Weave limits (#2660 )

* Raise limits for weave * Adjust weave limits
Merge pull request #2654 from ganeshmaharaj/fix-vagrant-default-inventory
2025-12-14 13:54:37 +03:00 · 2018-04-15 18:32:49 +03:00 · 2018-04-13 19:10:42 +03:00 · 2018-04-13 18:53:39 +03:00 · 2018-04-13 17:23:10 +03:00 · 2018-04-13 09:10:21 +03:00
365 changed files with 6300 additions and 1803 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 .vagrant
 *.retry
 inventory/vagrant_ansible_inventory
+inventory/credentials/
 inventory/group_vars/fake_hosts.yml
 inventory/host_vars/
 temp
@@ -23,7 +24,7 @@ __pycache__/

 # Distribution / packaging
 .Python
-artifacts/
+inventory/*/artifacts/
 env/
 build/
 credentials/
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,14 +1,31 @@
 stages:
-  - moderator
  - unit-tests
-  - deploy-gce-part1
-  - deploy-gce-part2
-  - deploy-gce-special
+  - moderator
+  - deploy-part1
+  - deploy-part2
+  - deploy-special

 variables:
  FAILFASTCI_NAMESPACE: 'kargo-ci'
+  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-incubator__kubespray'
 #  DOCKER_HOST: tcp://localhost:2375
  ANSIBLE_FORCE_COLOR: "true"
+  MAGIC: "ci check this"
+  TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
+  CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
+  GS_ACCESS_KEY_ID: $GS_KEY
+  GS_SECRET_ACCESS_KEY: $GS_SECRET
+  CONTAINER_ENGINE: docker
+  SSH_USER: root
+  GCE_PREEMPTIBLE: "false"
+  ANSIBLE_KEEP_REMOTE_FILES: "1"
+  ANSIBLE_CONFIG: ./tests/ansible.cfg
+  ANSIBLE_INVENTORY: ./inventory/sample/${CI_JOB_NAME}-${BUILD_NUMBER}.ini
+  IDEMPOT_CHECK: "false"
+  RESET_CHECK: "false"
+  UPGRADE_TEST: "false"
+  KUBEADM_ENABLED: "false"
+  LOG_LEVEL: "-vv"

 # asia-east1-a
 # asia-northeast1-a
@@ -18,14 +35,14 @@ variables:
 # us-west1-a

 before_script:
-    - pip install -r tests/requirements.txt
+    - /usr/bin/python -m pip install -r tests/requirements.txt
    - mkdir -p /.ssh

 .job: &job
  tags:
    - kubernetes
    - docker
-  image: quay.io/ant31/kargo:master
+  image: quay.io/kubespray/kubespray:latest

 .docker_service: &docker_service
  services:
@@ -38,24 +55,17 @@ before_script:
 .gce_variables: &gce_variables
  GCE_USER: travis
  SSH_USER: $GCE_USER
-  TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
-  CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
-  CONTAINER_ENGINE: docker
-  PRIVATE_KEY: $GCE_PRIVATE_KEY
-  GS_ACCESS_KEY_ID: $GS_KEY
-  GS_SECRET_ACCESS_KEY: $GS_SECRET
  CLOUD_MACHINE_TYPE: "g1-small"
-  GCE_PREEMPTIBLE: "false"
-  ANSIBLE_KEEP_REMOTE_FILES: "1"
-  ANSIBLE_CONFIG: ./tests/ansible.cfg
-  IDEMPOT_CHECK: "false"
-  RESET_CHECK: "false"
-  UPGRADE_TEST: "false"
-  KUBEADM_ENABLED: "false"
-  LOG_LEVEL: "-vv"
-  MAGIC: "ci check this"
+  CI_PLATFORM: "gce"
+  PRIVATE_KEY: $GCE_PRIVATE_KEY

-.gce: &gce
+.do_variables: &do_variables
+  PRIVATE_KEY: $DO_PRIVATE_KEY
+  CI_PLATFORM: "do"
+  SSH_USER: root
+
+
+.testcases: &testcases
  <<: *job
  <<: *docker_service
  cache:
@@ -65,13 +75,10 @@ before_script:
      - $HOME/.cache
  before_script:
    - docker info
-    - pip install -r tests/requirements.txt
+    - /usr/bin/python -m pip install -r requirements.txt
+    - /usr/bin/python -m pip install -r tests/requirements.txt
    - mkdir -p /.ssh
    - mkdir -p $HOME/.ssh
-    - echo $PRIVATE_KEY | base64 -d > $HOME/.ssh/id_rsa
-    - echo $GCE_PEM_FILE | base64 -d > $HOME/.ssh/gce
-    - echo $GCE_CREDENTIALS > $HOME/.ssh/gce.json
-    - chmod 400 $HOME/.ssh/id_rsa
    - ansible-playbook --version
    - export PYPATH=$([[ ! "$CI_JOB_NAME" =~ "coreos" ]] && echo /usr/bin/python || echo /opt/bin/python)
    - echo "CI_JOB_NAME is $CI_JOB_NAME"
@@ -81,20 +88,12 @@ before_script:
    - ls
    - echo ${PWD}
    - echo "${STARTUP_SCRIPT}"
-    - >
-      ansible-playbook tests/cloud_playbooks/create-gce.yml -i tests/local_inventory/hosts.cfg -c local
-      ${LOG_LEVEL}
-      -e gce_credentials_file=${HOME}/.ssh/gce.json
-      -e gce_project_id=${GCE_PROJECT_ID}
-      -e gce_service_account_email=${GCE_ACCOUNT}
-      -e inventory_path=${PWD}/inventory/inventory.ini
-      -e test_id=${TEST_ID}
-      -e preemptible=$GCE_PREEMPTIBLE
+    - cd tests && make create-${CI_PLATFORM} -s ; cd -

    # Check out latest tag if testing upgrade
-    # Uncomment when gitlab kargo repo has tags
+    # Uncomment when gitlab kubespray repo has tags
    #- test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
-    - test "${UPGRADE_TEST}" != "false" && git checkout ba0a03a8ba2d97a73d06242ec4bb3c7e2012e58c
+    - test "${UPGRADE_TEST}" != "false" && git checkout f7d52564aad2ff8e337634951beb4a881c0e8aa6
    # Checkout the CI vars file so it is available
    - test "${UPGRADE_TEST}" != "false" && git checkout "${CI_BUILD_REF}" tests/files/${CI_JOB_NAME}.yml
    # Workaround https://github.com/kubernetes-incubator/kubespray/issues/2021
@@ -104,14 +103,13 @@ before_script:
    # Create cluster
    - >
      ansible-playbook
-      -i inventory/inventory.ini
+      -i ${ANSIBLE_INVENTORY}
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
-      -e ansible_python_interpreter=${PYPATH}
      -e ansible_ssh_user=${SSH_USER}
      -e local_release_dir=${PWD}/downloads
      --limit "all:!fake_hosts"
@@ -124,14 +122,13 @@ before_script:
      test "${UPGRADE_TEST}" == "graceful" && PLAYBOOK="upgrade-cluster.yml";
      git checkout "${CI_BUILD_REF}";
      ansible-playbook
-      -i inventory/inventory.ini
+      -i ${ANSIBLE_INVENTORY}
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
      ${SSH_ARGS}
      ${LOG_LEVEL}
      -e @${CI_TEST_VARS}
-      -e ansible_python_interpreter=${PYPATH}
      -e ansible_ssh_user=${SSH_USER}
      -e local_release_dir=${PWD}/downloads
      --limit "all:!fake_hosts"
@@ -141,20 +138,20 @@ before_script:
    # Tests Cases
    ## Test Master API
    - >
-      ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL
+      ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL
      -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"

    ## Ping the between 2 pod
-    - ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL
+    - ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL

    ## Advanced DNS checks
-    - ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/040_check-network-adv.yml $LOG_LEVEL
+    - ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/040_check-network-adv.yml $LOG_LEVEL

    ## Idempotency checks 1/5 (repeat deployment)
    - >
      if [ "${IDEMPOT_CHECK}" = "true" ]; then
      ansible-playbook
-      -i inventory/inventory.ini
+      -i ${ANSIBLE_INVENTORY}
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
@@ -171,7 +168,7 @@ before_script:
    - >
      if [ "${IDEMPOT_CHECK}" = "true" ]; then
      ansible-playbook
-      -i inventory/inventory.ini
+      -i ${ANSIBLE_INVENTORY}
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
@@ -186,7 +183,7 @@ before_script:
    - >
      if [ "${IDEMPOT_CHECK}" = "true" -a "${RESET_CHECK}" = "true" ]; then
      ansible-playbook
-      -i inventory/inventory.ini
+      -i ${ANSIBLE_INVENTORY}
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
@@ -203,7 +200,7 @@ before_script:
    - >
      if [ "${IDEMPOT_CHECK}" = "true" -a "${RESET_CHECK}" = "true" ]; then
      ansible-playbook
-      -i inventory/inventory.ini
+      -i ${ANSIBLE_INVENTORY}
      -b --become-user=root
      --private-key=${HOME}/.ssh/id_rsa
      -u $SSH_USER
@@ -219,111 +216,119 @@ before_script:
    ## Idempotency checks 5/5 (Advanced DNS checks)
    - >
      if [ "${IDEMPOT_CHECK}" = "true" -a "${RESET_CHECK}" = "true" ]; then
-      ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH}
+      ansible-playbook -i ${ANSIBLE_INVENTORY} -e ansible_python_interpreter=${PYPATH}
      -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root
      --limit "all:!fake_hosts"
      tests/testcases/040_check-network-adv.yml $LOG_LEVEL;
      fi

  after_script:
-    - >
-      ansible-playbook -i inventory/inventory.ini tests/cloud_playbooks/delete-gce.yml -c local  $LOG_LEVEL
-      -e @${CI_TEST_VARS}
-      -e test_id=${TEST_ID}
-      -e gce_project_id=${GCE_PROJECT_ID}
-      -e gce_service_account_email=${GCE_ACCOUNT}
-      -e gce_credentials_file=${HOME}/.ssh/gce.json
-      -e inventory_path=${PWD}/inventory/inventory.ini
+    - cd tests && make delete-${CI_PLATFORM} -s ; cd -
+
+.gce: &gce
+  <<: *testcases
+  variables:
+    <<: *gce_variables
+
+.do: &do
+  variables:
+    <<: *do_variables
+  <<: *testcases

 # Test matrix. Leave the comments for markup scripts.
 .coreos_calico_aio_variables: &coreos_calico_aio_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  UPGRADE_TEST: "graceful"

 .centos_weave_kubeadm_variables: &centos_weave_kubeadm_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  UPGRADE_TEST: "graceful"

 .ubuntu_canal_kubeadm_variables: &ubuntu_canal_kubeadm_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_contiv_sep_variables: &ubuntu_contiv_sep_variables
-# stage: deploy-gce-special
+# stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

+.coreos_cilium_variables: &coreos_cilium_variables
+# stage: deploy-special
+  MOVED_TO_GROUP_VARS: "true"
+
+.ubuntu_cilium_sep_variables: &ubuntu_cilium_sep_variables
+# stage: deploy-special
+  MOVED_TO_GROUP_VARS: "true"
+  
 .rhel7_weave_variables: &rhel7_weave_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .centos7_flannel_addons_variables: &centos7_flannel_addons_variables
-# stage: deploy-gce-part2
+# stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"

 .debian8_calico_variables: &debian8_calico_variables
-# stage: deploy-gce-part2
+# stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"

 .coreos_canal_variables: &coreos_canal_variables
-# stage: deploy-gce-part2
+# stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"

 .rhel7_canal_sep_variables: &rhel7_canal_sep_variables
-# stage: deploy-gce-special
+# stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_weave_sep_variables: &ubuntu_weave_sep_variables
-# stage: deploy-gce-special
+# stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .centos7_calico_ha_variables: &centos7_calico_ha_variables
-# stage: deploy-gce-special
+# stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .coreos_alpha_weave_ha_variables: &coreos_alpha_weave_ha_variables
-# stage: deploy-gce-special
+# stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_rkt_sep_variables: &ubuntu_rkt_sep_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
-# stage: deploy-gce-part1
+# stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"

 .ubuntu_flannel_variables: &ubuntu_flannel_variables
-# stage: deploy-gce-special
+# stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"

+.opensuse_canal_variables: &opensuse_canal_variables
+# stage: deploy-part2
+  MOVED_TO_GROUP_VARS: "true"
+
+
 # Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
-coreos-calico-aio:
-  stage: deploy-gce-part1
+### PR JOBS PART1
+gce_coreos-calico-aio:
+  stage: deploy-part1
  <<: *job
  <<: *gce
  variables:
-    <<: *gce_variables
    <<: *coreos_calico_aio_variables
+    <<: *gce_variables
  when: on_success
  except: ['triggers']
  only: [/^pr-.*$/]

-coreos-calico-sep-triggers:
-  stage: deploy-gce-part1
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *coreos_calico_aio_variables
-  when: on_success
-  only: ['triggers']
-
-centos7-flannel-addons:
-  stage: deploy-gce-part2
+### PR JOBS PART2
+gce_centos7-flannel-addons:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -333,18 +338,8 @@ centos7-flannel-addons:
  except: ['triggers']
  only: [/^pr-.*$/]

-centos7-flannel-addons-triggers:
-  stage: deploy-gce-part1
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *centos7_flannel_addons_variables
-  when: on_success
-  only: ['triggers']
-
-ubuntu-weave-sep:
-  stage: deploy-gce-special
+gce_ubuntu-weave-sep:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -354,8 +349,40 @@ ubuntu-weave-sep:
  except: ['triggers']
  only: [/^pr-.*$/]

-ubuntu-weave-sep-triggers:
-  stage: deploy-gce-part1
+### MANUAL JOBS
+gce_coreos-calico-sep-triggers:
+  stage: deploy-part2
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *coreos_calico_aio_variables
+  when: on_success
+  only: ['triggers']
+
+gce_ubuntu-canal-ha-triggers:
+  stage: deploy-part2
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *ubuntu_canal_ha_variables
+  when: on_success
+  only: ['triggers']
+
+gce_centos7-flannel-addons-triggers:
+  stage: deploy-part2
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *centos7_flannel_addons_variables
+  when: on_success
+  only: ['triggers']
+
+
+gce_ubuntu-weave-sep-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -365,8 +392,18 @@ ubuntu-weave-sep-triggers:
  only: ['triggers']

 # More builds for PRs/merges (manual) and triggers (auto)
-ubuntu-canal-ha:
-  stage: deploy-gce-part1
+do_ubuntu-canal-ha:
+  stage: deploy-part2
+  <<: *job
+  <<: *do
+  variables:
+    <<: *do_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
+gce_ubuntu-canal-ha:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -376,18 +413,8 @@ ubuntu-canal-ha:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-ubuntu-canal-ha-triggers:
-  stage: deploy-gce-part1
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *ubuntu_canal_ha_variables
-  when: on_success
-  only: ['triggers']
-
-ubuntu-canal-kubeadm:
-  stage: deploy-gce-part1
+gce_ubuntu-canal-kubeadm:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -397,8 +424,8 @@ ubuntu-canal-kubeadm:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-ubuntu-canal-kubeadm-triggers:
-  stage: deploy-gce-part1
+gce_ubuntu-canal-kubeadm-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -407,8 +434,8 @@ ubuntu-canal-kubeadm-triggers:
  when: on_success
  only: ['triggers']

-centos-weave-kubeadm:
-  stage: deploy-gce-part1
+gce_centos-weave-kubeadm:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -418,8 +445,8 @@ centos-weave-kubeadm:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-centos-weave-kubeadm-triggers:
-  stage: deploy-gce-part1
+gce_centos-weave-kubeadm-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -428,8 +455,8 @@ centos-weave-kubeadm-triggers:
  when: on_success
  only: ['triggers']

-ubuntu-contiv-sep:
-  stage: deploy-gce-special
+gce_ubuntu-contiv-sep:
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -439,8 +466,30 @@ ubuntu-contiv-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-rhel7-weave:
-  stage: deploy-gce-part1
+gce_coreos-cilium:
+  stage: deploy-special
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *coreos_cilium_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
+gce_ubuntu-cilium-sep:
+  stage: deploy-special
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *ubuntu_cilium_sep_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
+gce_rhel7-weave:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -450,8 +499,8 @@ rhel7-weave:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-rhel7-weave-triggers:
-  stage: deploy-gce-part1
+gce_rhel7-weave-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -460,8 +509,8 @@ rhel7-weave-triggers:
  when: on_success
  only: ['triggers']

-debian8-calico-upgrade:
-  stage: deploy-gce-part2
+gce_debian8-calico-upgrade:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -471,8 +520,8 @@ debian8-calico-upgrade:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-debian8-calico-triggers:
-  stage: deploy-gce-part1
+gce_debian8-calico-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -481,8 +530,8 @@ debian8-calico-triggers:
  when: on_success
  only: ['triggers']

-coreos-canal:
-  stage: deploy-gce-part2
+gce_coreos-canal:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -492,8 +541,8 @@ coreos-canal:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-coreos-canal-triggers:
-  stage: deploy-gce-part1
+gce_coreos-canal-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -502,8 +551,8 @@ coreos-canal-triggers:
  when: on_success
  only: ['triggers']

-rhel7-canal-sep:
-  stage: deploy-gce-special
+gce_rhel7-canal-sep:
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -513,8 +562,8 @@ rhel7-canal-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/,]

-rhel7-canal-sep-triggers:
-  stage: deploy-gce-part1
+gce_rhel7-canal-sep-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -523,8 +572,8 @@ rhel7-canal-sep-triggers:
  when: on_success
  only: ['triggers']

-centos7-calico-ha:
-  stage: deploy-gce-special
+gce_centos7-calico-ha:
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -534,8 +583,8 @@ centos7-calico-ha:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-centos7-calico-ha-triggers:
-  stage: deploy-gce-part1
+gce_centos7-calico-ha-triggers:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -544,9 +593,20 @@ centos7-calico-ha-triggers:
  when: on_success
  only: ['triggers']

+gce_opensuse-canal:
+  stage: deploy-part2
+  <<: *job
+  <<: *gce
+  variables:
+    <<: *gce_variables
+    <<: *opensuse_canal_variables
+  when: manual
+  except: ['triggers']
+  only: ['master', /^pr-.*$/]
+
 # no triggers yet https://github.com/kubernetes-incubator/kargo/issues/613
-coreos-alpha-weave-ha:
-  stage: deploy-gce-special
+gce_coreos-alpha-weave-ha:
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -556,8 +616,8 @@ coreos-alpha-weave-ha:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-ubuntu-rkt-sep:
-  stage: deploy-gce-part1
+gce_ubuntu-rkt-sep:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -567,8 +627,8 @@ ubuntu-rkt-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-ubuntu-vault-sep:
-  stage: deploy-gce-part1
+gce_ubuntu-vault-sep:
+  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
@@ -578,8 +638,8 @@ ubuntu-vault-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/]

-ubuntu-flannel-sep:
-  stage: deploy-gce-special
+gce_ubuntu-flannel-sep:
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
--- a/16
+++ b/16
@@ -0,0 +1,16 @@
+FROM ubuntu:16.04
+
+RUN mkdir /kubespray
+WORKDIR /kubespray
+RUN apt update -y && \
+    apt install -y \
+    libssl-dev python-dev sshpass apt-transport-https \
+    ca-certificates curl gnupg2 software-properties-common python-pip
+RUN  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
+     add-apt-repository \
+     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+     $(lsb_release -cs) \
+     stable" \
+     && apt update -y && apt-get install docker-ce -y
+COPY . .
+RUN /usr/bin/python -m pip install pip -U && /usr/bin/python -m pip install -r tests/requirements.txt && python -m pip install -r requirements.txt
--- a/README.md
+++ b/README.md
@@ -1,68 +1,93 @@
 ![Kubernetes Logo](https://s28.postimg.org/lf3q4ocpp/k8s.png)

-## Deploy a production ready kubernetes cluster
+Deploy a Production Ready Kubernetes Cluster
+============================================

-If you have questions, join us on the [kubernetes slack](https://kubernetes.slack.com), channel **#kubespray**.
+If you have questions, join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.

- Can be deployed on **AWS, GCE, Azure, OpenStack or Baremetal**
- **High available** cluster
- **Composable** (Choice of the network plugin for instance)
- Support most popular **Linux distributions**
- **Continuous integration tests**
+-   Can be deployed on **AWS, GCE, Azure, OpenStack, vSphere or Baremetal**
+-   **High available** cluster
+-   **Composable** (Choice of the network plugin for instance)
+-   Support most popular **Linux distributions**
+-   **Continuous integration tests**

+Quick Start
+-----------

 To deploy the cluster you can use :

-[**kubespray-cli**](https://github.com/kubespray/kubespray-cli) <br>
-**Ansible** usual commands and [**inventory builder**](https://github.com/kubernetes-incubator/kubespray/blob/master/contrib/inventory_builder/inventory.py) <br>
-**vagrant** by simply running `vagrant up` (for tests purposes) <br>
+### Ansible

+    # Copy ``inventory/sample`` as ``inventory/mycluster``
+    cp -rfp inventory/sample inventory/mycluster

-*  [Requirements](#requirements)
-*  [Kubespray vs ...](docs/comparisons.md)
-*  [Getting started](docs/getting-started.md)
-*  [Ansible inventory and tags](docs/ansible.md)
-*  [Integration with existing ansible repo](docs/integration.md)
-*  [Deployment data variables](docs/vars.md)
-*  [DNS stack](docs/dns-stack.md)
-*  [HA mode](docs/ha-mode.md)
-*  [Network plugins](#network-plugins)
-*  [Vagrant install](docs/vagrant.md)
-*  [CoreOS bootstrap](docs/coreos.md)
-*  [Debian Jessie setup](docs/debian.md)
-*  [Downloaded artifacts](docs/downloads.md)
-*  [Cloud providers](docs/cloud.md)
-*  [OpenStack](docs/openstack.md)
-*  [AWS](docs/aws.md)
-*  [Azure](docs/azure.md)
-*  [vSphere](docs/vsphere.md)
-*  [Large deployments](docs/large-deployments.md)
-*  [Upgrades basics](docs/upgrades.md)
-*  [Roadmap](docs/roadmap.md)
+    # Update Ansible inventory file with inventory builder
+    declare -a IPS=(10.10.1.3 10.10.1.4 10.10.1.5)
+    CONFIG_FILE=inventory/mycluster/hosts.ini python3 contrib/inventory_builder/inventory.py ${IPS[@]}

-Supported Linux distributions
-===============
+    # Review and change parameters under ``inventory/mycluster/group_vars``
+    cat inventory/mycluster/group_vars/all.yml
+    cat inventory/mycluster/group_vars/k8s-cluster.yml

-* **Container Linux by CoreOS**
-* **Debian** Jessie
-* **Ubuntu** 16.04
-* **CentOS/RHEL** 7
+    # Deploy Kubespray with Ansible Playbook
+    ansible-playbook -i inventory/mycluster/hosts.ini cluster.yml
+
+### Vagrant
+
+    # Simply running `vagrant up` (for tests purposes)
+    vagrant up
+
+Documents
+---------
+
+-   [Requirements](#requirements)
+-   [Kubespray vs ...](docs/comparisons.md)
+-   [Getting started](docs/getting-started.md)
+-   [Ansible inventory and tags](docs/ansible.md)
+-   [Integration with existing ansible repo](docs/integration.md)
+-   [Deployment data variables](docs/vars.md)
+-   [DNS stack](docs/dns-stack.md)
+-   [HA mode](docs/ha-mode.md)
+-   [Network plugins](#network-plugins)
+-   [Vagrant install](docs/vagrant.md)
+-   [CoreOS bootstrap](docs/coreos.md)
+-   [Debian Jessie setup](docs/debian.md)
+-   [openSUSE setup](docs/opensuse.md)
+-   [Downloaded artifacts](docs/downloads.md)
+-   [Cloud providers](docs/cloud.md)
+-   [OpenStack](docs/openstack.md)
+-   [AWS](docs/aws.md)
+-   [Azure](docs/azure.md)
+-   [vSphere](docs/vsphere.md)
+-   [Large deployments](docs/large-deployments.md)
+-   [Upgrades basics](docs/upgrades.md)
+-   [Roadmap](docs/roadmap.md)
+
+Supported Linux Distributions
+-----------------------------
+
+-   **Container Linux by CoreOS**
+-   **Debian** Jessie, Stretch, Wheezy
+-   **Ubuntu** 16.04
+-   **CentOS/RHEL** 7
+-   **Fedora/CentOS** Atomic
+-   **openSUSE** Leap 42.3/Tumbleweed

 Note: Upstart/SysV init based OS types are not supported.

 Versions of supported components
 --------------------------------

-
-[kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.9.2 <br>
-[etcd](https://github.com/coreos/etcd/releases) v3.2.4 <br>
-[flanneld](https://github.com/coreos/flannel/releases) v0.8.0 <br>
-[calico](https://docs.projectcalico.org/v2.5/releases/) v2.5.0 <br>
-[canal](https://github.com/projectcalico/canal) (given calico/flannel versions) <br>
-[contiv](https://github.com/contiv/install/releases) v1.0.3 <br>
-[weave](http://weave.works/) v2.0.1 <br>
-[docker](https://www.docker.com/) v1.13 (see note)<br>
-[rkt](https://coreos.com/rkt/docs/latest/) v1.21.0 (see Note 2)<br>
+-   [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.9.5
+-   [etcd](https://github.com/coreos/etcd/releases) v3.2.4
+-   [flanneld](https://github.com/coreos/flannel/releases) v0.10.0
+-   [calico](https://docs.projectcalico.org/v2.6/releases/) v2.6.8
+-   [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
+-   [cilium](https://github.com/cilium/cilium) v1.0.0-rc8
+-   [contiv](https://github.com/contiv/install/releases) v1.1.7
+-   [weave](http://weave.works/) v2.2.1
+-   [docker](https://www.docker.com/) v17.03 (see note)
+-   [rkt](https://coreos.com/rkt/docs/latest/) v1.21.0 (see Note 2)

 Note: kubernetes doesn't support newer docker versions. Among other things kubelet currently breaks on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).

@@ -72,55 +97,64 @@ plugins' related OS services. Also note, only one of the supported network
 plugins can be deployed for a given single cluster.

 Requirements
--------------
+------------

-* **Ansible v2.4 (or newer) and python-netaddr is installed on the machine
-  that will run Ansible commands**
-* **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
-* The target servers must have **access to the Internet** in order to pull docker images.
-* The target servers are configured to allow **IPv4 forwarding**.
-* **Your ssh key must be copied** to all the servers part of your inventory.
-* The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
-in order to avoid any issue during deployment you should disable your firewall.
+-   **Ansible v2.4 (or newer) and python-netaddr is installed on the machine
+    that will run Ansible commands**
+-   **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
+-   The target servers must have **access to the Internet** in order to pull docker images.
+-   The target servers are configured to allow **IPv4 forwarding**.
+-   **Your ssh key must be copied** to all the servers part of your inventory.
+-   The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
+    in order to avoid any issue during deployment you should disable your firewall.
+-   If kubespray is ran from non-root user account, correct privilege escalation method
+    should be configured in the target servers. Then the `ansible_become` flag
+    or command parameters `--become or -b` should be specified.

+Network Plugins
+---------------

-## Network plugins
+You can choose between 6 network plugins. (default: `calico`, except Vagrant uses `flannel`)

-You can choose between 4 network plugins. (default: `calico`, except Vagrant uses `flannel`)
+-   [flannel](docs/flannel.md): gre/vxlan (layer 2) networking.

-* [**flannel**](docs/flannel.md): gre/vxlan (layer 2) networking.
+-   [calico](docs/calico.md): bgp (layer 3) networking.

-* [**calico**](docs/calico.md): bgp (layer 3) networking.
+-   [canal](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.

-* [**canal**](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.
+-   [cilium](http://docs.cilium.io/en/latest/):  layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.

-* [**contiv**](docs/contiv.md): supports vlan, vxlan, bgp and Cisco SDN networking. This plugin is able to
-  apply firewall policies, segregate containers in multiple network and bridging pods onto physical networks.
+-   [contiv](docs/contiv.md): supports vlan, vxlan, bgp and Cisco SDN networking. This plugin is able to
+    apply firewall policies, segregate containers in multiple network and bridging pods onto physical networks.

-* [**weave**](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster. <br>
-(Please refer to `weave` [troubleshooting documentation](http://docs.weave.works/weave/latest_release/troubleshooting.html)).
+-   [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
+    (Please refer to `weave` [troubleshooting documentation](http://docs.weave.works/weave/latest_release/troubleshooting.html)).

 The choice is defined with the variable `kube_network_plugin`. There is also an
 option to leverage built-in cloud provider networking instead.
 See also [Network checker](docs/netcheck.md).

-## Community docs and resources
- - [kubernetes.io/docs/getting-started-guides/kubespray/](https://kubernetes.io/docs/getting-started-guides/kubespray/)
- - [kubespray, monitoring and logging](https://github.com/gregbkr/kubernetes-kargo-logging-monitoring) by @gregbkr
- - [Deploy Kubernetes w/ Ansible & Terraform](https://rsmitty.github.io/Terraform-Ansible-Kubernetes/) by @rsmitty
- - [Deploy a Kubernetes Cluster with Kubespray (video)](https://www.youtube.com/watch?v=N9q51JgbWu8)
+Community docs and resources
+----------------------------

-## Tools and projects on top of Kubespray
- - [Digital Rebar Provision](https://github.com/digitalrebar/provision/blob/master/doc/integrations/ansible.rst)
- - [Kubespray-cli](https://github.com/kubespray/kubespray-cli)
- - [Fuel-ccp-installer](https://github.com/openstack/fuel-ccp-installer)
- - [Terraform Contrib](https://github.com/kubernetes-incubator/kubespray/tree/master/contrib/terraform)
+-   [kubernetes.io/docs/getting-started-guides/kubespray/](https://kubernetes.io/docs/getting-started-guides/kubespray/)
+-   [kubespray, monitoring and logging](https://github.com/gregbkr/kubernetes-kargo-logging-monitoring) by @gregbkr
+-   [Deploy Kubernetes w/ Ansible & Terraform](https://rsmitty.github.io/Terraform-Ansible-Kubernetes/) by @rsmitty
+-   [Deploy a Kubernetes Cluster with Kubespray (video)](https://www.youtube.com/watch?v=N9q51JgbWu8)

-## CI Tests
+Tools and projects on top of Kubespray
+--------------------------------------
+
+-   [Digital Rebar Provision](https://github.com/digitalrebar/provision/blob/master/doc/integrations/ansible.rst)
+-   [Fuel-ccp-installer](https://github.com/openstack/fuel-ccp-installer)
+-   [Terraform Contrib](https://github.com/kubernetes-incubator/kubespray/tree/master/contrib/terraform)
+
+CI Tests
+--------

 ![Gitlab Logo](https://s27.postimg.org/wmtaig1wz/gitlabci.png)

-[![Build graphs](https://gitlab.com/kubespray-ci/kubernetes-incubator__kubespray/badges/master/build.svg)](https://gitlab.com/kubespray-ci/kubernetes-incubator__kubespray/pipelines) </br>
+[![Build graphs](https://gitlab.com/kubespray-ci/kubernetes-incubator__kubespray/badges/master/build.svg)](https://gitlab.com/kubespray-ci/kubernetes-incubator__kubespray/pipelines)

-CI/end-to-end tests sponsored by Google (GCE), DigitalOcean, [teuto.net](https://teuto.net/) (openstack).
+CI/end-to-end tests sponsored by Google (GCE)
 See the [test matrix](docs/test_cases.md) for details.
--- a/47
+++ b/47
@@ -3,18 +3,23 @@

 require 'fileutils'

-Vagrant.require_version ">= 1.9.0"
+Vagrant.require_version ">= 2.0.0"

 CONFIG = File.join(File.dirname(__FILE__), "vagrant/config.rb")

 COREOS_URL_TEMPLATE = "https://storage.googleapis.com/%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant.json"

+# Uniq disk UUID for libvirt
+DISK_UUID = Time.now.utc.to_i
+
 SUPPORTED_OS = {
  "coreos-stable" => {box: "coreos-stable",      bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["stable"]},
  "coreos-alpha"  => {box: "coreos-alpha",       bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["alpha"]},
  "coreos-beta"   => {box: "coreos-beta",        bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["beta"]},
  "ubuntu"        => {box: "bento/ubuntu-16.04", bootstrap_os: "ubuntu", user: "vagrant"},
-  "centos"        => {box: "bento/centos-7.3",   bootstrap_os: "centos", user: "vagrant"},
+  "centos"        => {box: "centos/7",           bootstrap_os: "centos", user: "vagrant"},
+  "opensuse"      => {box: "opensuse/openSUSE-42.3-x86_64", bootstrap_os: "opensuse", use: "vagrant"},
+  "opensuse-tumbleweed" => {box: "opensuse/openSUSE-Tumbleweed-x86_64", bootstrap_os: "opensuse", use: "vagrant"},
 }

 # Defaults for config options defined in CONFIG
@@ -34,6 +39,11 @@ $etcd_instances = $num_instances
 $kube_master_instances = $num_instances == 1 ? $num_instances : ($num_instances - 1)
 # All nodes are kube nodes
 $kube_node_instances = $num_instances
+# The following only works when using the libvirt provider
+$kube_node_instances_with_disks = false
+$kube_node_instances_with_disks_size = "20G"
+$kube_node_instances_with_disks_number = 2
+
 $local_release_dir = "/vagrant/temp"

 host_vars = {}
@@ -44,7 +54,7 @@ end

 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
-$inventory = File.join(File.dirname(__FILE__), "inventory") if ! $inventory
+$inventory = File.join(File.dirname(__FILE__), "inventory", "sample") if ! $inventory

 # if $inventory has a hosts file use it, otherwise copy over vars etc
 # to where vagrant expects dynamic inventory to be.
@@ -53,7 +63,7 @@ if ! File.exist?(File.join(File.dirname($inventory), "hosts"))
                       "provisioners", "ansible")
  FileUtils.mkdir_p($vagrant_ansible) if ! File.exist?($vagrant_ansible)
  if ! File.exist?(File.join($vagrant_ansible,"inventory"))
-    FileUtils.ln_s($inventory, $vagrant_ansible)
+    FileUtils.ln_s($inventory, File.join($vagrant_ansible,"inventory"))
  end
 end

@@ -76,7 +86,6 @@ Vagrant.configure("2") do |config|
  if Vagrant.has_plugin?("vagrant-vbguest") then
    config.vbguest.auto_update = false
  end
-
  (1..$num_instances).each do |i|
    config.vm.define vm_name = "%s-%02d" % [$instance_name_prefix, i] do |config|
      config.vm.hostname = vm_name
@@ -102,8 +111,10 @@ Vagrant.configure("2") do |config|
        end
      end

+      config.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
+
      $shared_folders.each do |src, dst|
-        config.vm.synced_folder src, dst
+        config.vm.synced_folder src, dst, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
      end

      config.vm.provider :virtualbox do |vb|
@@ -112,6 +123,10 @@ Vagrant.configure("2") do |config|
        vb.cpus = $vm_cpus
      end

+     config.vm.provider :libvirt do |lv|
+       lv.memory = $vm_memory
+     end
+
      ip = "#{$subnet}.#{i+100}"
      host_vars[vm_name] = {
        "ip": ip,
@@ -122,16 +137,22 @@ Vagrant.configure("2") do |config|
      }

      config.vm.network :private_network, ip: ip
-      
-      # workaround for Vagrant 1.9.1 and centos vm
-      # https://github.com/hashicorp/vagrant/issues/8096
-      if Vagrant::VERSION == "1.9.1" && $os == "centos"
-        config.vm.provision "shell", inline: "service network restart", run: "always"
-      end

      # Disable swap for each vm
      config.vm.provision "shell", inline: "swapoff -a"

+      if $kube_node_instances_with_disks
+        # Libvirt
+        driverletters = ('a'..'z').to_a
+        config.vm.provider :libvirt do |lv|
+          # always make /dev/sd{a/b/c} so that CI can ensure that
+          # virtualbox and libvirt will have the same devices to use for OSDs
+          (1..$kube_node_instances_with_disks_number).each do |d|
+            lv.storage :file, :device => "hd#{driverletters[d]}", :path => "disk-#{i}-#{d}-#{DISK_UUID}.disk", :size => $kube_node_instances_with_disks_size, :bus => "ide"
+          end
+        end
+      end
+
      # Only execute once the Ansible provisioner,
      # when all the machines are up and ready.
      if i == $num_instances
@@ -140,7 +161,7 @@ Vagrant.configure("2") do |config|
          if File.exist?(File.join(File.dirname($inventory), "hosts"))
            ansible.inventory_path = $inventory
          end
-          ansible.sudo = true
+          ansible.become = true
          ansible.limit = "all"
          ansible.host_key_checking = false
          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache"]
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -12,3 +12,4 @@ library = ./library
 callback_whitelist = profile_tasks
 roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles:/usr/share/kubespray/roles
 deprecation_warnings=False
+inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .creds
--- a/cluster.yml
+++ b/cluster.yml
@@ -21,6 +21,12 @@
  vars:
    ansible_ssh_pipelining: true
  gather_facts: true
+  pre_tasks:
+    - name: gather facts from all instances
+      setup:
+      delegate_to: "{{item}}"
+      delegate_facts: True
+      with_items: "{{ groups['k8s-cluster'] + groups['etcd'] + groups['calico-rr']|default([]) }}"

 - hosts: k8s-cluster:etcd:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
@@ -94,6 +100,8 @@
    - { role: kubespray-defaults}
    - { role: kubernetes-apps/network_plugin, tags: network }
    - { role: kubernetes-apps/policy_controller, tags: policy-controller }
+    - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
+    - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }

 - hosts: calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
--- a/contrib/azurerm/README.md
+++ b/contrib/azurerm/README.md
@@ -59,6 +59,6 @@ It will create the file ./inventory which can then be used with kubespray, e.g.:

 ```shell
 $ cd kubespray-root-dir
-$ ansible-playbook -i contrib/azurerm/inventory -u devops --become -e "@inventory/group_vars/all.yml" cluster.yml
+$ ansible-playbook -i contrib/azurerm/inventory -u devops --become -e "@inventory/sample/group_vars/all.yml" cluster.yml
 ```

--- a/contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2
+++ b/contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2
@@ -1,6 +1,6 @@

 {% for vm in  vm_ip_list %}
-{% if not use_bastion or vm.virtualMachinename == 'bastion' %}
+{% if not use_bastion or vm.virtualMachine.name == 'bastion' %}
 {{ vm.virtualMachine.name }} ansible_ssh_host={{ vm.virtualMachine.network.publicIpAddresses[0].ipAddress }} ip={{ vm.virtualMachine.network.privateIpAddresses[0] }}
 {% else %}
 {{ vm.virtualMachine.name }} ansible_ssh_host={{  vm.virtualMachine.network.privateIpAddresses[0] }}
--- a/contrib/inventory_builder/inventory.py
+++ b/contrib/inventory_builder/inventory.py
@@ -54,7 +54,7 @@ def get_var_as_bool(name, default):

 # Configurable as shell vars start

-CONFIG_FILE = os.environ.get("CONFIG_FILE", "./inventory.cfg")
+CONFIG_FILE = os.environ.get("CONFIG_FILE", "./inventory/sample/hosts.ini")
 # Reconfigures cluster distribution at scale
 SCALE_THRESHOLD = int(os.environ.get("SCALE_THRESHOLD", 50))
 MASSIVE_SCALE_THRESHOLD = int(os.environ.get("SCALE_THRESHOLD", 200))
@@ -318,7 +318,7 @@ Delete a host by id: inventory.py -node1

 Configurable env vars:
 DEBUG                   Enable debug printing. Default: True
-CONFIG_FILE             File to write config to Default: ./inventory.cfg
+CONFIG_FILE             File to write config to Default: ./inventory/sample/hosts.ini
 HOST_PREFIX             Host prefix for generated hosts. Default: node
 SCALE_THRESHOLD         Separate ETCD role if # of nodes >= 50
 MASSIVE_SCALE_THRESHOLD Separate K8s master and ETCD if # of nodes >= 200
--- a/contrib/network-storage/glusterfs/README.md
+++ b/contrib/network-storage/glusterfs/README.md
@@ -6,16 +6,16 @@ You can either deploy using Ansible on its own by supplying your own inventory f

 In the same directory of this ReadMe file you should find a file named `inventory.example` which contains an example setup. Please note that, additionally to the Kubernetes nodes/masters, we define a set of machines for GlusterFS and we add them to the group `[gfs-cluster]`, which in turn is added to the larger `[network-storage]` group as a child group.

-Change that file to reflect your local setup (adding more machines or removing them and setting the adequate ip numbers), and save it to `inventory/k8s_gfs_inventory`. Make sure that the settings on `inventory/group_vars/all.yml` make sense with your deployment. Then execute change to the kubespray root folder, and execute (supposing that the machines are all using ubuntu):
+Change that file to reflect your local setup (adding more machines or removing them and setting the adequate ip numbers), and save it to `inventory/sample/k8s_gfs_inventory`. Make sure that the settings on `inventory/sample/group_vars/all.yml` make sense with your deployment. Then execute change to the kubespray root folder, and execute (supposing that the machines are all using ubuntu):

 ```
-ansible-playbook -b --become-user=root -i inventory/k8s_gfs_inventory --user=ubuntu ./cluster.yml
+ansible-playbook -b --become-user=root -i inventory/sample/k8s_gfs_inventory --user=ubuntu ./cluster.yml
 ```

 This will provision your Kubernetes cluster. Then, to provision and configure the GlusterFS cluster, from the same directory execute:

 ```
-ansible-playbook -b --become-user=root -i inventory/k8s_gfs_inventory --user=ubuntu ./contrib/network-storage/glusterfs/glusterfs.yml
+ansible-playbook -b --become-user=root -i inventory/sample/k8s_gfs_inventory --user=ubuntu ./contrib/network-storage/glusterfs/glusterfs.yml
 ```

 If your machines are not using Ubuntu, you need to change the `--user=ubuntu` to the correct user. Alternatively, if your Kubernetes machines are using one OS and your GlusterFS a different one, you can instead specify the `ansible_ssh_user=<correct-user>` variable in the inventory file that you just created, for each machine/VM:
--- a/contrib/packaging/rpm/kubespray.spec
+++ b/contrib/packaging/rpm/kubespray.spec
@@ -20,9 +20,10 @@ BuildRequires:  python2-setuptools
 BuildRequires:  python-d2to1
 BuildRequires:  python2-pbr

-Requires: ansible
+Requires: ansible >= 2.4.0
 Requires: python-jinja2 >= 2.10
 Requires: python-netaddr
+Requires: python-pbr

 %description

@@ -47,10 +48,10 @@ export SKIP_PIP_INSTALL=1

 %files
 %doc %{_docdir}/%{name}/README.md
-%doc %{_docdir}/%{name}/inventory/inventory.example
+%doc %{_docdir}/%{name}/inventory/sample/hosts.ini
 %config %{_sysconfdir}/%{name}/ansible.cfg
-%config %{_sysconfdir}/%{name}/inventory/group_vars/all.yml
-%config %{_sysconfdir}/%{name}/inventory/group_vars/k8s-cluster.yml
+%config %{_sysconfdir}/%{name}/inventory/sample/group_vars/all.yml
+%config %{_sysconfdir}/%{name}/inventory/sample/group_vars/k8s-cluster.yml
 %license %{_docdir}/%{name}/LICENSE
 %{python2_sitelib}/%{srcname}-%{release}-py%{python2_version}.egg-info
 %{_datarootdir}/%{name}/roles/
--- a/contrib/terraform/aws/templates/inventory.tpl
+++ b/contrib/terraform/aws/templates/inventory.tpl
@@ -24,4 +24,4 @@ kube-master


 [k8s-cluster:vars]
-${elb_api_fqdn}
+${elb_api_fqdn}
--- a/contrib/terraform/openstack/.gitignore
+++ b/contrib/terraform/openstack/.gitignore
@@ -0,0 +1,4 @@
+.terraform
+*.tfvars
+*.tfstate
+*.tfstate.backup
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -17,32 +17,33 @@ to actually install kubernetes and stand up the cluster.

 ### Networking
 The configuration includes creating a private subnet with a router to the
-external net. It will allocate floating-ips from a pool and assign them to the
+external net. It will allocate floating IPs from a pool and assign them to the
 hosts where that makes sense. You have the option of creating bastion hosts
-inside the private subnet to access the nodes there.
+inside the private subnet to access the nodes there.  Alternatively, a node with
+a floating IP can be used as a jump host to nodes without.

 ### Kubernetes Nodes
 You can create many different kubernetes topologies by setting the number of
 different classes of hosts. For each class there are options for allocating
-floating ip addresses or not.
- Master Nodes with etcd
+floating IP addresses or not.
+- Master nodes with etcd
 - Master nodes without etcd
 - Standalone etcd hosts
 - Kubernetes worker nodes

-Note that the ansible script will report an invalid configuration if you wind up
+Note that the Ansible script will report an invalid configuration if you wind up
 with an even number of etcd instances since that is not a valid configuration.

-### Gluster FS
-The terraform configuration supports provisioning of an optional GlusterFS
+### GlusterFS
+The Terraform configuration supports provisioning of an optional GlusterFS
 shared file system based on a separate set of VMs. To enable this, you need to
-specify
- the number of gluster hosts
+specify:
+- the number of Gluster hosts (minimum 2)
 - Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks
 - Other properties related to provisioning the hosts

 Even if you are using Container Linux by CoreOS for your cluster, you will still
-need the GlusterFS VMs to be based on either Debian or RedHat based images,
+need the GlusterFS VMs to be based on either Debian or RedHat based images.
 Container Linux by CoreOS cannot serve GlusterFS, but can connect to it through
 binaries available on hyperkube v1.4.3_coreos.0 or higher.

@@ -50,9 +51,9 @@ binaries available on hyperkube v1.4.3_coreos.0 or higher.

 - [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
 - [Install Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html)
- you already have a suitable OS image in glance
- you already have a floating-ip pool created
- you have security-groups enabled
+- you already have a suitable OS image in Glance
+- you already have a floating IP pool created
+- you have security groups enabled
 - you have a pair of keys generated that can be used to secure the new hosts

 ## Module Architecture
@@ -67,7 +68,7 @@ any external references to the floating IP (e.g. DNS) that would otherwise have
 to be updated.

 You can force your existing IPs by modifying the compute variables in
-`kubespray.tf` as
+`kubespray.tf` as follows:

 ```
 k8s_master_fips = ["151.101.129.67"]
@@ -75,46 +76,135 @@ k8s_node_fips = ["151.101.129.68"]
 ```

 ## Terraform
-Terraform will be used to provision all of the OpenStack resources. It is also
-used to deploy and provision the software requirements.
+Terraform will be used to provision all of the OpenStack resources with base software as appropriate.

-### Prep
+### Configuration

-#### OpenStack
+#### Inventory files

-Ensure your OpenStack **Identity v2** credentials are loaded in environment
-variables. This can be done by downloading a credentials .rc file from your
-OpenStack dashboard and sourcing it:
+Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):

-```
-$ source ~/.stackrc
+```ShellSession
+$ cp -LRp contrib/terraform/openstack/sample-inventory inventory/$CLUSTER
+$ cd inventory/$CLUSTER
+$ ln -s ../../contrib/terraform/openstack/hosts
 ```

-Ensure that you have your Openstack credentials loaded into Terraform
-environment variables. Likely via a command similar to:
+This will be the base for subsequent Terraform commands.
+
+#### OpenStack access and credentials
+
+No provider variables are hardcoded inside `variables.tf` because Terraform
+supports various authentication methods for OpenStack: the older script and 
+environment method (using `openrc`) as well as a newer declarative method, and 
+different OpenStack environments may support Identity API version 2 or 3.
+
+These are examples and may vary depending on your OpenStack cloud provider,
+for an exhaustive list on how to authenticate on OpenStack with Terraform
+please read the [OpenStack provider documentation](https://www.terraform.io/docs/providers/openstack/).
+
+##### Declarative method (recommended)
+
+The recommended authentication method is to describe credentials in a YAML file `clouds.yaml` that can be stored in:
+
+* the current directory
+* `~/.config/openstack`
+* `/etc/openstack`
+
+`clouds.yaml`:

 ```
-$ echo Setting up Terraform creds && \
-  export TF_VAR_username=${OS_USERNAME} && \
-  export TF_VAR_password=${OS_PASSWORD} && \
-  export TF_VAR_tenant=${OS_TENANT_NAME} && \
-  export TF_VAR_auth_url=${OS_AUTH_URL}
+clouds:
+  mycloud:
+    auth:
+      auth_url: https://openstack:5000/v3
+      username: "username"
+      project_name: "projectname"
+      project_id: projectid
+      user_domain_name: "Default"
+      password: "password"
+    region_name: "RegionOne"
+    interface: "public"
+    identity_api_version: 3
 ```

-### Terraform Variables
+If you have multiple clouds defined in your `clouds.yaml` file you can choose
+the one you want to use with the environment variable `OS_CLOUD`:
+
+```
+export OS_CLOUD=mycloud
+```
+
+##### Openrc method (deprecated)
+
+When using classic environment variables, Terraform uses default `OS_*`
+environment variables.  A script suitable for your environment may be available
+from Horizon under *Project* -> *Compute* -> *Access & Security* -> *API Access*.
+
+With identity v2:
+
+```
+source openrc
+
+env | grep OS
+
+OS_AUTH_URL=https://openstack:5000/v2.0
+OS_PROJECT_ID=projectid
+OS_PROJECT_NAME=projectname
+OS_USERNAME=username
+OS_PASSWORD=password
+OS_REGION_NAME=RegionOne
+OS_INTERFACE=public
+OS_IDENTITY_API_VERSION=2
+```
+
+With identity v3:
+
+```
+source openrc
+
+env | grep OS
+
+OS_AUTH_URL=https://openstack:5000/v3
+OS_PROJECT_ID=projectid
+OS_PROJECT_NAME=username
+OS_PROJECT_DOMAIN_ID=default
+OS_USERNAME=username
+OS_PASSWORD=password
+OS_REGION_NAME=RegionOne
+OS_INTERFACE=public
+OS_IDENTITY_API_VERSION=3
+OS_USER_DOMAIN_NAME=Default
+```
+
+Terraform does not support a mix of DomainName and DomainID, choose one or the
+other:
+
+```
+* provider.openstack: You must provide exactly one of DomainID or DomainName to authenticate by Username
+```
+
+```
+unset OS_USER_DOMAIN_NAME
+export OS_USER_DOMAIN_ID=default
+
+or
+
+unset OS_PROJECT_DOMAIN_ID
+set OS_PROJECT_DOMAIN_NAME=Default
+```
+
+#### Cluster variables
 The construction of the cluster is driven by values found in
 [variables.tf](variables.tf).

-The best way to set these values is to create a file in the project's root
-directory called something like`my-terraform-vars.tfvars`. Many of the
-variables are obvious. Here is a summary of some of the more interesting
-ones:
+For your cluster, edit `inventory/$CLUSTER/cluster.tf`.

 |Variable | Description |
 |---------|-------------|
 |`cluster_name` | All OpenStack resources will use the Terraform variable`cluster_name` (default`example`) in their name to make it easier to track. For example the first compute resource will be named`example-kubernetes-1`. |
 |`network_name` | The name to be given to the internal network that will be generated |
-|`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. | 
+|`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. |
 |`floatingip_pool` | Name of the pool from which floating IPs will be allocated |
 |`external_net` | UUID of the external network that will be routed to |
 |`flavor_k8s_master`,`flavor_k8s_node`,`flavor_etcd`, `flavor_bastion`,`flavor_gfs_node` | Flavor depends on your openstack installation, you can get available flavor IDs through`nova flavor-list` |
@@ -129,42 +219,74 @@ ones:
 |`number_of_gfs_nodes_no_floating_ip` | Number of gluster servers to provision. |
 | `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks |

-## Initializing Terraform
-Before Terraform can operate on your cluster you need to install required
-plugins. This is accomplished with the command
+#### Terraform state files

-```bash
-$ terraform init contrib/terraform/openstack
+In the cluster's inventory folder, the following files might be created (either by Terraform
+or manually), to prevent you from pushing them accidentally they are in a
+`.gitignore` file in the `terraform/openstack` directory :
+
+* `.terraform`
+* `.tfvars`
+* `.tfstate`
+* `.tfstate.backup`
+
+You can still add them manually if you want to.
+
+### Initialization
+
+Before Terraform can operate on your cluster you need to install the required
+plugins. This is accomplished as follows:
+
+```ShellSession
+$ cd inventory/$CLUSTER
+$ terraform init ../../contrib/terraform/openstack
 ```

-## Provisioning Cluster with Terraform
-You can apply the terraform config to your cluster with the following command
-issued from the project's root directory
-```bash
-$ terraform apply -state=contrib/terraform/openstack/terraform.tfstate -var-file=my-terraform-vars.tfvars contrib/terraform/openstack
+This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
+
+### Provisioning cluster
+You can apply the Terraform configuration to your cluster with the following command
+issued from your cluster's inventory directory (`inventory/$CLUSTER`):
+```ShellSession
+$ terraform apply -var-file=cluster.tf ../../contrib/terraform/openstack
 ```

 if you chose to create a bastion host, this script will create
-`contrib/terraform/openstack/k8s-cluster.yml` with an ssh command for ansible to
-be able to access your machines tunneling  through the bastion's ip adress. If
+`contrib/terraform/openstack/k8s-cluster.yml` with an ssh command for Ansible to
+be able to access your machines tunneling  through the bastion's IP address. If
 you want to manually handle the ssh tunneling to these machines, please delete
 or move that file. If you want to use this, just leave it there, as ansible will
 pick it up automatically.

+### Destroying cluster
+You can destroy your new cluster with the following command issued from the cluster's inventory directory:

-## Destroying Cluster with Terraform
-You can destroy a config deployed to your cluster with the following command
-issued from the project's root directory
-```bash
-$ terraform destroy -state=contrib/terraform/openstack/terraform.tfstate -var-file=my-terraform-vars.tfvars contrib/terraform/openstack
+```ShellSession
+$ terraform destroy -var-file=cluster.tf ../../contrib/terraform/openstack
 ```

-## Debugging Cluster Provisioning
+If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
+
+* remove SSH keys from the destroyed cluster from your `~/.ssh/known_hosts` file
+* clean up any temporary cache files: `rm /tmp/$CLUSTER-*`
+
+### Debugging
 You can enable debugging output from Terraform by setting
-`OS_DEBUG` to 1 and`TF_LOG` to`DEBUG` before runing the terraform command
+`OS_DEBUG` to 1 and`TF_LOG` to`DEBUG` before running the Terraform command.

+### Terraform output
+
+Terraform can output values that are useful for configure Neutron/Octavia LBaaS or Cinder persistent volume provisioning as part of your Kubernetes deployment:
+
+ - `private_subnet_id`: the subnet where your instances are running is used for `openstack_lbaas_subnet_id`
+ - `floating_network_id`: the network_id where the floating IP are provisioned is used for `openstack_lbaas_floating_network_id`
+
+## Ansible
+
+### Node access
+
+#### SSH

-# Running the Ansible Script
 Ensure your local ssh-agent is running and your ssh key has been added. This
 step is required by the terraform provisioner:

@@ -173,11 +295,22 @@ $ eval $(ssh-agent -s)
 $ ssh-add ~/.ssh/id_rsa
 ```

+If you have deployed and destroyed a previous iteration of your cluster, you will need to clear out any stale keys from your SSH "known hosts" file ( `~/.ssh/known_hosts`).

-Make sure you can connect to the hosts:
+#### Bastion host
+
+If you are not using a bastion host, but not all of your nodes have floating IPs, create a file `inventory/$CLUSTER/group_vars/no-floating.yml` with the following content.  Use one of your nodes with a floating IP (this should have been output at the end of the Terraform step) and the appropriate user for that OS, or if you have another jump host, use that.

 ```
-$ ansible -i contrib/terraform/openstack/hosts -m ping all
+ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p -q USER@MASTER_IP"'
+```
+
+#### Test access
+
+Make sure you can connect to the hosts.  Note that Container Linux by CoreOS will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.
+
+```
+$ ansible -i inventory/$CLUSTER/hosts -m ping all
 example-k8s_node-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
@@ -192,21 +325,17 @@ example-k8s-master-1 | SUCCESS => {
 }
 ```

-if you are deploying a system that needs bootstrapping, like Container Linux by
-CoreOS, these might have a state`FAILED` due to Container Linux by CoreOS not
-having python. As long as the state is not`UNREACHABLE`, this is fine.
+If it fails try to connect manually via SSH.  It could be something as simple as a stale host key.

-if it fails try to connect manually via SSH ... it could be something as simple as a stale host key.
+### Configure cluster variables

-## Configure Cluster variables
-
-Edit`inventory/group_vars/all.yml`:
- Set variable **bootstrap_os** according selected image
+Edit `inventory/$CLUSTER/group_vars/all.yml`:
+- Set variable **bootstrap_os** appropriately for your desired image:
 ```
 # Valid bootstrap options (required): ubuntu, coreos, centos, none
 bootstrap_os: coreos
 ```
- **bin_dir**
+- **bin_dir**:
 ```
 # Directory where the binaries will be installed
 # Default:
@@ -214,20 +343,19 @@ bootstrap_os: coreos
 # For Container Linux by CoreOS:
 bin_dir: /opt/bin
 ```
- and **cloud_provider**
+- and **cloud_provider**:
 ```
 cloud_provider: openstack
 ```
-Edit`inventory/group_vars/k8s-cluster.yml`:
- Set variable **kube_network_plugin** according selected networking
+Edit `inventory/$CLUSTER/group_vars/k8s-cluster.yml`:
+- Set variable **kube_network_plugin** to your desired networking plugin.
+  - **flannel** works out-of-the-box
+  - **calico** requires [configuring OpenStack Neutron ports](/docs/openstack.md) to allow service and pod subnets
 ```
 # Choose network plugin (calico, weave or flannel)
 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
 kube_network_plugin: flannel
 ```
-> flannel works out-of-the-box
-
-> calico requires allowing service's and pod's subnets on according OpenStack Neutron ports
 - Set variable **resolvconf_mode**
 ```
 # Can be docker_dns, host_resolvconf or none
@@ -237,18 +365,19 @@ kube_network_plugin: flannel
 resolvconf_mode: host_resolvconf
 ```

-For calico configure OpenStack Neutron ports: [OpenStack](/docs/openstack.md)
-
-## Deploy kubernetes:
+### Deploy Kubernetes

 ```
-$ ansible-playbook --become -i contrib/terraform/openstack/hosts cluster.yml
+$ ansible-playbook --become -i inventory/$CLUSTER/hosts cluster.yml
 ```

-## Set up local kubectl
-1. Install kubectl on your workstation:
-[Install and Set Up kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-2. Add route to internal IP of master node (if needed):
+This will take some time as there are many tasks to run.
+
+## Kubernetes
+
+### Set up kubectl
+1. [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your workstation
+2. Add a route to the internal IP of a master node (if needed):
 ```
 sudo route add [master-internal-ip] gw [router-ip]
 ```
@@ -256,28 +385,28 @@ or
 ```
 sudo route add -net [internal-subnet]/24 gw [router-ip]
 ```
-3. List Kubernetes certs&keys:
+3. List Kubernetes certificates & keys:
 ```
 ssh [os-user]@[master-ip] sudo ls /etc/kubernetes/ssl/
 ```
-4. Get admin's certs&key:
+4. Get `admin`'s certificates and keys:
 ```
 ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-[cluster_name]-k8s-master-1-key.pem > admin-key.pem
 ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-[cluster_name]-k8s-master-1.pem > admin.pem
 ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/ca.pem > ca.pem
 ```
 5. Configure kubectl:
-```
-kubectl config set-cluster default-cluster --server=https://[master-internal-ip]:6443 \
+```ShellSession
+$ kubectl config set-cluster default-cluster --server=https://[master-internal-ip]:6443 \
    --certificate-authority=ca.pem

-kubectl config set-credentials default-admin \
+$ kubectl config set-credentials default-admin \
    --certificate-authority=ca.pem \
    --client-key=admin-key.pem \
    --client-certificate=admin.pem

-kubectl config set-context default-system --cluster=default-cluster --user=default-admin
-kubectl config use-context default-system
+$ kubectl config set-context default-system --cluster=default-cluster --user=default-admin
+$ kubectl config use-context default-system
 ```
 7. Check it:
 ```
@@ -294,14 +423,15 @@ You can tell kubectl to ignore this condition by adding the

 ## GlusterFS
 GlusterFS is not deployed by the standard`cluster.yml` playbook, see the
-[glusterfs playbook documentation](../../network-storage/glusterfs/README.md)
+[GlusterFS playbook documentation](../../network-storage/glusterfs/README.md)
 for instructions.

-Basically you will install gluster as
-```bash
-$ ansible-playbook --become -i contrib/terraform/openstack/hosts ./contrib/network-storage/glusterfs/glusterfs.yml
+Basically you will install Gluster as
+```ShellSession
+$ ansible-playbook --become -i inventory/$CLUSTER/hosts ./contrib/network-storage/glusterfs/glusterfs.yml
 ```


-# What's next
-[Start Hello Kubernetes Service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/)
+## What's next
+
+Try out your new Kubernetes cluster with the [Hello Kubernetes service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/).
--- a/contrib/terraform/openstack/ansible_bastion_template.txt
+++ b/contrib/terraform/openstack/ansible_bastion_template.txt
@@ -1 +1 @@
-ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p -q USER@BASTION_ADDRESS"' 
+ansible_ssh_common_args: "-o ProxyCommand='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q USER@BASTION_ADDRESS {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}'"
--- a/contrib/terraform/openstack/group_vars
+++ b/contrib/terraform/openstack/group_vars
@@ -1 +0,0 @@
-../../../inventory/group_vars
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -1,55 +1,77 @@
-
 module "network" {
  source = "modules/network"

-  external_net = "${var.external_net}"
-  network_name = "${var.network_name}"
-  cluster_name = "${var.cluster_name}"
+  external_net    = "${var.external_net}"
+  network_name    = "${var.network_name}"
+  cluster_name    = "${var.cluster_name}"
  dns_nameservers = "${var.dns_nameservers}"
 }

-
 module "ips" {
  source = "modules/ips"

-  number_of_k8s_masters = "${var.number_of_k8s_masters}"
+  number_of_k8s_masters         = "${var.number_of_k8s_masters}"
  number_of_k8s_masters_no_etcd = "${var.number_of_k8s_masters_no_etcd}"
-  number_of_k8s_nodes = "${var.number_of_k8s_nodes}"
-  floatingip_pool = "${var.floatingip_pool}"
-  number_of_bastions = "${var.number_of_bastions}"
-  external_net = "${var.external_net}"
-  network_name = "${var.network_name}"
-  router_id = "${module.network.router_id}"
+  number_of_k8s_nodes           = "${var.number_of_k8s_nodes}"
+  floatingip_pool               = "${var.floatingip_pool}"
+  number_of_bastions            = "${var.number_of_bastions}"
+  external_net                  = "${var.external_net}"
+  network_name                  = "${var.network_name}"
+  router_id                     = "${module.network.router_id}"
 }

 module "compute" {
  source = "modules/compute"

-  cluster_name = "${var.cluster_name}"
-  number_of_k8s_masters = "${var.number_of_k8s_masters}"
-  number_of_k8s_masters_no_etcd = "${var.number_of_k8s_masters_no_etcd}"
-  number_of_etcd = "${var.number_of_etcd}"
-  number_of_k8s_masters_no_floating_ip = "${var.number_of_k8s_masters_no_floating_ip}"
+  cluster_name                                 = "${var.cluster_name}"
+  number_of_k8s_masters                        = "${var.number_of_k8s_masters}"
+  number_of_k8s_masters_no_etcd                = "${var.number_of_k8s_masters_no_etcd}"
+  number_of_etcd                               = "${var.number_of_etcd}"
+  number_of_k8s_masters_no_floating_ip         = "${var.number_of_k8s_masters_no_floating_ip}"
  number_of_k8s_masters_no_floating_ip_no_etcd = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
-  number_of_k8s_nodes = "${var.number_of_k8s_nodes}"
-  number_of_bastions = "${var.number_of_bastions}"
-  number_of_k8s_nodes_no_floating_ip = "${var.number_of_k8s_nodes_no_floating_ip}"
-  number_of_gfs_nodes_no_floating_ip = "${var.number_of_gfs_nodes_no_floating_ip}"
-  gfs_volume_size_in_gb = "${var.gfs_volume_size_in_gb}"
-  public_key_path = "${var.public_key_path}"
-  image = "${var.image}"
-  image_gfs = "${var.image_gfs}"
-  ssh_user = "${var.ssh_user}"
-  ssh_user_gfs = "${var.ssh_user_gfs}"
-  flavor_k8s_master = "${var.flavor_k8s_master}"
-  flavor_k8s_node = "${var.flavor_k8s_node}"
-  flavor_etcd = "${var.flavor_etcd}"
-  flavor_gfs_node = "${var.flavor_gfs_node}"
-  network_name = "${var.network_name}"
-  flavor_bastion = "${var.flavor_bastion}"
-  k8s_master_fips = "${module.ips.k8s_master_fips}"
-  k8s_node_fips = "${module.ips.k8s_node_fips}"
-  bastion_fips = "${module.ips.bastion_fips}"
+  number_of_k8s_nodes                          = "${var.number_of_k8s_nodes}"
+  number_of_bastions                           = "${var.number_of_bastions}"
+  number_of_k8s_nodes_no_floating_ip           = "${var.number_of_k8s_nodes_no_floating_ip}"
+  number_of_gfs_nodes_no_floating_ip           = "${var.number_of_gfs_nodes_no_floating_ip}"
+  gfs_volume_size_in_gb                        = "${var.gfs_volume_size_in_gb}"
+  public_key_path                              = "${var.public_key_path}"
+  image                                        = "${var.image}"
+  image_gfs                                    = "${var.image_gfs}"
+  ssh_user                                     = "${var.ssh_user}"
+  ssh_user_gfs                                 = "${var.ssh_user_gfs}"
+  flavor_k8s_master                            = "${var.flavor_k8s_master}"
+  flavor_k8s_node                              = "${var.flavor_k8s_node}"
+  flavor_etcd                                  = "${var.flavor_etcd}"
+  flavor_gfs_node                              = "${var.flavor_gfs_node}"
+  network_name                                 = "${var.network_name}"
+  flavor_bastion                               = "${var.flavor_bastion}"
+  k8s_master_fips                              = "${module.ips.k8s_master_fips}"
+  k8s_node_fips                                = "${module.ips.k8s_node_fips}"
+  bastion_fips                                 = "${module.ips.bastion_fips}"

  network_id = "${module.network.router_id}"
 }
+
+output "private_subnet_id" {
+  value = "${module.network.subnet_id}"
+}
+
+output "floating_network_id" {
+  value = "${var.external_net}"
+}
+
+output "router_id" {
+  value = "${module.network.router_id}"
+}
+
+output "k8s_master_fips" {
+  value = "${module.ips.k8s_master_fips}"
+}
+
+output "k8s_node_fips" {
+  value = "${module.ips.k8s_node_fips}"
+}
+
+output "bastion_fips" {
+  value = "${module.ips.bastion_fips}"
+}
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -1,280 +1,306 @@
-
-
-variable user_data  {
-  type    = "string"
-  default = <<EOF
-#cloud-config
-manage_etc_hosts: localhost
-package_update: true
-package_upgrade: true
-EOF
-}
 resource "openstack_compute_keypair_v2" "k8s" {
-    name = "kubernetes-${var.cluster_name}"
-    public_key = "${chomp(file(var.public_key_path))}"
+  name       = "kubernetes-${var.cluster_name}"
+  public_key = "${chomp(file(var.public_key_path))}"
 }

 resource "openstack_compute_secgroup_v2" "k8s_master" {
-    name = "${var.cluster_name}-k8s-master"
-    description = "${var.cluster_name} - Kubernetes Master"
-    rule {
-        ip_protocol = "tcp"
-        from_port = "6443"
-        to_port = "6443"
-        cidr = "0.0.0.0/0"
-    }
+  name        = "${var.cluster_name}-k8s-master"
+  description = "${var.cluster_name} - Kubernetes Master"
+
+  rule {
+    ip_protocol = "tcp"
+    from_port   = "6443"
+    to_port     = "6443"
+    cidr        = "0.0.0.0/0"
+  }
 }

 resource "openstack_compute_secgroup_v2" "bastion" {
-    name = "${var.cluster_name}-bastion"
-    description = "${var.cluster_name} - Bastion Server"
-    rule {
-        ip_protocol = "tcp"
-        from_port = "22"
-        to_port = "22"
-        cidr = "0.0.0.0/0"
-    }
+  name        = "${var.cluster_name}-bastion"
+  description = "${var.cluster_name} - Bastion Server"
+
+  rule {
+    ip_protocol = "tcp"
+    from_port   = "22"
+    to_port     = "22"
+    cidr        = "0.0.0.0/0"
+  }
 }

 resource "openstack_compute_secgroup_v2" "k8s" {
-    name = "${var.cluster_name}-k8s"
-    description = "${var.cluster_name} - Kubernetes"
-    rule {
-        ip_protocol = "icmp"
-        from_port = "-1"
-        to_port = "-1"
-        cidr = "0.0.0.0/0"
-    }
-    rule {
-        ip_protocol = "tcp"
-        from_port = "1"
-        to_port = "65535"
-        self = true
-    }
-    rule {
-        ip_protocol = "udp"
-        from_port = "1"
-        to_port = "65535"
-        self = true
-    }
-    rule {
-        ip_protocol = "icmp"
-        from_port = "-1"
-        to_port = "-1"
-        self = true
-    }
+  name        = "${var.cluster_name}-k8s"
+  description = "${var.cluster_name} - Kubernetes"
+
+  rule {
+    ip_protocol = "icmp"
+    from_port   = "-1"
+    to_port     = "-1"
+    cidr        = "0.0.0.0/0"
+  }
+
+  rule {
+    ip_protocol = "tcp"
+    from_port   = "1"
+    to_port     = "65535"
+    self        = true
+  }
+
+  rule {
+    ip_protocol = "udp"
+    from_port   = "1"
+    to_port     = "65535"
+    self        = true
+  }
+
+  rule {
+    ip_protocol = "icmp"
+    from_port   = "-1"
+    to_port     = "-1"
+    self        = true
+  }
 }

 resource "openstack_compute_instance_v2" "bastion" {
-    name = "${var.cluster_name}-bastion-${count.index+1}"
-    count = "${var.number_of_bastions}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_bastion}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}",
-                        "${openstack_compute_secgroup_v2.bastion.name}",
-                        "default" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "bastion"
-        depends_on = "${var.network_id}"
-    }
+  name       = "${var.cluster_name}-bastion-${count.index+1}"
+  count      = "${var.number_of_bastions}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_bastion}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"

-    provisioner "local-exec" {
-	     command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
-    }
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+    "${openstack_compute_secgroup_v2.bastion.name}",
+    "default",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "bastion"
+    depends_on       = "${var.network_id}"
+  }
+
+  provisioner "local-exec" {
+    command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
+  }

-    user_data = "${var.user_data}"
 }

 resource "openstack_compute_instance_v2" "k8s_master" {
-    name = "${var.cluster_name}-k8s-master-${count.index+1}"
-    count = "${var.number_of_k8s_masters}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_k8s_master}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
-                        "${openstack_compute_secgroup_v2.bastion.name}",
-                        "${openstack_compute_secgroup_v2.k8s.name}",
-                        "default" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-k8s-master-${count.index+1}"
+  count      = "${var.number_of_k8s_masters}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_k8s_master}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+    "${openstack_compute_secgroup_v2.bastion.name}",
+    "${openstack_compute_secgroup_v2.k8s.name}",
+    "default",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "etcd,kube-master,k8s-cluster,vault"
+    depends_on       = "${var.network_id}"
+  }
+
 }

 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
-    name = "${var.cluster_name}-k8s-master-ne-${count.index+1}"
-    count = "${var.number_of_k8s_masters_no_etcd}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_k8s_master}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
-                        "${openstack_compute_secgroup_v2.k8s.name}" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "kube-master,kube-node,k8s-cluster,vault"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-k8s-master-ne-${count.index+1}"
+  count      = "${var.number_of_k8s_masters_no_etcd}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_k8s_master}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+    "${openstack_compute_secgroup_v2.k8s.name}",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "kube-master,k8s-cluster,vault"
+    depends_on       = "${var.network_id}"
+  }
+
 }

 resource "openstack_compute_instance_v2" "etcd" {
-    name = "${var.cluster_name}-etcd-${count.index+1}"
-    count = "${var.number_of_etcd}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_etcd}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "etcd,vault,no-floating"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-etcd-${count.index+1}"
+  count      = "${var.number_of_etcd}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_etcd}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}"]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "etcd,vault,no-floating"
+    depends_on       = "${var.network_id}"
+  }
+
 }

-
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
-    name = "${var.cluster_name}-k8s-master-nf-${count.index+1}"
-    count = "${var.number_of_k8s_masters_no_floating_ip}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_k8s_master}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
-                        "${openstack_compute_secgroup_v2.k8s.name}",
-                        "default" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault,no-floating"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-k8s-master-nf-${count.index+1}"
+  count      = "${var.number_of_k8s_masters_no_floating_ip}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_k8s_master}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+    "${openstack_compute_secgroup_v2.k8s.name}",
+    "default",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "etcd,kube-master,k8s-cluster,vault,no-floating"
+    depends_on       = "${var.network_id}"
+  }
+
 }

 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
-    name = "${var.cluster_name}-k8s-master-ne-nf-${count.index+1}"
-    count = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_k8s_master}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s_master.name}",
-                        "${openstack_compute_secgroup_v2.k8s.name}" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "kube-master,kube-node,k8s-cluster,vault,no-floating"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-k8s-master-ne-nf-${count.index+1}"
+  count      = "${var.number_of_k8s_masters_no_floating_ip_no_etcd}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_k8s_master}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+    "${openstack_compute_secgroup_v2.k8s.name}",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "kube-master,k8s-cluster,vault,no-floating"
+    depends_on       = "${var.network_id}"
+  }
+
 }

-
 resource "openstack_compute_instance_v2" "k8s_node" {
-    name = "${var.cluster_name}-k8s-node-${count.index+1}"
-    count = "${var.number_of_k8s_nodes}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_k8s_node}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}",
-                        "${openstack_compute_secgroup_v2.bastion.name}",
-                        "default" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "kube-node,k8s-cluster"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-k8s-node-${count.index+1}"
+  count      = "${var.number_of_k8s_nodes}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_k8s_node}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+    "${openstack_compute_secgroup_v2.bastion.name}",
+    "default",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "kube-node,k8s-cluster"
+    depends_on       = "${var.network_id}"
+  }
+
 }

 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
-    name = "${var.cluster_name}-k8s-node-nf-${count.index+1}"
-    count = "${var.number_of_k8s_nodes_no_floating_ip}"
-    image_name = "${var.image}"
-    flavor_id = "${var.flavor_k8s_node}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = [ "${openstack_compute_secgroup_v2.k8s.name}",
-                        "default" ]
-    metadata = {
-        ssh_user = "${var.ssh_user}"
-        kubespray_groups = "kube-node,k8s-cluster,no-floating"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "${var.user_data}"
+  name       = "${var.cluster_name}-k8s-node-nf-${count.index+1}"
+  count      = "${var.number_of_k8s_nodes_no_floating_ip}"
+  image_name = "${var.image}"
+  flavor_id  = "${var.flavor_k8s_node}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+    "default",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user}"
+    kubespray_groups = "kube-node,k8s-cluster,no-floating"
+    depends_on       = "${var.network_id}"
+  }
+
 }

 resource "openstack_compute_floatingip_associate_v2" "bastion" {
-    count = "${var.number_of_bastions}"
-    floating_ip = "${var.bastion_fips[count.index]}"
-    instance_id = "${element(openstack_compute_instance_v2.bastion.*.id, count.index)}"
+  count       = "${var.number_of_bastions}"
+  floating_ip = "${var.bastion_fips[count.index]}"
+  instance_id = "${element(openstack_compute_instance_v2.bastion.*.id, count.index)}"
 }

 resource "openstack_compute_floatingip_associate_v2" "k8s_master" {
-    count = "${var.number_of_k8s_masters}"
-    instance_id = "${element(openstack_compute_instance_v2.k8s_master.*.id, count.index)}"
-    floating_ip = "${var.k8s_master_fips[count.index]}"
+  count       = "${var.number_of_k8s_masters}"
+  instance_id = "${element(openstack_compute_instance_v2.k8s_master.*.id, count.index)}"
+  floating_ip = "${var.k8s_master_fips[count.index]}"
 }

 resource "openstack_compute_floatingip_associate_v2" "k8s_node" {
-    count = "${var.number_of_k8s_nodes}"
-    floating_ip = "${var.k8s_node_fips[count.index]}"
-    instance_id = "${element(openstack_compute_instance_v2.k8s_node.*.id, count.index)}"
+  count       = "${var.number_of_k8s_nodes}"
+  floating_ip = "${var.k8s_node_fips[count.index]}"
+  instance_id = "${element(openstack_compute_instance_v2.k8s_node.*.id, count.index)}"
 }

-
 resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
-  name = "${var.cluster_name}-glusterfs_volume-${count.index+1}"
-  count = "${var.number_of_gfs_nodes_no_floating_ip}"
+  name        = "${var.cluster_name}-glusterfs_volume-${count.index+1}"
+  count       = "${var.number_of_gfs_nodes_no_floating_ip}"
  description = "Non-ephemeral volume for GlusterFS"
-  size = "${var.gfs_volume_size_in_gb}"
+  size        = "${var.gfs_volume_size_in_gb}"
 }

 resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
-    name = "${var.cluster_name}-gfs-node-nf-${count.index+1}"
-    count = "${var.number_of_gfs_nodes_no_floating_ip}"
-    image_name = "${var.image_gfs}"
-    flavor_id = "${var.flavor_gfs_node}"
-    key_pair = "${openstack_compute_keypair_v2.k8s.name}"
-    network {
-        name = "${var.network_name}"
-    }
-    security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
-                        "default" ]
-    metadata = {
-        ssh_user = "${var.ssh_user_gfs}"
-        kubespray_groups = "gfs-cluster,network-storage,no-floating"
-        depends_on = "${var.network_id}"
-    }
-    user_data = "#cloud-config\nmanage_etc_hosts: localhost\npackage_update: true\npackage_upgrade: true"
+  name       = "${var.cluster_name}-gfs-node-nf-${count.index+1}"
+  count      = "${var.number_of_gfs_nodes_no_floating_ip}"
+  image_name = "${var.image_gfs}"
+  flavor_id  = "${var.flavor_gfs_node}"
+  key_pair   = "${openstack_compute_keypair_v2.k8s.name}"
+
+  network {
+    name = "${var.network_name}"
+  }
+
+  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+    "default",
+  ]
+
+  metadata = {
+    ssh_user         = "${var.ssh_user_gfs}"
+    kubespray_groups = "gfs-cluster,network-storage,no-floating"
+    depends_on       = "${var.network_id}"
+  }
+
 }

 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
-  count = "${var.number_of_gfs_nodes_no_floating_ip}"
+  count       = "${var.number_of_gfs_nodes_no_floating_ip}"
  instance_id = "${element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)}"
  volume_id   = "${element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)}"
 }
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -1,74 +1,48 @@
-variable "cluster_name" {
-}
+variable "cluster_name" {}

-variable "number_of_k8s_masters" {
-}
+variable "number_of_k8s_masters" {}

-variable "number_of_k8s_masters_no_etcd" {
-}
+variable "number_of_k8s_masters_no_etcd" {}

-variable "number_of_etcd" {
-}
+variable "number_of_etcd" {}

-variable "number_of_k8s_masters_no_floating_ip" {
-}
+variable "number_of_k8s_masters_no_floating_ip" {}

-variable "number_of_k8s_masters_no_floating_ip_no_etcd" {
-}
+variable "number_of_k8s_masters_no_floating_ip_no_etcd" {}

-variable "number_of_k8s_nodes" {
-}
+variable "number_of_k8s_nodes" {}

-variable "number_of_k8s_nodes_no_floating_ip" {
-}
+variable "number_of_k8s_nodes_no_floating_ip" {}

-variable "number_of_bastions" {
-}
+variable "number_of_bastions" {}

-variable "number_of_gfs_nodes_no_floating_ip" {
-}
+variable "number_of_gfs_nodes_no_floating_ip" {}

-variable "gfs_volume_size_in_gb" {
-}
+variable "gfs_volume_size_in_gb" {}

-variable "public_key_path" {
-}
+variable "public_key_path" {}

-variable "image" {
-}
+variable "image" {}

-variable "image_gfs" {
-}
+variable "image_gfs" {}

-variable "ssh_user" {
-}
+variable "ssh_user" {}

-variable "ssh_user_gfs" {
-}
+variable "ssh_user_gfs" {}

-variable "flavor_k8s_master" {
-}
+variable "flavor_k8s_master" {}

-variable "flavor_k8s_node" {
-}
+variable "flavor_k8s_node" {}

-variable "flavor_etcd" {
-}
+variable "flavor_etcd" {}

-variable "flavor_gfs_node" {
-}
+variable "flavor_gfs_node" {}

-variable "network_name" {
-}
+variable "network_name" {}

-variable "flavor_bastion" {
-}
-
-
-variable "network_id"{
-
-}
+variable "flavor_bastion" {}

+variable "network_id" {}

 variable "k8s_master_fips" {
  type = "list"
--- a/contrib/terraform/openstack/modules/ips/main.tf
+++ b/contrib/terraform/openstack/modules/ips/main.tf
@@ -1,4 +1,3 @@
-
 resource "null_resource" "dummy_dependency" {
  triggers {
    dependency_id = "${var.router_id}"
@@ -6,19 +5,19 @@ resource "null_resource" "dummy_dependency" {
 }

 resource "openstack_networking_floatingip_v2" "k8s_master" {
-    count = "${var.number_of_k8s_masters}"
-    pool = "${var.floatingip_pool}"
-    depends_on = ["null_resource.dummy_dependency"]
+  count      = "${var.number_of_k8s_masters}"
+  pool       = "${var.floatingip_pool}"
+  depends_on = ["null_resource.dummy_dependency"]
 }

 resource "openstack_networking_floatingip_v2" "k8s_node" {
-    count = "${var.number_of_k8s_nodes}"
-    pool = "${var.floatingip_pool}"
-    depends_on = ["null_resource.dummy_dependency"]
+  count      = "${var.number_of_k8s_nodes}"
+  pool       = "${var.floatingip_pool}"
+  depends_on = ["null_resource.dummy_dependency"]
 }

 resource "openstack_networking_floatingip_v2" "bastion" {
-    count = "${var.number_of_bastions}"
-    pool = "${var.floatingip_pool}"
-    depends_on = ["null_resource.dummy_dependency"]
+  count      = "${var.number_of_bastions}"
+  pool       = "${var.floatingip_pool}"
+  depends_on = ["null_resource.dummy_dependency"]
 }
--- a/contrib/terraform/openstack/modules/ips/outputs.tf
+++ b/contrib/terraform/openstack/modules/ips/outputs.tf
@@ -1,11 +1,11 @@
 output "k8s_master_fips" {
-    value = ["${openstack_networking_floatingip_v2.k8s_master.*.address}"]
+  value = ["${openstack_networking_floatingip_v2.k8s_master.*.address}"]
 }

 output "k8s_node_fips" {
-    value = ["${openstack_networking_floatingip_v2.k8s_node.*.address}"]
+  value = ["${openstack_networking_floatingip_v2.k8s_node.*.address}"]
 }

 output "bastion_fips" {
-    value = ["${openstack_networking_floatingip_v2.bastion.*.address}"]
+  value = ["${openstack_networking_floatingip_v2.bastion.*.address}"]
 }
--- a/contrib/terraform/openstack/modules/ips/variables.tf
+++ b/contrib/terraform/openstack/modules/ips/variables.tf
@@ -1,26 +1,15 @@
-variable "number_of_k8s_masters" {
-}
+variable "number_of_k8s_masters" {}

-variable "number_of_k8s_masters_no_etcd" {
-}
+variable "number_of_k8s_masters_no_etcd" {}

-variable "number_of_k8s_nodes" {
-}
+variable "number_of_k8s_nodes" {}

-variable "floatingip_pool" {
-}
+variable "floatingip_pool" {}

-variable "number_of_bastions" {
+variable "number_of_bastions" {}

- }
+variable "external_net" {}

-variable "external_net" {
+variable "network_name" {}

-}
-
-variable "network_name" {
-}
-
-variable "router_id"{
-
-}
+variable "router_id" {}
--- a/contrib/terraform/openstack/modules/network/main.tf
+++ b/contrib/terraform/openstack/modules/network/main.tf
@@ -1,8 +1,7 @@
-
 resource "openstack_networking_router_v2" "k8s" {
-  name             = "${var.cluster_name}-router"
-  admin_state_up   = "true"
-  external_gateway = "${var.external_net}"
+  name                = "${var.cluster_name}-router"
+  admin_state_up      = "true"
+  external_network_id = "${var.external_net}"
 }

 resource "openstack_networking_network_v2" "k8s" {
--- a/contrib/terraform/openstack/modules/network/outputs.tf
+++ b/contrib/terraform/openstack/modules/network/outputs.tf
@@ -1,7 +1,7 @@
 output "router_id" {
-    value = "${openstack_networking_router_interface_v2.k8s.id}"
+  value = "${openstack_networking_router_interface_v2.k8s.id}"
 }

-output "network_id" {
-    value = "${openstack_networking_subnet_v2.k8s.id}"
+output "subnet_id" {
+  value = "${openstack_networking_subnet_v2.k8s.id}"
 }
--- a/contrib/terraform/openstack/modules/network/variables.tf
+++ b/contrib/terraform/openstack/modules/network/variables.tf
@@ -1,13 +1,9 @@
-variable "external_net" {
+variable "external_net" {}

-}
+variable "network_name" {}

-variable "network_name" {
-}
+variable "cluster_name" {}

-variable "cluster_name" {
-}
-
-variable "dns_nameservers"{
+variable "dns_nameservers" {
  type = "list"
 }
--- a/contrib/terraform/openstack/sample-inventory/cluster.tf
+++ b/contrib/terraform/openstack/sample-inventory/cluster.tf
@@ -0,0 +1,45 @@
+# your Kubernetes cluster name here
+cluster_name = "i-didnt-read-the-docs"
+
+# SSH key to use for access to nodes
+public_key_path = "~/.ssh/id_rsa.pub"
+
+# image to use for bastion, masters, standalone etcd instances, and nodes
+image = "<image name>"
+# user on the node (ex. core on Container Linux, ubuntu on Ubuntu, etc.)
+ssh_user = "<cloud-provisioned user>"
+
+# 0|1 bastion nodes
+number_of_bastions = 0
+#flavor_bastion = "<UUID>"
+
+# standalone etcds
+number_of_etcd = 0
+
+# masters
+number_of_k8s_masters = 1
+number_of_k8s_masters_no_etcd = 0
+number_of_k8s_masters_no_floating_ip = 0
+number_of_k8s_masters_no_floating_ip_no_etcd = 0
+flavor_k8s_master = "<UUID>"
+
+# nodes
+number_of_k8s_nodes = 2
+number_of_k8s_nodes_no_floating_ip = 4
+#flavor_k8s_node = "<UUID>"
+
+# GlusterFS
+# either 0 or more than one
+#number_of_gfs_nodes_no_floating_ip = 0
+#gfs_volume_size_in_gb = 150
+# Container Linux does not support GlusterFS
+#image_gfs = "<image name>"
+# May be different from other nodes
+#ssh_user_gfs = "ubuntu"
+#flavor_gfs_node = "<UUID>"
+
+# networking
+network_name = "<network>"
+external_net = "<UUID>"
+floatingip_pool = "<pool>"
+
--- a/contrib/terraform/openstack/sample-inventory/group_vars
+++ b/contrib/terraform/openstack/sample-inventory/group_vars
@@ -0,0 +1 @@
+../../../../inventory/sample/group_vars
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -44,86 +44,70 @@ variable "gfs_volume_size_in_gb" {

 variable "public_key_path" {
  description = "The path of the ssh pub key"
-  default = "~/.ssh/id_rsa.pub"
+  default     = "~/.ssh/id_rsa.pub"
 }

 variable "image" {
  description = "the image to use"
-  default = "ubuntu-14.04"
+  default     = "ubuntu-14.04"
 }

 variable "image_gfs" {
  description = "Glance image to use for GlusterFS"
-  default = "ubuntu-16.04"
+  default     = "ubuntu-16.04"
 }

 variable "ssh_user" {
  description = "used to fill out tags for ansible inventory"
-  default = "ubuntu"
+  default     = "ubuntu"
 }

 variable "ssh_user_gfs" {
  description = "used to fill out tags for ansible inventory"
-  default = "ubuntu"
+  default     = "ubuntu"
 }

 variable "flavor_bastion" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
-  default = 3
+  default     = 3
 }

 variable "flavor_k8s_master" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
-  default = 3
+  default     = 3
 }

 variable "flavor_k8s_node" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
-  default = 3
+  default     = 3
 }

 variable "flavor_etcd" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
-  default = 3
+  default     = 3
 }

 variable "flavor_gfs_node" {
  description = "Use 'nova flavor-list' command to see what your OpenStack instance uses for IDs"
-  default = 3
+  default     = 3
 }

 variable "network_name" {
  description = "name of the internal network to use"
-  default = "internal"
+  default     = "internal"
 }

-variable "dns_nameservers"{
+variable "dns_nameservers" {
  description = "An array of DNS name server names used by hosts in this subnet."
-  type = "list"
-  default = []
+  type        = "list"
+  default     = []
 }

 variable "floatingip_pool" {
  description = "name of the floating ip pool to use"
-  default = "external"
+  default     = "external"
 }

 variable "external_net" {
  description = "uuid of the external/public network"
 }
-
-variable "username" {
-  description = "Your openstack username"
-}
-
-variable "password" {
-  description = "Your openstack password"
-}
-
-variable "tenant" {
-  description = "Your openstack tenant/project"
-}
-
-variable "auth_url" {
-  description = "Your openstack auth URL"
-}
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -27,7 +27,7 @@ not _kube-node_.

 There are also two special groups:

-* **calico-rr**  : explained for [advanced Calico networking cases](calico.md)
+* **calico-rr** : explained for [advanced Calico networking cases](calico.md)
 * **bastion** : configure a bastion host if your nodes are not directly reachable

 Below is a complete inventory example:
@@ -66,10 +66,10 @@ kube-master
 Group vars and overriding variables precedence
 ----------------------------------------------

-The group variables to control main deployment options are located in the directory ``inventory/group_vars``.
-Optional variables are located in the `inventory/group_vars/all.yml`.
+The group variables to control main deployment options are located in the directory ``inventory/sample/group_vars``.
+Optional variables are located in the `inventory/sample/group_vars/all.yml`.
 Mandatory variables that are common for at least one role (or a node group) can be found in the
-`inventory/group_vars/k8s-cluster.yml`.
+`inventory/sample/group_vars/k8s-cluster.yml`.
 There are also role vars for docker, rkt, kubernetes preinstall and master roles.
 According to the [ansible docs](http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable),
 those cannot be overriden from the group vars. In order to override, one should use
@@ -153,16 +153,16 @@ Example command to filter and apply only DNS configuration tasks and skip
 everything else related to host OS configuration and downloading images of containers:

 ```
-ansible-playbook -i inventory/inventory.ini cluster.yml  --tags preinstall,dnsmasq,facts --skip-tags=download,bootstrap-os
+ansible-playbook -i inventory/sample/hosts.ini cluster.yml --tags preinstall,dnsmasq,facts --skip-tags=download,bootstrap-os
 ```
 And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:
 ```
-ansible-playbook -i inventory/inventory.ini -e dnsmasq_dns_server='' cluster.yml --tags resolvconf
+ansible-playbook -i inventory/sample/hosts.ini -e dnsmasq_dns_server='' cluster.yml --tags resolvconf
 ```
 And this prepares all container images localy (at the ansible runner node) without installing
 or upgrading related stuff or trying to upload container to K8s cluster nodes:
 ```
-ansible-playbook -i inventory/inventory.ini cluster.yml \
+ansible-playbook -i inventory/sample/hosts.ini cluster.yml \
    -e download_run_once=true -e download_localhost=true \
    --tags download --skip-tags upload,upgrade
 ```
--- a/docs/atomic.md
+++ b/docs/atomic.md
@@ -7,7 +7,7 @@ Note: Flannel is the only plugin that has currently been tested with atomic

 ### Vagrant

-* For bootstrapping with Vagrant, use box centos/atomic-host 
+* For bootstrapping with Vagrant, use box centos/atomic-host or fedora/atomic-host 
 * Update VagrantFile variable `local_release_dir` to `/var/vagrant/temp`.
 * Update `vm_memory = 2048` and `vm_cpus = 2`
 * Networking on vagrant hosts has to be brought up manually once they are booted.
@@ -17,6 +17,7 @@ Note: Flannel is the only plugin that has currently been tested with atomic
    sudo /sbin/ifup enp0s8
    ```

-* For users of vagrant-libvirt download qcow2 format from https://wiki.centos.org/SpecialInterestGroup/Atomic/Download/
+* For users of vagrant-libvirt download centos/atomic-host qcow2 format from https://wiki.centos.org/SpecialInterestGroup/Atomic/Download/
+* For users of vagrant-libvirt download fedora/atomic-host qcow2 format from https://getfedora.org/en/atomic/download/

-Then you can proceed to [cluster deployment](#run-deployment)
+Then you can proceed to [cluster deployment](#run-deployment)
--- a/docs/aws.md
+++ b/docs/aws.md
@@ -5,7 +5,7 @@ To deploy kubespray on [AWS](https://aws.amazon.com/) uncomment the `cloud_provi

 Prior to creating your instances, you **must** ensure that you have created IAM roles and policies for both "kubernetes-master" and "kubernetes-node". You can find the IAM policies [here](https://github.com/kubernetes-incubator/kubespray/tree/master/contrib/aws_iam/). See the [IAM Documentation](https://aws.amazon.com/documentation/iam/) if guidance is needed on how to set these up. When you bring your instances online, associate them with the respective IAM role. Nodes that are only to be used for Etcd do not need a role.

-You would also need to tag the resources in your VPC accordingly for the aws provider to utilize them. Tag the subnets and all instances that kubernetes will be run on with key `kuberentes.io/cluster/$cluster_name` (`$cluster_name` must be a unique identifier for the cluster). Tag the subnets that must be targetted by external ELBs with the key `kubernetes.io/role/elb` and internal ELBs with the key `kubernetes.io/role/internal-elb`.
+You would also need to tag the resources in your VPC accordingly for the aws provider to utilize them. Tag the subnets and all instances that kubernetes will be run on with key `kubernetes.io/cluster/$cluster_name` (`$cluster_name` must be a unique identifier for the cluster). Tag the subnets that must be targetted by external ELBs with the key `kubernetes.io/role/elb` and internal ELBs with the key `kubernetes.io/role/internal-elb`.

 Make sure your VPC has both DNS Hostnames support and Private DNS enabled.

--- a/docs/cloud.md
+++ b/docs/cloud.md
@@ -3,20 +3,11 @@ Cloud providers

 #### Provisioning

-You can use kubespray-cli to start new instances on cloud providers
-here's an example
-```
-kubespray [aws|gce] --nodes 2 --etcd 3 --cluster-name test-smana
-```
+You can deploy instances in your cloud environment in several different ways. Examples include Terraform, Ansible (ec2 and gce modules), and manual creation.

 #### Deploy kubernetes

-With kubespray-cli
-```
-kubespray deploy [--aws|--gce] -u admin
-```
-
-Or ansible-playbook command
+With ansible-playbook command
 ```
 ansible-playbook -u smana -e ansible_ssh_user=admin -e cloud_provider=[aws|gce] -b --become-user=root -i inventory/single.cfg cluster.yml
 ```
--- a/docs/coreos.md
+++ b/docs/coreos.md
@@ -1,13 +1,7 @@
 CoreOS bootstrap
 ===============

-Example with **kubespray-cli**:
-
-```
-kubespray deploy --gce --coreos
-```
-
-Or with Ansible:
+Example with Ansible:

 Before running the cluster playbook you must satisfy the following requirements:

--- a/docs/dns-stack.md
+++ b/docs/dns-stack.md
@@ -62,6 +62,14 @@ other queries are forwardet to the nameservers found in ``upstream_dns_servers``
 This does not install the dnsmasq DaemonSet and instructs kubelet to directly use kubedns/skydns for
 all queries.

+#### coredns
+This does not install the dnsmasq DaemonSet and instructs kubelet to directly use CoreDNS for
+all queries.
+
+#### coredns_dual
+This does not install the dnsmasq DaemonSet and instructs kubelet to directly use CoreDNS for
+all queries. It will also deploy a secondary CoreDNS stack
+
 #### manual
 This does not install dnsmasq or kubedns, but allows you to specify
 `manual_dns_server`, which will be configured on nodes for handling Pod DNS.
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -1,29 +1,12 @@
 Getting started
 ===============

-The easiest way to run the deployement is to use the **kubespray-cli** tool.
-A complete documentation can be found in its [github repository](https://github.com/kubespray/kubespray-cli).
-
-Here is a simple example on AWS:
-
-* Create instances and generate the inventory
-
-```
-kubespray aws --instances 3
-```
-
-* Run the deployment
-
-```
-kubespray deploy --aws -u centos -n calico
-```
-
 Building your own inventory
 ---------------------------

 Ansible inventory can be stored in 3 formats: YAML, JSON, or INI-like. There is
 an example inventory located
-[here](https://github.com/kubernetes-incubator/kubespray/blob/master/inventory/inventory.example).
+[here](https://github.com/kubernetes-incubator/kubespray/blob/master/inventory/sample/hosts.ini).

 You can use an
 [inventory generator](https://github.com/kubernetes-incubator/kubespray/blob/master/contrib/inventory_builder/inventory.py)
@@ -35,11 +18,9 @@ certain threshold. Run `python3 contrib/inventory_builder/inventory.py help` hel

 Example inventory generator usage:

-```
-cp -r inventory my_inventory
-declare -a IPS=(10.10.1.3 10.10.1.4 10.10.1.5)
-CONFIG_FILE=my_inventory/inventory.cfg python3 contrib/inventory_builder/inventory.py ${IPS[@]}
-```
+    cp -r inventory/sample inventory/mycluster
+    declare -a IPS=(10.10.1.3 10.10.1.4 10.10.1.5)
+    CONFIG_FILE=inventory/mycluster/hosts.ini python3 contrib/inventory_builder/inventory.py ${IPS[@]}

 Starting custom deployment
 --------------------------
@@ -47,12 +28,10 @@ Starting custom deployment
 Once you have an inventory, you may want to customize deployment data vars
 and start the deployment:

-**IMPORTANT: Edit my_inventory/groups_vars/*.yaml to override data vars**
+**IMPORTANT**: Edit my\_inventory/groups\_vars/\*.yaml to override data vars:

-```
-ansible-playbook -i my_inventory/inventory.cfg cluster.yml -b -v \
-  --private-key=~/.ssh/private_key
-```
+    ansible-playbook -i inventory/mycluster/hosts.ini cluster.yml -b -v \
+      --private-key=~/.ssh/private_key

 See more details in the [ansible guide](ansible.md).

@@ -61,31 +40,43 @@ Adding nodes

 You may want to add **worker** nodes to your existing cluster. This can be done by re-running the `cluster.yml` playbook, or you can target the bare minimum needed to get kubelet installed on the worker and talking to your masters. This is especially helpful when doing something like autoscaling your clusters.

- Add the new worker node to your inventory under kube-node (or utilize a [dynamic inventory](https://docs.ansible.com/ansible/intro_dynamic_inventory.html)).
- Run the ansible-playbook command, substituting `scale.yml` for `cluster.yml`:
+-   Add the new worker node to your inventory under kube-node (or utilize a [dynamic inventory](https://docs.ansible.com/ansible/intro_dynamic_inventory.html)).
+-   Run the ansible-playbook command, substituting `scale.yml` for `cluster.yml`:
+
+        ansible-playbook -i inventory/mycluster/hosts.ini scale.yml -b -v \
+          --private-key=~/.ssh/private_key
+
+Remove nodes
+------------
+
+You may want to remove **worker** nodes to your existing cluster. This can be done by re-running the `remove-node.yml` playbook. First, all nodes will be drained, then stop some kubernetes services and delete some certificates, and finally execute the kubectl command to delete these nodes. This can be combined with the add node function, This is generally helpful when doing something like autoscaling your clusters. Of course if a node is not working, you can remove the node and install it again.
+
+- Add worker nodes to the list under kube-node if you want to delete them (or utilize a [dynamic inventory](https://docs.ansible.com/ansible/intro_dynamic_inventory.html)).
+- Run the ansible-playbook command, substituting `remove-node.yml`:
 ```
-ansible-playbook -i my_inventory/inventory.cfg scale.yml -b -v \
+ansible-playbook -i inventory/mycluster/hosts.ini remove-node.yml -b -v \
  --private-key=~/.ssh/private_key
 ```

 Connecting to Kubernetes
 ------------------------
+
 By default, Kubespray configures kube-master hosts with insecure access to
 kube-apiserver via port 8080. A kubeconfig file is not necessary in this case,
-because kubectl will use http://localhost:8080 to connect. The kubeconfig files
+because kubectl will use <http://localhost:8080> to connect. The kubeconfig files
 generated will point to localhost (on kube-masters) and kube-node hosts will
 connect either to a localhost nginx proxy or to a loadbalancer if configured.
 More details on this process are in the [HA guide](ha-mode.md).

-Kubespray permits connecting to the cluster remotely on any IP of any 
-kube-master host on port 6443 by default. However, this requires 
-authentication. One could generate a kubeconfig based on one installed 
+Kubespray permits connecting to the cluster remotely on any IP of any
+kube-master host on port 6443 by default. However, this requires
+authentication. One could generate a kubeconfig based on one installed
 kube-master hosts (needs improvement) or connect with a username and password.
 By default, a user with admin rights is created, named `kube`.
-The password can be viewed after deployment by looking at the file 
-`PATH_TO_KUBESPRAY/credentials/kube_user`. This contains a randomly generated
+The password can be viewed after deployment by looking at the file
+`PATH_TO_KUBESPRAY/credentials/kube_user.creds`. This contains a randomly generated
 password. If you wish to set your own password, just precreate/modify this
-file yourself. 
+file yourself.

 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
@@ -94,29 +85,33 @@ Accessing Kubernetes Dashboard
 ------------------------------

 As of kubernetes-dashboard v1.7.x:
-* New login options that use apiserver auth proxying of token/basic/kubeconfig by default
-* Requires RBAC in authorization_modes
-* Only serves over https
-* No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL
+
+-   New login options that use apiserver auth proxying of token/basic/kubeconfig by default
+-   Requires RBAC in authorization\_modes
+-   Only serves over https
+-   No longer available at <https://first_master:6443/ui> until apiserver is updated with the https proxy URL

 If the variable `dashboard_enabled` is set (default is true), then you can access the Kubernetes Dashboard at the following URL, You will be prompted for credentials:
-https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
+<https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login>

 Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from:
-http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
+<http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login>

-It is recommended to access dashboard from behind a gateway (like Ingress Controller) that enforces an authentication token. Details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
+It is recommended to access dashboard from behind a gateway (like Ingress Controller) that enforces an authentication token. Details and other access options here: <https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above>

 Accessing Kubernetes API
 ------------------------

 The main client of Kubernetes is `kubectl`. It is installed on each kube-master
 host and can optionally be configured on your ansible host by setting
-`kubeconfig_localhost: true` in the configuration. If enabled, kubectl and
-admin.conf will appear in the artifacts/ directory after deployment. You can
-see a list of nodes by running the following commands:
+`kubectl_localhost: true` and `kubeconfig_localhost: true` in the configuration:

-    cd artifacts/
-    ./kubectl --kubeconfig admin.conf get nodes
+-   If `kubectl_localhost` enabled, `kubectl` will download onto `/usr/local/bin/` and setup with bash completion. A helper script `inventory/mycluster/artifacts/kubectl.sh` also created for setup with below `admin.conf`.
+-   If `kubeconfig_localhost` enabled `admin.conf` will appear in the `inventory/mycluster/artifacts/` directory after deployment.

-If desired, copy kubectl to your bin dir and admin.conf to ~/.kube/config.
+You can see a list of nodes by running the following commands:
+
+    cd inventory/mycluster/artifacts
+    ./kubectl.sh get nodes
+
+If desired, copy admin.conf to ~/.kube/config.
--- a/docs/large-deployments.md
+++ b/docs/large-deployments.md
@@ -3,8 +3,7 @@ Large deployments of K8s

 For a large scaled deployments, consider the following configuration changes:

-* Tune [ansible settings]
-  (http://docs.ansible.com/ansible/intro_configuration.html)
+* Tune [ansible settings](http://docs.ansible.com/ansible/intro_configuration.html)
  for `forks` and `timeout` vars to fit large numbers of nodes being deployed.

 * Override containers' `foo_image_repo` vars to point to intranet registry.
@@ -47,5 +46,8 @@ For a large scaled deployments, consider the following configuration changes:
  section of the Getting started guide for tips on creating a large scale
  Ansible inventory.

+* Override the ``etcd_events_cluster_setup: true`` store events in a separate
+  dedicated etcd instance.
+
 For example, when deploying 200 nodes, you may want to run ansible with
 ``--forks=50``, ``--timeout=600`` and define the ``retry_stagger: 60``.
--- a/docs/opensuse.md
+++ b/docs/opensuse.md
@@ -0,0 +1,19 @@
+openSUSE Leap 42.3 and Tumbleweed
+===============
+
+openSUSE Leap installation Notes:
+
+- Install Ansible
+
+  ```
+  sudo zypper ref
+  sudo zypper -n install ansible
+
+  ```
+
+- Install Jinja2 and Python-Netaddr
+
+  ```sudo zypper -n install python-Jinja2 python-netaddr```
+
+
+Now you can continue with [Preparing your deployment](getting-started.md#starting-custom-deployment)
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -24,13 +24,13 @@ If you wanted to upgrade just kube_version from v1.4.3 to v1.4.6, you could
 deploy the following way:

 ```
-ansible-playbook cluster.yml -i inventory/inventory.cfg -e kube_version=v1.4.3
+ansible-playbook cluster.yml -i inventory/sample/hosts.ini -e kube_version=v1.4.3
 ```

 And then repeat with v1.4.6 as kube_version:

 ```
-ansible-playbook cluster.yml -i inventory/inventory.cfg -e kube_version=v1.4.6
+ansible-playbook cluster.yml -i inventory/sample/hosts.ini -e kube_version=v1.4.6
 ```

 #### Graceful upgrade
@@ -44,7 +44,7 @@ deployed.
 ```
 git fetch origin
 git checkout origin/master
-ansible-playbook upgrade-cluster.yml -b -i inventory/inventory.cfg -e kube_version=v1.6.0
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=v1.6.0
 ```

 After a successul upgrade, the Server Version should be updated:
--- a/docs/vagrant.md
+++ b/docs/vagrant.md
@@ -1,7 +1,7 @@
 Vagrant Install
 =================

-Assuming you have Vagrant (1.9+) installed with virtualbox (it may work
+Assuming you have Vagrant (2.0+) installed with virtualbox (it may work
 with vmware, but is untested) you should be able to launch a 3 node
 Kubernetes cluster by simply running `$ vagrant up`.<br />

--- a/docs/vars.md
+++ b/docs/vars.md
@@ -63,7 +63,8 @@ following default cluster paramters:
  bits in kube_pods_subnet dictates how many kube-nodes can be in cluster.
 * *dns_setup* - Enables dnsmasq
 * *dnsmasq_dns_server* - Cluster IP for dnsmasq (default is 10.233.0.2)
-* *skydns_server* - Cluster IP for KubeDNS (default is 10.233.0.3)
+* *skydns_server* - Cluster IP for DNS (default is 10.233.0.3)
+* *skydns_server_secondary* - Secondary Cluster IP for CoreDNS used with coredns_dual deployment (default is 10.233.0.4)
 * *cloud_provider* - Enable extra Kubelet option if operating inside GCE or
  OpenStack (default is unset)
 * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
@@ -105,9 +106,9 @@ Stack](https://github.com/kubernetes-incubator/kubespray/blob/master/docs/dns-st
 * *http_proxy/https_proxy/no_proxy* - Proxy variables for deploying behind a
  proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
  that correspond to each node.
-* *kubelet_deployment_type* - Controls which platform to deploy kubelet on. 
+* *kubelet_deployment_type* - Controls which platform to deploy kubelet on.
  Available options are ``host``, ``rkt``, and ``docker``. ``docker`` mode
-  is unlikely to work on newer releases. Starting with Kubernetes v1.7 
+  is unlikely to work on newer releases. Starting with Kubernetes v1.7
  series, this now defaults to ``host``. Before v1.7, the default was Docker.
  This is because of cgroup [issues](https://github.com/kubernetes/kubernetes/issues/43704).
 * *kubelet_load_modules* - For some things, kubelet needs to load kernel modules.  For example,
@@ -117,6 +118,14 @@ Stack](https://github.com/kubernetes-incubator/kubespray/blob/master/docs/dns-st
 * *kubelet_cgroup_driver* - Allows manual override of the
  cgroup-driver option for Kubelet. By default autodetection is used
  to match Docker configuration.
+* *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
+  For example, labels can be set in the inventory as variables or more widely in group_vars.
+  *node_labels* must be defined as a dict:
+```
+node_labels:
+  label1_name: label1_value
+  label2_name: label2_value
+```

 ##### Custom flags for Kube Components
 For all kube components, custom flags can be passed in. This allows for edge cases where users need changes to the default deployment that may not be applicable to all deployments. This can be done by providing a list of flags. Example:
@@ -136,6 +145,6 @@ The possible vars are:

 By default, a user with admin rights is created, named `kube`.
 The password can be viewed after deployment by looking at the file
-`PATH_TO_KUBESPRAY/credentials/kube_user`. This contains a randomly generated
+`PATH_TO_KUBESPRAY/credentials/kube_user.creds`. This contains a randomly generated
 password. If you wish to set your own password, just precreate/modify this
 file yourself or change `kube_api_pwd` var.
--- a/docs/vsphere.md
+++ b/docs/vsphere.md
@@ -16,7 +16,7 @@ After this step you should have:

 ## Kubespray configuration

-Fist you must define the cloud provider in `inventory/group_vars/all.yml` and set it to `vsphere`.
+Fist you must define the cloud provider in `inventory/sample/group_vars/all.yml` and set it to `vsphere`.
 ```yml
 cloud_provider: vsphere
 ```
@@ -58,7 +58,7 @@ vsphere_resource_pool: "K8s-Pool"
 Once the configuration is set, you can execute the playbook again to apply the new configuration
 ```
 cd kubespray
-ansible-playbook -i inventory/inventory.cfg -b -v cluster.yml
+ansible-playbook -i inventory/sample/hosts.ini -b -v cluster.yml
 ```

 You'll find some usefull examples [here](https://github.com/kubernetes/kubernetes/tree/master/examples/volumes/vsphere) to test your configuration.
--- a/docs/weave.md
+++ b/docs/weave.md
@@ -12,7 +12,7 @@ Weave encryption is supported for all communication
 * To use Weave encryption, specify a strong password (if no password, no encrytion)

 ```
-# In file ./inventory/group_vars/k8s-cluster.yml
+# In file ./inventory/sample/group_vars/k8s-cluster.yml
 weave_password: EnterPasswordHere
 ```

@@ -77,14 +77,14 @@ The seed mode also allows multi-clouds and hybrid on-premise/cloud clusters depl
 * Switch from consensus mode to seed mode

 ```
-# In file ./inventory/group_vars/k8s-cluster.yml
+# In file ./inventory/sample/group_vars/k8s-cluster.yml
 weave_mode_seed: true
 ```

 These two variables are only used when `weave_mode_seed` is set to `true` (**/!\ do not manually change these values**)

 ```
-# In file ./inventory/group_vars/k8s-cluster.yml
+# In file ./inventory/sample/group_vars/k8s-cluster.yml
 weave_seed: uninitialized
 weave_peers: uninitialized
 ```
--- a/extra_playbooks/build-cephfs-provisioner.yml
+++ b/extra_playbooks/build-cephfs-provisioner.yml
@@ -0,0 +1,54 @@
+---
+
+- hosts: localhost
+  tasks:
+    - name: CephFS Provisioner | Install pip packages
+      pip:
+        name: "{{ item.name }}"
+        version: "{{ item.version }}"
+        state: "{{ item.state }}"
+      with_items:
+        - { state: "present", name: "docker", version: "2.7.0" }
+        - { state: "present", name: "docker-compose", version: "1.18.0" }
+
+    - name: CephFS Provisioner | Check Go version
+      shell: |
+        go version
+      ignore_errors: yes
+      register: go_version_result
+
+    - name: CephFS Provisioner | Install Go 1.9
+      shell: |
+        add-apt-repository -y ppa:gophers/archive
+        apt-get update
+        apt-get install -y golang-1.9
+        ln -fs /usr/lib/go-1.9/bin/* /usr/local/bin/
+      when: 'go_version_result.rc != 0 or "go version go1.9" not in go_version_result.stdout'
+
+    - name: CephFS Provisioner | Check if image exists
+      shell: |
+        docker image list | grep 'cephfs-provisioner'
+      ignore_errors: yes
+      register: check_image_result
+
+    - block:
+        - name: CephFS Provisioner | Clone repo
+          git:
+            repo: https://github.com/kubernetes-incubator/external-storage.git
+            dest: "~/go/src/github.com/kubernetes-incubator"
+            version: 92295a30
+            clone: no
+            update: yes
+            
+        - name: CephFS Provisioner | Build image
+          shell: |
+            cd ~/go/src/github.com/kubernetes-incubator/external-storage
+            REGISTRY=quay.io/kubespray/ VERSION=92295a30 make ceph/cephfs
+
+        - name: CephFS Provisioner | Push image
+          docker_image:
+            name: quay.io/kubespray/cephfs-provisioner:92295a30
+            push: yes
+          retries: 10
+
+      when: check_image_result.rc != 0
--- a/inventory/local/group_vars
+++ b/inventory/local/group_vars
@@ -0,0 +1 @@
+../sample/group_vars
--- a/inventory/local/hosts.ini
+++ b/inventory/local/hosts.ini
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -17,9 +17,13 @@ bin_dir: /usr/local/bin
 ### LOADBALANCING AND ACCESS MODES
 ## Enable multiaccess to configure etcd clients to access all of the etcd members directly
 ## as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers.
-## This may be the case if clients support and loadbalance multiple etcd servers  natively.
+## This may be the case if clients support and loadbalance multiple etcd servers natively.
 #etcd_multiaccess: true

+### ETCD: disable peer client cert authentication.
+# This affects ETCD_PEER_CLIENT_CERT_AUTH variable
+#etcd_peer_client_auth: true
+
 ## External LB example config
 ## apiserver_loadbalancer_domain_name: "elb.some.domain"
 #loadbalancer_apiserver:
@@ -38,7 +42,7 @@ bin_dir: /usr/local/bin
 ## for mounting persistent volumes into containers.  These may not be loaded by preinstall kubernetes
 ## processes.  For example, ceph and rbd backed volumes.  Set to true to allow kubelet to load kernel
 ## modules.
-# kubelet_load_modules: false
+#kubelet_load_modules: false

 ## Internal network total size. This is the prefix of the
 ## entire network. Must be unused in your environment.
@@ -72,6 +76,7 @@ bin_dir: /usr/local/bin
 #azure_subnet_name:
 #azure_security_group_name:
 #azure_vnet_name:
+#azure_vnet_resource_group:
 #azure_route_table_name:

 ## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461)
@@ -92,10 +97,6 @@ bin_dir: /usr/local/bin

 ## Uncomment to enable experimental kubeadm deployment mode
 #kubeadm_enabled: false
-#kubeadm_token_first: "{{ lookup('password', 'credentials/kubeadm_token_first length=6  chars=ascii_lowercase,digits') }}"
-#kubeadm_token_second: "{{ lookup('password', 'credentials/kubeadm_token_second length=16 chars=ascii_lowercase,digits') }}"
-#kubeadm_token: "{{ kubeadm_token_first }}.{{ kubeadm_token_second }}"
-#
 ## Set these proxy values in order to update package manager and docker daemon to use proxies
 #http_proxy: ""
 #https_proxy: ""
@@ -111,7 +112,7 @@ bin_dir: /usr/local/bin

 ## Default packages to install within the cluster, f.e:
 #kpm_packages:
-#  - name: kube-system/grafana
+# - name: kube-system/grafana

 ## Certificate Management
 ## This setting determines whether certs are generated via scripts or whether a
@@ -127,3 +128,10 @@ bin_dir: /usr/local/bin

 ## Set level of detail for etcd exported metrics, specify 'extensive' to include histogram metrics.
 #etcd_metrics: basic
+
+## Etcd is restricted by default to 512M on systems under 4GB RAM, 512MB is not enough for much more than testing.
+## Set this if your etcd nodes have less than 4GB but you want more RAM for etcd. Set to 0 for unrestricted RAM.
+#etcd_memory_limit: "512M"
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable.
+#kube_read_only_port: 10255
--- a/inventory/sample/group_vars/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster.yml
@@ -1,12 +1,11 @@
 # Kubernetes configuration dirs and system namespace.
 # Those are where all the additional config stuff goes
-# the kubernetes normally puts in /srv/kubernets.
+# the kubernetes normally puts in /srv/kubernetes.
 # This puts them in a sane location and namespace.
-# Editting those values will almost surely break something.
+# Editing those values will almost surely break something.
 kube_config_dir: /etc/kubernetes
 kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
-system_namespace: kube-system

 # This is where all the cert scripts and certs will be located
 kube_cert_dir: "{{ kube_config_dir }}/ssl"
@@ -20,7 +19,7 @@ kube_users_dir: "{{ kube_config_dir }}/users"
 kube_api_anonymous_auth: true

 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.9.2
+kube_version: v1.9.5

 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
@@ -29,7 +28,7 @@ local_release_dir: "/tmp/releases"
 retry_stagger: 5

 # This is the group that the cert creation scripts chgrp the
-# cert files to. Not really changable...
+# cert files to. Not really changeable...
 kube_cert_group: kube-cert

 # Cluster Loglevel configuration
@@ -37,7 +36,7 @@ kube_log_level: 2

 # Users to create for basic auth in Kubernetes API via HTTP
 # Optionally add groups for user
-kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15 chars=ascii_letters,digits') }}"
+kube_api_pwd: "{{ lookup('password', inventory_dir + '/credentials/kube_user.creds length=15 chars=ascii_letters,digits') }}"
 kube_users:
  kube:
    pass: "{{kube_api_pwd}}"
@@ -62,7 +61,7 @@ kube_users:
 # kube_oidc_groups_claim: groups


-# Choose network plugin (calico, contiv, weave or flannel)
+# Choose network plugin (cilium, calico, contiv, weave or flannel)
 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
 kube_network_plugin: calico

@@ -83,6 +82,9 @@ weave_mode_seed: false
 weave_seed: uninitialized
 weave_peers: uninitialized

+# Set the MTU of Weave (default 1376, Jumbo Frames: 8916)
+weave_mtu: 1376
+
 # Enable kubernetes network policies
 enable_network_policy: false

@@ -106,12 +108,19 @@ kube_apiserver_insecure_port: 8080 # (http)
 # Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
 #kube_apiserver_insecure_port: 0 # (disabled)

+# Kube-proxy proxyMode configuration.
+# Can be ipvs, iptables
+kube_proxy_mode: iptables
+
+## Encrypting Secret Data at Rest (experimental)
+kube_encrypt_secret_data: false
+
 # DNS configuration.
 # Kubernetes cluster name, also will be used as DNS domain
 cluster_name: cluster.local
 # Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
 ndots: 2
-# Can be dnsmasq_kubedns, kubedns, manual or none
+# Can be dnsmasq_kubedns, kubedns, coredns, coredns_dual, manual or none
 dns_mode: kubedns
 # Set manual server if using a custom cluster DNS server
 #manual_dns_server: 10.x.x.x
@@ -122,6 +131,7 @@ resolvconf_mode: docker_dns
 deploy_netchecker: false
 # Ip address of the kubernetes skydns service
 skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
+skydns_server_secondary: "{{ kube_service_addresses|ipaddr('net')|ipaddr(4)|ipaddr('address') }}"
 dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
 dns_domain: "{{ cluster_name }}"

@@ -158,15 +168,55 @@ helm_enabled: false
 # Istio deployment
 istio_enabled: false

+# Registry deployment
+registry_enabled: false
+# registry_namespace: "{{ system_namespace }}"
+# registry_storage_class: ""
+# registry_disk_size: "10Gi"
+
 # Local volume provisioner deployment
-local_volumes_enabled: false
+local_volume_provisioner_enabled: false
+# local_volume_provisioner_namespace: "{{ system_namespace }}"
+# local_volume_provisioner_base_dir: /mnt/disks
+# local_volume_provisioner_mount_dir: /mnt/disks
+# local_volume_provisioner_storage_class: local-storage
+
+# CephFS provisioner deployment
+cephfs_provisioner_enabled: false
+# cephfs_provisioner_namespace: "{{ system_namespace }}"
+# cephfs_provisioner_cluster: ceph
+# cephfs_provisioner_monitors:
+#   - 172.24.0.1:6789
+#   - 172.24.0.2:6789
+#   - 172.24.0.3:6789
+# cephfs_provisioner_admin_id: admin
+# cephfs_provisioner_secret: secret
+# cephfs_provisioner_storage_class: cephfs
+
+# Nginx ingress controller deployment
+ingress_nginx_enabled: false
+# ingress_nginx_host_network: false
+# ingress_nginx_namespace: "ingress-nginx"
+# ingress_nginx_insecure_port: 80
+# ingress_nginx_secure_port: 443
+# ingress_nginx_configmap:
+#   map-hash-bucket-size: "128"
+#   ssl-protocols: "SSLv2"
+# ingress_nginx_configmap_tcp_services:
+#   9000: "default/example-go:8080"
+# ingress_nginx_configmap_udp_services:
+#   53: "kube-system/kube-dns:53"
+
+# Cert manager deployment
+cert_manager_enabled: false
+# cert_manager_namespace: "cert-manager"

 # Add Persistent Volumes Storage Class for corresponding cloud provider ( OpenStack is only supported now )
 persistent_volumes_enabled: false

-# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
+# Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
 # kubeconfig_localhost: false
-# Download kubectl onto the host that runs Ansible in GITDIR/artifacts
+# Download kubectl onto the host that runs Ansible in {{ bin_dir }}
 # kubectl_localhost: false

 # dnsmasq
--- a/inventory/inventory.example
+++ b/inventory/inventory.example
@@ -26,6 +26,11 @@
 # node5
 # node6

+# [kube-ingress]
+# node2
+# node3
+
 # [k8s-cluster:children]
+# kube-master
 # kube-node
-# kube-master
+# kube-ingress
--- a/library/kube.py
+++ b/library/kube.py
@@ -18,7 +18,9 @@ options:
    required: false
    default: null
    description:
-      - The path and filename of the resource(s) definition file.
+      - The path and filename of the resource(s) definition file(s).
+      - To operate on several files this can accept a comma separated list of files or a list of files.
+    aliases: [ 'files', 'file', 'filenames' ]
  kubectl:
    required: false
    default: null
@@ -86,6 +88,15 @@ EXAMPLES = """

 - name: test nginx is present
  kube: filename=/tmp/nginx.yml
+
+- name: test nginx and postgresql are present
+  kube: files=/tmp/nginx.yml,/tmp/postgresql.yml
+
+- name: test nginx and postgresql are present
+  kube:
+    files:
+      - /tmp/nginx.yml
+      - /tmp/postgresql.yml
 """


@@ -112,7 +123,7 @@ class KubeManager(object):
        self.all = module.params.get('all')
        self.force = module.params.get('force')
        self.name = module.params.get('name')
-        self.filename = module.params.get('filename')
+        self.filename = [f.strip() for f in module.params.get('filename') or []]
        self.resource = module.params.get('resource')
        self.label = module.params.get('label')

@@ -122,7 +133,7 @@ class KubeManager(object):
            rc, out, err = self.module.run_command(args)
            if rc != 0:
                self.module.fail_json(
-                    msg='error running kubectl (%s) command (rc=%d): %s' % (' '.join(args), rc, out or err))
+                    msg='error running kubectl (%s) command (rc=%d), out=\'%s\', err=\'%s\'' % (' '.join(args), rc, out, err))
        except Exception as exc:
            self.module.fail_json(
                msg='error running kubectl (%s) command: %s' % (' '.join(args), str(exc)))
@@ -147,7 +158,7 @@ class KubeManager(object):
        if not self.filename:
            self.module.fail_json(msg='filename required to create')

-        cmd.append('--filename=' + self.filename)
+        cmd.append('--filename=' + ','.join(self.filename))

        return self._execute(cmd)

@@ -161,7 +172,7 @@ class KubeManager(object):
        if not self.filename:
            self.module.fail_json(msg='filename required to reload')

-        cmd.append('--filename=' + self.filename)
+        cmd.append('--filename=' + ','.join(self.filename))

        return self._execute(cmd)

@@ -173,7 +184,7 @@ class KubeManager(object):
        cmd = ['delete']

        if self.filename:
-            cmd.append('--filename=' + self.filename)
+            cmd.append('--filename=' + ','.join(self.filename))
        else:
            if not self.resource:
                self.module.fail_json(msg='resource required to delete without filename')
@@ -197,27 +208,31 @@ class KubeManager(object):
    def exists(self):
        cmd = ['get']

-        if not self.resource:
-            return False
+        if self.filename:
+            cmd.append('--filename=' + ','.join(self.filename))
+        else:
+            if not self.resource:
+                self.module.fail_json(msg='resource required without filename')

-        cmd.append(self.resource)
+            cmd.append(self.resource)

-        if self.name:
-            cmd.append(self.name)
+            if self.name:
+                cmd.append(self.name)
+
+            if self.label:
+                cmd.append('--selector=' + self.label)
+
+            if self.all:
+                cmd.append('--all-namespaces')

        cmd.append('--no-headers')

-        if self.label:
-            cmd.append('--selector=' + self.label)
-
-        if self.all:
-            cmd.append('--all-namespaces')
-
        result = self._execute_nofail(cmd)
        if not result:
            return False
        return True

+    # TODO: This is currently unused, perhaps convert to 'scale' with a replicas param?
    def stop(self):

        if not self.force and not self.exists():
@@ -226,7 +241,7 @@ class KubeManager(object):
        cmd = ['stop']

        if self.filename:
-            cmd.append('--filename=' + self.filename)
+            cmd.append('--filename=' + ','.join(self.filename))
        else:
            if not self.resource:
                self.module.fail_json(msg='resource required to stop without filename')
@@ -253,7 +268,7 @@ def main():
    module = AnsibleModule(
        argument_spec=dict(
            name=dict(),
-            filename=dict(),
+            filename=dict(type='list', aliases=['files', 'file', 'filenames']),
            namespace=dict(),
            resource=dict(),
            label=dict(),
@@ -263,7 +278,8 @@ def main():
            all=dict(default=False, type='bool'),
            log_level=dict(default=0, type='int'),
            state=dict(default='present', choices=['present', 'absent', 'latest', 'reloaded', 'stopped']),
-            )
+            ),
+            mutually_exclusive=[['filename', 'list']]
        )

    changed = False
--- a/remove-node.yml
+++ b/remove-node.yml
@@ -0,0 +1,29 @@
+---
+
+- hosts: all
+  gather_facts: true
+
+- hosts: etcd:k8s-cluster:vault:calico-rr
+  vars_prompt:
+    name: "delete_nodes_confirmation"
+    prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."
+    default: "no"
+    private: no
+
+  pre_tasks:
+    - name: check confirmation
+      fail:
+        msg: "Delete nodes confirmation failed"
+      when: delete_nodes_confirmation != "yes"
+
+- hosts: kube-master
+  roles:
+    - { role: remove-node/pre-remove, tags: pre-remove }
+
+- hosts: kube-node
+  roles:
+    - { role: reset, tags: reset }
+
+- hosts: kube-master
+  roles:
+    - { role: remove-node/post-remove, tags: post-remove }
--- a/roles/bootstrap-os/defaults/main.yml
+++ b/roles/bootstrap-os/defaults/main.yml
@@ -2,3 +2,5 @@
 pip_python_coreos_modules:
  - httplib2
  - six
+
+override_system_hostname: true
--- a/roles/bootstrap-os/tasks/bootstrap-opensuse.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-opensuse.yml
@@ -0,0 +1,7 @@
+---
+- name: Install required packages (SUSE)
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - python-cryptography
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -11,6 +11,9 @@
 - import_tasks: bootstrap-centos.yml
  when: bootstrap_os == "centos"

+- import_tasks: bootstrap-opensuse.yml
+  when: bootstrap_os == "opensuse"
+
 - import_tasks: setup-pipelining.yml

 - name: check if atomic host
@@ -26,18 +29,25 @@
    gather_subset: '!all'
    filter: ansible_*

- name: Assign inventory name to unconfigured hostnames (non-CoreOS)
+- name: Assign inventory name to unconfigured hostnames (non-CoreOS and Tumbleweed)
  hostname:
    name: "{{inventory_hostname}}"
-  when: ansible_os_family not in ['CoreOS', 'Container Linux by CoreOS']
+  when:
+    - override_system_hostname
+    - ansible_distribution not in ['openSUSE Tumbleweed']
+    - ansible_os_family not in ['CoreOS', 'Container Linux by CoreOS']

- name: Assign inventory name to unconfigured hostnames (CoreOS only)
+- name: Assign inventory name to unconfigured hostnames (CoreOS and Tumbleweed only)
  command: "hostnamectl set-hostname  {{inventory_hostname}}"
  register: hostname_changed
-  when: ansible_hostname == 'localhost' and ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+  when:
+    - ansible_hostname == 'localhost'
+    - ansible_distribution in ['openSUSE Tumbleweed'] or ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+    - override_system_hostname

- name: Update hostname fact (CoreOS only)
+- name: Update hostname fact (CoreOS and Tumbleweed only)
  setup:
    gather_subset: '!all'
    filter: ansible_hostname
-  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] and hostname_changed.changed
+  when:
+    - hostname_changed.changed
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -91,7 +91,7 @@
 - name: Start Resources
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{system_namespace}}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
--- a/roles/dnsmasq/templates/01-kube-dns.conf.j2
+++ b/roles/dnsmasq/templates/01-kube-dns.conf.j2
@@ -22,7 +22,7 @@ server={{ srv }}
 {% endfor %}
 {% elif resolvconf_mode == 'host_resolvconf' %}
 {# The default resolver is only needed when the hosts resolv.conf was modified by us. If it was not modified, we can rely on dnsmasq to reuse the systems resolv.conf #}
-server={{ default_resolver }}
+server={{ cloud_resolver }}
 {% endif %}

 {% if kube_log_level == '4' %}
--- a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
+++ b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: dnsmasq
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
 subjects:
  - kind: ServiceAccount
    name: dnsmasq
-    namespace: "{{ system_namespace}}"
+    namespace: "kube-system"
 roleRef:
  kind: ClusterRole
  name: cluster-admin
--- a/roles/dnsmasq/templates/dnsmasq-deploy.yml
+++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml
@@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: dnsmasq
-  namespace: "{{system_namespace}}"
+  namespace: "kube-system"
  labels:
    k8s-app: dnsmasq
    kubernetes.io/cluster-service: "true"
--- a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
+++ b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
@@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dnsmasq
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/dnsmasq/templates/dnsmasq-svc.yml
+++ b/roles/dnsmasq/templates/dnsmasq-svc.yml
@@ -6,7 +6,7 @@ metadata:
    kubernetes.io/cluster-service: 'true'
    k8s-app: dnsmasq
  name: dnsmasq
-  namespace: {{system_namespace}}
+  namespace: kube-system
 spec:
  ports:
    - port: 53
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 docker_version: '17.03'
+docker_selinux_version: '17.03'

 docker_package_info:
  pkgs:
@@ -10,11 +11,31 @@ docker_repo_key_info:
 docker_repo_info:
  repos:

+dockerproject_repo_key_info:
+  repo_keys:
+
+dockerproject_repo_info:
+  repos:
+
 docker_dns_servers_strict: yes

 docker_container_storage_setup: false

-docker_rh_repo_base_url: 'https://yum.dockerproject.org/repo/main/centos/7'
-docker_rh_repo_gpgkey: 'https://yum.dockerproject.org/gpg'
-docker_apt_repo_base_url: 'https://apt.dockerproject.org/repo'
-docker_apt_repo_gpgkey: 'https://apt.dockerproject.org/gpg'
+# Used to override obsoletes=0
+yum_conf: /etc/yum.conf
+docker_yum_conf: /etc/yum_docker.conf
+
+# CentOS/RedHat docker-ce repo
+docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/7/$basearch/stable'
+docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg'
+# Ubuntu docker-ce repo
+docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
+docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg'
+# Debian docker-ce repo
+docker_debian_repo_base_url: "https://download.docker.com/linux/debian"
+docker_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg'
+# dockerproject repo
+dockerproject_rh_repo_base_url: 'https://yum.dockerproject.org/repo/main/centos/7'
+dockerproject_rh_repo_gpgkey: 'https://yum.dockerproject.org/gpg'
+dockerproject_apt_repo_base_url: 'https://apt.dockerproject.org/repo'
+dockerproject_apt_repo_gpgkey: 'https://apt.dockerproject.org/gpg'
--- a/roles/docker/docker-storage/defaults/main.yml
+++ b/roles/docker/docker-storage/defaults/main.yml
@@ -3,9 +3,9 @@ docker_container_storage_setup_version: v0.6.0
 docker_container_storage_setup_profile_name: kubespray
 docker_container_storage_setup_storage_driver: devicemapper
 docker_container_storage_setup_container_thinpool: docker-pool
-#It must be define a disk path for docker_container_storage_setup_devs.
-#Otherwise docker-storage-setup will be executed incorrectly.
-#docker_container_storage_setup_devs: /dev/vdb
+# It must be define a disk path for docker_container_storage_setup_devs.
+# Otherwise docker-storage-setup will be executed incorrectly.
+# docker_container_storage_setup_devs: /dev/vdb
 docker_container_storage_setup_data_size: 40%FREE
 docker_container_storage_setup_min_data_size: 2G
 docker_container_storage_setup_chunk_size: 512K
--- a/roles/docker/docker-storage/tasks/main.yml
+++ b/roles/docker/docker-storage/tasks/main.yml
@@ -31,7 +31,7 @@
    group: root
    mode: 0644

-#https://docs.docker.com/engine/installation/linux/docker-ce/centos/#install-using-the-repository
+# https://docs.docker.com/engine/installation/linux/docker-ce/centos/#install-using-the-repository
 - name: docker-storage-setup | install lvm2
  yum:
    name: lvm2
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -15,6 +15,14 @@
  tags:
    - facts

+# https://yum.dockerproject.org/repo/main/opensuse/ contains packages for an EOL
+# openSUSE version so we can't use it. The only alternative is to use the docker
+# packages from the distribution repositories.
+- name: Warn about Docker version on SUSE
+  debug:
+    msg: "SUSE distributions always install Docker from the distro repos"
+  when: ansible_pkg_mgr == 'zypper'
+
 - include_tasks: set_facts_dns.yml
  when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
  tags:
@@ -30,7 +38,9 @@
  tags:
    - facts

- name: ensure docker repository public key is installed
+- import_tasks: pre-upgrade.yml
+
+- name: ensure docker-ce repository public key is installed
  action: "{{ docker_repo_key_info.pkg_key }}"
  args:
    id: "{{item}}"
@@ -41,15 +51,36 @@
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  with_items: "{{ docker_repo_key_info.repo_keys }}"
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)

- name: ensure docker repository is enabled
+- name: ensure docker-ce repository is enabled
  action: "{{ docker_repo_info.pkg_repo }}"
  args:
    repo: "{{item}}"
    state: present
  with_items: "{{ docker_repo_info.repos }}"
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_repo_info.repos|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (docker_repo_info.repos|length > 0)
+
+- name: ensure docker-engine repository public key is installed
+  action: "{{ dockerproject_repo_key_info.pkg_key }}"
+  args:
+    id: "{{item}}"
+    url: "{{dockerproject_repo_key_info.url}}"
+    state: present
+  register: keyserver_task_result
+  until: keyserver_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  with_items: "{{ dockerproject_repo_key_info.repo_keys }}"
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+
+- name: ensure docker-engine repository is enabled
+  action: "{{ dockerproject_repo_info.pkg_repo }}"
+  args:
+    repo: "{{item}}"
+    state: present
+  with_items: "{{ dockerproject_repo_info.repos }}"
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)

 - name: Configure docker repository on RedHat/CentOS
  template:
@@ -57,11 +88,27 @@
    dest: "/etc/yum.repos.d/docker.repo"
  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic

+- name: Copy yum.conf for editing
+  copy:
+    src: "{{ yum_conf }}"
+    dest: "{{ docker_yum_conf }}"
+    remote_src: yes
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: Edit copy of yum.conf to set obsoletes=0
+  lineinfile:
+    path: "{{ docker_yum_conf }}"
+    state: present
+    regexp: '^obsoletes='
+    line: 'obsoletes=0'
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
 - name: ensure docker packages are installed
  action: "{{ docker_package_info.pkg_mgr }}"
  args:
    pkg: "{{item.name}}"
    force: "{{item.force|default(omit)}}"
+    conf_file: "{{item.yum_conf|default(omit)}}"
    state: present
  register: docker_task_result
  until: docker_task_result|succeeded
@@ -71,6 +118,12 @@
  notify: restart docker
  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)

+- name: ensure service is started if docker packages are already present
+  service:
+    name: docker
+    state: started
+  when: docker_task_result is not changed
+
 - name: flush handlers so we can wait for docker to come up
  meta: flush_handlers

--- a/roles/docker/tasks/pre-upgrade.yml
+++ b/roles/docker/tasks/pre-upgrade.yml
@@ -0,0 +1,25 @@
+---
+- name: Ensure old versions of Docker are not installed. | Debian
+  package:
+    name: '{{ item }}'
+    state: absent
+  with_items:
+    - docker
+    - docker-engine
+  when:
+    - ansible_os_family == 'Debian'
+    - (docker_versioned_pkg[docker_version | string] | search('docker-ce'))
+
+- name: Ensure old versions of Docker are not installed. | RedHat
+  package:
+    name: '{{ item }}'
+    state: absent
+  with_items:
+    - docker
+    - docker-common
+    - docker-engine
+    - docker-selinux
+  when:
+    - ansible_os_family == 'RedHat'
+    - (docker_versioned_pkg[docker_version | string] | search('docker-ce'))
+    - not is_atomic
--- a/roles/docker/tasks/set_facts_dns.yml
+++ b/roles/docker/tasks/set_facts_dns.yml
@@ -3,8 +3,10 @@
 - name: set dns server for docker
  set_fact:
    docker_dns_servers: |-
-      {%- if dns_mode == 'kubedns' -%}
+      {%- if dns_mode in ['kubedns', 'coredns'] -%}
        {{ [ skydns_server ] }}
+      {%- elif dns_mode == 'coredns_dual' -%}
+        {{ [ skydns_server ] + [ skydns_server_secondary ] }}
      {%- elif dns_mode == 'dnsmasq_kubedns' -%}
        {{ [ dnsmasq_dns_server ] }}
      {%- elif dns_mode == 'manual' -%}
@@ -24,7 +26,7 @@
 - name: add upstream dns servers (only when dnsmasq is not used)
  set_fact:
    docker_dns_servers: "{{ docker_dns_servers + upstream_dns_servers|default([]) }}"
-  when: dns_mode == 'kubedns'
+  when: dns_mode in ['kubedns', 'coredns', 'coreos_dual']

 - name: add global searchdomains
  set_fact:
--- a/roles/docker/tasks/systemd.yml
+++ b/roles/docker/tasks/systemd.yml
@@ -12,9 +12,9 @@
  when: http_proxy is defined or https_proxy is defined

 - name: get systemd version
-  command: rpm -q --qf '%{V}\n' systemd
+  shell: systemctl --version | head -n 1 | cut -d " " -f 2
  register: systemd_version
-  when: ansible_os_family == "RedHat" and not is_atomic
+  when: not is_atomic
  changed_when: false

 - name: Write docker.service systemd file
--- a/roles/docker/templates/docker.service.j2
+++ b/roles/docker/templates/docker.service.j2
@@ -7,6 +7,9 @@ Wants=docker-storage-setup.service
 {% elif ansible_os_family == "Debian" %}
 After=network.target docker.socket
 Wants=docker.socket
+{% elif ansible_os_family == "Suse" %}
+After=network.target containerd.socket containerd.service
+Requires=containerd.socket containerd.service
 {% endif %}

 [Service]
@@ -19,19 +22,25 @@ ExecReload=/bin/kill -s HUP $MAINPID
 Delegate=yes
 KillMode=process
 ExecStart={{ docker_bin_dir }}/docker{% if installed_docker_version.stdout|version_compare('17.03', '<') %} daemon{% else %}d{% endif %} \
+{% if ansible_os_family == "Suse" %}
+          --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/bin/docker-runc \
+{% endif %}
          $DOCKER_OPTS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $DOCKER_DNS_OPTIONS \
          $INSECURE_REGISTRY
-{% if ansible_os_family == "RedHat" and systemd_version.stdout|int >= 226 %}
+{% if not is_atomic and systemd_version.stdout|int >= 226 %}
 TasksMax=infinity
 {% endif %}
 LimitNOFILE=1048576
 LimitNPROC=1048576
 LimitCORE=infinity
 TimeoutStartSec=1min
-Restart=on-abnormal
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s

 [Install]
 WantedBy=multi-user.target
--- a/roles/docker/templates/rh_docker.repo.j2
+++ b/roles/docker/templates/rh_docker.repo.j2
@@ -1,7 +1,15 @@
-[dockerrepo]
-name=Docker Repository
+[docker-ce]
+name=Docker-CE Repository
 baseurl={{ docker_rh_repo_base_url }}
 enabled=1
 gpgcheck=1
 gpgkey={{ docker_rh_repo_gpgkey }}
 {% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
+
+[docker-engine]
+name=Docker-Engine Repository
+baseurl={{ dockerproject_rh_repo_base_url }}
+enabled=1
+gpgcheck=1
+gpgkey={{ dockerproject_rh_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
--- a/roles/docker/vars/debian.yml
+++ b/roles/docker/vars/debian.yml
@@ -1,15 +1,16 @@
 ---
 docker_kernel_min_version: '3.10'

+# https://download.docker.com/linux/debian/
 # https://apt.dockerproject.org/repo/dists/debian-wheezy/main/filelist
 docker_versioned_pkg:
-  'latest': docker-engine
+  'latest': docker-ce
  '1.11': docker-engine=1.11.2-0~{{ ansible_distribution_release|lower }}
  '1.12': docker-engine=1.12.6-0~debian-{{ ansible_distribution_release|lower }}
  '1.13': docker-engine=1.13.1-0~debian-{{ ansible_distribution_release|lower }}
-  '17.03': docker-engine=17.03.1~ce-0~debian-{{ ansible_distribution_release|lower }}
-  'stable': docker-engine=17.03.1~ce-0~debian-{{ ansible_distribution_release|lower }}
-  'edge': docker-engine=17.05.0~ce-0~debian-{{ ansible_distribution_release|lower }}
+  '17.03': docker-ce=17.03.2~ce-0~debian-{{ ansible_distribution_release|lower }}
+  'stable': docker-ce=17.03.2~ce-0~debian-{{ ansible_distribution_release|lower }}
+  'edge': docker-ce=17.12.1~ce-0~debian-{{ ansible_distribution_release|lower }}

 docker_package_info:
  pkg_mgr: apt
@@ -19,14 +20,28 @@ docker_package_info:

 docker_repo_key_info:
  pkg_key: apt_key
-  url: '{{ docker_apt_repo_gpgkey }}'
+  url: '{{ docker_debian_repo_gpgkey }}'
  repo_keys:
-    - 58118E89F3A912897C070ADBF76221572C52609D
+    - 9DC858229FC7DD38854AE2D88D81803C0EBFCD88

 docker_repo_info:
  pkg_repo: apt_repository
  repos:
    - >
-       deb {{ docker_apt_repo_base_url }}
+       deb {{ docker_debian_repo_base_url }}
+       {{ ansible_distribution_release|lower }}
+       stable
+
+dockerproject_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+dockerproject_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ dockerproject_apt_repo_base_url }}
       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
       main
--- a/roles/docker/vars/fedora.yml
+++ b/roles/docker/vars/fedora.yml
@@ -1,28 +0,0 @@
---
-docker_kernel_min_version: '0'
-
-# https://docs.docker.com/engine/installation/linux/fedora/#install-from-a-package
-# https://download.docker.com/linux/fedora/7/x86_64/stable/
-# the package names below are guesses;
-# docs mention `sudo dnf config-manager --enable docker-ce-edge` for edge
-docker_versioned_pkg:
-  'latest': docker
-  '1.11': docker-1:1.11.2
-  '1.12': docker-1:1.12.6
-  '1.13': docker-1.13.1
-  '17.03': docker-17.03.1
-  'stable': docker-ce
-  'edge': docker-ce-edge
-
-docker_package_info:
-  pkg_mgr: dnf
-  pkgs:
-    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
-
-docker_repo_key_info:
-  pkg_key: ''
-  repo_keys: []
-
-docker_repo_info:
-  pkg_repo: ''
-  repos: []
--- a/roles/docker/vars/redhat.yml
+++ b/roles/docker/vars/redhat.yml
@@ -1,24 +1,36 @@
 ---
 docker_kernel_min_version: '0'

-# https://yum.dockerproject.org/repo/main/centos/7/Packages/
+# https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
+# https://download.docker.com/linux/centos/7/x86_64/stable/Packages/
+# https://yum.dockerproject.org/repo/main/centos/7
 # or do 'yum --showduplicates list docker-engine'
 docker_versioned_pkg:
-  'latest': docker-engine
+  'latest': docker-ce
  '1.11': docker-engine-1.11.2-1.el7.centos
  '1.12': docker-engine-1.12.6-1.el7.centos
  '1.13': docker-engine-1.13.1-1.el7.centos
-  '17.03': docker-engine-17.03.1.ce-1.el7.centos
-  'stable': docker-engine-17.03.1.ce-1.el7.centos
-  'edge': docker-engine-17.05.0.ce-1.el7.centos
+  '17.03': docker-ce-17.03.2.ce-1.el7.centos
+  'stable': docker-ce-17.03.2.ce-1.el7.centos
+  'edge': docker-ce-17.12.1.ce-1.el7.centos
+
+docker_selinux_versioned_pkg:
+  'latest': docker-ce-selinux
+  '1.11': docker-engine-selinux-1.11.2-1.el7.centos
+  '1.12': docker-engine-selinux-1.12.6-1.el7.centos
+  '1.13': docker-engine-selinux-1.13.1-1.el7.centos
+  '17.03': docker-ce-selinux-17.03.2.ce-1.el7.centos
+  'stable': docker-ce-selinux-17.03.2.ce-1.el7.centos
+  'edge': docker-ce-selinux-17.03.2.ce-1.el7.centos

-# https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
-# https://download.docker.com/linux/centos/7/x86_64/stable/Packages/

 docker_package_info:
  pkg_mgr: yum
  pkgs:
+    - name: "{{ docker_selinux_versioned_pkg[docker_selinux_version | string] }}"
+      yum_conf: "{{ docker_yum_conf }}"
    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+      yum_conf: "{{ docker_yum_conf }}"

 docker_repo_key_info:
  pkg_key: ''
--- a/roles/docker/vars/fedora-20.yml
+++ b/roles/docker/vars/fedora-20.yml
@@ -1,12 +1,10 @@
 ---
 docker_kernel_min_version: '0'

-# versioning: docker-io itself is pinned at docker 1.5
-
 docker_package_info:
-  pkg_mgr: yum
+  pkg_mgr: zypper
  pkgs:
-    - name: docker-io
+    - name: docker

 docker_repo_key_info:
  pkg_key: ''
--- a/roles/docker/vars/ubuntu.yml
+++ b/roles/docker/vars/ubuntu.yml
@@ -1,15 +1,15 @@
 ---
 docker_kernel_min_version: '3.10'

-# https://apt.dockerproject.org/repo/dists/ubuntu-xenial/main/filelist
+# https://download.docker.com/linux/ubuntu/
 docker_versioned_pkg:
-  'latest': docker-engine
-  '1.11': docker-engine=1.11.1-0~{{ ansible_distribution_release|lower }}
+  'latest': docker-ce
+  '1.11': docker-engine=1.11.2-0~{{ ansible_distribution_release|lower }}
  '1.12': docker-engine=1.12.6-0~ubuntu-{{ ansible_distribution_release|lower }}
  '1.13': docker-engine=1.13.1-0~ubuntu-{{ ansible_distribution_release|lower }}
-  '17.03': docker-engine=17.03.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
-  'stable': docker-engine=17.03.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
-  'edge': docker-engine=17.05.0~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '17.03': docker-ce=17.03.2~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  'stable': docker-ce=17.03.2~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  'edge': docker-ce=17.12.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}

 docker_package_info:
  pkg_mgr: apt
@@ -19,14 +19,28 @@ docker_package_info:

 docker_repo_key_info:
  pkg_key: apt_key
-  url: '{{ docker_apt_repo_gpgkey }}'
+  url: '{{ docker_ubuntu_repo_gpgkey }}'
  repo_keys:
-    - 58118E89F3A912897C070ADBF76221572C52609D
+    - 9DC858229FC7DD38854AE2D88D81803C0EBFCD88

 docker_repo_info:
  pkg_repo: apt_repository
  repos:
    - >
-       deb {{ docker_apt_repo_base_url }}
+       deb {{ docker_ubuntu_repo_base_url }}
+       {{ ansible_distribution_release|lower }}
+       stable
+
+dockerproject_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+dockerproject_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ dockerproject_apt_repo_base_url }}
       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
       main
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-local_release_dir: /tmp
+local_release_dir: /tmp/releases

 # Used to only evaluate vars from download role
 skip_downloads: false
@@ -24,23 +24,24 @@ download_always_pull: False
 download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"

 # Versions
-kube_version: v1.9.2
+kube_version: v1.9.5
 kubeadm_version: "{{ kube_version }}"
 etcd_version: v3.2.4
 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
-calico_version: "v2.6.2"
-calico_ctl_version: "v1.6.1"
-calico_cni_version: "v1.11.0"
-calico_policy_version: "v1.0.0"
-calico_rr_version: "v0.4.0"
-flannel_version: "v0.9.1"
+calico_version: "v2.6.8"
+calico_ctl_version: "v1.6.3"
+calico_cni_version: "v1.11.4"
+calico_policy_version: "v1.0.3"
+calico_rr_version: "v0.4.2"
+flannel_version: "v0.10.0"
 flannel_cni_version: "v0.3.0"
 istio_version: "0.2.6"
 vault_version: 0.8.1
-weave_version: 2.1.3
+weave_version: 2.2.1
 pod_infra_version: 3.0
 contiv_version: 1.1.7
+cilium_version: "v1.0.0-rc8"

 # Download URLs
 istioctl_download_url: "https://storage.googleapis.com/istio-release/releases/{{ istio_version }}/istioctl/istioctl-linux"
@@ -49,7 +50,7 @@ vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/va

 # Checksums
 istioctl_checksum: fd703063c540b8c0ab943f478c05ab257d88ae27224c746a27d0526ddbf7c370
-kubeadm_checksum: 560b44a2b91747f4fb64ac8754fcf65db9a39a84c6b54d4e6483400ac6c674fc
+kubeadm_checksum: 12b6e9ac1624852b7c978bde70b9bde9ca0e4fc6581d09bddfb117bb41f93c74
 vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188

 # Containers
@@ -69,8 +70,24 @@ calico_policy_image_repo: "quay.io/calico/kube-controllers"
 calico_policy_image_tag: "{{ calico_policy_version }}"
 calico_rr_image_repo: "quay.io/calico/routereflector"
 calico_rr_image_tag: "{{ calico_rr_version }}"
-hyperkube_image_repo: "quay.io/coreos/hyperkube"
-hyperkube_image_tag: "{{ kube_version }}_coreos.0"
+istio_proxy_image_repo: docker.io/istio/proxy
+istio_proxy_image_tag: "{{ istio_version }}"
+istio_proxy_init_image_repo: docker.io/istio/proxy_init
+istio_proxy_init_image_tag: "{{ istio_version }}"
+istio_ca_image_repo: docker.io/istio/istio-ca
+istio_ca_image_tag: "{{ istio_version }}"
+istio_mixer_image_repo: docker.io/istio/mixer
+istio_mixer_image_tag: "{{ istio_version }}"
+istio_pilot_image_repo: docker.io/istio/pilot
+istio_pilot_image_tag: "{{ istio_version }}"
+istio_proxy_debug_image_repo: docker.io/istio/proxy_debug
+istio_proxy_debug_image_tag: "{{ istio_version }}"
+istio_sidecar_initializer_image_repo: docker.io/istio/sidecar_initializer
+istio_sidecar_initializer_image_tag: "{{ istio_version }}"
+istio_statsd_image_repo: prom/statsd-exporter
+istio_statsd_image_tag: latest
+hyperkube_image_repo: "gcr.io/google-containers/hyperkube"
+hyperkube_image_tag: "{{ kube_version }}"
 pod_infra_image_repo: "gcr.io/google_containers/pause-amd64"
 pod_infra_image_tag: "{{ pod_infra_version }}"
 install_socat_image_repo: "xueshanf/install-socat"
@@ -88,7 +105,8 @@ contiv_image_repo: "contiv/netplugin"
 contiv_image_tag: "{{ contiv_version }}"
 contiv_auth_proxy_image_repo: "contiv/auth_proxy"
 contiv_auth_proxy_image_tag: "{{ contiv_version }}"
-
+cilium_image_repo: "docker.io/cilium/cilium"
+cilium_image_tag: "{{ cilium_version }}"
 nginx_image_repo: nginx
 nginx_image_tag: 1.13
 dnsmasq_version: 2.78
@@ -97,6 +115,9 @@ dnsmasq_image_tag: "{{ dnsmasq_version }}"
 kubedns_version: 1.14.8
 kubedns_image_repo: "gcr.io/google_containers/k8s-dns-kube-dns-amd64"
 kubedns_image_tag: "{{ kubedns_version }}"
+coredns_version: 1.1.0
+coredns_image_repo: "docker.io/coredns/coredns"
+coredns_image_tag: "{{ coredns_version }}"
 dnsmasq_nanny_image_repo: "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64"
 dnsmasq_nanny_image_tag: "{{ kubedns_version }}"
 dnsmasq_sidecar_image_repo: "gcr.io/google_containers/k8s-dns-sidecar-amd64"
@@ -118,14 +139,30 @@ fluentd_image_tag: "{{ fluentd_version }}"
 kibana_version: "v4.6.1"
 kibana_image_repo: "gcr.io/google_containers/kibana"
 kibana_image_tag: "{{ kibana_version }}"
-
-helm_version: "v2.7.2"
+helm_version: "v2.8.1"
 helm_image_repo: "lachlanevenson/k8s-helm"
 helm_image_tag: "{{ helm_version }}"
 tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
 tiller_image_tag: "{{ helm_version }}"
 vault_image_repo: "vault"
 vault_image_tag: "{{ vault_version }}"
+registry_image_repo: "registry"
+registry_image_tag: "2.6"
+registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
+registry_proxy_image_tag: "0.4"
+local_volume_provisioner_image_repo: "quay.io/external_storage/local-volume-provisioner"
+local_volume_provisioner_image_tag: "v2.0.0"
+cephfs_provisioner_image_repo: "quay.io/kubespray/cephfs-provisioner"
+cephfs_provisioner_image_tag: "92295a30"
+ingress_nginx_controller_image_repo: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller"
+ingress_nginx_controller_image_tag: "0.12.0"
+ingress_nginx_default_backend_image_repo: "gcr.io/google_containers/defaultbackend"
+ingress_nginx_default_backend_image_tag: "1.4"
+cert_manager_version: "v0.2.3"
+cert_manager_controller_image_repo: "quay.io/jetstack/cert-manager-controller"
+cert_manager_controller_image_tag: "{{ cert_manager_version }}"
+cert_manager_ingress_shim_image_repo: "quay.io/jetstack/cert-manager-ingress-shim"
+cert_manager_ingress_shim_image_tag: "{{ cert_manager_version }}"

 downloads:
  netcheck_server:
@@ -134,18 +171,24 @@ downloads:
    repo: "{{ netcheck_server_img_repo }}"
    tag: "{{ netcheck_server_tag }}"
    sha256: "{{ netcheck_server_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  netcheck_agent:
    enabled: "{{ deploy_netchecker }}"
    container: true
    repo: "{{ netcheck_agent_img_repo }}"
    tag: "{{ netcheck_agent_tag }}"
    sha256: "{{ netcheck_agent_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  etcd:
    enabled: true
    container: true
    repo: "{{ etcd_image_repo }}"
    tag: "{{ etcd_image_tag }}"
    sha256: "{{ etcd_digest_checksum|default(None) }}"
+    groups:
+      - etcd
  kubeadm:
    enabled: "{{ kubeadm_enabled }}"
    file: true
@@ -157,6 +200,8 @@ downloads:
    unarchive: false
    owner: "root"
    mode: "0755"
+    groups:
+      - k8s-cluster
  istioctl:
    enabled: "{{ istio_enabled }}"
    file: true
@@ -168,128 +213,250 @@ downloads:
    unarchive: false
    owner: "root"
    mode: "0755"
+    groups:
+      - kube-master
+  istio_proxy:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_proxy_image_repo }}"
+    tag: "{{ istio_proxy_image_tag }}"
+    sha256: "{{ istio_proxy_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_proxy_init:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_proxy_init_image_repo }}"
+    tag: "{{ istio_proxy_init_image_tag }}"
+    sha256: "{{ istio_proxy_init_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_ca:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_ca_image_repo }}"
+    tag: "{{ istio_ca_image_tag }}"
+    sha256: "{{ istio_ca_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_mixer:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_mixer_image_repo }}"
+    tag: "{{ istio_mixer_image_tag }}"
+    sha256: "{{ istio_mixer_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_pilot:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_pilot_image_repo }}"
+    tag: "{{ istio_pilot_image_tag }}"
+    sha256: "{{ istio_pilot_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_proxy_debug:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_proxy_debug_image_repo }}"
+    tag: "{{ istio_proxy_debug_image_tag }}"
+    sha256: "{{ istio_proxy_debug_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_sidecar_initializer:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_sidecar_initializer_image_repo }}"
+    tag: "{{ istio_sidecar_initializer_image_tag }}"
+    sha256: "{{ istio_sidecar_initializer_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  istio_statsd:
+    enabled: "{{ istio_enabled }}"
+    container: true
+    repo: "{{ istio_statsd_image_repo }}"
+    tag: "{{ istio_statsd_image_tag }}"
+    sha256: "{{ istio_statsd_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  hyperkube:
    enabled: true
    container: true
    repo: "{{ hyperkube_image_repo }}"
    tag: "{{ hyperkube_image_tag }}"
    sha256: "{{ hyperkube_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
+  cilium:
+    enabled: "{{ kube_network_plugin == 'cilium' }}"
+    container: true
+    repo: "{{ cilium_image_repo }}"
+    tag: "{{ cilium_image_tag }}"
+    sha256: "{{ cilium_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  flannel:
    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ flannel_image_repo }}"
    tag: "{{ flannel_image_tag }}"
    sha256: "{{ flannel_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  flannel_cni:
    enabled: "{{ kube_network_plugin == 'flannel' }}"
    container: true
    repo: "{{ flannel_cni_image_repo }}"
    tag: "{{ flannel_cni_image_tag }}"
    sha256: "{{ flannel_cni_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  calicoctl:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calicoctl_image_repo }}"
    tag: "{{ calicoctl_image_tag }}"
    sha256: "{{ calicoctl_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  calico_node:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_node_image_repo }}"
    tag: "{{ calico_node_image_tag }}"
    sha256: "{{ calico_node_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  calico_cni:
    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_cni_image_repo }}"
    tag: "{{ calico_cni_image_tag }}"
    sha256: "{{ calico_cni_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  calico_policy:
    enabled: "{{ enable_network_policy or kube_network_plugin == 'canal' }}"
    container: true
    repo: "{{ calico_policy_image_repo }}"
    tag: "{{ calico_policy_image_tag }}"
    sha256: "{{ calico_policy_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  calico_rr:
-    enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr}} and kube_network_plugin == 'calico'"
+    enabled: "{{ peer_with_calico_rr is defined and peer_with_calico_rr and kube_network_plugin == 'calico' }}"
    container: true
    repo: "{{ calico_rr_image_repo }}"
    tag: "{{ calico_rr_image_tag }}"
    sha256: "{{ calico_rr_digest_checksum|default(None) }}"
+    groups:
+      - calico-rr
  weave_kube:
    enabled: "{{ kube_network_plugin == 'weave' }}"
    container: true
    repo: "{{ weave_kube_image_repo }}"
    tag: "{{ weave_kube_image_tag }}"
    sha256: "{{ weave_kube_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  weave_npc:
    enabled: "{{ kube_network_plugin == 'weave' }}"
    container: true
    repo: "{{ weave_npc_image_repo }}"
    tag: "{{ weave_npc_image_tag }}"
    sha256: "{{ weave_npc_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  contiv:
    enabled: "{{ kube_network_plugin == 'contiv' }}"
    container: true
    repo: "{{ contiv_image_repo }}"
    tag: "{{ contiv_image_tag }}"
    sha256: "{{ contiv_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  contiv_auth_proxy:
    enabled: "{{ kube_network_plugin == 'contiv' }}"
    container: true
    repo: "{{ contiv_auth_proxy_image_repo }}"
    tag: "{{ contiv_auth_proxy_image_tag }}"
    sha256: "{{ contiv_auth_proxy_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  pod_infra:
    enabled: true
    container: true
    repo: "{{ pod_infra_image_repo }}"
    tag: "{{ pod_infra_image_tag }}"
    sha256: "{{ pod_infra_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  install_socat:
    enabled: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] }}"
    container: true
    repo: "{{ install_socat_image_repo }}"
    tag: "{{ install_socat_image_tag }}"
    sha256: "{{ install_socat_digest_checksum|default(None) }}"
+    groups:
+      - k8s-cluster
  nginx:
-    enabled: true
+    enabled: "{{ loadbalancer_apiserver_localhost }}"
    container: true
    repo: "{{ nginx_image_repo }}"
    tag: "{{ nginx_image_tag }}"
    sha256: "{{ nginx_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  dnsmasq:
    enabled: "{{ dns_mode == 'dnsmasq_kubedns' }}"
    container: true
    repo: "{{ dnsmasq_image_repo }}"
    tag: "{{ dnsmasq_image_tag }}"
    sha256: "{{ dnsmasq_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  kubedns:
-    enabled: true
+    enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
    container: true
    repo: "{{ kubedns_image_repo }}"
    tag: "{{ kubedns_image_tag }}"
    sha256: "{{ kubedns_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  coredns:
+    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] }}"
+    container: true
+    repo: "{{ coredns_image_repo }}"
+    tag: "{{ coredns_image_tag }}"
+    sha256: "{{ coredns_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  dnsmasq_nanny:
-    enabled: true
+    enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
    container: true
    repo: "{{ dnsmasq_nanny_image_repo }}"
    tag: "{{ dnsmasq_nanny_image_tag }}"
    sha256: "{{ dnsmasq_nanny_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  dnsmasq_sidecar:
-    enabled: true
+    enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
    container: true
    repo: "{{ dnsmasq_sidecar_image_repo }}"
    tag: "{{ dnsmasq_sidecar_image_tag }}"
    sha256: "{{ dnsmasq_sidecar_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  kubednsautoscaler:
-    enabled: true
+    enabled: "{{ dns_mode in ['kubedns', 'dnsmasq_kubedns'] }}"
    container: true
    repo: "{{ kubednsautoscaler_image_repo }}"
    tag: "{{ kubednsautoscaler_image_tag }}"
    sha256: "{{ kubednsautoscaler_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  testbox:
-    enabled: true
+    enabled: false
    container: true
    repo: "{{ test_image_repo }}"
    tag: "{{ test_image_tag }}"
@@ -300,30 +467,40 @@ downloads:
    repo: "{{ elasticsearch_image_repo }}"
    tag: "{{ elasticsearch_image_tag }}"
    sha256: "{{ elasticsearch_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  fluentd:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ fluentd_image_repo }}"
    tag: "{{ fluentd_image_tag }}"
    sha256: "{{ fluentd_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  kibana:
    enabled: "{{ efk_enabled }}"
    container: true
    repo: "{{ kibana_image_repo }}"
    tag: "{{ kibana_image_tag }}"
    sha256: "{{ kibana_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  helm:
    enabled: "{{ helm_enabled }}"
    container: true
    repo: "{{ helm_image_repo }}"
    tag: "{{ helm_image_tag }}"
    sha256: "{{ helm_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  tiller:
    enabled: "{{ helm_enabled }}"
    container: true
    repo: "{{ tiller_image_repo }}"
    tag: "{{ tiller_image_tag }}"
    sha256: "{{ tiller_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
  vault:
    enabled: "{{ cert_management == 'vault' }}"
    container: "{{ vault_deployment_type != 'host' }}"
@@ -338,6 +515,72 @@ downloads:
    unarchive: true
    url: "{{ vault_download_url }}"
    version: "{{ vault_version }}"
+    groups:
+      - vault
+  registry:
+    enabled: "{{ registry_enabled }}"
+    container: true
+    repo: "{{ registry_image_repo }}"
+    tag: "{{ registry_image_tag }}"
+    sha256: "{{ registry_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  registry_proxy:
+    enabled: "{{ registry_enabled }}"
+    container: true
+    repo: "{{ registry_proxy_image_repo }}"
+    tag: "{{ registry_proxy_image_tag }}"
+    sha256: "{{ registry_proxy_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  local_volume_provisioner:
+    enabled: "{{ local_volume_provisioner_enabled }}"
+    container: true
+    repo: "{{ local_volume_provisioner_image_repo }}"
+    tag: "{{ local_volume_provisioner_image_tag }}"
+    sha256: "{{ local_volume_provisioner_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  cephfs_provisioner:
+    enabled: "{{ cephfs_provisioner_enabled }}"
+    container: true
+    repo: "{{ cephfs_provisioner_image_repo }}"
+    tag: "{{ cephfs_provisioner_image_tag }}"
+    sha256: "{{ cephfs_provisioner_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  ingress_nginx_controller:
+    enabled: "{{ ingress_nginx_enabled }}"
+    container: true
+    repo: "{{ ingress_nginx_controller_image_repo }}"
+    tag: "{{ ingress_nginx_controller_image_tag }}"
+    sha256: "{{ ingress_nginx_controller_digest_checksum|default(None) }}"
+    groups:
+      - kube-ingress
+  ingress_nginx_default_backend:
+    enabled: "{{ ingress_nginx_enabled }}"
+    container: true
+    repo: "{{ ingress_nginx_default_backend_image_repo }}"
+    tag: "{{ ingress_nginx_default_backend_image_tag }}"
+    sha256: "{{ ingress_nginx_default_backend_digest_checksum|default(None) }}"
+    groups:
+      - kube-ingress
+  cert_manager_controller:
+    enabled: "{{ cert_manager_enabled }}"
+    container: true
+    repo: "{{ cert_manager_controller_image_repo }}"
+    tag: "{{ cert_manager_controller_image_tag }}"
+    sha256: "{{ cert_manager_controller_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+  cert_manager_ingress_shim:
+    enabled: "{{ cert_manager_enabled }}"
+    container: true
+    repo: "{{ cert_manager_ingress_shim_image_repo }}"
+    tag: "{{ cert_manager_ingress_shim_image_tag }}"
+    sha256: "{{ cert_manager_ingress_shim_digest_checksum|default(None) }}"
+    groups:
+      - kube-node

 download_defaults:
  container: false
--- a/roles/download/tasks/download_container.yml
+++ b/roles/download/tasks/download_container.yml
@@ -2,7 +2,7 @@
 - name: container_download | Make download decision if pull is required by tag or sha256
  include_tasks: set_docker_image_facts.yml
  delegate_to: "{{ download_delegate if download_run_once or omit }}"
-  delegate_facts: no
+  delegate_facts: yes
  run_once: "{{ download_run_once }}"
  when:
    - download.enabled
@@ -38,3 +38,4 @@
    - download.enabled
    - download.container
    - pull_required|default(download_always_pull)
+    - group_names | intersect(download.groups) | length
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -13,6 +13,7 @@
  when:
    - download.enabled
    - download.file
+    - group_names | intersect(download.groups) | length

 - name: file_download | Download item
  get_url:
@@ -28,6 +29,7 @@
  when:
    - download.enabled
    - download.file
+    - group_names | intersect(download.groups) | length

 - name: file_download | Extract archives
  unarchive:
@@ -40,3 +42,4 @@
    - download.enabled
    - download.file
    - download.unarchive|default(False)
+    - group_names | intersect(download.groups) | length
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -22,3 +22,4 @@
    - item.value.enabled
    - item.value.container
    - download_run_once
+    - group_names | intersect(download.groups) | length
--- a/roles/download/tasks/sync_container.yml
+++ b/roles/download/tasks/sync_container.yml
@@ -17,6 +17,7 @@
    - download.enabled
    - download.container
    - download_run_once
+
  tags:
    - facts

@@ -42,7 +43,7 @@

 - name: container_download | Stat saved container image
  stat:
-    path: "{{fname}}"
+    path: "{{ fname }}"
  register: img
  changed_when: false
  delegate_to: "{{ download_delegate }}"
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -4,6 +4,7 @@ etcd_cluster_setup: true

 etcd_backup_prefix: "/var/backups"
 etcd_data_dir: "/var/lib/etcd"
+etcd_events_data_dir: "/var/lib/etcd-events"

 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
@@ -11,9 +12,9 @@ etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
 etcd_cert_alt_names:
-  - "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
-  - "etcd.{{ system_namespace }}.svc"
-  - "etcd.{{ system_namespace }}"
+  - "etcd.kube-system.svc.{{ dns_domain }}"
+  - "etcd.kube-system.svc"
+  - "etcd.kube-system"
  - "etcd"

 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
@@ -21,6 +22,13 @@ etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
 etcd_heartbeat_interval: "250"
 etcd_election_timeout: "5000"

+# etcd_snapshot_count: "10000"
+
+# Parameters for ionice
+# -c takes an integer between 0 and 3 or one of the strings none, realtime, best-effort or idle.
+# -n takes an integer between 0 (highest priority) and 7 (lowest priority)
+# etcd_ionice: "-c2 -n0"
+
 etcd_metrics: "basic"

 # Limits
@@ -32,7 +40,7 @@ etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %

 etcd_blkio_weight: 1000

-etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) }}"
+etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) | union(groups.get('vault', [])) }}"

 etcd_compaction_retention: "8"

@@ -40,3 +48,6 @@ etcd_vault_mount_path: etcd

 # Force clients like etcdctl to use TLS certs (different than peer security)
 etcd_secure_client: true
+
+# Enable peer client cert authentication
+etcd_peer_client_auth: true
--- a/roles/etcd/files/make-ssl-etcd.sh
+++ b/roles/etcd/files/make-ssl-etcd.sh
@@ -65,7 +65,7 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
    cp $SSLDIR/{ca.pem,ca-key.pem} .
 else
    openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
 fi

 # ETCD member
@@ -75,12 +75,12 @@ if [ -n "$MASTERS" ]; then
        # Member key
        openssl genrsa -out member-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key member-${host}-key.pem -out member-${host}.csr -subj "/CN=etcd-member-${cn}" -config ${CONFIG} > /dev/null 2>&1
-        openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 3650 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
+        openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1

        # Admin key
        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=etcd-admin-${cn}" > /dev/null 2>&1
-        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
+        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 36500 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
    done
 fi

@@ -90,7 +90,7 @@ if [ -n "$HOSTS" ]; then
        cn="${host%%.*}"
        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=etcd-node-${cn}" > /dev/null 2>&1
-        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
+        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 36500 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
    done
 fi

--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -48,7 +48,7 @@
      snapshot save {{ etcd_backup_directory }}/snapshot.db
  environment:
    ETCDCTL_API: 3
-    ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+    ETCDCTL_CERT: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
  retries: 3
  delay: "{{ retry_stagger | random + 3 }}"
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
@@ -7,17 +7,33 @@
    - reload etcd
    - wait for etcd up

+- name: restart etcd-events
+  command: /bin/true
+  notify:
+    - etcd-events | reload systemd
+    - reload etcd-events
+    - wait for etcd-events up
+
 - import_tasks: backup.yml

 - name: etcd | reload systemd
  command: systemctl daemon-reload

+- name: etcd-events | reload systemd
+  command: systemctl daemon-reload
+
 - name: reload etcd
  service:
    name: etcd
    state: restarted
  when: is_etcd_master

+- name: reload etcd-events
+  service:
+    name: etcd-events
+    state: restarted
+  when: is_etcd_master
+
 - name: wait for etcd up
  uri:
    url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
@@ -29,6 +45,17 @@
  retries: 10
  delay: 5

+- name: wait for etcd-events up
+  uri:
+    url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2381/health"
+    validate_certs: no
+    client_cert: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
+    client_key: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
+  register: result
+  until: result.status is defined and result.status == 200
+  retries: 10
+  delay: 5
+
 - name: set etcd_secret_changed
  set_fact:
    etcd_secret_changed: true
--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -1,5 +1,5 @@
 ---
- name: Configure | Check if member is in cluster
+- name: Configure | Check if member is in etcd cluster
  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_access_addresses }} member list | grep -q {{ etcd_access_address }}"
  register: etcd_member_in_cluster
  ignore_errors: true
@@ -9,17 +9,21 @@
  tags:
    - facts
  environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"

- name: Install etcd launch script
-  template:
-    src: etcd.j2
-    dest: "{{ bin_dir }}/etcd"
-    owner: 'root'
-    mode: 0755
-    backup: yes
-  notify: restart etcd
+- name: Configure | Check if member is in etcd-events cluster
+  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_events_access_addresses }} member list | grep -q {{ etcd_access_address }}"
+  register: etcd_events_member_in_cluster
+  ignore_errors: true
+  changed_when: false
+  check_mode: no
+  when: is_etcd_master and etcd_events_cluster_setup
+  tags:
+    - facts
+  environment:
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"

 - name: Configure | Copy etcd.service systemd file
  template:
@@ -29,11 +33,36 @@
  when: is_etcd_master
  notify: restart etcd

- name: Configure | Join member(s) to cluster one at a time
-  include_tasks: join_member.yml
+- name: Configure | Copy etcd-events.service systemd file
+  template:
+    src: "etcd-events-host.service.j2"
+    dest: /etc/systemd/system/etcd-events.service
+    backup: yes
+  when: is_etcd_master and etcd_deployment_type == "host" and etcd_events_cluster_setup
+  notify: restart etcd-events
+
+- name: Configure | Copy etcd-events.service systemd file
+  template:
+    src: "etcd-events-docker.service.j2"
+    dest: /etc/systemd/system/etcd-events.service
+    backup: yes
+  when: is_etcd_master and etcd_deployment_type == "docker" and etcd_events_cluster_setup
+  notify: restart etcd-events
+
+- name: Configure | Join member(s) to etcd cluster one at a time
+  include_tasks: join_etcd_member.yml
  vars:
    target_node: "{{ item }}"
  loop_control:
    pause: 10
  with_items: "{{ groups['etcd'] }}"
  when: inventory_hostname == item and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
+
+- name: Configure | Join member(s) to etcd-events cluster one at a time
+  include_tasks: join_etcd-evetns_member.yml
+  vars:
+    target_node: "{{ item }}"
+  loop_control:
+    pause: 10
+  with_items: "{{ groups['etcd'] }}"
+  when: inventory_hostname == item and etcd_events_cluster_setup and etcd_events_member_in_cluster.rc != 0 and etcd_events_cluster_is_healthy.rc == 0
--- a/roles/etcd/tasks/install_docker.yml
+++ b/roles/etcd/tasks/install_docker.yml
@@ -4,9 +4,27 @@
           {{ docker_bin_dir }}/docker create --name etcdctl-binarycopy {{ etcd_image_repo }}:{{ etcd_image_tag }} &&
           {{ docker_bin_dir }}/docker cp etcdctl-binarycopy:/usr/local/bin/etcdctl {{ bin_dir }}/etcdctl &&
           {{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy"
-  when: etcd_deployment_type == "docker"
  register: etcd_task_result
  until: etcd_task_result.rc == 0
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
+
+- name: Install etcd launch script
+  template:
+    src: etcd.j2
+    dest: "{{ bin_dir }}/etcd"
+    owner: 'root'
+    mode: 0755
+    backup: yes
+  notify: restart etcd
+
+- name: Install etcd-events launch script
+  template:
+    src: etcd-events.j2
+    dest: "{{ bin_dir }}/etcd-events"
+    owner: 'root'
+    mode: 0755
+    backup: yes
+  when: etcd_events_cluster_setup
+  notify: restart etcd-events
--- a/roles/etcd/tasks/install_host.yml
+++ b/roles/etcd/tasks/install_host.yml
@@ -0,0 +1,12 @@
+---
+- name: Install | Copy etcdctl and etcd binary from docker container
+  command: sh -c "{{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy;
+           {{ docker_bin_dir }}/docker create --name etcdctl-binarycopy {{ etcd_image_repo }}:{{ etcd_image_tag }} &&
+           {{ docker_bin_dir }}/docker cp etcdctl-binarycopy:/usr/local/bin/etcdctl {{ bin_dir }}/etcdctl &&
+           {{ docker_bin_dir }}/docker cp etcdctl-binarycopy:/usr/local/bin/etcd {{ bin_dir }}/etcd &&
+           {{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy"
+  register: etcd_task_result
+  until: etcd_task_result.rc == 0
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  changed_when: false
--- a/roles/etcd/tasks/join_etcd-events_member.yml
+++ b/roles/etcd/tasks/join_etcd-events_member.yml
@@ -0,0 +1,47 @@
+---
+- name: Join Member | Add member to cluster
+  shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_events_access_addresses }} member add {{ etcd_member_name }} {{ etcd_events_peer_url }}"
+  register: member_add_result
+  until: member_add_result.rc == 0
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  when: target_node == inventory_hostname
+  environment:
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
+
+- include_tasks: refresh_config.yml
+  vars:
+    etcd_events_peer_addresses: >-
+      {% for host in groups['etcd'] -%}
+        {%- if hostvars[host]['etcd_events_member_in_cluster'].rc == 0 -%}
+          {{ "etcd"+loop.index|string }}=https://{{ hostvars[host].access_ip | default(hostvars[host].ip | default(hostvars[host].ansible_default_ipv4['address'])) }}:2382,
+        {%- endif -%}
+        {%- if loop.last -%}
+          {{ etcd_member_name }}={{ etcd_events_peer_url }}
+        {%- endif -%}
+      {%- endfor -%}
+  when: target_node == inventory_hostname
+
+- name: Join Member | reload systemd
+  command: systemctl daemon-reload
+  when: target_node == inventory_hostname
+
+- name: Join Member | Ensure etcd-events is running
+  service:
+    name: etcd-events
+    state: started
+    enabled: yes
+  when: target_node == inventory_hostname
+
+- name: Join Member | Ensure member is in etcd-events cluster
+  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_events_access_addresses }} member list | grep -q {{ etcd_events_access_address }}"
+  register: etcd_events_member_in_cluster
+  changed_when: false
+  check_mode: no
+  tags:
+    - facts
+  when: target_node == inventory_hostname
+  environment:
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
--- a/roles/etcd/tasks/join_etcd_member.yml
+++ b/roles/etcd/tasks/join_etcd_member.yml
@@ -0,0 +1,47 @@
+---
+- name: Join Member | Add member to cluster
+  shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_access_addresses }} member add {{ etcd_member_name }} {{ etcd_peer_url }}"
+  register: member_add_result
+  until: member_add_result.rc == 0
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  when: target_node == inventory_hostname
+  environment:
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
+
+- include_tasks: refresh_config.yml
+  vars:
+    etcd_peer_addresses: >-
+      {% for host in groups['etcd'] -%}
+        {%- if hostvars[host]['etcd_member_in_cluster'].rc == 0 -%}
+          {{ "etcd"+loop.index|string }}=https://{{ hostvars[host].access_ip | default(hostvars[host].ip | default(hostvars[host].ansible_default_ipv4['address'])) }}:2380,
+        {%- endif -%}
+        {%- if loop.last -%}
+          {{ etcd_member_name }}={{ etcd_peer_url }}
+        {%- endif -%}
+      {%- endfor -%}
+  when: target_node == inventory_hostname
+
+- name: Join Member | reload systemd
+  command: systemctl daemon-reload
+  when: target_node == inventory_hostname
+
+- name: Join Member | Ensure etcd is running
+  service:
+    name: etcd
+    state: started
+    enabled: yes
+  when: target_node == inventory_hostname
+
+- name: Join Member | Ensure member is in cluster
+  shell: "{{ bin_dir }}/etcdctl --no-sync --endpoints={{ etcd_access_addresses }} member list | grep -q {{ etcd_access_address }}"
+  register: etcd_member_in_cluster
+  changed_when: false
+  check_mode: no
+  tags:
+    - facts
+  when: target_node == inventory_hostname
+  environment:
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
--- a/roles/etcd/tasks/join_member.yml
+++ b/roles/etcd/tasks/join_member.yml
@@ -7,8 +7,8 @@
  delay: "{{ retry_stagger | random + 3 }}"
  when: target_node == inventory_hostname
  environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"

 - include_tasks: refresh_config.yml
  vars:
@@ -43,5 +43,5 @@
    - facts
  when: target_node == inventory_hostname
  environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -29,13 +29,13 @@
  tags:
    - upgrade

- import_tasks: set_cluster_health.yml
+- include_tasks: set_cluster_health.yml
  when: is_etcd_master and etcd_cluster_setup

- import_tasks: configure.yml
+- include_tasks: configure.yml
  when: is_etcd_master and etcd_cluster_setup

- import_tasks: refresh_config.yml
+- include_tasks: refresh_config.yml
  when: is_etcd_master and etcd_cluster_setup

 - name: Restart etcd if certs changed
@@ -43,6 +43,11 @@
  notify: restart etcd
  when: is_etcd_master and etcd_secret_changed|default(false)

+- name: Restart etcd-events if certs changed
+  command: /bin/true
+  notify: restart etcd
+  when: is_etcd_master and etcd_events_cluster_setup and etcd_secret_changed|default(false)
+
 # reload-systemd
 - meta: flush_handlers

@@ -53,11 +58,18 @@
    enabled: yes
  when: is_etcd_master and etcd_cluster_setup

+- name: Ensure etcd-events is running
+  service:
+    name: etcd-events
+    state: started
+    enabled: yes
+  when: is_etcd_master and etcd_events_cluster_setup
+
 # After etcd cluster is assembled, make sure that
 # initial state of the cluster is in `existing`
 # state insted of `new`.
- import_tasks: set_cluster_health.yml
+- include_tasks: set_cluster_health.yml
  when: is_etcd_master and etcd_cluster_setup

- import_tasks: refresh_config.yml
+- include_tasks: refresh_config.yml
  when: is_etcd_master and etcd_cluster_setup
--- a/roles/etcd/tasks/refresh_config.yml
+++ b/roles/etcd/tasks/refresh_config.yml
@@ -5,3 +5,10 @@
    dest: /etc/etcd.env
  notify: restart etcd
  when: is_etcd_master
+
+- name: Refresh config | Create etcd-events config file
+  template:
+    src: etcd-events.env.j2
+    dest: /etc/etcd-events.env
+  notify: restart etcd-events
+  when: is_etcd_master and etcd_events_cluster_setup
--- a/roles/etcd/tasks/set_cluster_health.yml
+++ b/roles/etcd/tasks/set_cluster_health.yml
@@ -1,5 +1,5 @@
 ---
- name: Configure | Check if cluster is healthy
+- name: Configure | Check if etcd cluster is healthy
  shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
  register: etcd_cluster_is_healthy
  ignore_errors: true
@@ -9,5 +9,18 @@
  tags:
    - facts
  environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
+
+- name: Configure | Check if etcd-events cluster is healthy
+  shell: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_events_access_addresses }} cluster-health | grep -q 'cluster is healthy'"
+  register: etcd_events_cluster_is_healthy
+  ignore_errors: true
+  changed_when: false
+  check_mode: no
+  when: is_etcd_master and etcd_events_cluster_setup
+  tags:
+    - facts
+  environment:
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
--- a/roles/etcd/tasks/upd_ca_trust.yml
+++ b/roles/etcd/tasks/upd_ca_trust.yml
@@ -8,6 +8,8 @@
      /etc/pki/ca-trust/source/anchors/etcd-ca.crt
      {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
      /etc/ssl/certs/etcd-ca.pem
+      {%- elif ansible_os_family == "Suse" -%}
+      /etc/pki/trust/anchors/etcd-ca.pem
      {%- endif %}
  tags:
    - facts
@@ -19,9 +21,9 @@
    remote_src: true
  register: etcd_ca_cert

- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
+- name: Gen_certs | update ca-certificates (Debian/Ubuntu/SUSE/Container Linux by CoreOS)
  command: update-ca-certificates
-  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS"]
+  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS", "Suse"]

 - name: Gen_certs | update ca-certificates (RedHat)
  command: update-ca-trust extract
--- a/roles/etcd/templates/etcd-events-docker.service.j2
+++ b/roles/etcd/templates/etcd-events-docker.service.j2
@@ -0,0 +1,18 @@
+[Unit]
+Description=etcd docker wrapper
+Wants=docker.socket
+After=docker.service
+
+[Service]
+User=root
+PermissionsStartOnly=true
+EnvironmentFile=-/etc/etcd-events.env
+ExecStart={{ bin_dir }}/etcd-events
+ExecStartPre=-{{ docker_bin_dir }}/docker rm -f {{ etcd_member_name }}-events
+ExecStop={{ docker_bin_dir }}/docker stop {{ etcd_member_name }}-events
+Restart=always
+RestartSec=15s
+TimeoutStartSec=30s
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/etcd/templates/etcd-events-host.service.j2
+++ b/roles/etcd/templates/etcd-events-host.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=etcd
+After=network.target
+
+[Service]
+Type=notify
+User=root
+EnvironmentFile=/etc/etcd-events.env
+ExecStart={{ bin_dir }}/etcd
+NotifyAccess=all
+Restart=always
+RestartSec=10s
+LimitNOFILE=40000
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/etcd/templates/etcd-events.env.j2
+++ b/roles/etcd/templates/etcd-events.env.j2
@@ -0,0 +1,29 @@
+ETCD_DATA_DIR={{ etcd_events_data_dir }}
+ETCD_ADVERTISE_CLIENT_URLS={{ etcd_events_client_url }}
+ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_events_peer_url }}
+ETCD_INITIAL_CLUSTER_STATE={% if etcd_cluster_is_healthy.rc != 0 | bool %}new{% else %}existing{% endif %}
+
+ETCD_METRICS={{ etcd_metrics }}
+ETCD_LISTEN_CLIENT_URLS=https://{{ etcd_address }}:2381,https://127.0.0.1:2381
+ETCD_ELECTION_TIMEOUT={{ etcd_election_timeout }}
+ETCD_HEARTBEAT_INTERVAL={{ etcd_heartbeat_interval }}
+ETCD_INITIAL_CLUSTER_TOKEN=k8s_events_etcd
+ETCD_LISTEN_PEER_URLS=https://{{ etcd_address }}:2382
+ETCD_NAME={{ etcd_member_name }}-events
+ETCD_PROXY=off
+ETCD_INITIAL_CLUSTER={{ etcd_events_peer_addresses }}
+ETCD_AUTO_COMPACTION_RETENTION={{ etcd_compaction_retention }}
+{% if etcd_snapshot_count is defined %}
+ETCD_SNAPSHOT_COUNT={{ etcd_snapshot_count }}
+{% endif %}
+
+# TLS settings
+ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
+ETCD_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
+ETCD_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
+ETCD_CLIENT_CERT_AUTH={{ etcd_secure_client | lower}}
+
+ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
+ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
+ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
+ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
--- a/roles/etcd/templates/etcd-events.j2
+++ b/roles/etcd/templates/etcd-events.j2
@@ -0,0 +1,21 @@
+#!/bin/bash
+{{ docker_bin_dir }}/docker run \
+  --restart=on-failure:5 \
+  --env-file=/etc/etcd-events.env \
+  --net=host \
+  -v /etc/ssl/certs:/etc/ssl/certs:ro \
+  -v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \
+  -v {{ etcd_events_data_dir }}:{{ etcd_events_data_dir }}:rw \
+  {% if etcd_memory_limit is defined %}
+  --memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} \
+  {% endif %}
+  {% if etcd_cpu_limit is defined %}
+  --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \
+  {% endif %}
+  {% if etcd_blkio_weight is defined %}
+  --blkio-weight={{ etcd_blkio_weight }} \
+  {% endif %}
+  --name={{ etcd_member_name }}-events \
+  {{ etcd_image_repo }}:{{ etcd_image_tag }} \
+  /usr/local/bin/etcd \
+  "$@"
--- a/roles/etcd/templates/etcd-host.service.j2
+++ b/roles/etcd/templates/etcd-host.service.j2
@@ -4,7 +4,7 @@ After=network.target

 [Service]
 Type=notify
-User=etcd
+User=root
 EnvironmentFile=/etc/etcd.env
 ExecStart={{ bin_dir }}/etcd
 NotifyAccess=all
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@@ -13,6 +13,9 @@ ETCD_NAME={{ etcd_member_name }}
 ETCD_PROXY=off
 ETCD_INITIAL_CLUSTER={{ etcd_peer_addresses }}
 ETCD_AUTO_COMPACTION_RETENTION={{ etcd_compaction_retention }}
+{% if etcd_snapshot_count is defined %}
+ETCD_SNAPSHOT_COUNT={{ etcd_snapshot_count }}
+{% endif %}

 # TLS settings
 ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
@@ -23,4 +26,4 @@ ETCD_CLIENT_CERT_AUTH={{ etcd_secure_client | lower}}
 ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
 ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
 ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
-ETCD_PEER_CLIENT_CERT_AUTH=true
+ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
--- a/roles/etcd/templates/etcd.j2
+++ b/roles/etcd/templates/etcd.j2
@@ -6,17 +6,19 @@
  -v /etc/ssl/certs:/etc/ssl/certs:ro \
  -v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \
  -v {{ etcd_data_dir }}:{{ etcd_data_dir }}:rw \
-  {% if etcd_memory_limit is defined %}
+{% if etcd_memory_limit is defined %}
  --memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} \
-  {% endif %}
-  --oom-kill-disable \
-  {% if etcd_cpu_limit is defined %}
+{% endif %}
+{% if etcd_cpu_limit is defined %}
  --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \
-  {% endif %}
-  {% if etcd_blkio_weight is defined %}
+{% endif %}
+{% if etcd_blkio_weight is defined %}
  --blkio-weight={{ etcd_blkio_weight }} \
-  {% endif %}
+{% endif %}
  --name={{ etcd_member_name | default("etcd") }} \
  {{ etcd_image_repo }}:{{ etcd_image_tag }} \
+{% if etcd_ionice is defined %}
+  /bin/ionice {{ etcd_ionice }} \
+{% endif %}
  /usr/local/bin/etcd \
  "$@"
--- a/Show More
+++ b/Show More