Simplify usage of pre-remove role (#8334)

- Use builtin task scheduling of ansible (same task on each host)
  instead of manual looping on master

Benefits:
- One less play in remove-node.yml playbook
- Parralel node drain
- Drain parameters (timeout, grace period, retries,
  allow_ungraceful_removal) can be adjusted separately for each node
  with ansible variables

.ansible-lint

@@ -18,3 +18,13 @@ skip_list:
   # While it can be useful to have these metadata available, they are also available in the existing documentation.
   # (Disabled in May 2019)
   - '701'
+
+  # [role-name] "meta/main.yml" Role name role-name does not match ``^+$`` pattern
+  # Meta roles in Kubespray don't need proper names
+  # (Disabled in June 2021)
+  - 'role-name'
+
+  # [var-naming] "defaults/main.yml" File defines variable 'apiVersion' that violates variable naming standards
+  # In Kubespray we use variables that use camelCase to match their k8s counterparts
+  # (Disabled in June 2021)
+  - 'var-naming'

.gitignore

@@ -99,3 +99,13 @@ target/
 # virtualenv
 venv/
 ENV/
+
+# molecule
+roles/**/molecule/**/__pycache__/
+roles/**/molecule/**/*.conf
+
+# macOS
+.DS_Store
+
+# Temp location used by our scripts
+scripts/tmp/

.gitlab-ci.yml

@@ -8,7 +8,7 @@ stages:
   - deploy-special
 
 variables:
-  KUBESPRAY_VERSION: v2.14.1
+  KUBESPRAY_VERSION: v2.17.1
   FAILFASTCI_NAMESPACE: 'kargo-ci'
   GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
   ANSIBLE_FORCE_COLOR: "true"
@@ -16,6 +16,7 @@ variables:
   TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
   CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
   CI_TEST_REGISTRY_MIRROR: "./tests/common/_docker_hub_registry_mirror.yml"
+  CI_TEST_SETTING: "./tests/common/_kubespray_test_settings.yml"
   GS_ACCESS_KEY_ID: $GS_KEY
   GS_SECRET_ACCESS_KEY: $GS_SECRET
   CONTAINER_ENGINE: docker
@@ -30,12 +31,15 @@ variables:
   MITOGEN_ENABLE: "false"
   ANSIBLE_LOG_LEVEL: "-vv"
   RECOVER_CONTROL_PLANE_TEST: "false"
-  RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube-master[1:]"
+  RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube_control_plane[1:]"
+  TERRAFORM_VERSION: 1.0.8
+  ANSIBLE_MAJOR_VERSION: "2.10"
 
 before_script:
   - ./tests/scripts/rebase.sh
   - update-alternatives --install /usr/bin/python python /usr/bin/python3 1
-  - python -m pip install -r tests/requirements.txt
+  - python -m pip uninstall -y ansible ansible-base ansible-core
+  - python -m pip install -r tests/requirements-${ANSIBLE_MAJOR_VERSION}.txt
   - mkdir -p /.ssh
 
 .job: &job
@@ -49,6 +53,7 @@ before_script:
 
 .testcases: &testcases
   <<: *job
+  retry: 1
   before_script:
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 1
     - ./tests/scripts/rebase.sh

.gitlab-ci/lint.yml

@@ -14,7 +14,7 @@ vagrant-validate:
   stage: unit-tests
   tags: [light]
   variables:
-    VAGRANT_VERSION: 2.2.10
+    VAGRANT_VERSION: 2.2.19
   script:
     - ./tests/scripts/vagrant-validate.sh
   except: ['triggers', 'master']
@@ -53,6 +53,7 @@ tox-inventory-builder:
     - ./tests/scripts/rebase.sh
     - apt-get update && apt-get install -y python3-pip
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+    - python -m pip uninstall -y ansible
     - python -m pip install -r tests/requirements.txt
   script:
     - pip3 install tox

.gitlab-ci/packet.yml

@@ -2,6 +2,7 @@
 .packet:
   extends: .testcases
   variables:
+    ANSIBLE_TIMEOUT: "120"
     CI_PLATFORM: packet
     SSH_USER: kubespray
   tags:
@@ -22,25 +23,52 @@
   allow_failure: true
   extends: .packet
 
-packet_ubuntu18-calico-aio:
+# The ubuntu20-calico-aio jobs are meant as early stages to prevent running the full CI if something is horribly broken
-  stage: deploy-part1
-  extends: .packet_pr
-  when: on_success
-
-# Future AIO job
 packet_ubuntu20-calico-aio:
   stage: deploy-part1
   extends: .packet_pr
   when: on_success
+  variables:
+    RESET_CHECK: "true"
+
+# Exericse ansible variants
+packet_ubuntu20-calico-aio-ansible-2_9:
+  stage: deploy-part1
+  extends: .packet_pr
+  when: on_success
+  variables:
+    ANSIBLE_MAJOR_VERSION: "2.9"
+    RESET_CHECK: "true"
+
+packet_ubuntu20-calico-aio-ansible-2_11:
+  stage: deploy-part1
+  extends: .packet_pr
+  when: on_success
+  variables:
+    ANSIBLE_MAJOR_VERSION: "2.11"
+    RESET_CHECK: "true"
 
 # ### PR JOBS PART2
 
-packet_centos7-flannel-containerd-addons-ha:
+packet_ubuntu18-aio-docker:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_ubuntu20-aio-docker:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_ubuntu18-calico-aio:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_centos7-flannel-addons-ha:
   extends: .packet_pr
   stage: deploy-part2
   when: on_success
-  variables:
-    MITOGEN_ENABLE: "true"
 
 packet_centos8-crio:
   extends: .packet_pr
@@ -51,10 +79,13 @@ packet_ubuntu18-crio:
   extends: .packet_pr
   stage: deploy-part2
   when: manual
-  variables:
-    MITOGEN_ENABLE: "true"
 
-packet_ubuntu16-canal-kubeadm-ha:
+packet_fedora35-crio:
+  extends: .packet_pr
+  stage: deploy-part2
+  when: manual
+
+packet_ubuntu16-canal-ha:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
@@ -84,12 +115,25 @@ packet_debian10-cilium-svc-proxy:
   extends: .packet_periodic
   when: on_success
 
-packet_debian10-containerd:
+packet_debian10-calico:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_debian10-docker:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_debian11-calico:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_debian11-docker:
   stage: deploy-part2
   extends: .packet_pr
   when: on_success
-  variables:
-    MITOGEN_ENABLE: "true"
 
 packet_centos7-calico-ha-once-localhost:
   stage: deploy-part2
@@ -111,7 +155,17 @@ packet_centos8-calico:
   extends: .packet_pr
   when: on_success
 
-packet_fedora32-weave:
+packet_centos8-docker:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_fedora34-docker-weave:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_fedora35-kube-router:
   stage: deploy-part2
   extends: .packet_pr
   when: on_success
@@ -121,14 +175,14 @@ packet_opensuse-canal:
   extends: .packet_periodic
   when: on_success
 
-packet_ubuntu18-ovn4nfv:
+packet_opensuse-docker-cilium:
   stage: deploy-part2
-  extends: .packet_periodic
+  extends: .packet_pr
-  when: on_success
+  when: manual
 
 # ### MANUAL JOBS
 
-packet_ubuntu16-weave-sep:
+packet_ubuntu16-docker-weave-sep:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
@@ -138,12 +192,18 @@ packet_ubuntu18-cilium-sep:
   extends: .packet_pr
   when: manual
 
-packet_ubuntu18-flannel-containerd-ha:
+packet_ubuntu18-flannel-ha:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
 
-packet_ubuntu18-flannel-containerd-ha-once:
+packet_ubuntu18-flannel-ha-once:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+
+# Calico HA eBPF
+packet_centos8-calico-ha-ebpf:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
@@ -173,19 +233,34 @@ packet_oracle7-canal-ha:
   extends: .packet_pr
   when: manual
 
-packet_fedora33-calico:
+packet_fedora35-docker-calico:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
   variables:
-    MITOGEN_ENABLE: "true"
+    RESET_CHECK: "true"
+
+packet_fedora34-calico-selinux:
+  stage: deploy-part2
+  extends: .packet_periodic
+  when: on_success
+
+packet_fedora35-calico-swap-selinux:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
 
 packet_amazon-linux-2-aio:
   stage: deploy-part2
   extends: .packet_pr
   when: manual
 
-packet_fedora32-kube-ovn-containerd:
+packet_centos8-calico-nodelocaldns-secondary:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+
+packet_fedora34-kube-ovn:
   stage: deploy-part2
   extends: .packet_periodic
   when: on_success
@@ -193,29 +268,32 @@ packet_fedora32-kube-ovn-containerd:
 # ### PR JOBS PART3
 # Long jobs (45min+)
 
-packet_centos7-weave-upgrade-ha:
+packet_centos7-docker-weave-upgrade-ha:
   stage: deploy-part3
   extends: .packet_periodic
   when: on_success
   variables:
     UPGRADE_TEST: basic
-    MITOGEN_ENABLE: "false"
 
-packet_debian9-calico-upgrade:
+# Calico HA Wireguard
+packet_ubuntu20-calico-ha-wireguard:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+
+packet_debian10-calico-upgrade:
   stage: deploy-part3
   extends: .packet_pr
   when: on_success
   variables:
     UPGRADE_TEST: graceful
-    MITOGEN_ENABLE: "false"
 
-packet_debian9-calico-upgrade-once:
+packet_debian10-calico-upgrade-once:
   stage: deploy-part3
   extends: .packet_periodic
   when: on_success
   variables:
     UPGRADE_TEST: graceful
-    MITOGEN_ENABLE: "false"
 
 packet_ubuntu18-calico-ha-recover:
   stage: deploy-part3
@@ -223,7 +301,7 @@ packet_ubuntu18-calico-ha-recover:
   when: on_success
   variables:
     RECOVER_CONTROL_PLANE_TEST: "true"
-    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube-master[1:]"
+    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube_control_plane[1:]"
 
 packet_ubuntu18-calico-ha-recover-noquorum:
   stage: deploy-part3
@@ -231,4 +309,4 @@ packet_ubuntu18-calico-ha-recover-noquorum:
   when: on_success
   variables:
     RECOVER_CONTROL_PLANE_TEST: "true"
-    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[1:],kube-master[1:]"
+    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[1:],kube_control_plane[1:]"

.gitlab-ci/terraform.yml

@@ -12,13 +12,13 @@
     # Prepare inventory
     - cp contrib/terraform/$PROVIDER/sample-inventory/cluster.tfvars .
     - ln -s contrib/terraform/$PROVIDER/hosts
-    - terraform init contrib/terraform/$PROVIDER
+    - terraform -chdir="contrib/terraform/$PROVIDER" init
     # Copy SSH keypair
     - mkdir -p ~/.ssh
     - echo "$PACKET_PRIVATE_KEY" | base64 -d > ~/.ssh/id_rsa
     - chmod 400 ~/.ssh/id_rsa
     - echo "$PACKET_PUBLIC_KEY" | base64 -d > ~/.ssh/id_rsa.pub
-    - mkdir -p group_vars
+    - mkdir -p contrib/terraform/$PROVIDER/group_vars
     # Random subnet to avoid routing conflicts
     - export TF_VAR_subnet_cidr="10.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).0/24"
 
@@ -28,8 +28,8 @@
   tags: [light]
   only: ['master', /^pr-.*$/]
   script:
-    - terraform validate -var-file=cluster.tfvars contrib/terraform/$PROVIDER
+    - terraform -chdir="contrib/terraform/$PROVIDER" validate
-    - terraform fmt -check -diff contrib/terraform/$PROVIDER
+    - terraform -chdir="contrib/terraform/$PROVIDER" fmt -check -diff
 
 .terraform_apply:
   extends: .terraform_install
@@ -56,70 +56,48 @@
 tf-validate-openstack:
   extends: .terraform_validate
   variables:
-    TF_VERSION: 0.12.29
+    TF_VERSION: $TERRAFORM_VERSION
     PROVIDER: openstack
     CLUSTER: $CI_COMMIT_REF_NAME
 
 tf-validate-packet:
   extends: .terraform_validate
   variables:
-    TF_VERSION: 0.12.29
+    TF_VERSION: $TERRAFORM_VERSION
     PROVIDER: packet
     CLUSTER: $CI_COMMIT_REF_NAME
 
 tf-validate-aws:
   extends: .terraform_validate
   variables:
-    TF_VERSION: 0.12.29
+    TF_VERSION: $TERRAFORM_VERSION
     PROVIDER: aws
     CLUSTER: $CI_COMMIT_REF_NAME
 
-tf-0.13.x-validate-openstack:
+tf-validate-exoscale:
   extends: .terraform_validate
   variables:
-    TF_VERSION: 0.13.5
+    TF_VERSION: $TERRAFORM_VERSION
-    PROVIDER: openstack
+    PROVIDER: exoscale
+
+tf-validate-vsphere:
+  extends: .terraform_validate
+  variables:
+    TF_VERSION: $TERRAFORM_VERSION
+    PROVIDER: vsphere
     CLUSTER: $CI_COMMIT_REF_NAME
 
-tf-0.13.x-validate-packet:
+tf-validate-upcloud:
   extends: .terraform_validate
   variables:
-    TF_VERSION: 0.13.5
+    TF_VERSION: $TERRAFORM_VERSION
-    PROVIDER: packet
+    PROVIDER: upcloud
-    CLUSTER: $CI_COMMIT_REF_NAME
-
-tf-0.13.x-validate-aws:
-  extends: .terraform_validate
-  variables:
-    TF_VERSION: 0.13.5
-    PROVIDER: aws
-    CLUSTER: $CI_COMMIT_REF_NAME
-
-tf-0.14.x-validate-openstack:
-  extends: .terraform_validate
-  variables:
-    TF_VERSION: 0.14.3
-    PROVIDER: openstack
-    CLUSTER: $CI_COMMIT_REF_NAME
-
-tf-0.14.x-validate-packet:
-  extends: .terraform_validate
-  variables:
-    TF_VERSION: 0.14.3
-    PROVIDER: packet
-    CLUSTER: $CI_COMMIT_REF_NAME
-
-tf-0.14.x-validate-aws:
-  extends: .terraform_validate
-  variables:
-    TF_VERSION: 0.14.3
-    PROVIDER: aws
     CLUSTER: $CI_COMMIT_REF_NAME
 
 # tf-packet-ubuntu16-default:
 #   extends: .terraform_apply
 #   variables:
-#     TF_VERSION: 0.12.29
+#     TF_VERSION: $TERRAFORM_VERSION
 #     PROVIDER: packet
 #     CLUSTER: $CI_COMMIT_REF_NAME
 #     TF_VAR_number_of_k8s_masters: "1"
@@ -133,7 +111,7 @@ tf-0.14.x-validate-aws:
 # tf-packet-ubuntu18-default:
 #   extends: .terraform_apply
 #   variables:
-#     TF_VERSION: 0.12.29
+#     TF_VERSION: $TERRAFORM_VERSION
 #     PROVIDER: packet
 #     CLUSTER: $CI_COMMIT_REF_NAME
 #     TF_VAR_number_of_k8s_masters: "1"
@@ -168,10 +146,6 @@ tf-0.14.x-validate-aws:
   OS_INTERFACE: public
   OS_IDENTITY_API_VERSION: "3"
   TF_VAR_router_id: "ab95917c-41fb-4881-b507-3a6dfe9403df"
-  # Since ELASTX is in Stockholm, Mitogen helps with latency
-  MITOGEN_ENABLE: "false"
-  # Mitogen doesn't support interpreter discovery yet
-  ANSIBLE_PYTHON_INTERPRETER: "/usr/bin/python3"
 
 tf-elastx_cleanup:
   stage: unit-tests
@@ -188,9 +162,10 @@ tf-elastx_ubuntu18-calico:
   extends: .terraform_apply
   stage: deploy-part3
   when: on_success
+  allow_failure: true
   variables:
     <<: *elastx_variables
-    TF_VERSION: 0.12.29
+    TF_VERSION: $TERRAFORM_VERSION
     PROVIDER: openstack
     CLUSTER: $CI_COMMIT_REF_NAME
     ANSIBLE_TIMEOUT: "60"
@@ -216,44 +191,45 @@ tf-elastx_ubuntu18-calico:
     TF_VAR_image: ubuntu-18.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
 
+# OVH voucher expired, commenting job until things are sorted  out
 
-tf-ovh_cleanup:
+# tf-ovh_cleanup:
-  stage: unit-tests
+#  stage: unit-tests
-  tags: [light]
+#  tags: [light]
-  image: python
+#  image: python
-  environment: ovh
+#  environment: ovh
-  variables:
+#  variables:
-    <<: *ovh_variables
+#    <<: *ovh_variables
-  before_script:
+#  before_script:
-    - pip install -r scripts/openstack-cleanup/requirements.txt
+#    - pip install -r scripts/openstack-cleanup/requirements.txt
-  script:
+#  script:
-    - ./scripts/openstack-cleanup/main.py
+#    - ./scripts/openstack-cleanup/main.py
 
-tf-ovh_ubuntu18-calico:
+# tf-ovh_ubuntu18-calico:
-  extends: .terraform_apply
+#  extends: .terraform_apply
-  when: on_success
+#  when: on_success
-  environment: ovh
+#  environment: ovh
-  variables:
+#  variables:
-    <<: *ovh_variables
+#    <<: *ovh_variables
-    TF_VERSION: 0.12.29
+#    TF_VERSION: $TERRAFORM_VERSION
-    PROVIDER: openstack
+#    PROVIDER: openstack
-    CLUSTER: $CI_COMMIT_REF_NAME
+#    CLUSTER: $CI_COMMIT_REF_NAME
-    ANSIBLE_TIMEOUT: "60"
+#    ANSIBLE_TIMEOUT: "60"
-    SSH_USER: ubuntu
+#    SSH_USER: ubuntu
-    TF_VAR_number_of_k8s_masters: "0"
+#    TF_VAR_number_of_k8s_masters: "0"
-    TF_VAR_number_of_k8s_masters_no_floating_ip: "1"
+#    TF_VAR_number_of_k8s_masters_no_floating_ip: "1"
-    TF_VAR_number_of_k8s_masters_no_floating_ip_no_etcd: "0"
+#    TF_VAR_number_of_k8s_masters_no_floating_ip_no_etcd: "0"
-    TF_VAR_number_of_etcd: "0"
+#    TF_VAR_number_of_etcd: "0"
-    TF_VAR_number_of_k8s_nodes: "0"
+#    TF_VAR_number_of_k8s_nodes: "0"
-    TF_VAR_number_of_k8s_nodes_no_floating_ip: "1"
+#    TF_VAR_number_of_k8s_nodes_no_floating_ip: "1"
-    TF_VAR_number_of_gfs_nodes_no_floating_ip: "0"
+#    TF_VAR_number_of_gfs_nodes_no_floating_ip: "0"
-    TF_VAR_number_of_bastions: "0"
+#    TF_VAR_number_of_bastions: "0"
-    TF_VAR_number_of_k8s_masters_no_etcd: "0"
+#    TF_VAR_number_of_k8s_masters_no_etcd: "0"
-    TF_VAR_use_neutron: "0"
+#    TF_VAR_use_neutron: "0"
-    TF_VAR_floatingip_pool: "Ext-Net"
+#    TF_VAR_floatingip_pool: "Ext-Net"
-    TF_VAR_external_net: "6011fbc9-4cbf-46a4-8452-6890a340b60b"
+#    TF_VAR_external_net: "6011fbc9-4cbf-46a4-8452-6890a340b60b"
-    TF_VAR_network_name: "Ext-Net"
+#    TF_VAR_network_name: "Ext-Net"
-    TF_VAR_flavor_k8s_master: "defa64c3-bd46-43b4-858a-d93bbae0a229"    # s1-8
+#    TF_VAR_flavor_k8s_master: "defa64c3-bd46-43b4-858a-d93bbae0a229"    # s1-8
-    TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229"      # s1-8
+#    TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229"      # s1-8
-    TF_VAR_image: "Ubuntu 18.04"
+#    TF_VAR_image: "Ubuntu 18.04"
-    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
+#    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

.gitlab-ci/vagrant.yml

@@ -11,10 +11,17 @@ molecule_tests:
     - tests/scripts/rebase.sh
     - apt-get update && apt-get install -y python3-pip
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+    - python -m pip uninstall -y ansible
     - python -m pip install -r tests/requirements.txt
     - ./tests/scripts/vagrant_clean.sh
   script:
     - ./tests/scripts/molecule_run.sh
+  after_script:
+    - chronic ./tests/scripts/molecule_logs.sh
+  artifacts:
+    when: always
+    paths:
+      - molecule_logs/
 
 .vagrant:
   extends: .testcases
@@ -31,12 +38,19 @@ molecule_tests:
   before_script:
     - apt-get update && apt-get install -y python3-pip
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+    - python -m pip uninstall -y ansible
     - python -m pip install -r tests/requirements.txt
     - ./tests/scripts/vagrant_clean.sh
   script:
     - ./tests/scripts/testcases_run.sh
   after_script:
     - chronic ./tests/scripts/testcases_cleanup.sh
+  allow_failure: true
+
+vagrant_ubuntu18-calico-dual-stack:
+  stage: deploy-part2
+  extends: .vagrant
+  when: on_success
 
 vagrant_ubuntu18-flannel:
   stage: deploy-part2

CONTRIBUTING.md

@@ -6,11 +6,17 @@
 
 It is recommended to use filter to manage the GitHub email notification, see [examples for setting filters to Kubernetes Github notifications](https://github.com/kubernetes/community/blob/master/communication/best-practices.md#examples-for-setting-filters-to-kubernetes-github-notifications)
 
-To install development dependencies you can use `pip install -r tests/requirements.txt`
+To install development dependencies you can set up a python virtual env with the necessary dependencies:
+
+```ShellSession
+virtualenv venv
+source venv/bin/activate
+pip install -r tests/requirements.txt
+```
 
 #### Linting
 
-Kubespray uses `yamllint` and `ansible-lint`. To run them locally use `yamllint .` and `ansible-lint`
+Kubespray uses `yamllint` and `ansible-lint`. To run them locally use `yamllint .` and `ansible-lint`. It is a good idea to add call these tools as part of your pre-commit hook and avoid a lot of back end forth on fixing linting issues (<https://support.gitkraken.com/working-with-repositories/githooksexample/>).
 
 #### Molecule
 
@@ -29,3 +35,5 @@ Vagrant with VirtualBox or libvirt driver helps you to quickly spin test cluster
 3. Fork the desired repo, develop and test your code changes.
 4. Sign the CNCF CLA (<https://git.k8s.io/community/CLA.md#the-contributor-license-agreement>)
 5. Submit a pull request.
+6. Work with the reviewers on their suggestions.
+7. Ensure to rebase to the HEAD of your target branch and squash un-necessary commits (<https://blog.carbonfive.com/always-squash-and-rebase-your-git-commits/>) before final merger of your contribution.

Dockerfile

@@ -1,25 +1,33 @@
 # Use imutable image tags rather than mutable tags (like ubuntu:18.04)
 FROM ubuntu:bionic-20200807
 
-ENV KUBE_VERSION=v1.19.9
+RUN apt update -y \
-
+    && apt install -y \
-RUN mkdir /kubespray
-WORKDIR /kubespray
-RUN apt update -y && \
-    apt install -y \
     libssl-dev python3-dev sshpass apt-transport-https jq moreutils \
-    ca-certificates curl gnupg2 software-properties-common python3-pip rsync
+    ca-certificates curl gnupg2 software-properties-common python3-pip unzip rsync git \
-RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
+    && rm -rf /var/lib/apt/lists/*
-    add-apt-repository \
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
+    && add-apt-repository \
     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
     $(lsb_release -cs) \
     stable" \
-    && apt update -y && apt-get install docker-ce -y
+    && apt update -y && apt-get install --no-install-recommends -y docker-ce \
-COPY . .
+    && rm -rf /var/lib/apt/lists/*
-RUN /usr/bin/python3 -m pip install pip -U && /usr/bin/python3 -m pip install -r tests/requirements.txt && python3 -m pip install -r requirements.txt && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
-
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl \
-    && chmod a+x kubectl && cp kubectl /usr/local/bin/kubectl
 
 # Some tools like yamllint need this
+# Pip needs this as well at the moment to install ansible
+# (and potentially other packages)
+# See: https://github.com/pypa/pip/issues/10219
 ENV LANG=C.UTF-8
+
+WORKDIR /kubespray
+COPY . .
+RUN /usr/bin/python3 -m pip install --no-cache-dir pip -U \
+    && /usr/bin/python3 -m pip install --no-cache-dir -r tests/requirements.txt \
+    && python3 -m pip install --no-cache-dir -r requirements.txt \
+    && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
+
+RUN KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
+    && curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl \
+    && chmod a+x kubectl \
+    && mv kubectl /usr/local/bin/kubectl

Makefile

@@ -1,5 +1,7 @@
 mitogen:
-	ansible-playbook -c local mitogen.yml -vv
+	@echo Mitogen support is deprecated.
+	@echo Please run the following command manually:
+	@echo   ansible-playbook -c local mitogen.yml -vv
 clean:
 	rm -rf dist/
 	rm *.retry

OWNERS_ALIASES

@@ -7,11 +7,14 @@ aliases:
     - woopstar
     - luckysb
     - floryut
+    - oomichi
   kubespray-reviewers:
     - holmsten
     - bozzo
     - eppo
     - oomichi
+    - jayonlau
+    - cristicalin
   kubespray-emeritus_approvers:
     - riverzhang
     - atoms

README.md

@@ -5,7 +5,7 @@
 If you have questions, check the documentation at [kubespray.io](https://kubespray.io) and join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.
 You can get your invite [here](http://slack.k8s.io/)
 
-- Can be deployed on **[AWS](docs/aws.md), GCE, [Azure](docs/azure.md), [OpenStack](docs/openstack.md), [vSphere](docs/vsphere.md), [Packet](docs/packet.md) (bare metal), Oracle Cloud Infrastructure (Experimental), or Baremetal**
+- Can be deployed on **[AWS](docs/aws.md), GCE, [Azure](docs/azure.md), [OpenStack](docs/openstack.md), [vSphere](docs/vsphere.md), [Equinix Metal](docs/equinix-metal.md) (bare metal), Oracle Cloud Infrastructure (Experimental), or Baremetal**
 - **Highly available** cluster
 - **Composable** (Choice of the network plugin for instance)
 - Supports most popular **Linux distributions**
@@ -32,7 +32,7 @@ CONFIG_FILE=inventory/mycluster/hosts.yaml python3 contrib/inventory_builder/inv
 
 # Review and change parameters under ``inventory/mycluster/group_vars``
 cat inventory/mycluster/group_vars/all/all.yml
-cat inventory/mycluster/group_vars/k8s-cluster/k8s-cluster.yml
+cat inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
 
 # Deploy Kubespray with Ansible Playbook - run the playbook as root
 # The option `--become` is required, as for example writing SSL keys in /etc/,
@@ -48,11 +48,23 @@ As a consequence, `ansible-playbook` command will fail with:
 ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.
 ```
 
-probably pointing on a task depending on a module present in requirements.txt (i.e. "unseal vault").
+probably pointing on a task depending on a module present in requirements.txt.
 
 One way of solving this would be to uninstall the Ansible package and then, to install it via pip but it is not always possible.
 A workaround consists of setting `ANSIBLE_LIBRARY` and `ANSIBLE_MODULE_UTILS` environment variables respectively to the `ansible/modules` and `ansible/module_utils` subdirectories of pip packages installation location, which can be found in the Location field of the output of `pip show [package]` before executing `ansible-playbook`.
 
+A simple way to ensure you get all the correct version of Ansible is to use the [pre-built docker image from Quay](https://quay.io/repository/kubespray/kubespray?tab=tags).
+You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mounts/) to get the inventory and ssh key into the container, like this:
+
+```ShellSession
+docker pull quay.io/kubespray/kubespray:v2.17.1
+docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
+  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
+  quay.io/kubespray/kubespray:v2.17.1 bash
+# Inside the container you may now run the kubespray playbooks:
+ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
+```
+
 ### Vagrant
 
 For Vagrant we need to install python dependencies for provisioning tasks.
@@ -93,7 +105,7 @@ vagrant up
 - [AWS](docs/aws.md)
 - [Azure](docs/azure.md)
 - [vSphere](docs/vsphere.md)
-- [Packet Host](docs/packet.md)
+- [Equinix Metal](docs/equinix-metal.md)
 - [Large deployments](docs/large-deployments.md)
 - [Adding/replacing a node](docs/nodes.md)
 - [Upgrades basics](docs/upgrades.md)
@@ -103,51 +115,56 @@ vagrant up
 ## Supported Linux Distributions
 
 - **Flatcar Container Linux by Kinvolk**
-- **Debian** Buster, Jessie, Stretch, Wheezy
+- **Debian** Bullseye, Buster, Jessie, Stretch
 - **Ubuntu** 16.04, 18.04, 20.04
-- **CentOS/RHEL** 7, 8 (experimental: see [centos 8 notes](docs/centos8.md))
+- **CentOS/RHEL** 7, [8](docs/centos8.md)
-- **Fedora** 32, 33
+- **Fedora** 34, 35
-- **Fedora CoreOS** (experimental: see [fcos Note](docs/fcos.md))
+- **Fedora CoreOS** (see [fcos Note](docs/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
-- **Oracle Linux** 7, 8 (experimental: [centos 8 notes](docs/centos8.md) apply)
+- **Oracle Linux** 7, [8](docs/centos8.md)
+- **Alma Linux** [8](docs/centos8.md)
+- **Rocky Linux** [8](docs/centos8.md)
+- **Amazon Linux 2** (experimental: see [amazon linux notes](docs/amazonlinux.md))
 
 Note: Upstart/SysV init based OS types are not supported.
 
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.19.9
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.22.5
-  - [etcd](https://github.com/coreos/etcd) v3.4.13
+  - [etcd](https://github.com/coreos/etcd) v3.5.0
-  - [docker](https://www.docker.com/) v19.03 (see note)
+  - [docker](https://www.docker.com/) v20.10 (see note)
-  - [containerd](https://containerd.io/) v1.3.9
+  - [containerd](https://containerd.io/) v1.5.8
-  - [cri-o](http://cri-o.io/) v1.19 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) v1.22 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) v0.9.0
+  - [cni-plugins](https://github.com/containernetworking/plugins) v1.0.1
-  - [calico](https://github.com/projectcalico/calico) v3.16.9
+  - [calico](https://github.com/projectcalico/calico) v3.20.3
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.8.8
+  - [cilium](https://github.com/cilium/cilium) v1.9.11
-  - [flanneld](https://github.com/coreos/flannel) v0.13.0
+  - [flanneld](https://github.com/flannel-io/flannel) v0.15.1
-  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.6.1
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.8.1
-  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.1.1
+  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.3.2
-  - [multus](https://github.com/intel/multus-cni) v3.7.0
+  - [multus](https://github.com/intel/multus-cni) v3.8
-  - [ovn4nfv](https://github.com/opnfv/ovn4nfv-k8s-plugin) v1.1.0
+  - [weave](https://github.com/weaveworks/weave) v2.8.1
-  - [weave](https://github.com/weaveworks/weave) v2.7.0
 - Application
-  - [ambassador](https://github.com/datawire/ambassador): v1.5
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v0.16.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
-  - [coredns](https://github.com/coredns/coredns) v1.7.0
+  - [coredns](https://github.com/coredns/coredns) v1.8.0
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.41.2
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.4
 
-Note: The list of available docker version is 18.09, 19.03 and 20.10. The recommended docker version is 19.03. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
+## Container Runtime Notes
+
+- The list of available docker version is 18.09, 19.03 and 20.10. The recommended docker version is 20.10. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
+- The cri-o version should be aligned with the respective kubernetes version (i.e. kube_version=1.20.x, crio_version=1.20)
 
 ## Requirements
 
-- **Minimum required version of Kubernetes is v1.18**
+- **Minimum required version of Kubernetes is v1.20**
-- **Ansible v2.9.x, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands, Ansible 2.10.x is not supported for now**
+- **Ansible v2.9.x, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands, Ansible 2.10.x is experimentally supported for now**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.
+- If using IPv6 for pods and services, the target servers are configured to allow **IPv6 forwarding**.
 - The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
     in order to avoid any issue during deployment you should disable your firewall.
 - If kubespray is ran from non-root user account, correct privilege escalation method
@@ -177,8 +194,6 @@ You can choose between 10 network plugins. (default: `calico`, except Vagrant us
 
 - [cilium](http://docs.cilium.io/en/latest/): layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.
 
-- [ovn4nfv](docs/ovn4nfv.md): [ovn4nfv-k8s-plugins](https://github.com/opnfv/ovn4nfv-k8s-plugin) is the network controller, OVS agent and CNI server to offer basic SFC and OVN overlay networking.
-
 - [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
     (Please refer to `weave` [troubleshooting documentation](https://www.weave.works/docs/net/latest/troubleshooting/)).
 
@@ -199,10 +214,10 @@ See also [Network checker](docs/netcheck.md).
 
 ## Ingress Plugins
 
-- [ambassador](docs/ambassador.md): the Ambassador Ingress Controller and API gateway.
-
 - [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
 
+- [metallb](docs/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
+
 ## Community docs and resources
 
 - [kubernetes.io/docs/setup/production-environment/tools/kubespray/](https://kubernetes.io/docs/setup/production-environment/tools/kubespray/)
@@ -219,6 +234,6 @@ See also [Network checker](docs/netcheck.md).
 
 [![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/pipeline.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/pipelines)
 
-CI/end-to-end tests sponsored by: [CNCF](https://cncf.io), [Packet](https://www.packet.com/), [OVHcloud](https://www.ovhcloud.com/), [ELASTX](https://elastx.se/).
+CI/end-to-end tests sponsored by: [CNCF](https://cncf.io), [Equinix Metal](https://metal.equinix.com/), [OVHcloud](https://www.ovhcloud.com/), [ELASTX](https://elastx.se/).
 
 See the [test matrix](docs/test_cases.md) for details.

Vagrantfile

@@ -26,8 +26,8 @@ SUPPORTED_OS = {
   "centos-bento"        => {box: "bento/centos-7.6",           user: "vagrant"},
   "centos8"             => {box: "centos/8",                   user: "vagrant"},
   "centos8-bento"       => {box: "bento/centos-8",             user: "vagrant"},
-  "fedora32"            => {box: "fedora/32-cloud-base",       user: "vagrant"},
+  "fedora34"            => {box: "fedora/34-cloud-base",       user: "vagrant"},
-  "fedora33"            => {box: "fedora/33-cloud-base",       user: "vagrant"},
+  "fedora35"            => {box: "fedora/35-cloud-base",       user: "vagrant"},
   "opensuse"            => {box: "bento/opensuse-leap-15.2",   user: "vagrant"},
   "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
   "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
@@ -49,12 +49,13 @@ $vm_cpus ||= 2
 $shared_folders ||= {}
 $forwarded_ports ||= {}
 $subnet ||= "172.18.8"
+$subnet_ipv6 ||= "fd3c:b398:0698:0756"
 $os ||= "ubuntu1804"
 $network_plugin ||= "flannel"
 # Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
 $multi_networking ||= false
 $download_run_once ||= "True"
-$download_force_cache ||= "True"
+$download_force_cache ||= "False"
 # The first three nodes are etcd servers
 $etcd_instances ||= $num_instances
 # The first two nodes are kube masters
@@ -85,9 +86,9 @@ $inventory = File.absolute_path($inventory, File.dirname(__FILE__))
 if ! File.exist?(File.join(File.dirname($inventory), "hosts.ini"))
   $vagrant_ansible = File.join(File.dirname(__FILE__), ".vagrant", "provisioners", "ansible")
   FileUtils.mkdir_p($vagrant_ansible) if ! File.exist?($vagrant_ansible)
-  if ! File.exist?(File.join($vagrant_ansible,"inventory"))
+  $vagrant_inventory = File.join($vagrant_ansible,"inventory")
-    FileUtils.ln_s($inventory, File.join($vagrant_ansible,"inventory"))
+  FileUtils.rm_f($vagrant_inventory)
-  end
+  FileUtils.ln_s($inventory, $vagrant_inventory)
 end
 
 if Vagrant.has_plugin?("vagrant-proxyconf")
@@ -194,11 +195,22 @@ Vagrant.configure("2") do |config|
       end
 
       ip = "#{$subnet}.#{i+100}"
-      node.vm.network :private_network, ip: ip
+      node.vm.network :private_network, ip: ip,
+        :libvirt__guest_ipv6 => 'yes',
+        :libvirt__ipv6_address => "#{$subnet_ipv6}::#{i+100}",
+        :libvirt__ipv6_prefix => "64",
+        :libvirt__forward_mode => "none",
+        :libvirt__dhcp_enabled => false
 
       # Disable swap for each vm
       node.vm.provision "shell", inline: "swapoff -a"
 
+      # ubuntu1804 and ubuntu2004 have IPv6 explicitly disabled. This undoes that.
+      if ["ubuntu1804", "ubuntu2004"].include? $os
+        node.vm.provision "shell", inline: "rm -f /etc/modprobe.d/local.conf"
+        node.vm.provision "shell", inline: "sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.d/99-sysctl.conf /etc/sysctl.conf"
+      end
+
       # Disable firewalld on oraclelinux/redhat vms
       if ["oraclelinux","oraclelinux8","rhel7","rhel8"].include? $os
         node.vm.provision "shell", inline: "systemctl stop firewalld; systemctl disable firewalld"
@@ -241,9 +253,9 @@ Vagrant.configure("2") do |config|
           #ansible.tags = ['download']
           ansible.groups = {
             "etcd" => ["#{$instance_name_prefix}-[1:#{$etcd_instances}]"],
-            "kube-master" => ["#{$instance_name_prefix}-[1:#{$kube_master_instances}]"],
+            "kube_control_plane" => ["#{$instance_name_prefix}-[1:#{$kube_master_instances}]"],
-            "kube-node" => ["#{$instance_name_prefix}-[1:#{$kube_node_instances}]"],
+            "kube_node" => ["#{$instance_name_prefix}-[1:#{$kube_node_instances}]"],
-            "k8s-cluster:children" => ["kube-master", "kube-node"],
+            "k8s_cluster:children" => ["kube_control_plane", "kube_node"],
           }
         end
       end

ansible.cfg

@@ -3,7 +3,6 @@ pipelining=True
 ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
 #control_path = ~/.ssh/ansible-%%r@%%h:%%p
 [defaults]
-strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
 # https://github.com/ansible/ansible/issues/56930 (to ignore group names with - and .)
 force_valid_group_names = ignore
 

ansible_version.yml

@@ -4,8 +4,10 @@
   become: no
   vars:
     minimal_ansible_version: 2.9.0
-    maximal_ansible_version: 2.10.0
+    minimal_ansible_version_2_10: 2.10.11
+    maximal_ansible_version: 2.12.0
     ansible_connection: local
+  tags: always
   tasks:
     - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
       assert:
@@ -15,3 +17,29 @@
           - ansible_version.string is version(maximal_ansible_version, "<")
       tags:
         - check
+
+    - name: "Check Ansible version > {{ minimal_ansible_version_2_10 }} when using ansible 2.10"
+      assert:
+        msg: "When using Ansible 2.10, the minimum supported version is {{ minimal_ansible_version_2_10 }}"
+        that:
+          - ansible_version.string is version(minimal_ansible_version_2_10, ">=")
+          - ansible_version.string is version(maximal_ansible_version, "<")
+      when:
+        - ansible_version.string is version('2.10.0', ">=")
+      tags:
+        - check
+
+    - name: "Check that python netaddr is installed"
+      assert:
+        msg: "Python netaddr is not present"
+        that: "'127.0.0.1' | ipaddr"
+      tags:
+        - check
+
+    # CentOS 7 provides too old jinja version
+    - name: "Check that jinja is not too old (install via pip)"
+      assert:
+        msg: "Your Jinja version is too old, install via pip"
+        that: "{% set test %}It works{% endset %}{{ test == 'It works' }}"
+      tags:
+        - check

cluster.yml

@@ -2,6 +2,9 @@
 - name: Check ansible version
   import_playbook: ansible_version.yml
 
+- name: Ensure compatibility with old groups
+  import_playbook: legacy_groups.yml
+
 - hosts: bastion[0]
   gather_facts: False
   environment: "{{ proxy_disable_env }}"
@@ -9,7 +12,7 @@
     - { role: kubespray-defaults }
     - { role: bastion-ssh-config, tags: ["localhost", "bastion"] }
 
-- hosts: k8s-cluster:etcd
+- hosts: k8s_cluster:etcd
   strategy: linear
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   gather_facts: false
@@ -22,14 +25,14 @@
   tags: always
   import_playbook: facts.yml
 
-- hosts: k8s-cluster:etcd
+- hosts: k8s_cluster:etcd
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray-defaults }
     - { role: kubernetes/preinstall, tags: preinstall }
-    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine|default(true) }
+    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine }
     - { role: download, tags: download, when: "not skip_downloads" }
 
 - hosts: etcd
@@ -45,7 +48,7 @@
         etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
       when: not etcd_kubeadm_enabled| default(false)
 
-- hosts: k8s-cluster
+- hosts: k8s_cluster
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
@@ -58,7 +61,7 @@
         etcd_events_cluster_setup: false
       when: not etcd_kubeadm_enabled| default(false)
 
-- hosts: k8s-cluster
+- hosts: k8s_cluster
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
@@ -66,27 +69,27 @@
     - { role: kubespray-defaults }
     - { role: kubernetes/node, tags: node }
 
-- hosts: kube-master
+- hosts: kube_control_plane
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray-defaults }
-    - { role: kubernetes/master, tags: master }
+    - { role: kubernetes/control-plane, tags: master }
     - { role: kubernetes/client, tags: client }
     - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }
 
-- hosts: k8s-cluster
+- hosts: k8s_cluster
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray-defaults }
     - { role: kubernetes/kubeadm, tags: kubeadm}
-    - { role: network_plugin, tags: network }
     - { role: kubernetes/node-label, tags: node-label }
+    - { role: network_plugin, tags: network }
 
-- hosts: calico-rr
+- hosts: calico_rr
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
@@ -94,7 +97,7 @@
     - { role: kubespray-defaults }
     - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr'] }
 
-- hosts: kube-master[0]
+- hosts: kube_control_plane[0]
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
@@ -102,7 +105,7 @@
     - { role: kubespray-defaults }
     - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 
-- hosts: kube-master
+- hosts: kube_control_plane
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
@@ -113,16 +116,9 @@
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
     - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
     - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }
-
-- hosts: kube-master
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
     - { role: kubernetes-apps, tags: apps }
 
-- hosts: k8s-cluster
+- hosts: k8s_cluster
   gather_facts: False
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"

contrib/aws_inventory/kubespray-aws-inventory.py

@@ -35,7 +35,7 @@ class SearchEC2Tags(object):
     hosts['_meta'] = { 'hostvars': {} }
 
     ##Search ec2 three times to find nodes of each group type. Relies on kubespray-role key/value.
-    for group in ["kube-master", "kube-node", "etcd"]:
+    for group in ["kube_control_plane", "kube_node", "etcd"]:
       hosts[group] = []
       tag_key = "kubespray-role"
       tag_value = ["*"+group+"*"]
@@ -69,8 +69,8 @@ class SearchEC2Tags(object):
 
         hosts[group].append(dns_name)
         hosts['_meta']['hostvars'][dns_name] = ansible_host
-        
+
-    hosts['k8s-cluster'] = {'children':['kube-master', 'kube-node']}
+    hosts['k8s_cluster'] = {'children':['kube_control_plane', 'kube_node']}
     print(json.dumps(hosts, sort_keys=True, indent=2))
 
 SearchEC2Tags()

contrib/azurerm/roles/generate-inventory/tasks/main.yml

@@ -12,3 +12,4 @@
   template:
     src: inventory.j2
     dest: "{{ playbook_dir }}/inventory"
+    mode: 0644

contrib/azurerm/roles/generate-inventory/templates/inventory.j2

@@ -7,9 +7,9 @@
 {% endif %}
 {% endfor %}
 
-[kube-master]
+[kube_control_plane]
 {% for vm in vm_list %}
-{% if 'kube-master' in vm.tags.roles %}
+{% if 'kube_control_plane' in vm.tags.roles %}
 {{ vm.name }}
 {% endif %}
 {% endfor %}
@@ -21,13 +21,13 @@
 {% endif %}
 {% endfor %}
 
-[kube-node]
+[kube_node]
 {% for vm in vm_list %}
-{% if 'kube-node' in vm.tags.roles %}
+{% if 'kube_node' in vm.tags.roles %}
 {{ vm.name }}
 {% endif %}
 {% endfor %}
 
-[k8s-cluster:children]
+[k8s_cluster:children]
-kube-node
+kube_node
-kube-master
+kube_control_plane

contrib/azurerm/roles/generate-inventory_2/tasks/main.yml

@@ -22,8 +22,10 @@
   template:
     src: inventory.j2
     dest: "{{ playbook_dir }}/inventory"
+    mode: 0644
 
 - name: Generate Load Balancer variables
   template:
     src: loadbalancer_vars.j2
     dest: "{{ playbook_dir }}/loadbalancer_vars.yml"
+    mode: 0644

contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2

@@ -7,9 +7,9 @@
 {% endif %}
 {% endfor %}
 
-[kube-master]
+[kube_control_plane]
 {% for vm in vm_roles_list %}
-{% if 'kube-master' in vm.tags.roles %}
+{% if 'kube_control_plane' in vm.tags.roles %}
 {{ vm.name }}
 {% endif %}
 {% endfor %}
@@ -21,14 +21,14 @@
 {% endif %}
 {% endfor %}
 
-[kube-node]
+[kube_node]
 {% for vm in vm_roles_list %}
-{% if 'kube-node' in vm.tags.roles %}
+{% if 'kube_node' in vm.tags.roles %}
 {{ vm.name }}
 {% endif %}
 {% endfor %}
 
-[k8s-cluster:children]
+[k8s_cluster:children]
-kube-node
+kube_node
-kube-master
+kube_control_plane
 

contrib/azurerm/roles/generate-templates/tasks/main.yml

@@ -8,11 +8,13 @@
     path: "{{ base_dir }}"
     state: directory
     recurse: true
+    mode: 0755
 
 - name: Store json files in base_dir
   template:
     src: "{{ item }}"
     dest: "{{ base_dir }}/{{ item }}"
+    mode: 0644
   with_items:
     - network.json
     - storage.json

contrib/azurerm/roles/generate-templates/templates/masters.json

@@ -144,7 +144,7 @@
         "[concat('Microsoft.Network/networkInterfaces/', 'master-{{i}}-nic')]"
       ],
       "tags": {
-        "roles": "kube-master,etcd"
+        "roles": "kube_control_plane,etcd"
       },
       "apiVersion": "{{apiVersion}}",
       "properties": {

contrib/azurerm/roles/generate-templates/templates/minions.json

@@ -61,7 +61,7 @@
         "[concat('Microsoft.Network/networkInterfaces/', 'minion-{{i}}-nic')]"
       ],
       "tags": {
-        "roles": "kube-node"
+        "roles": "kube_node"
       },
       "apiVersion": "{{apiVersion}}",
       "properties": {
@@ -112,4 +112,4 @@
     } {% if not loop.last %},{% endif %}
     {% endfor %}
   ]
-}
+}

contrib/dind/roles/dind-cluster/tasks/main.yaml

@@ -35,6 +35,7 @@
       path-exclude=/usr/share/doc/*
       path-include=/usr/share/doc/*/copyright
     dest: /etc/dpkg/dpkg.cfg.d/01_nodoc
+    mode: 0644
   when:
     - ansible_os_family == 'Debian'
 
@@ -63,6 +64,7 @@
   copy:
     content: "{{ distro_user }} ALL=(ALL) NOPASSWD:ALL"
     dest: "/etc/sudoers.d/{{ distro_user }}"
+    mode: 0640
 
 - name: Add my pubkey to "{{ distro_user }}" user authorized keys
   authorized_key:

contrib/dind/run-test-distros.sh

@@ -46,7 +46,7 @@ test_distro() {
     pass_or_fail "$prefix: netcheck" || return 1
 }
 
-NODES=($(egrep ^kube-node hosts))
+NODES=($(egrep ^kube_node hosts))
 NETCHECKER_HOST=localhost
 
 : ${OUTPUT_DIR:=./out}

contrib/inventory_builder/inventory.py

@@ -44,11 +44,11 @@ import re
 import subprocess
 import sys
 
-ROLES = ['all', 'kube-master', 'kube-node', 'etcd', 'k8s-cluster',
+ROLES = ['all', 'kube_control_plane', 'kube_node', 'etcd', 'k8s_cluster',
-         'calico-rr']
+         'calico_rr']
 PROTECTED_NAMES = ROLES
 AVAILABLE_COMMANDS = ['help', 'print_cfg', 'print_ips', 'print_hostnames',
-                      'load']
+                      'load', 'add']
 _boolean_states = {'1': True, 'yes': True, 'true': True, 'on': True,
                    '0': False, 'no': False, 'false': False, 'off': False}
 yaml = YAML()
@@ -63,7 +63,9 @@ def get_var_as_bool(name, default):
 
 
 CONFIG_FILE = os.environ.get("CONFIG_FILE", "./inventory/sample/hosts.yaml")
-KUBE_MASTERS = int(os.environ.get("KUBE_MASTERS", 2))
+# Remove the reference of KUBE_MASTERS after some deprecation cycles.
+KUBE_CONTROL_HOSTS = int(os.environ.get("KUBE_CONTROL_HOSTS",
+                         os.environ.get("KUBE_MASTERS", 2)))
 # Reconfigures cluster distribution at scale
 SCALE_THRESHOLD = int(os.environ.get("SCALE_THRESHOLD", 50))
 MASSIVE_SCALE_THRESHOLD = int(os.environ.get("MASSIVE_SCALE_THRESHOLD", 200))
@@ -80,32 +82,46 @@ class KubesprayInventory(object):
     def __init__(self, changed_hosts=None, config_file=None):
         self.config_file = config_file
         self.yaml_config = {}
-        if self.config_file:
+        loadPreviousConfig = False
+        # See whether there are any commands to process
+        if changed_hosts and changed_hosts[0] in AVAILABLE_COMMANDS:
+            if changed_hosts[0] == "add":
+                loadPreviousConfig = True
+                changed_hosts = changed_hosts[1:]
+            else:
+                self.parse_command(changed_hosts[0], changed_hosts[1:])
+                sys.exit(0)
+
+        # If the user wants to remove a node, we need to load the config anyway
+        if changed_hosts and changed_hosts[0][0] == "-":
+            loadPreviousConfig = True
+
+        if self.config_file and loadPreviousConfig:  # Load previous YAML file
             try:
                 self.hosts_file = open(config_file, 'r')
-                self.yaml_config = yaml.load_all(self.hosts_file)
+                self.yaml_config = yaml.load(self.hosts_file)
-            except OSError:
+            except OSError as e:
-                pass
+                # I am assuming we are catching "cannot open file" exceptions
-
+                print(e)
-        if changed_hosts and changed_hosts[0] in AVAILABLE_COMMANDS:
+                sys.exit(1)
-            self.parse_command(changed_hosts[0], changed_hosts[1:])
-            sys.exit(0)
 
         self.ensure_required_groups(ROLES)
 
         if changed_hosts:
             changed_hosts = self.range2ips(changed_hosts)
-            self.hosts = self.build_hostnames(changed_hosts)
+            self.hosts = self.build_hostnames(changed_hosts,
+                                              loadPreviousConfig)
             self.purge_invalid_hosts(self.hosts.keys(), PROTECTED_NAMES)
             self.set_all(self.hosts)
             self.set_k8s_cluster()
             etcd_hosts_count = 3 if len(self.hosts.keys()) >= 3 else 1
             self.set_etcd(list(self.hosts.keys())[:etcd_hosts_count])
             if len(self.hosts) >= SCALE_THRESHOLD:
-                self.set_kube_master(list(self.hosts.keys())[
+                self.set_kube_control_plane(list(self.hosts.keys())[
-                    etcd_hosts_count:(etcd_hosts_count + KUBE_MASTERS)])
+                    etcd_hosts_count:(etcd_hosts_count + KUBE_CONTROL_HOSTS)])
             else:
-                self.set_kube_master(list(self.hosts.keys())[:KUBE_MASTERS])
+                self.set_kube_control_plane(
+                  list(self.hosts.keys())[:KUBE_CONTROL_HOSTS])
             self.set_kube_node(self.hosts.keys())
             if len(self.hosts) >= SCALE_THRESHOLD:
                 self.set_calico_rr(list(self.hosts.keys())[:etcd_hosts_count])
@@ -155,17 +171,29 @@ class KubesprayInventory(object):
         except IndexError:
             raise ValueError("Host name must end in an integer")
 
-    def build_hostnames(self, changed_hosts):
+    # Keeps already specified hosts,
+    # and adds or removes the hosts provided as an argument
+    def build_hostnames(self, changed_hosts, loadPreviousConfig=False):
         existing_hosts = OrderedDict()
         highest_host_id = 0
-        try:
+        # Load already existing hosts from the YAML
-            for host in self.yaml_config['all']['hosts']:
+        if loadPreviousConfig:
-                existing_hosts[host] = self.yaml_config['all']['hosts'][host]
+            try:
-                host_id = self.get_host_id(host)
+                for host in self.yaml_config['all']['hosts']:
-                if host_id > highest_host_id:
+                    # Read configuration of an existing host
-                    highest_host_id = host_id
+                    hostConfig = self.yaml_config['all']['hosts'][host]
-        except Exception:
+                    existing_hosts[host] = hostConfig
-            pass
+                    # If the existing host seems
+                    # to have been created automatically, detect its ID
+                    if host.startswith(HOST_PREFIX):
+                        host_id = self.get_host_id(host)
+                        if host_id > highest_host_id:
+                            highest_host_id = host_id
+            except Exception as e:
+                # I am assuming we are catching automatically
+                # created hosts without IDs
+                print(e)
+                sys.exit(1)
 
         # FIXME(mattymo): Fix condition where delete then add reuses highest id
         next_host_id = highest_host_id + 1
@@ -173,6 +201,7 @@ class KubesprayInventory(object):
 
         all_hosts = existing_hosts.copy()
         for host in changed_hosts:
+            # Delete the host from config the hostname/IP has a "-" prefix
             if host[0] == "-":
                 realhost = host[1:]
                 if self.exists_hostname(all_hosts, realhost):
@@ -181,6 +210,8 @@ class KubesprayInventory(object):
                 elif self.exists_ip(all_hosts, realhost):
                     self.debug("Marked {0} for deletion.".format(realhost))
                     self.delete_host_by_ip(all_hosts, realhost)
+            # Host/Argument starts with a digit,
+            # then we assume its an IP address
             elif host[0].isdigit():
                 if ',' in host:
                     ip, access_ip = host.split(',')
@@ -200,11 +231,15 @@ class KubesprayInventory(object):
                     next_host = subprocess.check_output(cmd, shell=True)
                     next_host = next_host.strip().decode('ascii')
                 else:
+                    # Generates a hostname because we have only an IP address
                     next_host = "{0}{1}".format(HOST_PREFIX, next_host_id)
                     next_host_id += 1
+                # Uses automatically generated node name
+                # in case we dont provide it.
                 all_hosts[next_host] = {'ansible_host': access_ip,
                                         'ip': ip,
                                         'access_ip': access_ip}
+            # Host/Argument starts with a letter, then we assume its a hostname
             elif host[0].isalpha():
                 if ',' in host:
                     try:
@@ -223,6 +258,7 @@ class KubesprayInventory(object):
                                        'access_ip': access_ip}
         return all_hosts
 
+    # Expand IP ranges into individual addresses
     def range2ips(self, hosts):
         reworked_hosts = []
 
@@ -266,7 +302,7 @@ class KubesprayInventory(object):
 
     def purge_invalid_hosts(self, hostnames, protected_names=[]):
         for role in self.yaml_config['all']['children']:
-            if role != 'k8s-cluster' and self.yaml_config['all']['children'][role]['hosts']:  # noqa
+            if role != 'k8s_cluster' and self.yaml_config['all']['children'][role]['hosts']:  # noqa
                 all_hosts = self.yaml_config['all']['children'][role]['hosts'].copy()  # noqa
                 for host in all_hosts.keys():
                     if host not in hostnames and host not in protected_names:
@@ -287,52 +323,54 @@ class KubesprayInventory(object):
             if self.yaml_config['all']['hosts'] is None:
                 self.yaml_config['all']['hosts'] = {host: None}
             self.yaml_config['all']['hosts'][host] = opts
-        elif group != 'k8s-cluster:children':
+        elif group != 'k8s_cluster:children':
             if self.yaml_config['all']['children'][group]['hosts'] is None:
                 self.yaml_config['all']['children'][group]['hosts'] = {
                     host: None}
             else:
                 self.yaml_config['all']['children'][group]['hosts'][host] = None  # noqa
 
-    def set_kube_master(self, hosts):
+    def set_kube_control_plane(self, hosts):
         for host in hosts:
-            self.add_host_to_group('kube-master', host)
+            self.add_host_to_group('kube_control_plane', host)
 
     def set_all(self, hosts):
         for host, opts in hosts.items():
             self.add_host_to_group('all', host, opts)
 
     def set_k8s_cluster(self):
-        k8s_cluster = {'children': {'kube-master': None, 'kube-node': None}}
+        k8s_cluster = {'children': {'kube_control_plane': None,
-        self.yaml_config['all']['children']['k8s-cluster'] = k8s_cluster
+                                    'kube_node': None}}
+        self.yaml_config['all']['children']['k8s_cluster'] = k8s_cluster
 
     def set_calico_rr(self, hosts):
         for host in hosts:
-            if host in self.yaml_config['all']['children']['kube-master']:
+            if host in self.yaml_config['all']['children']['kube_control_plane']: # noqa
-                self.debug("Not adding {0} to calico-rr group because it "
+                self.debug("Not adding {0} to calico_rr group because it "
-                           "conflicts with kube-master group".format(host))
+                           "conflicts with kube_control_plane "
+                           "group".format(host))
                 continue
-            if host in self.yaml_config['all']['children']['kube-node']:
+            if host in self.yaml_config['all']['children']['kube_node']:
-                self.debug("Not adding {0} to calico-rr group because it "
+                self.debug("Not adding {0} to calico_rr group because it "
-                           "conflicts with kube-node group".format(host))
+                           "conflicts with kube_node group".format(host))
                 continue
-            self.add_host_to_group('calico-rr', host)
+            self.add_host_to_group('calico_rr', host)
 
     def set_kube_node(self, hosts):
         for host in hosts:
             if len(self.yaml_config['all']['hosts']) >= SCALE_THRESHOLD:
                 if host in self.yaml_config['all']['children']['etcd']['hosts']:  # noqa
-                    self.debug("Not adding {0} to kube-node group because of "
+                    self.debug("Not adding {0} to kube_node group because of "
                                "scale deployment and host is in etcd "
                                "group.".format(host))
                     continue
             if len(self.yaml_config['all']['hosts']) >= MASSIVE_SCALE_THRESHOLD:  # noqa
-                if host in self.yaml_config['all']['children']['kube-master']['hosts']:  # noqa
+                if host in self.yaml_config['all']['children']['kube_control_plane']['hosts']:  # noqa
-                    self.debug("Not adding {0} to kube-node group because of "
+                    self.debug("Not adding {0} to kube_node group because of "
-                               "scale deployment and host is in kube-master "
+                               "scale deployment and host is in "
-                               "group.".format(host))
+                               "kube_control_plane group.".format(host))
                     continue
-            self.add_host_to_group('kube-node', host)
+            self.add_host_to_group('kube_node', host)
 
     def set_etcd(self, hosts):
         for host in hosts:
@@ -389,9 +427,11 @@ help - Display this message
 print_cfg - Write inventory file to stdout
 print_ips - Write a space-delimited list of IPs from "all" group
 print_hostnames - Write a space-delimited list of Hostnames from "all" group
+add - Adds specified hosts into an already existing inventory
 
 Advanced usage:
-Add another host after initial creation: inventory.py 10.10.1.5
+Create new or overwrite old inventory file: inventory.py 10.10.1.5
+Add another host after initial creation: inventory.py add 10.10.1.6
 Add range of hosts: inventory.py 10.10.1.3-10.10.1.5
 Add hosts with different ip and access ip: inventory.py 10.0.0.1,192.168.10.1 10.0.0.2,192.168.10.2 10.0.0.3,192.168.10.3
 Add hosts with a specific hostname, ip, and optional access ip: first,10.0.0.1,192.168.10.1 second,10.0.0.2 last,10.0.0.3
@@ -402,9 +442,9 @@ Configurable env vars:
 DEBUG                   Enable debug printing. Default: True
 CONFIG_FILE             File to write config to Default: ./inventory/sample/hosts.yaml
 HOST_PREFIX             Host prefix for generated hosts. Default: node
-KUBE_MASTERS            Set the number of kube-masters. Default: 2
+KUBE_CONTROL_HOSTS      Set the number of kube-control-planes. Default: 2
 SCALE_THRESHOLD         Separate ETCD role if # of nodes >= 50
-MASSIVE_SCALE_THRESHOLD Separate K8s master and ETCD if # of nodes >= 200
+MASSIVE_SCALE_THRESHOLD Separate K8s control-plane and ETCD if # of nodes >= 200
 '''  # noqa
         print(help_text)
 
@@ -425,6 +465,7 @@ def main(argv=None):
     if not argv:
         argv = sys.argv[1:]
     KubesprayInventory(argv, CONFIG_FILE)
+    return 0
 
 
 if __name__ == "__main__":

contrib/inventory_builder/tests/test_inventory.py

@@ -13,8 +13,8 @@
 # under the License.
 
 import inventory
-import mock
 import unittest
+from unittest import mock
 
 from collections import OrderedDict
 import sys
@@ -67,23 +67,14 @@ class TestInventory(unittest.TestCase):
             self.assertRaisesRegex(ValueError, "Host name must end in an",
                                    self.inv.get_host_id, hostname)
 
-    def test_build_hostnames_add_one(self):
-        changed_hosts = ['10.90.0.2']
-        expected = OrderedDict([('node1',
-                                 {'ansible_host': '10.90.0.2',
-                                  'ip': '10.90.0.2',
-                                  'access_ip': '10.90.0.2'})])
-        result = self.inv.build_hostnames(changed_hosts)
-        self.assertEqual(expected, result)
-
     def test_build_hostnames_add_duplicate(self):
         changed_hosts = ['10.90.0.2']
-        expected = OrderedDict([('node1',
+        expected = OrderedDict([('node3',
                                  {'ansible_host': '10.90.0.2',
                                   'ip': '10.90.0.2',
                                   'access_ip': '10.90.0.2'})])
         self.inv.yaml_config['all']['hosts'] = expected
-        result = self.inv.build_hostnames(changed_hosts)
+        result = self.inv.build_hostnames(changed_hosts, True)
         self.assertEqual(expected, result)
 
     def test_build_hostnames_add_two(self):
@@ -99,6 +90,30 @@ class TestInventory(unittest.TestCase):
         result = self.inv.build_hostnames(changed_hosts)
         self.assertEqual(expected, result)
 
+    def test_build_hostnames_add_three(self):
+        changed_hosts = ['10.90.0.2', '10.90.0.3', '10.90.0.4']
+        expected = OrderedDict([
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'}),
+            ('node3', {'ansible_host': '10.90.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '10.90.0.4'})])
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_add_one(self):
+        changed_hosts = ['10.90.0.2']
+        expected = OrderedDict([('node1',
+                                 {'ansible_host': '10.90.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '10.90.0.2'})])
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
     def test_build_hostnames_delete_first(self):
         changed_hosts = ['-10.90.0.2']
         existing_hosts = OrderedDict([
@@ -113,7 +128,24 @@ class TestInventory(unittest.TestCase):
             ('node2', {'ansible_host': '10.90.0.3',
                        'ip': '10.90.0.3',
                        'access_ip': '10.90.0.3'})])
-        result = self.inv.build_hostnames(changed_hosts)
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_delete_by_hostname(self):
+        changed_hosts = ['-node1']
+        existing_hosts = OrderedDict([
+            ('node1', {'ansible_host': '10.90.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '10.90.0.2'}),
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
+        self.inv.yaml_config['all']['hosts'] = existing_hosts
+        expected = OrderedDict([
+            ('node2', {'ansible_host': '10.90.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '10.90.0.3'})])
+        result = self.inv.build_hostnames(changed_hosts, True)
         self.assertEqual(expected, result)
 
     def test_exists_hostname_positive(self):
@@ -222,11 +254,11 @@ class TestInventory(unittest.TestCase):
             self.inv.yaml_config['all']['children'][group]['hosts'].get(host),
             None)
 
-    def test_set_kube_master(self):
+    def test_set_kube_control_plane(self):
-        group = 'kube-master'
+        group = 'kube_control_plane'
         host = 'node1'
 
-        self.inv.set_kube_master([host])
+        self.inv.set_kube_control_plane([host])
         self.assertIn(
             host, self.inv.yaml_config['all']['children'][group]['hosts'])
 
@@ -241,8 +273,8 @@ class TestInventory(unittest.TestCase):
                 self.inv.yaml_config['all']['hosts'].get(host), opt)
 
     def test_set_k8s_cluster(self):
-        group = 'k8s-cluster'
+        group = 'k8s_cluster'
-        expected_hosts = ['kube-node', 'kube-master']
+        expected_hosts = ['kube_node', 'kube_control_plane']
 
         self.inv.set_k8s_cluster()
         for host in expected_hosts:
@@ -251,7 +283,7 @@ class TestInventory(unittest.TestCase):
                 self.inv.yaml_config['all']['children'][group]['children'])
 
     def test_set_kube_node(self):
-        group = 'kube-node'
+        group = 'kube_node'
         host = 'node1'
 
         self.inv.set_kube_node([host])
@@ -275,12 +307,12 @@ class TestInventory(unittest.TestCase):
 
         self.inv.set_all(hosts)
         self.inv.set_etcd(list(hosts.keys())[0:3])
-        self.inv.set_kube_master(list(hosts.keys())[0:2])
+        self.inv.set_kube_control_plane(list(hosts.keys())[0:2])
         self.inv.set_kube_node(hosts.keys())
         for h in range(3):
             self.assertFalse(
                 list(hosts.keys())[h] in
-                self.inv.yaml_config['all']['children']['kube-node']['hosts'])
+                self.inv.yaml_config['all']['children']['kube_node']['hosts'])
 
     def test_scale_scenario_two(self):
         num_nodes = 500
@@ -291,12 +323,12 @@ class TestInventory(unittest.TestCase):
 
         self.inv.set_all(hosts)
         self.inv.set_etcd(list(hosts.keys())[0:3])
-        self.inv.set_kube_master(list(hosts.keys())[3:5])
+        self.inv.set_kube_control_plane(list(hosts.keys())[3:5])
         self.inv.set_kube_node(hosts.keys())
         for h in range(5):
             self.assertFalse(
                 list(hosts.keys())[h] in
-                self.inv.yaml_config['all']['children']['kube-node']['hosts'])
+                self.inv.yaml_config['all']['children']['kube_node']['hosts'])
 
     def test_range2ips_range(self):
         changed_hosts = ['10.90.0.2', '10.90.0.4-10.90.0.6', '10.90.0.8']
@@ -313,7 +345,7 @@ class TestInventory(unittest.TestCase):
         self.assertRaisesRegex(Exception, "Range of ip_addresses isn't valid",
                                self.inv.range2ips, host_range)
 
-    def test_build_hostnames_different_ips_add_one(self):
+    def test_build_hostnames_create_with_one_different_ips(self):
         changed_hosts = ['10.90.0.2,192.168.0.2']
         expected = OrderedDict([('node1',
                                  {'ansible_host': '192.168.0.2',
@@ -322,17 +354,7 @@ class TestInventory(unittest.TestCase):
         result = self.inv.build_hostnames(changed_hosts)
         self.assertEqual(expected, result)
 
-    def test_build_hostnames_different_ips_add_duplicate(self):
+    def test_build_hostnames_create_with_two_different_ips(self):
-        changed_hosts = ['10.90.0.2,192.168.0.2']
-        expected = OrderedDict([('node1',
-                                 {'ansible_host': '192.168.0.2',
-                                  'ip': '10.90.0.2',
-                                  'access_ip': '192.168.0.2'})])
-        self.inv.yaml_config['all']['hosts'] = expected
-        result = self.inv.build_hostnames(changed_hosts)
-        self.assertEqual(expected, result)
-
-    def test_build_hostnames_different_ips_add_two(self):
         changed_hosts = ['10.90.0.2,192.168.0.2', '10.90.0.3,192.168.0.3']
         expected = OrderedDict([
             ('node1', {'ansible_host': '192.168.0.2',
@@ -341,6 +363,210 @@ class TestInventory(unittest.TestCase):
             ('node2', {'ansible_host': '192.168.0.3',
                        'ip': '10.90.0.3',
                        'access_ip': '192.168.0.3'})])
-        self.inv.yaml_config['all']['hosts'] = OrderedDict()
         result = self.inv.build_hostnames(changed_hosts)
         self.assertEqual(expected, result)
+
+    def test_build_hostnames_create_with_three_different_ips(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2',
+                         '10.90.0.3,192.168.0.3',
+                         '10.90.0.4,192.168.0.4']
+        expected = OrderedDict([
+            ('node1', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node2', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node3', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'})])
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_overwrite_one_with_different_ips(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2']
+        expected = OrderedDict([('node1',
+                                 {'ansible_host': '192.168.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '192.168.0.2'})])
+        existing = OrderedDict([('node5',
+                                 {'ansible_host': '192.168.0.5',
+                                  'ip': '10.90.0.5',
+                                  'access_ip': '192.168.0.5'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_overwrite_three_with_different_ips(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2']
+        expected = OrderedDict([('node1',
+                                 {'ansible_host': '192.168.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '192.168.0.2'})])
+        existing = OrderedDict([
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'}),
+            ('node5', {'ansible_host': '192.168.0.5',
+                       'ip': '10.90.0.5',
+                       'access_ip': '192.168.0.5'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_different_ips_add_duplicate(self):
+        changed_hosts = ['10.90.0.2,192.168.0.2']
+        expected = OrderedDict([('node3',
+                                 {'ansible_host': '192.168.0.2',
+                                  'ip': '10.90.0.2',
+                                  'access_ip': '192.168.0.2'})])
+        existing = expected
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_add_two_different_ips_into_one_existing(self):
+        changed_hosts = ['10.90.0.3,192.168.0.3', '10.90.0.4,192.168.0.4']
+        expected = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'})])
+
+        existing = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_add_two_different_ips_into_two_existing(self):
+        changed_hosts = ['10.90.0.4,192.168.0.4', '10.90.0.5,192.168.0.5']
+        expected = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'}),
+            ('node5', {'ansible_host': '192.168.0.5',
+                       'ip': '10.90.0.5',
+                       'access_ip': '192.168.0.5'})])
+
+        existing = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)
+
+    def test_build_hostnames_add_two_different_ips_into_three_existing(self):
+        changed_hosts = ['10.90.0.5,192.168.0.5', '10.90.0.6,192.168.0.6']
+        expected = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'}),
+            ('node5', {'ansible_host': '192.168.0.5',
+                       'ip': '10.90.0.5',
+                       'access_ip': '192.168.0.5'}),
+            ('node6', {'ansible_host': '192.168.0.6',
+                       'ip': '10.90.0.6',
+                       'access_ip': '192.168.0.6'})])
+
+        existing = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)
+
+    # Add two IP addresses into a config that has
+    # three already defined IP addresses. One of the IP addresses
+    # is a duplicate.
+    def test_build_hostnames_add_two_duplicate_one_overlap(self):
+        changed_hosts = ['10.90.0.4,192.168.0.4', '10.90.0.5,192.168.0.5']
+        expected = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'}),
+            ('node5', {'ansible_host': '192.168.0.5',
+                       'ip': '10.90.0.5',
+                       'access_ip': '192.168.0.5'})])
+
+        existing = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)
+
+    # Add two duplicate IP addresses into a config that has
+    # three already defined IP addresses
+    def test_build_hostnames_add_two_duplicate_two_overlap(self):
+        changed_hosts = ['10.90.0.3,192.168.0.3', '10.90.0.4,192.168.0.4']
+        expected = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'})])
+
+        existing = OrderedDict([
+            ('node2', {'ansible_host': '192.168.0.2',
+                       'ip': '10.90.0.2',
+                       'access_ip': '192.168.0.2'}),
+            ('node3', {'ansible_host': '192.168.0.3',
+                       'ip': '10.90.0.3',
+                       'access_ip': '192.168.0.3'}),
+            ('node4', {'ansible_host': '192.168.0.4',
+                       'ip': '10.90.0.4',
+                       'access_ip': '192.168.0.4'})])
+        self.inv.yaml_config['all']['hosts'] = existing
+        result = self.inv.build_hostnames(changed_hosts, True)
+        self.assertEqual(expected, result)

contrib/kvm-setup/roles/kvm-setup/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Install required packages
-  yum:
+  package:
     name: "{{ item }}"
     state: present
   with_items:

contrib/kvm-setup/roles/kvm-setup/tasks/user.yml

@@ -11,6 +11,7 @@
     state: directory
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
+    mode: 0700
 
 - name: Configure sudo for deployment user
   copy:

contrib/network-storage/glusterfs/glusterfs.yml

@@ -15,10 +15,10 @@
   roles:
     - { role: glusterfs/server }
 
-- hosts: k8s-cluster
+- hosts: k8s_cluster
   roles:
     - { role: glusterfs/client }
 
-- hosts: kube-master[0]
+- hosts: kube_control_plane[0]
   roles:
     - { role: kubernetes-pv }

contrib/network-storage/glusterfs/inventory.example

@@ -11,10 +11,10 @@
 # ## Set disk_volume_device_1 to desired device for gluster brick, if different to /dev/vdb (default).
 # ## As in the previous case, you can set ip to give direct communication on internal IPs
 # gfs_node1 ansible_ssh_host=95.54.0.18 # disk_volume_device_1=/dev/vdc  ip=10.3.0.7
-# gfs_node2 ansible_ssh_host=95.54.0.19 # disk_volume_device_1=/dev/vdc  ip=10.3.0.8 
+# gfs_node2 ansible_ssh_host=95.54.0.19 # disk_volume_device_1=/dev/vdc  ip=10.3.0.8
-# gfs_node3 ansible_ssh_host=95.54.0.20 # disk_volume_device_1=/dev/vdc  ip=10.3.0.9 
+# gfs_node3 ansible_ssh_host=95.54.0.20 # disk_volume_device_1=/dev/vdc  ip=10.3.0.9
 
-# [kube-master]
+# [kube_control_plane]
 # node1
 # node2
 
@@ -23,16 +23,16 @@
 # node2
 # node3
 
-# [kube-node]
+# [kube_node]
 # node2
 # node3
 # node4
 # node5
 # node6
 
-# [k8s-cluster:children]
+# [k8s_cluster:children]
-# kube-node
+# kube_node
-# kube-master
+# kube_control_plane
 
 # [gfs-cluster]
 # gfs_node1

contrib/network-storage/glusterfs/roles/glusterfs/README.md

@@ -8,7 +8,7 @@ Installs and configures GlusterFS on Linux.
 
 For GlusterFS to connect between servers, TCP ports `24007`, `24008`, and `24009`/`49152`+ (that port, plus an additional incremented port for each additional server in the cluster; the latter if GlusterFS is version 3.4+), and TCP/UDP port `111` must be open. You can open these using whatever firewall you wish (this can easily be configured using the `geerlingguy.firewall` role).
 
-This role performs basic installation and setup of Gluster, but it does not configure or mount bricks (volumes), since that step is easier to do in a series of plays in your own playbook. Ansible 1.9+ includes the [`gluster_volume`](https://docs.ansible.com/gluster_volume_module.html) module to ease the management of Gluster volumes.
+This role performs basic installation and setup of Gluster, but it does not configure or mount bricks (volumes), since that step is easier to do in a series of plays in your own playbook. Ansible 1.9+ includes the [`gluster_volume`](https://docs.ansible.com/ansible/latest/collections/gluster/gluster/gluster_volume_module.html) module to ease the management of Gluster volumes.
 
 ## Role Variables
 

contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-RedHat.yml

@@ -1,10 +1,10 @@
 ---
 - name: Install Prerequisites
-  yum: name={{ item }}  state=present
+  package: name={{ item }}  state=present
   with_items:
     - "centos-release-gluster{{ glusterfs_default_release }}"
 
 - name: Install Packages
-  yum: name={{ item }}  state=present
+  package: name={{ item }}  state=present
   with_items:
     - glusterfs-client

contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml

@@ -9,7 +9,7 @@
   when: ansible_os_family == "Debian"
 
 - name: install xfs RedHat
-  yum: name=xfsprogs state=present
+  package: name=xfsprogs state=present
   when: ansible_os_family == "RedHat"
 
 # Format external volumes in xfs
@@ -82,6 +82,7 @@
   template:
     dest: "{{ gluster_mount_dir }}/.test-file.txt"
     src: test-file.txt
+    mode: 0644
   when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]
 
 - name: Unmount glusterfs

contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-RedHat.yml

@@ -1,11 +1,11 @@
 ---
 - name: Install Prerequisites
-  yum: name={{ item }}  state=present
+  package: name={{ item }}  state=present
   with_items:
     - "centos-release-gluster{{ glusterfs_default_release }}"
 
 - name: Install Packages
-  yum: name={{ item }}  state=present
+  package: name={{ item }}  state=present
   with_items:
     - glusterfs-server
     - glusterfs-client

contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml

@@ -8,7 +8,7 @@
     - { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}
     - { file: glusterfs-kubernetes-endpoint-svc.json.j2, type: svc, dest: glusterfs-kubernetes-endpoint-svc.json}
   register: gluster_pv
-  when: inventory_hostname == groups['kube-master'][0] and groups['gfs-cluster'] is defined and hostvars[groups['gfs-cluster'][0]].gluster_disk_size_gb is defined
+  when: inventory_hostname == groups['kube_control_plane'][0] and groups['gfs-cluster'] is defined and hostvars[groups['gfs-cluster'][0]].gluster_disk_size_gb is defined
 
 - name: Kubernetes Apps | Set GlusterFS endpoint and PV
   kube:
@@ -19,4 +19,4 @@
     filename: "{{ kube_config_dir }}/{{ item.item.dest }}"
     state: "{{ item.changed | ternary('latest','present') }}"
   with_items: "{{ gluster_pv.results }}"
-  when: inventory_hostname == groups['kube-master'][0] and groups['gfs-cluster'] is defined
+  when: inventory_hostname == groups['kube_control_plane'][0] and groups['gfs-cluster'] is defined

contrib/network-storage/heketi/heketi-tear-down.yml

@@ -1,5 +1,5 @@
 ---
-- hosts: kube-master[0]
+- hosts: kube_control_plane[0]
   roles:
     - { role: tear-down }
 

contrib/network-storage/heketi/heketi.yml

@@ -3,7 +3,7 @@
   roles:
     - { role: prepare }
 
-- hosts: kube-master[0]
+- hosts: kube_control_plane[0]
   tags:
     - "provision"
   roles:

contrib/network-storage/heketi/inventory.yml.sample

@@ -2,18 +2,25 @@ all:
     vars:
         heketi_admin_key: "11elfeinhundertundelf"
         heketi_user_key: "!!einseinseins"
+        glusterfs_daemonset:
+            readiness_probe:
+                timeout_seconds: 3
+                initial_delay_seconds: 3
+            liveness_probe:
+                timeout_seconds: 3
+                initial_delay_seconds: 10
     children:
-        k8s-cluster:
+        k8s_cluster:
             vars:
                 kubelet_fail_swap_on: false
             children:
-                kube-master:
+                kube_control_plane:
                     hosts:
                         node1:
                 etcd:
                     hosts:
                         node2:
-                kube-node:
+                kube_node:
                     hosts: &kube_nodes
                         node1:
                         node2:

contrib/network-storage/heketi/roles/prepare/tasks/main.yml

@@ -11,7 +11,7 @@
 
 - name: "Install glusterfs mount utils (RedHat)"
   become: true
-  yum:
+  package:
     name: "glusterfs-fuse"
     state: "present"
   when: "ansible_os_family == 'RedHat'"

contrib/network-storage/heketi/roles/provision/tasks/bootstrap/deploy.yml

@@ -1,7 +1,10 @@
 ---
 - name: "Kubernetes Apps | Lay Down Heketi Bootstrap"
   become: true
-  template: { src: "heketi-bootstrap.json.j2", dest: "{{ kube_config_dir }}/heketi-bootstrap.json" }
+  template:
+    src: "heketi-bootstrap.json.j2"
+    dest: "{{ kube_config_dir }}/heketi-bootstrap.json"
+    mode: 0640
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Bootstrap"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml

@@ -10,6 +10,7 @@
   template:
     src: "topology.json.j2"
     dest: "{{ kube_config_dir }}/topology.json"
+    mode: 0644
 - name: "Copy topology configuration into container."
   changed_when: false
   command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ initial_heketi_pod_name }}:/tmp/topology.json"

contrib/network-storage/heketi/roles/provision/tasks/glusterfs.yml

@@ -1,6 +1,9 @@
 ---
 - name: "Kubernetes Apps | Lay Down GlusterFS Daemonset"
-  template: { src: "glusterfs-daemonset.json.j2", dest: "{{ kube_config_dir }}/glusterfs-daemonset.json" }
+  template:
+    src: "glusterfs-daemonset.json.j2"
+    dest: "{{ kube_config_dir }}/glusterfs-daemonset.json"
+    mode: 0644
   become: true
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure GlusterFS daemonset"
@@ -27,7 +30,10 @@
   delay: 5
 
 - name: "Kubernetes Apps | Lay Down Heketi Service Account"
-  template: { src: "heketi-service-account.json.j2", dest: "{{ kube_config_dir }}/heketi-service-account.json" }
+  template:
+    src: "heketi-service-account.json.j2"
+    dest: "{{ kube_config_dir }}/heketi-service-account.json"
+    mode: 0644
   become: true
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Service Account"

contrib/network-storage/heketi/roles/provision/tasks/heketi.yml

@@ -4,6 +4,7 @@
   template:
     src: "heketi-deployment.json.j2"
     dest: "{{ kube_config_dir }}/heketi-deployment.json"
+    mode: 0644
   register: "rendering"
 
 - name: "Kubernetes Apps | Install and configure Heketi"

contrib/network-storage/heketi/roles/provision/tasks/secret.yml

@@ -5,7 +5,7 @@
   changed_when: false
 
 - name: "Kubernetes Apps | Deploy cluster role binding."
-  when: "clusterrolebinding_state.stdout == \"\""
+  when: "clusterrolebinding_state.stdout | length == 0"
   command: "{{ bin_dir }}/kubectl create clusterrolebinding heketi-gluster-admin --clusterrole=edit --serviceaccount=default:heketi-service-account"
 
 - name: Get clusterrolebindings again
@@ -15,7 +15,7 @@
 
 - name: Make sure that clusterrolebindings are present now
   assert:
-    that: "clusterrolebinding_state.stdout != \"\""
+    that: "clusterrolebinding_state.stdout | length > 0"
     msg: "Cluster role binding is not present."
 
 - name: Get the heketi-config-secret secret
@@ -28,9 +28,10 @@
   template:
     src: "heketi.json.j2"
     dest: "{{ kube_config_dir }}/heketi.json"
+    mode: 0644
 
 - name: "Deploy Heketi config secret"
-  when: "secret_state.stdout == \"\""
+  when: "secret_state.stdout | length == 0"
   command: "{{ bin_dir }}/kubectl create secret generic heketi-config-secret --from-file={{ kube_config_dir }}/heketi.json"
 
 - name: Get the heketi-config-secret secret again
@@ -40,5 +41,5 @@
 
 - name: Make sure the heketi-config-secret secret exists now
   assert:
-    that: "secret_state.stdout != \"\""
+    that: "secret_state.stdout | length > 0"
     msg: "Heketi config secret is not present."

contrib/network-storage/heketi/roles/provision/tasks/storage.yml

@@ -2,7 +2,10 @@
 - name: "Kubernetes Apps | Lay Down Heketi Storage"
   become: true
   vars: { nodes: "{{ groups['heketi-node'] }}" }
-  template: { src: "heketi-storage.json.j2", dest: "{{ kube_config_dir }}/heketi-storage.json" }
+  template:
+    src: "heketi-storage.json.j2"
+    dest: "{{ kube_config_dir }}/heketi-storage.json"
+    mode: 0644
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Storage"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/storageclass.yml

@@ -16,6 +16,7 @@
   template:
     src: "storageclass.yml.j2"
     dest: "{{ kube_config_dir }}/storageclass.yml"
+    mode: 0644
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Storace Class"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/topology.yml

@@ -10,6 +10,7 @@
   template:
     src: "topology.json.j2"
     dest: "{{ kube_config_dir }}/topology.json"
+    mode: 0644
 - name: "Copy topology configuration into container."  # noqa 503
   when: "rendering.changed"
   command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ heketi_pod_name }}:/tmp/topology.json"

contrib/network-storage/heketi/roles/provision/templates/glusterfs-daemonset.json.j2

@@ -73,8 +73,8 @@
                             "privileged": true
                         },
                         "readinessProbe": {
-                            "timeoutSeconds": 3,
+                            "timeoutSeconds": {{ glusterfs_daemonset.readiness_probe.timeout_seconds }},
-                            "initialDelaySeconds": 3,
+                            "initialDelaySeconds": {{ glusterfs_daemonset.readiness_probe.initial_delay_seconds }},
                             "exec": {
                                 "command": [
                                     "/bin/bash",
@@ -84,8 +84,8 @@
                             }
                         },
                         "livenessProbe": {
-                            "timeoutSeconds": 3,
+                            "timeoutSeconds": {{ glusterfs_daemonset.liveness_probe.timeout_seconds }},
-                            "initialDelaySeconds": 10,
+                            "initialDelaySeconds": {{ glusterfs_daemonset.liveness_probe.initial_delay_seconds }},
                             "exec": {
                                 "command": [
                                     "/bin/bash",

contrib/network-storage/heketi/roles/tear-down-disks/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: "Install lvm utils (RedHat)"
   become: true
-  yum:
+  package:
     name: "lvm2"
     state: "present"
   when: "ansible_os_family == 'RedHat'"
@@ -19,7 +19,7 @@
   become: true
   shell: "pvs {{ disk_volume_device_1 }} --option vg_name | tail -n+2"
   register: "volume_groups"
-  ignore_errors: true
+  ignore_errors: true   # noqa ignore-errors
   changed_when: false
 
 - name: "Remove volume groups."  # noqa 301
@@ -35,11 +35,11 @@
     PATH: "{{ ansible_env.PATH }}:/sbin"  # Make sure we can workaround RH / CentOS conservative path management
   become: true
   command: "pvremove {{ disk_volume_device_1 }} --yes"
-  ignore_errors: true
+  ignore_errors: true   # noqa ignore-errors
 
 - name: "Remove lvm utils (RedHat)"
   become: true
-  yum:
+  package:
     name: "lvm2"
     state: "absent"
   when: "ansible_os_family == 'RedHat' and heketi_remove_lvm"

contrib/network-storage/heketi/roles/tear-down/tasks/main.yml

@@ -1,51 +1,51 @@
 ---
-- name: "Remove storage class."  # noqa 301
+- name: Remove storage class.  # noqa 301
   command: "{{ bin_dir }}/kubectl delete storageclass gluster"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Tear down heketi."  # noqa 301
+- name: Tear down heketi.  # noqa 301
   command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\""
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Tear down heketi."  # noqa 301
+- name: Tear down heketi.  # noqa 301
   command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\""
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Tear down bootstrap."
+- name: Tear down bootstrap.
   include_tasks: "../../provision/tasks/bootstrap/tear-down.yml"
-- name: "Ensure there is nothing left over."  # noqa 301
+- name: Ensure there is nothing left over.  # noqa 301
   command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\" -o=json"
   register: "heketi_result"
   until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
   retries: 60
   delay: 5
-- name: "Ensure there is nothing left over."  # noqa 301
+- name: Ensure there is nothing left over.  # noqa 301
   command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\" -o=json"
   register: "heketi_result"
   until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
   retries: 60
   delay: 5
-- name: "Tear down glusterfs."  # noqa 301
+- name: Tear down glusterfs.  # noqa 301
   command: "{{ bin_dir }}/kubectl delete daemonset.extensions/glusterfs"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Remove heketi storage service."  # noqa 301
+- name: Remove heketi storage service.  # noqa 301
   command: "{{ bin_dir }}/kubectl delete service heketi-storage-endpoints"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Remove heketi gluster role binding"  # noqa 301
+- name: Remove heketi gluster role binding  # noqa 301
   command: "{{ bin_dir }}/kubectl delete clusterrolebinding heketi-gluster-admin"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Remove heketi config secret"  # noqa 301
+- name: Remove heketi config secret  # noqa 301
   command: "{{ bin_dir }}/kubectl delete secret heketi-config-secret"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Remove heketi db backup"  # noqa 301
+- name: Remove heketi db backup  # noqa 301
   command: "{{ bin_dir }}/kubectl delete secret heketi-db-backup"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Remove heketi service account"  # noqa 301
+- name: Remove heketi service account  # noqa 301
   command: "{{ bin_dir }}/kubectl delete serviceaccount heketi-service-account"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors
-- name: "Get secrets"
+- name: Get secrets
   command: "{{ bin_dir }}/kubectl get secrets --output=\"json\""
   register: "secrets"
   changed_when: false
-- name: "Remove heketi storage secret"
+- name: Remove heketi storage secret
   vars: { storage_query: "items[?metadata.annotations.\"kubernetes.io/service-account.name\"=='heketi-service-account'].metadata.name|[0]" }
   command: "{{ bin_dir }}/kubectl delete secret {{ secrets.stdout|from_json|json_query(storage_query) }}"
   when: "storage_query is defined"
-  ignore_errors: true
+  ignore_errors: true  # noqa ignore-errors

contrib/offline/README.md

@@ -1,4 +1,8 @@
-# Container image collecting script for offline deployment
+# Offline deployment
+
+## manage-offline-container-images.sh
+
+Container image collecting script for offline deployment
 
 This script has two features:
 (1) Get container images from an environment which is deployed online.
@@ -19,3 +23,21 @@ Step(2) can be operated with:
 ```shell
 manage-offline-container-images.sh   register
 ```
+
+## generate_list.sh
+
+This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main.yml` file.
+
+Run this script will generates three files, all downloaded files url in files.list, all container images in images.list, all component version in generate.sh.
+
+```shell
+bash generate_list.sh
+tree temp
+temp
+├── files.list
+├── generate.sh
+└── images.list
+0 directories, 3 files
+```
+
+In some cases you may want to update some component version, you can edit `generate.sh` file, then run `bash generate.sh | grep 'https' > files.list` to update file.list or run `bash generate.sh | grep -v 'https'> images.list` to update images.list.

contrib/offline/generate_list.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+set -eo pipefail
+
+CURRENT_DIR=$(cd $(dirname $0); pwd)
+TEMP_DIR="${CURRENT_DIR}/temp"
+REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"
+
+: ${IMAGE_ARCH:="amd64"}
+: ${ANSIBLE_SYSTEM:="linux"}
+: ${ANSIBLE_ARCHITECTURE:="x86_64"}
+: ${DOWNLOAD_YML:="roles/download/defaults/main.yml"}
+: ${KUBE_VERSION_YAML:="roles/kubespray-defaults/defaults/main.yaml"}
+
+mkdir -p ${TEMP_DIR}
+
+# ARCH used in convert {%- if image_arch != 'amd64' -%}-{{ image_arch }}{%- endif -%} to {{arch}}
+if [ "${IMAGE_ARCH}" != "amd64" ]; then ARCH="${IMAGE_ARCH}"; fi
+
+cat > ${TEMP_DIR}/generate.sh << EOF
+arch=${ARCH}
+image_arch=${IMAGE_ARCH}
+ansible_system=${ANSIBLE_SYSTEM}
+ansible_architecture=${ANSIBLE_ARCHITECTURE}
+EOF
+
+# generate all component version by $DOWNLOAD_YML
+grep 'kube_version:' ${REPO_ROOT_DIR}/${KUBE_VERSION_YAML} \
+| sed 's/: /=/g' >> ${TEMP_DIR}/generate.sh
+grep '_version:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
+| sed 's/: /=/g;s/{{/${/g;s/}}/}/g' | tr -d ' ' >> ${TEMP_DIR}/generate.sh
+sed -i 's/kube_major_version=.*/kube_major_version=${kube_version%.*}/g' ${TEMP_DIR}/generate.sh
+sed -i 's/crictl_version=.*/crictl_version=${kube_version%.*}.0/g' ${TEMP_DIR}/generate.sh
+
+# generate all download files url
+grep 'download_url:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
+| sed 's/: /=/g;s/ //g;s/{{/${/g;s/}}/}/g;s/|lower//g;s/^.*_url=/echo /g' >> ${TEMP_DIR}/generate.sh
+
+# generate all images list
+grep -E '_repo:|_tag:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
+| sed "s#{%- if image_arch != 'amd64' -%}-{{ image_arch }}{%- endif -%}#{{arch}}#g" \
+| sed 's/: /=/g;s/{{/${/g;s/}}/}/g' | tr -d ' ' >> ${TEMP_DIR}/generate.sh
+sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
+| sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' | sed 's/{{/${/g;s/}}/}/g' \
+| sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/^/echo /g' >> ${TEMP_DIR}/generate.sh
+
+# special handling for https://github.com/kubernetes-sigs/kubespray/pull/7570
+sed -i 's#^coredns_image_repo=.*#coredns_image_repo=${kube_image_repo}$(if printf "%s\\n%s\\n" v1.21 ${kube_version%.*} | sort --check=quiet --version-sort; then echo -n /coredns/coredns;else echo -n /coredns; fi)#' ${TEMP_DIR}/generate.sh
+sed -i 's#^coredns_image_tag=.*#coredns_image_tag=$(if printf "%s\\n%s\\n" v1.21 ${kube_version%.*} | sort --check=quiet --version-sort; then echo -n ${coredns_version};else echo -n ${coredns_version/v/}; fi)#' ${TEMP_DIR}/generate.sh
+
+# add kube-* images to images list
+KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"
+echo "${KUBE_IMAGES}" | tr ' ' '\n' | xargs -L1 -I {} \
+echo 'echo ${kube_image_repo}/{}:${kube_version}' >> ${TEMP_DIR}/generate.sh
+
+# print files.list and images.list
+bash ${TEMP_DIR}/generate.sh | grep 'https' | sort > ${TEMP_DIR}/files.list
+bash ${TEMP_DIR}/generate.sh | grep -v 'https' | sort > ${TEMP_DIR}/images.list

contrib/offline/manage-offline-container-images.sh

@@ -100,15 +100,35 @@ function register_container_images() {
 
 	tar -zxvf ${IMAGE_TAR_FILE}
 	sudo docker load -i ${IMAGE_DIR}/registry-latest.tar
-	sudo docker run --restart=always -d -p 5000:5000 --name registry registry:latest
 	set +e
-
+	sudo docker container inspect registry >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		sudo docker run --restart=always -d -p 5000:5000 --name registry registry:latest
+	fi
 	set -e
+
 	while read -r line; do
 		file_name=$(echo ${line} | awk '{print $1}')
-		org_image=$(echo ${line} | awk '{print $2}')
+		raw_image=$(echo ${line} | awk '{print $2}')
-		new_image="${LOCALHOST_NAME}:5000/${org_image}"
+		new_image="${LOCALHOST_NAME}:5000/${raw_image}"
-		image_id=$(tar -tf ${IMAGE_DIR}/${file_name} | grep "\.json" | grep -v manifest.json | sed s/"\.json"//)
+		org_image=$(sudo docker load -i ${IMAGE_DIR}/${file_name} | head -n1 | awk '{print $3}')
+		image_id=$(sudo docker image inspect ${org_image} | grep "\"Id\":" | awk -F: '{print $3}'| sed s/'\",'//)
+		if [ -z "${file_name}" ]; then
+			echo "Failed to get file_name for line ${line}"
+			exit 1
+		fi
+		if [ -z "${raw_image}" ]; then
+			echo "Failed to get raw_image for line ${line}"
+			exit 1
+		fi
+		if [ -z "${org_image}" ]; then
+			echo "Failed to get org_image for line ${line}"
+			exit 1
+		fi
+		if [ -z "${image_id}" ]; then
+			echo "Failed to get image_id for file ${file_name}"
+			exit 1
+		fi
 		sudo docker load -i ${IMAGE_DIR}/${file_name}
 		sudo docker tag  ${image_id} ${new_image}
 		sudo docker push ${new_image}

contrib/os-services/os-services.yml

@@ -1,5 +1,4 @@
 ---
 - hosts: all
-
   roles:
-    - role_under_test
+    - { role: prepare }

contrib/os-services/roles/prepare/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+disable_service_firewall: false

contrib/os-services/roles/prepare/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- block:
+  - name: List services
+    service_facts:
+
+  - name: Disable service firewalld
+    systemd:
+      name: firewalld
+      state: stopped
+      enabled: no
+    when:
+      "'firewalld.service' in services"
+
+  - name: Disable service ufw
+    systemd:
+      name: ufw
+      state: stopped
+      enabled: no
+    when:
+      "'ufw.service' in services"
+
+  when:
+  - disable_service_firewall is defined and disable_service_firewall

contrib/packaging/rpm/kubespray.spec

@@ -9,8 +9,8 @@ Summary:        Ansible modules for installing Kubernetes
 
 Group:          System Environment/Libraries
 License:        ASL 2.0
-Url:            https://github.com/kubernetes-incubator/kubespray
+Url:            https://github.com/kubernetes-sigs/kubespray
-Source0:        https://github.com/kubernetes-incubator/kubespray/archive/%{upstream_version}.tar.gz#/%{name}-%{release}.tar.gz
+Source0:        https://github.com/kubernetes-sigs/kubespray/archive/%{upstream_version}.tar.gz#/%{name}-%{release}.tar.gz
 
 BuildArch:      noarch
 BuildRequires:  git
@@ -51,7 +51,7 @@ export SKIP_PIP_INSTALL=1
 %doc %{_docdir}/%{name}/inventory/sample/hosts.ini
 %config %{_sysconfdir}/%{name}/ansible.cfg
 %config %{_sysconfdir}/%{name}/inventory/sample/group_vars/all.yml
-%config %{_sysconfdir}/%{name}/inventory/sample/group_vars/k8s-cluster.yml
+%config %{_sysconfdir}/%{name}/inventory/sample/group_vars/k8s_cluster.yml
 %license %{_docdir}/%{name}/LICENSE
 %{python2_sitelib}/%{srcname}-%{release}-py%{python2_version}.egg-info
 %{_datarootdir}/%{name}/roles/

contrib/terraform/aws/.gitignore

@@ -1,2 +1,3 @@
 *.tfstate*
+.terraform.lock.hcl
 .terraform

contrib/terraform/aws/README.md

@@ -122,7 +122,7 @@ You can use the following set of commands to get the kubeconfig file from your n
 
 ```commandline
 # Get the controller's IP address.
-CONTROLLER_HOST_NAME=$(cat ./inventory/hosts | grep "\[kube-master\]" -A 1 | tail -n 1)
+CONTROLLER_HOST_NAME=$(cat ./inventory/hosts | grep "\[kube_control_plane\]" -A 1 | tail -n 1)
 CONTROLLER_IP=$(cat ./inventory/hosts | grep $CONTROLLER_HOST_NAME | grep ansible_host | cut -d'=' -f2)
 
 # Get the hostname of the load balancer.

contrib/terraform/aws/create-infrastructure.tf

@@ -20,7 +20,7 @@ module "aws-vpc" {
 
   aws_cluster_name         = var.aws_cluster_name
   aws_vpc_cidr_block       = var.aws_vpc_cidr_block
-  aws_avail_zones          = slice(data.aws_availability_zones.available.names, 0, 2)
+  aws_avail_zones          = slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names))
   aws_cidr_subnets_private = var.aws_cidr_subnets_private
   aws_cidr_subnets_public  = var.aws_cidr_subnets_public
   default_tags             = var.default_tags
@@ -31,7 +31,7 @@ module "aws-elb" {
 
   aws_cluster_name      = var.aws_cluster_name
   aws_vpc_id            = module.aws-vpc.aws_vpc_id
-  aws_avail_zones       = slice(data.aws_availability_zones.available.names, 0, 2)
+  aws_avail_zones       = slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names))
   aws_subnet_ids_public = module.aws-vpc.aws_subnet_ids_public
   aws_elb_api_port      = var.aws_elb_api_port
   k8s_secure_api_port   = var.k8s_secure_api_port
@@ -52,20 +52,20 @@ module "aws-iam" {
 resource "aws_instance" "bastion-server" {
   ami                         = data.aws_ami.distro.id
   instance_type               = var.aws_bastion_size
-  count                       = length(var.aws_cidr_subnets_public)
+  count                       = var.aws_bastion_num
   associate_public_ip_address = true
-  availability_zone           = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  availability_zone           = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
   subnet_id                   = element(module.aws-vpc.aws_subnet_ids_public, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
   key_name = var.AWS_SSH_KEY_NAME
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-bastion-${count.index}",
+    Name    = "kubernetes-${var.aws_cluster_name}-bastion-${count.index}"
-    "Cluster", var.aws_cluster_name,
+    Cluster = var.aws_cluster_name
-    "Role", "bastion-${var.aws_cluster_name}-${count.index}"
+    Role    = "bastion-${var.aws_cluster_name}-${count.index}"
-  ))
+  }))
 }
 
 /*
@@ -79,19 +79,23 @@ resource "aws_instance" "k8s-master" {
 
   count = var.aws_kube_master_num
 
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
   subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
-  iam_instance_profile = module.aws-iam.kube-master-profile
+  root_block_device {
+    volume_size = var.aws_kube_master_disk_size
+  }
+
+  iam_instance_profile = module.aws-iam.kube_control_plane-profile
   key_name             = var.AWS_SSH_KEY_NAME
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-master${count.index}",
+    Name                                            = "kubernetes-${var.aws_cluster_name}-master${count.index}"
-    "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "member"
-    "Role", "master"
+    Role                                            = "master"
-  ))
+  }))
 }
 
 resource "aws_elb_attachment" "attach_master_nodes" {
@@ -106,18 +110,22 @@ resource "aws_instance" "k8s-etcd" {
 
   count = var.aws_etcd_num
 
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
   subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
+  root_block_device {
+    volume_size = var.aws_etcd_disk_size
+  }
+
   key_name = var.AWS_SSH_KEY_NAME
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-etcd${count.index}",
+    Name                                            = "kubernetes-${var.aws_cluster_name}-etcd${count.index}"
-    "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "member"
-    "Role", "etcd"
+    Role                                            = "etcd"
-  ))
+  }))
 }
 
 resource "aws_instance" "k8s-worker" {
@@ -126,19 +134,23 @@ resource "aws_instance" "k8s-worker" {
 
   count = var.aws_kube_worker_num
 
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, 2), count.index)
+  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
   subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
 
   vpc_security_group_ids = module.aws-vpc.aws_security_group
 
+  root_block_device {
+    volume_size = var.aws_kube_worker_disk_size
+  }
+
   iam_instance_profile = module.aws-iam.kube-worker-profile
   key_name             = var.AWS_SSH_KEY_NAME
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-worker${count.index}",
+    Name                                            = "kubernetes-${var.aws_cluster_name}-worker${count.index}"
-    "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "member"
-    "Role", "worker"
+    Role                                            = "worker"
-  ))
+  }))
 }
 
 /*
@@ -152,10 +164,10 @@ data "template_file" "inventory" {
     public_ip_address_bastion = join("\n", formatlist("bastion ansible_host=%s", aws_instance.bastion-server.*.public_ip))
     connection_strings_master = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-master.*.private_dns, aws_instance.k8s-master.*.private_ip))
     connection_strings_node   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-worker.*.private_dns, aws_instance.k8s-worker.*.private_ip))
-    connection_strings_etcd   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.private_dns, aws_instance.k8s-etcd.*.private_ip))
     list_master               = join("\n", aws_instance.k8s-master.*.private_dns)
     list_node                 = join("\n", aws_instance.k8s-worker.*.private_dns)
-    list_etcd                 = join("\n", aws_instance.k8s-etcd.*.private_dns)
+    connection_strings_etcd   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.private_dns, aws_instance.k8s-etcd.*.private_ip))
+    list_etcd                 = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_dns) : (aws_instance.k8s-master.*.private_dns)))
     elb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
   }
 }

contrib/terraform/aws/modules/elb/main.tf

@@ -2,9 +2,9 @@ resource "aws_security_group" "aws-elb" {
   name   = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
   vpc_id = var.aws_vpc_id
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
+    Name = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-  ))
+  }))
 }
 
 resource "aws_security_group_rule" "aws-allow-api-access" {
@@ -51,7 +51,7 @@ resource "aws_elb" "aws-elb-api" {
   connection_draining         = true
   connection_draining_timeout = 400
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-elb-api"
+    Name = "kubernetes-${var.aws_cluster_name}-elb-api"
-  ))
+  }))
 }

contrib/terraform/aws/modules/iam/main.tf

@@ -1,6 +1,6 @@
 #Add AWS Roles for Kubernetes
 
-resource "aws_iam_role" "kube-master" {
+resource "aws_iam_role" "kube_control_plane" {
   name = "kubernetes-${var.aws_cluster_name}-master"
 
   assume_role_policy = <<EOF
@@ -40,9 +40,9 @@ EOF
 
 #Add AWS Policies for Kubernetes
 
-resource "aws_iam_role_policy" "kube-master" {
+resource "aws_iam_role_policy" "kube_control_plane" {
   name = "kubernetes-${var.aws_cluster_name}-master"
-  role = aws_iam_role.kube-master.id
+  role = aws_iam_role.kube_control_plane.id
 
   policy = <<EOF
 {
@@ -130,9 +130,9 @@ EOF
 
 #Create AWS Instance Profiles
 
-resource "aws_iam_instance_profile" "kube-master" {
+resource "aws_iam_instance_profile" "kube_control_plane" {
   name = "kube_${var.aws_cluster_name}_master_profile"
-  role = aws_iam_role.kube-master.name
+  role = aws_iam_role.kube_control_plane.name
 }
 
 resource "aws_iam_instance_profile" "kube-worker" {

contrib/terraform/aws/modules/iam/outputs.tf

@@ -1,5 +1,5 @@
-output "kube-master-profile" {
+output "kube_control_plane-profile" {
-  value = aws_iam_instance_profile.kube-master.name
+  value = aws_iam_instance_profile.kube_control_plane.name
 }
 
 output "kube-worker-profile" {

contrib/terraform/aws/modules/vpc/main.tf

@@ -5,9 +5,9 @@ resource "aws_vpc" "cluster-vpc" {
   enable_dns_support   = true
   enable_dns_hostnames = true
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-vpc"
+    Name = "kubernetes-${var.aws_cluster_name}-vpc"
-  ))
+  }))
 }
 
 resource "aws_eip" "cluster-nat-eip" {
@@ -18,9 +18,9 @@ resource "aws_eip" "cluster-nat-eip" {
 resource "aws_internet_gateway" "cluster-vpc-internetgw" {
   vpc_id = aws_vpc.cluster-vpc.id
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-internetgw"
+    Name = "kubernetes-${var.aws_cluster_name}-internetgw"
-  ))
+  }))
 }
 
 resource "aws_subnet" "cluster-vpc-subnets-public" {
@@ -29,10 +29,10 @@ resource "aws_subnet" "cluster-vpc-subnets-public" {
   availability_zone = element(var.aws_avail_zones, count.index)
   cidr_block        = element(var.aws_cidr_subnets_public, count.index)
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public",
+    Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public"
-    "kubernetes.io/cluster/${var.aws_cluster_name}", "member"
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "member"
-  ))
+  }))
 }
 
 resource "aws_nat_gateway" "cluster-nat-gateway" {
@@ -47,9 +47,9 @@ resource "aws_subnet" "cluster-vpc-subnets-private" {
   availability_zone = element(var.aws_avail_zones, count.index)
   cidr_block        = element(var.aws_cidr_subnets_private, count.index)
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
+    Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
-  ))
+  }))
 }
 
 #Routing in VPC
@@ -64,9 +64,9 @@ resource "aws_route_table" "kubernetes-public" {
     gateway_id = aws_internet_gateway.cluster-vpc-internetgw.id
   }
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-routetable-public"
+    Name = "kubernetes-${var.aws_cluster_name}-routetable-public"
-  ))
+  }))
 }
 
 resource "aws_route_table" "kubernetes-private" {
@@ -78,9 +78,9 @@ resource "aws_route_table" "kubernetes-private" {
     nat_gateway_id = element(aws_nat_gateway.cluster-nat-gateway.*.id, count.index)
   }
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
+    Name = "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
-  ))
+  }))
 }
 
 resource "aws_route_table_association" "kubernetes-public" {
@@ -101,9 +101,9 @@ resource "aws_security_group" "kubernetes" {
   name   = "kubernetes-${var.aws_cluster_name}-securitygroup"
   vpc_id = aws_vpc.cluster-vpc.id
 
-  tags = merge(var.default_tags, map(
+  tags = merge(var.default_tags, tomap({
-    "Name", "kubernetes-${var.aws_cluster_name}-securitygroup"
+    Name = "kubernetes-${var.aws_cluster_name}-securitygroup"
-  ))
+  }))
 }
 
 resource "aws_security_group_rule" "allow-all-ingress" {

contrib/terraform/aws/output.tf

@@ -11,7 +11,7 @@ output "workers" {
 }
 
 output "etcd" {
-  value = join("\n", aws_instance.k8s-etcd.*.private_ip)
+  value = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_ip) : (aws_instance.k8s-master.*.private_ip)))
 }
 
 output "aws_elb_api_fqdn" {

contrib/terraform/aws/sample-inventory/cluster.tfvars

@@ -9,6 +9,8 @@ aws_cidr_subnets_private = ["10.250.192.0/20", "10.250.208.0/20"]
 aws_cidr_subnets_public = ["10.250.224.0/20", "10.250.240.0/20"]
 
 #Bastion Host
+aws_bastion_num = 1
+
 aws_bastion_size = "t2.medium"
 
 #Kubernetes Cluster
@@ -17,22 +19,26 @@ aws_kube_master_num = 3
 
 aws_kube_master_size = "t2.medium"
 
+aws_kube_master_disk_size = 50
+
 aws_etcd_num = 3
 
 aws_etcd_size = "t2.medium"
 
+aws_etcd_disk_size = 50
+
 aws_kube_worker_num = 4
 
 aws_kube_worker_size = "t2.medium"
 
+aws_kube_worker_disk_size = 50
+
 #Settings AWS ELB
 
 aws_elb_api_port = 6443
 
 k8s_secure_api_port = 6443
 
-kube_insecure_apiserver_address = "0.0.0.0"
-
 default_tags = {
   #  Env = "devtest"  #  Product = "kubernetes"
 }

contrib/terraform/aws/templates/inventory.tpl

@@ -7,22 +7,21 @@ ${public_ip_address_bastion}
 [bastion]
 ${public_ip_address_bastion}
 
-[kube-master]
+[kube_control_plane]
 ${list_master}
 
-
+[kube_node]
-[kube-node]
 ${list_node}
 
-
 [etcd]
 ${list_etcd}
 
+[calico_rr]
 
-[k8s-cluster:children]
+[k8s_cluster:children]
-kube-node
+kube_node
-kube-master
+kube_control_plane
+calico_rr
 
-
+[k8s_cluster:vars]
-[k8s-cluster:vars]
 ${elb_api_fqdn}

contrib/terraform/aws/terraform.tfvars

@@ -6,26 +6,34 @@ aws_vpc_cidr_block       = "10.250.192.0/18"
 aws_cidr_subnets_private = ["10.250.192.0/20", "10.250.208.0/20"]
 aws_cidr_subnets_public  = ["10.250.224.0/20", "10.250.240.0/20"]
 
-#Bastion Host
+# single AZ deployment
-aws_bastion_size = "t2.medium"
+#aws_cidr_subnets_private = ["10.250.192.0/20"]
+#aws_cidr_subnets_public  = ["10.250.224.0/20"]
 
+# 3+ AZ deployment
+#aws_cidr_subnets_private = ["10.250.192.0/24","10.250.193.0/24","10.250.194.0/24","10.250.195.0/24"]
+#aws_cidr_subnets_public  = ["10.250.224.0/24","10.250.225.0/24","10.250.226.0/24","10.250.227.0/24"]
+
+#Bastion Host
+aws_bastion_num  = 1
+aws_bastion_size = "t3.small"
 
 #Kubernetes Cluster
+aws_kube_master_num       = 3
+aws_kube_master_size      = "t3.medium"
+aws_kube_master_disk_size = 50
 
-aws_kube_master_num  = 3
+aws_etcd_num       = 0
-aws_kube_master_size = "t2.medium"
+aws_etcd_size      = "t3.medium"
+aws_etcd_disk_size = 50
 
-aws_etcd_num  = 3
+aws_kube_worker_num       = 4
-aws_etcd_size = "t2.medium"
+aws_kube_worker_size      = "t3.medium"
-
+aws_kube_worker_disk_size = 50
-aws_kube_worker_num  = 4
-aws_kube_worker_size = "t2.medium"
 
 #Settings AWS ELB
-
+aws_elb_api_port    = 6443
-aws_elb_api_port                = 6443
+k8s_secure_api_port = 6443
-k8s_secure_api_port             = 6443
-kube_insecure_apiserver_address = "0.0.0.0"
 
 default_tags = {
   #  Env = "devtest"

contrib/terraform/aws/terraform.tfvars.example

@@ -8,25 +8,26 @@ aws_cidr_subnets_public = ["10.250.224.0/20","10.250.240.0/20"]
 aws_avail_zones = ["eu-central-1a","eu-central-1b"]
 
 #Bastion Host
-aws_bastion_ami = "ami-5900cc36"
+aws_bastion_num = 1
-aws_bastion_size = "t2.small"
+aws_bastion_size = "t3.small"
-
 
 #Kubernetes Cluster
-
 aws_kube_master_num = 3
-aws_kube_master_size = "t2.medium"
+aws_kube_master_size = "t3.medium"
+aws_kube_master_disk_size = 50
 
 aws_etcd_num = 3
-aws_etcd_size = "t2.medium"
+aws_etcd_size = "t3.medium"
+aws_etcd_disk_size = 50
 
 aws_kube_worker_num = 4
-aws_kube_worker_size = "t2.medium"
+aws_kube_worker_size = "t3.medium"
-
+aws_kube_worker_disk_size = 50
-aws_cluster_ami = "ami-903df7ff"
 
 #Settings AWS ELB
-
 aws_elb_api_port = 6443
 k8s_secure_api_port = 6443
-kube_insecure_apiserver_address = 0.0.0.0
+
+default_tags = { }
+
+inventory_file = "../../../inventory/hosts"

contrib/terraform/aws/variables.tf

@@ -25,7 +25,7 @@ data "aws_ami" "distro" {
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
+    values = ["debian-10-amd64-*"]
   }
 
   filter {
@@ -33,7 +33,7 @@ data "aws_ami" "distro" {
     values = ["hvm"]
   }
 
-  owners = ["099720109477"] # Canonical
+  owners = ["136693071363"] # Debian-10
 }
 
 //AWS VPC Variables
@@ -63,10 +63,18 @@ variable "aws_bastion_size" {
 * The number should be divisable by the number of used
 * AWS Availability Zones without an remainder.
 */
+variable "aws_bastion_num" {
+  description = "Number of Bastion Nodes"
+}
+
 variable "aws_kube_master_num" {
   description = "Number of Kubernetes Master Nodes"
 }
 
+variable "aws_kube_master_disk_size" {
+  description = "Disk size for Kubernetes Master Nodes (in GiB)"
+}
+
 variable "aws_kube_master_size" {
   description = "Instance size of Kube Master Nodes"
 }
@@ -75,6 +83,10 @@ variable "aws_etcd_num" {
   description = "Number of etcd Nodes"
 }
 
+variable "aws_etcd_disk_size" {
+  description = "Disk size for etcd Nodes (in GiB)"
+}
+
 variable "aws_etcd_size" {
   description = "Instance size of etcd Nodes"
 }
@@ -83,6 +95,10 @@ variable "aws_kube_worker_num" {
   description = "Number of Kubernetes Worker Nodes"
 }
 
+variable "aws_kube_worker_disk_size" {
+  description = "Disk size for Kubernetes Worker Nodes (in GiB)"
+}
+
 variable "aws_kube_worker_size" {
   description = "Instance size of Kubernetes Worker Nodes"
 }

contrib/terraform/exoscale/README.md

@@ -0,0 +1,154 @@
+# Kubernetes on Exoscale with Terraform
+
+Provision a Kubernetes cluster on [Exoscale](https://www.exoscale.com/) using Terraform and Kubespray
+
+## Overview
+
+The setup looks like following
+
+```text
+                           Kubernetes cluster
+                        +-----------------------+
++---------------+       |   +--------------+    |
+|               |       |   | +--------------+  |
+| API server LB +---------> | |              |  |
+|               |       |   | | Master/etcd  |  |
++---------------+       |   | | node(s)      |  |
+                        |   +-+              |  |
+                        |     +--------------+  |
+                        |           ^           |
+                        |           |           |
+                        |           v           |
++---------------+       |   +--------------+    |
+|               |       |   | +--------------+  |
+|  Ingress LB   +---------> | |              |  |
+|               |       |   | |    Worker    |  |
++---------------+       |   | |    node(s)   |  |
+                        |   +-+              |  |
+                        |     +--------------+  |
+                        +-----------------------+
+```
+
+## Requirements
+
+* Terraform 0.13.0 or newer
+
+*0.12 also works if you modify the provider block to include version and remove all `versions.tf` files*
+
+## Quickstart
+
+NOTE: *Assumes you are at the root of the kubespray repo*
+
+Copy the sample inventory for your cluster and copy the default terraform variables.
+
+```bash
+CLUSTER=my-exoscale-cluster
+cp -r inventory/sample inventory/$CLUSTER
+cp contrib/terraform/exoscale/default.tfvars inventory/$CLUSTER/
+cd inventory/$CLUSTER
+```
+
+Edit `default.tfvars` to match your setup. You MUST, at the very least, change `ssh_public_keys`.
+
+```bash
+# Ensure $EDITOR points to your favorite editor, e.g., vim, emacs, VS Code, etc.
+$EDITOR default.tfvars
+```
+
+For authentication you can use the credentials file `~/.cloudstack.ini` or `./cloudstack.ini`.
+The file should look like something like this:
+
+```ini
+[cloudstack]
+key = <API key>
+secret = <API secret>
+```
+
+Follow the [Exoscale IAM Quick-start](https://community.exoscale.com/documentation/iam/quick-start/) to learn how to generate API keys.
+
+### Encrypted credentials
+
+To have the credentials encrypted at rest, you can use [sops](https://github.com/mozilla/sops) and only decrypt the credentials at runtime.
+
+```bash
+cat << EOF > cloudstack.ini
+[cloudstack]
+key =
+secret =
+EOF
+sops --encrypt --in-place --pgp <PGP key fingerprint> cloudstack.ini
+sops cloudstack.ini
+```
+
+Run terraform to create the infrastructure
+
+```bash
+terraform init ../../contrib/terraform/exoscale
+terraform apply -var-file default.tfvars ../../contrib/terraform/exoscale
+```
+
+If your cloudstack credentials file is encrypted using sops, run the following:
+
+```bash
+terraform init ../../contrib/terraform/exoscale
+sops exec-file -no-fifo cloudstack.ini 'CLOUDSTACK_CONFIG={} terraform apply -var-file default.tfvars ../../contrib/terraform/exoscale'
+```
+
+You should now have a inventory file named `inventory.ini` that you can use with kubespray.
+You can now copy your inventory file and use it with kubespray to set up a cluster.
+You can type `terraform output` to find out the IP addresses of the nodes, as well as control-plane and data-plane load-balancer.
+
+It is a good idea to check that you have basic SSH connectivity to the nodes. You can do that by:
+
+```bash
+ansible -i inventory.ini -m ping all
+```
+
+Example to use this with the default sample inventory:
+
+```bash
+ansible-playbook -i inventory.ini ../../cluster.yml -b -v
+```
+
+## Teardown
+
+The Kubernetes cluster cannot create any load-balancers or disks, hence, teardown is as simple as Terraform destroy:
+
+```bash
+terraform destroy -var-file default.tfvars ../../contrib/terraform/exoscale
+```
+
+## Variables
+
+### Required
+
+* `ssh_public_keys`: List of public SSH keys to install on all machines
+* `zone`: The zone where to run the cluster
+* `machines`: Machines to provision. Key of this object will be used as the name of the machine
+  * `node_type`: The role of this node *(master|worker)*
+  * `size`: The size to use
+  * `boot_disk`: The boot disk to use
+    * `image_name`: Name of the image
+    * `root_partition_size`: Size *(in GB)* for the root partition
+    * `ceph_partition_size`: Size *(in GB)* for the partition for rook to use as ceph storage. *(Set to 0 to disable)*
+    * `node_local_partition_size`: Size *(in GB)* for the partition for node-local-storage. *(Set to 0 to disable)*
+* `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
+* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
+* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
+
+### Optional
+
+* `prefix`: Prefix to use for all resources, required to be unique for all clusters in the same project *(Defaults to `default`)*
+
+An example variables file can be found `default.tfvars`
+
+## Known limitations
+
+### Only single disk
+
+Since Exoscale doesn't support additional disks to be mounted onto an instance, this script has the ability to create partitions for [Rook](https://rook.io/) and [node-local-storage](https://kubernetes.io/docs/concepts/storage/volumes/#local).
+
+### No Kubernetes API
+
+The current solution doesn't use the [Exoscale Kubernetes cloud controller](https://github.com/exoscale/exoscale-cloud-controller-manager).
+This means that we need to set up a HTTP(S) loadbalancer in front of all workers and set the Ingress controller to DaemonSet mode.

contrib/terraform/exoscale/default.tfvars

@@ -0,0 +1,65 @@
+prefix = "default"
+zone   = "ch-gva-2"
+
+inventory_file = "inventory.ini"
+
+ssh_public_keys = [
+  # Put your public SSH key here
+  "ssh-rsa I-did-not-read-the-docs",
+  "ssh-rsa I-did-not-read-the-docs 2",
+]
+
+machines = {
+  "master-0" : {
+    "node_type" : "master",
+    "size" : "Medium",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  },
+  "worker-0" : {
+    "node_type" : "worker",
+    "size" : "Large",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  },
+  "worker-1" : {
+    "node_type" : "worker",
+    "size" : "Large",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  },
+  "worker-2" : {
+    "node_type" : "worker",
+    "size" : "Large",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  }
+}
+
+nodeport_whitelist = [
+  "0.0.0.0/0"
+]
+
+ssh_whitelist = [
+  "0.0.0.0/0"
+]
+
+api_server_whitelist = [
+  "0.0.0.0/0"
+]

contrib/terraform/exoscale/main.tf

@@ -0,0 +1,49 @@
+provider "exoscale" {}
+
+module "kubernetes" {
+  source = "./modules/kubernetes-cluster"
+
+  prefix = var.prefix
+
+  machines = var.machines
+
+  ssh_public_keys = var.ssh_public_keys
+
+  ssh_whitelist        = var.ssh_whitelist
+  api_server_whitelist = var.api_server_whitelist
+  nodeport_whitelist   = var.nodeport_whitelist
+}
+
+#
+# Generate ansible inventory
+#
+
+data "template_file" "inventory" {
+  template = file("${path.module}/templates/inventory.tpl")
+
+  vars = {
+    connection_strings_master = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s etcd_member_name=etcd%d",
+      keys(module.kubernetes.master_ip_addresses),
+      values(module.kubernetes.master_ip_addresses).*.public_ip,
+      values(module.kubernetes.master_ip_addresses).*.private_ip,
+    range(1, length(module.kubernetes.master_ip_addresses) + 1)))
+    connection_strings_worker = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s",
+      keys(module.kubernetes.worker_ip_addresses),
+      values(module.kubernetes.worker_ip_addresses).*.public_ip,
+    values(module.kubernetes.worker_ip_addresses).*.private_ip))
+
+    list_master       = join("\n", keys(module.kubernetes.master_ip_addresses))
+    list_worker       = join("\n", keys(module.kubernetes.worker_ip_addresses))
+    api_lb_ip_address = module.kubernetes.control_plane_lb_ip_address
+  }
+}
+
+resource "null_resource" "inventories" {
+  provisioner "local-exec" {
+    command = "echo '${data.template_file.inventory.rendered}' > ${var.inventory_file}"
+  }
+
+  triggers = {
+    template = data.template_file.inventory.rendered
+  }
+}

contrib/terraform/exoscale/modules/kubernetes-cluster/main.tf

@@ -0,0 +1,193 @@
+data "exoscale_compute_template" "os_image" {
+  for_each = var.machines
+
+  zone = var.zone
+  name = each.value.boot_disk.image_name
+}
+
+data "exoscale_compute" "master_nodes" {
+  for_each = exoscale_compute.master
+
+  id = each.value.id
+
+  # Since private IP address is not assigned until the nics are created we need this
+  depends_on = [exoscale_nic.master_private_network_nic]
+}
+
+data "exoscale_compute" "worker_nodes" {
+  for_each = exoscale_compute.worker
+
+  id = each.value.id
+
+  # Since private IP address is not assigned until the nics are created we need this
+  depends_on = [exoscale_nic.worker_private_network_nic]
+}
+
+resource "exoscale_network" "private_network" {
+  zone = var.zone
+  name = "${var.prefix}-network"
+
+  start_ip = cidrhost(var.private_network_cidr, 1)
+  # cidr -1 = Broadcast address
+  # cidr -2 = DHCP server address (exoscale specific)
+  end_ip  = cidrhost(var.private_network_cidr, -3)
+  netmask = cidrnetmask(var.private_network_cidr)
+}
+
+resource "exoscale_compute" "master" {
+  for_each = {
+    for name, machine in var.machines :
+    name => machine
+    if machine.node_type == "master"
+  }
+
+  display_name    = "${var.prefix}-${each.key}"
+  template_id     = data.exoscale_compute_template.os_image[each.key].id
+  size            = each.value.size
+  disk_size       = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size
+  state           = "Running"
+  zone            = var.zone
+  security_groups = [exoscale_security_group.master_sg.name]
+
+  user_data = templatefile(
+    "${path.module}/templates/cloud-init.tmpl",
+    {
+      eip_ip_address            = exoscale_ipaddress.ingress_controller_lb.ip_address
+      node_local_partition_size = each.value.boot_disk.node_local_partition_size
+      ceph_partition_size       = each.value.boot_disk.ceph_partition_size
+      root_partition_size       = each.value.boot_disk.root_partition_size
+      node_type                 = "master"
+      ssh_public_keys           = var.ssh_public_keys
+    }
+  )
+}
+
+resource "exoscale_compute" "worker" {
+  for_each = {
+    for name, machine in var.machines :
+    name => machine
+    if machine.node_type == "worker"
+  }
+
+  display_name    = "${var.prefix}-${each.key}"
+  template_id     = data.exoscale_compute_template.os_image[each.key].id
+  size            = each.value.size
+  disk_size       = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size
+  state           = "Running"
+  zone            = var.zone
+  security_groups = [exoscale_security_group.worker_sg.name]
+
+  user_data = templatefile(
+    "${path.module}/templates/cloud-init.tmpl",
+    {
+      eip_ip_address            = exoscale_ipaddress.ingress_controller_lb.ip_address
+      node_local_partition_size = each.value.boot_disk.node_local_partition_size
+      ceph_partition_size       = each.value.boot_disk.ceph_partition_size
+      root_partition_size       = each.value.boot_disk.root_partition_size
+      node_type                 = "worker"
+      ssh_public_keys           = var.ssh_public_keys
+    }
+  )
+}
+
+resource "exoscale_nic" "master_private_network_nic" {
+  for_each = exoscale_compute.master
+
+  compute_id = each.value.id
+  network_id = exoscale_network.private_network.id
+}
+
+resource "exoscale_nic" "worker_private_network_nic" {
+  for_each = exoscale_compute.worker
+
+  compute_id = each.value.id
+  network_id = exoscale_network.private_network.id
+}
+
+resource "exoscale_security_group" "master_sg" {
+  name        = "${var.prefix}-master-sg"
+  description = "Security group for Kubernetes masters"
+}
+
+resource "exoscale_security_group_rules" "master_sg_rules" {
+  security_group_id = exoscale_security_group.master_sg.id
+
+  # SSH
+  ingress {
+    protocol  = "TCP"
+    cidr_list = var.ssh_whitelist
+    ports     = ["22"]
+  }
+
+  # Kubernetes API
+  ingress {
+    protocol  = "TCP"
+    cidr_list = var.api_server_whitelist
+    ports     = ["6443"]
+  }
+}
+
+resource "exoscale_security_group" "worker_sg" {
+  name        = "${var.prefix}-worker-sg"
+  description = "security group for kubernetes worker nodes"
+}
+
+resource "exoscale_security_group_rules" "worker_sg_rules" {
+  security_group_id = exoscale_security_group.worker_sg.id
+
+  # SSH
+  ingress {
+    protocol  = "TCP"
+    cidr_list = var.ssh_whitelist
+    ports     = ["22"]
+  }
+
+  # HTTP(S)
+  ingress {
+    protocol  = "TCP"
+    cidr_list = ["0.0.0.0/0"]
+    ports     = ["80", "443"]
+  }
+
+  # Kubernetes Nodeport
+  ingress {
+    protocol  = "TCP"
+    cidr_list = var.nodeport_whitelist
+    ports     = ["30000-32767"]
+  }
+}
+
+resource "exoscale_ipaddress" "ingress_controller_lb" {
+  zone                     = var.zone
+  healthcheck_mode         = "http"
+  healthcheck_port         = 80
+  healthcheck_path         = "/healthz"
+  healthcheck_interval     = 10
+  healthcheck_timeout      = 2
+  healthcheck_strikes_ok   = 2
+  healthcheck_strikes_fail = 3
+}
+
+resource "exoscale_secondary_ipaddress" "ingress_controller_lb" {
+  for_each = exoscale_compute.worker
+
+  compute_id = each.value.id
+  ip_address = exoscale_ipaddress.ingress_controller_lb.ip_address
+}
+
+resource "exoscale_ipaddress" "control_plane_lb" {
+  zone                     = var.zone
+  healthcheck_mode         = "tcp"
+  healthcheck_port         = 6443
+  healthcheck_interval     = 10
+  healthcheck_timeout      = 2
+  healthcheck_strikes_ok   = 2
+  healthcheck_strikes_fail = 3
+}
+
+resource "exoscale_secondary_ipaddress" "control_plane_lb" {
+  for_each = exoscale_compute.master
+
+  compute_id = each.value.id
+  ip_address = exoscale_ipaddress.control_plane_lb.ip_address
+}

contrib/terraform/exoscale/modules/kubernetes-cluster/output.tf

@@ -0,0 +1,31 @@
+output "master_ip_addresses" {
+  value = {
+    for key, instance in exoscale_compute.master :
+    instance.name => {
+      "private_ip" = contains(keys(data.exoscale_compute.master_nodes), key) ? data.exoscale_compute.master_nodes[key].private_network_ip_addresses[0] : ""
+      "public_ip"  = exoscale_compute.master[key].ip_address
+    }
+  }
+}
+
+output "worker_ip_addresses" {
+  value = {
+    for key, instance in exoscale_compute.worker :
+    instance.name => {
+      "private_ip" = contains(keys(data.exoscale_compute.worker_nodes), key) ? data.exoscale_compute.worker_nodes[key].private_network_ip_addresses[0] : ""
+      "public_ip"  = exoscale_compute.worker[key].ip_address
+    }
+  }
+}
+
+output "cluster_private_network_cidr" {
+  value = var.private_network_cidr
+}
+
+output "ingress_controller_lb_ip_address" {
+  value = exoscale_ipaddress.ingress_controller_lb.ip_address
+}
+
+output "control_plane_lb_ip_address" {
+  value = exoscale_ipaddress.control_plane_lb.ip_address
+}

contrib/terraform/exoscale/modules/kubernetes-cluster/templates/cloud-init.tmpl

@@ -0,0 +1,52 @@
+#cloud-config
+%{ if ceph_partition_size > 0 || node_local_partition_size > 0}
+bootcmd:
+- [ cloud-init-per, once, move-second-header, sgdisk, --move-second-header, /dev/vda ]
+%{ if node_local_partition_size > 0 }
+  # Create partition for node local storage
+- [ cloud-init-per, once, create-node-local-part, parted, --script, /dev/vda, 'mkpart extended ext4 ${root_partition_size}GB %{ if ceph_partition_size == 0 }-1%{ else }${root_partition_size + node_local_partition_size}GB%{ endif }' ]
+- [ cloud-init-per, once, create-fs-node-local-part, mkfs.ext4, /dev/vda2 ]
+%{ endif }
+%{ if ceph_partition_size > 0 }
+  # Create partition for rook to use for ceph
+- [ cloud-init-per, once, create-ceph-part, parted, --script, /dev/vda, 'mkpart extended ${root_partition_size + node_local_partition_size}GB -1' ]
+%{ endif }
+%{ endif }
+
+ssh_authorized_keys:
+%{ for ssh_public_key in ssh_public_keys ~}
+  - ${ssh_public_key}
+%{ endfor ~}
+
+write_files:
+  - path: /etc/netplan/eth1.yaml
+    content: |
+      network:
+        version: 2
+        ethernets:
+          eth1:
+            dhcp4: true
+%{ if node_type == "worker" }
+  # TODO: When a VM is seen as healthy and is added to the EIP loadbalancer
+  #       pool it no longer can send traffic back to itself via the EIP IP
+  #       address.
+  #       Remove this if it ever gets solved.
+  - path: /etc/netplan/20-eip-fix.yaml
+    content: |
+      network:
+        version: 2
+        ethernets:
+          "lo:0":
+            match:
+              name: lo
+            dhcp4: false
+            addresses:
+            - ${eip_ip_address}/32
+%{ endif }
+runcmd:
+  - netplan apply
+%{ if node_local_partition_size > 0 }
+  - mkdir -p /mnt/disks/node-local-storage
+  - chown nobody:nogroup /mnt/disks/node-local-storage
+  - mount /dev/vda2 /mnt/disks/node-local-storage
+%{ endif }

contrib/terraform/exoscale/modules/kubernetes-cluster/variables.tf

@@ -0,0 +1,42 @@
+variable "zone" {
+  type = string
+  # This is currently the only zone that is supposed to be supporting
+  # so called "managed private networks".
+  # See: https://www.exoscale.com/syslog/introducing-managed-private-networks
+  default = "ch-gva-2"
+}
+
+variable "prefix" {}
+
+variable "machines" {
+  type = map(object({
+    node_type = string
+    size      = string
+    boot_disk = object({
+      image_name                = string
+      root_partition_size       = number
+      ceph_partition_size       = number
+      node_local_partition_size = number
+    })
+  }))
+}
+
+variable "ssh_public_keys" {
+  type = list(string)
+}
+
+variable "ssh_whitelist" {
+  type = list(string)
+}
+
+variable "api_server_whitelist" {
+  type = list(string)
+}
+
+variable "nodeport_whitelist" {
+  type = list(string)
+}
+
+variable "private_network_cidr" {
+  default = "172.0.10.0/24"
+}

contrib/terraform/exoscale/modules/kubernetes-cluster/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    exoscale = {
+      source = "exoscale/exoscale"
+      version = ">= 0.21"
+    }
+  }
+  required_version = ">= 0.13"
+}

contrib/terraform/exoscale/output.tf

@@ -0,0 +1,15 @@
+output "master_ips" {
+  value = module.kubernetes.master_ip_addresses
+}
+
+output "worker_ips" {
+  value = module.kubernetes.worker_ip_addresses
+}
+
+output "ingress_controller_lb_ip_address" {
+  value = module.kubernetes.ingress_controller_lb_ip_address
+}
+
+output "control_plane_lb_ip_address" {
+  value = module.kubernetes.control_plane_lb_ip_address
+}

contrib/terraform/exoscale/sample-inventory/cluster.tfvars

@@ -0,0 +1,65 @@
+prefix = "default"
+zone   = "ch-gva-2"
+
+inventory_file = "inventory.ini"
+
+ssh_public_keys = [
+  # Put your public SSH key here
+  "ssh-rsa I-did-not-read-the-docs",
+  "ssh-rsa I-did-not-read-the-docs 2",
+]
+
+machines = {
+  "master-0" : {
+    "node_type" : "master",
+    "size" : "Small",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  },
+  "worker-0" : {
+    "node_type" : "worker",
+    "size" : "Large",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  },
+  "worker-1" : {
+    "node_type" : "worker",
+    "size" : "Large",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  },
+  "worker-2" : {
+    "node_type" : "worker",
+    "size" : "Large",
+    "boot_disk" : {
+      "image_name" : "Linux Ubuntu 20.04 LTS 64-bit",
+      "root_partition_size" : 50,
+      "node_local_partition_size" : 0,
+      "ceph_partition_size" : 0
+    }
+  }
+}
+
+nodeport_whitelist = [
+  "0.0.0.0/0"
+]
+
+ssh_whitelist = [
+  "0.0.0.0/0"
+]
+
+api_server_whitelist = [
+  "0.0.0.0/0"
+]

contrib/terraform/exoscale/sample-inventory/group_vars

@@ -0,0 +1 @@
+../../../../inventory/sample/group_vars

contrib/terraform/exoscale/templates/inventory.tpl

@@ -0,0 +1,19 @@
+[all]
+${connection_strings_master}
+${connection_strings_worker}
+
+[kube_control_plane]
+${list_master}
+
+[kube_control_plane:vars]
+supplementary_addresses_in_ssl_keys = [ "${api_lb_ip_address}" ]
+
+[etcd]
+${list_master}
+
+[kube_node]
+${list_worker}
+
+[k8s_cluster:children]
+kube_control_plane
+kube_node

contrib/terraform/exoscale/variables.tf

@@ -0,0 +1,46 @@
+variable "zone" {
+  description = "The zone where to run the cluster"
+}
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  default     = "default"
+}
+
+variable "machines" {
+  description = "Cluster machines"
+  type = map(object({
+    node_type = string
+    size      = string
+    boot_disk = object({
+      image_name                = string
+      root_partition_size       = number
+      ceph_partition_size       = number
+      node_local_partition_size = number
+    })
+  }))
+}
+
+variable "ssh_public_keys" {
+  description = "List of public SSH keys which are injected into the VMs."
+  type        = list(string)
+}
+
+variable "ssh_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for ssh"
+  type        = list(string)
+}
+
+variable "api_server_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for kubernetes api server"
+  type        = list(string)
+}
+
+variable "nodeport_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for kubernetes nodeports"
+  type        = list(string)
+}
+
+variable "inventory_file" {
+  description = "Where to store the generated inventory file"
+}

contrib/terraform/exoscale/versions.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    exoscale = {
+      source  = "exoscale/exoscale"
+      version = ">= 0.21"
+    }
+    null = {
+      source = "hashicorp/null"
+    }
+    template = {
+      source = "hashicorp/template"
+    }
+  }
+  required_version = ">= 0.13"
+}

contrib/terraform/gcp/generate-inventory.sh

@@ -50,13 +50,13 @@ for name in "${WORKER_NAMES[@]}"; do
 done
 
 echo ""
-echo "[kube-master]"
+echo "[kube_control_plane]"
 for name in "${MASTER_NAMES[@]}"; do
   echo "${name}"
 done
 
 echo ""
-echo "[kube-master:vars]"
+echo "[kube_control_plane:vars]"
 echo "supplementary_addresses_in_ssl_keys = [ '${API_LB}' ]" # Add LB address to API server certificate
 echo ""
 echo "[etcd]"
@@ -65,12 +65,12 @@ for name in "${MASTER_NAMES[@]}"; do
 done
 
 echo ""
-echo "[kube-node]"
+echo "[kube_node]"
 for name in "${WORKER_NAMES[@]}"; do
   echo "${name}"
 done
 
 echo ""
-echo "[k8s-cluster:children]"
+echo "[k8s_cluster:children]"
-echo "kube-master"
+echo "kube_control_plane"
-echo "kube-node"
+echo "kube_node"

contrib/terraform/hetzner/README.md

@@ -0,0 +1,107 @@
+# Kubernetes on Hetzner with Terraform
+
+Provision a Kubernetes cluster on [Hetzner](https://www.hetzner.com/cloud) using Terraform and Kubespray
+
+## Overview
+
+The setup looks like following
+
+```text
+   Kubernetes cluster
++--------------------------+
+|      +--------------+    |
+|      | +--------------+  |
+| -->  | |              |  |
+|      | | Master/etcd  |  |
+|      | | node(s)      |  |
+|      +-+              |  |
+|        +--------------+  |
+|              ^           |
+|              |           |
+|              v           |
+|      +--------------+    |
+|      | +--------------+  |
+| -->  | |              |  |
+|      | |    Worker    |  |
+|      | |    node(s)   |  |
+|      +-+              |  |
+|        +--------------+  |
++--------------------------+
+```
+
+The nodes uses a private network for node to node communication and a public interface for all external communication.
+
+## Requirements
+
+* Terraform 0.14.0 or newer
+
+## Quickstart
+
+NOTE: Assumes you are at the root of the kubespray repo.
+
+For authentication in your cluster you can use the environment variables.
+
+```bash
+export HCLOUD_TOKEN=api-token
+```
+
+Copy the cluster configuration file.
+
+```bash
+CLUSTER=my-hetzner-cluster
+cp -r inventory/sample inventory/$CLUSTER
+cp contrib/terraform/hetzner/default.tfvars inventory/$CLUSTER/
+cd inventory/$CLUSTER
+```
+
+Edit `default.tfvars` to match your requirement.
+
+Run Terraform to create the infrastructure.
+
+```bash
+terraform init ../../contrib/terraform/hetzner
+terraform apply --var-file default.tfvars ../../contrib/terraform/hetzner/
+```
+
+You should now have a inventory file named `inventory.ini` that you can use with kubespray.
+You can use the inventory file with kubespray to set up a cluster.
+
+It is a good idea to check that you have basic SSH connectivity to the nodes. You can do that by:
+
+```bash
+ansible -i inventory.ini -m ping all
+```
+
+You can setup Kubernetes with kubespray using the generated inventory:
+
+```bash
+ansible-playbook -i inventory.ini ../../cluster.yml -b -v
+```
+
+## Cloud controller
+
+For better support with the cloud you can install the [hcloud cloud controller](https://github.com/hetznercloud/hcloud-cloud-controller-manager) and [CSI driver](https://github.com/hetznercloud/csi-driver).
+
+Please read the instructions in both repos on how to install it.
+
+## Teardown
+
+You can teardown your infrastructure using the following Terraform command:
+
+```bash
+terraform destroy --var-file default.tfvars ../../contrib/terraform/hetzner
+```
+
+## Variables
+
+* `prefix`: Prefix to add to all resources, if set to "" don't set any prefix
+* `ssh_public_keys`: List of public SSH keys to install on all machines
+* `zone`: The zone where to run the cluster
+* `machines`: Machines to provision. Key of this object will be used as the name of the machine
+  * `node_type`: The role of this node *(master|worker)*
+  * `size`: Size of the VM
+  * `image`: The image to use for the VM
+* `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
+* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
+* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
+* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to kubernetes workers on port 80 and 443

contrib/terraform/hetzner/default.tfvars

@@ -0,0 +1,44 @@
+prefix = "default"
+zone   = "hel1"
+
+inventory_file = "inventory.ini"
+
+ssh_public_keys = [
+  # Put your public SSH key here
+  "ssh-rsa I-did-not-read-the-docs",
+  "ssh-rsa I-did-not-read-the-docs 2",
+]
+
+machines = {
+  "master-0" : {
+    "node_type" : "master",
+    "size" : "cx21",
+    "image" : "ubuntu-20.04",
+  },
+  "worker-0" : {
+    "node_type" : "worker",
+    "size" : "cx21",
+    "image" : "ubuntu-20.04",
+  },
+  "worker-1" : {
+    "node_type" : "worker",
+    "size" : "cx21",
+    "image" : "ubuntu-20.04",
+  }
+}
+
+nodeport_whitelist = [
+  "0.0.0.0/0"
+]
+
+ingress_whitelist = [
+  "0.0.0.0/0"
+]
+
+ssh_whitelist = [
+  "0.0.0.0/0"
+]
+
+api_server_whitelist = [
+  "0.0.0.0/0"
+]

contrib/terraform/hetzner/main.tf

@@ -0,0 +1,51 @@
+provider "hcloud" {}
+
+module "kubernetes" {
+  source = "./modules/kubernetes-cluster"
+
+  prefix = var.prefix
+
+  zone = var.zone
+
+  machines = var.machines
+
+  ssh_public_keys = var.ssh_public_keys
+
+  ssh_whitelist        = var.ssh_whitelist
+  api_server_whitelist = var.api_server_whitelist
+  nodeport_whitelist   = var.nodeport_whitelist
+  ingress_whitelist    = var.ingress_whitelist
+}
+
+#
+# Generate ansible inventory
+#
+
+data "template_file" "inventory" {
+  template = file("${path.module}/templates/inventory.tpl")
+
+  vars = {
+    connection_strings_master = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s etcd_member_name=etcd%d",
+      keys(module.kubernetes.master_ip_addresses),
+      values(module.kubernetes.master_ip_addresses).*.public_ip,
+      values(module.kubernetes.master_ip_addresses).*.private_ip,
+    range(1, length(module.kubernetes.master_ip_addresses) + 1)))
+    connection_strings_worker = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s",
+      keys(module.kubernetes.worker_ip_addresses),
+      values(module.kubernetes.worker_ip_addresses).*.public_ip,
+    values(module.kubernetes.worker_ip_addresses).*.private_ip))
+
+    list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
+    list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
+  }
+}
+
+resource "null_resource" "inventories" {
+  provisioner "local-exec" {
+    command = "echo '${data.template_file.inventory.rendered}' > ${var.inventory_file}"
+  }
+
+  triggers = {
+    template = data.template_file.inventory.rendered
+  }
+}

contrib/terraform/hetzner/modules/kubernetes-cluster/main.tf

@@ -0,0 +1,122 @@
+resource "hcloud_network" "kubernetes" {
+  name     = "${var.prefix}-network"
+  ip_range = var.private_network_cidr
+}
+
+resource "hcloud_network_subnet" "kubernetes" {
+  type         = "cloud"
+  network_id   = hcloud_network.kubernetes.id
+  network_zone = "eu-central"
+  ip_range     = var.private_subnet_cidr
+}
+
+resource "hcloud_server" "master" {
+  for_each = {
+    for name, machine in var.machines :
+    name => machine
+    if machine.node_type == "master"
+  }
+
+  name        = "${var.prefix}-${each.key}"
+  image       = each.value.image
+  server_type = each.value.size
+  location    = var.zone
+
+  user_data = templatefile(
+    "${path.module}/templates/cloud-init.tmpl",
+    {
+      ssh_public_keys = var.ssh_public_keys
+    }
+  )
+
+  firewall_ids = [hcloud_firewall.master.id]
+}
+
+resource "hcloud_server_network" "master" {
+  for_each = hcloud_server.master
+
+  server_id = each.value.id
+
+  subnet_id = hcloud_network_subnet.kubernetes.id
+}
+
+resource "hcloud_server" "worker" {
+  for_each = {
+    for name, machine in var.machines :
+    name => machine
+    if machine.node_type == "worker"
+  }
+
+  name        = "${var.prefix}-${each.key}"
+  image       = each.value.image
+  server_type = each.value.size
+  location    = var.zone
+
+  user_data = templatefile(
+    "${path.module}/templates/cloud-init.tmpl",
+    {
+      ssh_public_keys = var.ssh_public_keys
+    }
+  )
+
+  firewall_ids = [hcloud_firewall.worker.id]
+
+}
+
+resource "hcloud_server_network" "worker" {
+  for_each = hcloud_server.worker
+
+  server_id = each.value.id
+
+  subnet_id = hcloud_network_subnet.kubernetes.id
+}
+
+resource "hcloud_firewall" "master" {
+  name = "${var.prefix}-master-firewall"
+
+  rule {
+   direction = "in"
+   protocol = "tcp"
+   port = "22"
+   source_ips = var.ssh_whitelist
+  }
+
+  rule {
+   direction = "in"
+   protocol = "tcp"
+   port = "6443"
+   source_ips = var.api_server_whitelist
+  }
+}
+
+resource "hcloud_firewall" "worker" {
+  name = "${var.prefix}-worker-firewall"
+
+  rule {
+   direction = "in"
+   protocol = "tcp"
+   port = "22"
+   source_ips = var.ssh_whitelist
+  }
+
+  rule {
+   direction = "in"
+   protocol = "tcp"
+   port = "80"
+   source_ips = var.ingress_whitelist
+  }
+
+  rule {
+   direction = "in"
+   protocol = "tcp"
+   port = "443"
+   source_ips = var.ingress_whitelist
+  }
+
+  rule {
+   direction = "in"
+   protocol = "tcp"
+   port = "30000-32767"
+   source_ips = var.nodeport_whitelist
+  }
+}

contrib/terraform/hetzner/modules/kubernetes-cluster/output.tf

@@ -0,0 +1,23 @@
+output "master_ip_addresses" {
+  value = {
+    for key, instance in hcloud_server.master :
+    instance.name => {
+      "private_ip" = hcloud_server_network.master[key].ip
+      "public_ip"  = hcloud_server.master[key].ipv4_address
+    }
+  }
+}
+
+output "worker_ip_addresses" {
+  value = {
+    for key, instance in hcloud_server.worker :
+    instance.name => {
+      "private_ip" = hcloud_server_network.worker[key].ip
+      "public_ip"  = hcloud_server.worker[key].ipv4_address
+    }
+  }
+}
+
+output "cluster_private_network_cidr" {
+  value = var.private_subnet_cidr
+}

contrib/terraform/hetzner/modules/kubernetes-cluster/templates/cloud-init.tmpl

@@ -0,0 +1,17 @@
+#cloud-config
+
+users:
+  - default
+  - name: ubuntu
+    shell: /bin/bash
+    sudo: "ALL=(ALL) NOPASSWD:ALL"
+    ssh_authorized_keys:
+    %{ for ssh_public_key in ssh_public_keys ~}
+      - ${ssh_public_key}
+    %{ endfor ~}
+
+ssh_authorized_keys:
+%{ for ssh_public_key in ssh_public_keys ~}
+  - ${ssh_public_key}
+%{ endfor ~}
+

contrib/terraform/hetzner/modules/kubernetes-cluster/variables.tf

@@ -0,0 +1,41 @@
+variable "zone" {
+  type = string
+}
+
+variable "prefix" {}
+
+variable "machines" {
+  type = map(object({
+    node_type = string
+    size      = string
+    image     = string
+  }))
+}
+
+variable "ssh_public_keys" {
+  type = list(string)
+}
+
+variable "ssh_whitelist" {
+  type = list(string)
+}
+
+variable "api_server_whitelist" {
+  type = list(string)
+}
+
+variable "nodeport_whitelist" {
+  type = list(string)
+}
+
+variable "ingress_whitelist" {
+  type = list(string)
+}
+
+variable "private_network_cidr" {
+  default = "10.0.0.0/16"
+}
+
+variable "private_subnet_cidr" {
+  default = "10.0.10.0/24"
+}

contrib/terraform/hetzner/modules/kubernetes-cluster/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+      version = "1.31.1"
+    }
+  }
+  required_version = ">= 0.14"
+}

contrib/terraform/hetzner/output.tf

@@ -0,0 +1,7 @@
+output "master_ips" {
+  value = module.kubernetes.master_ip_addresses
+}
+
+output "worker_ips" {
+  value = module.kubernetes.worker_ip_addresses
+}

contrib/terraform/hetzner/templates/inventory.tpl

@@ -0,0 +1,16 @@
+[all]
+${connection_strings_master}
+${connection_strings_worker}
+
+[kube-master]
+${list_master}
+
+[etcd]
+${list_master}
+
+[kube-node]
+${list_worker}
+
+[k8s-cluster:children]
+kube-master
+kube-node

contrib/terraform/hetzner/variables.tf

@@ -0,0 +1,46 @@
+variable "zone" {
+  description = "The zone where to run the cluster"
+}
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  default     = "default"
+}
+
+variable "machines" {
+  description = "Cluster machines"
+  type = map(object({
+    node_type = string
+    size      = string
+    image     = string
+  }))
+}
+
+variable "ssh_public_keys" {
+  description = "Public SSH key which are injected into the VMs."
+  type        = list(string)
+}
+
+variable "ssh_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for ssh"
+  type        = list(string)
+}
+
+variable "api_server_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for kubernetes api server"
+  type        = list(string)
+}
+
+variable "nodeport_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for kubernetes nodeports"
+  type        = list(string)
+}
+
+variable "ingress_whitelist" {
+  description = "List of IP ranges (CIDR) to whitelist for HTTP"
+  type        = list(string)
+}
+
+variable "inventory_file" {
+  description = "Where to store the generated inventory file"
+}

contrib/terraform/hetzner/versions.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "1.31.1"
+    }
+    null = {
+      source = "hashicorp/null"
+    }
+    template = {
+      source = "hashicorp/template"
+    }
+  }
+  required_version = ">= 0.14"
+}

contrib/terraform/openstack/README.md

@@ -251,6 +251,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. |
 |`floatingip_pool` | Name of the pool from which floating IPs will be allocated |
 |`k8s_master_fips` | A list of floating IPs that you have already pre-allocated; they will be attached to master nodes instead of creating new random floating IPs. |
+|`bastion_fips` | A list of floating IPs that you have already pre-allocated; they will be attached to bastion node instead of creating new random floating IPs. |
 |`external_net` | UUID of the external network that will be routed to |
 |`flavor_k8s_master`,`flavor_k8s_node`,`flavor_etcd`, `flavor_bastion`,`flavor_gfs_node` | Flavor depends on your openstack installation, you can get available flavor IDs through `openstack flavor list` |
 |`image`,`image_gfs` | Name of the image to use in provisioning the compute resources. Should already be loaded into glance. |
@@ -263,25 +264,30 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`number_of_bastions` | Number of bastion hosts to create. Scripts assume this is really just zero or one |
 |`number_of_gfs_nodes_no_floating_ip` | Number of gluster servers to provision. |
 | `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks |
-|`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
+|`supplementary_master_groups` | To add ansible groups to the masters, such as `kube_node` for tainting them as nodes, empty by default. |
-|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
+|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube_ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
 |`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
 |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
+|`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
 |`wait_for_floatingip` | Let Terraform poll the instance until the floating IP has been associated, `false` by default. |
 |`node_root_volume_size_in_gb` | Size of the root volume for nodes, 0 to use ephemeral storage |
 |`master_root_volume_size_in_gb` | Size of the root volume for masters, 0 to use ephemeral storage |
+|`master_volume_type` | Volume type of the root volume for control_plane, 'Default' by default |
+|`node_volume_type` | Volume type of the root volume for nodes, 'Default' by default |
 |`gfs_root_volume_size_in_gb` | Size of the root volume for gluster, 0 to use ephemeral storage |
 |`etcd_root_volume_size_in_gb` | Size of the root volume for etcd nodes, 0 to use ephemeral storage |
 |`bastion_root_volume_size_in_gb` | Size of the root volume for bastions, 0 to use ephemeral storage |
-|`use_server_group` | Create and use openstack nova servergroups, default: false |
+|`master_server_group_policy` | Enable and use openstack nova servergroups for masters with set policy, default: "" (disabled) |
+|`node_server_group_policy` | Enable and use openstack nova servergroups for nodes with set policy, default: "" (disabled) |
+|`etcd_server_group_policy` | Enable and use openstack nova servergroups for etcd with set policy, default: "" (disabled) |
 |`use_access_ip` | If 1, nodes with floating IPs will transmit internal cluster traffic via floating IPs; if 0 private IPs will be used instead. Default value is 1. |
 |`k8s_nodes` | Map containing worker node definition, see explanation below |
 
 ##### k8s_nodes
 
-Allows a custom defintion of worker nodes giving the operator full control over individual node flavor and
+Allows a custom definition of worker nodes giving the operator full control over individual node flavor and
 availability zone placement. To enable the use of this mode set the `number_of_k8s_nodes` and
 `number_of_k8s_nodes_no_floating_ip` variables to 0. Then define your desired worker node configuration
 using the `k8s_nodes` variable.
@@ -420,7 +426,7 @@ terraform apply -var-file=cluster.tfvars ../../contrib/terraform/openstack
 ```
 
 if you chose to create a bastion host, this script will create
-`contrib/terraform/openstack/k8s-cluster.yml` with an ssh command for Ansible to
+`contrib/terraform/openstack/k8s_cluster.yml` with an ssh command for Ansible to
 be able to access your machines tunneling through the bastion's IP address. If
 you want to manually handle the ssh tunneling to these machines, please delete
 or move that file. If you want to use this, just leave it there, as ansible will
@@ -545,7 +551,7 @@ bin_dir: /opt/bin
 cloud_provider: openstack
 ```
 
-Edit `inventory/$CLUSTER/group_vars/k8s-cluster/k8s-cluster.yml`:
+Edit `inventory/$CLUSTER/group_vars/k8s_cluster/k8s_cluster.yml`:
 
 - Set variable **kube_network_plugin** to your desired networking plugin.
   - **flannel** works out-of-the-box