Merge pull request #2084 from riverzhang/devicemapper

Fix can not use devicemapper driver
Merge pull request #2229 from whereismyjetpack/etcd-quorum-read
2025-12-14 22:04:43 +03:00 · 2018-01-31 20:52:22 -06:00 · 2018-01-31 17:10:10 -05:00 · 2018-01-31 16:08:22 -05:00 · 2018-01-31 16:07:53 -05:00 · 2018-01-31 16:06:07 -05:00
310 changed files with 6502 additions and 2222 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ temp
 *.bak
 *.tfstate
 *.tfstate.backup
 contrib/terraform/aws/credentials.tfvars
 **/*.sw[pon]
 /ssh-bastion.conf
 **/*.sw[pon]
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -20,7 +20,6 @@ variables:
 before_script:
    - pip install -r tests/requirements.txt
    - mkdir -p /.ssh
    - cp tests/ansible.cfg .
 .job: &job
  tags:
@@ -40,27 +39,20 @@ before_script:
  GCE_USER: travis
  SSH_USER: $GCE_USER
  TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
  CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
  CONTAINER_ENGINE: docker
  PRIVATE_KEY: $GCE_PRIVATE_KEY
  GS_ACCESS_KEY_ID: $GS_KEY
  GS_SECRET_ACCESS_KEY: $GS_SECRET
  CLOUD_MACHINE_TYPE: "g1-small"
  GCE_PREEMPTIBLE: "false"
  ANSIBLE_KEEP_REMOTE_FILES: "1"
  ANSIBLE_CONFIG: ./tests/ansible.cfg
  BOOTSTRAP_OS: none
  DOWNLOAD_LOCALHOST: "false"
  DOWNLOAD_RUN_ONCE: "false"
  IDEMPOT_CHECK: "false"
  RESET_CHECK: "false"
  UPGRADE_TEST: "false"
  KUBEADM_ENABLED: "false"
  RESOLVCONF_MODE: docker_dns
  LOG_LEVEL: "-vv"
  ETCD_DEPLOYMENT: "docker"
  KUBELET_DEPLOYMENT: "host"
  VAULT_DEPLOYMENT: "docker"
  WEAVE_CPU_LIMIT: "100m"
  AUTHORIZATION_MODES: "{ 'authorization_modes': [] }"
  MAGIC: "ci check this"
 .gce: &gce
@@ -81,7 +73,9 @@ before_script:
    - echo $GCE_CREDENTIALS > $HOME/.ssh/gce.json
    - chmod 400 $HOME/.ssh/id_rsa
    - ansible-playbook --version
-    - export PYPATH=$([ $BOOTSTRAP_OS = none ] && echo /usr/bin/python || echo /opt/bin/python)
+    - export PYPATH=$([[ ! "$CI_JOB_NAME" =~ "coreos" ]] && echo /usr/bin/python || echo /opt/bin/python)
    - echo "CI_JOB_NAME is $CI_JOB_NAME"
    - echo "PYPATH is $PYPATH"
  script:
    - pwd
    - ls
@@ -90,48 +84,36 @@ before_script:
    - >
      ansible-playbook tests/cloud_playbooks/create-gce.yml -i tests/local_inventory/hosts.cfg -c local
      ${LOG_LEVEL}
      -e cloud_image=${CLOUD_IMAGE}
      -e cloud_region=${CLOUD_REGION}
      -e gce_credentials_file=${HOME}/.ssh/gce.json
      -e gce_project_id=${GCE_PROJECT_ID}
      -e gce_service_account_email=${GCE_ACCOUNT}
      -e cloud_machine_type=${CLOUD_MACHINE_TYPE}
      -e inventory_path=${PWD}/inventory/inventory.ini
      -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
      -e mode=${CLUSTER_MODE}
      -e test_id=${TEST_ID}
-      -e startup_script="'${STARTUP_SCRIPT}'"
+      -e preemptible=$GCE_PREEMPTIBLE
    # Check out latest tag if testing upgrade
    # Uncomment when gitlab kargo repo has tags
    #- test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
-    - test "${UPGRADE_TEST}" != "false" && git checkout 72ae7638bcc94c66afa8620dfa4ad9a9249327ea
+    - test "${UPGRADE_TEST}" != "false" && git checkout ba0a03a8ba2d97a73d06242ec4bb3c7e2012e58c
    # Checkout the CI vars file so it is available
    - test "${UPGRADE_TEST}" != "false" && git checkout "${CI_BUILD_REF}" tests/files/${CI_JOB_NAME}.yml
    # Workaround https://github.com/kubernetes-incubator/kubespray/issues/2021
    - 'sh -c "echo ignore_assert_errors: true | tee -a tests/files/${CI_JOB_NAME}.yml"'
    # Create cluster
    - >
-      ansible-playbook -i inventory/inventory.ini -b --become-user=root --private-key=${HOME}/.ssh/id_rsa -u $SSH_USER
+      ansible-playbook
      -i inventory/inventory.ini
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
      -e ansible_python_interpreter=${PYPATH}
      -e ansible_ssh_user=${SSH_USER}
      -e bootstrap_os=${BOOTSTRAP_OS}
      -e cloud_provider=gce
      -e cert_management=${CERT_MGMT:-script}
      -e "{deploy_netchecker: true}"
      -e "{download_localhost: ${DOWNLOAD_LOCALHOST}}"
      -e "{download_run_once: ${DOWNLOAD_RUN_ONCE}}"
      -e etcd_deployment_type=${ETCD_DEPLOYMENT}
      -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
      -e kubedns_min_replicas=1
      -e kubelet_deployment_type=${KUBELET_DEPLOYMENT}
      -e local_release_dir=${PWD}/downloads
      -e resolvconf_mode=${RESOLVCONF_MODE}
      -e vault_deployment_type=${VAULT_DEPLOYMENT}
      -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
      -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
      -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
      -e "${AUTHORIZATION_MODES}"
      --limit "all:!fake_hosts"
      cluster.yml
@@ -141,27 +123,17 @@ before_script:
      test "${UPGRADE_TEST}" == "basic" && PLAYBOOK="cluster.yml";
      test "${UPGRADE_TEST}" == "graceful" && PLAYBOOK="upgrade-cluster.yml";
      git checkout "${CI_BUILD_REF}";
-      ansible-playbook -i inventory/inventory.ini -b --become-user=root --private-key=${HOME}/.ssh/id_rsa -u $SSH_USER
+      ansible-playbook
      -i inventory/inventory.ini
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
      -e ansible_python_interpreter=${PYPATH}
      -e ansible_ssh_user=${SSH_USER}
      -e bootstrap_os=${BOOTSTRAP_OS}
      -e cloud_provider=gce
      -e "{deploy_netchecker: true}"
      -e "{download_localhost: ${DOWNLOAD_LOCALHOST}}"
      -e "{download_run_once: ${DOWNLOAD_RUN_ONCE}}"
      -e etcd_deployment_type=${ETCD_DEPLOYMENT}
      -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
      -e kubedns_min_replicas=1
      -e kubelet_deployment_type=${KUBELET_DEPLOYMENT}
      -e local_release_dir=${PWD}/downloads
      -e resolvconf_mode=${RESOLVCONF_MODE}
      -e vault_deployment_type=${VAULT_DEPLOYMENT}
      -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
      -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
      -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
      -e "${AUTHORIZATION_MODES}"
      --limit "all:!fake_hosts"
      $PLAYBOOK;
      fi
@@ -181,25 +153,16 @@ before_script:
    ## Idempotency checks 1/5 (repeat deployment)
    - >
      if [ "${IDEMPOT_CHECK}" = "true" ]; then
-      ansible-playbook -i inventory/inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS
+      ansible-playbook
-      -b --become-user=root -e cloud_provider=gce $LOG_LEVEL -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
+      -i inventory/inventory.ini
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
-      -e bootstrap_os=${BOOTSTRAP_OS}
+      -u $SSH_USER
-      -e cloud_provider=gce
+      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
      -e ansible_python_interpreter=${PYPATH}
      -e "{deploy_netchecker: true}"
      -e "{download_localhost: ${DOWNLOAD_LOCALHOST}}"
      -e "{download_run_once: ${DOWNLOAD_RUN_ONCE}}"
      -e etcd_deployment_type=${ETCD_DEPLOYMENT}
      -e kubedns_min_replicas=1
      -e kubelet_deployment_type=${KUBELET_DEPLOYMENT}
      -e local_release_dir=${PWD}/downloads
      -e resolvconf_mode=${RESOLVCONF_MODE}
      -e vault_deployment_type=${VAULT_DEPLOYMENT}
      -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
      -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
      -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
      -e "${AUTHORIZATION_MODES}"
      --limit "all:!fake_hosts"
      cluster.yml;
      fi
@@ -207,20 +170,29 @@ before_script:
    ## Idempotency checks 2/5 (Advanced DNS checks)
    - >
      if [ "${IDEMPOT_CHECK}" = "true" ]; then
-      ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH}
+      ansible-playbook
-      -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root
+      -i inventory/inventory.ini
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
      --limit "all:!fake_hosts"
      tests/testcases/040_check-network-adv.yml $LOG_LEVEL;
      fi
    ## Idempotency checks 3/5 (reset deployment)
    - >
-      if [ "${IDEMPOT_CHECK}" = "true" AND "${RESET_CHECK}" = "true" ]; then
+      if [ "${IDEMPOT_CHECK}" = "true" -a "${RESET_CHECK}" = "true" ]; then
-      ansible-playbook -i inventory/inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS
+      ansible-playbook
-      -b --become-user=root -e cloud_provider=gce $LOG_LEVEL -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
+      -i inventory/inventory.ini
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
-      -e bootstrap_os=${BOOTSTRAP_OS}
+      -u $SSH_USER
-      -e cloud_provider=gce
+      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
      -e ansible_python_interpreter=${PYPATH}
      -e reset_confirmation=yes
      --limit "all:!fake_hosts"
@@ -229,33 +201,24 @@ before_script:
    ## Idempotency checks 4/5 (redeploy after reset)
    - >
-      if [ "${IDEMPOT_CHECK}" = "true" AND "${RESET_CHECK}" = "true" ]; then
+      if [ "${IDEMPOT_CHECK}" = "true" -a "${RESET_CHECK}" = "true" ]; then
-      ansible-playbook -i inventory/inventory.ini -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS
+      ansible-playbook
-      -b --become-user=root -e cloud_provider=gce $LOG_LEVEL -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
+      -i inventory/inventory.ini
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
-      -e bootstrap_os=${BOOTSTRAP_OS}
+      -u $SSH_USER
-      -e cloud_provider=gce
+      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
      -e ansible_python_interpreter=${PYPATH}
      -e "{deploy_netchecker: true}"
      -e "{download_localhost: ${DOWNLOAD_LOCALHOST}}"
      -e "{download_run_once: ${DOWNLOAD_RUN_ONCE}}"
      -e etcd_deployment_type=${ETCD_DEPLOYMENT}
      -e kubedns_min_replicas=1
      -e kubelet_deployment_type=${KUBELET_DEPLOYMENT}
      -e local_release_dir=${PWD}/downloads
      -e resolvconf_mode=${RESOLVCONF_MODE}
      -e vault_deployment_type=${VAULT_DEPLOYMENT}
      -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
      -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
      -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
      -e "${AUTHORIZATION_MODES}"
      --limit "all:!fake_hosts"
      cluster.yml;
      fi
    ## Idempotency checks 5/5 (Advanced DNS checks)
    - >
-      if [ "${IDEMPOT_CHECK}" = "true" AND "${RESET_CHECK}" = "true" ]; then
+      if [ "${IDEMPOT_CHECK}" = "true" -a "${RESET_CHECK}" = "true" ]; then
      ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH}
      -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root
      --limit "all:!fake_hosts"
@@ -265,166 +228,77 @@ before_script:
  after_script:
    - >
      ansible-playbook -i inventory/inventory.ini tests/cloud_playbooks/delete-gce.yml -c local  $LOG_LEVEL
-      -e mode=${CLUSTER_MODE}
+      -e @${CI_TEST_VARS}
      -e test_id=${TEST_ID}
      -e kube_network_plugin=${KUBE_NETWORK_PLUGIN}
      -e gce_project_id=${GCE_PROJECT_ID}
      -e gce_service_account_email=${GCE_ACCOUNT}
      -e gce_credentials_file=${HOME}/.ssh/gce.json
      -e cloud_image=${CLOUD_IMAGE}
      -e inventory_path=${PWD}/inventory/inventory.ini
      -e cloud_region=${CLOUD_REGION}
 # Test matrix. Leave the comments for markup scripts.
 .coreos_calico_aio_variables: &coreos_calico_aio_variables
 # stage: deploy-gce-part1
-  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
+  MOVED_TO_GROUP_VARS: "true"
  KUBE_NETWORK_PLUGIN: calico
  CLOUD_IMAGE: coreos-stable-1465-6-0-v20170817
  CLOUD_REGION: us-west1-b
  CLOUD_MACHINE_TYPE: "n1-standard-2"
  CLUSTER_MODE: aio
  BOOTSTRAP_OS: coreos
  RESOLVCONF_MODE: host_resolvconf # This is required as long as the CoreOS stable channel uses docker < 1.12
  ##User-data to simply turn off coreos upgrades
  STARTUP_SCRIPT: 'systemctl disable locksmithd && systemctl stop locksmithd'
-.ubuntu_canal_ha_rbac_variables: &ubuntu_canal_ha_rbac_variables
+.ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
 # stage: deploy-gce-part1
  KUBE_NETWORK_PLUGIN: canal
  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
  CLOUD_IMAGE: ubuntu-1604-xenial
  CLOUD_REGION: europe-west1-b
  CLUSTER_MODE: ha
  UPGRADE_TEST: "graceful"
  STARTUP_SCRIPT: ""
 .centos_weave_kubeadm_variables: &centos_weave_kubeadm_variables
 # stage: deploy-gce-part1
  KUBE_NETWORK_PLUGIN: weave
  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
  CLOUD_IMAGE: centos-7
  CLOUD_MACHINE_TYPE: "n1-standard-1"
  CLOUD_REGION: us-central1-b
  CLUSTER_MODE: ha
  KUBEADM_ENABLED: "true"
  UPGRADE_TEST: "graceful"
  STARTUP_SCRIPT: ""
 .ubuntu_canal_kubeadm_variables: &ubuntu_canal_kubeadm_variables
 # stage: deploy-gce-part1
-  KUBE_NETWORK_PLUGIN: canal
+  MOVED_TO_GROUP_VARS: "true"
-  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
+
-  CLOUD_IMAGE: ubuntu-1604-xenial
+.ubuntu_contiv_sep_variables: &ubuntu_contiv_sep_variables
-  CLOUD_MACHINE_TYPE: "n1-standard-1"
+# stage: deploy-gce-special
-  CLOUD_REGION: europe-west1-b
+  MOVED_TO_GROUP_VARS: "true"
  CLUSTER_MODE: ha
  KUBEADM_ENABLED: "true"
  STARTUP_SCRIPT: ""
 .rhel7_weave_variables: &rhel7_weave_variables
 # stage: deploy-gce-part1
-  KUBE_NETWORK_PLUGIN: weave
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: rhel-7
  CLOUD_REGION: europe-west1-b
  CLUSTER_MODE: default
  STARTUP_SCRIPT: ""
-.centos7_flannel_variables: &centos7_flannel_variables
+.centos7_flannel_addons_variables: &centos7_flannel_addons_variables
 # stage: deploy-gce-part2
-  KUBE_NETWORK_PLUGIN: flannel
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: centos-7
  CLOUD_REGION: us-west1-a
  CLOUD_MACHINE_TYPE: "n1-standard-2"
  CLUSTER_MODE: default
  STARTUP_SCRIPT: ""
 .debian8_calico_variables: &debian8_calico_variables
 # stage: deploy-gce-part2
-  KUBE_NETWORK_PLUGIN: calico
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: debian-8-kubespray
  CLOUD_REGION: us-central1-b
  CLUSTER_MODE: default
  STARTUP_SCRIPT: ""
 .coreos_canal_variables: &coreos_canal_variables
 # stage: deploy-gce-part2
-  KUBE_NETWORK_PLUGIN: canal
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: coreos-stable-1465-6-0-v20170817
  CLOUD_REGION: us-east1-b
  CLUSTER_MODE: default
  BOOTSTRAP_OS: coreos
  IDEMPOT_CHECK: "true"
  RESOLVCONF_MODE: host_resolvconf # This is required as long as the CoreOS stable channel uses docker < 1.12
  STARTUP_SCRIPT: 'systemctl disable locksmithd && systemctl stop locksmithd'
 .rhel7_canal_sep_variables: &rhel7_canal_sep_variables
 # stage: deploy-gce-special
-  KUBE_NETWORK_PLUGIN: canal
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: rhel-7
  CLOUD_REGION: us-east1-b
  CLUSTER_MODE: separate
  STARTUP_SCRIPT: ""
 .ubuntu_weave_sep_variables: &ubuntu_weave_sep_variables
 # stage: deploy-gce-special
-  KUBE_NETWORK_PLUGIN: weave
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: ubuntu-1604-xenial
  CLOUD_REGION: us-central1-b
  CLUSTER_MODE: separate
  IDEMPOT_CHECK: "false"
  STARTUP_SCRIPT: ""
 .centos7_calico_ha_variables: &centos7_calico_ha_variables
 # stage: deploy-gce-special
-  KUBE_NETWORK_PLUGIN: calico
+  MOVED_TO_GROUP_VARS: "true"
  DOWNLOAD_LOCALHOST: "true"
  DOWNLOAD_RUN_ONCE: "true"
  CLOUD_IMAGE: centos-7
  CLOUD_REGION: europe-west1-b
  CLUSTER_MODE: ha-scale
  IDEMPOT_CHECK: "true"
  STARTUP_SCRIPT: ""
 .coreos_alpha_weave_ha_variables: &coreos_alpha_weave_ha_variables
 # stage: deploy-gce-special
-  KUBE_NETWORK_PLUGIN: weave
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: coreos-alpha-1506-0-0-v20170817
  CLOUD_REGION: us-west1-a
  CLUSTER_MODE: ha-scale
  BOOTSTRAP_OS: coreos
  RESOLVCONF_MODE: host_resolvconf # This is required as long as the CoreOS stable channel uses docker < 1.12
  STARTUP_SCRIPT: 'systemctl disable locksmithd && systemctl stop locksmithd'
 .ubuntu_rkt_sep_variables: &ubuntu_rkt_sep_variables
 # stage: deploy-gce-part1
-  KUBE_NETWORK_PLUGIN: flannel
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_IMAGE: ubuntu-1604-xenial
  CLOUD_REGION: us-central1-b
  CLUSTER_MODE: separate
  ETCD_DEPLOYMENT: rkt
  KUBELET_DEPLOYMENT: rkt
  STARTUP_SCRIPT: ""
 .ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
 # stage: deploy-gce-part1
-  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
+  MOVED_TO_GROUP_VARS: "true"
  CLOUD_MACHINE_TYPE: "n1-standard-2"
  KUBE_NETWORK_PLUGIN: canal
  CERT_MGMT: vault
  CLOUD_IMAGE: ubuntu-1604-xenial
  CLOUD_REGION: us-central1-b
  CLUSTER_MODE: separate
  STARTUP_SCRIPT: ""
-.ubuntu_flannel_rbac_variables: &ubuntu_flannel_rbac_variables
+.ubuntu_flannel_variables: &ubuntu_flannel_variables
 # stage: deploy-gce-special
-  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
+  MOVED_TO_GROUP_VARS: "true"
  KUBE_NETWORK_PLUGIN: flannel
  CLOUD_IMAGE: ubuntu-1604-xenial
  CLOUD_REGION: europe-west1-b
  CLUSTER_MODE: separate
  STARTUP_SCRIPT: ""
 # Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
 coreos-calico-aio:
@@ -448,24 +322,24 @@ coreos-calico-sep-triggers:
  when: on_success
  only: ['triggers']
-centos7-flannel:
+centos7-flannel-addons:
  stage: deploy-gce-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *centos7_flannel_variables
+    <<: *centos7_flannel_addons_variables
  when: on_success
  except: ['triggers']
  only: [/^pr-.*$/]
-centos7-flannel-triggers:
+centos7-flannel-addons-triggers:
  stage: deploy-gce-part1
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *centos7_flannel_variables
+    <<: *centos7_flannel_addons_variables
  when: on_success
  only: ['triggers']
@@ -491,28 +365,28 @@ ubuntu-weave-sep-triggers:
  only: ['triggers']
 # More builds for PRs/merges (manual) and triggers (auto)
-ubuntu-canal-ha-rbac:
+ubuntu-canal-ha:
  stage: deploy-gce-part1
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *ubuntu_canal_ha_rbac_variables
+    <<: *ubuntu_canal_ha_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
-ubuntu-canal-ha-rbac-triggers:
+ubuntu-canal-ha-triggers:
  stage: deploy-gce-part1
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *ubuntu_canal_ha_rbac_variables
+    <<: *ubuntu_canal_ha_variables
  when: on_success
  only: ['triggers']
-ubuntu-canal-kubeadm-rbac:
+ubuntu-canal-kubeadm:
  stage: deploy-gce-part1
  <<: *job
  <<: *gce
@@ -533,7 +407,7 @@ ubuntu-canal-kubeadm-triggers:
  when: on_success
  only: ['triggers']
-centos-weave-kubeadm-rbac:
+centos-weave-kubeadm:
  stage: deploy-gce-part1
  <<: *job
  <<: *gce
@@ -554,6 +428,17 @@ centos-weave-kubeadm-triggers:
  when: on_success
  only: ['triggers']
 ubuntu-contiv-sep:
  stage: deploy-gce-special
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *ubuntu_contiv_sep_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 rhel7-weave:
  stage: deploy-gce-part1
  <<: *job
@@ -693,13 +578,13 @@ ubuntu-vault-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/]
-ubuntu-flannel-rbac-sep:
+ubuntu-flannel-sep:
  stage: deploy-gce-special
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *ubuntu_flannel_rbac_variables
+    <<: *ubuntu_flannel_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 ## Deploy a production ready kubernetes cluster
-If you have questions, join us on the [kubernetes slack](https://slack.k8s.io), channel **#kubespray**.
+If you have questions, join us on the [kubernetes slack](https://kubernetes.slack.com), channel **#kubespray**.
 - Can be deployed on **AWS, GCE, Azure, OpenStack or Baremetal**
 - **High available** cluster
@@ -29,6 +29,7 @@ To deploy the cluster you can use :
 *  [Network plugins](#network-plugins)
 *  [Vagrant install](docs/vagrant.md)
 *  [CoreOS bootstrap](docs/coreos.md)
 *  [Debian Jessie setup](docs/debian.md)
 *  [Downloaded artifacts](docs/downloads.md)
 *  [Cloud providers](docs/cloud.md)
 *  [OpenStack](docs/openstack.md)
@@ -53,11 +54,12 @@ Versions of supported components
 --------------------------------
-[kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.7.3 <br>
+[kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.9.2 <br>
 [etcd](https://github.com/coreos/etcd/releases) v3.2.4 <br>
 [flanneld](https://github.com/coreos/flannel/releases) v0.8.0 <br>
 [calico](https://docs.projectcalico.org/v2.5/releases/) v2.5.0 <br>
 [canal](https://github.com/projectcalico/canal) (given calico/flannel versions) <br>
 [contiv](https://github.com/contiv/install/releases) v1.0.3 <br>
 [weave](http://weave.works/) v2.0.1 <br>
 [docker](https://www.docker.com/) v1.13 (see note)<br>
 [rkt](https://coreos.com/rkt/docs/latest/) v1.21.0 (see Note 2)<br>
@@ -72,7 +74,7 @@ plugins can be deployed for a given single cluster.
 Requirements
 --------------
-* **Ansible v2.3 (or newer) and python-netaddr is installed on the machine
+* **Ansible v2.4 (or newer) and python-netaddr is installed on the machine
  that will run Ansible commands**
 * **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
 * The target servers must have **access to the Internet** in order to pull docker images.
@@ -92,6 +94,9 @@ You can choose between 4 network plugins. (default: `calico`, except Vagrant use
 * [**canal**](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.
 * [**contiv**](docs/contiv.md): supports vlan, vxlan, bgp and Cisco SDN networking. This plugin is able to
  apply firewall policies, segregate containers in multiple network and bridging pods onto physical networks.
 * [**weave**](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster. <br>
 (Please refer to `weave` [troubleshooting documentation](http://docs.weave.works/weave/latest_release/troubleshooting.html)).
@@ -106,7 +111,7 @@ See also [Network checker](docs/netcheck.md).
 - [Deploy a Kubernetes Cluster with Kubespray (video)](https://www.youtube.com/watch?v=N9q51JgbWu8)
 ## Tools and projects on top of Kubespray
- - [Digital Rebar](https://github.com/digitalrebar/digitalrebar)
+ - [Digital Rebar Provision](https://github.com/digitalrebar/provision/blob/master/doc/integrations/ansible.rst)
 - [Kubespray-cli](https://github.com/kubespray/kubespray-cli)
 - [Fuel-ccp-installer](https://github.com/openstack/fuel-ccp-installer)
 - [Terraform Contrib](https://github.com/kubernetes-incubator/kubespray/tree/master/contrib/terraform)
--- a/32
+++ b/32
@@ -3,7 +3,7 @@
 require 'fileutils'
-Vagrant.require_version ">= 1.8.0"
+Vagrant.require_version ">= 1.9.0"
 CONFIG = File.join(File.dirname(__FILE__), "vagrant/config.rb")
@@ -21,16 +21,19 @@ SUPPORTED_OS = {
 $num_instances = 3
 $instance_name_prefix = "k8s"
 $vm_gui = false
-$vm_memory = 1536
+$vm_memory = 2048
 $vm_cpus = 1
 $shared_folders = {}
 $forwarded_ports = {}
 $subnet = "172.17.8"
 $os = "ubuntu"
 $network_plugin = "flannel"
 # The first three nodes are etcd servers
 $etcd_instances = $num_instances
-# The first two nodes are masters
+# The first two nodes are kube masters
 $kube_master_instances = $num_instances == 1 ? $num_instances : ($num_instances - 1)
 # All nodes are kube nodes
 $kube_node_instances = $num_instances
 $local_release_dir = "/vagrant/temp"
 host_vars = {}
@@ -39,9 +42,6 @@ if File.exist?(CONFIG)
  require CONFIG
 end
 # All nodes are kube nodes
 $kube_node_instances = $num_instances
 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
 $inventory = File.join(File.dirname(__FILE__), "inventory") if ! $inventory
@@ -115,17 +115,23 @@ Vagrant.configure("2") do |config|
      ip = "#{$subnet}.#{i+100}"
      host_vars[vm_name] = {
        "ip": ip,
-        "flannel_interface": ip,
+        "bootstrap_os": SUPPORTED_OS[$os][:bootstrap_os],
        "flannel_backend_type": "host-gw",
        "local_release_dir" => $local_release_dir,
        "download_run_once": "False",
-        # Override the default 'calico' with flannel.
+        "kube_network_plugin": $network_plugin
        # inventory/group_vars/k8s-cluster.yml
        "kube_network_plugin": "flannel",
        "bootstrap_os": SUPPORTED_OS[$os][:bootstrap_os]
      }
      config.vm.network :private_network, ip: ip
      # workaround for Vagrant 1.9.1 and centos vm
      # https://github.com/hashicorp/vagrant/issues/8096
      if Vagrant::VERSION == "1.9.1" && $os == "centos"
        config.vm.provision "shell", inline: "service network restart", run: "always"
      end
      # Disable swap for each vm
      config.vm.provision "shell", inline: "swapoff -a"
      # Only execute once the Ansible provisioner,
      # when all the machines are up and ready.
      if i == $num_instances
@@ -137,7 +143,7 @@ Vagrant.configure("2") do |config|
          ansible.sudo = true
          ansible.limit = "all"
          ansible.host_key_checking = false
-          ansible.raw_arguments = ["--forks=#{$num_instances}"]
+          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache"]
          ansible.host_vars = host_vars
          #ansible.tags = ['download']
          ansible.groups = {
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,7 +1,6 @@
 [ssh_connection]
 pipelining=True
-ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100
+ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
 #ssh_args = -F ./ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100
 #control_path = ~/.ssh/ansible-%%r@%%h:%%p
 [defaults]
 host_key_checking=False
@@ -11,4 +10,5 @@ fact_caching_connection = /tmp
 stdout_callback = skippy
 library = ./library
 callback_whitelist = profile_tasks
-roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles
+roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles:/usr/share/kubespray/roles
 deprecation_warnings=False
--- a/cluster.yml
+++ b/cluster.yml
@@ -26,18 +26,20 @@
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kernel-upgrade, tags: kernel-upgrade, when: kernel_upgrade is defined and kernel_upgrade }
    - { role: kubernetes/preinstall, tags: preinstall }
    - { role: docker, tags: docker }
    - role: rkt
      tags: rkt
      when: "'rkt' in [etcd_deployment_type, kubelet_deployment_type, vault_deployment_type]"
    - { role: download, tags: download, skip_downloads: false }
  environment: "{{proxy_env}}"
- hosts: etcd:k8s-cluster:vault
+- hosts: etcd:k8s-cluster:vault:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
  environment: "{{proxy_env}}"
 - hosts: etcd
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
@@ -45,29 +47,33 @@
    - { role: kubespray-defaults}
    - { role: etcd, tags: etcd, etcd_cluster_setup: true }
- hosts: k8s-cluster
+- hosts: k8s-cluster:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: etcd, tags: etcd, etcd_cluster_setup: false }
- hosts: etcd:k8s-cluster:vault
+- hosts: etcd:k8s-cluster:vault:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
  environment: "{{proxy_env}}"
 - hosts: k8s-cluster
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes/node, tags: node }
  environment: "{{proxy_env}}"
 - hosts: kube-master
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes/master, tags: master }
    - { role: kubernetes/client, tags: client }
    - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }
 - hosts: k8s-cluster
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
@@ -76,14 +82,18 @@
    - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
    - { role: network_plugin, tags: network }
- hosts: kube-master
+- hosts: kube-master[0]
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
 - hosts: kube-master
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes-apps/network_plugin, tags: network }
    - { role: kubernetes-apps/policy_controller, tags: policy-controller }
    - { role: kubernetes/client, tags: client }
 - hosts: calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
@@ -97,6 +107,7 @@
    - { role: kubespray-defaults}
    - { role: dnsmasq, when: "dns_mode == 'dnsmasq_kubedns'", tags: dnsmasq }
    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf }
  environment: "{{proxy_env}}"
 - hosts: kube-master[0]
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
--- a/code-of-conduct.md
+++ b/code-of-conduct.md
@@ -1,58 +1,3 @@
-## Kubernetes Community Code of Conduct
+# Kubernetes Community Code of Conduct
-### Contributor Code of Conduct
+Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md)
 As contributors and maintainers of this project, and in the interest of fostering
 an open and welcoming community, we pledge to respect all people who contribute
 through reporting issues, posting feature requests, updating documentation,
 submitting pull requests or patches, and other activities.
 We are committed to making participation in this project a harassment-free experience for
 everyone, regardless of level of experience, gender, gender identity and expression,
 sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
 religion, or nationality.
 Examples of unacceptable behavior by participants include:
 * The use of sexualized language or imagery
 * Personal attacks
 * Trolling or insulting/derogatory comments
 * Public or private harassment
 * Publishing other's private information, such as physical or electronic addresses,
 without explicit permission
 * Other unethical or unprofessional conduct.
 Project maintainers have the right and responsibility to remove, edit, or reject
 comments, commits, code, wiki edits, issues, and other contributions that are not
 aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
 commit themselves to fairly and consistently applying these principles to every aspect
 of managing this project. Project maintainers who do not follow or enforce the Code of
 Conduct may be permanently removed from the project team.
 This code of conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a Kubernetes maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
 This Code of Conduct is adapted from the Contributor Covenant
 (http://contributor-covenant.org), version 1.2.0, available at
 http://contributor-covenant.org/version/1/2/0/
 ### Kubernetes Events Code of Conduct
 Kubernetes events are working conferences intended for professional networking and collaboration in the
 Kubernetes community. Attendees are expected to behave according to professional standards and in accordance
 with their employer's policies on appropriate workplace behavior.
 While at Kubernetes events or related social networking opportunities, attendees should not engage in
 discriminatory or offensive speech or actions regarding gender, sexuality, race, or religion. Speakers should
 be especially aware of these concerns.
 The Kubernetes team does not condone any statements by speakers contrary to these standards.  The Kubernetes
 team reserves the right to deny entrance and/or eject from an event (without refund) any individual found to
 be engaging in discriminatory or offensive speech or actions.
 Please bring any concerns to the immediate attention of Kubernetes event staff.
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/code-of-conduct.md?pixel)]()
--- a/contrib/network-storage/glusterfs/glusterfs.yml
+++ b/contrib/network-storage/glusterfs/glusterfs.yml
@@ -1,8 +1,17 @@
 ---
 - hosts: gfs-cluster
  gather_facts: false
  vars:
    ansible_ssh_pipelining: false
  roles:
   - { role: bootstrap-os, tags: bootstrap-os}
 - hosts: all
  gather_facts: true
 - hosts: gfs-cluster
  vars:
    ansible_ssh_pipelining: true
  roles:
    - { role: glusterfs/server }
@@ -12,6 +21,5 @@
 - hosts: kube-master[0]
  roles:
    - { role: kubernetes-pv/lib }
    - { role: kubernetes-pv }
--- a/contrib/network-storage/glusterfs/group_vars
+++ b/contrib/network-storage/glusterfs/group_vars
@@ -0,0 +1 @@
 ../../../inventory/group_vars
--- a/contrib/network-storage/glusterfs/roles/bootstrap-os
+++ b/contrib/network-storage/glusterfs/roles/bootstrap-os
@@ -0,0 +1 @@
 ../../../../roles/bootstrap-os
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml
@@ -4,6 +4,7 @@
  with_items:
          - { file: glusterfs-kubernetes-endpoint.json.j2, type: ep, dest: glusterfs-kubernetes-endpoint.json}
          - { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}
          - { file: glusterfs-kubernetes-endpoint-svc.json.j2, type: svc, dest: glusterfs-kubernetes-endpoint-svc.json}
  register: gluster_pv
  when: inventory_hostname == groups['kube-master'][0] and groups['gfs-cluster'] is defined and hostvars[groups['gfs-cluster'][0]].gluster_disk_size_gb is defined
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint-svc.json.j2
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint-svc.json.j2
@@ -0,0 +1,12 @@
 {
  "kind": "Service",
  "apiVersion": "v1",
  "metadata": {
    "name": "glusterfs"
  },
  "spec": {
    "ports": [
      {"port": 1}
    ]
  }
 }
--- a/contrib/packaging/rpm/ansible-kubespray.spec
+++ b/contrib/packaging/rpm/ansible-kubespray.spec
@@ -1,60 +0,0 @@
 %global srcname ansible_kubespray
 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
 Name:           ansible-kubespray
 Version:        XXX
 Release:        XXX
 Summary:        Ansible modules for installing Kubernetes
 Group:          System Environment/Libraries
 License:        ASL 2.0
 Vendor:         Kubespray <smainklh@gmail.com>
 Url:            https://github.com/kubernetes-incubator/kubespray
 Source0:        https://github.com/kubernetes-incubator/kubespray/archive/%{upstream_version}.tar.gz
 BuildArch:      noarch
 BuildRequires:  git
 BuildRequires:  python2-devel
 BuildRequires:  python-setuptools
 BuildRequires:  python-d2to1
 BuildRequires:  python-pbr
 Requires: ansible
 Requires: python-jinja2
 Requires: python-netaddr
 %description
 Ansible-kubespray is a set of Ansible modules and playbooks for
 installing a Kubernetes cluster. If you have questions, join us
 on the https://slack.k8s.io, channel '#kubespray'.
 %prep
 %autosetup -n %{name}-%{upstream_version} -S git
 %build
 %{__python2} setup.py build
 %install
 export PBR_VERSION=%{version}
 export SKIP_PIP_INSTALL=1
 %{__python2} setup.py install --skip-build --root %{buildroot}
 %files
 %doc README.md
 %doc inventory/inventory.example
 %config /etc/kubespray/ansible.cfg
 %config /etc/kubespray/inventory/group_vars/all.yml
 %config /etc/kubespray/inventory/group_vars/k8s-cluster.yml
 %license LICENSE
 %{python2_sitelib}/%{srcname}-%{version}-py%{python2_version}.egg-info
 /usr/local/share/kubespray/roles/
 /usr/local/share/kubespray/playbooks/
 %defattr(-,root,root)
 %changelog
--- a/contrib/packaging/rpm/kubespray.spec
+++ b/contrib/packaging/rpm/kubespray.spec
@@ -0,0 +1,61 @@
 %global srcname kubespray
 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
 Name:           kubespray
 Version:        master
 Release:        %(git describe | sed -r 's/v(\S+-?)-(\S+)-(\S+)/\1.dev\2+\3/')
 Summary:        Ansible modules for installing Kubernetes
 Group:          System Environment/Libraries
 License:        ASL 2.0
 Url:            https://github.com/kubernetes-incubator/kubespray
 Source0:        https://github.com/kubernetes-incubator/kubespray/archive/%{upstream_version}.tar.gz#/%{name}-%{release}.tar.gz
 BuildArch:      noarch
 BuildRequires:  git
 BuildRequires:  python2
 BuildRequires:  python2-devel
 BuildRequires:  python2-setuptools
 BuildRequires:  python-d2to1
 BuildRequires:  python2-pbr
 Requires: ansible
 Requires: python-jinja2 >= 2.10
 Requires: python-netaddr
 %description
 Ansible-kubespray is a set of Ansible modules and playbooks for
 installing a Kubernetes cluster. If you have questions, join us
 on the https://slack.k8s.io, channel '#kubespray'.
 %prep
 %autosetup -n %{name}-%{upstream_version} -S git
 %build
 export PBR_VERSION=%{release}
 %{__python2} setup.py build bdist_rpm
 %install
 export PBR_VERSION=%{release}
 export SKIP_PIP_INSTALL=1
 %{__python2} setup.py install --skip-build --root %{buildroot} bdist_rpm
 %files
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/inventory/inventory.example
 %config %{_sysconfdir}/%{name}/ansible.cfg
 %config %{_sysconfdir}/%{name}/inventory/group_vars/all.yml
 %config %{_sysconfdir}/%{name}/inventory/group_vars/k8s-cluster.yml
 %license %{_docdir}/%{name}/LICENSE
 %{python2_sitelib}/%{srcname}-%{release}-py%{python2_version}.egg-info
 %{_datarootdir}/%{name}/roles/
 %{_datarootdir}/%{name}/playbooks/
 %defattr(-,root,root)
 %changelog
--- a/contrib/terraform/aws/README.md
+++ b/contrib/terraform/aws/README.md
@@ -24,7 +24,7 @@ export AWS_DEFAULT_REGION="zzz"
 ```
 - Rename `contrib/terraform/aws/terraform.tfvars.example` to `terraform.tfvars`
- Update `contrib/terraform/aws/terraform.tfvars` with your data
+- Update `contrib/terraform/aws/terraform.tfvars` with your data. By default, the Terraform scripts use CoreOS as base image. If you want to change this behaviour, see note "Using other distrib than CoreOs" below.
 - Allocate a new AWS Elastic IP. Use this for your `loadbalancer_apiserver_address` value (below)
 - Create an AWS EC2 SSH Key
 - Run with `terraform apply --var-file="credentials.tfvars"` or `terraform apply` depending if you exported your AWS credentials
@@ -36,9 +36,10 @@ terraform apply -var-file=credentials.tfvars -var 'loadbalancer_apiserver_addres
 - Terraform automatically creates an Ansible Inventory file called `hosts` with the created infrastructure in the directory `inventory`
- Ansible will automatically generate an ssh config file for your bastion hosts. To make use of it, make sure you have a line in your `ansible.cfg` file that looks like the following:
+- Ansible will automatically generate an ssh config file for your bastion hosts. To connect to hosts with ssh using bastion host use generated ssh-bastion.conf.
  Ansible automatically detects bastion and changes ssh_args  
 ```commandline
-ssh_args = -F ./ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m 
+ssh -F ./ssh-bastion.conf user@$ip
 ```
 - Once the infrastructure is created, you can run the kubespray playbooks and supply inventory/hosts with the `-i` flag.
@@ -47,6 +48,60 @@ Example (this one assumes you are using CoreOS)
 ```commandline
 ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache
 ```
 ***Using other distrib than CoreOs***
 If you want to use another distribution than CoreOS, you can modify the search filters of the 'data "aws_ami" "distro"' in variables.tf.
 For example, to use:
 - Debian Jessie, replace 'data "aws_ami" "distro"' in variables.tf with
 data "aws_ami" "distro" {
  most_recent = true
  filter {
    name   = "name"
    values = ["debian-jessie-amd64-hvm-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["379101102735"]
 }
 - Ubuntu 16.04, replace 'data "aws_ami" "distro"' in variables.tf with
 data "aws_ami" "distro" {
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["099720109477"]
 }
 - Centos 7, replace 'data "aws_ami" "distro"' in variables.tf with
 data "aws_ami" "distro" {
  most_recent = true
  filter {
    name   = "name"
    values = ["dcos-centos7-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["688023202711"]
 }
 **Troubleshooting**
--- a/contrib/terraform/aws/create-infrastructure.tf
+++ b/contrib/terraform/aws/create-infrastructure.tf
@@ -8,6 +8,8 @@ provider "aws" {
    region = "${var.AWS_DEFAULT_REGION}"
 }
 data "aws_availability_zones" "available" {}
 /*
 * Calling modules who create the initial AWS VPC / AWS ELB
 * and AWS IAM Roles for Kubernetes Deployment
@@ -18,10 +20,10 @@ module "aws-vpc" {
  aws_cluster_name = "${var.aws_cluster_name}"
  aws_vpc_cidr_block = "${var.aws_vpc_cidr_block}"
-  aws_avail_zones="${var.aws_avail_zones}"
+  aws_avail_zones="${slice(data.aws_availability_zones.available.names,0,2)}"
  aws_cidr_subnets_private="${var.aws_cidr_subnets_private}"
  aws_cidr_subnets_public="${var.aws_cidr_subnets_public}"
  default_tags="${var.default_tags}"
 }
@@ -31,10 +33,11 @@ module "aws-elb" {
  aws_cluster_name="${var.aws_cluster_name}"
  aws_vpc_id="${module.aws-vpc.aws_vpc_id}"
-  aws_avail_zones="${var.aws_avail_zones}"
+  aws_avail_zones="${slice(data.aws_availability_zones.available.names,0,2)}"
  aws_subnet_ids_public="${module.aws-vpc.aws_subnet_ids_public}"
  aws_elb_api_port = "${var.aws_elb_api_port}"
  k8s_secure_api_port = "${var.k8s_secure_api_port}"
  default_tags="${var.default_tags}"
 }
@@ -48,12 +51,13 @@ module "aws-iam" {
 * Create Bastion Instances in AWS
 *
 */
 resource "aws_instance" "bastion-server" {
-    ami = "${var.aws_bastion_ami}"
+    ami = "${data.aws_ami.distro.id}"
    instance_type = "${var.aws_bastion_size}"
    count = "${length(var.aws_cidr_subnets_public)}"
    associate_public_ip_address = true
-    availability_zone  = "${element(var.aws_avail_zones,count.index)}"
+    availability_zone  = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
    subnet_id = "${element(module.aws-vpc.aws_subnet_ids_public,count.index)}"
@@ -61,11 +65,11 @@ resource "aws_instance" "bastion-server" {
    key_name = "${var.AWS_SSH_KEY_NAME}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-bastion-${count.index}"
+      "Name", "kubernetes-${var.aws_cluster_name}-bastion-${count.index}",
-        Cluster = "${var.aws_cluster_name}"
+      "Cluster", "${var.aws_cluster_name}",
-        Role = "bastion-${var.aws_cluster_name}-${count.index}"
+      "Role", "bastion-${var.aws_cluster_name}-${count.index}"
-    }
+    ))}"
 }
@@ -75,13 +79,13 @@ resource "aws_instance" "bastion-server" {
 */
 resource "aws_instance" "k8s-master" {
-    ami = "${var.aws_cluster_ami}"
+    ami = "${data.aws_ami.distro.id}"
    instance_type = "${var.aws_kube_master_size}"
    count = "${var.aws_kube_master_num}"
-    availability_zone  = "${element(var.aws_avail_zones,count.index)}"
+    availability_zone  = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
    subnet_id = "${element(module.aws-vpc.aws_subnet_ids_private,count.index)}"
@@ -92,11 +96,11 @@ resource "aws_instance" "k8s-master" {
    key_name = "${var.AWS_SSH_KEY_NAME}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-master${count.index}"
+      "Name", "kubernetes-${var.aws_cluster_name}-master${count.index}",
-        Cluster = "${var.aws_cluster_name}"
+      "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
-        Role = "master"
+      "Role", "master"
-    }
+    ))}"
 }
 resource "aws_elb_attachment" "attach_master_nodes" {
@@ -107,13 +111,13 @@ resource "aws_elb_attachment" "attach_master_nodes" {
 resource "aws_instance" "k8s-etcd" {
-    ami = "${var.aws_cluster_ami}"
+    ami = "${data.aws_ami.distro.id}"
    instance_type = "${var.aws_etcd_size}"
    count = "${var.aws_etcd_num}"
-    availability_zone = "${element(var.aws_avail_zones,count.index)}"
+    availability_zone = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
    subnet_id = "${element(module.aws-vpc.aws_subnet_ids_private,count.index)}"
@@ -121,23 +125,22 @@ resource "aws_instance" "k8s-etcd" {
    key_name = "${var.AWS_SSH_KEY_NAME}"
-
+    tags = "${merge(var.default_tags, map(
-    tags {
+      "Name", "kubernetes-${var.aws_cluster_name}-etcd${count.index}",
-        Name = "kubernetes-${var.aws_cluster_name}-etcd${count.index}"
+      "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
-        Cluster = "${var.aws_cluster_name}"
+      "Role", "etcd"
-        Role = "etcd"
+    ))}"
    }
 }
 resource "aws_instance" "k8s-worker" {
-    ami = "${var.aws_cluster_ami}"
+    ami = "${data.aws_ami.distro.id}"
    instance_type = "${var.aws_kube_worker_size}"
    count = "${var.aws_kube_worker_num}"
-    availability_zone  = "${element(var.aws_avail_zones,count.index)}"
+    availability_zone  = "${element(slice(data.aws_availability_zones.available.names,0,2),count.index)}"
    subnet_id = "${element(module.aws-vpc.aws_subnet_ids_private,count.index)}"
    vpc_security_group_ids = [ "${module.aws-vpc.aws_security_group}" ]
@@ -146,11 +149,11 @@ resource "aws_instance" "k8s-worker" {
    key_name = "${var.AWS_SSH_KEY_NAME}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-worker${count.index}"
+      "Name", "kubernetes-${var.aws_cluster_name}-worker${count.index}",
-        Cluster = "${var.aws_cluster_name}"
+      "kubernetes.io/cluster/${var.aws_cluster_name}", "member",
-        Role = "worker"
+      "Role", "worker"
-    }
+    ))}"
 }
@@ -164,16 +167,14 @@ data "template_file" "inventory" {
    template = "${file("${path.module}/templates/inventory.tpl")}"
    vars {
-        public_ip_address_bastion = "${join("\n",formatlist("bastion ansible_ssh_host=%s" , aws_instance.bastion-server.*.public_ip))}"
+        public_ip_address_bastion = "${join("\n",formatlist("bastion ansible_host=%s" , aws_instance.bastion-server.*.public_ip))}"
-        connection_strings_master = "${join("\n",formatlist("%s ansible_ssh_host=%s",aws_instance.k8s-master.*.tags.Name, aws_instance.k8s-master.*.private_ip))}"
+        connection_strings_master = "${join("\n",formatlist("%s ansible_host=%s",aws_instance.k8s-master.*.tags.Name, aws_instance.k8s-master.*.private_ip))}"
-        connection_strings_node = "${join("\n", formatlist("%s ansible_ssh_host=%s", aws_instance.k8s-worker.*.tags.Name, aws_instance.k8s-worker.*.private_ip))}"
+        connection_strings_node = "${join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-worker.*.tags.Name, aws_instance.k8s-worker.*.private_ip))}"
-        connection_strings_etcd = "${join("\n",formatlist("%s ansible_ssh_host=%s", aws_instance.k8s-etcd.*.tags.Name, aws_instance.k8s-etcd.*.private_ip))}"
+        connection_strings_etcd = "${join("\n",formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.tags.Name, aws_instance.k8s-etcd.*.private_ip))}"
        list_master = "${join("\n",aws_instance.k8s-master.*.tags.Name)}"
        list_node = "${join("\n",aws_instance.k8s-worker.*.tags.Name)}"
        list_etcd = "${join("\n",aws_instance.k8s-etcd.*.tags.Name)}"
        elb_api_fqdn = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
        elb_api_port = "loadbalancer_apiserver.port=${var.aws_elb_api_port}"
        loadbalancer_apiserver_address = "loadbalancer_apiserver.address=${var.loadbalancer_apiserver_address}"
    }
 }
--- a/contrib/terraform/aws/modules/elb/main.tf
+++ b/contrib/terraform/aws/modules/elb/main.tf
@@ -2,9 +2,9 @@ resource "aws_security_group" "aws-elb" {
    name = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
    vpc_id = "${var.aws_vpc_id}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
+      "Name", "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-    }
+    ))}"
 }
@@ -43,7 +43,7 @@ resource "aws_elb" "aws-elb-api" {
    healthy_threshold = 2
    unhealthy_threshold = 2
    timeout = 3
-    target = "HTTP:8080/"
+    target = "TCP:${var.k8s_secure_api_port}"
    interval = 30
  }
@@ -52,7 +52,7 @@ resource "aws_elb" "aws-elb-api" {
  connection_draining = true
  connection_draining_timeout = 400
-  tags {
+  tags = "${merge(var.default_tags, map(
-    Name = "kubernetes-${var.aws_cluster_name}-elb-api"
+    "Name", "kubernetes-${var.aws_cluster_name}-elb-api"
-  }
+  ))}"
 }
--- a/contrib/terraform/aws/modules/elb/variables.tf
+++ b/contrib/terraform/aws/modules/elb/variables.tf
@@ -26,3 +26,8 @@ variable "aws_subnet_ids_public" {
    description = "IDs of Public Subnets"
    type = "list"
 }
 variable "default_tags" {
    description = "Tags for all resources"
    type = "map"
 }
--- a/contrib/terraform/aws/modules/iam/main.tf
+++ b/contrib/terraform/aws/modules/iam/main.tf
@@ -129,10 +129,10 @@ EOF
 resource "aws_iam_instance_profile" "kube-master" {
    name = "kube_${var.aws_cluster_name}_master_profile"
-    roles = ["${aws_iam_role.kube-master.name}"]
+    role = "${aws_iam_role.kube-master.name}"
 }
 resource "aws_iam_instance_profile" "kube-worker" {
    name = "kube_${var.aws_cluster_name}_node_profile"
-    roles = ["${aws_iam_role.kube-worker.name}"]
+    role = "${aws_iam_role.kube-worker.name}"
 }
--- a/contrib/terraform/aws/modules/vpc/main.tf
+++ b/contrib/terraform/aws/modules/vpc/main.tf
@@ -6,9 +6,9 @@ resource "aws_vpc" "cluster-vpc" {
    enable_dns_support = true
    enable_dns_hostnames = true
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-vpc"
+      "Name", "kubernetes-${var.aws_cluster_name}-vpc"
-    }
+    ))}"
 }
@@ -18,13 +18,13 @@ resource "aws_eip" "cluster-nat-eip" {
 }
 resource "aws_internet_gateway" "cluster-vpc-internetgw" {
  vpc_id = "${aws_vpc.cluster-vpc.id}"
-  tags {
+
-      Name = "kubernetes-${var.aws_cluster_name}-internetgw"
+  tags = "${merge(var.default_tags, map(
-  }
+    "Name", "kubernetes-${var.aws_cluster_name}-internetgw"
  ))}"
 }
 resource "aws_subnet" "cluster-vpc-subnets-public" {
@@ -33,9 +33,10 @@ resource "aws_subnet" "cluster-vpc-subnets-public" {
    availability_zone = "${element(var.aws_avail_zones, count.index)}"
    cidr_block = "${element(var.aws_cidr_subnets_public, count.index)}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public"
+      "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public",
-    }
+      "kubernetes.io/cluster/${var.aws_cluster_name}", "member"
    ))}"
 }
 resource "aws_nat_gateway" "cluster-nat-gateway" {
@@ -51,9 +52,9 @@ resource "aws_subnet" "cluster-vpc-subnets-private" {
    availability_zone = "${element(var.aws_avail_zones, count.index)}"
    cidr_block = "${element(var.aws_cidr_subnets_private, count.index)}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
+      "Name", "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
-    }
+    ))}"
 }
 #Routing in VPC
@@ -66,9 +67,10 @@ resource "aws_route_table" "kubernetes-public" {
        cidr_block = "0.0.0.0/0"
        gateway_id = "${aws_internet_gateway.cluster-vpc-internetgw.id}"
    }
-    tags {
+
-        Name = "kubernetes-${var.aws_cluster_name}-routetable-public"
+    tags = "${merge(var.default_tags, map(
-    }
+      "Name", "kubernetes-${var.aws_cluster_name}-routetable-public"
    ))}"
 }
 resource "aws_route_table" "kubernetes-private" {
@@ -78,9 +80,11 @@ resource "aws_route_table" "kubernetes-private" {
        cidr_block = "0.0.0.0/0"
        nat_gateway_id = "${element(aws_nat_gateway.cluster-nat-gateway.*.id, count.index)}"
    }
-    tags {
+
-        Name = "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
+    tags = "${merge(var.default_tags, map(
-    }
+      "Name", "kubernetes-${var.aws_cluster_name}-routetable-private-${count.index}"
    ))}"
 }
 resource "aws_route_table_association" "kubernetes-public" {
@@ -104,9 +108,9 @@ resource "aws_security_group" "kubernetes" {
    name = "kubernetes-${var.aws_cluster_name}-securitygroup"
    vpc_id = "${aws_vpc.cluster-vpc.id}"
-    tags {
+    tags = "${merge(var.default_tags, map(
-        Name = "kubernetes-${var.aws_cluster_name}-securitygroup"
+      "Name", "kubernetes-${var.aws_cluster_name}-securitygroup"
-    }
+    ))}"
 }
 resource "aws_security_group_rule" "allow-all-ingress" {
--- a/contrib/terraform/aws/modules/vpc/outputs.tf
+++ b/contrib/terraform/aws/modules/vpc/outputs.tf
@@ -14,3 +14,8 @@ output "aws_security_group" {
    value = ["${aws_security_group.kubernetes.*.id}"]
 }
 output "default_tags" {
    value = "${var.default_tags}"
 }
--- a/contrib/terraform/aws/modules/vpc/variables.tf
+++ b/contrib/terraform/aws/modules/vpc/variables.tf
@@ -22,3 +22,8 @@ variable "aws_cidr_subnets_public" {
  description = "CIDR Blocks for public subnets in Availability zones"
  type    = "list"
 }
 variable "default_tags" {
  description = "Default tags for all resources"
  type = "map"
 }
--- a/contrib/terraform/aws/output.tf
+++ b/contrib/terraform/aws/output.tf
@@ -22,3 +22,7 @@ output "aws_elb_api_fqdn" {
 output "inventory" {
    value = "${data.template_file.inventory.rendered}"
 }
 output "default_tags" {
    value = "${var.default_tags}"
 }
--- a/contrib/terraform/aws/templates/inventory.tpl
+++ b/contrib/terraform/aws/templates/inventory.tpl
@@ -1,3 +1,4 @@
 [all]
 ${connection_strings_master}
 ${connection_strings_node}
 ${connection_strings_etcd}
@@ -24,5 +25,3 @@ kube-master
 [k8s-cluster:vars]
 ${elb_api_fqdn}
 ${elb_api_port}
 ${loadbalancer_apiserver_address}
--- a/contrib/terraform/aws/terraform.tfvars
+++ b/contrib/terraform/aws/terraform.tfvars
@@ -5,10 +5,8 @@ aws_cluster_name = "devtest"
 aws_vpc_cidr_block = "10.250.192.0/18"
 aws_cidr_subnets_private = ["10.250.192.0/20","10.250.208.0/20"]
 aws_cidr_subnets_public = ["10.250.224.0/20","10.250.240.0/20"]
 aws_avail_zones = ["us-west-2a","us-west-2b"]
 #Bastion Host
 aws_bastion_ami = "ami-db56b9a3"
 aws_bastion_size = "t2.medium"
@@ -23,10 +21,13 @@ aws_etcd_size = "t2.medium"
 aws_kube_worker_num = 4
 aws_kube_worker_size = "t2.medium"
 aws_cluster_ami = "ami-db56b9a3"
 #Settings AWS ELB
 aws_elb_api_port = 6443
 k8s_secure_api_port = 6443
 kube_insecure_apiserver_address = "0.0.0.0"
 default_tags = {
 #  Env = "devtest"
 #  Product = "kubernetes"
 }
--- a/contrib/terraform/aws/variables.tf
+++ b/contrib/terraform/aws/variables.tf
@@ -20,6 +20,21 @@ variable "aws_cluster_name" {
  description = "Name of AWS Cluster"
 }
 data "aws_ami" "distro" {
  most_recent = true
  filter {
    name   = "name"
    values = ["CoreOS-stable-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["595879546273"] #CoreOS
 }
 //AWS VPC Variables
@@ -27,11 +42,6 @@ variable "aws_vpc_cidr_block" {
  description = "CIDR Block for VPC"
 }
 variable "aws_avail_zones" {
  description = "Availability Zones Used"
  type = "list"
 }
 variable "aws_cidr_subnets_private" {
  description = "CIDR Blocks for private subnets in Availability Zones"
  type = "list"
@@ -44,10 +54,6 @@ variable "aws_cidr_subnets_public" {
 //AWS EC2 Settings
 variable "aws_bastion_ami" {
    description = "AMI ID for Bastion Host in chosen AWS Region"
 }
 variable "aws_bastion_size" {
    description = "EC2 Instance Size of Bastion Host"
 }
@@ -81,9 +87,6 @@ variable "aws_kube_worker_size" {
    description = "Instance size of Kubernetes Worker Nodes"
 }
 variable "aws_cluster_ami" {
    description = "AMI ID for Kubernetes Cluster"
 }
 /*
 * AWS ELB Settings
 *
@@ -96,6 +99,7 @@ variable "k8s_secure_api_port" {
    description = "Secure Port of K8S API Server"
 }
-variable "loadbalancer_apiserver_address" {
+variable "default_tags" {
-    description= "Bind Address for ELB of K8s API Server"
+  description = "Default tags for all resources"
  type = "map"
 }
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -5,65 +5,91 @@ Openstack.
 ## Status
-This will install a Kubernetes cluster on an Openstack Cloud. It has been tested on a
+This will install a Kubernetes cluster on an Openstack Cloud. It should work on
-OpenStack Cloud provided by [BlueBox](https://www.blueboxcloud.com/) and on OpenStack at [EMBL-EBI's](http://www.ebi.ac.uk/) [EMBASSY Cloud](http://www.embassycloud.org/). This should work on most modern installs of OpenStack that support the basic
+most modern installs of OpenStack that support the basic services.
 services.
-There are some assumptions made to try and ensure it will work on your openstack cluster.
+## Approach
 The terraform configuration inspects variables found in
 [variables.tf](variables.tf) to create resources in your OpenStack cluster.
 There is a [python script](../terraform.py) that reads the generated`.tfstate`
 file to generate a dynamic inventory that is consumed by the main ansible script
 to actually install kubernetes and stand up the cluster.
-* floating-ips are used for access, but you can have masters and nodes that don't use floating-ips if needed. You need currently at least 1 floating ip, which needs to be used on a master. If using more than one, at least one should be on a master for bastions to work fine.
+### Networking
-* you already have a suitable OS image in glance
+The configuration includes creating a private subnet with a router to the
-* you already have both an internal network and a floating-ip pool created
+external net. It will allocate floating-ips from a pool and assign them to the
-* you have security-groups enabled
+hosts where that makes sense. You have the option of creating bastion hosts
 inside the private subnet to access the nodes there.
 ### Kubernetes Nodes
 You can create many different kubernetes topologies by setting the number of
 different classes of hosts. For each class there are options for allocating
 floating ip addresses or not.
 - Master Nodes with etcd
 - Master nodes without etcd
 - Standalone etcd hosts
 - Kubernetes worker nodes
 Note that the ansible script will report an invalid configuration if you wind up
 with an even number of etcd instances since that is not a valid configuration.
 ### Gluster FS
 The terraform configuration supports provisioning of an optional GlusterFS
 shared file system based on a separate set of VMs. To enable this, you need to
 specify
 - the number of gluster hosts
 - Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks
 - Other properties related to provisioning the hosts
 Even if you are using Container Linux by CoreOS for your cluster, you will still
 need the GlusterFS VMs to be based on either Debian or RedHat based images,
 Container Linux by CoreOS cannot serve GlusterFS, but can connect to it through
 binaries available on hyperkube v1.4.3_coreos.0 or higher.
 ## Requirements
 - [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
 - [Install Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html)
 - you already have a suitable OS image in glance
 - you already have a floating-ip pool created
 - you have security-groups enabled
 - you have a pair of keys generated that can be used to secure the new hosts
 ## Module Architecture
 The configuration is divided into three modules:
 - Network
 - IPs
 - Compute
 The main reason for splitting the configuration up in this way is to easily
 accommodate situations where floating IPs are limited by a quota or if you have
 any external references to the floating IP (e.g. DNS) that would otherwise have
 to be updated.
 You can force your existing IPs by modifying the compute variables in
 `kubespray.tf` as
 ```
 k8s_master_fips = ["151.101.129.67"]
 k8s_node_fips = ["151.101.129.68"]
 ```
 ## Terraform
-
+Terraform will be used to provision all of the OpenStack resources. It is also
-Terraform will be used to provision all of the OpenStack resources. It is also used to deploy and provision the software
+used to deploy and provision the software requirements.
 requirements.
 ### Prep
 #### OpenStack
-Ensure your OpenStack **Identity v2** credentials are loaded in environment variables. This can be done by downloading a credentials .rc file from your OpenStack dashboard and sourcing it:
+Ensure your OpenStack **Identity v2** credentials are loaded in environment
 variables. This can be done by downloading a credentials .rc file from your
 OpenStack dashboard and sourcing it:
 ```
 $ source ~/.stackrc
 ```
 > You must set **OS_REGION_NAME** and **OS_TENANT_ID** environment variables not required by openstack CLI
 You will need two networks before installing, an internal network and
 an external (floating IP Pool) network. The internet network can be shared as
 we use security groups to provide network segregation. Due to the many
 differences between OpenStack installs the Terraform does not attempt to create
 these for you.
 By default Terraform will expect that your networks are called `internal` and
 `external`. You can change this by altering the Terraform variables `network_name` and `floatingip_pool`. This can be done on a new variables file or through environment variables.
 A full list of variables you can change can be found at [variables.tf](variables.tf).
 All OpenStack resources will use the Terraform variable `cluster_name` (
 default `example`) in their name to make it easier to track. For example the
 first compute resource will be named `example-kubernetes-1`.
 #### Terraform
 Ensure your local ssh-agent is running and your ssh key has been added. This
 step is required by the terraform provisioner:
 ```
 $ eval $(ssh-agent -s)
 $ ssh-add ~/.ssh/id_rsa
 ```
 Ensure that you have your Openstack credentials loaded into Terraform
 environment variables. Likely via a command similar to:
@@ -75,59 +101,106 @@ $ echo Setting up Terraform creds && \
  export TF_VAR_auth_url=${OS_AUTH_URL}
 ```
-##### Alternative: etcd inside masters
+### Terraform Variables
 The construction of the cluster is driven by values found in
 [variables.tf](variables.tf).
-If you want to provision master or node VMs that don't use floating ips and where etcd is inside masters, write on a `my-terraform-vars.tfvars` file, for example:
+The best way to set these values is to create a file in the project's root
 directory called something like`my-terraform-vars.tfvars`. Many of the
 variables are obvious. Here is a summary of some of the more interesting
 ones:
-```
+|Variable | Description |
-number_of_k8s_masters = "1"
+|---------|-------------|
-number_of_k8s_masters_no_floating_ip = "2"
+|`cluster_name` | All OpenStack resources will use the Terraform variable`cluster_name` (default`example`) in their name to make it easier to track. For example the first compute resource will be named`example-kubernetes-1`. |
-number_of_k8s_nodes_no_floating_ip = "1"
+|`network_name` | The name to be given to the internal network that will be generated |
-number_of_k8s_nodes = "0"
+|`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. | 
-```
+|`floatingip_pool` | Name of the pool from which floating IPs will be allocated |
-This will provision one VM as master using a floating ip, two additional masters using no floating ips (these will only have private ips inside your tenancy) and one VM as node, again without a floating ip.
+|`external_net` | UUID of the external network that will be routed to |
 |`flavor_k8s_master`,`flavor_k8s_node`,`flavor_etcd`, `flavor_bastion`,`flavor_gfs_node` | Flavor depends on your openstack installation, you can get available flavor IDs through`nova flavor-list` |
 |`image`,`image_gfs` | Name of the image to use in provisioning the compute resources. Should already be loaded into glance. |
 |`ssh_user`,`ssh_user_gfs` | The username to ssh into the image with. This usually depends on the image you have selected |
 |`public_key_path` | Path on your local workstation to the public key file you wish to use in creating the key pairs |
 |`number_of_k8s_masters`, `number_of_k8s_masters_no_floating_ip` | Number of nodes that serve as both master and etcd. These can be provisioned with or without floating IP addresses|
 |`number_of_k8s_masters_no_etcd`, `number_of_k8s_masters_no_floating_ip_no_etcd` |  Number of nodes that serve as just master with no etcd. These can be provisioned with or without floating IP addresses |
 |`number_of_etcd` | Number of pure etcd nodes |
 |`number_of_k8s_nodes`, `number_of_k8s_nodes_no_floating_ip` | Kubernetes worker nodes. These can be provisioned with or without floating ip addresses. |
 |`number_of_bastions` | Number of bastion hosts to create. Scripts assume this is really just zero or one |
 |`number_of_gfs_nodes_no_floating_ip` | Number of gluster servers to provision. |
 | `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks |
-##### Alternative: etcd on separate machines
+## Initializing Terraform
 Before Terraform can operate on your cluster you need to install required
 plugins. This is accomplished with the command
-If you want to provision master or node VMs that don't use floating ips and where **etcd is on separate nodes from Kubernetes masters**, write on a `my-terraform-vars.tfvars` file, for example:
+```bash
-
+$ terraform init contrib/terraform/openstack
 ```
 number_of_etcd = "3"
 number_of_k8s_masters = "0"
 number_of_k8s_masters_no_etcd = "1"
 number_of_k8s_masters_no_floating_ip = "0"
 number_of_k8s_masters_no_floating_ip_no_etcd = "2"
 number_of_k8s_nodes_no_floating_ip = "1"
 number_of_k8s_nodes = "2"
 flavor_k8s_node = "desired-flavor-id" 
 flavor_k8s_master = "desired-flavor-id"
 flavor_etcd = "desired-flavor-id"
 ```
-This will provision one VM as master using a floating ip, two additional masters using no floating ips (these will only have private ips inside your tenancy), two VMs as nodes with floating ips, one VM as node without floating ip and three VMs for etcd. 
+## Provisioning Cluster with Terraform
-
+You can apply the terraform config to your cluster with the following command
-##### Alternative: add GlusterFS
+issued from the project's root directory
-
+```bash
-Additionally, now the terraform based installation supports provisioning of a GlusterFS shared file system based on a separate set of VMs, running either a Debian or RedHat based set of VMs. To enable this, you need to add to your `my-terraform-vars.tfvars` the following variables:
+$ terraform apply -state=contrib/terraform/openstack/terraform.tfstate -var-file=my-terraform-vars.tfvars contrib/terraform/openstack
 ```
 # Flavour depends on your openstack installation, you can get available flavours through `nova flavor-list`
 flavor_gfs_node = "af659280-5b8a-42b5-8865-a703775911da"
 # This is the name of an image already available in your openstack installation.
 image_gfs = "Ubuntu 15.10"
 number_of_gfs_nodes_no_floating_ip = "3"
 # This is the size of the non-ephemeral volumes to be attached to store the GlusterFS bricks.
 gfs_volume_size_in_gb = "50"
 # The user needed for the image choosen for GlusterFS.
 ssh_user_gfs = "ubuntu"
 ```
-If these variables are provided, this will give rise to a new ansible group called `gfs-cluster`, for which we have added ansible roles to execute in the ansible provisioning step. If you are using Container Linux by CoreOS, these GlusterFS VM necessarily need to be either Debian or RedHat based VMs, Container Linux by CoreOS cannot serve GlusterFS, but can connect to it through binaries available on hyperkube v1.4.3_coreos.0 or higher.
+if you chose to create a bastion host, this script will create
 `contrib/terraform/openstack/k8s-cluster.yml` with an ssh command for ansible to
 be able to access your machines tunneling  through the bastion's ip adress. If
 you want to manually handle the ssh tunneling to these machines, please delete
 or move that file. If you want to use this, just leave it there, as ansible will
 pick it up automatically.
 # Configure Cluster variables
-Edit `inventory/group_vars/all.yml`:
+## Destroying Cluster with Terraform
 You can destroy a config deployed to your cluster with the following command
 issued from the project's root directory
 ```bash
 $ terraform destroy -state=contrib/terraform/openstack/terraform.tfstate -var-file=my-terraform-vars.tfvars contrib/terraform/openstack
 ```
 ## Debugging Cluster Provisioning
 You can enable debugging output from Terraform by setting
 `OS_DEBUG` to 1 and`TF_LOG` to`DEBUG` before runing the terraform command
 # Running the Ansible Script
 Ensure your local ssh-agent is running and your ssh key has been added. This
 step is required by the terraform provisioner:
 ```
 $ eval $(ssh-agent -s)
 $ ssh-add ~/.ssh/id_rsa
 ```
 Make sure you can connect to the hosts:
 ```
 $ ansible -i contrib/terraform/openstack/hosts -m ping all
 example-k8s_node-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
 }
 example-etcd-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
 }
 example-k8s-master-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
 }
 ```
 if you are deploying a system that needs bootstrapping, like Container Linux by
 CoreOS, these might have a state`FAILED` due to Container Linux by CoreOS not
 having python. As long as the state is not`UNREACHABLE`, this is fine.
 if it fails try to connect manually via SSH ... it could be something as simple as a stale host key.
 ## Configure Cluster variables
 Edit`inventory/group_vars/all.yml`:
 - Set variable **bootstrap_os** according selected image
 ```
 # Valid bootstrap options (required): ubuntu, coreos, centos, none
@@ -145,7 +218,7 @@ bin_dir: /opt/bin
 ```
 cloud_provider: openstack
 ```
-Edit `inventory/group_vars/k8s-cluster.yml`:
+Edit`inventory/group_vars/k8s-cluster.yml`:
 - Set variable **kube_network_plugin** according selected networking
 ```
 # Choose network plugin (calico, weave or flannel)
@@ -166,63 +239,13 @@ resolvconf_mode: host_resolvconf
 For calico configure OpenStack Neutron ports: [OpenStack](/docs/openstack.md)
-# Provision a Kubernetes Cluster on OpenStack
+## Deploy kubernetes:
 If not using a tfvars file for your setup, then execute:
 ```
 terraform apply -state=contrib/terraform/openstack/terraform.tfstate contrib/terraform/openstack
 openstack_compute_secgroup_v2.k8s_master: Creating...
  description: "" => "example - Kubernetes Master"
  name:        "" => "example-k8s-master"
  rule.#:      "" => "<computed>"
 ...
 ...
 Apply complete! Resources: 9 added, 0 changed, 0 destroyed.
 The state of your infrastructure has been saved to the path
 below. This state is required to modify and destroy your
 infrastructure, so keep it safe. To inspect the complete state
 use the `terraform show` command.
 State path: contrib/terraform/openstack/terraform.tfstate
 ```
 Alternatively, if you wrote your terraform variables on a file `my-terraform-vars.tfvars`, your command would look like:
 ```
 terraform apply -state=contrib/terraform/openstack/terraform.tfstate -var-file=my-terraform-vars.tfvars contrib/terraform/openstack
 ```
 if you choose to add masters or nodes without floating ips (only internal ips on your OpenStack tenancy), this script will create as well a file `contrib/terraform/openstack/k8s-cluster.yml` with an ssh command for ansible to be able to access your machines tunneling  through the first floating ip used. If you want to manually handling the ssh tunneling to these machines, please delete or move that file. If you want to use this, just leave it there, as ansible will pick it up automatically.
 Make sure you can connect to the hosts:
 ```
 $ ansible -i contrib/terraform/openstack/hosts -m ping all
 example-k8s_node-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
 }
 example-etcd-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
 }
 example-k8s-master-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
 }
 ```
 if you are deploying a system that needs bootstrapping, like Container Linux by CoreOS, these might have a state `FAILED` due to Container Linux by CoreOS not having python. As long as the state is not `UNREACHABLE`, this is fine.
 if it fails try to connect manually via SSH ... it could be somthing as simple as a stale host key.
 Deploy kubernetes:
 ```
 $ ansible-playbook --become -i contrib/terraform/openstack/hosts cluster.yml
 ```
-# Set up local kubectl
+## Set up local kubectl
 1. Install kubectl on your workstation:
 [Install and Set Up kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 2. Add route to internal IP of master node (if needed):
@@ -243,8 +266,7 @@ ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-[cluster_name]-k8s-
 ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-[cluster_name]-k8s-master-1.pem > admin.pem
 ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/ca.pem > ca.pem
 ```
-5. Edit OpenStack Neutron master's Security Group to allow TCP connections to port 6443
+5. Configure kubectl:
 6. Configure kubectl:
 ```
 kubectl config set-cluster default-cluster --server=https://[master-internal-ip]:6443 \
    --certificate-authority=ca.pem
@@ -262,19 +284,24 @@ kubectl config use-context default-system
 kubectl version
 ```
 If you are using floating ip addresses then you may get this error:
 ```
 Unable to connect to the server: x509: certificate is valid for 10.0.0.6, 10.0.0.6, 10.233.0.1, 127.0.0.1, not 132.249.238.25
 ```
 You can tell kubectl to ignore this condition by adding the
 `--insecure-skip-tls-verify` option.
 ## GlusterFS
 GlusterFS is not deployed by the standard`cluster.yml` playbook, see the
 [glusterfs playbook documentation](../../network-storage/glusterfs/README.md)
 for instructions.
 Basically you will install gluster as
 ```bash
 $ ansible-playbook --become -i contrib/terraform/openstack/hosts ./contrib/network-storage/glusterfs/glusterfs.yml
 ```
 # What's next
 [Start Hello Kubernetes Service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/)
 # clean up:
 ```
 $ terraform destroy
 Do you really want to destroy?
  Terraform will delete all your managed infrastructure.
  There is no undo. Only 'yes' will be accepted to confirm.
  Enter a value: yes
 ...
 ...
 Apply complete! Resources: 0 added, 0 changed, 12 destroyed.
 ```
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -1,226 +1,55 @@
 resource "openstack_networking_floatingip_v2" "k8s_master" {
    count = "${var.number_of_k8s_masters + var.number_of_k8s_masters_no_etcd}"
    pool = "${var.floatingip_pool}"
 }
-resource "openstack_networking_floatingip_v2" "k8s_node" {
+module "network" {
-    count = "${var.number_of_k8s_nodes}"
+  source = "modules/network"
-    pool = "${var.floatingip_pool}"
+
  external_net = "${var.external_net}"
  network_name = "${var.network_name}"
  cluster_name = "${var.cluster_name}"
  dns_nameservers = "${var.dns_nameservers}"
 }
-resource "openstack_compute_keypair_v2" "k8s" {
+module "ips" {
-    name = "kubernetes-${var.cluster_name}"
+  source = "modules/ips"
-    public_key = "${file(var.public_key_path)}"
+
  number_of_k8s_masters = "${var.number_of_k8s_masters}"
  number_of_k8s_masters_no_etcd = "${var.number_of_k8s_masters_no_etcd}"
  number_of_k8s_nodes = "${var.number_of_k8s_nodes}"
  floatingip_pool = "${var.floatingip_pool}"
  number_of_bastions = "${var.number_of_bastions}"
  external_net = "${var.external_net}"
  network_name = "${var.network_name}"
  router_id = "${module.network.router_id}"
 }
-resource "openstack_compute_secgroup_v2" "k8s_master" {
+module "compute" {
-    name = "${var.cluster_name}-k8s-master"
+  source = "modules/compute"
-    description = "${var.cluster_name} - Kubernetes Master"
+
  cluster_name = "${var.cluster_name}"
  number_of_k8s_masters = "${var.number_of_k8s_masters}"
  number_of_k8s_masters_no_etcd = "${var.number_of_k8s_masters_no_etcd}"
  number_of_etcd = "${var.number_of_etcd}"
  number_of_k8s_masters_no_floating_ip = "${var.number_of_k8s_masters_no_floating_ip}"
  number_of_k8s_masters_no_floating_ip_no_etcd = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
  number_of_k8s_nodes = "${var.number_of_k8s_nodes}"
  number_of_bastions = "${var.number_of_bastions}"
  number_of_k8s_nodes_no_floating_ip = "${var.number_of_k8s_nodes_no_floating_ip}"
  number_of_gfs_nodes_no_floating_ip = "${var.number_of_gfs_nodes_no_floating_ip}"
  gfs_volume_size_in_gb = "${var.gfs_volume_size_in_gb}"
  public_key_path = "${var.public_key_path}"
  image = "${var.image}"
  image_gfs = "${var.image_gfs}"
  ssh_user = "${var.ssh_user}"
  ssh_user_gfs = "${var.ssh_user_gfs}"
  flavor_k8s_master = "${var.flavor_k8s_master}"
  flavor_k8s_node = "${var.flavor_k8s_node}"
  flavor_etcd = "${var.flavor_etcd}"
  flavor_gfs_node = "${var.flavor_gfs_node}"
  network_name = "${var.network_name}"
  flavor_bastion = "${var.flavor_bastion}"
  k8s_master_fips = "${module.ips.k8s_master_fips}"
  k8s_node_fips = "${module.ips.k8s_node_fips}"
  bastion_fips = "${module.ips.bastion_fips}"
  network_id = "${module.network.router_id}"
 }
 resource "openstack_compute_secgroup_v2" "k8s" {
    name = "${var.cluster_name}-k8s"
    description = "${var.cluster_name} - Kubernetes"
    rule {
        ip_protocol = "tcp"
        from_port = "22"
        to_port = "22"
        cidr = "0.0.0.0/0"
    }
    rule {
        ip_protocol = "icmp"
        from_port = "-1"
        to_port = "-1"
        cidr = "0.0.0.0/0"
    }
    rule {
        ip_protocol = "tcp"
        from_port = "1"
        to_port = "65535"
        self = true
    }
    rule {
        ip_protocol = "udp"
        from_port = "1"
        to_port = "65535"
        self = true
    }
    rule {
        ip_protocol = "icmp"
        from_port = "-1"
        to_port = "-1"
        self = true
    }
 }
 resource "openstack_compute_instance_v2" "k8s_master" {
    name = "${var.cluster_name}-k8s-master-${count.index+1}"
    count = "${var.number_of_k8s_masters}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}" ]
    floating_ip = "${element(openstack_networking_floatingip_v2.k8s_master.*.address, count.index)}"
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault"
    }
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
    name = "${var.cluster_name}-k8s-master-ne-${count.index+1}"
    count = "${var.number_of_k8s_masters_no_etcd}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}" ]
    floating_ip = "${element(openstack_networking_floatingip_v2.k8s_master.*.address, count.index + var.number_of_k8s_masters)}"
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-master,kube-node,k8s-cluster,vault"
    }
 }
 resource "openstack_compute_instance_v2" "etcd" {
    name = "${var.cluster_name}-etcd-${count.index+1}"
    count = "${var.number_of_etcd}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_etcd}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "etcd,vault,no-floating"
    }
    provisioner "local-exec" {
        command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(openstack_networking_floatingip_v2.k8s_master.*.address, 0)}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
    } 
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
    name = "${var.cluster_name}-k8s-master-nf-${count.index+1}"
    count = "${var.number_of_k8s_masters_no_floating_ip}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault,no-floating"
    }
    provisioner "local-exec" {
        command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(openstack_networking_floatingip_v2.k8s_master.*.address, 0)}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
    }
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
    name = "${var.cluster_name}-k8s-master-ne-nf-${count.index+1}"
    count = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-master,kube-node,k8s-cluster,vault,no-floating"
    }
    provisioner "local-exec" {
        command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(openstack_networking_floatingip_v2.k8s_master.*.address, 0)}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
    }
 }
 resource "openstack_compute_instance_v2" "k8s_node" {
    name = "${var.cluster_name}-k8s-node-${count.index+1}"
    count = "${var.number_of_k8s_nodes}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_node}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = ["${openstack_compute_secgroup_v2.k8s.name}" ]
    floating_ip = "${element(openstack_networking_floatingip_v2.k8s_node.*.address, count.index)}"
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-node,k8s-cluster,vault"
    }
 }
 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
    name = "${var.cluster_name}-k8s-node-nf-${count.index+1}"
    count = "${var.number_of_k8s_nodes_no_floating_ip}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_node}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = ["${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-node,k8s-cluster,vault,no-floating"
    }
    provisioner "local-exec" {
 	command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(openstack_networking_floatingip_v2.k8s_master.*.address, 0)}/ > contrib/terraform/openstack/group_vars/no-floating.yml"        
    }
 }
 resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
  name = "${var.cluster_name}-gfs-nephe-vol-${count.index+1}"
  count = "${var.number_of_gfs_nodes_no_floating_ip}"
  description = "Non-ephemeral volume for GlusterFS"
  size = "${var.gfs_volume_size_in_gb}"
 }
 resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
    name = "${var.cluster_name}-gfs-node-nf-${count.index+1}"
    count = "${var.number_of_gfs_nodes_no_floating_ip}"
    image_name = "${var.image_gfs}"
    flavor_id = "${var.flavor_gfs_node}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = ["${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user_gfs}"
        kubespray_groups = "gfs-cluster,network-storage"
    }
    volume {
        volume_id = "${element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)}"
    }
    provisioner "local-exec" {
 	command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(openstack_networking_floatingip_v2.k8s_master.*.address, 0)}/ > contrib/terraform/openstack/group_vars/gfs-cluster.yml"        
    }
 }
 #output "msg" {
 #    value = "Your hosts are ready to go!\nYour ssh hosts are: ${join(", ", openstack_networking_floatingip_v2.k8s_master.*.address )}"
 #}
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -0,0 +1,280 @@
 variable user_data  {
  type    = "string"
  default = <<EOF
 #cloud-config
 manage_etc_hosts: localhost
 package_update: true
 package_upgrade: true
 EOF
 }
 resource "openstack_compute_keypair_v2" "k8s" {
    name = "kubernetes-${var.cluster_name}"
    public_key = "${chomp(file(var.public_key_path))}"
 }
 resource "openstack_compute_secgroup_v2" "k8s_master" {
    name = "${var.cluster_name}-k8s-master"
    description = "${var.cluster_name} - Kubernetes Master"
    rule {
        ip_protocol = "tcp"
        from_port = "6443"
        to_port = "6443"
        cidr = "0.0.0.0/0"
    }
 }
 resource "openstack_compute_secgroup_v2" "bastion" {
    name = "${var.cluster_name}-bastion"
    description = "${var.cluster_name} - Bastion Server"
    rule {
        ip_protocol = "tcp"
        from_port = "22"
        to_port = "22"
        cidr = "0.0.0.0/0"
    }
 }
 resource "openstack_compute_secgroup_v2" "k8s" {
    name = "${var.cluster_name}-k8s"
    description = "${var.cluster_name} - Kubernetes"
    rule {
        ip_protocol = "icmp"
        from_port = "-1"
        to_port = "-1"
        cidr = "0.0.0.0/0"
    }
    rule {
        ip_protocol = "tcp"
        from_port = "1"
        to_port = "65535"
        self = true
    }
    rule {
        ip_protocol = "udp"
        from_port = "1"
        to_port = "65535"
        self = true
    }
    rule {
        ip_protocol = "icmp"
        from_port = "-1"
        to_port = "-1"
        self = true
    }
 }
 resource "openstack_compute_instance_v2" "bastion" {
    name = "${var.cluster_name}-bastion-${count.index+1}"
    count = "${var.number_of_bastions}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_bastion}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}",
                        "${openstack_compute_secgroup_v2.bastion.name}",
                        "default" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "bastion"
        depends_on = "${var.network_id}"
    }
    provisioner "local-exec" {
 	     command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "k8s_master" {
    name = "${var.cluster_name}-k8s-master-${count.index+1}"
    count = "${var.number_of_k8s_masters}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.bastion.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}",
                        "default" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
    name = "${var.cluster_name}-k8s-master-ne-${count.index+1}"
    count = "${var.number_of_k8s_masters_no_etcd}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-master,kube-node,k8s-cluster,vault"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "etcd" {
    name = "${var.cluster_name}-etcd-${count.index+1}"
    count = "${var.number_of_etcd}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_etcd}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "etcd,vault,no-floating"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
    name = "${var.cluster_name}-k8s-master-nf-${count.index+1}"
    count = "${var.number_of_k8s_masters_no_floating_ip}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}",
                        "default" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault,no-floating"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
    name = "${var.cluster_name}-k8s-master-ne-nf-${count.index+1}"
    count = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_master}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
                        "${openstack_compute_secgroup_v2.k8s.name}" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-master,kube-node,k8s-cluster,vault,no-floating"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "k8s_node" {
    name = "${var.cluster_name}-k8s-node-${count.index+1}"
    count = "${var.number_of_k8s_nodes}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_node}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}",
                        "${openstack_compute_secgroup_v2.bastion.name}",
                        "default" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-node,k8s-cluster"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
    name = "${var.cluster_name}-k8s-node-nf-${count.index+1}"
    count = "${var.number_of_k8s_nodes_no_floating_ip}"
    image_name = "${var.image}"
    flavor_id = "${var.flavor_k8s_node}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}",
                        "default" ]
    metadata = {
        ssh_user = "${var.ssh_user}"
        kubespray_groups = "kube-node,k8s-cluster,no-floating"
        depends_on = "${var.network_id}"
    }
    user_data = "${var.user_data}"
 }
 resource "openstack_compute_floatingip_associate_v2" "bastion" {
    count = "${var.number_of_bastions}"
    floating_ip = "${var.bastion_fips[count.index]}"
    instance_id = "${element(openstack_compute_instance_v2.bastion.*.id, count.index)}"
 }
 resource "openstack_compute_floatingip_associate_v2" "k8s_master" {
    count = "${var.number_of_k8s_masters}"
    instance_id = "${element(openstack_compute_instance_v2.k8s_master.*.id, count.index)}"
    floating_ip = "${var.k8s_master_fips[count.index]}"
 }
 resource "openstack_compute_floatingip_associate_v2" "k8s_node" {
    count = "${var.number_of_k8s_nodes}"
    floating_ip = "${var.k8s_node_fips[count.index]}"
    instance_id = "${element(openstack_compute_instance_v2.k8s_node.*.id, count.index)}"
 }
 resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
  name = "${var.cluster_name}-glusterfs_volume-${count.index+1}"
  count = "${var.number_of_gfs_nodes_no_floating_ip}"
  description = "Non-ephemeral volume for GlusterFS"
  size = "${var.gfs_volume_size_in_gb}"
 }
 resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
    name = "${var.cluster_name}-gfs-node-nf-${count.index+1}"
    count = "${var.number_of_gfs_nodes_no_floating_ip}"
    image_name = "${var.image_gfs}"
    flavor_id = "${var.flavor_gfs_node}"
    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
    network {
        name = "${var.network_name}"
    }
    security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
                        "default" ]
    metadata = {
        ssh_user = "${var.ssh_user_gfs}"
        kubespray_groups = "gfs-cluster,network-storage,no-floating"
        depends_on = "${var.network_id}"
    }
    user_data = "#cloud-config\nmanage_etc_hosts: localhost\npackage_update: true\npackage_upgrade: true"
 }
 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
  count = "${var.number_of_gfs_nodes_no_floating_ip}"
  instance_id = "${element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)}"
  volume_id   = "${element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)}"
 }
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -0,0 +1,83 @@
 variable "cluster_name" {
 }
 variable "number_of_k8s_masters" {
 }
 variable "number_of_k8s_masters_no_etcd" {
 }
 variable "number_of_etcd" {
 }
 variable "number_of_k8s_masters_no_floating_ip" {
 }
 variable "number_of_k8s_masters_no_floating_ip_no_etcd" {
 }
 variable "number_of_k8s_nodes" {
 }
 variable "number_of_k8s_nodes_no_floating_ip" {
 }
 variable "number_of_bastions" {
 }
 variable "number_of_gfs_nodes_no_floating_ip" {
 }
 variable "gfs_volume_size_in_gb" {
 }
 variable "public_key_path" {
 }
 variable "image" {
 }
 variable "image_gfs" {
 }
 variable "ssh_user" {
 }
 variable "ssh_user_gfs" {
 }
 variable "flavor_k8s_master" {
 }
 variable "flavor_k8s_node" {
 }
 variable "flavor_etcd" {
 }
 variable "flavor_gfs_node" {
 }
 variable "network_name" {
 }
 variable "flavor_bastion" {
 }
 variable "network_id"{
 }
 variable "k8s_master_fips" {
  type = "list"
 }
 variable "k8s_node_fips" {
  type = "list"
 }
 variable "bastion_fips" {
  type = "list"
 }
--- a/contrib/terraform/openstack/modules/ips/main.tf
+++ b/contrib/terraform/openstack/modules/ips/main.tf
@@ -0,0 +1,24 @@
 resource "null_resource" "dummy_dependency" {
  triggers {
    dependency_id = "${var.router_id}"
  }
 }
 resource "openstack_networking_floatingip_v2" "k8s_master" {
    count = "${var.number_of_k8s_masters}"
    pool = "${var.floatingip_pool}"
    depends_on = ["null_resource.dummy_dependency"]
 }
 resource "openstack_networking_floatingip_v2" "k8s_node" {
    count = "${var.number_of_k8s_nodes}"
    pool = "${var.floatingip_pool}"
    depends_on = ["null_resource.dummy_dependency"]
 }
 resource "openstack_networking_floatingip_v2" "bastion" {
    count = "${var.number_of_bastions}"
    pool = "${var.floatingip_pool}"
    depends_on = ["null_resource.dummy_dependency"]
 }
--- a/contrib/terraform/openstack/modules/ips/outputs.tf
+++ b/contrib/terraform/openstack/modules/ips/outputs.tf
@@ -0,0 +1,11 @@
 output "k8s_master_fips" {
    value = ["${openstack_networking_floatingip_v2.k8s_master.*.address}"]
 }
 output "k8s_node_fips" {
    value = ["${openstack_networking_floatingip_v2.k8s_node.*.address}"]
 }
 output "bastion_fips" {
    value = ["${openstack_networking_floatingip_v2.bastion.*.address}"]
 }
--- a/contrib/terraform/openstack/modules/ips/variables.tf
+++ b/contrib/terraform/openstack/modules/ips/variables.tf
@@ -0,0 +1,26 @@
 variable "number_of_k8s_masters" {
 }
 variable "number_of_k8s_masters_no_etcd" {
 }
 variable "number_of_k8s_nodes" {
 }
 variable "floatingip_pool" {
 }
 variable "number_of_bastions" {
 }
 variable "external_net" {
 }
 variable "network_name" {
 }
 variable "router_id"{
 }
--- a/contrib/terraform/openstack/modules/network/main.tf
+++ b/contrib/terraform/openstack/modules/network/main.tf
@@ -0,0 +1,24 @@
 resource "openstack_networking_router_v2" "k8s" {
  name             = "${var.cluster_name}-router"
  admin_state_up   = "true"
  external_gateway = "${var.external_net}"
 }
 resource "openstack_networking_network_v2" "k8s" {
  name           = "${var.network_name}"
  admin_state_up = "true"
 }
 resource "openstack_networking_subnet_v2" "k8s" {
  name            = "${var.cluster_name}-internal-network"
  network_id      = "${openstack_networking_network_v2.k8s.id}"
  cidr            = "10.0.0.0/24"
  ip_version      = 4
  dns_nameservers = "${var.dns_nameservers}"
 }
 resource "openstack_networking_router_interface_v2" "k8s" {
  router_id = "${openstack_networking_router_v2.k8s.id}"
  subnet_id = "${openstack_networking_subnet_v2.k8s.id}"
 }
--- a/contrib/terraform/openstack/modules/network/outputs.tf
+++ b/contrib/terraform/openstack/modules/network/outputs.tf
@@ -0,0 +1,7 @@
 output "router_id" {
    value = "${openstack_networking_router_interface_v2.k8s.id}"
 }
 output "network_id" {
    value = "${openstack_networking_subnet_v2.k8s.id}"
 }
--- a/contrib/terraform/openstack/modules/network/variables.tf
+++ b/contrib/terraform/openstack/modules/network/variables.tf
@@ -0,0 +1,13 @@
 variable "external_net" {
 }
 variable "network_name" {
 }
 variable "cluster_name" {
 }
 variable "dns_nameservers"{
  type = "list"
 }
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -2,6 +2,10 @@ variable "cluster_name" {
  default = "example"
 }
 variable "number_of_bastions" {
  default = 1
 }
 variable "number_of_k8s_masters" {
  default = 2
 }
@@ -63,19 +67,28 @@ variable "ssh_user_gfs" {
  default = "ubuntu"
 }
 variable "flavor_bastion" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
  default = 3
 }
 variable "flavor_k8s_master" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
  default = 3
 }
 variable "flavor_k8s_node" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
  default = 3
 }
 variable "flavor_etcd" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
  default = 3
 }
 variable "flavor_gfs_node" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
  default = 3
 }
@@ -84,11 +97,21 @@ variable "network_name" {
  default = "internal"
 }
 variable "dns_nameservers"{
  description = "An array of DNS name server names used by hosts in this subnet."
  type = "list"
  default = []
 }
 variable "floatingip_pool" {
  description = "name of the floating ip pool to use"
  default = "external"
 }
 variable "external_net" {
  description = "uuid of the external/public network"
 }
 variable "username" {
  description = "Your openstack username"
 }
--- a/contrib/terraform/terraform.py
+++ b/contrib/terraform/terraform.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
 #
 # Copyright 2015 Cisco Systems, Inc.
 #
@@ -70,6 +70,14 @@ def iterhosts(resources):
        yield parser(resource, module_name)
 def iterips(resources):
    '''yield ip tuples of (instance_id, ip)'''
    for module_name, key, resource in resources:
        resource_type, name = key.split('.', 1)
        if resource_type == 'openstack_compute_floatingip_associate_v2':
            yield openstack_floating_ips(resource)
 def parses(prefix):
    def inner(func):
        PARSERS[prefix] = func
@@ -298,6 +306,17 @@ def softlayer_host(resource, module_name):
    return name, attrs, groups
 def openstack_floating_ips(resource):
    raw_attrs = resource['primary']['attributes']
    attrs = {
        'ip': raw_attrs['floating_ip'],
        'instance_id': raw_attrs['instance_id'],
    }
    return attrs
 def openstack_floating_ips(resource):
    raw_attrs = resource['primary']['attributes']
    return raw_attrs['instance_id'], raw_attrs['floating_ip']
@parses('openstack_compute_instance_v2')
@calculate_mantl_vars
@@ -343,6 +362,8 @@ def openstack_host(resource, module_name):
    except (KeyError, ValueError):
        attrs.update({'ansible_ssh_host': '', 'publicly_routable': False})
    # Handling of floating IPs has changed: https://github.com/terraform-providers/terraform-provider-openstack/blob/master/CHANGELOG.md#010-june-21-2017
    # attrs specific to Ansible
    if 'metadata.ssh_user' in raw_attrs:
        attrs['ansible_ssh_user'] = raw_attrs['metadata.ssh_user']
@@ -656,6 +677,19 @@ def clc_server(resource, module_name):
    return name, attrs, groups
 def iter_host_ips(hosts, ips):
    '''Update hosts that have an entry in the floating IP list'''
    for host in hosts:
        host_id = host[1]['id']
        if host_id in ips:
            ip = ips[host_id]
            host[1].update({
                'access_ip_v4': ip,
                'public_ipv4': ip,
                'ansible_ssh_host': ip,
            })
        yield host
 ## QUERY TYPES
 def query_host(hosts, target):
@@ -727,6 +761,13 @@ def main():
        parser.exit()
    hosts = iterhosts(iterresources(tfstates(args.root)))
    # Perform a second pass on the file to pick up floating_ip entries to update the ip address of referenced hosts
    ips = dict(iterips(iterresources(tfstates(args.root))))
    if ips:
        hosts = iter_host_ips(hosts, ips)
    if args.list:
        output = query_list(hosts)
        if args.nometa:
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -157,7 +157,7 @@ ansible-playbook -i inventory/inventory.ini cluster.yml  --tags preinstall,dnsma
 ```
 And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:
 ```
-ansible-playbook -i inventory/inventory.ini -e dns_server='' cluster.yml --tags resolvconf
+ansible-playbook -i inventory/inventory.ini -e dnsmasq_dns_server='' cluster.yml --tags resolvconf
 ```
 And this prepares all container images localy (at the ansible runner node) without installing
 or upgrading related stuff or trying to upload container to K8s cluster nodes:
--- a/docs/contiv.md
+++ b/docs/contiv.md
@@ -0,0 +1,74 @@
 Contiv
 ======
 Here is the [Contiv documentation](http://contiv.github.io/documents/).
 ## Administrate Contiv
 There are two ways to manage Contiv:
 * a web UI managed by the api proxy service
 * a CLI named `netctl`
 ### Interfaces
 #### The Web Interface
 This UI is hosted on all kubernetes master nodes. The service is available at `https://<one of your master node>:10000`.
 You can configure the api proxy by overriding the following variables:
 ```yaml
 contiv_enable_api_proxy: true
 contiv_api_proxy_port: 10000
 contiv_generate_certificate: true
 ```
 The default credentials to log in are: admin/admin.
 #### The Command Line Interface
 The second way to modify the Contiv configuration is to use the CLI. To do this, you have to connect to the server and export an environment variable to tell netctl how to connect to the cluster:
 ```bash
 export NETMASTER=http://127.0.0.1:9999
 ```
 The port can be changed by overriding the following variable:
 ```yaml
 contiv_netmaster_port: 9999
 ```
 The CLI doesn't use the authentication process needed by the web interface.
 ### Network configuration
 The default configuration uses VXLAN to create an overlay. Two networks are created by default:
 * `contivh1`: an infrastructure network. It allows nodes to access the pods IPs. It is mandatory in a Kubernetes environment that uses VXLAN.
 * `default-net` : the default network that hosts pods.
 You can change the default network configuration by overriding the `contiv_networks` variable.
 The default forward mode is set to routing:
 ```yaml
 contiv_fwd_mode: routing
 ```
 The following is an example of how you can use VLAN instead of VXLAN:
 ```yaml
 contiv_fwd_mode: bridge
 contiv_vlan_interface: eth0
 contiv_networks:
  - name: default-net
    subnet: "{{ kube_pods_subnet }}"
    gateway: "{{ kube_pods_subnet|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
    encap: vlan
    pkt_tag: 10
 ```
--- a/docs/debian.md
+++ b/docs/debian.md
@@ -0,0 +1,38 @@
 Debian Jessie
 ===============
 Debian Jessie installation Notes:
 - Add 
  ```GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"```
  to /etc/default/grub. Then update with
  ```
   sudo update-grub
   sudo update-grub2
   sudo reboot
  ```
 - Add the [backports](https://backports.debian.org/Instructions/) which contain Systemd 2.30 and update Systemd.
  ```apt-get -t jessie-backports install systemd```
  (Necessary because the default Systemd version (2.15) does not support the "Delegate" directive in service files)
 - Add the Ansible repository and install Ansible to get a proper version
  ```
  sudo add-apt-repository ppa:ansible/ansible
  sudo apt-get update
  sudo apt-get install ansible
  ```
 - Install Jinja2 and Python-Netaddr
  ```sudo apt-get install python-jinja2=2.8-1~bpo8+1 python-netaddr```
 Now you can continue with [Preparing your deployment](getting-started.md#starting-custom-deployment)
--- a/docs/dns-stack.md
+++ b/docs/dns-stack.md
@@ -50,7 +50,7 @@ DNS modes supported by Kubespray
 You can modify how Kubespray sets up DNS for your cluster with the variables ``dns_mode`` and ``resolvconf_mode``.
 ## dns_mode
-``dns_mode`` configures how Kubespray will setup cluster DNS. There are three modes available:
+``dns_mode`` configures how Kubespray will setup cluster DNS. There are four modes available:
 #### dnsmasq_kubedns (default)
 This installs an additional dnsmasq DaemonSet which gives more flexibility and lifts some
@@ -62,6 +62,12 @@ other queries are forwardet to the nameservers found in ``upstream_dns_servers``
 This does not install the dnsmasq DaemonSet and instructs kubelet to directly use kubedns/skydns for
 all queries.
 #### manual
 This does not install dnsmasq or kubedns, but allows you to specify
 `manual_dns_server`, which will be configured on nodes for handling Pod DNS.
 Use this method if you plan to install your own DNS server in the cluster after
 initial deployment.
 #### none
 This does not install any of dnsmasq and kubedns/skydns. This basically disables cluster DNS completely and
 leaves you with a non functional cluster.
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -75,7 +75,7 @@ kube-apiserver via port 8080. A kubeconfig file is not necessary in this case,
 because kubectl will use http://localhost:8080 to connect. The kubeconfig files
 generated will point to localhost (on kube-masters) and kube-node hosts will
 connect either to a localhost nginx proxy or to a loadbalancer if configured.
-More details on this process are in the [HA guide](ha.md).
+More details on this process are in the [HA guide](ha-mode.md).
 Kubespray permits connecting to the cluster remotely on any IP of any 
 kube-master host on port 6443 by default. However, this requires 
@@ -93,14 +93,19 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
 Accessing Kubernetes Dashboard
 ------------------------------
-If the variable `dashboard_enabled` is set (default is true), then you can
+As of kubernetes-dashboard v1.7.x:
-access the Kubernetes Dashboard at the following URL:
+* New login options that use apiserver auth proxying of token/basic/kubeconfig by default
 * Requires RBAC in authorization_modes
 * Only serves over https
 * No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL
-  https://kube:_kube-password_@_host_:6443/ui/
+If the variable `dashboard_enabled` is set (default is true), then you can access the Kubernetes Dashboard at the following URL, You will be prompted for credentials:
 https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
-To see the password, refer to the section above, titled *Connecting to
+Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from:
-Kubernetes*. The host can be any kube-master or kube-node or loadbalancer
+http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
-(when enabled).
+
 It is recommended to access dashboard from behind a gateway (like Ingress Controller) that enforces an authentication token. Details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
 Accessing Kubernetes API
 ------------------------
--- a/docs/ha-mode.md
+++ b/docs/ha-mode.md
@@ -27,19 +27,21 @@ non-master Kubernetes node. This is referred to as localhost loadbalancing. It
 is less efficient than a dedicated load balancer because it creates extra
 health checks on the Kubernetes apiserver, but is more practical for scenarios
 where an external LB or virtual IP management is inconvenient.  This option is
-configured by the variable `loadbalancer_apiserver_localhost` (defaults to `True`).
+configured by the variable `loadbalancer_apiserver_localhost` (defaults to
 `True`. Or `False`, if there is an external `loadbalancer_apiserver` defined).
 You may also define the port the local internal loadbalancer uses by changing,
-`nginx_kube_apiserver_port`.  This defaults to the value of `kube_apiserver_port`.
+`nginx_kube_apiserver_port`.  This defaults to the value of
-It is also important to note that Kubespray will only configure kubelet and kube-proxy
+`kube_apiserver_port`. It is also important to note that Kubespray will only
-on non-master nodes to use the local internal loadbalancer.
+configure kubelet and kube-proxy on non-master nodes to use the local internal
 loadbalancer.
-If you choose to NOT use the local internal loadbalancer, you will need to configure
+If you choose to NOT use the local internal loadbalancer, you will need to
-your own loadbalancer to achieve HA. Note that deploying a loadbalancer is up to
+configure your own loadbalancer to achieve HA. Note that deploying a
-a user and is not covered by ansible roles in Kubespray. By default, it only configures
+loadbalancer is up to a user and is not covered by ansible roles in Kubespray.
-a non-HA endpoint, which points to the `access_ip` or IP address of the first server
+By default, it only configures a non-HA endpoint, which points to the
-node in the `kube-master` group. It can also configure clients to use endpoints
+`access_ip` or IP address of the first server node in the `kube-master` group.
-for a given loadbalancer type. The following diagram shows how traffic to the
+It can also configure clients to use endpoints for a given loadbalancer type.
-apiserver is directed.
+The following diagram shows how traffic to the apiserver is directed.
 ![Image](figures/loadbalancer_localhost.png?raw=true)
@@ -66,40 +68,72 @@ listen kubernetes-apiserver-https
  balance roundrobin
 ```
-And the corresponding example global vars config:
+  Note: That's an example config managed elsewhere outside of Kubespray.
 And the corresponding example global vars for such a "cluster-aware"
 external LB with the cluster API access modes configured in Kubespray:
 ```
-apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
+apiserver_loadbalancer_domain_name: "my-apiserver-lb.example.com"
 loadbalancer_apiserver:
  address: <VIP>
  port: 8383
 ```
  Note: The default kubernetes apiserver configuration binds to all interfaces,
  so you will need to use a different port for the vip from that the API is
  listening on, or set the `kube_apiserver_bind_address` so that the API only
  listens on a specific interface (to avoid conflict with haproxy binding the
  port on the VIP adddress)
 This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
-into the `/etc/hosts` file of all servers in the `k8s-cluster` group. Note that
+into the `/etc/hosts` file of all servers in the `k8s-cluster` group and wired
 into the generated self-signed TLS/SSL certificates as well. Note that
 the HAProxy service should as well be HA and requires a VIP management, which
-is out of scope of this doc. Specifying an external LB overrides any internal
+is out of scope of this doc.
 localhost LB configuration.
-  Note: In order to achieve HA for HAProxy instances, those must be running on
+There is a special case for an internal and an externally configured (not with
-  the each node in the `k8s-cluster` group as well, but require no VIP, thus
+Kubespray) LB used simultaneously. Keep in mind that the cluster is not aware
-  no VIP management.
+of such an external LB and you need no to specify any configuration variables
 for it.
-Access endpoints are evaluated automagically, as the following:
+  Note: TLS/SSL termination for externally accessed API endpoints' will **not**
  be covered by Kubespray for that case. Make sure your external LB provides it.
  Alternatively you may specify an externally load balanced VIPs in the
  `supplementary_addresses_in_ssl_keys` list. Then, kubespray will add them into
  the generated cluster certifactes as well.
-| Endpoint type                | kube-master   | non-master          |
+Aside of that specific case, the `loadbalancer_apiserver` considered mutually
-|------------------------------|---------------|---------------------|
+exclusive to `loadbalancer_apiserver_localhost`.
-| Local LB (default)           | http://lc:p   | https://lc:nsp      |
+
-| External LB, no internal     | https://lb:lp | https://lb:lp       |
+Access API endpoints are evaluated automagically, as the following:
-| No ext/int LB                | http://lc:p   | https://m[0].aip:sp |
+
 | Endpoint type                | kube-master    | non-master          | external            |
 |------------------------------|----------------|---------------------|---------------------|
 | Local LB (default)           | https://bip:sp | https://lc:nsp      | https://m[0].aip:sp |
 | Local LB + Unmanaged here LB | https://bip:sp | https://lc:nsp      | https://ext         |
 | External LB, no internal     | https://bip:sp | https://lb:lp       | https://lb:lp       |
 | No ext/int LB                | https://bip:sp | https://m[0].aip:sp | https://m[0].aip:sp |
 Where:
 * `m[0]` - the first node in the `kube-master` group;
 * `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
 * `ext` - Externally load balanced VIP:port and FQDN, not managed by Kubespray;
 * `lc` - localhost;
-* `p` - insecure port, `kube_apiserver_insecure_port`
+* `bip` - a custom bind IP or localhost for the default bind IP '0.0.0.0';
-* `nsp` - nginx secure port, `nginx_kube_apiserver_port`;
+* `nsp` - nginx secure port, `nginx_kube_apiserver_port`, defers to `sp`;
 * `sp` - secure port, `kube_apiserver_port`;
 * `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port;
 * `ip` - the node IP, defers to the ansible IP;
 * `aip` - `access_ip`, defers to the ip.
 A second and a third column represent internal cluster access modes. The last
 column illustrates an example URI to access the cluster APIs externally.
 Kubespray has nothing to do with it, this is informational only.
 As you can see, the masters' internal API endpoints are always
 contacted via the local bind IP, which is `https://bip:sp`.
 **Note** that for some cases, like healthchecks of applications deployed by
 Kubespray, the masters' APIs are accessed via the insecure endpoint, which
 consists of the local `kube_apiserver_insecure_bind_address` and
 `kube_apiserver_insecure_port`.
--- a/docs/integration.md
+++ b/docs/integration.md
@@ -35,7 +35,7 @@
 7. Modify path to library and roles in your ansible.cfg file (role naming should be uniq, you may have to rename your existent roles if they have same names as kubespray project):
   ```
   ...
-   library        = 3d/kubespray/library/
+   library       = 3d/kubespray/library/
   roles_path    = 3d/kubespray/roles/
   ...
   ```
@@ -73,7 +73,7 @@ You could rename *all.yml* config to something else, i.e. *kubespray.yml* and cr
 10. Now you can include kargo tasks in you existent playbooks by including cluster.yml file: 
     ```
     - name: Include kargo tasks
-     include: 3d/kubespray/cluster.yml
+       include: 3d/kubespray/cluster.yml
     ``` 
     Or your could copy separate tasks from cluster.yml into your ansible repository.
@@ -84,7 +84,7 @@ Other members of your team should use ```git submodule sync```, ```git submodule
 # Contributing
 If you made useful changes or fixed a bug in existent kubespray repo, use this flow for PRs to original kubespray repo.
-0. Sign the [CNCF CLA](https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ).
+0. Sign the [CNCF CLA](https://git.k8s.io/community/CLA.md).
 1. Change working directory to git submodule directory (3d/kubespray).
--- a/docs/large-deployments.md
+++ b/docs/large-deployments.md
@@ -34,6 +34,9 @@ For a large scaled deployments, consider the following configuration changes:
  ``kube_controller_pod_eviction_timeout`` for better Kubernetes reliability.
  Check out [Kubernetes Reliability](kubernetes-reliability.md)
 * Tune network prefix sizes. Those are ``kube_network_node_prefix``,
  ``kube_service_addresses`` and ``kube_pods_subnet``.
 * Add calico-rr nodes if you are deploying with Calico or Canal. Nodes recover
  from host/network interruption much quicker with calico-rr. Note that
  calico-rr role must be on a host without kube-master or kube-node role (but
--- a/docs/local-storage-provisioner.md
+++ b/docs/local-storage-provisioner.md
@@ -0,0 +1,67 @@
 # Local Storage Provisioner
 The local storage provisioner is NOT a dynamic storage provisioner as you would
 expect from a cloud provider. Instead, it simply creates PersistentVolumes for
 all manually created volumes located in the directory `local_volume_base_dir`.
 The default path is /mnt/disks and the rest of this doc will use that path as
 an example.
 ## Examples to create local storage volumes
 ### tmpfs method:
  ```
  for vol in vol1 vol2 vol3; do
    mkdir /mnt/disks/$vol
    mount -t tmpfs -o size=5G $vol /mnt/disks/$vol
  done
  ```
 The tmpfs method is not recommended for production because the mount is not
 persistent and data will be deleted on reboot.
 ### Mount physical disks
  ```
  mkdir /mnt/disks/ssd1
  mount /dev/vdb1 /mnt/disks/ssd1
  ```
 Physical disks are recommended for production environments because it offers
 complete isolation in terms of I/O and capacity.
 ### File-backed sparsefile method
  ```
  truncate /mnt/disks/disk5 --size 2G
  mkfs.ext4 /mnt/disks/disk5
  mkdir /mnt/disks/vol5
  mount /mnt/disks/disk5 /mnt/disks/vol5
  ```
 If you have a development environment and only one disk, this is the best way
 to limit the quota of persistent volumes.
 ### Simple directories
  ```
  for vol in vol6 vol7 vol8; do
    mkdir /mnt/disks/$vol
  done
  ```
 This is also acceptable in a development environment, but there is no capacity
 management.
 ## Usage notes
 The volume provisioner cannot calculate volume sizes correctly, so you should
 delete the daemonset pod on the relevant host after creating volumes. The pod
 will be recreated and read the size correctly.
 Make sure to make any mounts persist via /etc/fstab or with systemd mounts (for
 CoreOS/Container Linux). Pods with persistent volume claims will not be
 able to start if the mounts become unavailable.
 ## Further reading
 Refer to the upstream docs here: https://github.com/kubernetes-incubator/external-storage/tree/master/local-volume
--- a/docs/roadmap.md
+++ b/docs/roadmap.md
@@ -2,8 +2,9 @@ Kubespray's roadmap
 =================
 ### Kubeadm
- Propose kubeadm as an option in order to setup the kubernetes cluster.
+- Switch to kubeadm deployment as the default method after some bugs are fixed:
-That would probably improve deployment speed and certs management [#553](https://github.com/kubespray/kubespray/issues/553)
+  * Support for basic auth
  * cloudprovider cloud-config mount [#484](https://github.com/kubernetes/kubeadm/issues/484)
 ### Self deployment (pull-mode) [#320](https://github.com/kubespray/kubespray/issues/320)
 - the playbook would install and configure docker/rkt and the etcd cluster
@@ -12,60 +13,35 @@ That would probably improve deployment speed and certs management [#553](https:/
 - to be discussed, a way to provide the inventory
 - **self deployment** of the node from inside a container [#321](https://github.com/kubespray/kubespray/issues/321)
-### Provisionning and cloud providers
+### Provisioning and cloud providers
 - [ ] Terraform to provision instances on **GCE, AWS, Openstack, Digital Ocean, Azure**
 - [ ] On AWS autoscaling, multi AZ
 - [ ] On Azure autoscaling, create loadbalancer [#297](https://github.com/kubespray/kubespray/issues/297)
 - [ ] On GCE be able to create a loadbalancer automatically (IAM ?) [#280](https://github.com/kubespray/kubespray/issues/280)
- [x] **TLS boostrap** support for kubelet [#234](https://github.com/kubespray/kubespray/issues/234)
+- [x] **TLS boostrap** support for kubelet (covered by kubeadm, but not in standard deployment) [#234](https://github.com/kubespray/kubespray/issues/234)
  (related issues: https://github.com/kubernetes/kubernetes/pull/20439 <br>
   https://github.com/kubernetes/kubernetes/issues/18112)
 ### Tests
- [x] Run kubernetes e2e tests
+- [ ] Run kubernetes e2e tests
- [x] migrate to jenkins
+- [ ] Test idempotency on on single OS but for all network plugins/container engines
 (a test is currently a deployment on a 3 node cluste, testing k8s api, ping between 2 pods)
 - [x] Full tests on GCE per day (All OS's, all network plugins)
 - [x] trigger a single test per pull request
 - [ ] ~~single test with the Ansible version n-1 per day~~
 - [x] Test idempotency on on single OS but for all network plugins/container engines
 - [ ] single test on AWS per day
 - [x] test different achitectures :
           - 3 instances, 3 are members of the etcd cluster, 2 of them acting as master and node, 1 as node
           - 5 instances, 3 are etcd and nodes, 2 are masters only
           - 7 instances, 3 etcd only, 2 masters, 2 nodes
 - [ ] test scale up cluster:  +1 etcd, +1 master, +1 node
 - [ ] Reorganize CI test vars into group var files
 ### Lifecycle
 - [ ] Adopt the kubeadm tool by delegating CM tasks it is capable to accomplish well [#553](https://github.com/kubespray/kubespray/issues/553)
 - [x] Drain worker node when upgrading k8s components in a worker node. [#154](https://github.com/kubespray/kubespray/issues/154)
 - [ ] Drain worker node when shutting down/deleting an instance
 - [ ] Upgrade granularity: select components to upgrade and skip others
 ### Networking
 - [ ] romana.io support [#160](https://github.com/kubespray/kubespray/issues/160)
 - [ ] Configure network policy for Calico. [#159](https://github.com/kubespray/kubespray/issues/159)
 - [ ] Opencontrail
- [x] Canal
+- [ ] Consolidate network_plugins and kubernetes-apps/network_plugins
 - [x] Cloud Provider native networking (instead of our network plugins)
 ### High availability
 - (to be discussed) option to set a loadbalancer for the apiservers like ucarp/packemaker/keepalived
 While waiting for the issue [kubernetes/kubernetes#18174](https://github.com/kubernetes/kubernetes/issues/18174) to be fixed.
 ### Kubespray-cli
 - Delete instances
 - `kubespray vagrant` to setup a test cluster locally
 - `kubespray azure` for Microsoft Azure support
 - switch to Terraform instead of Ansible for provisionning
 - update $HOME/.kube/config when a cluster is deployed. Optionally switch to this context
 ### Kubespray API
 - Perform all actions through an **API**
 - Store inventories / configurations of mulltiple clusters
 - make sure that state of cluster is completely saved in no more than one config file beyond hosts inventory
-### Addons (with kpm)
+### Addons (helm or native ansible)
 Include optionals deployments to init the cluster:
 ##### Monitoring
 - Heapster / Grafana ....
@@ -85,10 +61,10 @@ Include optionals deployments to init the cluster:
 - Deis Workflow
 ### Others
- remove nodes  (adding is already supported)
+- remove nodes (adding is already supported)
- being able to choose any k8s version (almost done)
+- Organize and update documentation (split in categories)
- **rkt** support [#59](https://github.com/kubespray/kubespray/issues/59)
+- Refactor downloads so it all runs in the beginning of deployment
- Review documentation (split in categories)
+- Make bootstrapping OS more consistent
 - **consul** -> if officialy supported by k8s
 - flex volumes options (e.g. **torrus** support) [#312](https://github.com/kubespray/kubespray/issues/312)
 - Clusters federation option (aka **ubernetes**) [#329](https://github.com/kubespray/kubespray/issues/329)
--- a/docs/vagrant.md
+++ b/docs/vagrant.md
@@ -1,7 +1,7 @@
 Vagrant Install
 =================
-Assuming you have Vagrant (1.8+) installed with virtualbox (it may work
+Assuming you have Vagrant (1.9+) installed with virtualbox (it may work
 with vmware, but is untested) you should be able to launch a 3 node
 Kubernetes cluster by simply running `$ vagrant up`.<br />
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -28,6 +28,7 @@ Some variables of note include:
 * *kube_version* - Specify a given Kubernetes hyperkube version
 * *searchdomains* - Array of DNS domains to search when looking up hostnames
 * *nameservers* - Array of nameservers to use for DNS lookup
 * *preinstall_selinux_state* - Set selinux state, permitted values are permissive and disabled.
 #### Addressing variables
@@ -61,7 +62,7 @@ following default cluster paramters:
 * *kube_network_node_prefix* - Subnet allocated per-node for pod IPs. Remainin
  bits in kube_pods_subnet dictates how many kube-nodes can be in cluster.
 * *dns_setup* - Enables dnsmasq
-* *dns_server* - Cluster IP for dnsmasq (default is 10.233.0.2)
+* *dnsmasq_dns_server* - Cluster IP for dnsmasq (default is 10.233.0.2)
 * *skydns_server* - Cluster IP for KubeDNS (default is 10.233.0.3)
 * *cloud_provider* - Enable extra Kubelet option if operating inside GCE or
  OpenStack (default is unset)
@@ -71,9 +72,12 @@ following default cluster paramters:
  alpha/experimental Kubernetes features. (defaults is `[]`)
 * *authorization_modes* - A list of [authorization mode](
 https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
-  that the cluster should be configured for. Defaults to `[]` (i.e. no authorization).
+  that the cluster should be configured for. Defaults to `['Node', 'RBAC']`
-  Note: `RBAC` is currently in experimental phase, and do not support either calico or
+  (Node and RBAC authorizers).
-  vault. Upgrade from non-RBAC to RBAC is not tested.
+  Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be
  converted to RBAC mode. However, your apps which rely on Kubernetes API will
  require a service account and cluster role bindings. You can override this
  setting by setting authorization_modes to `[]`.
 Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
 private addresses, make sure to pick another values for ``kube_service_addresses``
@@ -99,7 +103,8 @@ Stack](https://github.com/kubernetes-incubator/kubespray/blob/master/docs/dns-st
 * *docker_options* - Commonly used to set
  ``--insecure-registry=myregistry.mydomain:5000``
 * *http_proxy/https_proxy/no_proxy* - Proxy variables for deploying behind a
-  proxy
+  proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
  that correspond to each node.
 * *kubelet_deployment_type* - Controls which platform to deploy kubelet on. 
  Available options are ``host``, ``rkt``, and ``docker``. ``docker`` mode
  is unlikely to work on newer releases. Starting with Kubernetes v1.7 
--- a/docs/vault.md
+++ b/docs/vault.md
@@ -24,7 +24,7 @@ hardcoded to only create a Vault role for Etcd.
 This step is where the long-term Vault cluster is started and configured. Its
 first task, is to stop any temporary instances of Vault, to free the port for
 the long-term. At the end of this task, the entire Vault cluster should be up
-and read to go.
+and ready to go.
 Keys to the Kingdom
 -------------------
--- a/docs/vsphere.md
+++ b/docs/vsphere.md
@@ -34,10 +34,12 @@ Then, in the same file, you need to declare your vCenter credential following th
 | vsphere_datastore            | TRUE     | string  |                            |         | Datastore name to use                                                                                                                                                                         |
 | vsphere_working_dir          | TRUE     | string  |                            |         | Working directory from the view "VMs and template" in the   vCenter where VM are placed                                                                                                       |
 | vsphere_scsi_controller_type | TRUE     | string  | buslogic, pvscsi, parallel | pvscsi  | SCSI controller name. Commonly "pvscsi".                                                                                                                                                      |
-| vsphere_vm_uuid              | FALSE    | string  |                            |         | VM Instance UUID of virtual machine that host K8s master. Can be   retrieved from instanceUuid property in VmConfigInfo, or as vc.uuid in VMX   file or in `/sys/class/dmi/id/product_serial` |
+| vsphere_vm_uuid              | FALSE    | string  |                            |         | VM Instance UUID of virtual machine that host K8s master. Can be   retrieved from instanceUuid property in VmConfigInfo, or as vc.uuid in VMX   file or in `/sys/class/dmi/id/product_serial` (Optional, only used for Kubernetes <= 1.9.2) |
 | vsphere_public_network       | FALSE    | string  |                            | Blank   | Name of the   network the VMs are joined to                                                                                                                                                   |
 | vsphere_resource_pool       | FALSE    | string  |                            | Blank   | Name of the Resource pool where the VMs are located (Optional, only used for Kubernetes >= 1.9.2)                                                                                                                                                 |
 Example configuration
 ```yml
 vsphere_vcenter_ip: "myvcenter.domain.com"
 vsphere_vcenter_port: 443
@@ -48,6 +50,7 @@ vsphere_datacenter: "DATACENTER_name"
 vsphere_datastore: "DATASTORE_name"
 vsphere_working_dir: "Docker_hosts"
 vsphere_scsi_controller_type: "pvscsi"
 vsphere_resource_pool: "K8s-Pool"
 ```
 ## Deployment
--- a/docs/weave.md
+++ b/docs/weave.md
@@ -91,7 +91,7 @@ weave_peers: uninitialized
 The first variable, `weave_seed`, contains the initial nodes of the weave network
-The seconde variable, `weave_peers`, saves the IPs of all nodes joined to the weave network
+The second variable, `weave_peers`, saves the IPs of all nodes joined to the weave network
 These two variables are used to connect a new node to the weave network. The new node needs to know the firsts nodes (seed) and the list of IPs of all nodes.
--- a/extra_playbooks/upgrade-only-k8s.yml
+++ b/extra_playbooks/upgrade-only-k8s.yml
@@ -3,6 +3,7 @@
 ### * Will not upgrade etcd
 ### * Will not upgrade network plugins
 ### * Will not upgrade Docker
 ### * Will not pre-download containers or kubeadm
 ### * Currently does not support Vault deployment.
 ###
 ### In most cases, you probably want to use upgrade-cluster.yml playbook and
@@ -46,6 +47,8 @@
    - { role: upgrade/pre-upgrade, tags: pre-upgrade }
    - { role: kubernetes/node, tags: node }
    - { role: kubernetes/master, tags: master }
    - { role: kubernetes/client, tags: client }
    - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }
    - { role: upgrade/post-upgrade, tags: post-upgrade }
 #Finally handle worker upgrades, based on given batch size
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -56,7 +56,7 @@ bin_dir: /usr/local/bin
 ## There are some changes specific to the cloud providers
 ## for instance we need to encapsulate packets with some network plugins
-## If set the possible values are either 'gce', 'aws', 'azure', 'openstack', or 'vsphere'
+## If set the possible values are either 'gce', 'aws', 'azure', 'openstack', 'vsphere', or 'external'
 ## When openstack is used make sure to source in the openstack credentials
 ## like you would do when using nova-client before starting the playbook.
 #cloud_provider:
@@ -74,12 +74,17 @@ bin_dir: /usr/local/bin
 #azure_vnet_name:
 #azure_route_table_name:
-## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461)
+## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461)
 #openstack_blockstorage_version: "v1/v2/auto (default)"
-## When OpenStack is used, if LBaaSv2 is available you can enable it with the following variables.
+## When OpenStack is used, if LBaaSv2 is available you can enable it with the following 2 variables.
 #openstack_lbaas_enabled: True
 #openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
 ## To enable automatic floating ip provisioning, specify a subnet.
 #openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
 ## Override default LBaaS behavior
 #openstack_lbaas_use_octavia: False
 #openstack_lbaas_method: "ROUND_ROBIN"
 #openstack_lbaas_provider: "haproxy"
 #openstack_lbaas_create_monitor: "yes"
 #openstack_lbaas_monitor_delay: "1m"
 #openstack_lbaas_monitor_timeout: "30s"
@@ -91,9 +96,10 @@ bin_dir: /usr/local/bin
 #kubeadm_token_second: "{{ lookup('password', 'credentials/kubeadm_token_second length=16 chars=ascii_lowercase,digits') }}"
 #kubeadm_token: "{{ kubeadm_token_first }}.{{ kubeadm_token_second }}"
 #
-## Set these proxy values in order to update docker daemon to use proxies
+## Set these proxy values in order to update package manager and docker daemon to use proxies
 #http_proxy: ""
 #https_proxy: ""
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 #no_proxy: ""
 ## Uncomment this if you want to force overlay/overlay2 as docker storage driver
@@ -113,9 +119,6 @@ bin_dir: /usr/local/bin
 ## as a backend). Options are "script" or "vault"
 #cert_management: script
 ## Please specify true if you want to perform a kernel upgrade
 kernel_upgrade: false
 # Set to true to allow pre-checks to fail and continue deployment
 #ignore_assert_errors: false
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -8,9 +8,6 @@ kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
 system_namespace: kube-system
 # Logging directory (sysvinit systems)
 kube_log_dir: "/var/log/kubernetes"
 # This is where all the cert scripts and certs will be located
 kube_cert_dir: "{{ kube_config_dir }}/ssl"
@@ -20,10 +17,10 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 # This is where to save basic auth file
 kube_users_dir: "{{ kube_config_dir }}/users"
-kube_api_anonymous_auth: false
+kube_api_anonymous_auth: true
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.7.5
+kube_version: v1.9.2
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
@@ -50,8 +47,8 @@ kube_users:
 ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
 #kube_oidc_auth: false
-#kube_basic_auth: true
+#kube_basic_auth: false
-#kube_token_auth: true
+#kube_token_auth: false
 ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
@@ -65,7 +62,7 @@ kube_users:
 # kube_oidc_groups_claim: groups
-# Choose network plugin (calico, weave or flannel)
+# Choose network plugin (calico, contiv, weave or flannel)
 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
 kube_network_plugin: calico
@@ -106,21 +103,26 @@ kube_network_node_prefix: 24
 kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
 kube_apiserver_port: 6443 # (https)
 kube_apiserver_insecure_port: 8080 # (http)
 # Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
 #kube_apiserver_insecure_port: 0 # (disabled)
 # DNS configuration.
 # Kubernetes cluster name, also will be used as DNS domain
 cluster_name: cluster.local
 # Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
 ndots: 2
-# Can be dnsmasq_kubedns, kubedns or none
+# Can be dnsmasq_kubedns, kubedns, manual or none
 dns_mode: kubedns
 # Set manual server if using a custom cluster DNS server
 #manual_dns_server: 10.x.x.x
 # Can be docker_dns, host_resolvconf or none
 resolvconf_mode: docker_dns
 # Deploy netchecker app to verify DNS resolve as an HTTP service
 deploy_netchecker: false
 # Ip address of the kubernetes skydns service
 skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
-dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
+dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
 dns_domain: "{{ cluster_name }}"
 # Path used to store Docker data
@@ -137,13 +139,14 @@ docker_bin_dir: "/usr/bin"
 # Settings for containerized control plane (etcd/kubelet/secrets)
 etcd_deployment_type: docker
 kubelet_deployment_type: host
 cert_management: script
 vault_deployment_type: docker
 helm_deployment_type: host
 # K8s image pull policy (imagePullPolicy)
 k8s_image_pull_policy: IfNotPresent
-# Kubernetes dashboard (available at http://first_master:6443/ui by default)
+# Kubernetes dashboard
 # RBAC required. see docs/getting-started.md for access details.
 dashboard_enabled: true
 # Monitoring apps for k8s
@@ -152,6 +155,15 @@ efk_enabled: false
 # Helm deployment
 helm_enabled: false
 # Istio deployment
 istio_enabled: false
 # Local volume provisioner deployment
 local_volumes_enabled: false
 # Add Persistent Volumes Storage Class for corresponding cloud provider ( OpenStack is only supported now )
 persistent_volumes_enabled: false
 # Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
 # kubeconfig_localhost: false
 # Download kubectl onto the host that runs Ansible in GITDIR/artifacts
@@ -166,5 +178,14 @@ helm_enabled: false
 # kubelet_cgroups_per_qos: true
 # A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
-# Acceptible options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
+# Acceptable options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
 # kubelet_enforce_node_allocatable: pods
 ## Supplementary addresses that can be added in kubernetes ssl keys.
 ## That can be useful for example to setup a keepalived virtual IP
 # supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]
 ## Running on top of openstack vms with cinder enabled may lead to unschedulable pods due to NoVolumeZoneConflict restriction in kube-scheduler.
 ## See https://github.com/kubernetes-incubator/kubespray/issues/2141
 ## Set this variable to true to get rid of this issue
 volume_cross_zone_attachment: false
--- a/library/kube.py
+++ b/library/kube.py
@@ -288,8 +288,6 @@ def main():
    else:
        module.fail_json(msg='Unrecognized state %s.' % state)
    if result:
        changed = True
    module.exit_json(changed=changed,
                     msg='success: %s' % (' '.join(result))
                     )
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
 pbr>=1.6
-ansible>=2.3.2
+ansible>=2.4.0
 netaddr
 jinja2>=2.9.6
--- a/reset.yml
+++ b/reset.yml
@@ -1,6 +1,9 @@
 ---
 - hosts: all
  gather_facts: true
 - hosts: etcd:k8s-cluster:vault:calico-rr
  vars_prompt:
    name: "reset_confirmation"
    prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -3,13 +3,13 @@
    has_bastion: "{{ 'bastion' in groups['all'] }}"
 - set_fact:
-    bastion_ip: "{{ hostvars['bastion']['ansible_ssh_host'] }}"
+    bastion_ip: "{{ hostvars['bastion']['ansible_host'] }}"
  when: has_bastion
 # As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly
-# To figure out the real ssh user, we delegate this task to the bastion and store the ansible_ssh_user in real_user
+# To figure out the real ssh user, we delegate this task to the bastion and store the ansible_user in real_user
 - set_fact:
-    real_user: "{{ ansible_ssh_user }}"
+    real_user: "{{ ansible_user }}"
  delegate_to: bastion
  when: has_bastion
@@ -18,3 +18,4 @@
  template:
    src: ssh-bastion.conf
    dest: "{{ playbook_dir }}/ssh-bastion.conf"
  when: has_bastion
--- a/roles/bastion-ssh-config/templates/ssh-bastion.conf
+++ b/roles/bastion-ssh-config/templates/ssh-bastion.conf
@@ -16,6 +16,5 @@ Host {{ bastion_ip }}
  ControlPersist 5m
 Host {{ vars['hosts'] }}
-  ProxyCommand ssh -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
+  ProxyCommand ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
  StrictHostKeyChecking no
 {% endif %}
--- a/roles/bootstrap-os/defaults/main.yml
+++ b/roles/bootstrap-os/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
-pypy_version: 2.4.0
+pip_python_coreos_modules:
 pip_python_modules:
  - httplib2
  - six
--- a/roles/bootstrap-os/files/bootstrap.sh
+++ b/roles/bootstrap-os/files/bootstrap.sh
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 set -e
 BINDIR="/opt/bin"
--- a/roles/bootstrap-os/tasks/bootstrap-centos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-centos.yml
@@ -15,4 +15,6 @@
  when: fastestmirror.stat.exists
 - name: Install packages requirements for bootstrap
-  raw: yum -y install libselinux-python
+  yum:
    name: libselinux-python
    state: present
--- a/roles/bootstrap-os/tasks/bootstrap-coreos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
@@ -3,7 +3,9 @@
  raw: stat /opt/bin/.bootstrapped
  register: need_bootstrap
  failed_when: false
-  tags: facts
+  changed_when: false
  tags:
    - facts
 - name: Bootstrap | Run bootstrap.sh
  script: bootstrap.sh
@@ -11,7 +13,8 @@
 - set_fact:
    ansible_python_interpreter: "/opt/bin/python"
-  tags: facts
+  tags:
    - facts
 - name: Bootstrap | Check if we need to install pip
  shell: "{{ansible_python_interpreter}} -m pip --version"
@@ -20,7 +23,8 @@
  changed_when: false
  check_mode: no
  when: need_bootstrap.rc != 0
-  tags: facts
+  tags:
    - facts
 - name: Bootstrap | Copy get-pip.py
  copy:
@@ -48,4 +52,4 @@
 - name: Install required python modules
  pip:
    name: "{{ item }}"
-  with_items: "{{pip_python_modules}}"
+  with_items: "{{pip_python_coreos_modules}}"
--- a/roles/bootstrap-os/tasks/bootstrap-debian.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-debian.yml
@@ -0,0 +1,24 @@
 ---
 #  raw: cat /etc/issue.net | grep '{{ bootstrap_versions }}'
 - name: Bootstrap | Check if bootstrap is needed
  raw: which "{{ item }}"
  register: need_bootstrap
  failed_when: false
  changed_when: false
  with_items:
    - python
    - pip
    - dbus-daemon
  tags: facts
 - name: Bootstrap | Install python 2.x, pip, and dbus
  raw:
    apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal python-pip dbus
  when:
    need_bootstrap.results | map(attribute='rc') | sort | last | bool
 - set_fact:
    ansible_python_interpreter: "/usr/bin/python"
  tags: facts
--- a/roles/bootstrap-os/tasks/bootstrap-ubuntu.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-ubuntu.yml
@@ -5,18 +5,22 @@
  raw: which "{{ item }}"
  register: need_bootstrap
  failed_when: false
  changed_when: false
  with_items:
    - python
    - pip
-  tags: facts
+    - dbus-daemon
  tags:
    - facts
 - name: Bootstrap | Install python 2.x and pip
  raw:
    apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal python-pip
+    DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal python-pip dbus
  when:
    "{{ need_bootstrap.results | map(attribute='rc') | sort | last | bool }}"
 - set_fact:
    ansible_python_interpreter: "/usr/bin/python"
-  tags: facts
+  tags:
    - facts
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -1,14 +1,17 @@
 ---
- include: bootstrap-ubuntu.yml
+- import_tasks: bootstrap-ubuntu.yml
  when: bootstrap_os == "ubuntu"
- include: bootstrap-coreos.yml
+- import_tasks: bootstrap-debian.yml
  when: bootstrap_os == "debian"
 - import_tasks: bootstrap-coreos.yml
  when: bootstrap_os == "coreos"
- include: bootstrap-centos.yml
+- import_tasks: bootstrap-centos.yml
  when: bootstrap_os == "centos"
- include: setup-pipelining.yml
+- import_tasks: setup-pipelining.yml
 - name: check if atomic host
  stat:
--- a/roles/dnsmasq/meta/main.yml
+++ b/roles/dnsmasq/meta/main.yml
@@ -1,6 +0,0 @@
 ---
 dependencies:
  - role: download
    file: "{{ downloads.dnsmasq }}"
    when: dns_mode == 'dnsmasq_kubedns' and download_localhost|default(false)
    tags: [download, dnsmasq]
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -3,13 +3,15 @@
  file:
    path: /etc/dnsmasq.d
    state: directory
-  tags: bootstrap-os
+  tags:
    - bootstrap-os
 - name: ensure dnsmasq.d-available directory exists
  file:
    path: /etc/dnsmasq.d-available
    state: directory
-  tags: bootstrap-os
+  tags:
    - bootstrap-os
 - name: check system nameservers
  shell: awk '/^nameserver/ {print $NF}' /etc/resolv.conf
@@ -100,7 +102,7 @@
 - name: Check for dnsmasq port (pulling image and running container)
  wait_for:
-    host: "{{dns_server}}"
+    host: "{{dnsmasq_dns_server}}"
    port: 53
    timeout: 180
  when: inventory_hostname == groups['kube-node'][0] and groups['kube-node'][0] in ansible_play_hosts
--- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
+++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
@@ -39,7 +39,7 @@ spec:
          operator: Exists
      containers:
        - name: autoscaler
-          image: gcr.io/google_containers/cluster-proportional-autoscaler-amd64:1.1.1
+          image: "{{ dnsmasqautoscaler_image_repo }}:{{ dnsmasqautoscaler_image_tag }}"
          resources:
            requests:
              cpu: "20m"
--- a/roles/dnsmasq/templates/dnsmasq-svc.yml
+++ b/roles/dnsmasq/templates/dnsmasq-svc.yml
@@ -18,6 +18,6 @@ spec:
      targetPort: 53
      protocol: UDP
  type: ClusterIP
-  clusterIP: {{dns_server}}
+  clusterIP: {{dnsmasq_dns_server}}
  selector:
    k8s-app: dnsmasq
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-docker_version: '1.13'
+docker_version: '17.03'
 docker_package_info:
  pkgs:
@@ -16,3 +16,5 @@ docker_container_storage_setup: false
 docker_rh_repo_base_url: 'https://yum.dockerproject.org/repo/main/centos/7'
 docker_rh_repo_gpgkey: 'https://yum.dockerproject.org/gpg'
 docker_apt_repo_base_url: 'https://apt.dockerproject.org/repo'
 docker_apt_repo_gpgkey: 'https://apt.dockerproject.org/gpg'
--- a/roles/docker/docker-storage/defaults/main.yml
+++ b/roles/docker/docker-storage/defaults/main.yml
@@ -3,6 +3,9 @@ docker_container_storage_setup_version: v0.6.0
 docker_container_storage_setup_profile_name: kubespray
 docker_container_storage_setup_storage_driver: devicemapper
 docker_container_storage_setup_container_thinpool: docker-pool
 #It must be define a disk path for docker_container_storage_setup_devs.
 #Otherwise docker-storage-setup will be executed incorrectly.
 #docker_container_storage_setup_devs: /dev/vdb
 docker_container_storage_setup_data_size: 40%FREE
 docker_container_storage_setup_min_data_size: 2G
 docker_container_storage_setup_chunk_size: 512K
--- a/roles/docker/docker-storage/tasks/main.yml
+++ b/roles/docker/docker-storage/tasks/main.yml
@@ -23,7 +23,7 @@
  copy:
    dest: /etc/systemd/system/docker.service.d/override.conf
    content: |-
-      ### Thie file is managed by Ansible
+      ### This file is managed by Ansible
      [Service]
      EnvironmentFile=-/etc/sysconfig/docker-storage
@@ -31,6 +31,12 @@
    group: root
    mode: 0644
 #https://docs.docker.com/engine/installation/linux/docker-ce/centos/#install-using-the-repository
 - name: docker-storage-setup | install lvm2
  yum:
    name: lvm2
    state: present
 - name: docker-storage-setup | install and run container-storage-setup
  become: yes
  script: install_container_storage_setup.sh {{ docker_container_storage_setup_version }} {{ docker_container_storage_setup_profile_name }}
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -12,11 +12,13 @@
      paths:
        - ../vars
      skip: true
-  tags: facts
+  tags:
    - facts
- include: set_facts_dns.yml
+- include_tasks: set_facts_dns.yml
  when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
-  tags: facts
+  tags:
    - facts
 - name: check for minimum kernel version
  fail:
@@ -25,13 +27,14 @@
          {{ docker_kernel_min_version }} on
          {{ ansible_distribution }}-{{ ansible_distribution_version }}
  when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel|version_compare(docker_kernel_min_version, "<"))
-  tags: facts
+  tags:
    - facts
 - name: ensure docker repository public key is installed
  action: "{{ docker_repo_key_info.pkg_key }}"
  args:
    id: "{{item}}"
-    keyserver: "{{docker_repo_key_info.keyserver}}"
+    url: "{{docker_repo_key_info.url}}"
    state: present
  register: keyserver_task_result
  until: keyserver_task_result|succeeded
@@ -68,15 +71,24 @@
  notify: restart docker
  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
- name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns
+- name: flush handlers so we can wait for docker to come up
  meta: flush_handlers
 - name: set fact for docker_version
  command: "docker version -f '{{ '{{' }}.Client.Version{{ '}}' }}'"
-  register: docker_version
+  register: installed_docker_version
  failed_when: docker_version.stdout|version_compare('1.12', '<')
  changed_when: false
-  when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
+
 - name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns
  fail:
    msg: "You need at least docker version >= 1.12 for resolvconf_mode=docker_dns"
  when: >
        dns_mode != 'none' and
        resolvconf_mode == 'docker_dns' and
        installed_docker_version.stdout|version_compare('1.12', '<')
 - name: Set docker systemd config
-  include: systemd.yml
+  import_tasks: systemd.yml
 - name: ensure docker service is started and enabled
  service:
--- a/roles/docker/tasks/set_facts_dns.yml
+++ b/roles/docker/tasks/set_facts_dns.yml
@@ -6,7 +6,9 @@
      {%- if dns_mode == 'kubedns' -%}
        {{ [ skydns_server ] }}
      {%- elif dns_mode == 'dnsmasq_kubedns' -%}
-        {{ [ dns_server ] }}
+        {{ [ dnsmasq_dns_server ] }}
      {%- elif dns_mode == 'manual' -%}
        {{ [ manual_dns_server ] }}
      {%- endif -%}
 - name: set base docker dns facts
@@ -47,7 +49,7 @@
 - name: add system search domains to docker options
  set_fact:
-    docker_dns_search_domains: "{{ docker_dns_search_domains | union(system_search_domains.stdout.split(' ')|default([])) | unique }}"
+    docker_dns_search_domains: "{{ docker_dns_search_domains | union(system_search_domains.stdout.split()|default([])) | unique }}"
  when: system_search_domains.stdout != ""
 - name: check number of nameservers
--- a/roles/docker/tasks/systemd.yml
+++ b/roles/docker/tasks/systemd.yml
@@ -8,7 +8,8 @@
  template:
    src: http-proxy.conf.j2
    dest: /etc/systemd/system/docker.service.d/http-proxy.conf
-  when: http_proxy is defined or https_proxy is defined or no_proxy is defined
+  notify: restart docker
  when: http_proxy is defined or https_proxy is defined
 - name: get systemd version
  command: rpm -q --qf '%{V}\n' systemd
@@ -24,13 +25,6 @@
  notify: restart docker
  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
 - name: Write docker.service systemd file for atomic
  template:
    src: docker_atomic.service.j2
    dest: /etc/systemd/system/docker.service
  notify: restart docker
  when: is_atomic
 - name: Write docker options systemd drop-in
  template:
    src: docker-options.conf.j2
--- a/roles/docker/templates/docker.service.j2
+++ b/roles/docker/templates/docker.service.j2
@@ -18,7 +18,7 @@ Environment=GOTRACEBACK=crash
 ExecReload=/bin/kill -s HUP $MAINPID
 Delegate=yes
 KillMode=process
-ExecStart={{ docker_bin_dir }}/docker daemon \
+ExecStart={{ docker_bin_dir }}/docker{% if installed_docker_version.stdout|version_compare('17.03', '<') %} daemon{% else %}d{% endif %} \
          $DOCKER_OPTS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
--- a/roles/docker/templates/docker_atomic.service.j2
+++ b/roles/docker/templates/docker_atomic.service.j2
@@ -1,37 +0,0 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
 After=network.target
 Wants=docker-storage-setup.service
 [Service]
 Type=notify
 NotifyAccess=all
 EnvironmentFile=-/etc/sysconfig/docker
 EnvironmentFile=-/etc/sysconfig/docker-storage
 Environment=GOTRACEBACK=crash
 Environment=DOCKER_HTTP_HOST_COMPAT=1
 Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
 ExecReload=/bin/kill -s HUP $MAINPID
 Delegate=yes
 KillMode=process
 ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          $DOCKER_OPTS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $DOCKER_DNS_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY
 LimitNOFILE=1048576
 LimitNPROC=1048576
 LimitCORE=infinity
 TimeoutStartSec=1min
 Restart=on-abnormal
 [Install]
 WantedBy=multi-user.target
--- a/roles/docker/templates/http-proxy.conf.j2
+++ b/roles/docker/templates/http-proxy.conf.j2
@@ -1,2 +1,2 @@
 [Service]
-Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}
+Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}
--- a/roles/docker/vars/debian.yml
+++ b/roles/docker/vars/debian.yml
@@ -7,8 +7,9 @@ docker_versioned_pkg:
  '1.11': docker-engine=1.11.2-0~{{ ansible_distribution_release|lower }}
  '1.12': docker-engine=1.12.6-0~debian-{{ ansible_distribution_release|lower }}
  '1.13': docker-engine=1.13.1-0~debian-{{ ansible_distribution_release|lower }}
-  'stable': docker-engine=17.03.0~ce-0~debian-{{ ansible_distribution_release|lower }}
+  '17.03': docker-engine=17.03.1~ce-0~debian-{{ ansible_distribution_release|lower }}
-  'edge': docker-engine=17.03.0~ce-0~debian-{{ ansible_distribution_release|lower }}
+  'stable': docker-engine=17.03.1~ce-0~debian-{{ ansible_distribution_release|lower }}
  'edge': docker-engine=17.05.0~ce-0~debian-{{ ansible_distribution_release|lower }}
 docker_package_info:
  pkg_mgr: apt
@@ -18,7 +19,7 @@ docker_package_info:
 docker_repo_key_info:
  pkg_key: apt_key
-  keyserver: hkp://p80.pool.sks-keyservers.net:80
+  url: '{{ docker_apt_repo_gpgkey }}'
  repo_keys:
    - 58118E89F3A912897C070ADBF76221572C52609D
@@ -26,6 +27,6 @@ docker_repo_info:
  pkg_repo: apt_repository
  repos:
    - >
-       deb https://apt.dockerproject.org/repo
+       deb {{ docker_apt_repo_base_url }}
       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
       main
--- a/roles/docker/vars/fedora.yml
+++ b/roles/docker/vars/fedora.yml
@@ -8,7 +8,9 @@ docker_kernel_min_version: '0'
 docker_versioned_pkg:
  'latest': docker
  '1.11': docker-1:1.11.2
-  '1.12': docker-1:1.12.5
+  '1.12': docker-1:1.12.6
  '1.13': docker-1.13.1
  '17.03': docker-17.03.1
  'stable': docker-ce
  'edge': docker-ce-edge
--- a/roles/docker/vars/redhat.yml
+++ b/roles/docker/vars/redhat.yml
@@ -8,8 +8,9 @@ docker_versioned_pkg:
  '1.11': docker-engine-1.11.2-1.el7.centos
  '1.12': docker-engine-1.12.6-1.el7.centos
  '1.13': docker-engine-1.13.1-1.el7.centos
-  'stable': docker-engine-17.03.0.ce-1.el7.centos
+  '17.03': docker-engine-17.03.1.ce-1.el7.centos
-  'edge': docker-engine-17.03.0.ce-1.el7.centos
+  'stable': docker-engine-17.03.1.ce-1.el7.centos
  'edge': docker-engine-17.05.0.ce-1.el7.centos
 # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
 # https://download.docker.com/linux/centos/7/x86_64/stable/Packages/
--- a/roles/docker/vars/ubuntu.yml
+++ b/roles/docker/vars/ubuntu.yml
@@ -7,8 +7,9 @@ docker_versioned_pkg:
  '1.11': docker-engine=1.11.1-0~{{ ansible_distribution_release|lower }}
  '1.12': docker-engine=1.12.6-0~ubuntu-{{ ansible_distribution_release|lower }}
  '1.13': docker-engine=1.13.1-0~ubuntu-{{ ansible_distribution_release|lower }}
-  'stable': docker-engine=17.03.0~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '17.03': docker-engine=17.03.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
-  'edge': docker-engine=17.03.0~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  'stable': docker-engine=17.03.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
  'edge': docker-engine=17.05.0~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
 docker_package_info:
  pkg_mgr: apt
@@ -18,7 +19,7 @@ docker_package_info:
 docker_repo_key_info:
  pkg_key: apt_key
-  keyserver: hkp://p80.pool.sks-keyservers.net:80
+  url: '{{ docker_apt_repo_gpgkey }}'
  repo_keys:
    - 58118E89F3A912897C070ADBF76221572C52609D
@@ -26,6 +27,6 @@ docker_repo_info:
  pkg_repo: apt_repository
  repos:
    - >
-       deb https://apt.dockerproject.org/repo
+       deb {{ docker_apt_repo_base_url }}
       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
       main
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 local_release_dir: /tmp
 # Used to only evaluate vars from download role
 skip_downloads: false
 # if this is set to true will only download files once. Doesn't work
 # on Container Linux by CoreOS unless the download_localhost is true and localhost
 # is running another OS type. Default compress level is 1 (fastest).
@@ -17,27 +20,37 @@ download_localhost: False
 # Always pull images if set to True. Otherwise check by the repo's tag/digest.
 download_always_pull: False
 # Use the first kube-master if download_localhost is not set
 download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
 # Versions
-kube_version: v1.7.5
+kube_version: v1.9.2
-# Change to kube_version after v1.8.0 release
+kubeadm_version: "{{ kube_version }}"
 kubeadm_version: "v1.8.0-rc.1"
 etcd_version: v3.2.4
 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
-calico_version: "v2.5.0"
+calico_version: "v2.6.2"
-calico_ctl_version: "v1.5.0"
+calico_ctl_version: "v1.6.1"
-calico_cni_version: "v1.10.0"
+calico_cni_version: "v1.11.0"
-calico_policy_version: "v0.7.0"
+calico_policy_version: "v1.0.0"
-weave_version: 2.0.4
+calico_rr_version: "v0.4.0"
-flannel_version: "v0.8.0"
+flannel_version: "v0.9.1"
-flannel_cni_version: "v0.2.0"
+flannel_cni_version: "v0.3.0"
 istio_version: "0.2.6"
 vault_version: 0.8.1
 weave_version: 2.1.3
 pod_infra_version: 3.0
 contiv_version: 1.1.7
 # Download URLs
 istioctl_download_url: "https://storage.googleapis.com/istio-release/releases/{{ istio_version }}/istioctl/istioctl-linux"
 kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/amd64/kubeadm"
 vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
 # Checksums
-kubeadm_checksum: "8f6ceb26b8503bfc36a99574cf6f853be1c55405aa31669561608ad8099bf5bf"
+istioctl_checksum: fd703063c540b8c0ab943f478c05ab257d88ae27224c746a27d0526ddbf7c370
 kubeadm_checksum: 560b44a2b91747f4fb64ac8754fcf65db9a39a84c6b54d4e6483400ac6c674fc
 vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
 # Containers
 etcd_image_repo: "quay.io/coreos/etcd"
@@ -52,10 +65,10 @@ calico_node_image_repo: "quay.io/calico/node"
 calico_node_image_tag: "{{ calico_version }}"
 calico_cni_image_repo: "quay.io/calico/cni"
 calico_cni_image_tag: "{{ calico_cni_version }}"
-calico_policy_image_repo: "quay.io/calico/kube-policy-controller"
+calico_policy_image_repo: "quay.io/calico/kube-controllers"
 calico_policy_image_tag: "{{ calico_policy_version }}"
 calico_rr_image_repo: "quay.io/calico/routereflector"
-calico_rr_image_tag: "v0.3.0"
+calico_rr_image_tag: "{{ calico_rr_version }}"
 hyperkube_image_repo: "quay.io/coreos/hyperkube"
 hyperkube_image_tag: "{{ kube_version }}_coreos.0"
 pod_infra_image_repo: "gcr.io/google_containers/pause-amd64"
@@ -71,20 +84,27 @@ weave_kube_image_repo: "weaveworks/weave-kube"
 weave_kube_image_tag: "{{ weave_version }}"
 weave_npc_image_repo: "weaveworks/weave-npc"
 weave_npc_image_tag: "{{ weave_version }}"
 contiv_image_repo: "contiv/netplugin"
 contiv_image_tag: "{{ contiv_version }}"
 contiv_auth_proxy_image_repo: "contiv/auth_proxy"
 contiv_auth_proxy_image_tag: "{{ contiv_version }}"
 nginx_image_repo: nginx
-nginx_image_tag: 1.11.4-alpine
+nginx_image_tag: 1.13
-dnsmasq_version: 2.72
+dnsmasq_version: 2.78
 dnsmasq_image_repo: "andyshinn/dnsmasq"
 dnsmasq_image_tag: "{{ dnsmasq_version }}"
-kubedns_version: 1.14.2
+kubedns_version: 1.14.8
 kubedns_image_repo: "gcr.io/google_containers/k8s-dns-kube-dns-amd64"
 kubedns_image_tag: "{{ kubedns_version }}"
 dnsmasq_nanny_image_repo: "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64"
 dnsmasq_nanny_image_tag: "{{ kubedns_version }}"
 dnsmasq_sidecar_image_repo: "gcr.io/google_containers/k8s-dns-sidecar-amd64"
 dnsmasq_sidecar_image_tag: "{{ kubedns_version }}"
-kubednsautoscaler_version: 1.1.1
+dnsmasqautoscaler_version: 1.1.2
 dnsmasqautoscaler_image_repo: "gcr.io/google_containers/cluster-proportional-autoscaler-amd64"
 dnsmasqautoscaler_image_tag: "{{ dnsmasqautoscaler_version }}"
 kubednsautoscaler_version: 1.1.2
 kubednsautoscaler_image_repo: "gcr.io/google_containers/cluster-proportional-autoscaler-amd64"
 kubednsautoscaler_image_tag: "{{ kubednsautoscaler_version }}"
 test_image_repo: busybox
@@ -99,32 +119,36 @@ kibana_version: "v4.6.1"
 kibana_image_repo: "gcr.io/google_containers/kibana"
 kibana_image_tag: "{{ kibana_version }}"
-helm_version: "v2.2.2"
+helm_version: "v2.7.2"
 helm_image_repo: "lachlanevenson/k8s-helm"
 helm_image_tag: "{{ helm_version }}"
 tiller_version: "{{ helm_version }}"
 tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
-tiller_image_tag: "{{ tiller_version }}"
+tiller_image_tag: "{{ helm_version }}"
 vault_image_repo: "vault"
 vault_image_tag: "{{ vault_version }}"
 downloads:
  netcheck_server:
    enabled: "{{ deploy_netchecker }}"
    container: true
    repo: "{{ netcheck_server_img_repo }}"
    tag: "{{ netcheck_server_tag }}"
    sha256: "{{ netcheck_server_digest_checksum|default(None) }}"
    enabled: "{{ deploy_netchecker|bool }}"
  netcheck_agent:
    enabled: "{{ deploy_netchecker }}"
    container: true
    repo: "{{ netcheck_agent_img_repo }}"
    tag: "{{ netcheck_agent_tag }}"
    sha256: "{{ netcheck_agent_digest_checksum|default(None) }}"
    enabled: "{{ deploy_netchecker|bool }}"
  etcd:
    enabled: true
    container: true
    repo: "{{ etcd_image_repo }}"
    tag: "{{ etcd_image_tag }}"
    sha256: "{{ etcd_digest_checksum|default(None) }}"
  kubeadm:
    enabled: "{{ kubeadm_enabled }}"
    file: true
    version: "{{ kubeadm_version }}"
    dest: "kubeadm"
    sha256: "{{ kubeadm_checksum }}"
@@ -133,146 +157,197 @@ downloads:
    unarchive: false
    owner: "root"
    mode: "0755"
  istioctl:
    enabled: "{{ istio_enabled }}"
    file: true
    version: "{{ istio_version }}"
    dest: "istio/istioctl"
    sha256: "{{ istioctl_checksum }}"
    source_url: "{{ istioctl_download_url }}"
    url: "{{ istioctl_download_url }}"
    unarchive: false
    owner: "root"
    mode: "0755"
  hyperkube:
    enabled: true
    container: true
    repo: "{{ hyperkube_image_repo }}"
    tag: "{{ hyperkube_image_tag }}"
    sha256: "{{ hyperkube_digest_checksum|default(None) }}"
  flannel:
    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ flannel_image_repo }}"
    tag: "{{ flannel_image_tag }}"
    sha256: "{{ flannel_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
  flannel_cni:
    enabled: "{{ kube_network_plugin == 'flannel' }}"
    container: true
    repo: "{{ flannel_cni_image_repo }}"
    tag: "{{ flannel_cni_image_tag }}"
    sha256: "{{ flannel_cni_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'flannel' }}"
  calicoctl:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calicoctl_image_repo }}"
    tag: "{{ calicoctl_image_tag }}"
    sha256: "{{ calicoctl_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
  calico_node:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_node_image_repo }}"
    tag: "{{ calico_node_image_tag }}"
    sha256: "{{ calico_node_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
  calico_cni:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_cni_image_repo }}"
    tag: "{{ calico_cni_image_tag }}"
    sha256: "{{ calico_cni_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
  calico_policy:
    enabled: "{{ enable_network_policy or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_policy_image_repo }}"
    tag: "{{ calico_policy_image_tag }}"
    sha256: "{{ calico_policy_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'canal' }}"
  calico_rr:
    enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr}} and kube_network_plugin == 'calico'"
    container: true
    repo: "{{ calico_rr_image_repo }}"
    tag: "{{ calico_rr_image_tag }}"
    sha256: "{{ calico_rr_digest_checksum|default(None) }}"
    enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr}} and kube_network_plugin == 'calico'"
  weave_kube:
    enabled: "{{ kube_network_plugin == 'weave' }}"
    container: true
    repo: "{{ weave_kube_image_repo }}"
    tag: "{{ weave_kube_image_tag }}"
    sha256: "{{ weave_kube_digest_checksum|default(None) }}"
    enabled: "{{ kube_network_plugin == 'weave' }}"
  weave_npc:
    enabled: "{{ kube_network_plugin == 'weave' }}"
    container: true
    repo: "{{ weave_npc_image_repo }}"
    tag: "{{ weave_npc_image_tag }}"
    sha256: "{{ weave_npc_digest_checksum|default(None) }}"
-    enabled: "{{ kube_network_plugin == 'weave' }}"
+  contiv:
    enabled: "{{ kube_network_plugin == 'contiv' }}"
    container: true
    repo: "{{ contiv_image_repo }}"
    tag: "{{ contiv_image_tag }}"
    sha256: "{{ contiv_digest_checksum|default(None) }}"
  contiv_auth_proxy:
    enabled: "{{ kube_network_plugin == 'contiv' }}"
    container: true
    repo: "{{ contiv_auth_proxy_image_repo }}"
    tag: "{{ contiv_auth_proxy_image_tag }}"
    sha256: "{{ contiv_auth_proxy_digest_checksum|default(None) }}"
  pod_infra:
    enabled: true
    container: true
    repo: "{{ pod_infra_image_repo }}"
    tag: "{{ pod_infra_image_tag }}"
    sha256: "{{ pod_infra_digest_checksum|default(None) }}"
  install_socat:
    enabled: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] }}"
    container: true
    repo: "{{ install_socat_image_repo }}"
    tag: "{{ install_socat_image_tag }}"
    sha256: "{{ install_socat_digest_checksum|default(None) }}"
  nginx:
    enabled: true
    container: true
    repo: "{{ nginx_image_repo }}"
    tag: "{{ nginx_image_tag }}"
    sha256: "{{ nginx_digest_checksum|default(None) }}"
  dnsmasq:
    enabled: "{{ dns_mode == 'dnsmasq_kubedns' }}"
    container: true
    repo: "{{ dnsmasq_image_repo }}"
    tag: "{{ dnsmasq_image_tag }}"
    sha256: "{{ dnsmasq_digest_checksum|default(None) }}"
  kubedns:
    enabled: true
    container: true
    repo: "{{ kubedns_image_repo }}"
    tag: "{{ kubedns_image_tag }}"
    sha256: "{{ kubedns_digest_checksum|default(None) }}"
  dnsmasq_nanny:
    enabled: true
    container: true
    repo: "{{ dnsmasq_nanny_image_repo }}"
    tag: "{{ dnsmasq_nanny_image_tag }}"
    sha256: "{{ dnsmasq_nanny_digest_checksum|default(None) }}"
  dnsmasq_sidecar:
    enabled: true
    container: true
    repo: "{{ dnsmasq_sidecar_image_repo }}"
    tag: "{{ dnsmasq_sidecar_image_tag }}"
    sha256: "{{ dnsmasq_sidecar_digest_checksum|default(None) }}"
  kubednsautoscaler:
    enabled: true
    container: true
    repo: "{{ kubednsautoscaler_image_repo }}"
    tag: "{{ kubednsautoscaler_image_tag }}"
    sha256: "{{ kubednsautoscaler_digest_checksum|default(None) }}"
  testbox:
    enabled: true
    container: true
    repo: "{{ test_image_repo }}"
    tag: "{{ test_image_tag }}"
    sha256: "{{ testbox_digest_checksum|default(None) }}"
  elasticsearch:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ elasticsearch_image_repo }}"
    tag: "{{ elasticsearch_image_tag }}"
    sha256: "{{ elasticsearch_digest_checksum|default(None) }}"
  fluentd:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ fluentd_image_repo }}"
    tag: "{{ fluentd_image_tag }}"
    sha256: "{{ fluentd_digest_checksum|default(None) }}"
  kibana:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ kibana_image_repo }}"
    tag: "{{ kibana_image_tag }}"
    sha256: "{{ kibana_digest_checksum|default(None) }}"
  helm:
    enabled: "{{ helm_enabled }}"
    container: true
    repo: "{{ helm_image_repo }}"
    tag: "{{ helm_image_tag }}"
    sha256: "{{ helm_digest_checksum|default(None) }}"
  tiller:
    enabled: "{{ helm_enabled }}"
    container: true
    repo: "{{ tiller_image_repo }}"
    tag: "{{ tiller_image_tag }}"
    sha256: "{{ tiller_digest_checksum|default(None) }}"
  vault:
    enabled: "{{ cert_management == 'vault' }}"
    container: "{{ vault_deployment_type != 'host' }}"
    file: "{{ vault_deployment_type == 'host' }}"
    dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
    mode: "0755"
    owner: "vault"
    repo: "{{ vault_image_repo }}"
    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
    source_url: "{{ vault_download_url }}"
    tag: "{{ vault_image_tag }}"
    unarchive: true
    url: "{{ vault_download_url }}"
    version: "{{ vault_version }}"
-download:
+download_defaults:
-  container: "{{ file.container|default('false') }}"
+  container: false
-  repo: "{{ file.repo|default(None) }}"
+  file: false
-  tag: "{{ file.tag|default(None) }}"
+  repo: None
-  enabled: "{{ file.enabled|default('true') }}"
+  tag: None
-  dest: "{{ file.dest|default(None) }}"
+  enabled: false
-  version: "{{ file.version|default(None) }}"
+  dest: None
-  sha256: "{{ file.sha256|default(None) }}"
+  version: None
-  source_url: "{{ file.source_url|default(None) }}"
+  url: None
-  url: "{{ file.url|default(None) }}"
+  unarchive: false
-  unarchive: "{{ file.unarchive|default('false') }}"
+  owner: kube
-  owner: "{{ file.owner|default('kube') }}"
+  mode: None
  mode: "{{ file.mode|default(None) }}"
--- a/roles/download/meta/main.yml
+++ b/roles/download/meta/main.yml
@@ -0,0 +1,2 @@
 ---
 allow_duplicates: true
--- a/roles/download/tasks/download_container.yml
+++ b/roles/download/tasks/download_container.yml
@@ -0,0 +1,40 @@
 ---
 - name: container_download | Make download decision if pull is required by tag or sha256
  include_tasks: set_docker_image_facts.yml
  delegate_to: "{{ download_delegate if download_run_once or omit }}"
  delegate_facts: no
  run_once: "{{ download_run_once }}"
  when:
    - download.enabled
    - download.container
  tags:
    - facts
 # FIXME(mattymo): In Ansible 2.4 omitting download delegate is broken. Move back
 #                 to one task in the future.
 - name: container_download | Download containers if pull is required or told to always pull (delegate)
  command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
  register: pull_task_result
  until: pull_task_result|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - download_run_once
    - download.enabled
    - download.container
    - pull_required|default(download_always_pull)
  delegate_to: "{{ download_delegate }}"
  delegate_facts: yes
  run_once: yes
 - name: container_download | Download containers if pull is required or told to always pull (all nodes)
  command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
  register: pull_task_result
  until: pull_task_result|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - not download_run_once
    - download.enabled
    - download.container
    - pull_required|default(download_always_pull)
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -0,0 +1,42 @@
 ---
 - name: file_download | Downloading...
  debug:
    msg:
      - "URL: {{ download.url }}"
      - "Dest: {{ download.dest }}"
 - name: file_download | Create dest directory
  file:
    path: "{{local_release_dir}}/{{download.dest|dirname}}"
    state: directory
    recurse: yes
  when:
    - download.enabled
    - download.file
 - name: file_download | Download item
  get_url:
    url: "{{download.url}}"
    dest: "{{local_release_dir}}/{{download.dest}}"
    sha256sum: "{{download.sha256 | default(omit)}}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
  register: get_url_result
  until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - download.enabled
    - download.file
 - name: file_download | Extract archives
  unarchive:
    src: "{{ local_release_dir }}/{{download.dest}}"
    dest: "{{ local_release_dir }}/{{download.dest|dirname}}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
    copy: no
  when:
    - download.enabled
    - download.file
    - download.unarchive|default(False)
--- a/roles/download/tasks/download_prep.yml
+++ b/roles/download/tasks/download_prep.yml
@@ -0,0 +1,32 @@
 ---
 - name: Register docker images info
  raw: >-
    {{ docker_bin_dir }}/docker images -q | xargs {{ docker_bin_dir }}/docker inspect -f "{{ '{{' }} (index .RepoTags 0) {{ '}}' }},{{ '{{' }} (index .RepoDigests 0) {{ '}}' }}" | tr '\n' ','
  no_log: true
  register: docker_images
  failed_when: false
  changed_when: false
  check_mode: no
 - name: container_download | Create dest directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
    mode: 0755
    owner: "{{ansible_ssh_user|default(ansible_user_id)}}"
 - name: container_download | create local directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
  delegate_to: localhost
  delegate_facts: false
  become: false
  run_once: true
  when:
    - download_run_once
    - download_delegate == 'localhost'
  tags:
    - localhost
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -1,201 +1,24 @@
 ---
- name: file_download | Create dest directories
+- include_tasks: download_prep.yml
  file:
    path: "{{local_release_dir}}/{{download.dest|dirname}}"
    state: directory
    recurse: yes
  when:
-    - download.enabled|bool
+    - not skip_downloads|default(false)
    - not download.container|bool
  tags: bootstrap-os
- name: file_download | Download item
+- name: "Download items"
-  get_url:
+  include_tasks: "download_{% if download.container %}container{% else %}file{% endif %}.yml"
-    url: "{{download.url}}"
+  vars:
-    dest: "{{local_release_dir}}/{{download.dest}}"
+    download: "{{ download_defaults | combine(item.value) }}"
-    sha256sum: "{{download.sha256 | default(omit)}}"
+  with_dict: "{{ downloads }}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
  register: get_url_result
  until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
-    - download.enabled|bool
+    - not skip_downloads|default(false)
-    - not download.container|bool
+    - item.value.enabled
- name: file_download | Extract archives
+- name: "Sync container"
-  unarchive:
+  include_tasks: sync_container.yml
-    src: "{{ local_release_dir }}/{{download.dest}}"
+  vars:
-    dest: "{{ local_release_dir }}/{{download.dest|dirname}}"
+    download: "{{ download_defaults | combine(item.value) }}"
-    owner: "{{ download.owner|default(omit) }}"
+  with_dict: "{{ downloads }}"
    mode: "{{ download.mode|default(omit) }}"
    copy: no
  when:
-    - download.enabled|bool
+    - not skip_downloads|default(false)
-    - not download.container|bool
+    - item.value.enabled
-    - download.unarchive|default(False)
+    - item.value.container
-
+    - download_run_once
 - name: file_download | Fix permissions
  file:
    state: file
    path: "{{local_release_dir}}/{{download.dest}}"
    owner: "{{ download.owner|default(omit) }}"
    mode: "{{ download.mode|default(omit) }}"
  when:
    - download.enabled|bool
    - not download.container|bool
    - (download.unarchive is not defined or download.unarchive == False)
 - set_fact:
    download_delegate: "{% if download_localhost|bool %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
  run_once: true
  tags: facts
 - name: container_download | Create dest directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
    mode: 0755
    owner: "{{ansible_ssh_user|default(ansible_user_id)}}"
  when:
    - download.enabled|bool
    - download.container|bool
  tags: bootstrap-os
 # This is required for the download_localhost delegate to work smooth with Container Linux by CoreOS cluster nodes
 - name: container_download | Hack python binary path for localhost
  raw: sh -c "mkdir -p /opt/bin; ln -sf /usr/bin/python /opt/bin/python"
  delegate_to: localhost
  when: download_delegate == 'localhost'
  failed_when: false
  tags: localhost
 - name: container_download | create local directory for saved/loaded container images
  file:
    path: "{{local_release_dir}}/containers"
    state: directory
    recurse: yes
  delegate_to: localhost
  become: false
  run_once: true
  when:
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
    - download_delegate == 'localhost'
  tags: localhost
 - name: container_download | Make download decision if pull is required by tag or sha256
  include: set_docker_image_facts.yml
  when:
    - download.enabled|bool
    - download.container|bool
  delegate_to: "{{ download_delegate if download_run_once|bool or omit }}"
  run_once: "{{ download_run_once|bool }}"
  tags: facts
 - name: container_download | Download containers if pull is required or told to always pull
  command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
  register: pull_task_result
  until: pull_task_result|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - download.enabled|bool
    - download.container|bool
    - pull_required|bool|default(download_always_pull)
  delegate_to: "{{ download_delegate if download_run_once|bool or omit }}"
  run_once: "{{ download_run_once|bool }}"
 - set_fact:
    fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar"
  run_once: true
  tags: facts
 - name: "container_download | Set default value for 'container_changed' to false"
  set_fact:
    container_changed: "{{pull_required|default(false)|bool}}"
 - name: "container_download | Update the 'container_changed' fact"
  set_fact:
    container_changed: "{{ pull_required|bool|default(false) or not 'up to date' in pull_task_result.stdout }}"
  when:
    - download.enabled|bool
    - download.container|bool
    - pull_required|bool|default(download_always_pull)
  run_once: "{{ download_run_once|bool }}"
  tags: facts
 - name: container_download | Stat saved container image
  stat:
    path: "{{fname}}"
  register: img
  changed_when: false
  when:
    - download.enabled|bool
    - download.container|bool
    - download_run_once|bool
  delegate_to: "{{ download_delegate }}"
  become: false
  run_once: true
  tags: facts
 - name: container_download | save container images
  shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}"
  delegate_to: "{{ download_delegate }}"
  register: saved
  run_once: true
  when:
    - (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or download_delegate == "localhost")
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
    - (container_changed|bool or not img.stat.exists)
 - name: container_download | copy container images to ansible host
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    mode: pull
  delegate_to: localhost
  become: false
  when:
    - not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
    - inventory_hostname == groups['kube-master'][0]
    - download_delegate != "localhost"
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
    - saved.changed
 - name: container_download | upload container images to nodes
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    mode: push
  delegate_to: localhost
  become: false
  register: get_task
  until: get_task|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != groups['kube-master'][0] or
      download_delegate == "localhost")
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
  tags: [upload, upgrade]
 - name: container_download | load container images
  shell: "{{ docker_bin_dir }}/docker load < {{ fname }}"
  when:
    - (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != groups['kube-master'][0] or download_delegate == "localhost")
    - download_run_once|bool
    - download.enabled|bool
    - download.container|bool
  tags: [upload, upgrade]
--- a/roles/download/tasks/set_docker_image_facts.yml
+++ b/roles/download/tasks/set_docker_image_facts.yml
@@ -5,7 +5,7 @@
 - set_fact:
    pull_args: >-
-      {%- if pull_by_digest|bool %}{{download.repo}}@sha256:{{download.sha256}}{%- else -%}{{download.repo}}:{{download.tag}}{%- endif -%}
+      {%- if pull_by_digest %}{{download.repo}}@sha256:{{download.sha256}}{%- else -%}{{download.repo}}:{{download.tag}}{%- endif -%}
 - name: Register docker images info
  raw: >-
@@ -15,16 +15,16 @@
  failed_when: false
  changed_when: false
  check_mode: no
-  when: not download_always_pull|bool
+  when: not download_always_pull
 - set_fact:
    pull_required: >-
      {%- if pull_args in docker_images.stdout.split(',') %}false{%- else -%}true{%- endif -%}
-  when: not download_always_pull|bool
+  when: not download_always_pull
 - name: Check the local digest sha256 corresponds to the given image tag
  assert:
    that: "{{download.repo}}:{{download.tag}} in docker_images.stdout.split(',')"
-  when: not download_always_pull|bool and not pull_required|bool and pull_by_digest|bool
+  when: not download_always_pull and not pull_required and pull_by_digest
  tags:
    - asserts
--- a/roles/download/tasks/sync_container.yml
+++ b/roles/download/tasks/sync_container.yml
@@ -0,0 +1,125 @@
 ---
 - name: container_download | Make download decision if pull is required by tag or sha256
  include: set_docker_image_facts.yml
  delegate_to: "{{ download_delegate if download_run_once or omit }}"
  delegate_facts: no
  run_once: "{{ download_run_once }}"
  when:
    - download.enabled
    - download.container
  tags:
    - facts
 - set_fact:
    fname: "{{local_release_dir}}/containers/{{download.repo|regex_replace('/|\0|:', '_')}}:{{download.tag|default(download.sha256)|regex_replace('/|\0|:', '_')}}.tar"
  run_once: true
  when:
    - download.enabled
    - download.container
    - download_run_once
  tags:
    - facts
 - name: "container_download | Set default value for 'container_changed' to false"
  set_fact:
    container_changed: "{{pull_required|default(false)}}"
  when:
    - download.enabled
    - download.container
    - download_run_once
 - name: "container_download | Update the 'container_changed' fact"
  set_fact:
    container_changed: "{{ pull_required|default(false) or not 'up to date' in pull_task_result.stdout }}"
  when:
    - download.enabled
    - download.container
    - download_run_once
    - pull_required|default(download_always_pull)
  run_once: "{{ download_run_once }}"
  tags:
    - facts
 - name: container_download | Stat saved container image
  stat:
    path: "{{fname}}"
  register: img
  changed_when: false
  delegate_to: "{{ download_delegate }}"
  delegate_facts: no
  become: false
  run_once: true
  when:
    - download.enabled
    - download.container
    - download_run_once
  tags:
    - facts
 - name: container_download | save container images
  shell: "{{ docker_bin_dir }}/docker save {{ pull_args }} | gzip -{{ download_compress }} > {{ fname }}"
  delegate_to: "{{ download_delegate }}"
  delegate_facts: no
  register: saved
  run_once: true
  when:
    - download.enabled
    - download.container
    - download_run_once
    - (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] or download_delegate == "localhost")
    - (container_changed or not img.stat.exists)
 - name: container_download | copy container images to ansible host
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    use_ssh_args: "{{ has_bastion | default(false) }}"
    mode: pull
  delegate_to: localhost
  delegate_facts: no
  run_once: true
  become: false
  when:
    - download.enabled
    - download.container
    - download_run_once
    - ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"]
    - inventory_hostname == download_delegate
    - download_delegate != "localhost"
    - saved.changed
 - name: container_download | upload container images to nodes
  synchronize:
    src: "{{ fname }}"
    dest: "{{ fname }}"
    use_ssh_args: "{{ has_bastion | default(false) }}"
    mode: push
  delegate_to: localhost
  delegate_facts: no
  become: false
  register: get_task
  until: get_task|succeeded
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
    - download.enabled
    - download.container
    - download_run_once
    - (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != download_delegate or
      download_delegate == "localhost")
  tags:
    - upload
    - upgrade
 - name: container_download | load container images
  shell: "{{ docker_bin_dir }}/docker load < {{ fname }}"
  when:
    - download.enabled
    - download.container
    - download_run_once
    - (ansible_os_family not in ["CoreOS", "Container Linux by CoreOS"] and
      inventory_hostname != download_delegate or download_delegate == "localhost")
  tags:
    - upload
    - upgrade
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -8,6 +8,13 @@ etcd_data_dir: "/var/lib/etcd"
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
 etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
 etcd_cert_alt_names:
  - "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
  - "etcd.{{ system_namespace }}.svc"
  - "etcd.{{ system_namespace }}"
  - "etcd"
 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
@@ -17,7 +24,8 @@ etcd_election_timeout: "5000"
 etcd_metrics: "basic"
 # Limits
-etcd_memory_limit: 512M
+# Limit memory only if <4GB memory on host. 0=unlimited
 etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"
 # Uncomment to set CPU share for etcd
 # etcd_cpu_limit: 300m
@@ -29,3 +37,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
 etcd_compaction_retention: "8"
 etcd_vault_mount_path: etcd
 # Force clients like etcdctl to use TLS certs (different than peer security)
 etcd_secure_client: true
--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -48,5 +48,7 @@
      snapshot save {{ etcd_backup_directory }}/snapshot.db
  environment:
    ETCDCTL_API: 3
    ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
    ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
  retries: 3
  delay: "{{ retry_stagger | random + 3 }}"
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
@@ -7,7 +7,7 @@
    - reload etcd
    - wait for etcd up
- include: backup.yml
+- import_tasks: backup.yml
 - name: etcd | reload systemd
  command: systemctl daemon-reload
@@ -22,6 +22,8 @@
  uri:
    url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
    validate_certs: no
    client_cert: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
    client_key: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
  register: result
  until: result.status is defined and result.status == 200
  retries: 10
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -3,8 +3,5 @@ dependencies:
  - role: adduser
    user: "{{ addusers.etcd }}"
    when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
  - role: download
    file: "{{ downloads.etcd }}"
    tags: download
 # NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@@ -26,7 +26,7 @@
 - name: "Check_certs | Set 'gen_certs' to true"
  set_fact:
    gen_certs: true
-  when: "not '{{ item }}' in etcdcert_master.files|map(attribute='path') | list"
+  when: not item in etcdcert_master.files|map(attribute='path') | list
  run_once: true
  with_items: >-
       ['{{etcd_cert_dir}}/ca.pem',
--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -1,16 +1,16 @@
 ---
 - name: Configure | Check if member is in cluster
-  shell: "{{ bin_dir }}/etcdctl --no-sync --peers={{ etcd_access_addresses }} member list | grep -q {{ etcd_access_address }}"
+  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_access_addresses }} member list | grep -q {{ etcd_access_address }}"
  register: etcd_member_in_cluster
  ignore_errors: true
  changed_when: false
  check_mode: no
  when: is_etcd_master
-  tags: facts
+  tags:
-
+    - facts
- name: Configure | Add member to the cluster if it is not there
+  environment:
-  when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-  shell: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} member add {{ etcd_member_name }} {{ etcd_peer_url }}"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
 - name: Install etcd launch script
  template:
@@ -28,3 +28,12 @@
    backup: yes
  when: is_etcd_master
  notify: restart etcd
 - name: Configure | Join member(s) to cluster one at a time
  include_tasks: join_member.yml
  vars:
    target_node: "{{ item }}"
  loop_control:
    pause: 10
  with_items: "{{ groups['etcd'] }}"
  when: inventory_hostname == item and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -83,7 +83,8 @@
                    'node-{{ node }}-key.pem',
                    {% endfor %}]"
    my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
-  tags: facts
+  tags:
    - facts
 - name: Gen_certs | Gather etcd master certs
  shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`[Service]`	`[Service]`
	`Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}`	`Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}`