Check kube-apiserver up on all masters before upgrade (#7193 ) (#7197 )

Only checking the kubernetes api on the first master when upgrading is not enough. Each master needs to be checked before it's upgrade. Signed-off-by: Rick Haan <rickhaan94@gmail.com>
update hashes for 1.18 and 1.19 for kubespray-2.14 (#7207 )
2025-12-14 13:54:37 +03:00 · 2021-01-29 02:33:40 -08:00 · 2021-01-27 03:53:40 -08:00 · 2021-01-27 03:47:40 -08:00 · 2021-01-26 07:18:34 -08:00 · 2020-12-22 04:54:26 -08:00
792 changed files with 40359 additions and 6387 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -2,15 +2,8 @@
 parseable: true
 skip_list:
  # see https://docs.ansible.com/ansible-lint/rules/default_rules.html for a list of all default rules
-  # The following rules throw errors.
-  # These either still need to be corrected in the repository and the rules re-enabled or documented why they are skipped on purpose.
-  - '301'
-  - '302'
-  - '303'
-  - '305'
-  - '306'
-  - '404'
-  - '503'
+
+  # DO NOT add any other rules to this skip_list, instead use local `# noqa` with a comment explaining WHY it is necessary

  # These rules are intentionally skipped:
  #
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+
+[*.{yaml,yml,yml.j2,yaml.j2}]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+charset = utf-8
+
+[{Dockerfile}]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+charset = utf-8
--- a/.github/ISSUE_TEMPLATE/bug-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -18,6 +18,8 @@ explain why.

 - **Version of Ansible** (`ansible --version`):

+- **Version of Python** (`python --version`):
+

 **Kubespray version (commit) (`git rev-parse --short HEAD`):**

@@ -25,8 +27,8 @@ explain why.
 **Network plugin used**:


-**Copy of your inventory file:**
-
+**Full inventory with variables (`ansible -i inventory/sample/inventory.ini all -m debug -a "var=hostvars[inventory_hostname]"`):**
+<!-- We recommend using snippets services like https://gist.github.com/ etc. -->

 **Command used to invoke ansible**:

--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,9 +1,9 @@
 <!--  Thanks for sending a pull request!  Here are some tips for you:

-1. If this is your first time, please read our contributor guidelines: https://git.k8s.io/community/contributors/guide#your-first-contribution and developer guide https://git.k8s.io/community/contributors/devel/development.md#development-guide
+1. If this is your first time, please read our contributor guidelines: https://git.k8s.io/community/contributors/guide/first-contribution.md and developer guide https://git.k8s.io/community/contributors/devel/development.md
 2. Please label this pull request according to what type of issue you are addressing, especially if this is a release targeted pull request. For reference on required PR/issue labels, read here:
-https://git.k8s.io/community/contributors/devel/release.md#issue-kind-label
-3. Ensure you have added or ran the appropriate tests for your PR: https://git.k8s.io/community/contributors/devel/testing.md
+https://git.k8s.io/community/contributors/devel/sig-release/release.md#issuepr-kind-label
+3. Ensure you have added or ran the appropriate tests for your PR: https://git.k8s.io/community/contributors/devel/sig-testing/testing.md
 4. If you want *faster* PR reviews, read how: https://git.k8s.io/community/contributors/guide/pull-requests.md#best-practices-for-faster-reviews
 5. Follow the instructions for writing a release note: https://git.k8s.io/community/contributors/guide/release-notes.md
 6. If the PR is unfinished, see how to mark it: https://git.k8s.io/community/contributors/guide/pull-requests.md#marking-unfinished-pull-requests
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 .vagrant
 *.retry
 **/vagrant_ansible_inventory
+*.iml
 temp
 .idea
 .tox
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,17 +4,18 @@ stages:
  - deploy-part1
  - moderator
  - deploy-part2
-  - deploy-gce
+  - deploy-part3
  - deploy-special

 variables:
+  KUBESPRAY_VERSION: v2.13.3
  FAILFASTCI_NAMESPACE: 'kargo-ci'
  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
-  # DOCKER_HOST: tcp://localhost:2375
  ANSIBLE_FORCE_COLOR: "true"
  MAGIC: "ci check this"
  TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
  CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
+  CI_TEST_REGISTRY_MIRROR: "./tests/common/_docker_hub_registry_mirror.yml"
  GS_ACCESS_KEY_ID: $GS_KEY
  GS_SECRET_ACCESS_KEY: $GS_SECRET
  CONTAINER_ENGINE: docker
@@ -26,7 +27,10 @@ variables:
  IDEMPOT_CHECK: "false"
  RESET_CHECK: "false"
  UPGRADE_TEST: "false"
-  LOG_LEVEL: "-vv"
+  MITOGEN_ENABLE: "false"
+  ANSIBLE_LOG_LEVEL: "-vv"
+  RECOVER_CONTROL_PLANE_TEST: "false"
+  RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube-master[1:]"

 before_script:
  - ./tests/scripts/rebase.sh
@@ -37,14 +41,14 @@ before_script:
 .job: &job
  tags:
    - packet
-  variables:
-    KUBESPRAY_VERSION: v2.11.0
  image: quay.io/kubespray/kubespray:$KUBESPRAY_VERSION
+  artifacts:
+    when: always
+    paths:
+      - cluster-dump/

 .testcases: &testcases
  <<: *job
-  services:
-    - docker:dind
  before_script:
    - update-alternatives --install /usr/bin/python python /usr/bin/python3 1
    - ./tests/scripts/rebase.sh
@@ -52,7 +56,7 @@ before_script:
  script:
    - ./tests/scripts/testcases_run.sh
  after_script:
-    - ./tests/scripts/testcases_cleanup.sh
+    - chronic ./tests/scripts/testcases_cleanup.sh

 # For failfast, at least 1 job must be defined in .gitlab-ci.yml
 # Premoderated with manual actions
@@ -70,3 +74,4 @@ include:
  - .gitlab-ci/shellcheck.yml
  - .gitlab-ci/terraform.yml
  - .gitlab-ci/packet.yml
+  - .gitlab-ci/vagrant.yml
--- a/.gitlab-ci/gce.yml
+++ b/.gitlab-ci/gce.yml
@@ -1,247 +0,0 @@
---
-.gce_variables: &gce_variables
-  GCE_USER: travis
-  SSH_USER: $GCE_USER
-  CLOUD_MACHINE_TYPE: "g1-small"
-  CI_PLATFORM: "gce"
-  PRIVATE_KEY: $GCE_PRIVATE_KEY
-
-.cache: &cache
-  cache:
-    key: "$CI_BUILD_REF_NAME"
-    paths:
-      - downloads/
-      - $HOME/.cache
-
-.gce: &gce
-  extends: .testcases
-  <<: *cache
-  variables:
-    <<: *gce_variables
-  tags:
-    - gce
-  except: ['triggers']
-  only: [/^pr-.*$/]
-
-.centos_weave_kubeadm_variables: &centos_weave_kubeadm_variables
-  # stage: deploy-part1
-  UPGRADE_TEST: "graceful"
-
-.centos7_multus_calico_variables: &centos7_multus_calico_variables
-  # stage: deploy-gce
-  UPGRADE_TEST: "graceful"
-
-# Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
-### PR JOBS PART1
-
-gce_ubuntu18-flannel-aio:
-  stage: deploy-part1
-  <<: *gce
-  when: manual
-
-### PR JOBS PART2
-
-gce_coreos-calico-aio:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-
-gce_centos7-flannel-addons:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-### MANUAL JOBS
-
-gce_centos-weave-kubeadm-sep:
-  stage: deploy-gce
-  extends: .gce
-  variables:
-    <<: *centos_weave_kubeadm_variables
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_ubuntu-weave-sep:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-  only: ['triggers']
-  except: []
-
-gce_coreos-calico-sep-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_ubuntu-canal-ha-triggers:
-  stage: deploy-special
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_centos7-flannel-addons-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_ubuntu-weave-sep-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-# More builds for PRs/merges (manual) and triggers (auto)
-
-
-gce_ubuntu-canal-ha:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_ubuntu-canal-kubeadm:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-gce_ubuntu-canal-kubeadm-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_ubuntu-flannel-ha:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-gce_centos-weave-kubeadm-triggers:
-  stage: deploy-gce
-  extends: .gce
-  variables:
-    <<: *centos_weave_kubeadm_variables
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_ubuntu-contiv-sep:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_coreos-cilium:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_ubuntu18-cilium-sep:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_rhel7-weave:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-gce_rhel7-weave-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_debian9-calico-upgrade:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-gce_debian9-calico-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_coreos-canal:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-gce_coreos-canal-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_rhel7-canal-sep:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_rhel7-canal-sep-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_centos7-calico-ha:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_centos7-calico-ha-triggers:
-  stage: deploy-gce
-  <<: *gce
-  when: on_success
-  only: ['triggers']
-  except: []
-
-gce_centos7-kube-router:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_centos7-multus-calico:
-  stage: deploy-gce
-  extends: .gce
-  variables:
-    <<: *centos7_multus_calico_variables
-  when: manual
-
-gce_oracle-canal:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
-gce_opensuse-canal:
-  stage: deploy-gce
-  <<: *gce
-  when: manual
-
-# no triggers yet https://github.com/kubernetes-incubator/kargo/issues/613
-gce_coreos-alpha-weave-ha:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_coreos-kube-router:
-  stage: deploy-special
-  <<: *gce
-  when: manual
-
-gce_ubuntu-kube-router-sep:
-  stage: deploy-special
-  <<: *gce
-  when: manual
--- a/.gitlab-ci/lint.yml
+++ b/.gitlab-ci/lint.yml
@@ -2,6 +2,7 @@
 yamllint:
  extends: .job
  stage: unit-tests
+  tags: [light]
  variables:
    LANG: C.UTF-8
  script:
@@ -11,15 +12,17 @@ yamllint:
 vagrant-validate:
  extends: .job
  stage: unit-tests
+  tags: [light]
+  variables:
+    VAGRANT_VERSION: 2.2.4
  script:
-    - curl -sL https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_x86_64.deb -o /tmp/vagrant_2.2.4_x86_64.deb
-    - dpkg -i /tmp/vagrant_2.2.4_x86_64.deb
-    - vagrant validate --ignore-provider
+    - ./tests/scripts/vagrant-validate.sh
  except: ['triggers', 'master']

 ansible-lint:
  extends: .job
  stage: unit-tests
+  tags: [light]
  # lint every yml/yaml file that looks like it contains Ansible plays
  script: |-
    grep -Rl '^- hosts: \|^  hosts: ' --include \*.yml --include \*.yaml . | xargs -P 4 -n 25 ansible-lint -v
@@ -28,6 +31,7 @@ ansible-lint:
 syntax-check:
  extends: .job
  stage: unit-tests
+  tags: [light]
  variables:
    ANSIBLE_INVENTORY: inventory/local-tests.cfg
    ANSIBLE_REMOTE_USER: root
@@ -43,6 +47,7 @@ syntax-check:

 tox-inventory-builder:
  stage: unit-tests
+  tags: [light]
  extends: .job
  before_script:
    - ./tests/scripts/rebase.sh
@@ -56,8 +61,16 @@ tox-inventory-builder:

 markdownlint:
  stage: unit-tests
+  tags: [light]
  image: node
  before_script:
    - npm install -g markdownlint-cli
  script:
    - markdownlint README.md docs --ignore docs/_sidebar.md
+
+ci-matrix:
+  stage: unit-tests
+  tags: [light]
+  image: python:3
+  script:
+    - tests/scripts/md-table/test.sh
--- a/.gitlab-ci/packet.yml
+++ b/.gitlab-ci/packet.yml
@@ -14,87 +14,145 @@ packet_ubuntu18-calico-aio:
  extends: .packet
  when: on_success

+# Future AIO job
+packet_ubuntu20-calico-aio:
+  stage: deploy-part1
+  extends: .packet
+  when: on_success
+
 # ### PR JOBS PART2

-packet_centos7-flannel-addons:
+packet_centos7-flannel-containerd-addons-ha:
  extends: .packet
  stage: deploy-part2
  when: on_success
-
-# ### MANUAL JOBS
-
-packet_centos-weave-kubeadm-sep:
-  stage: deploy-part2
-  extends: .packet
-  when: on_success
  variables:
-    UPGRADE_TEST: basic
+    MITOGEN_ENABLE: "true"

-packet_ubuntu-weave-sep:
+packet_centos7-crio:
+  extends: .packet
+  stage: deploy-part2
+  when: on_success
+  variables:
+    MITOGEN_ENABLE: "true"
+
+packet_ubuntu18-crio:
+  extends: .packet
+  stage: deploy-part2
+  when: manual
+  variables:
+    MITOGEN_ENABLE: "true"
+
+packet_ubuntu16-canal-kubeadm-ha:
  stage: deploy-part2
  extends: .packet
-  when: manual
+  when: on_success

-# # More builds for PRs/merges (manual) and triggers (auto)
-
-packet_ubuntu-canal-ha:
+packet_ubuntu16-canal-sep:
  stage: deploy-special
  extends: .packet
  when: manual

-packet_ubuntu-canal-kubeadm:
-  stage: deploy-part2
-  extends: .packet
-  when: on_success
-
-packet_ubuntu-flannel-ha:
+packet_ubuntu16-flannel-ha:
  stage: deploy-part2
  extends: .packet
  when: manual

+packet_ubuntu16-kube-router-sep:
+  stage: deploy-part2
+  extends: .packet
+  when: manual
+
+packet_ubuntu16-kube-router-svc-proxy:
+  stage: deploy-part2
+  extends: .packet
+  when: manual
+
+packet_debian10-cilium-svc-proxy:
+  stage: deploy-part2
+  extends: .packet
+  when: manual
+
+packet_debian10-containerd:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+  variables:
+    MITOGEN_ENABLE: "true"
+
+packet_centos7-calico-ha-once-localhost:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+  variables:
+    # This will instruct Docker not to start over TLS.
+    DOCKER_TLS_CERTDIR: ""
+  services:
+    - docker:19.03.9-dind
+
+packet_centos8-kube-ovn:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+
+packet_centos8-calico:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+
+packet_fedora32-weave:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+
+packet_opensuse-canal:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+
+packet_ubuntu18-ovn4nfv:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+
 # Contiv does not work in k8s v1.16
-# packet_ubuntu-contiv-sep:
+# packet_ubuntu16-contiv-sep:
 #   stage: deploy-part2
 #   extends: .packet
 #   when: on_success

+# ### MANUAL JOBS
+
+packet_ubuntu16-weave-sep:
+  stage: deploy-part2
+  extends: .packet
+  when: manual
+
 packet_ubuntu18-cilium-sep:
  stage: deploy-special
  extends: .packet
  when: manual

-packet_ubuntu18-flannel-containerd:
+packet_ubuntu18-flannel-containerd-ha:
  stage: deploy-part2
  extends: .packet
  when: manual

-packet_debian9-macvlan-sep:
+packet_ubuntu18-flannel-containerd-ha-once:
  stage: deploy-part2
  extends: .packet
  when: manual

-packet_debian9-calico-upgrade:
+packet_debian9-macvlan:
  stage: deploy-part2
  extends: .packet
-  when: on_success
-  variables:
-    UPGRADE_TEST: graceful
-
-packet_debian10-containerd:
-  stage: deploy-part2
-  extends: .packet
-  when: on_success
+  when: manual

 packet_centos7-calico-ha:
  stage: deploy-part2
  extends: .packet
  when: manual

-packet_centos7-kube-ovn:
-  stage: deploy-part2
-  extends: .packet
-  when: on_success
-
 packet_centos7-kube-router:
  stage: deploy-part2
  extends: .packet
@@ -105,22 +163,67 @@ packet_centos7-multus-calico:
  extends: .packet
  when: manual

-packet_opensuse-canal:
+packet_oracle7-canal-ha:
  stage: deploy-part2
  extends: .packet
  when: manual

-packet_oracle-7-canal:
+packet_fedora31-flannel:
  stage: deploy-part2
  extends: .packet
-  when: manual
-
-packet_ubuntu-kube-router-sep:
-  stage: deploy-part2
-  extends: .packet
-  when: manual
+  when: on_success
+  variables:
+    MITOGEN_ENABLE: "true"

 packet_amazon-linux-2-aio:
  stage: deploy-part2
  extends: .packet
  when: manual
+
+packet_fedora32-kube-ovn-containerd:
+  stage: deploy-part2
+  extends: .packet
+  when: on_success
+
+# ### PR JOBS PART3
+# Long jobs (45min+)
+
+packet_centos7-weave-upgrade-ha:
+  stage: deploy-part3
+  extends: .packet
+  when: on_success
+  variables:
+    UPGRADE_TEST: basic
+    MITOGEN_ENABLE: "false"
+
+packet_debian9-calico-upgrade:
+  stage: deploy-part3
+  extends: .packet
+  when: on_success
+  variables:
+    UPGRADE_TEST: graceful
+    MITOGEN_ENABLE: "false"
+
+packet_debian9-calico-upgrade-once:
+  stage: deploy-part3
+  extends: .packet
+  when: on_success
+  variables:
+    UPGRADE_TEST: graceful
+    MITOGEN_ENABLE: "false"
+
+packet_ubuntu18-calico-ha-recover:
+  stage: deploy-part3
+  extends: .packet
+  when: on_success
+  variables:
+    RECOVER_CONTROL_PLANE_TEST: "true"
+    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube-master[1:]"
+
+packet_ubuntu18-calico-ha-recover-noquorum:
+  stage: deploy-part3
+  extends: .packet
+  when: on_success
+  variables:
+    RECOVER_CONTROL_PLANE_TEST: "true"
+    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[1:],kube-master[1:]"
--- a/.gitlab-ci/shellcheck.yml
+++ b/.gitlab-ci/shellcheck.yml
@@ -2,14 +2,15 @@
 shellcheck:
  extends: .job
  stage: unit-tests
+  tags: [light]
  variables:
    SHELLCHECK_VERSION: v0.6.0
  before_script:
    - ./tests/scripts/rebase.sh
-    - curl --silent "https://storage.googleapis.com/shellcheck/shellcheck-"${SHELLCHECK_VERSION}".linux.x86_64.tar.xz" | tar -xJv
+    - curl --silent --location "https://github.com/koalaman/shellcheck/releases/download/"${SHELLCHECK_VERSION}"/shellcheck-"${SHELLCHECK_VERSION}".linux.x86_64.tar.xz" | tar -xJv
    - cp shellcheck-"${SHELLCHECK_VERSION}"/shellcheck /usr/bin/
    - shellcheck --version
  script:
    # Run shellcheck for all *.sh except contrib/
-    - find . -name '*.sh' -not -path './contrib/*' | xargs shellcheck --severity error
+    - find . -name '*.sh' -not -path './contrib/*' -not -path './.git/*' | xargs shellcheck --severity error
  except: ['triggers', 'master']
--- a/.gitlab-ci/terraform.yml
+++ b/.gitlab-ci/terraform.yml
@@ -18,10 +18,14 @@
    - echo "$PACKET_PRIVATE_KEY" | base64 -d > ~/.ssh/id_rsa
    - chmod 400 ~/.ssh/id_rsa
    - echo "$PACKET_PUBLIC_KEY" | base64 -d > ~/.ssh/id_rsa.pub
+    - mkdir -p group_vars
+    # Random subnet to avoid routing conflicts
+    - export TF_VAR_subnet_cidr="10.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).0/24"

 .terraform_validate:
  extends: .terraform_install
  stage: unit-tests
+  tags: [light]
  only: ['master', /^pr-.*$/]
  script:
    - terraform validate -var-file=cluster.tfvars contrib/terraform/$PROVIDER
@@ -29,9 +33,14 @@

 .terraform_apply:
  extends: .terraform_install
-  stage: deploy-part2
+  tags: [light]
+  stage: deploy-part3
  when: manual
  only: [/^pr-.*$/]
+  artifacts:
+    when: always
+    paths:
+      - cluster-dump/
  variables:
    ANSIBLE_INVENTORY_UNPARSED_FAILED: "true"
    ANSIBLE_INVENTORY: hosts
@@ -42,33 +51,33 @@
    - tests/scripts/testcases_run.sh
  after_script:
    # Cleanup regardless of exit code
-    - ./tests/scripts/testcases_cleanup.sh
+    - chronic ./tests/scripts/testcases_cleanup.sh

 tf-validate-openstack:
  extends: .terraform_validate
  variables:
-    TF_VERSION: 0.12.12
+    TF_VERSION: 0.12.24
    PROVIDER: openstack
    CLUSTER: $CI_COMMIT_REF_NAME

 tf-validate-packet:
  extends: .terraform_validate
  variables:
-    TF_VERSION: 0.12.12
+    TF_VERSION: 0.12.24
    PROVIDER: packet
    CLUSTER: $CI_COMMIT_REF_NAME

 tf-validate-aws:
  extends: .terraform_validate
  variables:
-    TF_VERSION: 0.12.12
+    TF_VERSION: 0.12.24
    PROVIDER: aws
    CLUSTER: $CI_COMMIT_REF_NAME

 # tf-packet-ubuntu16-default:
 #   extends: .terraform_apply
 #   variables:
-#     TF_VERSION: 0.12.12
+#     TF_VERSION: 0.12.24
 #     PROVIDER: packet
 #     CLUSTER: $CI_COMMIT_REF_NAME
 #     TF_VAR_number_of_k8s_masters: "1"
@@ -82,7 +91,7 @@ tf-validate-aws:
 # tf-packet-ubuntu18-default:
 #   extends: .terraform_apply
 #   variables:
-#     TF_VERSION: 0.12.12
+#     TF_VERSION: 0.12.24
 #     PROVIDER: packet
 #     CLUSTER: $CI_COMMIT_REF_NAME
 #     TF_VAR_number_of_k8s_masters: "1"
@@ -104,12 +113,87 @@ tf-validate-aws:
  OS_INTERFACE: public
  OS_IDENTITY_API_VERSION: "3"

+# Elastx is generously donating resources for Kubespray on Openstack CI
+# Contacts: @gix @bl0m1
+.elastx_variables: &elastx_variables
+  OS_AUTH_URL: https://ops.elastx.cloud:5000
+  OS_PROJECT_ID: 564c6b461c6b44b1bb19cdb9c2d928e4
+  OS_PROJECT_NAME: kubespray_ci
+  OS_USER_DOMAIN_NAME: Default
+  OS_PROJECT_DOMAIN_ID: default
+  OS_USERNAME: kubespray@root314.com
+  OS_REGION_NAME: se-sto
+  OS_INTERFACE: public
+  OS_IDENTITY_API_VERSION: "3"
+  TF_VAR_router_id: "ab95917c-41fb-4881-b507-3a6dfe9403df"
+  # Since ELASTX is in Stockholm, Mitogen helps with latency
+  MITOGEN_ENABLE: "false"
+  # Mitogen doesn't support interpreter discovery yet
+  ANSIBLE_PYTHON_INTERPRETER: "/usr/bin/python3"
+
+tf-elastx_cleanup:
+  stage: unit-tests
+  tags: [light]
+  image: python
+  variables:
+    <<: *elastx_variables
+  before_script:
+    - pip install -r scripts/openstack-cleanup/requirements.txt
+  script:
+    - ./scripts/openstack-cleanup/main.py
+
+tf-elastx_ubuntu18-calico:
+  extends: .terraform_apply
+  stage: deploy-part3
+  when: on_success
+  variables:
+    <<: *elastx_variables
+    TF_VERSION: 0.12.24
+    PROVIDER: openstack
+    CLUSTER: $CI_COMMIT_REF_NAME
+    ANSIBLE_TIMEOUT: "60"
+    SSH_USER: ubuntu
+    TF_VAR_number_of_k8s_masters: "1"
+    TF_VAR_number_of_k8s_masters_no_floating_ip: "0"
+    TF_VAR_number_of_k8s_masters_no_floating_ip_no_etcd: "0"
+    TF_VAR_number_of_etcd: "0"
+    TF_VAR_number_of_k8s_nodes: "1"
+    TF_VAR_number_of_k8s_nodes_no_floating_ip: "0"
+    TF_VAR_number_of_gfs_nodes_no_floating_ip: "0"
+    TF_VAR_number_of_bastions: "0"
+    TF_VAR_number_of_k8s_masters_no_etcd: "0"
+    TF_VAR_floatingip_pool: "elx-public1"
+    TF_VAR_dns_nameservers: '["1.1.1.1", "8.8.8.8", "8.8.4.4"]'
+    TF_VAR_use_access_ip: "0"
+    TF_VAR_external_net: "600b8501-78cb-4155-9c9f-23dfcba88828"
+    TF_VAR_network_name: "ci-$CI_JOB_ID"
+    TF_VAR_az_list: '["sto1"]'
+    TF_VAR_az_list_node: '["sto1"]'
+    TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
+    TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
+    TF_VAR_image: ubuntu-18.04-server-latest
+    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
+
+
+tf-ovh_cleanup:
+  stage: unit-tests
+  tags: [light]
+  image: python
+  environment: ovh
+  variables:
+    <<: *ovh_variables
+  before_script:
+    - pip install -r scripts/openstack-cleanup/requirements.txt
+  script:
+    - ./scripts/openstack-cleanup/main.py
+
 tf-ovh_ubuntu18-calico:
  extends: .terraform_apply
  when: on_success
+  environment: ovh
  variables:
    <<: *ovh_variables
-    TF_VERSION: 0.12.12
+    TF_VERSION: 0.12.24
    PROVIDER: openstack
    CLUSTER: $CI_COMMIT_REF_NAME
    ANSIBLE_TIMEOUT: "60"
@@ -131,31 +215,3 @@ tf-ovh_ubuntu18-calico:
    TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229"      # s1-8
    TF_VAR_image: "Ubuntu 18.04"
    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
-
-tf-ovh_coreos-calico:
-  extends: .terraform_apply
-  when: on_success
-  variables:
-    <<: *ovh_variables
-    TF_VERSION: 0.12.12
-    PROVIDER: openstack
-    CLUSTER: $CI_COMMIT_REF_NAME
-    ANSIBLE_TIMEOUT: "60"
-    SSH_USER: core
-    TF_VAR_number_of_k8s_masters: "0"
-    TF_VAR_number_of_k8s_masters_no_floating_ip: "1"
-    TF_VAR_number_of_k8s_masters_no_floating_ip_no_etcd: "0"
-    TF_VAR_number_of_etcd: "0"
-    TF_VAR_number_of_k8s_nodes: "0"
-    TF_VAR_number_of_k8s_nodes_no_floating_ip: "1"
-    TF_VAR_number_of_gfs_nodes_no_floating_ip: "0"
-    TF_VAR_number_of_bastions: "0"
-    TF_VAR_number_of_k8s_masters_no_etcd: "0"
-    TF_VAR_use_neutron: "0"
-    TF_VAR_floatingip_pool: "Ext-Net"
-    TF_VAR_external_net: "6011fbc9-4cbf-46a4-8452-6890a340b60b"
-    TF_VAR_network_name: "Ext-Net"
-    TF_VAR_flavor_k8s_master: "4d4fd037-9493-4f2b-9afe-b542b5248eac"    # b2-7
-    TF_VAR_flavor_k8s_node: "4d4fd037-9493-4f2b-9afe-b542b5248eac"      # b2-7
-    TF_VAR_image: "CoreOS Stable"
-    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
--- a/.gitlab-ci/vagrant.yml
+++ b/.gitlab-ci/vagrant.yml
@@ -0,0 +1,54 @@
+---
+
+molecule_tests:
+  tags: [c3.small.x86]
+  only: [/^pr-.*$/]
+  except: ['triggers']
+  image: quay.io/kubespray/vagrant:$KUBESPRAY_VERSION
+  services: []
+  stage: deploy-part1
+  before_script:
+    - tests/scripts/rebase.sh
+    - apt-get update && apt-get install -y python3-pip
+    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+    - python -m pip install -r tests/requirements.txt
+    - ./tests/scripts/vagrant_clean.sh
+  script:
+    - ./tests/scripts/molecule_run.sh
+
+.vagrant:
+  extends: .testcases
+  variables:
+    CI_PLATFORM: "vagrant"
+    SSH_USER: "vagrant"
+    VAGRANT_DEFAULT_PROVIDER: "libvirt"
+    KUBESPRAY_VAGRANT_CONFIG: tests/files/${CI_JOB_NAME}.rb
+  tags: [c3.small.x86]
+  only: [/^pr-.*$/]
+  except: ['triggers']
+  image: quay.io/kubespray/vagrant:$KUBESPRAY_VERSION
+  services: []
+  before_script:
+    - apt-get update && apt-get install -y python3-pip
+    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+    - python -m pip install -r tests/requirements.txt
+    - ./tests/scripts/vagrant_clean.sh
+  script:
+    - ./tests/scripts/testcases_run.sh
+  after_script:
+    - chronic ./tests/scripts/testcases_cleanup.sh
+
+vagrant_ubuntu18-flannel:
+  stage: deploy-part2
+  extends: .vagrant
+  when: on_success
+
+vagrant_ubuntu18-weave-medium:
+  stage: deploy-part2
+  extends: .vagrant
+  when: manual
+
+vagrant_ubuntu20-flannel:
+  stage: deploy-part2
+  extends: .vagrant
+  when: on_success
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,10 +2,30 @@

 ## How to become a contributor and submit your own code

+### Environment setup
+
+It is recommended to use filter to manage the GitHub email notification, see [examples for setting filters to Kubernetes Github notifications](https://github.com/kubernetes/community/blob/master/communication/best-practices.md#examples-for-setting-filters-to-kubernetes-github-notifications)
+
+To install development dependencies you can use `pip install -r tests/requirements.txt`
+
+#### Linting
+
+Kubespray uses `yamllint` and `ansible-lint`. To run them locally use `yamllint .` and `./tests/scripts/ansible-lint.sh`
+
+#### Molecule
+
+[molecule](https://github.com/ansible-community/molecule) is designed to help the development and testing of Ansible roles. In Kubespray you can run it all for all roles with `./tests/scripts/molecule_run.sh` or for a specific role (that you are working with) with `molecule test` from the role directory (`cd roles/my-role`).
+
+When developing or debugging a role it can be useful to run `molecule create` and `molecule converge` separately. Then you can use `molecule login` to SSH into the test environment.
+
+#### Vagrant
+
+Vagrant with VirtualBox or libvirt driver helps you to quickly spin test clusters to test things end to end. See [README.md#vagrant](README.md)
+
 ### Contributing A Patch

 1. Submit an issue describing your proposed change to the repo in question.
 2. The [repo owners](OWNERS) will respond to your issue promptly.
 3. Fork the desired repo, develop and test your code changes.
-4. Sign the CNCF CLA (https://git.k8s.io/community/CLA.md#the-contributor-license-agreement)
+4. Sign the CNCF CLA (<https://git.k8s.io/community/CLA.md#the-contributor-license-agreement>)
 5. Submit a pull request.
--- a/19
+++ b/19
@@ -4,15 +4,18 @@ RUN mkdir /kubespray
 WORKDIR /kubespray
 RUN apt update -y && \
    apt install -y \
-    libssl-dev python3-dev sshpass apt-transport-https jq \
+    libssl-dev python3-dev sshpass apt-transport-https jq moreutils \
    ca-certificates curl gnupg2 software-properties-common python3-pip rsync
-RUN  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
-     add-apt-repository \
-     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
-     $(lsb_release -cs) \
-     stable" \
-     && apt update -y && apt-get install docker-ce -y
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
+    add-apt-repository \
+    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+    $(lsb_release -cs) \
+    stable" \
+    && apt update -y && apt-get install docker-ce -y
 COPY . .
 RUN /usr/bin/python3 -m pip install pip -U && /usr/bin/python3 -m pip install -r tests/requirements.txt && python3 -m pip install -r requirements.txt && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.14.4/bin/linux/amd64/kubectl \
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.5/bin/linux/amd64/kubectl \
    && chmod a+x kubectl && cp kubectl /usr/local/bin/kubectl
+
+# Some tools like yamllint need this
+ENV LANG=C.UTF-8
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 mitogen:
-	ansible-playbook -c local mitogen.yaml -vv
+	ansible-playbook -c local mitogen.yml -vv
 clean:
 	rm -rf dist/
 	rm *.retry
--- a/4
+++ b/4
@@ -9,7 +9,11 @@ aliases:
    - riverzhang
    - verwilst
    - woopstar
+    - luckysb
  kubespray-reviewers:
    - jjungnickel
    - archifleks
    - holmsten
+    - bozzo
+    - floryut
+    - eppo
--- a/README.md
+++ b/README.md
@@ -2,10 +2,10 @@

 ![Kubernetes Logo](https://raw.githubusercontent.com/kubernetes-sigs/kubespray/master/docs/img/kubernetes-logo.png)

-If you have questions, check the [documentation](https://kubespray.io) and join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.
+If you have questions, check the documentation at [kubespray.io](https://kubespray.io) and join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.
 You can get your invite [here](http://slack.k8s.io/)

- Can be deployed on **AWS, GCE, Azure, OpenStack, vSphere, Packet (bare metal), Oracle Cloud Infrastructure (Experimental), or Baremetal**
+- Can be deployed on **[AWS](docs/aws.md), GCE, [Azure](docs/azure.md), [OpenStack](docs/openstack.md), [vSphere](docs/vsphere.md), [Packet](docs/packet.md) (bare metal), Oracle Cloud Infrastructure (Experimental), or Baremetal**
 - **Highly available** cluster
 - **Composable** (Choice of the network plugin for instance)
 - Supports most popular **Linux distributions**
@@ -21,14 +21,14 @@ To deploy the cluster you can use :

 ```ShellSession
 # Install dependencies from ``requirements.txt``
-sudo pip install -r requirements.txt
+sudo pip3 install -r requirements.txt

 # Copy ``inventory/sample`` as ``inventory/mycluster``
 cp -rfp inventory/sample inventory/mycluster

 # Update Ansible inventory file with inventory builder
 declare -a IPS=(10.10.1.3 10.10.1.4 10.10.1.5)
-CONFIG_FILE=inventory/mycluster/inventory.ini python3 contrib/inventory_builder/inventory.py ${IPS[@]}
+CONFIG_FILE=inventory/mycluster/hosts.yaml python3 contrib/inventory_builder/inventory.py ${IPS[@]}

 # Review and change parameters under ``inventory/mycluster/group_vars``
 cat inventory/mycluster/group_vars/all/all.yml
@@ -38,7 +38,7 @@ cat inventory/mycluster/group_vars/k8s-cluster/k8s-cluster.yml
 # The option `--become` is required, as for example writing SSL keys in /etc/,
 # installing packages and interacting with various systemd daemons.
 # Without --become the playbook will fail to run!
-ansible-playbook -i inventory/mycluster/inventory.ini --become --become-user=root cluster.yml
+ansible-playbook -i inventory/mycluster/hosts.yaml  --become --become-user=root cluster.yml
 ```

 Note: When Ansible is already installed via system packages on the control machine, other python packages installed via `sudo pip install -r requirements.txt` will go to a different directory tree (e.g. `/usr/local/lib/python2.7/dist-packages` on Ubuntu) from Ansible's (e.g. `/usr/lib/python2.7/dist-packages/ansible` still on Ubuntu).
@@ -75,6 +75,7 @@ vagrant up
 - [Requirements](#requirements)
 - [Kubespray vs ...](docs/comparisons.md)
 - [Getting started](docs/getting-started.md)
+- [Setting up your first cluster](docs/setting-up-your-first-cluster.md)
 - [Ansible inventory and tags](docs/ansible.md)
 - [Integration with existing ansible repo](docs/integration.md)
 - [Deployment data variables](docs/vars.md)
@@ -82,7 +83,8 @@ vagrant up
 - [HA mode](docs/ha-mode.md)
 - [Network plugins](#network-plugins)
 - [Vagrant install](docs/vagrant.md)
- [CoreOS bootstrap](docs/coreos.md)
+- [Flatcar Container Linux bootstrap](docs/flatcar.md)
+- [Fedora CoreOS bootstrap](docs/fcos.md)
 - [Debian Jessie setup](docs/debian.md)
 - [openSUSE setup](docs/opensuse.md)
 - [Downloaded artifacts](docs/downloads.md)
@@ -93,54 +95,59 @@ vagrant up
 - [vSphere](docs/vsphere.md)
 - [Packet Host](docs/packet.md)
 - [Large deployments](docs/large-deployments.md)
+- [Adding/replacing a node](docs/nodes.md)
 - [Upgrades basics](docs/upgrades.md)
+- [Air-Gap installation](docs/offline-environment.md)
 - [Roadmap](docs/roadmap.md)

 ## Supported Linux Distributions

- **Container Linux by CoreOS**
+- **Flatcar Container Linux by Kinvolk**
 - **Debian** Buster, Jessie, Stretch, Wheezy
- **Ubuntu** 16.04, 18.04
- **CentOS/RHEL** 7
- **Fedora** 28
- **Fedora/CentOS** Atomic
+- **Ubuntu** 16.04, 18.04, 20.04
+- **CentOS/RHEL** 7, 8 (experimental: see [centos 8 notes](docs/centos8.md))
+- **Fedora** 31, 32
+- **Fedora CoreOS** (experimental: see [fcos Note](docs/fcos.md))
 - **openSUSE** Leap 42.3/Tumbleweed
- **Oracle Linux** 7
+- **Oracle Linux** 7, 8 (experimental: [centos 8 notes](docs/centos8.md) apply)

 Note: Upstart/SysV init based OS types are not supported.

 ## Supported Components

 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.16.7
-  - [etcd](https://github.com/coreos/etcd) v3.3.10
-  - [docker](https://www.docker.com/) v18.06 (see note)
-  - [cri-o](http://cri-o.io/) v1.14.0 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS)
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.18.10
+  - [etcd](https://github.com/coreos/etcd) v3.4.3
+  - [docker](https://www.docker.com/) v19.03 (see note)
+  - [containerd](https://containerd.io/) v1.2.13
+  - [cri-o](http://cri-o.io/) v1.17 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.1
-  - [calico](https://github.com/projectcalico/calico) v3.7.3
+  - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6
+  - [calico](https://github.com/projectcalico/calico) v3.15.2
  - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.5.5
+  - [cilium](https://github.com/cilium/cilium) v1.8.3
  - [contiv](https://github.com/contiv/install) v1.2.1
-  - [flanneld](https://github.com/coreos/flannel) v0.11.0
-  - [kube-router](https://github.com/cloudnativelabs/kube-router) v0.2.5
-  - [multus](https://github.com/intel/multus-cni) v3.2.1
-  - [weave](https://github.com/weaveworks/weave) v2.5.2
+  - [flanneld](https://github.com/coreos/flannel) v0.12.0
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.3.0
+  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.0.1
+  - [multus](https://github.com/intel/multus-cni) v3.6.0
+  - [ovn4nfv](https://github.com/opnfv/ovn4nfv-k8s-plugin) v1.1.0
+  - [weave](https://github.com/weaveworks/weave) v2.7.0
 - Application
+  - [ambassador](https://github.com/datawire/ambassador): v1.5
  - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
  - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v0.11.0
-  - [coredns](https://github.com/coredns/coredns) v1.6.0
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.26.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v0.16.1
+  - [coredns](https://github.com/coredns/coredns) v1.6.7
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.35.0

-Note: The list of validated [docker versions](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.16.md) was updated to 1.13.1, 17.03, 17.06, 17.09, 18.06, 18.09. kubeadm now properly recognizes Docker 18.09.0 and newer, but still treats 18.06 as the default supported version. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
+Note: The list of validated [docker versions](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker) is 1.13.1, 17.03, 17.06, 17.09, 18.06, 18.09 and 19.03. The recommended docker version is 19.03. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).

 ## Requirements

- **Minimum required version of Kubernetes is v1.15**
- **Ansible v2.7.8 and python-netaddr is installed on the machine that will run Ansible commands**
- **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
- The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/downloads.md#offline-environment))
+- **Minimum required version of Kubernetes is v1.17**
+- **Ansible v2.9+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
+- The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.
 - **Your ssh key must be copied** to all the servers part of your inventory.
 - The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
@@ -163,7 +170,10 @@ You can choose between 10 network plugins. (default: `calico`, except Vagrant us

 - [flannel](docs/flannel.md): gre/vxlan (layer 2) networking.

- [calico](docs/calico.md): bgp (layer 3) networking.
+- [Calico](https://docs.projectcalico.org/latest/introduction/) is a networking and network policy provider. Calico supports a flexible set of networking options
+    designed to give you the most efficient networking across a range of situations, including non-overlay
+    and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts,
+    pods, and (if using Istio and Envoy) applications at the service mesh layer.

 - [canal](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.

@@ -172,6 +182,8 @@ You can choose between 10 network plugins. (default: `calico`, except Vagrant us
 - [contiv](docs/contiv.md): supports vlan, vxlan, bgp and Cisco SDN networking. This plugin is able to
    apply firewall policies, segregate containers in multiple network and bridging pods onto physical networks.

+- [ovn4nfv](docs/ovn4nfv.md): [ovn4nfv-k8s-plugins](https://github.com/opnfv/ovn4nfv-k8s-plugin) is the network controller, OVS agent and CNI server to offer basic SFC and OVN overlay networking.
+
 - [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
    (Please refer to `weave` [troubleshooting documentation](https://www.weave.works/docs/net/latest/troubleshooting/)).

@@ -190,12 +202,18 @@ The choice is defined with the variable `kube_network_plugin`. There is also an
 option to leverage built-in cloud provider networking instead.
 See also [Network checker](docs/netcheck.md).

+## Ingress Plugins
+
+- [ambassador](docs/ambassador.md): the Ambassador Ingress Controller and API gateway.
+
+- [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
+
 ## Community docs and resources

 - [kubernetes.io/docs/setup/production-environment/tools/kubespray/](https://kubernetes.io/docs/setup/production-environment/tools/kubespray/)
 - [kubespray, monitoring and logging](https://github.com/gregbkr/kubernetes-kargo-logging-monitoring) by @gregbkr
 - [Deploy Kubernetes w/ Ansible & Terraform](https://rsmitty.github.io/Terraform-Ansible-Kubernetes/) by @rsmitty
- [Deploy a Kubernetes Cluster with Kubespray (video)](https://www.youtube.com/watch?v=N9q51JgbWu8)
+- [Deploy a Kubernetes Cluster with Kubespray (video)](https://www.youtube.com/watch?v=CJ5G4GpqDy0)

 ## Tools and projects on top of Kubespray

@@ -204,7 +222,8 @@ See also [Network checker](docs/netcheck.md).

 ## CI Tests

-[![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/build.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/pipelines)
+[![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/pipeline.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/pipelines)
+
+CI/end-to-end tests sponsored by: [CNCF](https://cncf.io), [Packet](https://www.packet.com/), [OVHcloud](https://www.ovhcloud.com/), [ELASTX](https://elastx.se/).

-CI/end-to-end tests sponsored by Google (GCE)
 See the [test matrix](docs/test_cases.md) for details.
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -4,40 +4,45 @@ The Kubespray Project is released on an as-needed basis. The process is as follo

 1. An issue is proposing a new release with a changelog since the last release
 2. At least one of the [approvers](OWNERS_ALIASES) must approve this release
-3. An approver creates [new release in GitHub](https://github.com/kubernetes-sigs/kubespray/releases/new) using a version and tag name like `vX.Y.Z` and attaching the release notes
-4. An approver creates a release branch in the form `release-vX.Y`
-5. The corresponding version of [quay.io/kubespray/kubespray:vX.Y.Z](https://quay.io/repository/kubespray/kubespray) docker image is built and tagged
-6. The `KUBESPRAY_VERSION` variable is updated in `.gitlab-ci.yml`
-7. The release issue is closed
-8. An announcement email is sent to `kubernetes-dev@googlegroups.com` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
+3. The `kube_version_min_required` variable is set to `n-1`
+4. Remove hashes for [EOL versions](https://github.com/kubernetes/sig-release/blob/master/releases/patch-releases.md) of kubernetes from `*_checksums` variables.
+5. An approver creates [new release in GitHub](https://github.com/kubernetes-sigs/kubespray/releases/new) using a version and tag name like `vX.Y.Z` and attaching the release notes
+6. An approver creates a release branch in the form `release-X.Y`
+7. The corresponding version of [quay.io/kubespray/kubespray:vX.Y.Z](https://quay.io/repository/kubespray/kubespray) and [quay.io/kubespray/vagrant:vX.Y.Z](https://quay.io/repository/kubespray/vagrant) docker images are built and tagged
+8. The `KUBESPRAY_VERSION` variable is updated in `.gitlab-ci.yml`
+9. The release issue is closed
+10. An announcement email is sent to `kubernetes-dev@googlegroups.com` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
+11. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`

-## Major/minor releases, merge freezes and milestones
+## Major/minor releases and milestones

-* Kubespray maintains one branch for major releases (vX.Y). Minor releases are available only as tags.
+* For major releases (vX.Y) Kubespray maintains one branch (`release-X.Y`). Minor releases (vX.Y.Z) are available only as tags.

 * Security patches and bugs might be backported.

-* Fixes for major releases (vX.x.0) and minor releases (vX.Y.x) are delivered
+* Fixes for major releases (vX.Y) and minor releases (vX.Y.Z) are delivered
  via maintenance releases (vX.Y.Z) and assigned to the corresponding open
-  milestone (vX.Y). That milestone remains open for the major/minor releases
-  support lifetime, which ends once the milestone closed. Then only a next major
-  or minor release can be done.
+  [GitHub milestone](https://github.com/kubernetes-sigs/kubespray/milestones).
+  That milestone remains open for the major/minor releases support lifetime,
+  which ends once the milestone is closed. Then only a next major or minor release
+  can be done.

-* Kubespray major and minor releases are bound to the given ``kube_version`` major/minor
+* Kubespray major and minor releases are bound to the given `kube_version` major/minor
  version numbers and other components' arbitrary versions, like etcd or network plugins.
-  Older or newer versions are not supported and not tested for the given release.
+  Older or newer component versions are not supported and not tested for the given
+  release (even if included in the checksum variables, like `kubeadm_checksums`).

 * There is no unstable releases and no APIs, thus Kubespray doesn't follow
-  [semver](http://semver.org/). Every version describes only a stable release.
+  [semver](https://semver.org/). Every version describes only a stable release.
  Breaking changes, if any introduced by changed defaults or non-contrib ansible roles'
  playbooks, shall be described in the release notes. Other breaking changes, if any in
  the contributed addons or bound versions of Kubernetes and other components, are
  considered out of Kubespray scope and are up to the components' teams to deal with and
  document.

-* Minor releases can change components' versions, but not the major ``kube_version``.
-  Greater ``kube_version`` requires a new major or minor release. For example, if Kubespray v2.0.0
-  is bound to ``kube_version: 1.4.x``, ``calico_version: 0.22.0``, ``etcd_version: v3.0.6``,
-  then Kubespray v2.1.0 may be bound to only minor changes to ``kube_version``, like v1.5.1
+* Minor releases can change components' versions, but not the major `kube_version`.
+  Greater `kube_version` requires a new major or minor release. For example, if Kubespray v2.0.0
+  is bound to `kube_version: 1.4.x`, `calico_version: 0.22.0`, `etcd_version: v3.0.6`,
+  then Kubespray v2.1.0 may be bound to only minor changes to `kube_version`, like v1.5.1
  and *any* changes to other components, like etcd v4, or calico 1.2.3.
-  And Kubespray v3.x.x shall be bound to ``kube_version: 2.x.x`` respectively.
+  And Kubespray v3.x.x shall be bound to `kube_version: 2.x.x` respectively.
--- a/6
+++ b/6
@@ -1,13 +1,13 @@
 # Defined below are the security contacts for this repo.
 #
-# They are the contact point for the Product Security Team to reach out
+# They are the contact point for the Product Security Committee to reach out
 # to for triaging and handling of incoming issues.
 #
 # The below names agree to abide by the
-# [Embargo Policy](https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#embargo-policy)
+# [Embargo Policy](https://git.k8s.io/security/private-distributors-list.md#embargo-policy)
 # and will be removed and replaced if they violate that agreement.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
 atoms
-mattymo
+mattymo
--- a/112
+++ b/112
@@ -7,63 +7,72 @@ require 'fileutils'

 Vagrant.require_version ">= 2.0.0"

-CONFIG = File.join(File.dirname(__FILE__), "vagrant/config.rb")
+CONFIG = File.join(File.dirname(__FILE__), ENV['KUBESPRAY_VAGRANT_CONFIG'] || 'vagrant/config.rb')

-COREOS_URL_TEMPLATE = "https://storage.googleapis.com/%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant.json"
+FLATCAR_URL_TEMPLATE = "https://%s.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vagrant.json"

 # Uniq disk UUID for libvirt
 DISK_UUID = Time.now.utc.to_i

 SUPPORTED_OS = {
-  "coreos-stable"       => {box: "coreos-stable",      user: "core", box_url: COREOS_URL_TEMPLATE % ["stable"]},
-  "coreos-alpha"        => {box: "coreos-alpha",       user: "core", box_url: COREOS_URL_TEMPLATE % ["alpha"]},
-  "coreos-beta"         => {box: "coreos-beta",        user: "core", box_url: COREOS_URL_TEMPLATE % ["beta"]},
-  "ubuntu1604"          => {box: "generic/ubuntu1604", user: "vagrant"},
-  "ubuntu1804"          => {box: "generic/ubuntu1804", user: "vagrant"},
-  "centos"              => {box: "centos/7",           user: "vagrant"},
-  "centos-bento"        => {box: "bento/centos-7.6",   user: "vagrant"},
-  "fedora"              => {box: "fedora/28-cloud-base",                user: "vagrant"},
-  "opensuse"            => {box: "opensuse/openSUSE-15.0-x86_64",       user: "vagrant"},
-  "opensuse-tumbleweed" => {box: "opensuse/openSUSE-Tumbleweed-x86_64", user: "vagrant"},
-  "oraclelinux"         => {box: "generic/oracle7", user: "vagrant"},
+  "flatcar-stable"      => {box: "flatcar-stable",             user: "core", box_url: FLATCAR_URL_TEMPLATE % ["stable"]},
+  "flatcar-beta"        => {box: "flatcar-beta",               user: "core", box_url: FLATCAR_URL_TEMPLATE % ["beta"]},
+  "flatcar-alpha"       => {box: "flatcar-alpha",              user: "core", box_url: FLATCAR_URL_TEMPLATE % ["alpha"]},
+  "flatcar-edge"        => {box: "flatcar-edge",               user: "core", box_url: FLATCAR_URL_TEMPLATE % ["edge"]},
+  "ubuntu1604"          => {box: "generic/ubuntu1604",         user: "vagrant"},
+  "ubuntu1804"          => {box: "generic/ubuntu1804",         user: "vagrant"},
+  "ubuntu2004"          => {box: "generic/ubuntu2004",         user: "vagrant"},
+  "centos"              => {box: "centos/7",                   user: "vagrant"},
+  "centos-bento"        => {box: "bento/centos-7.6",           user: "vagrant"},
+  "centos8"             => {box: "centos/8",                   user: "vagrant"},
+  "centos8-bento"       => {box: "bento/centos-8",             user: "vagrant"},
+  "fedora31"            => {box: "fedora/31-cloud-base",       user: "vagrant"},
+  "fedora32"            => {box: "fedora/32-cloud-base",       user: "vagrant"},
+  "opensuse"            => {box: "bento/opensuse-leap-15.1",   user: "vagrant"},
+  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
+  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
+  "oraclelinux8"        => {box: "generic/oracle8",            user: "vagrant"},
 }

-# Defaults for config options defined in CONFIG
-$num_instances = 3
-$instance_name_prefix = "k8s"
-$vm_gui = false
-$vm_memory = 2048
-$vm_cpus = 1
-$shared_folders = {}
-$forwarded_ports = {}
-$subnet = "172.17.8"
-$os = "ubuntu1804"
-$network_plugin = "flannel"
-# Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
-$multi_networking = false
-# The first three nodes are etcd servers
-$etcd_instances = $num_instances
-# The first two nodes are kube masters
-$kube_master_instances = $num_instances == 1 ? $num_instances : ($num_instances - 1)
-# All nodes are kube nodes
-$kube_node_instances = $num_instances
-# The following only works when using the libvirt provider
-$kube_node_instances_with_disks = false
-$kube_node_instances_with_disks_size = "20G"
-$kube_node_instances_with_disks_number = 2
-$override_disk_size = false
-$disk_size = "20GB"
-$local_path_provisioner_enabled = false
-$local_path_provisioner_claim_root = "/opt/local-path-provisioner/"
-
-$playbook = "cluster.yml"
-
-host_vars = {}
-
 if File.exist?(CONFIG)
  require CONFIG
 end

+# Defaults for config options defined in CONFIG
+$num_instances ||= 3
+$instance_name_prefix ||= "k8s"
+$vm_gui ||= false
+$vm_memory ||= 2048
+$vm_cpus ||= 2
+$shared_folders ||= {}
+$forwarded_ports ||= {}
+$subnet ||= "172.18.8"
+$os ||= "ubuntu1804"
+$network_plugin ||= "flannel"
+# Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
+$multi_networking ||= false
+$download_run_once ||= "True"
+$download_force_cache ||= "True"
+# The first three nodes are etcd servers
+$etcd_instances ||= $num_instances
+# The first two nodes are kube masters
+$kube_master_instances ||= $num_instances == 1 ? $num_instances : ($num_instances - 1)
+# All nodes are kube nodes
+$kube_node_instances ||= $num_instances
+# The following only works when using the libvirt provider
+$kube_node_instances_with_disks ||= false
+$kube_node_instances_with_disks_size ||= "20G"
+$kube_node_instances_with_disks_number ||= 2
+$override_disk_size ||= false
+$disk_size ||= "20GB"
+$local_path_provisioner_enabled ||= false
+$local_path_provisioner_claim_root ||= "/opt/local-path-provisioner/"
+$libvirt_nested ||= false
+
+$playbook ||= "cluster.yml"
+
+host_vars = {}
+
 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
 $inventory = "inventory/sample" if ! $inventory
@@ -136,6 +145,8 @@ Vagrant.configure("2") do |config|
      end

      node.vm.provider :libvirt do |lv|
+        lv.nested = $libvirt_nested
+        lv.cpu_mode = "host-model"
        lv.memory = $vm_memory
        lv.cpus = $vm_cpus
        lv.default_prefix = 'kubespray'
@@ -176,19 +187,24 @@ Vagrant.configure("2") do |config|
      # Disable swap for each vm
      node.vm.provision "shell", inline: "swapoff -a"

+      # Disable firewalld on oraclelinux vms
+      if ["oraclelinux","oraclelinux8"].include? $os
+        node.vm.provision "shell", inline: "systemctl stop firewalld; systemctl disable firewalld"
+      end
+
      host_vars[vm_name] = {
        "ip": ip,
        "flannel_interface": "eth1",
        "kube_network_plugin": $network_plugin,
        "kube_network_plugin_multus": $multi_networking,
-        "download_run_once": "True",
+        "download_run_once": $download_run_once,
        "download_localhost": "False",
        "download_cache_dir": ENV['HOME'] + "/kubespray_cache",
        # Make kubespray cache even when download_run_once is false
-        "download_force_cache": "True",
+        "download_force_cache": $download_force_cache,
        # Keeping the cache on the nodes can improve provisioning speed while debugging kubespray
        "download_keep_remote_cache": "False",
-        "docker_keepcache": "1",
+        "docker_rpm_keepcache": "1",
        # These two settings will put kubectl and admin.config in $inventory/artifacts
        "kubeconfig_localhost": "True",
        "kubectl_localhost": "True",
--- a/_config.yml
+++ b/_config.yml
@@ -1,2 +1,2 @@
 ---
-theme: jekyll-theme-slate
+theme: jekyll-theme-slate
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -11,7 +11,9 @@ host_key_checking=False
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = /tmp
-stdout_callback = skippy
+fact_caching_timeout = 7200
+stdout_callback = default
+display_skipped_hosts = no
 library = ./library
 callback_whitelist = profile_tasks
 roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles:/usr/share/kubespray/roles
--- a/ansible_version.yml
+++ b/ansible_version.yml
@@ -0,0 +1,15 @@
+---
+- hosts: localhost
+  gather_facts: false
+  become: no
+  vars:
+    minimal_ansible_version: 2.8.0
+    ansible_connection: local
+  tasks:
+    - name: "Check ansible version >={{ minimal_ansible_version }}"
+      assert:
+        msg: "Ansible must be {{ minimal_ansible_version }} or higher"
+        that:
+          - ansible_version.string is version(minimal_ansible_version, ">=")
+      tags:
+        - check
--- a/cluster.yml
+++ b/cluster.yml
@@ -1,44 +1,55 @@
 ---
- hosts: localhost
+- name: Check ansible version
+  import_playbook: ansible_version.yml
+
+- hosts: all
  gather_facts: false
-  become: no
+  tags: always
  tasks:
-    - name: "Check ansible version >=2.7.8"
-      assert:
-        msg: "Ansible must be v2.7.8 or higher"
-        that:
-          - ansible_version.string is version("2.7.8", ">=")
-      tags:
-        - check
-  vars:
-    ansible_connection: local
+    - name: "Set up proxy environment"
+      set_fact:
+        proxy_env:
+          http_proxy: "{{ http_proxy | default ('') }}"
+          HTTP_PROXY: "{{ http_proxy | default ('') }}"
+          https_proxy: "{{ https_proxy | default ('') }}"
+          HTTPS_PROXY: "{{ https_proxy | default ('') }}"
+          no_proxy: "{{ no_proxy | default ('') }}"
+          NO_PROXY: "{{ no_proxy | default ('') }}"
+      no_log: true

 - hosts: bastion[0]
  gather_facts: False
  roles:
-    - { role: kubespray-defaults}
-    - { role: bastion-ssh-config, tags: ["localhost", "bastion"]}
+    - { role: kubespray-defaults }
+    - { role: bastion-ssh-config, tags: ["localhost", "bastion"] }

 - hosts: k8s-cluster:etcd
+  strategy: linear
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  gather_facts: false
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: bootstrap-os, tags: bootstrap-os}

+- name: Gather facts
+  tags: always
+  import_playbook: facts.yml
+
 - hosts: k8s-cluster:etcd
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes/preinstall, tags: preinstall }
    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine|default(true) }
    - { role: download, tags: download, when: "not skip_downloads" }
  environment: "{{ proxy_env }}"

 - hosts: etcd
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - role: etcd
      tags: etcd
      vars:
@@ -47,9 +58,10 @@
      when: not etcd_kubeadm_enabled| default(false)

 - hosts: k8s-cluster
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - role: etcd
      tags: etcd
      vars:
@@ -58,59 +70,68 @@
      when: not etcd_kubeadm_enabled| default(false)

 - hosts: k8s-cluster
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes/node, tags: node }
  environment: "{{ proxy_env }}"

 - hosts: kube-master
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes/master, tags: master }
    - { role: kubernetes/client, tags: client }
    - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }

 - hosts: k8s-cluster
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes/kubeadm, tags: kubeadm}
    - { role: network_plugin, tags: network }
-    - { role: kubernetes/node-label }
+    - { role: kubernetes/node-label, tags: node-label }

 - hosts: calico-rr
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
-    - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr']}
+    - { role: kubespray-defaults }
+    - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr'] }

 - hosts: kube-master[0]
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
-    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"]}
+    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }

 - hosts: kube-master
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
+    - { role: kubernetes-apps/external_cloud_controller, tags: external-cloud-controller }
    - { role: kubernetes-apps/network_plugin, tags: network }
    - { role: kubernetes-apps/policy_controller, tags: policy-controller }
    - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
    - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }

 - hosts: kube-master
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes-apps, tags: apps }
  environment: "{{ proxy_env }}"

 - hosts: k8s-cluster
+  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray-defaults }
    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
--- a/contrib/azurerm/README.md
+++ b/contrib/azurerm/README.md
@@ -15,8 +15,9 @@ Resource Group. It will not install Kubernetes itself, this has to be done in a

 ## Configuration through group_vars/all

-You have to modify at least one variable in group_vars/all, which is the **cluster_name** variable. It must be globally
-unique due to some restrictions in Azure. Most other variables should be self explanatory if you have some basic Kubernetes
+You have to modify at least two variables in group_vars/all. The one is the **cluster_name** variable, it must be globally
+unique due to some restrictions in Azure. The other one is the **ssh_public_keys** variable, it must be your ssh public
+key to access your azure virtual machines. Most other variables should be self explanatory if you have some basic Kubernetes
 experience.

 ## Bastion host
@@ -59,6 +60,7 @@ It will create the file ./inventory which can then be used with kubespray, e.g.:

 ```shell
 $ cd kubespray-root-dir
-$ ansible-playbook -i contrib/azurerm/inventory -u devops --become -e "@inventory/sample/group_vars/all.yml" cluster.yml
+$ sudo pip3 install -r requirements.txt
+$ ansible-playbook -i contrib/azurerm/inventory -u devops --become -e "@inventory/sample/group_vars/all/all.yml" cluster.yml
 ```

--- a/contrib/azurerm/apply-rg.sh
+++ b/contrib/azurerm/apply-rg.sh
@@ -9,18 +9,11 @@ if [ "$AZURE_RESOURCE_GROUP" == "" ]; then
    exit 1
 fi

-if az &>/dev/null; then
-    echo "azure cli 2.0 found, using it instead of 1.0"
-    ./apply-rg_2.sh "$AZURE_RESOURCE_GROUP"
-elif azure &>/dev/null; then 
-    ansible-playbook generate-templates.yml
-    
-    azure group deployment create -f ./.generated/network.json -g $AZURE_RESOURCE_GROUP
-    azure group deployment create -f ./.generated/storage.json -g $AZURE_RESOURCE_GROUP
-    azure group deployment create -f ./.generated/availability-sets.json -g $AZURE_RESOURCE_GROUP
-    azure group deployment create -f ./.generated/bastion.json -g $AZURE_RESOURCE_GROUP
-    azure group deployment create -f ./.generated/masters.json -g $AZURE_RESOURCE_GROUP
-    azure group deployment create -f ./.generated/minions.json -g $AZURE_RESOURCE_GROUP
-else 
-    echo "Azure cli not found"
-fi
+ansible-playbook generate-templates.yml
+
+az deployment group create --template-file ./.generated/network.json -g $AZURE_RESOURCE_GROUP
+az deployment group create --template-file ./.generated/storage.json -g $AZURE_RESOURCE_GROUP
+az deployment group create --template-file ./.generated/availability-sets.json -g $AZURE_RESOURCE_GROUP
+az deployment group create --template-file ./.generated/bastion.json -g $AZURE_RESOURCE_GROUP
+az deployment group create --template-file ./.generated/masters.json -g $AZURE_RESOURCE_GROUP
+az deployment group create --template-file ./.generated/minions.json -g $AZURE_RESOURCE_GROUP
--- a/contrib/azurerm/apply-rg_2.sh
+++ b/contrib/azurerm/apply-rg_2.sh
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-AZURE_RESOURCE_GROUP="$1"
-
-if [ "$AZURE_RESOURCE_GROUP" == "" ]; then
-    echo "AZURE_RESOURCE_GROUP is missing"
-    exit 1
-fi
-
-ansible-playbook generate-templates.yml
-
-az group deployment create --template-file ./.generated/network.json -g $AZURE_RESOURCE_GROUP
-az group deployment create --template-file ./.generated/storage.json -g $AZURE_RESOURCE_GROUP
-az group deployment create --template-file ./.generated/availability-sets.json -g $AZURE_RESOURCE_GROUP
-az group deployment create --template-file ./.generated/bastion.json -g $AZURE_RESOURCE_GROUP
-az group deployment create --template-file ./.generated/masters.json -g $AZURE_RESOURCE_GROUP
-az group deployment create --template-file ./.generated/minions.json -g $AZURE_RESOURCE_GROUP
--- a/contrib/azurerm/clear-rg.sh
+++ b/contrib/azurerm/clear-rg.sh
@@ -9,10 +9,6 @@ if [ "$AZURE_RESOURCE_GROUP" == "" ]; then
    exit 1
 fi

-if az &>/dev/null; then
-    echo "azure cli 2.0 found, using it instead of 1.0"
-    ./clear-rg_2.sh "$AZURE_RESOURCE_GROUP"
-else
-    ansible-playbook generate-templates.yml
-    azure group deployment create -g "$AZURE_RESOURCE_GROUP" -f ./.generated/clear-rg.json -m Complete
-fi
+ansible-playbook generate-templates.yml
+
+az group deployment create -g "$AZURE_RESOURCE_GROUP" --template-file ./.generated/clear-rg.json --mode Complete
--- a/contrib/azurerm/clear-rg_2.sh
+++ b/contrib/azurerm/clear-rg_2.sh
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-AZURE_RESOURCE_GROUP="$1"
-
-if [ "$AZURE_RESOURCE_GROUP" == "" ]; then
-    echo "AZURE_RESOURCE_GROUP is missing"
-    exit 1
-fi
-
-ansible-playbook generate-templates.yml
-
-az group deployment create -g "$AZURE_RESOURCE_GROUP" --template-file ./.generated/clear-rg.json --mode Complete
--- a/contrib/azurerm/roles/generate-inventory/tasks/main.yml
+++ b/contrib/azurerm/roles/generate-inventory/tasks/main.yml
@@ -1,6 +1,6 @@
 ---

- name: Query Azure VMs
+- name: Query Azure VMs  # noqa 301
  command: azure vm list-ip-address --json {{ azure_resource_group }}
  register: vm_list_cmd

--- a/contrib/azurerm/roles/generate-inventory_2/tasks/main.yml
+++ b/contrib/azurerm/roles/generate-inventory_2/tasks/main.yml
@@ -1,14 +1,14 @@
 ---

- name: Query Azure VMs IPs
+- name: Query Azure VMs IPs  # noqa 301
  command: az vm list-ip-addresses -o json --resource-group {{ azure_resource_group }}
  register: vm_ip_list_cmd

- name: Query Azure VMs Roles
+- name: Query Azure VMs Roles  # noqa 301
  command: az vm list -o json --resource-group {{ azure_resource_group }}
  register: vm_list_cmd

- name: Query Azure Load Balancer Public IP
+- name: Query Azure Load Balancer Public IP  # noqa 301
  command: az network public-ip show -o json -g {{ azure_resource_group }} -n kubernetes-api-pubip
  register: lb_pubip_cmd

--- a/contrib/dind/roles/dind-host/tasks/main.yaml
+++ b/contrib/dind/roles/dind-host/tasks/main.yaml
@@ -69,7 +69,7 @@

 # Running systemd-machine-id-setup doesn't create a unique id for each node container on Debian,
 # handle manually
- name: Re-create unique machine-id (as we may just get what comes in the docker image), needed by some CNIs for mac address seeding (notably weave)
+- name: Re-create unique machine-id (as we may just get what comes in the docker image), needed by some CNIs for mac address seeding (notably weave)  # noqa 301
  raw: |
    echo {{ item | hash('sha1') }} > /etc/machine-id.new
    mv -b /etc/machine-id.new /etc/machine-id
--- a/contrib/inventory_builder/inventory.py
+++ b/contrib/inventory_builder/inventory.py
@@ -41,6 +41,7 @@ from ruamel.yaml import YAML

 import os
 import re
+import subprocess
 import sys

 ROLES = ['all', 'kube-master', 'kube-node', 'etcd', 'k8s-cluster',
@@ -69,6 +70,7 @@ MASSIVE_SCALE_THRESHOLD = int(os.environ.get("SCALE_THRESHOLD", 200))

 DEBUG = get_var_as_bool("DEBUG", True)
 HOST_PREFIX = os.environ.get("HOST_PREFIX", "node")
+USE_REAL_HOSTNAME = get_var_as_bool("USE_REAL_HOSTNAME", False)

 # Configurable as shell vars end

@@ -81,7 +83,7 @@ class KubesprayInventory(object):
        if self.config_file:
            try:
                self.hosts_file = open(config_file, 'r')
-                self.yaml_config = yaml.load(self.hosts_file)
+                self.yaml_config = yaml.load_all(self.hosts_file)
            except OSError:
                pass

@@ -167,6 +169,7 @@ class KubesprayInventory(object):

        # FIXME(mattymo): Fix condition where delete then add reuses highest id
        next_host_id = highest_host_id + 1
+        next_host = ""

        all_hosts = existing_hosts.copy()
        for host in changed_hosts:
@@ -191,8 +194,14 @@ class KubesprayInventory(object):
                    self.debug("Skipping existing host {0}.".format(ip))
                    continue

-                next_host = "{0}{1}".format(HOST_PREFIX, next_host_id)
-                next_host_id += 1
+                if USE_REAL_HOSTNAME:
+                    cmd = ("ssh -oStrictHostKeyChecking=no "
+                           + access_ip + " 'hostname -s'")
+                    next_host = subprocess.check_output(cmd, shell=True)
+                    next_host = next_host.strip().decode('ascii')
+                else:
+                    next_host = "{0}{1}".format(HOST_PREFIX, next_host_id)
+                    next_host_id += 1
                all_hosts[next_host] = {'ansible_host': access_ip,
                                        'ip': ip,
                                        'access_ip': access_ip}
@@ -229,7 +238,7 @@ class KubesprayInventory(object):
            return [ip_address(ip).exploded for ip in range(start, end + 1)]

        for host in hosts:
-            if '-' in host and not host.startswith('-'):
+            if '-' in host and not (host.startswith('-') or host[0].isalpha()):
                start, end = host.strip().split('-')
                try:
                    reworked_hosts.extend(ips(start, end))
--- a/contrib/inventory_builder/tests/test_inventory.py
+++ b/contrib/inventory_builder/tests/test_inventory.py
@@ -51,7 +51,7 @@ class TestInventory(unittest.TestCase):
        groups = ['group1', 'group2']
        self.inv.ensure_required_groups(groups)
        for group in groups:
-            self.assertTrue(group in self.inv.yaml_config['all']['children'])
+            self.assertIn(group, self.inv.yaml_config['all']['children'])

    def test_get_host_id(self):
        hostnames = ['node99', 'no99de01', '01node01', 'node1.domain',
@@ -209,8 +209,8 @@ class TestInventory(unittest.TestCase):
            ('doesnotbelong2', {'whateveropts=ilike'})])
        self.inv.yaml_config['all']['hosts'] = existing_hosts
        self.inv.purge_invalid_hosts(proper_hostnames)
-        self.assertTrue(
-            bad_host not in self.inv.yaml_config['all']['hosts'].keys())
+        self.assertNotIn(
+            bad_host, self.inv.yaml_config['all']['hosts'].keys())

    def test_add_host_to_group(self):
        group = 'etcd'
@@ -227,8 +227,8 @@ class TestInventory(unittest.TestCase):
        host = 'node1'

        self.inv.set_kube_master([host])
-        self.assertTrue(
-            host in self.inv.yaml_config['all']['children'][group]['hosts'])
+        self.assertIn(
+            host, self.inv.yaml_config['all']['children'][group]['hosts'])

    def test_set_all(self):
        hosts = OrderedDict([
@@ -246,8 +246,8 @@ class TestInventory(unittest.TestCase):

        self.inv.set_k8s_cluster()
        for host in expected_hosts:
-            self.assertTrue(
-                host in
+            self.assertIn(
+                host,
                self.inv.yaml_config['all']['children'][group]['children'])

    def test_set_kube_node(self):
@@ -255,16 +255,16 @@ class TestInventory(unittest.TestCase):
        host = 'node1'

        self.inv.set_kube_node([host])
-        self.assertTrue(
-            host in self.inv.yaml_config['all']['children'][group]['hosts'])
+        self.assertIn(
+            host, self.inv.yaml_config['all']['children'][group]['hosts'])

    def test_set_etcd(self):
        group = 'etcd'
        host = 'node1'

        self.inv.set_etcd([host])
-        self.assertTrue(
-            host in self.inv.yaml_config['all']['children'][group]['hosts'])
+        self.assertIn(
+            host, self.inv.yaml_config['all']['children'][group]['hosts'])

    def test_scale_scenario_one(self):
        num_nodes = 50
--- a/contrib/metallb/README.md
+++ b/contrib/metallb/README.md
@@ -1,12 +0,0 @@
-# Deploy MetalLB into Kubespray/Kubernetes
-```
-MetalLB hooks into your Kubernetes cluster, and provides a network load-balancer implementation. In short, it allows you to create Kubernetes services of type “LoadBalancer” in clusters that don’t run on a cloud provider, and thus cannot simply hook into paid products to provide load-balancers.
-```
-This playbook aims to automate [this](https://metallb.universe.tf/concepts/layer2/). It deploys MetalLB into kubernetes and sets up a layer 2 loadbalancer.
-
-## Install
-```
-Defaults can be found in contrib/metallb/roles/provision/defaults/main.yml. You can override the defaults by copying the contents of this file to somewhere in inventory/mycluster/group_vars such as inventory/mycluster/groups_vars/k8s-cluster/addons.yml and making any adjustments as required.
-
-ansible-playbook --ask-become -i inventory/sample/hosts.ini contrib/metallb/metallb.yml
-```
--- a/contrib/metallb/library
+++ b/contrib/metallb/library
@@ -1 +0,0 @@
-../../library
--- a/contrib/metallb/metallb.yml
+++ b/contrib/metallb/metallb.yml
@@ -1,6 +0,0 @@
---
- hosts: kube-master[0]
-  tags:
-    - "provision"
-  roles:
-    - { role: provision }
--- a/contrib/metallb/roles/provision/defaults/main.yml
+++ b/contrib/metallb/roles/provision/defaults/main.yml
@@ -1,14 +0,0 @@
---
-metallb:
-  ip_range: "10.5.0.50-10.5.0.99"
-  protocol: "layer2"
-  # additional_address_pools:
-  #   kube_service_pool:
-  #     ip_range: "10.5.1.50-10.5.1.99"
-  #     protocol: "layer2"
-  #     auto_assign: false
-  limits:
-    cpu: "100m"
-    memory: "100Mi"
-  port: "7472"
-  version: v0.7.3
--- a/contrib/metallb/roles/provision/tasks/main.yml
+++ b/contrib/metallb/roles/provision/tasks/main.yml
@@ -1,23 +0,0 @@
---
- name: "Kubernetes Apps | Check cluster settings for MetalLB"
-  fail:
-    msg: "MetalLB require kube_proxy_strict_arp = true, see https://github.com/danderson/metallb/issues/153#issuecomment-518651132"
-  when:
-    - "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp"
- name: "Kubernetes Apps | Lay Down MetalLB"
-  become: true
-  template: { src: "{{ item }}.j2", dest: "{{ kube_config_dir }}/{{ item }}" }
-  with_items: ["metallb.yml", "metallb-config.yml"]
-  register: "rendering"
-  when:
-    - "inventory_hostname == groups['kube-master'][0]"
- name: "Kubernetes Apps | Install and configure MetalLB"
-  kube:
-    name: "MetalLB"
-    kubectl: "{{ bin_dir }}/kubectl"
-    filename: "{{ kube_config_dir }}/{{ item.item }}"
-    state: "{{ item.changed | ternary('latest','present') }}"
-  become: true
-  with_items: "{{ rendering.results }}"
-  when:
-    - "inventory_hostname == groups['kube-master'][0]"
--- a/contrib/metallb/roles/provision/templates/metallb-config.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb-config.yml.j2
@@ -1,21 +0,0 @@
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  namespace: metallb-system
-  name: config
-data:
-  config: |
-    address-pools:
-    - name: loadbalanced
-      protocol: {{ metallb.protocol }}
-      addresses:
-      - {{ metallb.ip_range }}
-{% if metallb.additional_address_pools is defined %}{% for pool in metallb.additional_address_pools %}
-    - name: {{ pool }}
-      protocol: {{ metallb.additional_address_pools[pool].protocol }}
-      addresses:
-      - {{ metallb.additional_address_pools[pool].ip_range }}
-      auto-assign: {{ metallb.additional_address_pools[pool].auto_assign }}
-{% endfor %}
-{% endif %}
--- a/contrib/metallb/roles/provision/templates/metallb.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb.yml.j2
@@ -1,221 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: metallb-system
-  labels:
-    app: metallb
---
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: metallb-system
-  name: controller
-  labels:
-    app: metallb
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: metallb-system
-  name: speaker
-  labels:
-    app: metallb
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: metallb-system:controller
-  labels:
-    app: metallb
-rules:
- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
-  resources: ["services/status"]
-  verbs: ["update"]
- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: metallb-system:speaker
-  labels:
-    app: metallb
-rules:
- apiGroups: [""]
-  resources: ["services", "endpoints", "nodes"]
-  verbs: ["get", "list", "watch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: metallb-system
-  name: config-watcher
-  labels:
-    app: metallb
-rules:
- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["get", "list", "watch"]
- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create"]
---
-
-## Role bindings
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: metallb-system:controller
-  labels:
-    app: metallb
-subjects:
- kind: ServiceAccount
-  name: controller
-  namespace: metallb-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: metallb-system:controller
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: metallb-system:speaker
-  labels:
-    app: metallb
-subjects:
- kind: ServiceAccount
-  name: speaker
-  namespace: metallb-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: metallb-system:speaker
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: metallb-system
-  name: config-watcher
-  labels:
-    app: metallb
-subjects:
- kind: ServiceAccount
-  name: controller
- kind: ServiceAccount
-  name: speaker
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: config-watcher
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  namespace: metallb-system
-  name: speaker
-  labels:
-    app: metallb
-    component: speaker
-spec:
-  selector:
-    matchLabels:
-      app: metallb
-      component: speaker
-  template:
-    metadata:
-      labels:
-        app: metallb
-        component: speaker
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "{{ metallb.port }}"
-    spec:
-      serviceAccountName: speaker
-      terminationGracePeriodSeconds: 0
-      hostNetwork: true
-      containers:
-      - name: speaker
-        image: metallb/speaker:{{ metallb.version }}
-        imagePullPolicy: IfNotPresent
-        args:
-        - --port={{ metallb.port }}
-        - --config=config
-        env:
-        - name: METALLB_NODE_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        ports:
-        - name: monitoring
-          containerPort: {{ metallb.port }}
-        resources:
-          limits:
-            cpu: {{ metallb.limits.cpu }}
-            memory: {{ metallb.limits.memory }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-            - all
-            add:
-            - net_raw
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  namespace: metallb-system
-  name: controller
-  labels:
-    app: metallb
-    component: controller
-spec:
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      app: metallb
-      component: controller
-  template:
-    metadata:
-      labels:
-        app: metallb
-        component: controller
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "{{ metallb.port }}"
-    spec:
-      serviceAccountName: controller
-      terminationGracePeriodSeconds: 0
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534 # nobody
-      containers:
-      - name: controller
-        image: metallb/controller:{{ metallb.version }}
-        imagePullPolicy: IfNotPresent
-        args:
-        - --port={{ metallb.port }}
-        - --config=config
-        ports:
-        - name: monitoring
-          containerPort: {{ metallb.port }}
-        resources:
-          limits:
-            cpu: {{ metallb.limits.cpu }}
-            memory: {{ metallb.limits.memory }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - all
-          readOnlyRootFilesystem: true
-
---
--- a/contrib/misc/clusteradmin-rbac.yml
+++ b/contrib/misc/clusteradmin-rbac.yml
@@ -1,5 +1,5 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-dashboard
--- a/contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml
@@ -7,7 +7,7 @@
  register: glusterfs_ppa_added
  when: glusterfs_ppa_use

- name: Ensure GlusterFS client will reinstall if the PPA was just added.
+- name: Ensure GlusterFS client will reinstall if the PPA was just added.  # noqa 503
  apt:
    name: "{{ item }}"
    state: absent
@@ -18,7 +18,7 @@
 - name: Ensure GlusterFS client is installed.
  apt:
    name: "{{ item }}"
-    state: installed
+    state: present
    default_release: "{{ glusterfs_default_release }}"
  with_items:
    - glusterfs-client
--- a/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml
@@ -7,7 +7,7 @@
  register: glusterfs_ppa_added
  when: glusterfs_ppa_use

- name: Ensure GlusterFS will reinstall if the PPA was just added.
+- name: Ensure GlusterFS will reinstall if the PPA was just added.  # noqa 503
  apt:
    name: "{{ item }}"
    state: absent
@@ -19,7 +19,7 @@
 - name: Ensure GlusterFS is installed.
  apt:
    name: "{{ item }}"
-    state: installed
+    state: present
    default_release: "{{ glusterfs_default_release }}"
  with_items:
    - glusterfs-server
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2
@@ -8,7 +8,7 @@
    {% for host in groups['gfs-cluster'] %}
    {
      "addresses": [
-        { 
+        {
          "ip": "{{hostvars[host]['ip']|default(hostvars[host].ansible_default_ipv4['address'])}}"
        }
      ],
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-pv.yml.j2
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-pv.yml.j2
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: glusterfs 
+  name: glusterfs
 spec:
  capacity:
      storage: "{{ hostvars[groups['gfs-cluster'][0]].gluster_disk_size_gb }}Gi"
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/tear-down.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/tear-down.yml
@@ -6,7 +6,7 @@
 - name: "Delete bootstrap Heketi."
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"deploy-heketi\""
  when: "heketi_resources.stdout|from_json|json_query('items[*]')|length > 0"
- name: "Ensure there is nothing left over."
+- name: "Ensure there is nothing left over."  # noqa 301
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"deploy-heketi\" -o=json"
  register: "heketi_result"
  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml
@@ -13,7 +13,7 @@
 - name: "Copy topology configuration into container."
  changed_when: false
  command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ initial_heketi_pod_name }}:/tmp/topology.json"
- name: "Load heketi topology."
+- name: "Load heketi topology."  # noqa 503
  when: "render.changed"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology load --json=/tmp/topology.json"
  register: "load_heketi"
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/volumes.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/volumes.yml
@@ -18,7 +18,7 @@
 - name: "Provision database volume."
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} setup-openshift-heketi-storage"
  when: "heketi_database_volume_exists is undefined"
- name: "Copy configuration from pod."
+- name: "Copy configuration from pod."  # noqa 301
  become: true
  command: "{{ bin_dir }}/kubectl cp {{ initial_heketi_pod_name }}:/heketi-storage.json {{ kube_config_dir }}/heketi-storage-bootstrap.json"
 - name: "Get heketi volume ids."
--- a/contrib/network-storage/heketi/roles/provision/tasks/topology.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/topology.yml
@@ -10,10 +10,10 @@
  template:
    src: "topology.json.j2"
    dest: "{{ kube_config_dir }}/topology.json"
- name: "Copy topology configuration into container."
+- name: "Copy topology configuration into container."  # noqa 503
  when: "rendering.changed"
  command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ heketi_pod_name }}:/tmp/topology.json"
- name: "Load heketi topology."
+- name: "Load heketi topology."  # noqa 503
  when: "rendering.changed"
  command: "{{ bin_dir }}/kubectl exec {{ heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology load --json=/tmp/topology.json"
 - name: "Get heketi topology."
--- a/contrib/network-storage/heketi/roles/provision/templates/glusterfs-daemonset.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/glusterfs-daemonset.json.j2
@@ -12,6 +12,11 @@
        }
    },
    "spec": {
+        "selector": {
+            "matchLabels": {
+                "glusterfs-node": "daemonset"
+            }
+        },
        "template": {
            "metadata": {
                "name": "glusterfs",
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi-bootstrap.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi-bootstrap.json.j2
@@ -42,6 +42,11 @@
        }
      },
      "spec": {
+        "selector": {
+          "matchLabels": {
+            "name": "deploy-heketi"
+          }
+        },
        "replicas": 1,
        "template": {
          "metadata": {
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi-deployment.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi-deployment.json.j2
@@ -55,6 +55,11 @@
        }
      },
      "spec": {
+        "selector": {
+          "matchLabels": {
+            "name": "heketi"
+          }
+        },
        "replicas": 1,
        "template": {
          "metadata": {
--- a/contrib/network-storage/heketi/roles/tear-down-disks/tasks/main.yml
+++ b/contrib/network-storage/heketi/roles/tear-down-disks/tasks/main.yml
@@ -22,7 +22,7 @@
  ignore_errors: true
  changed_when: false

- name: "Remove volume groups."
+- name: "Remove volume groups."  # noqa 301
  environment:
    PATH: "{{ ansible_env.PATH }}:/sbin"  # Make sure we can workaround RH / CentOS conservative path management
  become: true
@@ -30,7 +30,7 @@
  with_items: "{{ volume_groups.stdout_lines }}"
  loop_control: { loop_var: "volume_group" }

- name: "Remove physical volume from cluster disks."
+- name: "Remove physical volume from cluster disks."  # noqa 301
  environment:
    PATH: "{{ ansible_env.PATH }}:/sbin"  # Make sure we can workaround RH / CentOS conservative path management
  become: true
--- a/contrib/network-storage/heketi/roles/tear-down/tasks/main.yml
+++ b/contrib/network-storage/heketi/roles/tear-down/tasks/main.yml
@@ -1,43 +1,43 @@
 ---
- name: "Remove storage class."
+- name: "Remove storage class."  # noqa 301
  command: "{{ bin_dir }}/kubectl delete storageclass gluster"
  ignore_errors: true
- name: "Tear down heketi."
+- name: "Tear down heketi."  # noqa 301
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\""
  ignore_errors: true
- name: "Tear down heketi."
+- name: "Tear down heketi."  # noqa 301
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\""
  ignore_errors: true
 - name: "Tear down bootstrap."
-  include_tasks: "../provision/tasks/bootstrap/tear-down.yml"
- name: "Ensure there is nothing left over."
+  include_tasks: "../../provision/tasks/bootstrap/tear-down.yml"
+- name: "Ensure there is nothing left over."  # noqa 301
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\" -o=json"
  register: "heketi_result"
  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
  retries: 60
  delay: 5
- name: "Ensure there is nothing left over."
+- name: "Ensure there is nothing left over."  # noqa 301
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\" -o=json"
  register: "heketi_result"
  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
  retries: 60
  delay: 5
- name: "Tear down glusterfs."
+- name: "Tear down glusterfs."  # noqa 301
  command: "{{ bin_dir }}/kubectl delete daemonset.extensions/glusterfs"
  ignore_errors: true
- name: "Remove heketi storage service."
+- name: "Remove heketi storage service."  # noqa 301
  command: "{{ bin_dir }}/kubectl delete service heketi-storage-endpoints"
  ignore_errors: true
- name: "Remove heketi gluster role binding"
+- name: "Remove heketi gluster role binding"  # noqa 301
  command: "{{ bin_dir }}/kubectl delete clusterrolebinding heketi-gluster-admin"
  ignore_errors: true
- name: "Remove heketi config secret"
+- name: "Remove heketi config secret"  # noqa 301
  command: "{{ bin_dir }}/kubectl delete secret heketi-config-secret"
  ignore_errors: true
- name: "Remove heketi db backup"
+- name: "Remove heketi db backup"  # noqa 301
  command: "{{ bin_dir }}/kubectl delete secret heketi-db-backup"
  ignore_errors: true
- name: "Remove heketi service account"
+- name: "Remove heketi service account"  # noqa 301
  command: "{{ bin_dir }}/kubectl delete serviceaccount heketi-service-account"
  ignore_errors: true
 - name: "Get secrets"
--- a/contrib/terraform/aws/README.md
+++ b/contrib/terraform/aws/README.md
@@ -22,7 +22,7 @@ export TF_VAR_AWS_SECRET_ACCESS_KEY ="xxx"
 export TF_VAR_AWS_SSH_KEY_NAME="yyy"
 export TF_VAR_AWS_DEFAULT_REGION="zzz"
 ```
- Update `contrib/terraform/aws/terraform.tfvars` with your data. By default, the Terraform scripts use CoreOS as base image. If you want to change this behaviour, see note "Using other distrib than CoreOs" below.
+- Update `contrib/terraform/aws/terraform.tfvars` with your data. By default, the Terraform scripts use Ubuntu 18.04 LTS (Bionic) as base image. If you want to change this behaviour, see note "Using other distrib than Ubuntu" below.
 - Create an AWS EC2 SSH Key
 - Run with `terraform apply --var-file="credentials.tfvars"` or `terraform apply` depending if you exported your AWS credentials

@@ -41,12 +41,12 @@ ssh -F ./ssh-bastion.conf user@$ip

 - Once the infrastructure is created, you can run the kubespray playbooks and supply inventory/hosts with the `-i` flag.

-Example (this one assumes you are using CoreOS)
+Example (this one assumes you are using Ubuntu)
 ```commandline
-ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_user=core -b --become-user=root --flush-cache
+ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_user=ubuntu -b --become-user=root --flush-cache
 ```
-***Using other distrib than CoreOs***
-If you want to use another distribution than CoreOS, you can modify the search filters of the 'data "aws_ami" "distro"' in variables.tf.
+***Using other distrib than Ubuntu***
+If you want to use another distribution than Ubuntu 18.04 (Bionic) LTS, you can modify the search filters of the 'data "aws_ami" "distro"' in variables.tf.

 For example, to use:
 - Debian Jessie, replace 'data "aws_ami" "distro"' in variables.tf with
--- a/contrib/terraform/aws/create-infrastructure.tf
+++ b/contrib/terraform/aws/create-infrastructure.tf
@@ -3,9 +3,9 @@ terraform {
 }

 provider "aws" {
-  access_key = "${var.AWS_ACCESS_KEY_ID}"
-  secret_key = "${var.AWS_SECRET_ACCESS_KEY}"
-  region     = "${var.AWS_DEFAULT_REGION}"
+  access_key = var.AWS_ACCESS_KEY_ID
+  secret_key = var.AWS_SECRET_ACCESS_KEY
+  region     = var.AWS_DEFAULT_REGION
 }

 data "aws_availability_zones" "available" {}
@@ -18,30 +18,30 @@ data "aws_availability_zones" "available" {}
 module "aws-vpc" {
  source = "./modules/vpc"

-  aws_cluster_name         = "${var.aws_cluster_name}"
-  aws_vpc_cidr_block       = "${var.aws_vpc_cidr_block}"
-  aws_avail_zones          = "${slice(data.aws_availability_zones.available.names, 0, 2)}"
-  aws_cidr_subnets_private = "${var.aws_cidr_subnets_private}"
-  aws_cidr_subnets_public  = "${var.aws_cidr_subnets_public}"
-  default_tags             = "${var.default_tags}"
+  aws_cluster_name         = var.aws_cluster_name
+  aws_vpc_cidr_block       = var.aws_vpc_cidr_block
+  aws_avail_zones          = slice(data.aws_availability_zones.available.names, 0, 2)
+  aws_cidr_subnets_private = var.aws_cidr_subnets_private
+  aws_cidr_subnets_public  = var.aws_cidr_subnets_public
+  default_tags             = var.default_tags
 }

 module "aws-elb" {
  source = "./modules/elb"

-  aws_cluster_name      = "${var.aws_cluster_name}"
-  aws_vpc_id            = "${module.aws-vpc.aws_vpc_id}"
-  aws_avail_zones       = "${slice(data.aws_availability_zones.available.names, 0, 2)}"
-  aws_subnet_ids_public = "${module.aws-vpc.aws_subnet_ids_public}"
-  aws_elb_api_port      = "${var.aws_elb_api_port}"
-  k8s_secure_api_port   = "${var.k8s_secure_api_port}"
-  default_tags          = "${var.default_tags}"
+  aws_cluster_name      = var.aws_cluster_name
+  aws_vpc_id            = module.aws-vpc.aws_vpc_id
+  aws_avail_zones       = slice(data.aws_availability_zones.available.names, 0, 2)
+  aws_subnet_ids_public = module.aws-vpc.aws_subnet_ids_public
+  aws_elb_api_port      = var.aws_elb_api_port
+  k8s_secure_api_port   = var.k8s_secure_api_port
+  default_tags          = var.default_tags
 }

 module "aws-iam" {
  source = "./modules/iam"

-  aws_cluster_name = "${var.aws_cluster_name}"
+  aws_cluster_name = var.aws_cluster_name
 }

 /*
@@ -50,22 +50,22 @@ module "aws-iam" {
 */

 resource "aws_instance" "bastion-server" {
-  ami                         = "${data.aws_ami.distro.id}"
-  instance_type               = "${var.aws_bastion_size}"
-  count                       = "${length(var.aws_cidr_subnets_public)}"
+  ami                         = data.aws_ami.distro.id
+  instance_type               = var.aws_bastion_size
+  count                       = length(var.aws_cidr_subnets_public)
  associate_public_ip_address = true
-  availability_zone           = "${element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)}"
-  subnet_id                   = "${element(module.aws-vpc.aws_subnet_ids_public, count.index)}"
+  availability_zone           = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  subnet_id                   = element(module.aws-vpc.aws_subnet_ids_public, count.index)

-  vpc_security_group_ids = "${module.aws-vpc.aws_security_group}"
+  vpc_security_group_ids = module.aws-vpc.aws_security_group

-  key_name = "${var.AWS_SSH_KEY_NAME}"
+  key_name = var.AWS_SSH_KEY_NAME

-  tags = "${merge(var.default_tags, map(
+  tags = merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-bastion-${count.index}",
    "Cluster", "${var.aws_cluster_name}",
    "Role", "bastion-${var.aws_cluster_name}-${count.index}"
-  ))}"
+  ))
 }

 /*
@@ -74,71 +74,71 @@ resource "aws_instance" "bastion-server" {
 */

 resource "aws_instance" "k8s-master" {
-  ami           = "${data.aws_ami.distro.id}"
-  instance_type = "${var.aws_kube_master_size}"
+  ami           = data.aws_ami.distro.id
+  instance_type = var.aws_kube_master_size

-  count = "${var.aws_kube_master_num}"
+  count = var.aws_kube_master_num

-  availability_zone = "${element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)}"
-  subnet_id         = "${element(module.aws-vpc.aws_subnet_ids_private, count.index)}"
+  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)

-  vpc_security_group_ids = "${module.aws-vpc.aws_security_group}"
+  vpc_security_group_ids = module.aws-vpc.aws_security_group

-  iam_instance_profile = "${module.aws-iam.kube-master-profile}"
-  key_name             = "${var.AWS_SSH_KEY_NAME}"
+  iam_instance_profile = module.aws-iam.kube-master-profile
+  key_name             = var.AWS_SSH_KEY_NAME

-  tags = "${merge(var.default_tags, map(
+  tags = merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-master${count.index}",
    "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
    "Role", "master"
-  ))}"
+  ))
 }

 resource "aws_elb_attachment" "attach_master_nodes" {
-  count    = "${var.aws_kube_master_num}"
-  elb      = "${module.aws-elb.aws_elb_api_id}"
-  instance = "${element(aws_instance.k8s-master.*.id, count.index)}"
+  count    = var.aws_kube_master_num
+  elb      = module.aws-elb.aws_elb_api_id
+  instance = element(aws_instance.k8s-master.*.id, count.index)
 }

 resource "aws_instance" "k8s-etcd" {
-  ami           = "${data.aws_ami.distro.id}"
-  instance_type = "${var.aws_etcd_size}"
+  ami           = data.aws_ami.distro.id
+  instance_type = var.aws_etcd_size

-  count = "${var.aws_etcd_num}"
+  count = var.aws_etcd_num

-  availability_zone = "${element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)}"
-  subnet_id         = "${element(module.aws-vpc.aws_subnet_ids_private, count.index)}"
+  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)

-  vpc_security_group_ids = "${module.aws-vpc.aws_security_group}"
+  vpc_security_group_ids = module.aws-vpc.aws_security_group

-  key_name = "${var.AWS_SSH_KEY_NAME}"
+  key_name = var.AWS_SSH_KEY_NAME

-  tags = "${merge(var.default_tags, map(
+  tags = merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-etcd${count.index}",
    "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
    "Role", "etcd"
-  ))}"
+  ))
 }

 resource "aws_instance" "k8s-worker" {
-  ami           = "${data.aws_ami.distro.id}"
-  instance_type = "${var.aws_kube_worker_size}"
+  ami           = data.aws_ami.distro.id
+  instance_type = var.aws_kube_worker_size

-  count = "${var.aws_kube_worker_num}"
+  count = var.aws_kube_worker_num

-  availability_zone = "${element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)}"
-  subnet_id         = "${element(module.aws-vpc.aws_subnet_ids_private, count.index)}"
+  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)

-  vpc_security_group_ids = "${module.aws-vpc.aws_security_group}"
+  vpc_security_group_ids = module.aws-vpc.aws_security_group

-  iam_instance_profile = "${module.aws-iam.kube-worker-profile}"
-  key_name             = "${var.AWS_SSH_KEY_NAME}"
+  iam_instance_profile = module.aws-iam.kube-worker-profile
+  key_name             = var.AWS_SSH_KEY_NAME

-  tags = "${merge(var.default_tags, map(
+  tags = merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-worker${count.index}",
    "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
    "Role", "worker"
-  ))}"
+  ))
 }

 /*
@@ -146,16 +146,16 @@ resource "aws_instance" "k8s-worker" {
 *
 */
 data "template_file" "inventory" {
-  template = "${file("${path.module}/templates/inventory.tpl")}"
+  template = file("${path.module}/templates/inventory.tpl")

  vars = {
-    public_ip_address_bastion = "${join("\n", formatlist("bastion ansible_host=%s", aws_instance.bastion-server.*.public_ip))}"
-    connection_strings_master = "${join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-master.*.tags.Name, aws_instance.k8s-master.*.private_ip))}"
-    connection_strings_node   = "${join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-worker.*.tags.Name, aws_instance.k8s-worker.*.private_ip))}"
-    connection_strings_etcd   = "${join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.tags.Name, aws_instance.k8s-etcd.*.private_ip))}"
-    list_master               = "${join("\n", aws_instance.k8s-master.*.tags.Name)}"
-    list_node                 = "${join("\n", aws_instance.k8s-worker.*.tags.Name)}"
-    list_etcd                 = "${join("\n", aws_instance.k8s-etcd.*.tags.Name)}"
+    public_ip_address_bastion = join("\n", formatlist("bastion ansible_host=%s", aws_instance.bastion-server.*.public_ip))
+    connection_strings_master = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-master.*.private_dns, aws_instance.k8s-master.*.private_ip))
+    connection_strings_node   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-worker.*.private_dns, aws_instance.k8s-worker.*.private_ip))
+    connection_strings_etcd   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.private_dns, aws_instance.k8s-etcd.*.private_ip))
+    list_master               = join("\n", aws_instance.k8s-master.*.private_dns)
+    list_node                 = join("\n", aws_instance.k8s-worker.*.private_dns)
+    list_etcd                 = join("\n", aws_instance.k8s-etcd.*.private_dns)
    elb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
  }
 }
@@ -166,6 +166,6 @@ resource "null_resource" "inventories" {
  }

  triggers = {
-    template = "${data.template_file.inventory.rendered}"
+    template = data.template_file.inventory.rendered
  }
 }
--- a/contrib/terraform/aws/modules/elb/main.tf
+++ b/contrib/terraform/aws/modules/elb/main.tf
@@ -1,19 +1,19 @@
 resource "aws_security_group" "aws-elb" {
  name   = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-  vpc_id = "${var.aws_vpc_id}"
+  vpc_id = var.aws_vpc_id

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
+  ))
 }

 resource "aws_security_group_rule" "aws-allow-api-access" {
  type              = "ingress"
-  from_port         = "${var.aws_elb_api_port}"
-  to_port           = "${var.k8s_secure_api_port}"
+  from_port         = var.aws_elb_api_port
+  to_port           = var.k8s_secure_api_port
  protocol          = "TCP"
  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${aws_security_group.aws-elb.id}"
+  security_group_id = aws_security_group.aws-elb.id
 }

 resource "aws_security_group_rule" "aws-allow-api-egress" {
@@ -22,19 +22,19 @@ resource "aws_security_group_rule" "aws-allow-api-egress" {
  to_port           = 65535
  protocol          = "TCP"
  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${aws_security_group.aws-elb.id}"
+  security_group_id = aws_security_group.aws-elb.id
 }

 # Create a new AWS ELB for K8S API
 resource "aws_elb" "aws-elb-api" {
  name            = "kubernetes-elb-${var.aws_cluster_name}"
  subnets         = var.aws_subnet_ids_public
-  security_groups = ["${aws_security_group.aws-elb.id}"]
+  security_groups = [aws_security_group.aws-elb.id]

  listener {
-    instance_port     = "${var.k8s_secure_api_port}"
+    instance_port     = var.k8s_secure_api_port
    instance_protocol = "tcp"
-    lb_port           = "${var.aws_elb_api_port}"
+    lb_port           = var.aws_elb_api_port
    lb_protocol       = "tcp"
  }

@@ -51,7 +51,7 @@ resource "aws_elb" "aws-elb-api" {
  connection_draining         = true
  connection_draining_timeout = 400

-  tags = "${merge(var.default_tags, map(
+  tags = merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-elb-api"
-  ))}"
+  ))
 }
--- a/contrib/terraform/aws/modules/elb/outputs.tf
+++ b/contrib/terraform/aws/modules/elb/outputs.tf
@@ -1,7 +1,7 @@
 output "aws_elb_api_id" {
-  value = "${aws_elb.aws-elb-api.id}"
+  value = aws_elb.aws-elb-api.id
 }

 output "aws_elb_api_fqdn" {
-  value = "${aws_elb.aws-elb-api.dns_name}"
+  value = aws_elb.aws-elb-api.dns_name
 }
--- a/contrib/terraform/aws/modules/iam/main.tf
+++ b/contrib/terraform/aws/modules/iam/main.tf
@@ -42,7 +42,7 @@ EOF

 resource "aws_iam_role_policy" "kube-master" {
  name = "kubernetes-${var.aws_cluster_name}-master"
-  role = "${aws_iam_role.kube-master.id}"
+  role = aws_iam_role.kube-master.id

  policy = <<EOF
 {
@@ -77,7 +77,7 @@ EOF

 resource "aws_iam_role_policy" "kube-worker" {
  name = "kubernetes-${var.aws_cluster_name}-node"
-  role = "${aws_iam_role.kube-worker.id}"
+  role = aws_iam_role.kube-worker.id

  policy = <<EOF
 {
@@ -132,10 +132,10 @@ EOF

 resource "aws_iam_instance_profile" "kube-master" {
  name = "kube_${var.aws_cluster_name}_master_profile"
-  role = "${aws_iam_role.kube-master.name}"
+  role = aws_iam_role.kube-master.name
 }

 resource "aws_iam_instance_profile" "kube-worker" {
  name = "kube_${var.aws_cluster_name}_node_profile"
-  role = "${aws_iam_role.kube-worker.name}"
+  role = aws_iam_role.kube-worker.name
 }
--- a/contrib/terraform/aws/modules/iam/outputs.tf
+++ b/contrib/terraform/aws/modules/iam/outputs.tf
@@ -1,7 +1,7 @@
 output "kube-master-profile" {
-  value = "${aws_iam_instance_profile.kube-master.name }"
+  value = aws_iam_instance_profile.kube-master.name
 }

 output "kube-worker-profile" {
-  value = "${aws_iam_instance_profile.kube-worker.name }"
+  value = aws_iam_instance_profile.kube-worker.name
 }
--- a/contrib/terraform/aws/modules/vpc/main.tf
+++ b/contrib/terraform/aws/modules/vpc/main.tf
@@ -1,55 +1,55 @@
 resource "aws_vpc" "cluster-vpc" {
-  cidr_block = "${var.aws_vpc_cidr_block}"
+  cidr_block = var.aws_vpc_cidr_block

  #DNS Related Entries
  enable_dns_support   = true
  enable_dns_hostnames = true

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-vpc"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-vpc"
+  ))
 }

 resource "aws_eip" "cluster-nat-eip" {
-  count = "${length(var.aws_cidr_subnets_public)}"
+  count = length(var.aws_cidr_subnets_public)
  vpc   = true
 }

 resource "aws_internet_gateway" "cluster-vpc-internetgw" {
-  vpc_id = "${aws_vpc.cluster-vpc.id}"
+  vpc_id = aws_vpc.cluster-vpc.id

-  tags = "${merge(var.default_tags, map(
+  tags = merge(var.default_tags, map(
    "Name", "kubernetes-${var.aws_cluster_name}-internetgw"
-  ))}"
+  ))
 }

 resource "aws_subnet" "cluster-vpc-subnets-public" {
-  vpc_id            = "${aws_vpc.cluster-vpc.id}"
-  count             = "${length(var.aws_avail_zones)}"
-  availability_zone = "${element(var.aws_avail_zones, count.index)}"
-  cidr_block        = "${element(var.aws_cidr_subnets_public, count.index)}"
+  vpc_id            = aws_vpc.cluster-vpc.id
+  count             = length(var.aws_avail_zones)
+  availability_zone = element(var.aws_avail_zones, count.index)
+  cidr_block        = element(var.aws_cidr_subnets_public, count.index)

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public",
-      "kubernetes.io/cluster/${var.aws_cluster_name}", "member"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public",
+    "kubernetes.io/cluster/${var.aws_cluster_name}", "member"
+  ))
 }

 resource "aws_nat_gateway" "cluster-nat-gateway" {
-  count         = "${length(var.aws_cidr_subnets_public)}"
-  allocation_id = "${element(aws_eip.cluster-nat-eip.*.id, count.index)}"
-  subnet_id     = "${element(aws_subnet.cluster-vpc-subnets-public.*.id, count.index)}"
+  count         = length(var.aws_cidr_subnets_public)
+  allocation_id = element(aws_eip.cluster-nat-eip.*.id, count.index)
+  subnet_id     = element(aws_subnet.cluster-vpc-subnets-public.*.id, count.index)
 }

 resource "aws_subnet" "cluster-vpc-subnets-private" {
-  vpc_id            = "${aws_vpc.cluster-vpc.id}"
-  count             = "${length(var.aws_avail_zones)}"
-  availability_zone = "${element(var.aws_avail_zones, count.index)}"
-  cidr_block        = "${element(var.aws_cidr_subnets_private, count.index)}"
+  vpc_id            = aws_vpc.cluster-vpc.id
+  count             = length(var.aws_avail_zones)
+  availability_zone = element(var.aws_avail_zones, count.index)
+  cidr_block        = element(var.aws_cidr_subnets_private, count.index)

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
+  ))
 }

 #Routing in VPC
@@ -57,53 +57,53 @@ resource "aws_subnet" "cluster-vpc-subnets-private" {
 #TODO: Do we need two routing tables for each subnet for redundancy or is one enough?

 resource "aws_route_table" "kubernetes-public" {
-  vpc_id = "${aws_vpc.cluster-vpc.id}"
+  vpc_id = aws_vpc.cluster-vpc.id

  route {
    cidr_block = "0.0.0.0/0"
-    gateway_id = "${aws_internet_gateway.cluster-vpc-internetgw.id}"
+    gateway_id = aws_internet_gateway.cluster-vpc-internetgw.id
  }

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-routetable-public"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-routetable-public"
+  ))
 }

 resource "aws_route_table" "kubernetes-private" {
-  count  = "${length(var.aws_cidr_subnets_private)}"
-  vpc_id = "${aws_vpc.cluster-vpc.id}"
+  count  = length(var.aws_cidr_subnets_private)
+  vpc_id = aws_vpc.cluster-vpc.id

  route {
    cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = "${element(aws_nat_gateway.cluster-nat-gateway.*.id, count.index)}"
+    nat_gateway_id = element(aws_nat_gateway.cluster-nat-gateway.*.id, count.index)
  }

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
+  ))
 }

 resource "aws_route_table_association" "kubernetes-public" {
-  count          = "${length(var.aws_cidr_subnets_public)}"
-  subnet_id      = "${element(aws_subnet.cluster-vpc-subnets-public.*.id,count.index)}"
-  route_table_id = "${aws_route_table.kubernetes-public.id}"
+  count          = length(var.aws_cidr_subnets_public)
+  subnet_id      = element(aws_subnet.cluster-vpc-subnets-public.*.id, count.index)
+  route_table_id = aws_route_table.kubernetes-public.id
 }

 resource "aws_route_table_association" "kubernetes-private" {
-  count          = "${length(var.aws_cidr_subnets_private)}"
-  subnet_id      = "${element(aws_subnet.cluster-vpc-subnets-private.*.id,count.index)}"
-  route_table_id = "${element(aws_route_table.kubernetes-private.*.id,count.index)}"
+  count          = length(var.aws_cidr_subnets_private)
+  subnet_id      = element(aws_subnet.cluster-vpc-subnets-private.*.id, count.index)
+  route_table_id = element(aws_route_table.kubernetes-private.*.id, count.index)
 }

 #Kubernetes Security Groups

 resource "aws_security_group" "kubernetes" {
  name   = "kubernetes-${var.aws_cluster_name}-securitygroup"
-  vpc_id = "${aws_vpc.cluster-vpc.id}"
+  vpc_id = aws_vpc.cluster-vpc.id

-  tags = "${merge(var.default_tags, map(
-      "Name", "kubernetes-${var.aws_cluster_name}-securitygroup"
-    ))}"
+  tags = merge(var.default_tags, map(
+    "Name", "kubernetes-${var.aws_cluster_name}-securitygroup"
+  ))
 }

 resource "aws_security_group_rule" "allow-all-ingress" {
@@ -111,8 +111,8 @@ resource "aws_security_group_rule" "allow-all-ingress" {
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
-  cidr_blocks       = ["${var.aws_vpc_cidr_block}"]
-  security_group_id = "${aws_security_group.kubernetes.id}"
+  cidr_blocks       = [var.aws_vpc_cidr_block]
+  security_group_id = aws_security_group.kubernetes.id
 }

 resource "aws_security_group_rule" "allow-all-egress" {
@@ -121,7 +121,7 @@ resource "aws_security_group_rule" "allow-all-egress" {
  to_port           = 65535
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${aws_security_group.kubernetes.id}"
+  security_group_id = aws_security_group.kubernetes.id
 }

 resource "aws_security_group_rule" "allow-ssh-connections" {
@@ -130,5 +130,5 @@ resource "aws_security_group_rule" "allow-ssh-connections" {
  to_port           = 22
  protocol          = "TCP"
  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${aws_security_group.kubernetes.id}"
+  security_group_id = aws_security_group.kubernetes.id
 }
--- a/contrib/terraform/aws/modules/vpc/outputs.tf
+++ b/contrib/terraform/aws/modules/vpc/outputs.tf
@@ -1,5 +1,5 @@
 output "aws_vpc_id" {
-  value = "${aws_vpc.cluster-vpc.id}"
+  value = aws_vpc.cluster-vpc.id
 }

 output "aws_subnet_ids_private" {
@@ -15,5 +15,5 @@ output "aws_security_group" {
 }

 output "default_tags" {
-  value = "${var.default_tags}"
+  value = var.default_tags
 }
--- a/contrib/terraform/aws/output.tf
+++ b/contrib/terraform/aws/output.tf
@@ -1,17 +1,17 @@
 output "bastion_ip" {
-  value = "${join("\n", aws_instance.bastion-server.*.public_ip)}"
+  value = join("\n", aws_instance.bastion-server.*.public_ip)
 }

 output "masters" {
-  value = "${join("\n", aws_instance.k8s-master.*.private_ip)}"
+  value = join("\n", aws_instance.k8s-master.*.private_ip)
 }

 output "workers" {
-  value = "${join("\n", aws_instance.k8s-worker.*.private_ip)}"
+  value = join("\n", aws_instance.k8s-worker.*.private_ip)
 }

 output "etcd" {
-  value = "${join("\n", aws_instance.k8s-etcd.*.private_ip)}"
+  value = join("\n", aws_instance.k8s-etcd.*.private_ip)
 }

 output "aws_elb_api_fqdn" {
@@ -19,9 +19,9 @@ output "aws_elb_api_fqdn" {
 }

 output "inventory" {
-  value = "${data.template_file.inventory.rendered}"
+  value = data.template_file.inventory.rendered
 }

 output "default_tags" {
-  value = "${var.default_tags}"
+  value = var.default_tags
 }
--- a/contrib/terraform/aws/variables.tf
+++ b/contrib/terraform/aws/variables.tf
@@ -25,7 +25,7 @@ data "aws_ami" "distro" {

  filter {
    name   = "name"
-    values = ["CoreOS-stable-*"]
+    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
  }

  filter {
@@ -33,7 +33,7 @@ data "aws_ami" "distro" {
    values = ["hvm"]
  }

-  owners = ["595879546273"] #CoreOS
+  owners = ["099720109477"] # Canonical
 }

 //AWS VPC Variables
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -1,11 +1,11 @@
-# Kubernetes on Openstack with Terraform
+# Kubernetes on OpenStack with Terraform

 Provision a Kubernetes cluster with [Terraform](https://www.terraform.io) on
-Openstack.
+OpenStack.

 ## Status

-This will install a Kubernetes cluster on an Openstack Cloud. It should work on
+This will install a Kubernetes cluster on an OpenStack Cloud. It should work on
 most modern installs of OpenStack that support the basic services.

 ### Known compatible public clouds
@@ -38,6 +38,16 @@ hosts where that makes sense. You have the option of creating bastion hosts
 inside the private subnet to access the nodes there.  Alternatively, a node with
 a floating IP can be used as a jump host to nodes without.

+#### Using an existing router
+It is possible to use an existing router instead of creating one. To use an
+existing router set the router\_id variable to the uuid of the router you wish
+to use.
+
+For example:
+```
+router_id = "00c542e7-6f46-4535-ae95-984c7f0391a3"
+```
+
 ### Kubernetes Nodes
 You can create many different kubernetes topologies by setting the number of
 different classes of hosts. For each class there are options for allocating
@@ -62,9 +72,9 @@ specify:
 - Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks
 - Other properties related to provisioning the hosts

-Even if you are using Container Linux by CoreOS for your cluster, you will still
+Even if you are using Flatcar Container Linux by Kinvolk for your cluster, you will still
 need the GlusterFS VMs to be based on either Debian or RedHat based images.
-Container Linux by CoreOS cannot serve GlusterFS, but can connect to it through
+Flatcar Container Linux by Kinvolk cannot serve GlusterFS, but can connect to it through
 binaries available on hyperkube v1.4.3_coreos.0 or higher.

 ## Requirements
@@ -254,6 +264,107 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`etcd_root_volume_size_in_gb` | Size of the root volume for etcd nodes, 0 to use ephemeral storage |
 |`bastion_root_volume_size_in_gb` | Size of the root volume for bastions, 0 to use ephemeral storage |
 |`use_server_group` | Create and use openstack nova servergroups, default: false |
+|`k8s_nodes` | Map containing worker node definition, see explanation below |
+
+##### k8s_nodes
+Allows a custom defintion of worker nodes giving the operator full control over individual node flavor and
+availability zone placement. To enable the use of this mode set the `number_of_k8s_nodes` and
+`number_of_k8s_nodes_no_floating_ip` variables to 0. Then define your desired worker node configuration
+using the `k8s_nodes` variable.
+
+For example:
+```
+k8s_nodes = {
+  "1" = {
+    "az" = "sto1"
+    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
+    "floating_ip" = true
+  },
+  "2" = {
+    "az" = "sto2"
+    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
+    "floating_ip" = true
+  },
+  "3" = {
+    "az" = "sto3"
+    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
+    "floating_ip" = true
+  }
+}
+```
+
+Would result in the same configuration as:
+```
+number_of_k8s_nodes = 3
+flavor_k8s_node = "83d8b44a-26a0-4f02-a981-079446926445"
+az_list = ["sto1", "sto2", "sto3"]
+```
+
+And:
+```
+k8s_nodes = {
+  "ing-1" = {
+    "az" = "sto1"
+    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
+    "floating_ip" = true
+  },
+  "ing-2" = {
+    "az" = "sto2"
+    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
+    "floating_ip" = true
+  },
+  "ing-3" = {
+    "az" = "sto3"
+    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
+    "floating_ip" = true
+  },
+  "big-1" = {
+    "az" = "sto1"
+    "flavor" = "3f73fc93-ec61-4808-88df-2580d94c1a9b"
+    "floating_ip" = false
+  },
+  "big-2" = {
+    "az" = "sto2"
+    "flavor" = "3f73fc93-ec61-4808-88df-2580d94c1a9b"
+    "floating_ip" = false
+  },
+  "big-3" = {
+    "az" = "sto3"
+    "flavor" = "3f73fc93-ec61-4808-88df-2580d94c1a9b"
+    "floating_ip" = false
+  },
+  "small-1" = {
+    "az" = "sto1"
+    "flavor" = "7a6a998f-ac7f-4fb8-a534-2175b254f75e"
+    "floating_ip" = false
+  },
+  "small-2" = {
+    "az" = "sto2"
+    "flavor" = "7a6a998f-ac7f-4fb8-a534-2175b254f75e"
+    "floating_ip" = false
+  },
+  "small-3" = {
+    "az" = "sto3"
+    "flavor" = "7a6a998f-ac7f-4fb8-a534-2175b254f75e"
+    "floating_ip" = false
+  }
+}
+```
+
+Would result in three nodes in each availability zone each with their own separate naming,
+flavor and floating ip configuration.
+
+The "schema":
+```
+k8s_nodes = {
+  "key | node name suffix, must be unique" = {
+    "az" = string
+    "flavor" = string
+    "floating_ip" = bool
+  },
+}
+```
+All values are required.

 #### Terraform state files

@@ -371,7 +482,7 @@ So, either a bastion host, or at least master/node with a floating IP are requir

 #### Test access

-Make sure you can connect to the hosts.  Note that Container Linux by CoreOS will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.
+Make sure you can connect to the hosts.  Note that Flatcar Container Linux by Kinvolk will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.

 ```
 $ ansible -i inventory/$CLUSTER/hosts -m ping all
@@ -399,7 +510,7 @@ Edit `inventory/$CLUSTER/group_vars/all/all.yml`:
 # Directory where the binaries will be installed
 # Default:
 # bin_dir: /usr/local/bin
-# For Container Linux by CoreOS:
+# For Flatcar Container Linux by Kinvolk:
 bin_dir: /opt/bin
 ```
 - and **cloud_provider**:
@@ -420,7 +531,7 @@ kube_network_plugin: flannel
 # Can be docker_dns, host_resolvconf or none
 # Default:
 # resolvconf_mode: docker_dns
-# For Container Linux by CoreOS:
+# For Flatcar Container Linux by Kinvolk:
 resolvconf_mode: host_resolvconf
 ```
 - Set max amount of attached cinder volume per host (default 256)
@@ -494,3 +605,81 @@ $ ansible-playbook --become -i inventory/$CLUSTER/hosts ./contrib/network-storag
 ## What's next

 Try out your new Kubernetes cluster with the [Hello Kubernetes service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/).
+
+## Appendix
+
+### Migration from `number_of_k8s_nodes*` to `k8s_nodes`
+If you currently have a cluster defined using the `number_of_k8s_nodes*` variables and wish
+to migrate to the `k8s_nodes` style you can do it like so:
+
+```ShellSession
+$ terraform state list
+module.compute.data.openstack_images_image_v2.gfs_image
+module.compute.data.openstack_images_image_v2.vm_image
+module.compute.openstack_compute_floatingip_associate_v2.k8s_master[0]
+module.compute.openstack_compute_floatingip_associate_v2.k8s_node[0]
+module.compute.openstack_compute_floatingip_associate_v2.k8s_node[1]
+module.compute.openstack_compute_floatingip_associate_v2.k8s_node[2]
+module.compute.openstack_compute_instance_v2.k8s_master[0]
+module.compute.openstack_compute_instance_v2.k8s_node[0]
+module.compute.openstack_compute_instance_v2.k8s_node[1]
+module.compute.openstack_compute_instance_v2.k8s_node[2]
+module.compute.openstack_compute_keypair_v2.k8s
+module.compute.openstack_compute_servergroup_v2.k8s_etcd[0]
+module.compute.openstack_compute_servergroup_v2.k8s_master[0]
+module.compute.openstack_compute_servergroup_v2.k8s_node[0]
+module.compute.openstack_networking_secgroup_rule_v2.bastion[0]
+module.compute.openstack_networking_secgroup_rule_v2.egress[0]
+module.compute.openstack_networking_secgroup_rule_v2.k8s
+module.compute.openstack_networking_secgroup_rule_v2.k8s_allowed_remote_ips[0]
+module.compute.openstack_networking_secgroup_rule_v2.k8s_allowed_remote_ips[1]
+module.compute.openstack_networking_secgroup_rule_v2.k8s_allowed_remote_ips[2]
+module.compute.openstack_networking_secgroup_rule_v2.k8s_master[0]
+module.compute.openstack_networking_secgroup_rule_v2.worker[0]
+module.compute.openstack_networking_secgroup_rule_v2.worker[1]
+module.compute.openstack_networking_secgroup_rule_v2.worker[2]
+module.compute.openstack_networking_secgroup_rule_v2.worker[3]
+module.compute.openstack_networking_secgroup_rule_v2.worker[4]
+module.compute.openstack_networking_secgroup_v2.bastion[0]
+module.compute.openstack_networking_secgroup_v2.k8s
+module.compute.openstack_networking_secgroup_v2.k8s_master
+module.compute.openstack_networking_secgroup_v2.worker
+module.ips.null_resource.dummy_dependency
+module.ips.openstack_networking_floatingip_v2.k8s_master[0]
+module.ips.openstack_networking_floatingip_v2.k8s_node[0]
+module.ips.openstack_networking_floatingip_v2.k8s_node[1]
+module.ips.openstack_networking_floatingip_v2.k8s_node[2]
+module.network.openstack_networking_network_v2.k8s[0]
+module.network.openstack_networking_router_interface_v2.k8s[0]
+module.network.openstack_networking_router_v2.k8s[0]
+module.network.openstack_networking_subnet_v2.k8s[0]
+$ terraform state mv 'module.compute.openstack_compute_floatingip_associate_v2.k8s_node[0]' 'module.compute.openstack_compute_floatingip_associate_v2.k8s_nodes["1"]'
+Move "module.compute.openstack_compute_floatingip_associate_v2.k8s_node[0]" to "module.compute.openstack_compute_floatingip_associate_v2.k8s_nodes[\"1\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.compute.openstack_compute_floatingip_associate_v2.k8s_node[1]' 'module.compute.openstack_compute_floatingip_associate_v2.k8s_nodes["2"]'
+Move "module.compute.openstack_compute_floatingip_associate_v2.k8s_node[1]" to "module.compute.openstack_compute_floatingip_associate_v2.k8s_nodes[\"2\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.compute.openstack_compute_floatingip_associate_v2.k8s_node[2]' 'module.compute.openstack_compute_floatingip_associate_v2.k8s_nodes["3"]'
+Move "module.compute.openstack_compute_floatingip_associate_v2.k8s_node[2]" to "module.compute.openstack_compute_floatingip_associate_v2.k8s_nodes[\"3\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.compute.openstack_compute_instance_v2.k8s_node[0]' 'module.compute.openstack_compute_instance_v2.k8s_node["1"]'
+Move "module.compute.openstack_compute_instance_v2.k8s_node[0]" to "module.compute.openstack_compute_instance_v2.k8s_node[\"1\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.compute.openstack_compute_instance_v2.k8s_node[1]' 'module.compute.openstack_compute_instance_v2.k8s_node["2"]'
+Move "module.compute.openstack_compute_instance_v2.k8s_node[1]" to "module.compute.openstack_compute_instance_v2.k8s_node[\"2\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.compute.openstack_compute_instance_v2.k8s_node[2]' 'module.compute.openstack_compute_instance_v2.k8s_node["3"]'
+Move "module.compute.openstack_compute_instance_v2.k8s_node[2]" to "module.compute.openstack_compute_instance_v2.k8s_node[\"3\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.ips.openstack_networking_floatingip_v2.k8s_node[0]' 'module.ips.openstack_networking_floatingip_v2.k8s_node["1"]'
+Move "module.ips.openstack_networking_floatingip_v2.k8s_node[0]" to "module.ips.openstack_networking_floatingip_v2.k8s_node[\"1\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.ips.openstack_networking_floatingip_v2.k8s_node[1]' 'module.ips.openstack_networking_floatingip_v2.k8s_node["2"]'
+Move "module.ips.openstack_networking_floatingip_v2.k8s_node[1]" to "module.ips.openstack_networking_floatingip_v2.k8s_node[\"2\"]"
+Successfully moved 1 object(s).
+$ terraform state mv 'module.ips.openstack_networking_floatingip_v2.k8s_node[2]' 'module.ips.openstack_networking_floatingip_v2.k8s_node["3"]'
+Move "module.ips.openstack_networking_floatingip_v2.k8s_node[2]" to "module.ips.openstack_networking_floatingip_v2.k8s_node[\"3\"]"
+Successfully moved 1 object(s).
+```
+
+Of course for nodes without floating ips those steps can be omitted.
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -5,97 +5,104 @@ provider "openstack" {
 module "network" {
  source = "./modules/network"

-  external_net       = "${var.external_net}"
-  network_name       = "${var.network_name}"
-  subnet_cidr        = "${var.subnet_cidr}"
-  cluster_name       = "${var.cluster_name}"
-  dns_nameservers    = "${var.dns_nameservers}"
-  network_dns_domain = "${var.network_dns_domain}"
-  use_neutron        = "${var.use_neutron}"
+  external_net       = var.external_net
+  network_name       = var.network_name
+  subnet_cidr        = var.subnet_cidr
+  cluster_name       = var.cluster_name
+  dns_nameservers    = var.dns_nameservers
+  network_dns_domain = var.network_dns_domain
+  use_neutron        = var.use_neutron
+  router_id          = var.router_id
 }

 module "ips" {
  source = "./modules/ips"

-  number_of_k8s_masters         = "${var.number_of_k8s_masters}"
-  number_of_k8s_masters_no_etcd = "${var.number_of_k8s_masters_no_etcd}"
-  number_of_k8s_nodes           = "${var.number_of_k8s_nodes}"
-  floatingip_pool               = "${var.floatingip_pool}"
-  number_of_bastions            = "${var.number_of_bastions}"
-  external_net                  = "${var.external_net}"
-  network_name                  = "${var.network_name}"
-  router_id                     = "${module.network.router_id}"
+  number_of_k8s_masters         = var.number_of_k8s_masters
+  number_of_k8s_masters_no_etcd = var.number_of_k8s_masters_no_etcd
+  number_of_k8s_nodes           = var.number_of_k8s_nodes
+  floatingip_pool               = var.floatingip_pool
+  number_of_bastions            = var.number_of_bastions
+  external_net                  = var.external_net
+  network_name                  = var.network_name
+  router_id                     = module.network.router_id
+  k8s_nodes                     = var.k8s_nodes
 }

 module "compute" {
  source = "./modules/compute"

-  cluster_name                                 = "${var.cluster_name}"
-  az_list                                      = "${var.az_list}"
-  number_of_k8s_masters                        = "${var.number_of_k8s_masters}"
-  number_of_k8s_masters_no_etcd                = "${var.number_of_k8s_masters_no_etcd}"
-  number_of_etcd                               = "${var.number_of_etcd}"
-  number_of_k8s_masters_no_floating_ip         = "${var.number_of_k8s_masters_no_floating_ip}"
-  number_of_k8s_masters_no_floating_ip_no_etcd = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
-  number_of_k8s_nodes                          = "${var.number_of_k8s_nodes}"
-  number_of_bastions                           = "${var.number_of_bastions}"
-  number_of_k8s_nodes_no_floating_ip           = "${var.number_of_k8s_nodes_no_floating_ip}"
-  number_of_gfs_nodes_no_floating_ip           = "${var.number_of_gfs_nodes_no_floating_ip}"
-  bastion_root_volume_size_in_gb               = "${var.bastion_root_volume_size_in_gb}"
-  etcd_root_volume_size_in_gb                  = "${var.etcd_root_volume_size_in_gb}"
-  master_root_volume_size_in_gb                = "${var.master_root_volume_size_in_gb}"
-  node_root_volume_size_in_gb                  = "${var.node_root_volume_size_in_gb}"
-  gfs_root_volume_size_in_gb                   = "${var.gfs_root_volume_size_in_gb}"
-  gfs_volume_size_in_gb                        = "${var.gfs_volume_size_in_gb}"
-  public_key_path                              = "${var.public_key_path}"
-  image                                        = "${var.image}"
-  image_gfs                                    = "${var.image_gfs}"
-  ssh_user                                     = "${var.ssh_user}"
-  ssh_user_gfs                                 = "${var.ssh_user_gfs}"
-  flavor_k8s_master                            = "${var.flavor_k8s_master}"
-  flavor_k8s_node                              = "${var.flavor_k8s_node}"
-  flavor_etcd                                  = "${var.flavor_etcd}"
-  flavor_gfs_node                              = "${var.flavor_gfs_node}"
-  network_name                                 = "${var.network_name}"
-  flavor_bastion                               = "${var.flavor_bastion}"
-  k8s_master_fips                              = "${module.ips.k8s_master_fips}"
-  k8s_master_no_etcd_fips                      = "${module.ips.k8s_master_no_etcd_fips}"
-  k8s_node_fips                                = "${module.ips.k8s_node_fips}"
-  bastion_fips                                 = "${module.ips.bastion_fips}"
-  bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
-  master_allowed_remote_ips                    = "${var.master_allowed_remote_ips}"
-  k8s_allowed_remote_ips                       = "${var.k8s_allowed_remote_ips}"
-  k8s_allowed_egress_ips                       = "${var.k8s_allowed_egress_ips}"
-  supplementary_master_groups                  = "${var.supplementary_master_groups}"
-  supplementary_node_groups                    = "${var.supplementary_node_groups}"
-  worker_allowed_ports                         = "${var.worker_allowed_ports}"
-  wait_for_floatingip                          = "${var.wait_for_floatingip}"
-  use_access_ip                                = "${var.use_access_ip}"
-  use_server_groups                            = "${var.use_server_groups}"
+  cluster_name                                 = var.cluster_name
+  az_list                                      = var.az_list
+  az_list_node                                 = var.az_list_node
+  number_of_k8s_masters                        = var.number_of_k8s_masters
+  number_of_k8s_masters_no_etcd                = var.number_of_k8s_masters_no_etcd
+  number_of_etcd                               = var.number_of_etcd
+  number_of_k8s_masters_no_floating_ip         = var.number_of_k8s_masters_no_floating_ip
+  number_of_k8s_masters_no_floating_ip_no_etcd = var.number_of_k8s_masters_no_floating_ip_no_etcd
+  number_of_k8s_nodes                          = var.number_of_k8s_nodes
+  number_of_bastions                           = var.number_of_bastions
+  number_of_k8s_nodes_no_floating_ip           = var.number_of_k8s_nodes_no_floating_ip
+  number_of_gfs_nodes_no_floating_ip           = var.number_of_gfs_nodes_no_floating_ip
+  k8s_nodes                                    = var.k8s_nodes
+  bastion_root_volume_size_in_gb               = var.bastion_root_volume_size_in_gb
+  etcd_root_volume_size_in_gb                  = var.etcd_root_volume_size_in_gb
+  master_root_volume_size_in_gb                = var.master_root_volume_size_in_gb
+  node_root_volume_size_in_gb                  = var.node_root_volume_size_in_gb
+  gfs_root_volume_size_in_gb                   = var.gfs_root_volume_size_in_gb
+  gfs_volume_size_in_gb                        = var.gfs_volume_size_in_gb
+  master_volume_type                           = var.master_volume_type
+  public_key_path                              = var.public_key_path
+  image                                        = var.image
+  image_gfs                                    = var.image_gfs
+  ssh_user                                     = var.ssh_user
+  ssh_user_gfs                                 = var.ssh_user_gfs
+  flavor_k8s_master                            = var.flavor_k8s_master
+  flavor_k8s_node                              = var.flavor_k8s_node
+  flavor_etcd                                  = var.flavor_etcd
+  flavor_gfs_node                              = var.flavor_gfs_node
+  network_name                                 = var.network_name
+  flavor_bastion                               = var.flavor_bastion
+  k8s_master_fips                              = module.ips.k8s_master_fips
+  k8s_master_no_etcd_fips                      = module.ips.k8s_master_no_etcd_fips
+  k8s_node_fips                                = module.ips.k8s_node_fips
+  k8s_nodes_fips                               = module.ips.k8s_nodes_fips
+  bastion_fips                                 = module.ips.bastion_fips
+  bastion_allowed_remote_ips                   = var.bastion_allowed_remote_ips
+  master_allowed_remote_ips                    = var.master_allowed_remote_ips
+  k8s_allowed_remote_ips                       = var.k8s_allowed_remote_ips
+  k8s_allowed_egress_ips                       = var.k8s_allowed_egress_ips
+  supplementary_master_groups                  = var.supplementary_master_groups
+  supplementary_node_groups                    = var.supplementary_node_groups
+  master_allowed_ports                         = var.master_allowed_ports
+  worker_allowed_ports                         = var.worker_allowed_ports
+  wait_for_floatingip                          = var.wait_for_floatingip
+  use_access_ip                                = var.use_access_ip
+  use_server_groups                            = var.use_server_groups

-  network_id = "${module.network.router_id}"
+  network_id = module.network.router_id
 }

 output "private_subnet_id" {
-  value = "${module.network.subnet_id}"
+  value = module.network.subnet_id
 }

 output "floating_network_id" {
-  value = "${var.external_net}"
+  value = var.external_net
 }

 output "router_id" {
-  value = "${module.network.router_id}"
+  value = module.network.router_id
 }

 output "k8s_master_fips" {
-  value = "${concat(module.ips.k8s_master_fips, module.ips.k8s_master_no_etcd_fips)}"
+  value = concat(module.ips.k8s_master_fips, module.ips.k8s_master_no_etcd_fips)
 }

 output "k8s_node_fips" {
-  value = "${module.ips.k8s_node_fips}"
+  value = var.number_of_k8s_nodes > 0 ? module.ips.k8s_node_fips : [for key, value in module.ips.k8s_nodes_fips : value.address]
 }

 output "bastion_fips" {
-  value = "${module.ips.bastion_fips}"
+  value = module.ips.bastion_fips
 }
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -1,7 +1,11 @@
 variable "cluster_name" {}

 variable "az_list" {
-  type = "list"
+  type = list(string)
+}
+
+variable "az_list_node" {
+  type = list(string)
 }

 variable "number_of_k8s_masters" {}
@@ -34,6 +38,8 @@ variable "gfs_root_volume_size_in_gb" {}

 variable "gfs_volume_size_in_gb" {}

+variable "master_volume_type" {}
+
 variable "public_key_path" {}

 variable "image" {}
@@ -61,37 +67,43 @@ variable "network_id" {
 }

 variable "k8s_master_fips" {
-  type = "list"
+  type = list
 }

 variable "k8s_master_no_etcd_fips" {
-  type = "list"
+  type = list
 }

 variable "k8s_node_fips" {
-  type = "list"
+  type = list
+}
+
+variable "k8s_nodes_fips" {
+  type = map
 }

 variable "bastion_fips" {
-  type = "list"
+  type = list
 }

 variable "bastion_allowed_remote_ips" {
-  type = "list"
+  type = list
 }

 variable "master_allowed_remote_ips" {
-  type = "list"
+  type = list
 }

 variable "k8s_allowed_remote_ips" {
-  type = "list"
+  type = list
 }

 variable "k8s_allowed_egress_ips" {
-  type = "list"
+  type = list
 }

+variable "k8s_nodes" {}
+
 variable "wait_for_floatingip" {}

 variable "supplementary_master_groups" {
@@ -102,12 +114,16 @@ variable "supplementary_node_groups" {
  default = ""
 }

+variable "master_allowed_ports" {
+  type = list
+}
+
 variable "worker_allowed_ports" {
-  type = "list"
+  type = list
 }

 variable "use_access_ip" {}

 variable "use_server_groups" {
  type = bool
-}
+}
--- a/contrib/terraform/openstack/modules/ips/main.tf
+++ b/contrib/terraform/openstack/modules/ips/main.tf
@@ -1,29 +1,36 @@
 resource "null_resource" "dummy_dependency" {
  triggers = {
-    dependency_id = "${var.router_id}"
+    dependency_id = var.router_id
  }
 }

 resource "openstack_networking_floatingip_v2" "k8s_master" {
-  count      = "${var.number_of_k8s_masters}"
-  pool       = "${var.floatingip_pool}"
-  depends_on = ["null_resource.dummy_dependency"]
+  count      = var.number_of_k8s_masters
+  pool       = var.floatingip_pool
+  depends_on = [null_resource.dummy_dependency]
 }

 resource "openstack_networking_floatingip_v2" "k8s_master_no_etcd" {
-  count      = "${var.number_of_k8s_masters_no_etcd}"
-  pool       = "${var.floatingip_pool}"
-  depends_on = ["null_resource.dummy_dependency"]
+  count      = var.number_of_k8s_masters_no_etcd
+  pool       = var.floatingip_pool
+  depends_on = [null_resource.dummy_dependency]
 }

 resource "openstack_networking_floatingip_v2" "k8s_node" {
-  count      = "${var.number_of_k8s_nodes}"
-  pool       = "${var.floatingip_pool}"
-  depends_on = ["null_resource.dummy_dependency"]
+  count      = var.number_of_k8s_nodes
+  pool       = var.floatingip_pool
+  depends_on = [null_resource.dummy_dependency]
 }

 resource "openstack_networking_floatingip_v2" "bastion" {
-  count      = "${var.number_of_bastions}"
-  pool       = "${var.floatingip_pool}"
-  depends_on = ["null_resource.dummy_dependency"]
+  count      = var.number_of_bastions
+  pool       = var.floatingip_pool
+  depends_on = [null_resource.dummy_dependency]
 }
+
+resource "openstack_networking_floatingip_v2" "k8s_nodes" {
+  for_each   = var.number_of_k8s_nodes == 0 ? { for key, value in var.k8s_nodes : key => value if value.floating_ip } : {}
+  pool       = var.floatingip_pool
+  depends_on = [null_resource.dummy_dependency]
+}
+
--- a/contrib/terraform/openstack/modules/ips/outputs.tf
+++ b/contrib/terraform/openstack/modules/ips/outputs.tf
@@ -1,15 +1,19 @@
 output "k8s_master_fips" {
-  value = "${openstack_networking_floatingip_v2.k8s_master[*].address}"
+  value = openstack_networking_floatingip_v2.k8s_master[*].address
 }

 output "k8s_master_no_etcd_fips" {
-  value = "${openstack_networking_floatingip_v2.k8s_master_no_etcd[*].address}"
+  value = openstack_networking_floatingip_v2.k8s_master_no_etcd[*].address
 }

 output "k8s_node_fips" {
-  value = "${openstack_networking_floatingip_v2.k8s_node[*].address}"
+  value = openstack_networking_floatingip_v2.k8s_node[*].address
+}
+
+output "k8s_nodes_fips" {
+  value = openstack_networking_floatingip_v2.k8s_nodes
 }

 output "bastion_fips" {
-  value = "${openstack_networking_floatingip_v2.bastion[*].address}"
+  value = openstack_networking_floatingip_v2.bastion[*].address
 }
--- a/contrib/terraform/openstack/modules/ips/variables.tf
+++ b/contrib/terraform/openstack/modules/ips/variables.tf
@@ -14,4 +14,6 @@ variable "network_name" {}

 variable "router_id" {
  default = ""
-}
+}
+
+variable "k8s_nodes" {}
--- a/contrib/terraform/openstack/modules/network/main.tf
+++ b/contrib/terraform/openstack/modules/network/main.tf
@@ -1,28 +1,33 @@
 resource "openstack_networking_router_v2" "k8s" {
  name                = "${var.cluster_name}-router"
-  count               = "${var.use_neutron}"
+  count               = var.use_neutron == 1 && var.router_id == null ? 1 : 0
  admin_state_up      = "true"
-  external_network_id = "${var.external_net}"
+  external_network_id = var.external_net
+}
+
+data "openstack_networking_router_v2" "k8s" {
+  router_id = var.router_id
+  count     = var.use_neutron == 1 && var.router_id != null ? 1 : 0
 }

 resource "openstack_networking_network_v2" "k8s" {
-  name           = "${var.network_name}"
-  count          = "${var.use_neutron}"
-  dns_domain     = var.network_dns_domain != null ? "${var.network_dns_domain}" : null
+  name           = var.network_name
+  count          = var.use_neutron
+  dns_domain     = var.network_dns_domain != null ? var.network_dns_domain : null
  admin_state_up = "true"
 }

 resource "openstack_networking_subnet_v2" "k8s" {
  name            = "${var.cluster_name}-internal-network"
-  count           = "${var.use_neutron}"
-  network_id      = "${openstack_networking_network_v2.k8s[count.index].id}"
-  cidr            = "${var.subnet_cidr}"
+  count           = var.use_neutron
+  network_id      = openstack_networking_network_v2.k8s[count.index].id
+  cidr            = var.subnet_cidr
  ip_version      = 4
-  dns_nameservers = "${var.dns_nameservers}"
+  dns_nameservers = var.dns_nameservers
 }

 resource "openstack_networking_router_interface_v2" "k8s" {
-  count     = "${var.use_neutron}"
-  router_id = "${openstack_networking_router_v2.k8s[count.index].id}"
-  subnet_id = "${openstack_networking_subnet_v2.k8s[count.index].id}"
+  count     = var.use_neutron
+  router_id = "%{if openstack_networking_router_v2.k8s != []}${openstack_networking_router_v2.k8s[count.index].id}%{else}${var.router_id}%{endif}"
+  subnet_id = openstack_networking_subnet_v2.k8s[count.index].id
 }
--- a/contrib/terraform/openstack/modules/network/outputs.tf
+++ b/contrib/terraform/openstack/modules/network/outputs.tf
@@ -1,11 +1,11 @@
 output "router_id" {
-  value = "${element(concat(openstack_networking_router_v2.k8s.*.id, list("")), 0)}"
+  value = "%{if var.use_neutron == 1} ${var.router_id == null ? element(concat(openstack_networking_router_v2.k8s.*.id, [""]), 0) : var.router_id} %{else} %{endif}"
 }

 output "router_internal_port_id" {
-  value = "${element(concat(openstack_networking_router_interface_v2.k8s.*.id, list("")), 0)}"
+  value = element(concat(openstack_networking_router_interface_v2.k8s.*.id, [""]), 0)
 }

 output "subnet_id" {
-  value = "${element(concat(openstack_networking_subnet_v2.k8s.*.id, list("")), 0)}"
+  value = element(concat(openstack_networking_subnet_v2.k8s.*.id, [""]), 0)
 }
--- a/contrib/terraform/openstack/modules/network/variables.tf
+++ b/contrib/terraform/openstack/modules/network/variables.tf
@@ -7,9 +7,11 @@ variable "network_dns_domain" {}
 variable "cluster_name" {}

 variable "dns_nameservers" {
-  type = "list"
+  type = list
 }

 variable "subnet_cidr" {}

 variable "use_neutron" {}
+
+variable "router_id" {}
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -3,8 +3,14 @@ variable "cluster_name" {
 }

 variable "az_list" {
-  description = "List of Availability Zones available in your OpenStack cluster"
-  type        = "list"
+  description = "List of Availability Zones to use for masters in your OpenStack cluster"
+  type        = list(string)
+  default     = ["nova"]
+}
+
+variable "az_list_node" {
+  description = "List of Availability Zones to use for nodes in your OpenStack cluster"
+  type        = list(string)
  default     = ["nova"]
 }

@@ -68,6 +74,10 @@ variable "gfs_volume_size_in_gb" {
  default = 75
 }

+variable "master_volume_type" {
+  default = "Default"
+}
+
 variable "public_key_path" {
  description = "The path of the ssh pub key"
  default     = "~/.ssh/id_rsa.pub"
@@ -125,7 +135,7 @@ variable "network_name" {

 variable "network_dns_domain" {
  description = "dns_domain for the internal network"
-  type        = "string"
+  type        = string
  default     = null
 }

@@ -136,13 +146,13 @@ variable "use_neutron" {

 variable "subnet_cidr" {
  description = "Subnet CIDR block."
-  type        = "string"
+  type        = string
  default     = "10.0.0.0/24"
 }

 variable "dns_nameservers" {
  description = "An array of DNS name server names used by hosts in this subnet."
-  type        = "list"
+  type        = list
  default     = []
 }

@@ -172,30 +182,36 @@ variable "supplementary_node_groups" {

 variable "bastion_allowed_remote_ips" {
  description = "An array of CIDRs allowed to SSH to hosts"
-  type        = "list"
+  type        = list(string)
  default     = ["0.0.0.0/0"]
 }

 variable "master_allowed_remote_ips" {
  description = "An array of CIDRs allowed to access API of masters"
-  type        = "list"
+  type        = list(string)
  default     = ["0.0.0.0/0"]
 }

 variable "k8s_allowed_remote_ips" {
  description = "An array of CIDRs allowed to SSH to hosts"
-  type        = "list"
+  type        = list(string)
  default     = []
 }

 variable "k8s_allowed_egress_ips" {
  description = "An array of CIDRs allowed for egress traffic"
-  type        = "list"
+  type        = list(string)
  default     = ["0.0.0.0/0"]
 }

+variable "master_allowed_ports" {
+  type = list
+
+  default = []
+}
+
 variable "worker_allowed_ports" {
-  type = "list"
+  type = list

  default = [
    {
@@ -213,4 +229,14 @@ variable "use_access_ip" {

 variable "use_server_groups" {
  default = false
-}
+}
+
+variable "router_id" {
+  description = "uuid of an externally defined router to use"
+  default     = null
+}
+
+variable "k8s_nodes" {
+  default = {}
+}
+
--- a/contrib/terraform/packet/README.md
+++ b/contrib/terraform/packet/README.md
@@ -176,7 +176,7 @@ If you have deployed and destroyed a previous iteration of your cluster, you wil

 #### Test access

-Make sure you can connect to the hosts.  Note that Container Linux by CoreOS will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.
+Make sure you can connect to the hosts.  Note that Flatcar Container Linux by Kinvolk will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.

 ```
 $ ansible -i inventory/$CLUSTER/hosts -m ping all
--- a/contrib/terraform/terraform.py
+++ b/contrib/terraform/terraform.py
@@ -223,8 +223,8 @@ def packet_device(resource, tfvars=None):
        'provider': 'packet',
    }

-    if raw_attrs['operating_system'] == 'coreos_stable':
-        # For CoreOS set the ssh_user to core
+    if raw_attrs['operating_system'] == 'flatcar_stable':
+        # For Flatcar set the ssh_user to core
        attrs.update({'ansible_ssh_user': 'core'})

    # add groups based on attrs
@@ -319,9 +319,7 @@ def openstack_host(resource, module_name):

    # attrs specific to Mantl
    attrs.update({
-        'consul_dc': _clean_dc(attrs['metadata'].get('dc', module_name)),
-        'role': attrs['metadata'].get('role', 'none'),
-        'ansible_python_interpreter': attrs['metadata'].get('python_bin','python')
+        'role': attrs['metadata'].get('role', 'none')
    })

    # add groups based on attrs
@@ -331,10 +329,6 @@ def openstack_host(resource, module_name):
                  for item in list(attrs['metadata'].items()))
    groups.append('os_region=' + attrs['region'])

-    # groups specific to Mantl
-    groups.append('role=' + attrs['metadata'].get('role', 'none'))
-    groups.append('dc=' + attrs['consul_dc'])
-
    # groups specific to kubespray
    for group in attrs['metadata'].get('kubespray_groups', "").split(","):
        groups.append(group)
--- a/contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml
@@ -13,7 +13,7 @@
      /usr/local/share/ca-certificates/vault-ca.crt
      {%- elif ansible_os_family == "RedHat" -%}
      /etc/pki/ca-trust/source/anchors/vault-ca.crt
-      {%- elif ansible_os_family in ["Coreos", "Container Linux by CoreOS"] -%}
+      {%- elif ansible_os_family in ["Flatcar Container Linux by Kinvolk"] -%}
      /etc/ssl/certs/vault-ca.pem
      {%- endif %}

@@ -23,9 +23,9 @@
    dest: "{{ ca_cert_path }}"
  register: vault_ca_cert

- name: bootstrap/ca_trust | update ca-certificates (Debian/Ubuntu/CoreOS)
+- name: bootstrap/ca_trust | update ca-certificates (Debian/Ubuntu/Flatcar)
  command: update-ca-certificates
-  when: vault_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS"]
+  when: vault_ca_cert.changed and ansible_os_family in ["Debian", "Flatcar Container Linux by Kinvolk"]

 - name: bootstrap/ca_trust | update ca-certificates (RedHat)
  command: update-ca-trust extract
--- a/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml
@@ -6,11 +6,11 @@

 - name: bootstrap/start_vault_temp | Start single node Vault with file backend
  command: >
-           docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }}
-           -p {{ vault_port }}:{{ vault_port }}
-           -e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
-           -v /etc/vault:/etc/vault
-           {{ vault_image_repo }}:{{ vault_version }} server
+          docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }}
+          -p {{ vault_port }}:{{ vault_port }}
+          -e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
+          -v /etc/vault:/etc/vault
+          {{ vault_image_repo }}:{{ vault_version }} server

 - name: bootstrap/start_vault_temp | Start again single node Vault with file backend
  command: docker start {{ vault_temp_container_name }}
--- a/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml
+++ b/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml
@@ -21,9 +21,9 @@
 - name: bootstrap/sync_secrets | Print out warning message if secrets are not available and vault is initialized
  pause:
    prompt: >
-         Vault orchestration may not be able to proceed. The Vault cluster is initialized, but
-         'root_token' or 'unseal_keys' were not found in {{ vault_secrets_dir }}. These are
-         needed for many vault orchestration steps.
+          Vault orchestration may not be able to proceed. The Vault cluster is initialized, but
+          'root_token' or 'unseal_keys' were not found in {{ vault_secrets_dir }}. These are
+          needed for many vault orchestration steps.
  when: vault_cluster_is_initialized and not vault_secrets_available

 - name: bootstrap/sync_secrets | Cat root_token from a vault host
--- a/contrib/vault/roles/vault/tasks/shared/check_etcd.yml
+++ b/contrib/vault/roles/vault/tasks/shared/check_etcd.yml
@@ -25,6 +25,6 @@
 - name: check_etcd | Fail if etcd is not available and needed
  fail:
    msg: >
-         Unable to start Vault cluster! Etcd is not available at
-         {{ vault_etcd_url.split(',') | first }} however it is needed by Vault as a backend.
+        Unable to start Vault cluster! Etcd is not available at
+        {{ vault_etcd_url.split(',') | first }} however it is needed by Vault as a backend.
  when: vault_etcd_needed|d() and not vault_etcd_available
--- a/contrib/vault/roles/vault/tasks/shared/check_vault.yml
+++ b/contrib/vault/roles/vault/tasks/shared/check_vault.yml
@@ -36,6 +36,7 @@
      {{ etcd_access_addresses.split(',') | first }}/v3alpha/kv/range
  register: vault_etcd_exists
  retries: 4
+  until: vault_etcd_exists.status == 200
  delay: "{{ retry_stagger | random + 3 }}"
  run_once: true
  when: not vault_is_running and vault_etcd_available
@@ -45,7 +46,7 @@
  set_fact:
    vault_cluster_is_initialized: >-
      {{ vault_is_initialized or
-         hostvars[item]['vault_is_initialized'] or
-         ('value' in vault_etcd_exists.stdout|default('')) }}
+        hostvars[item]['vault_is_initialized'] or
+        ('value' in vault_etcd_exists.stdout|default('')) }}
  with_items: "{{ groups.vault }}"
  run_once: true
--- a/contrib/vault/roles/vault/tasks/shared/create_role.yml
+++ b/contrib/vault/roles/vault/tasks/shared/create_role.yml
@@ -6,9 +6,9 @@
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    name: "{{ create_role_name }}"
    rules: >-
-           {%- if create_role_policy_rules|d("default") == "default" -%}
-           {{
-           { 'path': {
+            {%- if create_role_policy_rules|d("default") == "default" -%}
+            {{
+            { 'path': {
                create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
                create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
            }} | to_json + '\n'
@@ -24,13 +24,13 @@
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    secret: "{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    data: |
-     {%- if create_role_options|d("default") == "default" -%}
-     {
-     allow_any_name: true
-     }
-     {%- else -%}
-     {{ create_role_options | to_json }}
-     {%- endif -%}
+      {%- if create_role_options|d("default") == "default" -%}
+      {
+      allow_any_name: true
+      }
+      {%- else -%}
+      {{ create_role_options | to_json }}
+      {%- endif -%}

 ## Userpass based auth method

--- a/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml
+++ b/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml
@@ -18,8 +18,8 @@
 - name: shared/gen_userpass | Copy credentials to all hosts in the group
  copy:
    content: >
-             {{
-             {'username': gen_userpass_username,
-              'password': gen_userpass_password} | to_nice_json(indent=4)
-             }}
+            {{
+            {'username': gen_userpass_username,
+            'password': gen_userpass_password} | to_nice_json(indent=4)
+            }}
    dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
--- a/contrib/vault/roles/vault/templates/http-proxy.conf.j2
+++ b/contrib/vault/roles/vault/templates/http-proxy.conf.j2
@@ -1,2 +1,2 @@
 [Service]
-Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}
+Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -7,7 +7,9 @@
  * [Integration](docs/integration.md)
  * [Upgrades](/docs/upgrades.md)
  * [HA Mode](docs/ha-mode.md)
+  * [Adding/replacing a node](docs/nodes.md)
  * [Large deployments](docs/large-deployments.md)
+  * [Air-Gap Installation](docs/offline-environment.md)
 * CNI
  * [Calico](docs/calico.md)
  * [Contiv](docs/contiv.md)
@@ -15,6 +17,8 @@
  * [Kube Router](docs/kube-router.md)
  * [Weave](docs/weave.md)
  * [Multus](docs/multus.md)
+* Ingress
+  * [Ambassador](docs/ambassador.md)
 * [Cloud providers](docs/cloud.md)
  * [AWS](docs/aws.md)
  * [Azure](docs/azure.md)
@@ -22,9 +26,9 @@
  * [Packet](/docs/packet.md)
  * [vSphere](/docs/vsphere.md)
 * Operating Systems
-  * [Atomic](docs/atomic.md)
  * [Debian](docs/debian.md)
-  * [Coreos](docs/coreos.md)
+  * [Flatcar Container Linux](docs/flatcar.md)
+  * [Fedora CoreOS](docs/fcos.md)
  * [OpenSUSE](docs/opensuse.md)
 * Advanced
  * [Proxy](/docs/proxy.md)
@@ -36,4 +40,6 @@
 * Developers
  * [Test cases](docs/test_cases.md)
  * [Vagrant](docs/vagrant.md)
+  * [CI Matrix](docs/ci.md)
+  * [CI Setup](docs/ci-setup.md)
 * [Roadmap](docs/roadmap.md)
--- a/docs/ambassador.md
+++ b/docs/ambassador.md
@@ -0,0 +1,87 @@
+
+# Ambassador
+
+The [Ambassador API Gateway](https://github.com/datawire/ambassador) provides all the functionality of a traditional ingress controller
+(e.g., path-based routing) while exposing many additional capabilities such as authentication,
+URL rewriting, CORS, rate limiting, and automatic metrics collection.
+
+## Installation
+
+### Configuration
+
+* `ingress_ambassador_namespace` (default `ambassador`): namespace for installing Ambassador.
+* `ingress_ambassador_update_window` (default `0 0 * * SUN`): _crontab_-like expression
+  for specifying when the Operator should try to update the Ambassador API Gateway.
+* `ingress_ambassador_version` (defaulkt: `*`): SemVer rule for versions allowed for
+  installation/updates.
+* `ingress_ambassador_secure_port` (default: 443): HTTPS port to listen at.
+* `ingress_ambassador_insecure_port` (default: 80): HTTP port to listen at.
+
+### Ambassador Operator
+
+This Ambassador addon deploys the Ambassador Operator, which in turn will install
+the [Ambassador API Gateway](https://github.com/datawire/ambassador) in
+a Kubernetes cluster.
+
+The Ambassador Operator is a Kubernetes Operator that controls Ambassador's complete lifecycle
+in your cluster, automating many of the repeatable tasks you would otherwise have to perform
+yourself.  Once installed, the Operator will complete installations and seamlessly upgrade to new
+versions of Ambassador as they become available.
+
+## Usage
+
+The following example creates simple http-echo services and an `Ingress` object
+to route to these services.
+
+Note well that the [Ambassador API Gateway](https://github.com/datawire/ambassador) will automatically load balance `Ingress` resources
+that include the annotation `kubernetes.io/ingress.class=ambassador`. All the other
+resources will be just ignored.
+
+```yaml
+kind: Pod
+apiVersion: v1
+metadata:
+  name: foo-app
+  labels:
+    app: foo
+spec:
+  containers:
+  - name: foo-app
+    image: hashicorp/http-echo
+    args:
+    - "-text=foo"
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: foo-service
+spec:
+  selector:
+    app: foo
+  ports:
+  # Default port used by the image
+  - port: 5678
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: example-ingress
+  annotations:
+    kubernetes.io/ingress.class: ambassador
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /foo
+        backend:
+          serviceName: foo-service
+          servicePort: 5678
+```
+
+Now you can test that the ingress is working with curl:
+
+```console
+$ export AMB_IP=$(kubectl get service ambassador -n ambassador -o 'go-template={{range .status.loadBalancer.ingress}}{{print .ip "\n"}}{{end}}')
+$ curl $AMB_IP/foo
+foo
+```
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -68,7 +68,7 @@ Optional variables are located in the `inventory/sample/group_vars/all.yml`.
 Mandatory variables that are common for at least one role (or a node group) can be found in the
 `inventory/sample/group_vars/k8s-cluster.yml`.
 There are also role vars for docker, kubernetes preinstall and master roles.
-According to the [ansible docs](http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable),
+According to the [ansible docs](https://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable),
 those cannot be overridden from the group vars. In order to override, one should use
 the `-e` runtime flags (most simple way) or other layers described in the docs.

@@ -137,6 +137,8 @@ The following tags are defined in playbooks:
 |                  upgrade | Upgrading, f.e. container images/binaries
 |                   upload | Distributing images/binaries across hosts
 |                    weave | Network plugin Weave
+|              ingress_alb | AWS ALB Ingress Controller
+|              ambassador  | Ambassador Ingress Controller

 Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all
 tags found in the codebase. New tags will be listed with the empty "Used for"
@@ -181,4 +183,8 @@ bastion ansible_host=x.x.x.x
 ```

 For more information about Ansible and bastion hosts, read
-[Running Ansible Through an SSH Bastion Host](http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/)
+[Running Ansible Through an SSH Bastion Host](https://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/)
+
+## Mitogen
+
+You can use [mitogen](mitogen.md) to speed up kubespray.
--- a/docs/atomic.md
+++ b/docs/atomic.md
@@ -1,22 +0,0 @@
-# Atomic host bootstrap
-
-Atomic host testing has been done with the network plugin flannel. Change the inventory var `kube_network_plugin: flannel`.
-
-Note: Flannel is the only plugin that has currently been tested with atomic
-
-## Vagrant
-
-* For bootstrapping with Vagrant, use box centos/atomic-host or fedora/atomic-host
-* Update VagrantFile variable `local_release_dir` to `/var/vagrant/temp`.
-* Update `vm_memory = 2048` and `vm_cpus = 2`
-* Networking on vagrant hosts has to be brought up manually once they are booted.
-
-    ```ShellSession
-    vagrant ssh
-    sudo /sbin/ifup enp0s8
-    ```
-
-* For users of vagrant-libvirt download centos/atomic-host qcow2 format from <https://wiki.centos.org/SpecialInterestGroup/Atomic/Download/>
-* For users of vagrant-libvirt download fedora/atomic-host qcow2 format from <https://dl.fedoraproject.org/pub/alt/atomic/stable/>
-
-Then you can proceed to [cluster deployment](#run-deployment)
--- a/docs/aws-ebs-csi.md
+++ b/docs/aws-ebs-csi.md
@@ -0,0 +1,87 @@
+# AWS EBS CSI Driver
+
+AWS EBS CSI driver allows you to provision EBS volumes for pods in EC2 instances. The old in-tree AWS cloud provider is deprecated and will be removed in future versions of Kubernetes. So transitioning to the CSI driver is advised.
+
+To enable AWS EBS CSI driver, uncomment the `aws_ebs_csi_enabled` option in `group_vars/all/aws.yml` and set it to `true`.
+
+To set the number of replicas for the AWS CSI controller, you can change `aws_ebs_csi_controller_replicas` option in `group_vars/all/aws.yml`.
+
+Make sure to add a role, for your EC2 instances hosting Kubernetes, that allows it to do the actions necessary to request a volume and attach it: [AWS CSI Policy](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
+
+If you want to deploy the AWS EBS storage class used with the CSI Driver, you should set `persistent_volumes_enabled` in `group_vars/k8s-cluster/k8s-cluster.yml` to `true`.
+
+You can now run the kubespray playbook (cluster.yml) to deploy Kubernetes over AWS EC2 with EBS CSI Driver enabled.
+
+## Usage example
+
+To check if AWS EBS CSI Driver is deployed properly, check that the ebs-csi pods are running:
+
+```ShellSession
+$ kubectl -n kube-system get pods | grep ebs
+ebs-csi-controller-85d86bccc5-8gtq5                                  4/4     Running   4          40s
+ebs-csi-node-n4b99                                                   3/3     Running   3          40s
+```
+
+Check the associated storage class (if you enabled persistent_volumes):
+
+```ShellSession
+$ kubectl get storageclass
+NAME         PROVISIONER                AGE
+ebs-sc   ebs.csi.aws.com   45s
+```
+
+You can run a PVC and an example Pod using this file `ebs-pod.yml`:
+
+```yml
+--
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ebs-claim
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: ebs-sc
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app
+spec:
+  containers:
+  - name: app
+    image: centos
+    command: ["/bin/sh"]
+    args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
+    volumeMounts:
+    - name: persistent-storage
+      mountPath: /data
+  volumes:
+  - name: persistent-storage
+    persistentVolumeClaim:
+      claimName: ebs-claim
+```
+
+Apply this conf to your cluster: ```kubectl apply -f ebs-pod.yml```
+
+You should see the PVC provisioned and bound:
+
+```ShellSession
+$ kubectl get pvc
+NAME                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+ebs-claim   Bound    pvc-0034cb9e-1ddd-4b3f-bb9e-0b5edbf5194c   1Gi        RWO            ebs-sc         50s
+```
+
+And the volume mounted to the example Pod (wait until the Pod is Running):
+
+```ShellSession
+$ kubectl exec -it app -- df -h | grep data
+/dev/nvme1n1   1014M   34M  981M   4% /data
+```
+
+## More info
+
+For further information about the AWS EBS CSI Driver, you can refer to this page: [AWS EBS Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/).
--- a/docs/azure-csi.md
+++ b/docs/azure-csi.md
@@ -0,0 +1,119 @@
+# Azure Disk CSI Driver
+
+The Azure Disk CSI driver allows you to provision volumes for pods with a Kubernetes deployment over Azure Cloud. The CSI driver replaces to volume provioning done by the in-tree azure cloud provider which is deprecated.
+
+This documentation is an updated version of the in-tree Azure cloud provider documentation (azure.md).
+
+To deploy Azure Disk CSI driver, uncomment the `azure_csi_enabled` option in `group_vars/all/azure.yml` and set it to `true`.
+
+## Azure Disk CSI Storage Class
+
+If you want to deploy the Azure Disk storage class to provision volumes dynamically, you should set `persistent_volumes_enabled` in `group_vars/k8s-cluster/k8s-cluster.yml` to `true`.
+
+## Parameters
+
+Before creating the instances you must first set the `azure_csi_` variables in the `group_vars/all.yml` file.
+
+All of the values can be retrieved using the azure cli tool which can be downloaded here: <https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest>
+
+After installation you have to run `az login` to get access to your account.
+
+### azure\_csi\_tenant\_id + azure\_csi\_subscription\_id
+
+Run `az account show` to retrieve your subscription id and tenant id:
+`azure_csi_tenant_id` -> tenantId field
+`azure_csi_subscription_id` -> id field
+
+### azure\_csi\_location
+
+The region your instances are located in, it can be something like `francecentral` or `norwayeast`. A full list of region names can be retrieved via `az account list-locations`
+
+### azure\_csi\_resource\_group
+
+The name of the resource group your instances are in, a list of your resource groups can be retrieved via `az group list`
+
+Or you can do `az vm list | grep resourceGroup` and get the resource group corresponding to the VMs of your cluster.
+
+The resource group name is not case sensitive.
+
+### azure\_csi\_vnet\_name
+
+The name of the virtual network your instances are in, can be retrieved via `az network vnet list`
+
+### azure\_csi\_vnet\_resource\_group
+
+The name of the resource group your vnet is in, can be retrieved via `az network vnet list | grep resourceGroup` and get the resource group corresponding to the vnet of your cluster.
+
+### azure\_csi\_subnet\_name
+
+The name of the subnet your instances are in, can be retrieved via `az network vnet subnet list --resource-group RESOURCE_GROUP --vnet-name VNET_NAME`
+
+### azure\_csi\_security\_group\_name
+
+The name of the network security group your instances are in, can be retrieved via `az network nsg list`
+
+### azure\_csi\_aad\_client\_id + azure\_csi\_aad\_client\_secret
+
+These will have to be generated first:
+
+- Create an Azure AD Application with:
+`az ad app create --display-name kubespray --identifier-uris http://kubespray --homepage http://kubespray.com --password CLIENT_SECRET`
+
+Display name, identifier-uri, homepage and the password can be chosen
+
+Note the AppId in the output.
+
+- Create Service principal for the application with:
+`az ad sp create --id AppId`
+
+This is the AppId from the last command
+
+- Create the role assignment with:
+`az role assignment create --role "Owner" --assignee http://kubespray --subscription SUBSCRIPTION_ID`
+
+azure\_csi\_aad\_client\_id must be set to the AppId, azure\_csi\_aad\_client\_secret is your chosen secret.
+
+### azure\_csi\_use\_instance\_metadata
+
+Use instance metadata service where possible. Boolean value.
+
+## Test the Azure Disk CSI driver
+
+To test the dynamic provisioning using Azure CSI driver, make sure to have the storage class deployed (through persistent volumes), and apply the following manifest:
+
+```yml
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-azuredisk
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: disk.csi.azure.com
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: nginx-azuredisk
+spec:
+  nodeSelector:
+    kubernetes.io/os: linux
+  containers:
+    - image: nginx
+      name: nginx-azuredisk
+      command:
+        - "/bin/sh"
+        - "-c"
+        - while true; do echo $(date) >> /mnt/azuredisk/outfile; sleep 1; done
+      volumeMounts:
+        - name: azuredisk
+          mountPath: "/mnt/azuredisk"
+  volumes:
+    - name: azuredisk
+      persistentVolumeClaim:
+        claimName: pvc-azuredisk
+```
--- a/docs/azure.md
+++ b/docs/azure.md
@@ -1,57 +1,84 @@
 # Azure

-To deploy Kubernetes on [Azure](https://azure.microsoft.com) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'azure'`.
+To deploy Kubernetes on [Azure](https://azure.microsoft.com) uncomment the `cloud_provider` option in `group_vars/all/all.yml` and set it to `'azure'`.

 All your instances are required to run in a resource group and a routing table has to be attached to the subnet your instances are in.

-Not all features are supported yet though, for a list of the current status have a look [here](https://github.com/colemickens/azure-kubernetes-status)
+Not all features are supported yet though, for a list of the current status have a look [here](https://github.com/Azure/AKS)

 ## Parameters

-Before creating the instances you must first set the `azure_` variables in the `group_vars/all.yml` file.
+Before creating the instances you must first set the `azure_` variables in the `group_vars/all/all.yml` file.

 All of the values can be retrieved using the azure cli tool which can be downloaded here: <https://docs.microsoft.com/en-gb/azure/xplat-cli-install>
-After installation you have to run `azure login` to get access to your account.
+After installation you have to run `az login` to get access to your account.
+
+### azure_cloud
+
+Azure Stack has different API endpoints, depending on the Azure Stack deployment. These need to be provided to the Azure SDK.
+Possible values are: `AzureChinaCloud`, `AzureGermanCloud`, `AzurePublicCloud` and `AzureUSGovernmentCloud`.
+The full list of existing settings for the AzureChinaCloud, AzureGermanCloud, AzurePublicCloud and AzureUSGovernmentCloud
+is available in the source code [here](https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/docs/cloud-provider-config.md)

 ### azure\_tenant\_id + azure\_subscription\_id

-run `azure account show` to retrieve your subscription id and tenant id:
+run `az account show` to retrieve your subscription id and tenant id:
 `azure_tenant_id` -> Tenant ID field
 `azure_subscription_id` -> ID field

 ### azure\_location

-The region your instances are located, can be something like `westeurope` or `westcentralus`. A full list of region names can be retrieved via `azure location list`
+The region your instances are located, can be something like `westeurope` or `westcentralus`. A full list of region names can be retrieved via `az account list-locations`

 ### azure\_resource\_group

-The name of the resource group your instances are in, can be retrieved via `azure group list`
+The name of the resource group your instances are in, can be retrieved via `az group list`
+
+### azure\_vmtype
+
+The type of the vm. Supported values are `standard` or `vmss`. If vm is type of `Virtal Machines` then value is `standard`. If vm is part of `Virtaul Machine Scale Sets` then value is `vmss`

 ### azure\_vnet\_name

-The name of the virtual network your instances are in, can be retrieved via `azure network vnet list`
+The name of the virtual network your instances are in, can be retrieved via `az network vnet list`
+
+### azure\_vnet\_resource\_group
+
+The name of the resource group that contains the vnet.

 ### azure\_subnet\_name

-The name of the subnet your instances are in, can be retrieved via `azure network vnet subnet list --resource-group RESOURCE_GROUP --vnet-name VNET_NAME`
+The name of the subnet your instances are in, can be retrieved via `az network vnet subnet list --resource-group RESOURCE_GROUP --vnet-name VNET_NAME`

 ### azure\_security\_group\_name

-The name of the network security group your instances are in, can be retrieved via `azure network nsg list`
+The name of the network security group your instances are in, can be retrieved via `az network nsg list`
+
+### azure\_security\_group\_resource\_group
+
+The name of the resource group that contains the network security group.  Defaults to `azure_vnet_resource_group`
+
+### azure\_route\_table\_name
+
+The name of the route table used with your instances.
+
+### azure\_route\_table\_resource\_group
+
+The name of the resource group that contains the route table.  Defaults to `azure_vnet_resource_group`

 ### azure\_aad\_client\_id + azure\_aad\_client\_secret

 These will have to be generated first:

 - Create an Azure AD Application with:
-`azure ad app create --display-name kubernetes --identifier-uris http://kubernetes --homepage http://example.com --password CLIENT_SECRET`
+`az ad app create --display-name kubernetes --identifier-uris http://kubernetes --homepage http://example.com --password CLIENT_SECRET`
 display name, identifier-uri, homepage and the password can be chosen
 Note the AppId in the output.
 - Create Service principal for the application with:
-`azure ad sp create --id AppId`
+`az ad sp create --id AppId`
 This is the AppId from the last command
 - Create the role assignment with:
-`azure role assignment create --role "Owner" --assignee http://kubernetes --subscription SUBSCRIPTION_ID`
+`az role assignment create --role "Owner" --assignee http://kubernetes --subscription SUBSCRIPTION_ID`

 azure\_aad\_client\_id must be set to the AppId, azure\_aad\_client\_secret is your chosen secret.

--- a/docs/calico.md
+++ b/docs/calico.md
@@ -12,55 +12,55 @@ Check if the calico-node container is running
 docker ps | grep calico
 ```

-The **calicoctl** command allows to check the status of the network workloads.
+The **calicoctl.sh** is wrap script with configured acces credentials for command calicoctl allows to check the status of the network workloads.

 * Check the status of Calico nodes

 ```ShellSession
-calicoctl node status
+calicoctl.sh node status
 ```

 or for versions prior to *v1.0.0*:

 ```ShellSession
-calicoctl status
+calicoctl.sh status
 ```

 * Show the configured network subnet for containers

 ```ShellSession
-calicoctl get ippool -o wide
+calicoctl.sh get ippool -o wide
 ```

 or for versions prior to *v1.0.0*:

 ```ShellSession
-calicoctl pool show
+calicoctl.sh pool show
 ```

-* Show the workloads (ip addresses of containers and their located)
+* Show the workloads (ip addresses of containers and their location)

 ```ShellSession
-calicoctl get workloadEndpoint -o wide
+calicoctl.sh get workloadEndpoint -o wide
 ```

 and

 ```ShellSession
-calicoctl get hostEndpoint -o wide
+calicoctl.sh get hostEndpoint -o wide
 ```

 or for versions prior *v1.0.0*:

 ```ShellSession
-calicoctl endpoint show --detail
+calicoctl.sh endpoint show --detail
 ```

 ## Configuration

 ### Optional : Define network backend

-In some cases you may want to define Calico network backend. Allowed values are 'bird', 'gobgp' or 'none'. Bird is a default value.
+In some cases you may want to define Calico network backend. Allowed values are `bird`, `vxlan` or `none`. Bird is a default value.

 To re-define you need to edit the inventory and add a group variable `calico_network_backend`

@@ -199,9 +199,29 @@ To re-define health host please set the following variable in your inventory:
 calico_healthhost: "0.0.0.0"
 ```

+## Config encapsulation for cross server traffic
+
+Calico supports two types of encapsulation: [VXLAN and IP in IP](https://docs.projectcalico.org/v3.11/networking/vxlan-ipip). VXLAN is supported in some environments where IP in IP is not (for example, Azure).
+
+*IP in IP* and *VXLAN* is mutualy exclusive modes.
+
+Configure Ip in Ip mode. Possible values is `Always`, `CrossSubnet`, `Never`.
+
+```yml
+calico_ipip_mode: 'Always'
+```
+
+Configure VXLAN mode. Possible values is `Always`, `CrossSubnet`, `Never`.
+
+```yml
+calico_vxlan_mode: 'Never'
+```
+
+If you use VXLAN mode, BGP networking is not required. You can disable BGP to reduce the moving parts in your cluster by `calico_network_backend: vxlan`
+
 ## Cloud providers configuration

-Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``ipip: true`` if the cloud provider was defined.
+Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``calico_ipip_mode: Always`` if the cloud provider was defined.

 ### Optional : Ignore kernel's RPF check setting

@@ -215,6 +235,15 @@ Note that in OpenStack you must allow `ipip` traffic in your security groups,
 otherwise you will experience timeouts.
 To do this you must add a rule which allows it, for example:

+### Optional : Felix configuration via extraenvs of calico node
+
+Possible environment variable parameters for [configuring Felix](https://docs.projectcalico.org/reference/felix/configuration)
+
+```yml
+calico_node_extra_envs:
+    FELIX_DEVICEROUTESOURCEADDRESS: 172.17.0.1
+```
+
 ```ShellSession
 neutron  security-group-rule-create  --protocol 4  --direction egress  k8s-a0tp4t
 neutron  security-group-rule-create  --protocol 4  --direction igress  k8s-a0tp4t
--- a/docs/centos8.md
+++ b/docs/centos8.md
@@ -0,0 +1,9 @@
+# RHEL / CentOS 8
+
+RHEL / CentOS 8 ships only with iptables-nft (ie without iptables-legacy)
+The only tested configuration for now is using Calico CNI
+You need to use K8S 1.17+ and to add `calico_iptables_backend: "NFT"` or `calico_iptables_backend: "Auto"` to your configuration
+
+If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
+you need to ensure they are using iptables-nft.
+An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
--- a/docs/ci-setup.md
+++ b/docs/ci-setup.md
@@ -0,0 +1,20 @@
+# CI Setup
+
+## Pipeline
+
+1. unit-tests: fast jobs for fast feedback (linting, etc...)
+2. deploy-part1: small number of jobs to test if the PR works with default settings
+3. deploy-part2: slow jobs testing different platforms, OS, settings, CNI, etc...
+4. deploy-part3: very slow jobs (upgrades, etc...)
+
+## Runners
+
+Kubespray has 3 types of GitLab runners:
+
+- packet runners: used for E2E jobs (usually long)
+- light runners: used for short lived jobs
+- auto scaling runners: used for on-demand resources, see [GitLab docs](https://docs.gitlab.com/runner/configuration/autoscale.html) for more info
+
+## Vagrant
+
+Vagrant jobs are using the [quay.io/kubespray/vagrant](/test-infra/vagrant-docker/Dockerfile) docker image with `/var/run/libvirt/libvirt-sock` exposed from the host, allowing the container to boot VMs on the host.
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -0,0 +1,54 @@
+# CI test coverage
+
+To generate this Matrix run `./tests/scripts/md-table/main.py`
+
+## docker
+
+| OS / CNI | calico | canal | cilium | contiv | flannel | kube-ovn | kube-router | macvlan | ovn4nfv | weave |
+|---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+amazon |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+centos7 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: |
+centos8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: |
+debian10 |  :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+debian9 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: |
+fedora31 |  :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+fedora32 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
+opensuse |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+oracle7 |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu16 |  :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: |
+ubuntu18 |  :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: |
+ubuntu20 |  :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+
+## crio
+
+| OS / CNI | calico | canal | cilium | contiv | flannel | kube-ovn | kube-router | macvlan | ovn4nfv | weave |
+|---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+centos7 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+centos8 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+debian10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+debian9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora31 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora32 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+opensuse |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+oracle7 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu16 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu18 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu20 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+
+## containerd
+
+| OS / CNI | calico | canal | cilium | contiv | flannel | kube-ovn | kube-router | macvlan | ovn4nfv | weave |
+|---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+centos7 |  :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+centos8 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+debian10 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+debian9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora31 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora32 |  :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: |
+opensuse |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+oracle7 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu16 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu18 |  :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+ubuntu20 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
--- a/docs/cilium.md
+++ b/docs/cilium.md
@@ -0,0 +1,13 @@
+# Cilium
+
+## Kube-proxy replacement with Cilium
+
+Cilium can run without kube-proxy by setting `cilium_kube_proxy_replacement`
+to `strict`.
+
+Without kube-proxy, cilium needs to know the address of the kube-apiserver
+and this must be set globally for all cilium components (agents and operators).
+Hence, in this configuration in Kubespray, Cilium will always contact
+the external loadbalancer (even from a node in the control plane)
+and if there is no external load balancer It will ignore any local load
+balancer deployed by Kubespray and **only contacts the first master**.
--- a/docs/comparisons.md
+++ b/docs/comparisons.md
@@ -1,4 +1,4 @@
-# Comparaison
+# Comparison

 ## Kubespray vs [Kops](https://github.com/kubernetes/kops)

--- a/docs/containerd.md
+++ b/docs/containerd.md
@@ -0,0 +1,31 @@
+# conrainerd
+
+[containerd] An industry-standard container runtime with an emphasis on simplicity, robustness and portability
+Kubespray supports basic functionality for using containerd as the default container runtime in a cluster.
+
+_To use the containerd container runtime set the following variables:_
+
+## k8s-cluster.yml
+
+```yaml
+container_manager: containerd
+```
+
+## Containerd config
+
+Example: define registry mirror for docker hub
+
+```yaml
+containerd_config:
+  grpc:
+    max_recv_message_size: 16777216
+    max_send_message_size: 16777216
+  debug:
+    level: ""
+  registries:
+    "docker.io":
+      - "https://mirror.gcr.io"
+      - "https://registry-1.docker.io"
+```
+
+[containerd]: https://containerd.io/
--- a/Show More
+++ b/Show More