67,35 +69,49 @@ class TestInventory(unittest.TestCase):
    def test_build_hostnames_add_one(self):
        changed_hosts = ['10.90.0.2']
        expected = OrderedDict([('node1',
-                               'ansible_host=10.90.0.2 ip=10.90.0.2')])
+                                 {'ansible_host': '10.90.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '10.90.0.2'})])
        result = self.inv.build_hostnames(changed_hosts)
        self.assertEqual(expected, result)

    def test_build_hostnames_add_duplicate(self):
        changed_hosts = ['10.90.0.2']
        expected = OrderedDict([('node1',
-                               'ansible_host=10.90.0.2 ip=10.90.0.2')])
-        self.inv.config['all'] = expected
+                                 {'ansible_host': '10.90.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '10.90.0.2'})])
+        self.inv.yaml_config['all']['hosts'] = expected
        result = self.inv.build_hostnames(changed_hosts)
        self.assertEqual(expected, result)

    def test_build_hostnames_add_two(self):
        changed_hosts = ['10.90.0.2', '10.90.0.3']
        expected = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
-        self.inv.config['all'] = OrderedDict()
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
+        self.inv.yaml_config['all']['hosts'] = OrderedDict()
        result = self.inv.build_hostnames(changed_hosts)
        self.assertEqual(expected, result)

    def test_build_hostnames_delete_first(self):
        changed_hosts = ['-10.90.0.2']
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
-        self.inv.config['all'] = existing_hosts
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
+        self.inv.yaml_config['all']['hosts'] = existing_hosts
        expected = OrderedDict([
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        result = self.inv.build_hostnames(changed_hosts)
        self.assertEqual(expected, result)

@@ -103,8 +119,12 @@ class TestInventory(unittest.TestCase):
        hostname = 'node1'
        expected = True
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        result = self.inv.exists_hostname(existing_hosts, hostname)
        self.assertEqual(expected, result)

@@ -112,8 +132,12 @@ class TestInventory(unittest.TestCase):
        hostname = 'node99'
        expected = False
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        result = self.inv.exists_hostname(existing_hosts, hostname)
        self.assertEqual(expected, result)

@@ -121,8 +145,12 @@ class TestInventory(unittest.TestCase):
        ip = '10.90.0.2'
        expected = True
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        result = self.inv.exists_ip(existing_hosts, ip)
        self.assertEqual(expected, result)

@@ -130,26 +158,40 @@ class TestInventory(unittest.TestCase):
        ip = '10.90.0.200'
        expected = False
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        result = self.inv.exists_ip(existing_hosts, ip)
        self.assertEqual(expected, result)

    def test_delete_host_by_ip_positive(self):
        ip = '10.90.0.2'
        expected = OrderedDict([
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        self.inv.delete_host_by_ip(existing_hosts, ip)
        self.assertEqual(expected, existing_hosts)

    def test_delete_host_by_ip_negative(self):
        ip = '10.90.0.200'
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3')])
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
        self.assertRaisesRegexp(ValueError, "Unable to find host",
                                self.inv.delete_host_by_ip, existing_hosts, ip)

@@ -157,59 +199,71 @@ class TestInventory(unittest.TestCase):
        proper_hostnames = ['node1', 'node2']
        bad_host = 'doesnotbelong2'
        existing_hosts = OrderedDict([
-            ('node1', 'ansible_host=10.90.0.2 ip=10.90.0.2'),
-            ('node2', 'ansible_host=10.90.0.3 ip=10.90.0.3'),
-            ('doesnotbelong2', 'whateveropts=ilike')])
-        self.inv.config['all'] = existing_hosts
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'}),
+            ('doesnotbelong2', {'whateveropts=ilike'})])
+        self.inv.yaml_config['all']['hosts'] = existing_hosts
        self.inv.purge_invalid_hosts(proper_hostnames)
-        self.assertTrue(bad_host not in self.inv.config['all'].keys())
+        self.assertTrue(
+            bad_host not in self.inv.yaml_config['all']['hosts'].keys())

    def test_add_host_to_group(self):
        group = 'etcd'
        host = 'node1'
-        opts = 'ip=10.90.0.2'
+        opts = {'ip': '10.90.0.2'}

        self.inv.add_host_to_group(group, host, opts)
-        self.assertEqual(self.inv.config[group].get(host), opts)
+        self.assertEqual(
+            self.inv.yaml_config['all']['children'][group]['hosts'].get(host),
+            None)

    def test_set_kube_master(self):
        group = 'kube-master'
        host = 'node1'

        self.inv.set_kube_master([host])
-        self.assertTrue(host in self.inv.config[group])
+        self.assertTrue(
+            host in self.inv.yaml_config['all']['children'][group]['hosts'])

    def test_set_all(self):
-        group = 'all'
        hosts = OrderedDict([
            ('node1', 'opt1'),
            ('node2', 'opt2')])

        self.inv.set_all(hosts)
        for host, opt in hosts.items():
-            self.assertEqual(self.inv.config[group].get(host), opt)
+            self.assertEqual(
+                self.inv.yaml_config['all']['hosts'].get(host), opt)

    def test_set_k8s_cluster(self):
-        group = 'k8s-cluster:children'
+        group = 'k8s-cluster'
        expected_hosts = ['kube-node', 'kube-master']

        self.inv.set_k8s_cluster()
        for host in expected_hosts:
-            self.assertTrue(host in self.inv.config[group])
+            self.assertTrue(
+                host in
+                self.inv.yaml_config['all']['children'][group]['children'])

    def test_set_kube_node(self):
        group = 'kube-node'
        host = 'node1'

        self.inv.set_kube_node([host])
-        self.assertTrue(host in self.inv.config[group])
+        self.assertTrue(
+            host in self.inv.yaml_config['all']['children'][group]['hosts'])

    def test_set_etcd(self):
        group = 'etcd'
        host = 'node1'

        self.inv.set_etcd([host])
-        self.assertTrue(host in self.inv.config[group])
+        self.assertTrue(
+            host in self.inv.yaml_config['all']['children'][group]['hosts'])

    def test_scale_scenario_one(self):
        num_nodes = 50
@@ -219,11 +273,13 @@ class TestInventory(unittest.TestCase):
            hosts["node" + str(hostid)] = ""

        self.inv.set_all(hosts)
-        self.inv.set_etcd(hosts.keys()[0:3])
-        self.inv.set_kube_master(hosts.keys()[0:2])
+        self.inv.set_etcd(list(hosts.keys())[0:3])
+        self.inv.set_kube_master(list(hosts.keys())[0:2])
        self.inv.set_kube_node(hosts.keys())
        for h in range(3):
-            self.assertFalse(hosts.keys()[h] in self.inv.config['kube-node'])
+            self.assertFalse(
+                list(hosts.keys())[h] in
+                self.inv.yaml_config['all']['children']['kube-node']['hosts'])

    def test_scale_scenario_two(self):
        num_nodes = 500
@@ -233,8 +289,57 @@ class TestInventory(unittest.TestCase):
            hosts["node" + str(hostid)] = ""

        self.inv.set_all(hosts)
-        self.inv.set_etcd(hosts.keys()[0:3])
-        self.inv.set_kube_master(hosts.keys()[3:5])
+        self.inv.set_etcd(list(hosts.keys())[0:3])
+        self.inv.set_kube_master(list(hosts.keys())[3:5])
        self.inv.set_kube_node(hosts.keys())
        for h in range(5):
-            self.assertFalse(hosts.keys()[h] in self.inv.config['kube-node'])
+            self.assertFalse(
+                list(hosts.keys())[h] in
+                self.inv.yaml_config['all']['children']['kube-node']['hosts'])
+
+    def test_range2ips_range(self):
+        changed_hosts = ['10.90.0.2', '10.90.0.4-10.90.0.6', '10.90.0.8']
+        expected = ['10.90.0.2',
+                    '10.90.0.4',
+                    '10.90.0.5',
+                    '10.90.0.6',
+                    '10.90.0.8']
+        result = self.inv.range2ips(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_range2ips_incorrect_range(self):
+        host_range = ['10.90.0.4-a.9b.c.e']
+        self.assertRaisesRegexp(Exception, "Range of ip_addresses isn't valid",
+                                self.inv.range2ips, host_range)
+
+    def test_build_hostnames_different_ips_add_one(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2']
+        expected = OrderedDict([('node1',
+                                 {'ansible_host': '192.168.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '192.168.0.2'})])
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_different_ips_add_duplicate(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2']
+        expected = OrderedDict([('node1',
+                                 {'ansible_host': '192.168.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '192.168.0.2'})])
+        self.inv.yaml_config['all']['hosts'] = expected
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_different_ips_add_two(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2', '10.90.0.3,192.168.0.3']
+        expected = OrderedDict([
+            ('node1', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node2', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'})])
+        self.inv.yaml_config['all']['hosts'] = OrderedDict()
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
--- a/contrib/metallb/README.md
+++ b/contrib/metallb/README.md
@@ -6,5 +6,5 @@ This playbook aims to automate [this](https://metallb.universe.tf/tutorial/layer

 ## Install
 ```
-ansible-playbook --ask-become -i inventory/sample/k8s_heketi_inventory.yml contrib/metallb/metallb.yml
+ansible-playbook --ask-become -i inventory/sample/hosts.ini contrib/metallb/metallb.yml
 ```
--- a/contrib/metallb/library
+++ b/contrib/metallb/library
@@ -0,0 +1 @@
+../../library
--- a/contrib/metallb/roles/provision/defaults/main.yml
+++ b/contrib/metallb/roles/provision/defaults/main.yml
@@ -5,3 +5,4 @@ metallb:
    cpu: "100m"
    memory: "100Mi"
  port: "7472"
+  version: v0.7.3
--- a/contrib/metallb/roles/provision/tasks/main.yml
+++ b/contrib/metallb/roles/provision/tasks/main.yml
@@ -12,6 +12,7 @@
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/{{ item.item }}"
    state: "{{ item.changed | ternary('latest','present') }}"
+  become: true
  with_items: "{{ rendering.results }}"
  when:
    - "inventory_hostname == groups['kube-master'][0]"
--- a/contrib/metallb/roles/provision/templates/metallb.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb.yml.j2
@@ -53,22 +53,6 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
-metadata:
-  namespace: metallb-system
-  name: leader-election
-  labels:
-    app: metallb
-rules:
- apiGroups: [""]
-  resources: ["endpoints"]
-  resourceNames: ["metallb-speaker"]
-  verbs: ["get", "update"]
- apiGroups: [""]
-  resources: ["endpoints"]
-  verbs: ["create"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
  namespace: metallb-system
  name: config-watcher
@@ -131,21 +115,6 @@ roleRef:
  kind: Role
  name: config-watcher
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: metallb-system
-  name: leader-election
-  labels:
-    app: metallb
-subjects:
- kind: ServiceAccount
-  name: speaker
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: leader-election
---
 apiVersion: apps/v1beta2
 kind: DaemonSet
 metadata:
@@ -173,7 +142,7 @@ spec:
      hostNetwork: true
      containers:
      - name: speaker
-        image: metallb/speaker:v0.6.2
+        image: metallb/speaker:{{ metallb.version }}
        imagePullPolicy: IfNotPresent
        args:
        - --port={{ metallb.port }}
@@ -230,7 +199,7 @@ spec:
        runAsUser: 65534 # nobody
      containers:
      - name: controller
-        image: metallb/controller:v0.6.2
+        image: metallb/controller:{{ metallb.version }}
        imagePullPolicy: IfNotPresent
        args:
        - --port={{ metallb.port }}
@@ -250,5 +219,3 @@ spec:
          readOnlyRootFilesystem: true

 ---
-
-
--- a/contrib/network-storage/glusterfs/glusterfs.yml
+++ b/contrib/network-storage/glusterfs/glusterfs.yml
@@ -22,4 +22,3 @@
 - hosts: kube-master[0]
  roles:
    - { role: kubernetes-pv }
-
--- a/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml
@@ -79,4 +79,3 @@
    src: "{{ ip|default(ansible_default_ipv4['address']) }}:/gluster"
    state: unmounted
  when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]
-
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/meta/main.yaml
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/meta/main.yaml
@@ -1,2 +1,3 @@
+---
 dependencies:
  - {role: kubernetes-pv/ansible, tags: apps}
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap.yml
@@ -1,3 +1,4 @@
+---
 # Bootstrap heketi
 - name: "Get state of heketi service, deployment and pods."
  register: "initial_heketi_state"
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/volumes.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/volumes.yml
@@ -38,4 +38,4 @@
  vars: { volume: "{{ volume_information.stdout|from_json }}" }
  when: "volume.name == 'heketidbstorage'"
 - name: "Ensure heketi database volume exists."
-  assert: { that: "heketi_database_volume_created is defined" , msg: "Heketi database volume does not exist." }
+  assert: { that: "heketi_database_volume_created is defined", msg: "Heketi database volume does not exist." }
--- a/contrib/network-storage/heketi/roles/provision/tasks/secret.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/secret.yml
@@ -8,7 +8,9 @@
 - register: "clusterrolebinding_state"
  command: "{{bin_dir}}/kubectl get clusterrolebinding heketi-gluster-admin -o=name --ignore-not-found=true"
  changed_when: false
- assert: { that: "clusterrolebinding_state.stdout != \"\"", message: "Cluster role binding is not present." }
+- assert:
+    that: "clusterrolebinding_state.stdout != \"\""
+    msg: "Cluster role binding is not present."

 - register: "secret_state"
  command: "{{bin_dir}}/kubectl get secret heketi-config-secret -o=name --ignore-not-found=true"
@@ -24,4 +26,6 @@
 - register: "secret_state"
  command: "{{bin_dir}}/kubectl get secret heketi-config-secret -o=name --ignore-not-found=true"
  changed_when: false
- assert: { that: "secret_state.stdout != \"\"", message: "Heketi config secret is not present." }
+- assert:
+    that: "secret_state.stdout != \"\""
+    msg: "Heketi config secret is not present."
--- a/contrib/packaging/rpm/kubespray.spec
+++ b/contrib/packaging/rpm/kubespray.spec
@@ -20,7 +20,7 @@ BuildRequires:  python2-setuptools
 BuildRequires:  python-d2to1
 BuildRequires:  python2-pbr

-Requires: ansible >= 2.4.0
+Requires: ansible >= 2.5.0
 Requires: python-jinja2 >= 2.10
 Requires: python-netaddr
 Requires: python-pbr
--- a/contrib/terraform/OWNERS
+++ b/contrib/terraform/OWNERS
@@ -0,0 +1,5 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - holmsten
+  - miouge1
--- a/contrib/terraform/aws/README.md
+++ b/contrib/terraform/aws/README.md
@@ -43,7 +43,7 @@ ssh -F ./ssh-bastion.conf user@$ip

 Example (this one assumes you are using CoreOS)
 ```commandline
-ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache
+ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_user=core -b --become-user=root --flush-cache
 ```
 ***Using other distrib than CoreOs***
 If you want to use another distribution than CoreOS, you can modify the search filters of the 'data "aws_ami" "distro"' in variables.tf.
@@ -111,9 +111,9 @@ the `AWS CLI` with the following command:
 aws iam delete-instance-profile --region <region_name> --instance-profile-name <profile_name>
 ```

-***Ansible Inventory doesnt get created:***
+***Ansible Inventory doesn't get created:***

-It could happen that Terraform doesnt create an Ansible Inventory file automatically. If this is the case copy the output after `inventory=` and create a file named `hosts`in the directory `inventory` and paste the inventory into the file.
+It could happen that Terraform doesn't create an Ansible Inventory file automatically. If this is the case copy the output after `inventory=` and create a file named `hosts`in the directory `inventory` and paste the inventory into the file.

 **Architecture**

--- a/contrib/terraform/aws/create-infrastructure.tf
+++ b/contrib/terraform/aws/create-infrastructure.tf
@@ -20,31 +20,28 @@ module "aws-vpc" {

  aws_cluster_name         = "${var.aws_cluster_name}"
  aws_vpc_cidr_block       = "${var.aws_vpc_cidr_block}"
-  aws_avail_zones="${slice(data.aws_availability_zones.available.names,0,2)}"
-  aws_cidr_subnets_private="${var.aws_cidr_subnets_private}"
-  aws_cidr_subnets_public="${var.aws_cidr_subnets_public}"
-  default_tags="${var.default_tags}"
-
+  aws_avail_zones          = "${slice(data.aws_availability_zones.available.names,0,2)}"
+  aws_cidr_subnets_private = "${var.aws_cidr_subnets_private}"
+  aws_cidr_subnets_public  = "${var.aws_cidr_subnets_public}"
+  default_tags             = "${var.default_tags}"
 }

-
 module "aws-elb" {
  source = "modules/elb"

-  aws_cluster_name="${var.aws_cluster_name}"
-  aws_vpc_id="${module.aws-vpc.aws_vpc_id}"
-  aws_avail_zones="${slice(data.aws_availability_zones.available.names,0,2)}"
-  aws_subnet_ids_public="${module.aws-vpc.aws_subnet_ids_public}"
+  aws_cluster_name      = "${var.aws_cluster_name}"
+  aws_vpc_id            = "${module.aws-vpc.aws_vpc_id}"
+  aws_avail_zones       = "${slice(data.aws_availability_zones.available.names,0,2)}"
+  aws_subnet_ids_public = "${module.aws-vpc.aws_subnet_ids_public}"
  aws_elb_api_port      = "${var.aws_elb_api_port}"
  k8s_secure_api_port   = "${var.k8s_secure_api_port}"
-  default_tags="${var.default_tags}"
-
+  default_tags          = "${var.default_tags}"
 }

 module "aws-iam" {
  source = "modules/iam"

-  aws_cluster_name="${var.aws_cluster_name}"
+  aws_cluster_name = "${var.aws_cluster_name}"
 }

 /*
@@ -60,8 +57,7 @@ resource "aws_instance" "bastion-server" {
  availability_zone           = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
  subnet_id                   = "${element(module.aws-vpc.aws_subnet_ids_public,count.index)}"

-
-    vpc_security_group_ids = [ "${module.aws-vpc.aws_security_group}" ]
+  vpc_security_group_ids = ["${module.aws-vpc.aws_security_group}"]

  key_name = "${var.AWS_SSH_KEY_NAME}"

@@ -72,7 +68,6 @@ resource "aws_instance" "bastion-server" {
    ))}"
 }

-
 /*
 * Create K8s Master and worker nodes and etcd instances
 *
@@ -84,18 +79,14 @@ resource "aws_instance" "k8s-master" {

  count = "${var.aws_kube_master_num}"

-
  availability_zone = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
  subnet_id         = "${element(module.aws-vpc.aws_subnet_ids_private,count.index)}"

-
-    vpc_security_group_ids = [ "${module.aws-vpc.aws_security_group}" ]
-
+  vpc_security_group_ids = ["${module.aws-vpc.aws_security_group}"]

  iam_instance_profile = "${module.aws-iam.kube-master-profile}"
  key_name             = "${var.AWS_SSH_KEY_NAME}"

-
  tags = "${merge(var.default_tags, map(
      "Name", "kubernetes-${var.aws_cluster_name}-master${count.index}",
      "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
@@ -109,19 +100,16 @@ resource "aws_elb_attachment" "attach_master_nodes" {
  instance = "${element(aws_instance.k8s-master.*.id,count.index)}"
 }

-
 resource "aws_instance" "k8s-etcd" {
  ami           = "${data.aws_ami.distro.id}"
  instance_type = "${var.aws_etcd_size}"

  count = "${var.aws_etcd_num}"

-
  availability_zone = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
  subnet_id         = "${element(module.aws-vpc.aws_subnet_ids_private,count.index)}"

-
-    vpc_security_group_ids = [ "${module.aws-vpc.aws_security_group}" ]
+  vpc_security_group_ids = ["${module.aws-vpc.aws_security_group}"]

  key_name = "${var.AWS_SSH_KEY_NAME}"

@@ -130,10 +118,8 @@ resource "aws_instance" "k8s-etcd" {
      "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
      "Role", "etcd"
    ))}"
-
 }

-
 resource "aws_instance" "k8s-worker" {
  ami           = "${data.aws_ami.distro.id}"
  instance_type = "${var.aws_kube_worker_size}"
@@ -143,22 +129,18 @@ resource "aws_instance" "k8s-worker" {
  availability_zone = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
  subnet_id         = "${element(module.aws-vpc.aws_subnet_ids_private,count.index)}"

-    vpc_security_group_ids = [ "${module.aws-vpc.aws_security_group}" ]
+  vpc_security_group_ids = ["${module.aws-vpc.aws_security_group}"]

  iam_instance_profile = "${module.aws-iam.kube-worker-profile}"
  key_name             = "${var.AWS_SSH_KEY_NAME}"

-
  tags = "${merge(var.default_tags, map(
      "Name", "kubernetes-${var.aws_cluster_name}-worker${count.index}",
      "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
      "Role", "worker"
    ))}"
-
 }

-
-
 /*
 * Create Kubespray Inventory File
 *
@@ -176,7 +158,6 @@ data "template_file" "inventory" {
    list_etcd                 = "${join("\n",aws_instance.k8s-etcd.*.tags.Name)}"
    elb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
  }
-
 }

 resource "null_resource" "inventories" {
@@ -187,5 +168,4 @@ resource "null_resource" "inventories" {
  triggers {
    template = "${data.template_file.inventory.rendered}"
  }
-
 }
--- a/contrib/terraform/aws/modules/elb/main.tf
+++ b/contrib/terraform/aws/modules/elb/main.tf
@@ -7,7 +7,6 @@ resource "aws_security_group" "aws-elb" {
    ))}"
 }

-
 resource "aws_security_group_rule" "aws-allow-api-access" {
  type              = "ingress"
  from_port         = "${var.aws_elb_api_port}"
--- a/contrib/terraform/aws/modules/elb/variables.tf
+++ b/contrib/terraform/aws/modules/elb/variables.tf
@@ -14,14 +14,11 @@ variable "k8s_secure_api_port" {
  description = "Secure Port of K8S API Server"
 }

-
-
 variable "aws_avail_zones" {
  description = "Availability Zones Used"
  type        = "list"
 }

-
 variable "aws_subnet_ids_public" {
  description = "IDs of Public Subnets"
  type        = "list"
--- a/contrib/terraform/aws/modules/iam/main.tf
+++ b/contrib/terraform/aws/modules/iam/main.tf
@@ -2,6 +2,7 @@

 resource "aws_iam_role" "kube-master" {
  name = "kubernetes-${var.aws_cluster_name}-master"
+
  assume_role_policy = <<EOF
 {
  "Version": "2012-10-17",
@@ -20,6 +21,7 @@ EOF

 resource "aws_iam_role" "kube-worker" {
  name = "kubernetes-${var.aws_cluster_name}-node"
+
  assume_role_policy = <<EOF
 {
  "Version": "2012-10-17",
@@ -41,6 +43,7 @@ EOF
 resource "aws_iam_role_policy" "kube-master" {
  name = "kubernetes-${var.aws_cluster_name}-master"
  role = "${aws_iam_role.kube-master.id}"
+
  policy = <<EOF
 {
  "Version": "2012-10-17",
@@ -75,6 +78,7 @@ EOF
 resource "aws_iam_role_policy" "kube-worker" {
  name = "kubernetes-${var.aws_cluster_name}-node"
  role = "${aws_iam_role.kube-worker.id}"
+
  policy = <<EOF
 {
  "Version": "2012-10-17",
@@ -124,7 +128,6 @@ resource "aws_iam_role_policy" "kube-worker" {
 EOF
 }

-
 #Create AWS Instance Profiles

 resource "aws_iam_instance_profile" "kube-master" {
--- a/contrib/terraform/aws/modules/vpc/main.tf
+++ b/contrib/terraform/aws/modules/vpc/main.tf
@@ -1,4 +1,3 @@
-
 resource "aws_vpc" "cluster-vpc" {
  cidr_block = "${var.aws_vpc_cidr_block}"

@@ -11,17 +10,14 @@ resource "aws_vpc" "cluster-vpc" {
    ))}"
 }

-
 resource "aws_eip" "cluster-nat-eip" {
  count = "${length(var.aws_cidr_subnets_public)}"
  vpc   = true
 }

-
 resource "aws_internet_gateway" "cluster-vpc-internetgw" {
  vpc_id = "${aws_vpc.cluster-vpc.id}"

-
  tags = "${merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-internetgw"
  ))}"
@@ -29,7 +25,7 @@ resource "aws_internet_gateway" "cluster-vpc-internetgw" {

 resource "aws_subnet" "cluster-vpc-subnets-public" {
  vpc_id            = "${aws_vpc.cluster-vpc.id}"
-    count="${length(var.aws_avail_zones)}"
+  count             = "${length(var.aws_avail_zones)}"
  availability_zone = "${element(var.aws_avail_zones, count.index)}"
  cidr_block        = "${element(var.aws_cidr_subnets_public, count.index)}"

@@ -43,12 +39,11 @@ resource "aws_nat_gateway" "cluster-nat-gateway" {
  count         = "${length(var.aws_cidr_subnets_public)}"
  allocation_id = "${element(aws_eip.cluster-nat-eip.*.id, count.index)}"
  subnet_id     = "${element(aws_subnet.cluster-vpc-subnets-public.*.id, count.index)}"
-
 }

 resource "aws_subnet" "cluster-vpc-subnets-private" {
  vpc_id            = "${aws_vpc.cluster-vpc.id}"
-    count="${length(var.aws_avail_zones)}"
+  count             = "${length(var.aws_avail_zones)}"
  availability_zone = "${element(var.aws_avail_zones, count.index)}"
  cidr_block        = "${element(var.aws_cidr_subnets_private, count.index)}"

@@ -63,6 +58,7 @@ resource "aws_subnet" "cluster-vpc-subnets-private" {

 resource "aws_route_table" "kubernetes-public" {
  vpc_id = "${aws_vpc.cluster-vpc.id}"
+
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.cluster-vpc-internetgw.id}"
@@ -76,6 +72,7 @@ resource "aws_route_table" "kubernetes-public" {
 resource "aws_route_table" "kubernetes-private" {
  count  = "${length(var.aws_cidr_subnets_private)}"
  vpc_id = "${aws_vpc.cluster-vpc.id}"
+
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = "${element(aws_nat_gateway.cluster-nat-gateway.*.id, count.index)}"
@@ -84,24 +81,20 @@ resource "aws_route_table" "kubernetes-private" {
  tags = "${merge(var.default_tags, map(
      "Name", "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
    ))}"
-
 }

 resource "aws_route_table_association" "kubernetes-public" {
  count          = "${length(var.aws_cidr_subnets_public)}"
  subnet_id      = "${element(aws_subnet.cluster-vpc-subnets-public.*.id,count.index)}"
  route_table_id = "${aws_route_table.kubernetes-public.id}"
-
 }

 resource "aws_route_table_association" "kubernetes-private" {
  count          = "${length(var.aws_cidr_subnets_private)}"
  subnet_id      = "${element(aws_subnet.cluster-vpc-subnets-private.*.id,count.index)}"
  route_table_id = "${element(aws_route_table.kubernetes-private.*.id,count.index)}"
-
 }

-
 #Kubernetes Security Groups

 resource "aws_security_group" "kubernetes" {
@@ -118,7 +111,7 @@ resource "aws_security_group_rule" "allow-all-ingress" {
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
-    cidr_blocks= ["${var.aws_vpc_cidr_block}"]
+  cidr_blocks       = ["${var.aws_vpc_cidr_block}"]
  security_group_id = "${aws_security_group.kubernetes.id}"
 }

@@ -131,7 +124,6 @@ resource "aws_security_group_rule" "allow-all-egress" {
  security_group_id = "${aws_security_group.kubernetes.id}"
 }

-
 resource "aws_security_group_rule" "allow-ssh-connections" {
  type              = "ingress"
  from_port         = 22
--- a/contrib/terraform/aws/modules/vpc/outputs.tf
+++ b/contrib/terraform/aws/modules/vpc/outputs.tf
@@ -12,10 +12,8 @@ output "aws_subnet_ids_public" {

 output "aws_security_group" {
  value = ["${aws_security_group.kubernetes.*.id}"]
-
 }

 output "default_tags" {
  value = "${var.default_tags}"
-
 }
--- a/contrib/terraform/aws/modules/vpc/variables.tf
+++ b/contrib/terraform/aws/modules/vpc/variables.tf
@@ -2,12 +2,10 @@ variable "aws_vpc_cidr_block" {
  description = "CIDR Blocks for AWS VPC"
 }

-
 variable "aws_cluster_name" {
  description = "Name of Cluster"
 }

-
 variable "aws_avail_zones" {
  description = "AWS Availability Zones Used"
  type        = "list"
--- a/contrib/terraform/aws/output.tf
+++ b/contrib/terraform/aws/output.tf
@@ -14,7 +14,6 @@ output "etcd" {
  value = "${join("\n", aws_instance.k8s-etcd.*.private_ip)}"
 }

-
 output "aws_elb_api_fqdn" {
  value = "${module.aws-elb.aws_elb_api_fqdn}:${var.aws_elb_api_port}"
 }
--- a/contrib/terraform/aws/templates/inventory.tpl
+++ b/contrib/terraform/aws/templates/inventory.tpl
@@ -2,8 +2,9 @@
 ${connection_strings_master}
 ${connection_strings_node}
 ${connection_strings_etcd}
+${public_ip_address_bastion}

-
+[bastion]
 ${public_ip_address_bastion}

 [kube-master]
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -8,6 +8,23 @@ Openstack.
 This will install a Kubernetes cluster on an Openstack Cloud. It should work on
 most modern installs of OpenStack that support the basic services.

+### Known compatible public clouds
+- [Auro](https://auro.io/)
+- [Betacloud](https://www.betacloud.io/)
+- [CityCloud](https://www.citycloud.com/)
+- [DreamHost](https://www.dreamhost.com/cloud/computing/)
+- [ELASTX](https://elastx.se/)
+- [EnterCloudSuite](https://www.entercloudsuite.com/)
+- [FugaCloud](https://fuga.cloud/)
+- [OVH](https://www.ovh.com/)
+- [Rackspace](https://www.rackspace.com/)
+- [Ultimum](https://ultimum.io/)
+- [VexxHost](https://vexxhost.com/)
+- [Zetta](https://www.zetta.io/)
+
+### Known incompatible public clouds
+- T-Systems / Open Telekom Cloud: requires `wait_until_associated`
+
 ## Approach
 The terraform configuration inspects variables found in
 [variables.tf](variables.tf) to create resources in your OpenStack cluster.
@@ -92,6 +109,7 @@ Create an inventory directory for your cluster by copying the existing sample an
 $ cp -LRp contrib/terraform/openstack/sample-inventory inventory/$CLUSTER
 $ cd inventory/$CLUSTER
 $ ln -s ../../contrib/terraform/openstack/hosts
+$ ln -s ../../contrib
 ```

 This will be the base for subsequent Terraform commands.
@@ -211,7 +229,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 |`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. |
 |`floatingip_pool` | Name of the pool from which floating IPs will be allocated |
 |`external_net` | UUID of the external network that will be routed to |
-|`flavor_k8s_master`,`flavor_k8s_node`,`flavor_etcd`, `flavor_bastion`,`flavor_gfs_node` | Flavor depends on your openstack installation, you can get available flavor IDs through`nova flavor-list` |
+|`flavor_k8s_master`,`flavor_k8s_node`,`flavor_etcd`, `flavor_bastion`,`flavor_gfs_node` | Flavor depends on your openstack installation, you can get available flavor IDs through `openstack flavor list` |
 |`image`,`image_gfs` | Name of the image to use in provisioning the compute resources. Should already be loaded into glance. |
 |`ssh_user`,`ssh_user_gfs` | The username to ssh into the image with. This usually depends on the image you have selected |
 |`public_key_path` | Path on your local workstation to the public key file you wish to use in creating the key pairs |
@@ -225,6 +243,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
+|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |

 #### Terraform state files

@@ -340,12 +359,7 @@ If it fails try to connect manually via SSH.  It could be something as simple as

 ### Configure cluster variables

-Edit `inventory/$CLUSTER/group_vars/all.yml`:
- Set variable **bootstrap_os** appropriately for your desired image:
-```
-# Valid bootstrap options (required): ubuntu, coreos, centos, none
-bootstrap_os: coreos
-```
+Edit `inventory/$CLUSTER/group_vars/all/all.yml`:
 - **bin_dir**:
 ```
 # Directory where the binaries will be installed
@@ -358,7 +372,7 @@ bin_dir: /opt/bin
 ```
 cloud_provider: openstack
 ```
-Edit `inventory/$CLUSTER/group_vars/k8s-cluster.yml`:
+Edit `inventory/$CLUSTER/group_vars/k8s-cluster/k8s-cluster.yml`:
 - Set variable **kube_network_plugin** to your desired networking plugin.
  - **flannel** works out-of-the-box
  - **calico** requires [configuring OpenStack Neutron ports](/docs/openstack.md) to allow service and pod subnets
@@ -402,8 +416,8 @@ ssh [os-user]@[master-ip] sudo ls /etc/kubernetes/ssl/
 ```
 4. Get `admin`'s certificates and keys:
 ```
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-[cluster_name]-k8s-master-1-key.pem > admin-key.pem
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-[cluster_name]-k8s-master-1.pem > admin.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-kube-master-1-key.pem > admin-key.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-kube-master-1.pem > admin.pem
 ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/ca.pem > ca.pem
 ```
 5. Configure kubectl:
@@ -424,14 +438,6 @@ $ kubectl config use-context default-system
 kubectl version
 ```

-If you are using floating ip addresses then you may get this error:
-```
-Unable to connect to the server: x509: certificate is valid for 10.0.0.6, 10.0.0.6, 10.233.0.1, 127.0.0.1, not 132.249.238.25
-```
-
-You can tell kubectl to ignore this condition by adding the
-`--insecure-skip-tls-verify` option.
-
 ## GlusterFS
 GlusterFS is not deployed by the standard`cluster.yml` playbook, see the
 [GlusterFS playbook documentation](../../network-storage/glusterfs/README.md)
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -6,6 +6,7 @@ module "network" {
  subnet_cidr     = "${var.subnet_cidr}"
  cluster_name    = "${var.cluster_name}"
  dns_nameservers = "${var.dns_nameservers}"
+  use_neutron     = "${var.use_neutron}"
 }

 module "ips" {
@@ -53,6 +54,7 @@ module "compute" {
  bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
  supplementary_master_groups                  = "${var.supplementary_master_groups}"
  supplementary_node_groups                    = "${var.supplementary_node_groups}"
+  worker_allowed_ports                         = "${var.worker_allowed_ports}"

  network_id = "${module.network.router_id}"
 }
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -20,11 +20,12 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {

 resource "openstack_networking_secgroup_v2" "bastion" {
  name        = "${var.cluster_name}-bastion"
+  count       = "${var.number_of_bastions ? 1 : 0}"
  description = "${var.cluster_name} - Bastion Server"
 }

 resource "openstack_networking_secgroup_rule_v2" "bastion" {
-  count = "${length(var.bastion_allowed_remote_ips)}"
+  count             = "${var.number_of_bastions ? length(var.bastion_allowed_remote_ips) : 0}"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
@@ -52,12 +53,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
 }

 resource "openstack_networking_secgroup_rule_v2" "worker" {
+  count             = "${length(var.worker_allowed_ports)}"
  direction         = "ingress"
  ethertype         = "IPv4"
-  protocol = "tcp"
-  port_range_min = "30000"
-  port_range_max = "32767"
-  remote_ip_prefix = "0.0.0.0/0"
+  protocol          = "${lookup(var.worker_allowed_ports[count.index], "protocol", "tcp")}"
+  port_range_min    = "${lookup(var.worker_allowed_ports[count.index], "port_range_min")}"
+  port_range_max    = "${lookup(var.worker_allowed_ports[count.index], "port_range_max")}"
+  remote_ip_prefix  = "${lookup(var.worker_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")}"
  security_group_id = "${openstack_networking_secgroup_v2.worker.id}"
 }

@@ -86,7 +88,6 @@ resource "openstack_compute_instance_v2" "bastion" {
  provisioner "local-exec" {
    command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > contrib/terraform/group_vars/no-floating.yml"
  }
-
 }

 resource "openstack_compute_instance_v2" "k8s_master" {
@@ -101,22 +102,23 @@ resource "openstack_compute_instance_v2" "k8s_master" {
    name = "${var.network_name}"
  }

-  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
-    "${openstack_networking_secgroup_v2.bastion.name}",
-    "${openstack_networking_secgroup_v2.k8s.name}",
-    "default",
-  ]
+  # The join() hack is described here: https://github.com/hashicorp/terraform/issues/11566
+  # As a workaround for creating "dynamic" lists (when, for example, no bastion host is created)

+  security_groups = ["${compact(list(
+    openstack_networking_secgroup_v2.k8s_master.name,
+    join(" ", openstack_networking_secgroup_v2.bastion.*.id),
+    openstack_networking_secgroup_v2.k8s.name,
+    "default",
+   ))}"]
  metadata = {
    ssh_user         = "${var.ssh_user}"
    kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
    depends_on       = "${var.network_id}"
  }
-
  provisioner "local-exec" {
    command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
  }
-
 }

 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
@@ -131,10 +133,11 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
    name = "${var.network_name}"
  }

-  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
-    "${openstack_networking_secgroup_v2.bastion.name}",
-    "${openstack_networking_secgroup_v2.k8s.name}",
-  ]
+  security_groups = ["${compact(list(
+    openstack_networking_secgroup_v2.k8s_master.name,
+    join(" ", openstack_networking_secgroup_v2.bastion.*.id),
+    openstack_networking_secgroup_v2.k8s.name,
+   ))}"]

  metadata = {
    ssh_user         = "${var.ssh_user}"
@@ -145,7 +148,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
  provisioner "local-exec" {
    command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
  }
-
 }

 resource "openstack_compute_instance_v2" "etcd" {
@@ -167,7 +169,6 @@ resource "openstack_compute_instance_v2" "etcd" {
    kubespray_groups = "etcd,vault,no-floating"
    depends_on       = "${var.network_id}"
  }
-
 }

 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
@@ -192,7 +193,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
    kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault,no-floating"
    depends_on       = "${var.network_id}"
  }
-
 }

 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
@@ -216,7 +216,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
    kubespray_groups = "kube-master,${var.supplementary_master_groups},k8s-cluster,vault,no-floating"
    depends_on       = "${var.network_id}"
  }
-
 }

 resource "openstack_compute_instance_v2" "k8s_node" {
@@ -231,11 +230,12 @@ resource "openstack_compute_instance_v2" "k8s_node" {
    name = "${var.network_name}"
  }

-  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
-    "${openstack_networking_secgroup_v2.bastion.name}",
-    "${openstack_networking_secgroup_v2.worker.name}",
+  security_groups = ["${compact(list(
+    openstack_networking_secgroup_v2.k8s_master.name,
+    join(" ", openstack_networking_secgroup_v2.bastion.*.id),
+    openstack_networking_secgroup_v2.k8s.name,
    "default",
-  ]
+   ))}"]

  metadata = {
    ssh_user         = "${var.ssh_user}"
@@ -246,7 +246,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
  provisioner "local-exec" {
    command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_node_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
  }
-
 }

 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
@@ -271,7 +270,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
    kubespray_groups = "kube-node,k8s-cluster,no-floating,${var.supplementary_node_groups}"
    depends_on       = "${var.network_id}"
  }
-
 }

 resource "openstack_compute_floatingip_associate_v2" "bastion" {
@@ -320,7 +318,6 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
    kubespray_groups = "gfs-cluster,network-storage,no-floating"
    depends_on       = "${var.network_id}"
  }
-
 }

 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -46,7 +46,9 @@ variable "network_name" {}

 variable "flavor_bastion" {}

-variable "network_id" {}
+variable "network_id" {
+  default = ""
+}

 variable "k8s_master_fips" {
  type = "list"
@@ -71,3 +73,7 @@ variable "supplementary_master_groups" {
 variable "supplementary_node_groups" {
  default = ""
 }
+
+variable "worker_allowed_ports" {
+  type = "list"
+}
--- a/contrib/terraform/openstack/modules/ips/variables.tf
+++ b/contrib/terraform/openstack/modules/ips/variables.tf
@@ -12,4 +12,6 @@ variable "external_net" {}

 variable "network_name" {}

-variable "router_id" {}
+variable "router_id" {
+  default = ""
+}
--- a/contrib/terraform/openstack/modules/network/main.tf
+++ b/contrib/terraform/openstack/modules/network/main.tf
@@ -1,16 +1,19 @@
 resource "openstack_networking_router_v2" "k8s" {
  name                = "${var.cluster_name}-router"
+  count               = "${var.use_neutron}"
  admin_state_up      = "true"
  external_network_id = "${var.external_net}"
 }

 resource "openstack_networking_network_v2" "k8s" {
  name           = "${var.network_name}"
+  count          = "${var.use_neutron}"
  admin_state_up = "true"
 }

 resource "openstack_networking_subnet_v2" "k8s" {
  name            = "${var.cluster_name}-internal-network"
+  count           = "${var.use_neutron}"
  network_id      = "${openstack_networking_network_v2.k8s.id}"
  cidr            = "${var.subnet_cidr}"
  ip_version      = 4
@@ -18,6 +21,7 @@ resource "openstack_networking_subnet_v2" "k8s" {
 }

 resource "openstack_networking_router_interface_v2" "k8s" {
+  count     = "${var.use_neutron}"
  router_id = "${openstack_networking_router_v2.k8s.id}"
  subnet_id = "${openstack_networking_subnet_v2.k8s.id}"
 }
--- a/contrib/terraform/openstack/modules/network/outputs.tf
+++ b/contrib/terraform/openstack/modules/network/outputs.tf
@@ -1,11 +1,11 @@
 output "router_id" {
-  value = "${openstack_networking_router_v2.k8s.id}"
+  value = "${element(concat(openstack_networking_router_v2.k8s.*.id, list("")), 0)}"
 }

 output "router_internal_port_id" {
-  value = "${openstack_networking_router_interface_v2.k8s.id}"
+  value = "${element(concat(openstack_networking_router_interface_v2.k8s.*.id, list("")), 0)}"
 }

 output "subnet_id" {
-  value = "${openstack_networking_subnet_v2.k8s.id}"
+  value = "${element(concat(openstack_networking_subnet_v2.k8s.*.id, list("")), 0)}"
 }
--- a/contrib/terraform/openstack/modules/network/variables.tf
+++ b/contrib/terraform/openstack/modules/network/variables.tf
@@ -9,3 +9,5 @@ variable "dns_nameservers" {
 }

 variable "subnet_cidr" {}
+
+variable "use_neutron" {}
--- a/contrib/terraform/openstack/sample-inventory/cluster.tf
+++ b/contrib/terraform/openstack/sample-inventory/cluster.tf
@@ -6,11 +6,13 @@ public_key_path = "~/.ssh/id_rsa.pub"

 # image to use for bastion, masters, standalone etcd instances, and nodes
 image = "<image name>"
+
 # user on the node (ex. core on Container Linux, ubuntu on Ubuntu, etc.)
 ssh_user = "<cloud-provisioned user>"

 # 0|1 bastion nodes
 number_of_bastions = 0
+
 #flavor_bastion = "<UUID>"

 # standalone etcds
@@ -18,14 +20,20 @@ number_of_etcd = 0

 # masters
 number_of_k8s_masters = 1
+
 number_of_k8s_masters_no_etcd = 0
+
 number_of_k8s_masters_no_floating_ip = 0
+
 number_of_k8s_masters_no_floating_ip_no_etcd = 0
+
 flavor_k8s_master = "<UUID>"

 # nodes
 number_of_k8s_nodes = 2
+
 number_of_k8s_nodes_no_floating_ip = 4
+
 #flavor_k8s_node = "<UUID>"

 # GlusterFS
@@ -40,7 +48,11 @@ number_of_k8s_nodes_no_floating_ip = 4

 # networking
 network_name = "<network>"
+
 external_net = "<UUID>"
+
 subnet_cidr = "<cidr>"
+
 floatingip_pool = "<pool>"
+
 bastion_allowed_remote_ips = ["0.0.0.0/0"]
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -74,27 +74,27 @@ variable "ssh_user_gfs" {
 }

 variable "flavor_bastion" {
-  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
+  description = "Use 'openstack flavor list' command to see what your OpenStack instance uses for IDs"
  default     = 3
 }

 variable "flavor_k8s_master" {
-  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
+  description = "Use 'openstack flavor list' command to see what your OpenStack instance uses for IDs"
  default     = 3
 }

 variable "flavor_k8s_node" {
-  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
+  description = "Use 'openstack flavor list' command to see what your OpenStack instance uses for IDs"
  default     = 3
 }

 variable "flavor_etcd" {
-  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
+  description = "Use 'openstack flavor list' command to see what your OpenStack instance uses for IDs"
  default     = 3
 }

 variable "flavor_gfs_node" {
-  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
+  description = "Use 'openstack flavor list' command to see what your OpenStack instance uses for IDs"
  default     = 3
 }

@@ -103,6 +103,11 @@ variable "network_name" {
  default     = "internal"
 }

+variable "use_neutron" {
+  description = "Use neutron"
+  default     = 1
+}
+
 variable "subnet_cidr" {
  description = "Subnet CIDR block."
  type        = "string"
@@ -139,3 +144,16 @@ variable "bastion_allowed_remote_ips" {
  type        = "list"
  default     = ["0.0.0.0/0"]
 }
+
+variable "worker_allowed_ports" {
+  type = "list"
+
+  default = [
+    {
+      "protocol"         = "tcp"
+      "port_range_min"   = 30000
+      "port_range_max"   = 32767
+      "remote_ip_prefix" = "0.0.0.0/0"
+    },
+  ]
+}
--- a/contrib/terraform/packet/README.md
+++ b/contrib/terraform/packet/README.md
@@ -0,0 +1,231 @@
+# Kubernetes on Packet with Terraform
+
+Provision a Kubernetes cluster with [Terraform](https://www.terraform.io) on
+[Packet](https://www.packet.com).
+
+## Status
+
+This will install a Kubernetes cluster on Packet bare metal. It should work in all locations and on most server types.
+
+## Approach
+The terraform configuration inspects variables found in
+[variables.tf](variables.tf) to create resources in your Packet project.
+There is a [python script](../terraform.py) that reads the generated`.tfstate`
+file to generate a dynamic inventory that is consumed by [cluster.yml](../../..//cluster.yml)
+to actually install Kubernetes with Kubespray.
+
+### Kubernetes Nodes
+You can create many different kubernetes topologies by setting the number of
+different classes of hosts.
+- Master nodes with etcd: `number_of_k8s_masters` variable
+- Master nodes without etcd: `number_of_k8s_masters_no_etcd` variable
+- Standalone etcd hosts: `number_of_etcd` variable
+- Kubernetes worker nodes: `number_of_k8s_nodes` variable
+
+Note that the Ansible script will report an invalid configuration if you wind up
+with an *even number* of etcd instances since that is not a valid configuration. This
+restriction includes standalone etcd nodes that are deployed in a cluster along with
+master nodes with etcd replicas. As an example, if you have three master nodes with
+etcd replicas and three standalone etcd nodes, the script will fail since there are
+now six total etcd replicas.
+
+## Requirements
+
+- [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
+- Install dependencies: `sudo pip install -r requirements.txt`
+- Account with Packet Host
+- An SSH key pair
+
+## SSH Key Setup
+
+An SSH keypair is required so Ansible can access the newly provisioned nodes (bare metal Packet hosts). By default, the public SSH key defined in cluster.tf will be installed in authorized_key on the newly provisioned nodes (~/.ssh/id_rsa.pub). Terraform will upload this public key and then it will be distributed out to all the nodes. If you have already set this public key in Packet (i.e. via the portal), then set the public keyfile name in cluster.tf to blank to prevent the duplicate key from being uploaded which will cause an error.
+
+If you don't already have a keypair generated (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub), then a new keypair can be generated with the command:
+
+```ShellSession
+ssh-keygen -f ~/.ssh/id_rsa
+```
+
+## Terraform
+Terraform will be used to provision all of the Packet resources with base software as appropriate.
+
+### Configuration
+
+#### Inventory files
+
+Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):
+
+```ShellSession
+$ cp -LRp contrib/terraform/packet/sample-inventory inventory/$CLUSTER
+$ cd inventory/$CLUSTER
+$ ln -s ../../contrib/terraform/packet/hosts
+```
+
+This will be the base for subsequent Terraform commands.
+
+#### Packet API access
+
+Your Packet API key must be available in the `PACKET_AUTH_TOKEN` environment variable.
+This key is typically stored outside of the code repo since it is considered secret.
+If someone gets this key, they can startup/shutdown hosts in your project!
+
+For more information on how to generate an API key or find your project ID, please see:
+https://support.packet.com/kb/articles/api-integrations
+
+The Packet Project ID associated with the key will be set later in cluster.tf.
+
+For more information about the API, please see:
+https://www.packet.com/developers/api/
+
+Example:
+```ShellSession
+$ export PACKET_AUTH_TOKEN="Example-API-Token"
+```
+
+Note that to deploy several clusters within the same project you need to use [terraform workspace](https://www.terraform.io/docs/state/workspaces.html#using-workspaces).
+
+#### Cluster variables
+The construction of the cluster is driven by values found in
+[variables.tf](variables.tf).
+
+For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
+
+The `cluster_name` is used to set a tag on each server deployed as part of this cluster.
+This helps when identifying which hosts are associated with each cluster.
+
+While the defaults in variables.tf will successfully deploy a cluster, it is recommended to set the following values:
+
+* cluster_name = the name of the inventory directory created above as $CLUSTER
+* packet_project_id = the Packet Project ID associated with the Packet API token above
+
+#### Enable localhost access
+Kubespray will pull down a Kubernetes configuration file to access this cluster by enabling the 
+`kubeconfig_localhost: true` in the Kubespray configuration.
+
+Edit `inventory/$CLUSTER/group_vars/k8s-cluster/k8s-cluster.yml` and comment back in the following line and change from `false` to `true`:
+`\# kubeconfig_localhost: false`
+becomes:
+`kubeconfig_localhost: true`
+
+Once the Kubespray playbooks are run, a Kubernetes configuration file will be written to the local host at `inventory/$CLUSTER/artifacts/admin.conf`
+
+#### Terraform state files
+
+In the cluster's inventory folder, the following files might be created (either by Terraform
+or manually), to prevent you from pushing them accidentally they are in a
+`.gitignore` file in the `terraform/packet` directory :
+
+* `.terraform`
+* `.tfvars`
+* `.tfstate`
+* `.tfstate.backup`
+
+You can still add them manually if you want to.
+
+### Initialization
+
+Before Terraform can operate on your cluster you need to install the required
+plugins. This is accomplished as follows:
+
+```ShellSession
+$ cd inventory/$CLUSTER
+$ terraform init ../../contrib/terraform/packet
+```
+
+This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
+
+### Provisioning cluster
+You can apply the Terraform configuration to your cluster with the following command
+issued from your cluster's inventory directory (`inventory/$CLUSTER`):
+```ShellSession
+$ terraform apply -var-file=cluster.tf ../../contrib/terraform/packet
+$ export ANSIBLE_HOST_KEY_CHECKING=False
+$ ansible-playbook -i hosts ../../cluster.yml
+```
+
+### Destroying cluster
+You can destroy your new cluster with the following command issued from the cluster's inventory directory:
+
+```ShellSession
+$ terraform destroy -var-file=cluster.tf ../../contrib/terraform/packet
+```
+
+If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
+
+* remove SSH keys from the destroyed cluster from your `~/.ssh/known_hosts` file
+* clean up any temporary cache files: `rm /tmp/$CLUSTER-*`
+
+### Debugging
+You can enable debugging output from Terraform by setting `TF_LOG` to `DEBUG` before running the Terraform command.
+
+## Ansible
+
+### Node access
+
+#### SSH
+
+Ensure your local ssh-agent is running and your ssh key has been added. This
+step is required by the terraform provisioner:
+
+```
+$ eval $(ssh-agent -s)
+$ ssh-add ~/.ssh/id_rsa
+```
+
+If you have deployed and destroyed a previous iteration of your cluster, you will need to clear out any stale keys from your SSH "known hosts" file ( `~/.ssh/known_hosts`).
+
+#### Test access
+
+Make sure you can connect to the hosts.  Note that Container Linux by CoreOS will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.
+
+```
+$ ansible -i inventory/$CLUSTER/hosts -m ping all
+example-k8s_node-1 | SUCCESS => {
+    "changed": false,
+    "ping": "pong"
+}
+example-etcd-1 | SUCCESS => {
+    "changed": false,
+    "ping": "pong"
+}
+example-k8s-master-1 | SUCCESS => {
+    "changed": false,
+    "ping": "pong"
+}
+```
+
+If it fails try to connect manually via SSH.  It could be something as simple as a stale host key.
+
+### Deploy Kubernetes
+
+```
+$ ansible-playbook --become -i inventory/$CLUSTER/hosts cluster.yml
+```
+
+This will take some time as there are many tasks to run.
+
+## Kubernetes
+
+### Set up kubectl
+
+* [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on the localhost.
+
+* Verify that Kubectl runs correctly
+```
+kubectl version
+```
+
+* Verify that the Kubernetes configuration file has been copied over
+```
+cat inventory/alpha/$CLUSTER/admin.conf
+```
+
+* Verify that all the nodes are running correctly.
+```
+kubectl version
+kubectl --kubeconfig=inventory/$CLUSTER/artifacts/admin.conf  get nodes
+```
+
+## What's next
+
+Try out your new Kubernetes cluster with the [Hello Kubernetes service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/).
--- a/contrib/terraform/packet/hosts
+++ b/contrib/terraform/packet/hosts
@@ -0,0 +1 @@
+../terraform.py
--- a/contrib/terraform/packet/kubespray.tf
+++ b/contrib/terraform/packet/kubespray.tf
@@ -0,0 +1,60 @@
+# Configure the Packet Provider
+provider "packet" {}
+
+resource "packet_ssh_key" "k8s" {
+  count      = "${var.public_key_path != "" ? 1 : 0}"
+  name       = "kubernetes-${var.cluster_name}"
+  public_key = "${chomp(file(var.public_key_path))}"
+}
+
+resource "packet_device" "k8s_master" {
+  depends_on = ["packet_ssh_key.k8s"]
+
+  count            = "${var.number_of_k8s_masters}"
+  hostname         = "${var.cluster_name}-k8s-master-${count.index+1}"
+  plan             = "${var.plan_k8s_masters}"
+  facility         = "${var.facility}"
+  operating_system = "${var.operating_system}"
+  billing_cycle    = "${var.billing_cycle}"
+  project_id       = "${var.packet_project_id}"
+  tags             = ["cluster-${var.cluster_name}", "k8s-cluster", "kube-master", "etcd", "kube-node"]
+}
+
+resource "packet_device" "k8s_master_no_etcd" {
+  depends_on = ["packet_ssh_key.k8s"]
+
+  count            = "${var.number_of_k8s_masters_no_etcd}"
+  hostname         = "${var.cluster_name}-k8s-master-${count.index+1}"
+  plan             = "${var.plan_k8s_masters_no_etcd}"
+  facility         = "${var.facility}"
+  operating_system = "${var.operating_system}"
+  billing_cycle    = "${var.billing_cycle}"
+  project_id       = "${var.packet_project_id}"
+  tags             = ["cluster-${var.cluster_name}", "k8s-cluster", "kube-master"]
+}
+
+resource "packet_device" "k8s_etcd" {
+  depends_on = ["packet_ssh_key.k8s"]
+
+  count            = "${var.number_of_etcd}"
+  hostname         = "${var.cluster_name}-etcd-${count.index+1}"
+  plan             = "${var.plan_etcd}"
+  facility         = "${var.facility}"
+  operating_system = "${var.operating_system}"
+  billing_cycle    = "${var.billing_cycle}"
+  project_id       = "${var.packet_project_id}"
+  tags             = ["cluster-${var.cluster_name}", "etcd"]
+}
+
+resource "packet_device" "k8s_node" {
+  depends_on = ["packet_ssh_key.k8s"]
+
+  count            = "${var.number_of_k8s_nodes}"
+  hostname         = "${var.cluster_name}-k8s-node-${count.index+1}"
+  plan             = "${var.plan_k8s_nodes}"
+  facility         = "${var.facility}"
+  operating_system = "${var.operating_system}"
+  billing_cycle    = "${var.billing_cycle}"
+  project_id       = "${var.packet_project_id}"
+  tags             = ["cluster-${var.cluster_name}", "k8s-cluster", "kube-node"]
+}
--- a/contrib/terraform/packet/output.tf
+++ b/contrib/terraform/packet/output.tf
@@ -0,0 +1,15 @@
+output "k8s_masters" {
+  value = "${packet_device.k8s_master.*.access_public_ipv4}"
+}
+
+output "k8s_masters_no_etc" {
+  value = "${packet_device.k8s_master_no_etcd.*.access_public_ipv4}"
+}
+
+output "k8s_etcds" {
+  value = "${packet_device.k8s_etcd.*.access_public_ipv4}"
+}
+
+output "k8s_nodes" {
+  value = "${packet_device.k8s_node.*.access_public_ipv4}"
+}
--- a/contrib/terraform/packet/sample-inventory/cluster.tf
+++ b/contrib/terraform/packet/sample-inventory/cluster.tf
@@ -0,0 +1,32 @@
+# your Kubernetes cluster name here
+cluster_name = "mycluster"
+
+# Your Packet project ID. See https://support.packet.com/kb/articles/api-integrations
+packet_project_id = "Example-API-Token"
+
+# The public SSH key to be uploaded into authorized_keys in bare metal Packet nodes provisioned
+# leave this value blank if the public key is already setup in the Packet project
+# Terraform will complain if the public key is setup in Packet
+public_key_path = "~/.ssh/id_rsa.pub"
+
+# cluster location
+facility = "ewr1"
+
+# standalone etcds
+number_of_etcd = 0
+
+plan_etcd = "t1.small.x86"
+
+# masters
+number_of_k8s_masters = 1
+
+number_of_k8s_masters_no_etcd = 0
+
+plan_k8s_masters = "t1.small.x86"
+
+plan_k8s_masters_no_etcd = "t1.small.x86"
+
+# nodes
+number_of_k8s_nodes = 2
+
+plan_k8s_nodes = "t1.small.x86"
--- a/contrib/terraform/packet/sample-inventory/group_vars
+++ b/contrib/terraform/packet/sample-inventory/group_vars
@@ -0,0 +1 @@
+../../../../inventory/sample/group_vars
--- a/contrib/terraform/packet/variables.tf
+++ b/contrib/terraform/packet/variables.tf
@@ -0,0 +1,56 @@
+variable "cluster_name" {
+  default = "kubespray"
+}
+
+variable "packet_project_id" {
+  description = "Your Packet project ID. See https://support.packet.com/kb/articles/api-integrations"
+}
+
+variable "operating_system" {
+  default = "ubuntu_16_04"
+}
+
+variable "public_key_path" {
+  description = "The path of the ssh pub key"
+  default     = "~/.ssh/id_rsa.pub"
+}
+
+variable "billing_cycle" {
+  default = "hourly"
+}
+
+variable "facility" {
+  default = "dfw2"
+}
+
+variable "plan_k8s_masters" {
+  default = "c2.medium.x86"
+}
+
+variable "plan_k8s_masters_no_etcd" {
+  default = "c2.medium.x86"
+}
+
+variable "plan_etcd" {
+  default = "c2.medium.x86"
+}
+
+variable "plan_k8s_nodes" {
+  default = "c2.medium.x86"
+}
+
+variable "number_of_k8s_masters" {
+  default = 0
+}
+
+variable "number_of_k8s_masters_no_etcd" {
+  default = 0
+}
+
+variable "number_of_etcd" {
+  default = 0
+}
+
+variable "number_of_k8s_nodes" {
+  default = 0
+}
--- a/contrib/terraform/terraform.py
+++ b/contrib/terraform/terraform.py
@@ -218,6 +218,47 @@ def triton_machine(resource, module_name):
    return name, attrs, groups


+@parses('packet_device')
+def packet_device(resource, tfvars=None):
+    raw_attrs = resource['primary']['attributes']
+    name = raw_attrs['hostname']
+    groups = []
+
+    attrs = {
+        'id': raw_attrs['id'],
+        'facility': raw_attrs['facility'],
+        'hostname': raw_attrs['hostname'],
+        'operating_system': raw_attrs['operating_system'],
+        'locked': parse_bool(raw_attrs['locked']),
+        'tags': parse_list(raw_attrs, 'tags'),
+        'plan': raw_attrs['plan'],
+        'project_id': raw_attrs['project_id'],
+        'state': raw_attrs['state'],
+        # ansible
+        'ansible_ssh_host': raw_attrs['network.0.address'],
+        'ansible_ssh_user': 'root',  # it's always "root" on Packet
+        # generic
+        'ipv4_address': raw_attrs['network.0.address'],
+        'public_ipv4': raw_attrs['network.0.address'],
+        'ipv6_address': raw_attrs['network.1.address'],
+        'public_ipv6': raw_attrs['network.1.address'],
+        'private_ipv4': raw_attrs['network.2.address'],
+        'provider': 'packet',
+    }
+
+    # add groups based on attrs
+    groups.append('packet_facility=' + attrs['facility'])
+    groups.append('packet_operating_system=' + attrs['operating_system'])
+    groups.append('packet_locked=%s' % attrs['locked'])
+    groups.append('packet_state=' + attrs['state'])
+    groups.append('packet_plan=' + attrs['plan'])
+
+    # groups specific to kubespray
+    groups = groups + attrs['tags']
+
+    return name, attrs, groups
+
+
@parses('digitalocean_droplet')
@calculate_mantl_vars
 def digitalocean_host(resource, tfvars=None):
@@ -328,6 +369,7 @@ def openstack_host(resource, module_name):
    attrs = {
        'access_ip_v4': raw_attrs['access_ip_v4'],
        'access_ip_v6': raw_attrs['access_ip_v6'],
+        'access_ip': raw_attrs['access_ip_v4'],
        'ip': raw_attrs['network.0.fixed_ip_v4'],
        'flavor': parse_dict(raw_attrs, 'flavor',
                             sep='_'),
@@ -685,6 +727,7 @@ def iter_host_ips(hosts, ips):
            ip = ips[host_id]
            host[1].update({
                'access_ip_v4': ip,
+                'access_ip': ip,
                'public_ipv4': ip,
                'ansible_ssh_host': ip,
            })
--- a/contrib/vault/groups_vars/vault.yaml
+++ b/contrib/vault/groups_vars/vault.yaml
@@ -0,0 +1,32 @@
+---
+vault_deployment_type: docker
+vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+vault_version: 0.10.1
+vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+vault_image_repo: "vault"
+vault_image_tag: "{{ vault_version }}"
+vault_downloads:
+  vault:
+    enabled: "{{ cert_management == 'vault' }}"
+    container: "{{ vault_deployment_type != 'host' }}"
+    file: "{{ vault_deployment_type == 'host' }}"
+    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+    mode: "0755"
+    owner: "vault"
+    repo: "{{ vault_image_repo }}"
+    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
+    tag: "{{ vault_image_tag }}"
+    unarchive: true
+    url: "{{ vault_download_url }}"
+    version: "{{ vault_version }}"
+    groups:
+      - vault
+
+# Vault data dirs.
+vault_base_dir: /etc/vault
+vault_cert_dir: "{{ vault_base_dir }}/ssl"
+vault_config_dir: "{{ vault_base_dir }}/config"
+vault_roles_dir: "{{ vault_base_dir }}/roles"
+vault_secrets_dir: "{{ vault_base_dir }}/secrets"
+kube_vault_mount_path: "/kube"
+etcd_vault_mount_path: "/etcd"
--- a/contrib/vault/requirements.txt
+++ b/contrib/vault/requirements.txt
@@ -0,0 +1 @@
+ansible-modules-hashivault>=3.9.4
--- a/contrib/vault/roles/etcd/vault/tasks/gen_certs_vault.yml
+++ b/contrib/vault/roles/etcd/vault/tasks/gen_certs_vault.yml
--- a/contrib/vault/roles/etcd/vault/tasks/sync_etcd_master_certs.yml
+++ b/contrib/vault/roles/etcd/vault/tasks/sync_etcd_master_certs.yml
--- a/contrib/vault/roles/etcd/vault/tasks/sync_etcd_node_certs.yml
+++ b/contrib/vault/roles/etcd/vault/tasks/sync_etcd_node_certs.yml
--- a/contrib/vault/roles/kubernetes/vault-secrets/tasks/gen_certs_vault.yml
+++ b/contrib/vault/roles/kubernetes/vault-secrets/tasks/gen_certs_vault.yml
--- a/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_master_certs.yml
+++ b/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_master_certs.yml
--- a/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_node_certs.yml
+++ b/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_node_certs.yml
--- a/contrib/vault/roles/vault/defaults/main.yml
+++ b/contrib/vault/roles/vault/defaults/main.yml
@@ -23,6 +23,9 @@ vault_version: 0.10.1
 vault_binary_checksum: 66f0f1b0b221d664dd5913f8697409d7401df4bb2a19c7277e8fbad152063fae
 vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"

+# hvac==0.7.0 is broken at the moment
+hvac_version: 0.6.4
+
 # Arch of Docker images and needed packages
 image_arch: "{{host_architecture}}"

--- a/contrib/vault/roles/vault/handlers/main.yml
+++ b/contrib/vault/roles/vault/handlers/main.yml
@@ -12,7 +12,7 @@
    headers: "{{ vault_client_headers }}"
    status_code: "{{ vault_successful_http_codes | join(',') }}"
  register: vault_health_check
-  until: vault_health_check|succeeded
+  until: vault_health_check is succeeded
  retries: 10
  delay: "{{ retry_stagger | random + 3 }}"
  run_once: yes
--- a/contrib/vault/roles/vault/meta/main.yml
+++ b/contrib/vault/roles/vault/meta/main.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/create_mounts.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/create_mounts.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/create_roles.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/create_roles.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/gen_vault_certs.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/gen_vault_certs.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/main.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/main.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml
@@ -20,7 +20,7 @@
    url: "http://localhost:{{ vault_port }}/"
    secret_shares: 1
    secret_threshold: 1
-  until: "vault_temp_init|succeeded"
+  until: "vault_temp_init is succeeded"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  register: vault_temp_init
--- a/contrib/vault/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml
--- a/contrib/vault/roles/vault/tasks/bootstrap/sync_vault_certs.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/sync_vault_certs.yml
--- a/contrib/vault/roles/vault/tasks/cluster/binary.yml
+++ b/contrib/vault/roles/vault/tasks/cluster/binary.yml
--- a/Show More
+++ b/Show More