Fix ubuntu-contiv test failed (#3808 )

netchecker agent status is pending
Fix basic auth tokens for kubeadm deployment. (#3801 )
2025-12-14 22:04:43 +03:00 · 2018-12-03 23:01:32 -08:00 · 2018-12-03 10:44:29 -08:00 · 2018-12-03 10:38:51 -08:00 · 2018-12-03 10:29:42 -08:00 · 2018-12-03 05:04:03 -08:00
593 changed files with 11498 additions and 3492 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ stages:
 variables:
  FAILFASTCI_NAMESPACE: 'kargo-ci'
-  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-incubator__kubespray'
+  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
 #  DOCKER_HOST: tcp://localhost:2375
  ANSIBLE_FORCE_COLOR: "true"
  MAGIC: "ci check this"
@@ -42,7 +42,7 @@ before_script:
  tags:
    - kubernetes
    - docker
-  image: quay.io/kubespray/kubespray:latest
+  image: quay.io/kubespray/kubespray:v2.7
 .docker_service: &docker_service
  services:
@@ -93,10 +93,10 @@ before_script:
    # Check out latest tag if testing upgrade
    # Uncomment when gitlab kubespray repo has tags
    #- test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
-    - test "${UPGRADE_TEST}" != "false" && git checkout 02cd5418c22d51e40261775908d55bc562206023
+    - test "${UPGRADE_TEST}" != "false" && git checkout 53d87e53c5899d4ea2904ab7e3883708dd6363d3
    # Checkout the CI vars file so it is available
    - test "${UPGRADE_TEST}" != "false" && git checkout "${CI_BUILD_REF}" tests/files/${CI_JOB_NAME}.yml
-    # Workaround https://github.com/kubernetes-incubator/kubespray/issues/2021
+    # Workaround https://github.com/kubernetes-sigs/kubespray/issues/2021
    - 'sh -c "echo ignore_assert_errors: true | tee -a tests/files/${CI_JOB_NAME}.yml"'
@@ -240,9 +240,9 @@ before_script:
 # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"
-.ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
+.ubuntu18_flannel_aio_variables: &ubuntu18_flannel_aio_variables
 # stage: deploy-part1
-  UPGRADE_TEST: "graceful"
+  MOVED_TO_GROUP_VARS: "true"
 .centos_weave_kubeadm_variables: &centos_weave_kubeadm_variables
 # stage: deploy-part1
@@ -252,6 +252,10 @@ before_script:
 # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"
 .ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
 .ubuntu_contiv_sep_variables: &ubuntu_contiv_sep_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
@@ -263,7 +267,7 @@ before_script:
 .ubuntu_cilium_sep_variables: &ubuntu_cilium_sep_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
-  
+
 .rhel7_weave_variables: &rhel7_weave_variables
 # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"
@@ -272,7 +276,7 @@ before_script:
 # stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"
-.debian8_calico_variables: &debian8_calico_variables
+.debian9_calico_variables: &debian9_calico_variables
 # stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"
@@ -292,23 +296,31 @@ before_script:
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
 .centos7_kube_router_variables: &centos7_kube_router_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
 .centos7_multus_calico_variables: &centos7_multus_calico_variables
 # stage: deploy-part2
  UPGRADE_TEST: "graceful"
 .coreos_alpha_weave_ha_variables: &coreos_alpha_weave_ha_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
 .coreos_kube_router_variables: &coreos_kube_router_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
 .ubuntu_rkt_sep_variables: &ubuntu_rkt_sep_variables
 # stage: deploy-part1
  MOVED_TO_GROUP_VARS: "true"
-.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
+.ubuntu_flannel_variables: &ubuntu_flannel_variables
-# stage: deploy-part1
+# stage: deploy-part2
  MOVED_TO_GROUP_VARS: "true"
-.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
+.ubuntu_kube_router_variables: &ubuntu_kube_router_variables
 # stage: deploy-part1
  UPGRADE_TEST: "basic"
 .ubuntu_flannel_variables: &ubuntu_flannel_variables
 # stage: deploy-special
  MOVED_TO_GROUP_VARS: "true"
@@ -319,10 +331,24 @@ before_script:
 # Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
 ### PR JOBS PART1
-gce_coreos-calico-aio:
+
 gce_ubuntu18-flannel-aio:
  stage: deploy-part1
  <<: *job
  <<: *gce
  variables:
    <<: *ubuntu18_flannel_aio_variables
    <<: *gce_variables
  when: on_success
  except: ['triggers']
  only: [/^pr-.*$/]
 ### PR JOBS PART2
 gce_coreos-calico-aio:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *coreos_calico_aio_variables
    <<: *gce_variables
@@ -330,7 +356,6 @@ gce_coreos-calico-aio:
  except: ['triggers']
  only: [/^pr-.*$/]
 ### PR JOBS PART2
 gce_centos7-flannel-addons:
  stage: deploy-part2
  <<: *job
@@ -342,6 +367,30 @@ gce_centos7-flannel-addons:
  except: ['triggers']
  only: [/^pr-.*$/]
 gce_centos-weave-kubeadm-sep:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *centos_weave_kubeadm_variables
  when: on_success
  except: ['triggers']
  only: [/^pr-.*$/]
 gce_ubuntu-flannel-ha:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *ubuntu_flannel_variables
  when: on_success
  except: ['triggers']
  only: [/^pr-.*$/]
 ### MANUAL JOBS
 gce_ubuntu-weave-sep:
  stage: deploy-part2
  <<: *job
@@ -349,11 +398,10 @@ gce_ubuntu-weave-sep:
  variables:
    <<: *gce_variables
    <<: *ubuntu_weave_sep_variables
-  when: on_success
+  when: manual
  except: ['triggers']
  only: [/^pr-.*$/]
 ### MANUAL JOBS
 gce_coreos-calico-sep-triggers:
  stage: deploy-part2
  <<: *job
@@ -365,7 +413,7 @@ gce_coreos-calico-sep-triggers:
  only: ['triggers']
 gce_ubuntu-canal-ha-triggers:
-  stage: deploy-part2
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -407,7 +455,7 @@ do_ubuntu-canal-ha:
  only: ['master', /^pr-.*$/]
 gce_ubuntu-canal-ha:
-  stage: deploy-part2
+  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
@@ -438,17 +486,6 @@ gce_ubuntu-canal-kubeadm-triggers:
  when: on_success
  only: ['triggers']
 gce_centos-weave-kubeadm:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *centos_weave_kubeadm_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_centos-weave-kubeadm-triggers:
  stage: deploy-part2
  <<: *job
@@ -513,24 +550,24 @@ gce_rhel7-weave-triggers:
  when: on_success
  only: ['triggers']
-gce_debian8-calico-upgrade:
+gce_debian9-calico-upgrade:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *debian8_calico_variables
+    <<: *debian9_calico_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
-gce_debian8-calico-triggers:
+gce_debian9-calico-triggers:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *debian8_calico_variables
+    <<: *debian9_calico_variables
  when: on_success
  only: ['triggers']
@@ -597,6 +634,28 @@ gce_centos7-calico-ha-triggers:
  when: on_success
  only: ['triggers']
 gce_centos7-kube-router:
  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *centos7_kube_router_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_centos7-multus-calico:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *centos7_multus_calico_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_opensuse-canal:
  stage: deploy-part2
  <<: *job
@@ -620,6 +679,17 @@ gce_coreos-alpha-weave-ha:
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_coreos-kube-router:
  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *coreos_kube_router_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_ubuntu-rkt-sep:
  stage: deploy-part2
  <<: *job
@@ -631,35 +701,13 @@ gce_ubuntu-rkt-sep:
  except: ['triggers']
  only: ['master', /^pr-.*$/]
-gce_ubuntu-vault-sep:
+gce_ubuntu-kube-router-sep:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *ubuntu_vault_sep_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_coreos-vault-upgrade:
  stage: deploy-part2
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
    <<: *coreos_vault_upgrade_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
 gce_ubuntu-flannel-sep:
  stage: deploy-special
  <<: *job
  <<: *gce
  variables:
    <<: *gce_variables
-    <<: *ubuntu_flannel_variables
+    <<: *ubuntu_kube_router_variables
  when: manual
  except: ['triggers']
  only: ['master', /^pr-.*$/]
--- a/12
+++ b/12
@@ -6,11 +6,11 @@ RUN apt update -y && \
    apt install -y \
    libssl-dev python-dev sshpass apt-transport-https \
    ca-certificates curl gnupg2 software-properties-common python-pip
-RUN  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
-     add-apt-repository \
+    add-apt-repository \
-     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
-     $(lsb_release -cs) \
+    $(lsb_release -cs) \
-     stable" \
+    stable" \
-     && apt update -y && apt-get install docker-ce -y
+    && apt update -y && apt-get install docker-ce -y
 COPY . .
 RUN /usr/bin/python -m pip install pip -U && /usr/bin/python -m pip install -r tests/requirements.txt && python -m pip install -r requirements.txt
--- a/5
+++ b/5
@@ -0,0 +1,5 @@
 mitogen:
 	ansible-playbook -c local mitogen.yaml -vv
 clean:
 	rm -rf dist/
 	rm *.retry
--- a/12
+++ b/12
@@ -1,9 +1,7 @@
 # See the OWNERS file documentation:
-#  https://github.com/kubernetes/kubernetes/blob/master/docs/devel/owners.md
+# https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
-owners:
+approvers:
-  - Smana
+  - kubespray-approvers
-  - ant31
+reviewers:
-  - bogdando
+  - kubespray-reviewers
  - mattymo
  - rsmitty
--- a/18
+++ b/18
@@ -0,0 +1,18 @@
 aliases:
  kubespray-approvers:
    - ant31
    - mattymo
    - atoms
    - chadswen
    - rsmitty
    - bogdando
    - bradbeam
    - woopstar
    - riverzhang
    - holser
    - smana
  kubespray-reviewers:
    - jjungnickel
    - archifleks
    - chapsuk
    - mirwan
--- a/README.md
+++ b/README.md
@@ -1,11 +1,12 @@
-![Kubernetes Logo](https://raw.githubusercontent.com/kubernetes-incubator/kubespray/master/docs/img/kubernetes-logo.png)
+![Kubernetes Logo](https://raw.githubusercontent.com/kubernetes-sigs/kubespray/master/docs/img/kubernetes-logo.png)
 Deploy a Production Ready Kubernetes Cluster
 ============================================
 If you have questions, join us on the [kubernetes slack](https://kubernetes.slack.com), channel **\#kubespray**.
 You can get your invite [here](http://slack.k8s.io/)
-   Can be deployed on **AWS, GCE, Azure, OpenStack, vSphere or Baremetal**
+-   Can be deployed on **AWS, GCE, Azure, OpenStack, vSphere, Oracle Cloud Infrastructure (Experimental), or Baremetal**
 -   **Highly available** cluster
 -   **Composable** (Choice of the network plugin for instance)
 -   Supports most popular **Linux distributions**
@@ -18,6 +19,12 @@ To deploy the cluster you can use :
 ### Ansible
 #### Ansible version
 Ansible v2.7.0 is failing and/or produce unexpected results due to [ansible/ansible/issues/46600](https://github.com/ansible/ansible/issues/46600)
 #### Usage
    # Install dependencies from ``requirements.txt``
    sudo pip install -r requirements.txt
@@ -29,11 +36,24 @@ To deploy the cluster you can use :
    CONFIG_FILE=inventory/mycluster/hosts.ini python3 contrib/inventory_builder/inventory.py ${IPS[@]}
    # Review and change parameters under ``inventory/mycluster/group_vars``
-    cat inventory/mycluster/group_vars/all.yml
+    cat inventory/mycluster/group_vars/all/all.yml
-    cat inventory/mycluster/group_vars/k8s-cluster.yml
+    cat inventory/mycluster/group_vars/k8s-cluster/k8s-cluster.yml
-    # Deploy Kubespray with Ansible Playbook
+    # Deploy Kubespray with Ansible Playbook - run the playbook as root
-    ansible-playbook -i inventory/mycluster/hosts.ini cluster.yml
+    # The option `-b` is required, as for example writing SSL keys in /etc/,
    # installing packages and interacting with various systemd daemons.
    # Without -b the playbook will fail to run!
    ansible-playbook -i inventory/mycluster/hosts.ini --become --become-user=root cluster.yml
 Note: When Ansible is already installed via system packages on the control machine, other python packages installed via `sudo pip install -r requirements.txt` will go to a different directory tree (e.g. `/usr/local/lib/python2.7/dist-packages` on Ubuntu) from Ansible's (e.g. `/usr/lib/python2.7/dist-packages/ansible` still on Ubuntu).
 As a consequence, `ansible-playbook` command will fail with:
 ```
 ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.
 ```
 probably pointing on a task depending on a module present in requirements.txt (i.e. "unseal vault").
 One way of solving this would be to uninstall the Ansible package and then, to install it via pip but it is not always possible.
 A workaround consists of setting `ANSIBLE_LIBRARY` and `ANSIBLE_MODULE_UTILS` environment variables respectively to the `ansible/modules` and `ansible/module_utils` subdirectories of pip packages installation location, which can be found in the Location field of the output of `pip show [package]` before executing `ansible-playbook`.
 ### Vagrant
@@ -78,9 +98,10 @@ Supported Linux Distributions
 -----------------------------
 -   **Container Linux by CoreOS**
-   **Debian** Jessie, Stretch, Wheezy
+-   **Debian** Buster, Jessie, Stretch, Wheezy
-   **Ubuntu** 16.04
+-   **Ubuntu** 16.04, 18.04
 -   **CentOS/RHEL** 7
 -   **Fedora** 28
 -   **Fedora/CentOS** Atomic
 -   **openSUSE** Leap 42.3/Tumbleweed
@@ -90,23 +111,27 @@ Supported Components
 --------------------
 -   Core
-    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.10.4
+    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.12.3
-    -   [etcd](https://github.com/coreos/etcd) v3.2.18
+    -   [etcd](https://github.com/coreos/etcd) v3.2.24
-    -   [docker](https://www.docker.com/) v17.03 (see note)
+    -   [docker](https://www.docker.com/) v18.06 (see note)
    -   [rkt](https://github.com/rkt/rkt) v1.21.0 (see Note 2)
    -   [cri-o](http://cri-o.io/) v1.11.5 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS)
 -   Network Plugin
-    -   [calico](https://github.com/projectcalico/calico) v2.6.8
+    -   [calico](https://github.com/projectcalico/calico) v3.1.3
    -   [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-    -   [cilium](https://github.com/cilium/cilium) v1.1.2
+    -   [cilium](https://github.com/cilium/cilium) v1.3.0
-    -   [contiv](https://github.com/contiv/install) v1.1.7
+    -   [contiv](https://github.com/contiv/install) v1.2.1
    -   [flanneld](https://github.com/coreos/flannel) v0.10.0
-    -   [weave](https://github.com/weaveworks/weave) v2.4.0
+    -   [kube-router](https://github.com/cloudnativelabs/kube-router) v0.2.1
    -   [multus](https://github.com/intel/multus-cni) v3.1.autoconf
    -   [weave](https://github.com/weaveworks/weave) v2.5.0
 -   Application
-    -   [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v1.1.0-k8s1.10
+    -   [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
-    -   [cert-manager](https://github.com/jetstack/cert-manager) v0.4.0
+    -   [cert-manager](https://github.com/jetstack/cert-manager) v0.5.2
-    -   [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.17.1
+    -   [coredns](https://github.com/coredns/coredns) v1.2.6
    -   [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.21.0
-Note: kubernetes doesn't support newer docker versions. Among other things kubelet currently breaks on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
+Note: The list of validated [docker versions](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md) was updated to 1.11.1, 1.12.1, 1.13.1, 17.03, 17.06, 17.09, 18.06. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
 Note 2: rkt support as docker alternative is limited to control plane (etcd and
 kubelet). Docker is still used for Kubernetes cluster workloads and network
@@ -116,10 +141,10 @@ plugins can be deployed for a given single cluster.
 Requirements
 ------------
-   **Ansible v2.4 (or newer) and python-netaddr is installed on the machine
+-   **Ansible v2.5 (or newer) and python-netaddr is installed on the machine
    that will run Ansible commands**
 -   **Jinja 2.9 (or newer) is required to run the Ansible Playbooks**
-   The target servers must have **access to the Internet** in order to pull docker images.
+-   The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/downloads.md#offline-environment))
 -   The target servers are configured to allow **IPv4 forwarding**.
 -   **Your ssh key must be copied** to all the servers part of your inventory.
 -   The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
@@ -147,6 +172,13 @@ You can choose between 6 network plugins. (default: `calico`, except Vagrant use
 -   [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
    (Please refer to `weave` [troubleshooting documentation](http://docs.weave.works/weave/latest_release/troubleshooting.html)).
 -   [kube-router](docs/kube-router.md): Kube-router is a L3 CNI for Kubernetes networking aiming to provide operational
    simplicity and high performance: it uses IPVS to provide Kube Services Proxy (if setup to replace kube-proxy),
    iptables for network policies, and BGP for ods L3 networking (with optionally BGP peering with out-of-cluster BGP peers).
    It can also optionally advertise routes to Kubernetes cluster Pods CIDRs, ClusterIPs, ExternalIPs and LoadBalancerIPs.
 -   [multus](docs/multus.md): Multus is a meta CNI plugin that provides multiple network interface support to pods. For each interface Multus delegates CNI calls to secondary CNI plugins such as Calico, macvlan, etc.
 The choice is defined with the variable `kube_network_plugin`. There is also an
 option to leverage built-in cloud provider networking instead.
 See also [Network checker](docs/netcheck.md).
@@ -164,7 +196,7 @@ Tools and projects on top of Kubespray
 -   [Digital Rebar Provision](https://github.com/digitalrebar/provision/blob/master/doc/integrations/ansible.rst)
 -   [Fuel-ccp-installer](https://github.com/openstack/fuel-ccp-installer)
-   [Terraform Contrib](https://github.com/kubernetes-incubator/kubespray/tree/master/contrib/terraform)
+-   [Terraform Contrib](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform)
 CI Tests
 --------
--- a/150
+++ b/150
@@ -1,6 +1,8 @@
 # -*- mode: ruby -*-
 # # vi: set ft=ruby :
 # For help on using kubespray with vagrant, check out docs/vagrant.md
 require 'fileutils'
 Vagrant.require_version ">= 2.0.0"
@@ -13,13 +15,16 @@ COREOS_URL_TEMPLATE = "https://storage.googleapis.com/%s.release.core-os.net/amd
 DISK_UUID = Time.now.utc.to_i
 SUPPORTED_OS = {
-  "coreos-stable" => {box: "coreos-stable",      bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["stable"]},
+  "coreos-stable"       => {box: "coreos-stable",      user: "core", box_url: COREOS_URL_TEMPLATE % ["stable"]},
-  "coreos-alpha"  => {box: "coreos-alpha",       bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["alpha"]},
+  "coreos-alpha"        => {box: "coreos-alpha",       user: "core", box_url: COREOS_URL_TEMPLATE % ["alpha"]},
-  "coreos-beta"   => {box: "coreos-beta",        bootstrap_os: "coreos", user: "core", box_url: COREOS_URL_TEMPLATE % ["beta"]},
+  "coreos-beta"         => {box: "coreos-beta",        user: "core", box_url: COREOS_URL_TEMPLATE % ["beta"]},
-  "ubuntu"        => {box: "bento/ubuntu-16.04", bootstrap_os: "ubuntu", user: "vagrant"},
+  "ubuntu1604"          => {box: "generic/ubuntu1604", user: "vagrant"},
-  "centos"        => {box: "centos/7",           bootstrap_os: "centos", user: "vagrant"},
+  "ubuntu1804"          => {box: "generic/ubuntu1804", user: "vagrant"},
-  "opensuse"      => {box: "opensuse/openSUSE-42.3-x86_64", bootstrap_os: "opensuse", use: "vagrant"},
+  "centos"              => {box: "centos/7",           user: "vagrant"},
-  "opensuse-tumbleweed" => {box: "opensuse/openSUSE-Tumbleweed-x86_64", bootstrap_os: "opensuse", use: "vagrant"},
+  "centos-bento"        => {box: "bento/centos-7.5",   user: "vagrant"},
  "fedora"              => {box: "fedora/28-cloud-base",                user: "vagrant"},
  "opensuse"            => {box: "opensuse/openSUSE-42.3-x86_64",       user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/openSUSE-Tumbleweed-x86_64", user: "vagrant"},
 }
 # Defaults for config options defined in CONFIG
@@ -31,8 +36,10 @@ $vm_cpus = 1
 $shared_folders = {}
 $forwarded_ports = {}
 $subnet = "172.17.8"
-$os = "ubuntu"
+$os = "ubuntu1804"
 $network_plugin = "flannel"
 # Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
 $multi_networking = false
 # The first three nodes are etcd servers
 $etcd_instances = $num_instances
 # The first two nodes are kube masters
@@ -44,7 +51,7 @@ $kube_node_instances_with_disks = false
 $kube_node_instances_with_disks_size = "20G"
 $kube_node_instances_with_disks_number = 2
-$local_release_dir = "/vagrant/temp"
+$playbook = "cluster.yml"
 host_vars = {}
@@ -54,13 +61,13 @@ end
 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
-$inventory = File.join(File.dirname(__FILE__), "inventory", "sample") if ! $inventory
+$inventory = "inventory/sample" if ! $inventory
 $inventory = File.absolute_path($inventory, File.dirname(__FILE__))
-# if $inventory has a hosts file use it, otherwise copy over vars etc
+# if $inventory has a hosts.ini file use it, otherwise copy over
-# to where vagrant expects dynamic inventory to be.
+# vars etc to where vagrant expects dynamic inventory to be
-if ! File.exist?(File.join(File.dirname($inventory), "hosts"))
+if ! File.exist?(File.join(File.dirname($inventory), "hosts.ini"))
-  $vagrant_ansible = File.join(File.dirname(__FILE__), ".vagrant",
+  $vagrant_ansible = File.join(File.dirname(__FILE__), ".vagrant", "provisioners", "ansible")
                       "provisioners", "ansible")
  FileUtils.mkdir_p($vagrant_ansible) if ! File.exist?($vagrant_ansible)
  if ! File.exist?(File.join($vagrant_ansible,"inventory"))
    FileUtils.ln_s($inventory, File.join($vagrant_ansible,"inventory"))
@@ -75,76 +82,60 @@ if Vagrant.has_plugin?("vagrant-proxyconf")
 end
 Vagrant.configure("2") do |config|
-  # always use Vagrants insecure key
+
  config.ssh.insert_key = false
  config.vm.box = $box
  if SUPPORTED_OS[$os].has_key? :box_url
    config.vm.box_url = SUPPORTED_OS[$os][:box_url]
  end
  config.ssh.username = SUPPORTED_OS[$os][:user]
  # plugin conflict
  if Vagrant.has_plugin?("vagrant-vbguest") then
    config.vbguest.auto_update = false
  end
  # always use Vagrants insecure key
  config.ssh.insert_key = false
  (1..$num_instances).each do |i|
-    config.vm.define vm_name = "%s-%02d" % [$instance_name_prefix, i] do |config|
+    config.vm.define vm_name = "%s-%01d" % [$instance_name_prefix, i] do |node|
-      config.vm.hostname = vm_name
+
      node.vm.hostname = vm_name
      if Vagrant.has_plugin?("vagrant-proxyconf")
-        config.proxy.http     = ENV['HTTP_PROXY'] || ENV['http_proxy'] || ""
+        node.proxy.http     = ENV['HTTP_PROXY'] || ENV['http_proxy'] || ""
-        config.proxy.https    = ENV['HTTPS_PROXY'] || ENV['https_proxy'] ||  ""
+        node.proxy.https    = ENV['HTTPS_PROXY'] || ENV['https_proxy'] ||  ""
-        config.proxy.no_proxy = $no_proxy
+        node.proxy.no_proxy = $no_proxy
      end
      if $expose_docker_tcp
        config.vm.network "forwarded_port", guest: 2375, host: ($expose_docker_tcp + i - 1), auto_correct: true
      end
      $forwarded_ports.each do |guest, host|
        config.vm.network "forwarded_port", guest: guest, host: host, auto_correct: true
      end
      ["vmware_fusion", "vmware_workstation"].each do |vmware|
-        config.vm.provider vmware do |v|
+        node.vm.provider vmware do |v|
          v.vmx['memsize'] = $vm_memory
          v.vmx['numvcpus'] = $vm_cpus
        end
      end
-      config.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
+      node.vm.provider :virtualbox do |vb|
      $shared_folders.each do |src, dst|
        config.vm.synced_folder src, dst, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
      end
      config.vm.provider :virtualbox do |vb|
        vb.gui = $vm_gui
        vb.memory = $vm_memory
        vb.cpus = $vm_cpus
        vb.gui = $vm_gui
        vb.linked_clone = true
      end
-     config.vm.provider :libvirt do |lv|
+      node.vm.provider :libvirt do |lv|
-       lv.memory = $vm_memory
+        lv.memory = $vm_memory
-     end
+        lv.cpus = $vm_cpus
-
+        lv.default_prefix = 'kubespray'
-      ip = "#{$subnet}.#{i+100}"
+        # Fix kernel panic on fedora 28
-      host_vars[vm_name] = {
+        if $os == "fedora"
-        "ip": ip,
+          lv.cpu_mode = "host-passthrough"
-        "bootstrap_os": SUPPORTED_OS[$os][:bootstrap_os],
+        end
-        "local_release_dir" => $local_release_dir,
+      end
        "download_run_once": "False",
        "kube_network_plugin": $network_plugin
      }
      config.vm.network :private_network, ip: ip
      # Disable swap for each vm
      config.vm.provision "shell", inline: "swapoff -a"
      if $kube_node_instances_with_disks
        # Libvirt
        driverletters = ('a'..'z').to_a
-        config.vm.provider :libvirt do |lv|
+        node.vm.provider :libvirt do |lv|
          # always make /dev/sd{a/b/c} so that CI can ensure that
          # virtualbox and libvirt will have the same devices to use for OSDs
          (1..$kube_node_instances_with_disks_number).each do |d|
@@ -153,24 +144,51 @@ Vagrant.configure("2") do |config|
        end
      end
-      # Only execute once the Ansible provisioner,
+      if $expose_docker_tcp
-      # when all the machines are up and ready.
+        node.vm.network "forwarded_port", guest: 2375, host: ($expose_docker_tcp + i - 1), auto_correct: true
      end
      $forwarded_ports.each do |guest, host|
        node.vm.network "forwarded_port", guest: guest, host: host, auto_correct: true
      end
      node.vm.synced_folder ".", "/vagrant", disabled: false, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z'] , rsync__exclude: ['.git','venv']
      $shared_folders.each do |src, dst|
        node.vm.synced_folder src, dst, type: "rsync", rsync__args: ['--verbose', '--archive', '--delete', '-z']
      end
      ip = "#{$subnet}.#{i+100}"
      node.vm.network :private_network, ip: ip
      # Disable swap for each vm
      node.vm.provision "shell", inline: "swapoff -a"
      host_vars[vm_name] = {
        "ip": ip,
        "kube_network_plugin": $network_plugin,
        "kube_network_plugin_multus": $multi_networking,
        "docker_keepcache": "1",
        "download_run_once": "True",
        "download_localhost": "False"
      }
      # Only execute the Ansible provisioner once, when all the machines are up and ready.
      if i == $num_instances
-        config.vm.provision "ansible" do |ansible|
+        node.vm.provision "ansible" do |ansible|
-          ansible.playbook = "cluster.yml"
+          ansible.playbook = $playbook
-          if File.exist?(File.join(File.dirname($inventory), "hosts"))
+          if File.exist?(File.join( $inventory, "hosts.ini"))
            ansible.inventory_path = $inventory
          end
          ansible.become = true
          ansible.limit = "all"
          ansible.host_key_checking = false
-          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache"]
+          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache", "--ask-become-pass"]
          ansible.host_vars = host_vars
          #ansible.tags = ['download']
          ansible.groups = {
-            "etcd" => ["#{$instance_name_prefix}-0[1:#{$etcd_instances}]"],
+            "etcd" => ["#{$instance_name_prefix}-[1:#{$etcd_instances}]"],
-            "kube-master" => ["#{$instance_name_prefix}-0[1:#{$kube_master_instances}]"],
+            "kube-master" => ["#{$instance_name_prefix}-[1:#{$kube_master_instances}]"],
-            "kube-node" => ["#{$instance_name_prefix}-0[1:#{$kube_node_instances}]"],
+            "kube-node" => ["#{$instance_name_prefix}-[1:#{$kube_node_instances}]"],
            "k8s-cluster:children" => ["kube-master", "kube-node"],
          }
        end
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,6 +3,8 @@ pipelining=True
 ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
 #control_path = ~/.ssh/ansible-%%r@%%h:%%p
 [defaults]
 strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
 host_key_checking=False
 gathering = smart
 fact_caching = jsonfile
@@ -13,3 +15,5 @@ callback_whitelist = profile_tasks
 roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles:/usr/share/kubespray/roles
 deprecation_warnings=False
 inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .creds
 [inventory]
 ignore_patterns = artifacts, credentials
--- a/cluster.yml
+++ b/cluster.yml
@@ -1,5 +1,33 @@
 ---
 - hosts: localhost
  gather_facts: false
  tasks:
    - name: "Check ansible version !=2.7.0"
      assert:
        msg: "Ansible V2.7.0 can't be used until: https://github.com/ansible/ansible/issues/46600 is fixed"
        that:
          - ansible_version.string is version("2.7.0", "!=")
          - ansible_version.string is version("2.5.0", ">=")
      tags:
        - check
  vars:
    ansible_connection: local
 - hosts: localhost
  gather_facts: false
  tasks:
    - name: deploy warning for non kubeadm
      debug:
        msg: "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
      when: not kubeadm_enabled and not skip_non_kubeadm_warning
    - name: deploy cluster for non kubeadm
      pause:
        prompt: "Are you sure you want to deploy cluster using the deprecated non-kubeadm mode."
        echo: no
      when: not kubeadm_enabled and not skip_non_kubeadm_warning
 - hosts: bastion[0]
  gather_facts: False
  roles:
    - { role: kubespray-defaults}
@@ -33,20 +61,10 @@
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes/preinstall, tags: preinstall }
-    - { role: docker, tags: docker, when: manage_docker|default(true) }
+    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine|default(true) }
    - role: rkt
      tags: rkt
      when: "'rkt' in [etcd_deployment_type, kubelet_deployment_type, vault_deployment_type]"
    - { role: download, tags: download, when: "not skip_downloads" }
  environment: "{{proxy_env}}"
 - hosts: etcd:k8s-cluster:vault:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
  environment: "{{proxy_env}}"
 - hosts: etcd
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
@@ -59,13 +77,6 @@
    - { role: kubespray-defaults}
    - { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }
 - hosts: etcd:k8s-cluster:vault:calico-rr
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
  environment: "{{proxy_env}}"
 - hosts: k8s-cluster
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
@@ -93,6 +104,7 @@
  roles:
    - { role: kubespray-defaults}
    - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"], when: "kubeadm_enabled" }
 - hosts: kube-master
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
@@ -114,10 +126,10 @@
  roles:
    - { role: kubespray-defaults}
    - { role: dnsmasq, when: "dns_mode == 'dnsmasq_kubedns'", tags: dnsmasq }
-    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf }
+    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
  environment: "{{proxy_env}}"
- hosts: kube-master[0]
+- hosts: kube-master
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  roles:
    - { role: kubespray-defaults}
--- a/contrib/aws_inventory/kubespray-aws-inventory.py
+++ b/contrib/aws_inventory/kubespray-aws-inventory.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python
 from __future__ import print_function
 import boto3
 import os
 import argparse
@@ -13,7 +14,7 @@ class SearchEC2Tags(object):
      self.search_tags()
    if self.args.host:
      data = {}
-      print json.dumps(data, indent=2)
+      print(json.dumps(data, indent=2))
  def parse_args(self):
@@ -44,18 +45,29 @@ class SearchEC2Tags(object):
      instances = ec2.instances.filter(Filters=[{'Name': 'tag:'+tag_key, 'Values': tag_value}, {'Name': 'instance-state-name', 'Values': ['running']}])
      for instance in instances:
        ##Suppose default vpc_visibility is private
        dns_name = instance.private_dns_name
        ansible_host = {
          'ansible_ssh_host': instance.private_ip_address
        }
        ##Override when vpc_visibility actually is public
        if self.vpc_visibility == "public":
-          hosts[group].append(instance.public_dns_name)
+          dns_name = instance.public_dns_name
-          hosts['_meta']['hostvars'][instance.public_dns_name] = {
+          ansible_host = {
-             'ansible_ssh_host': instance.public_ip_address
+            'ansible_ssh_host': instance.public_ip_address
          }
        else:
          hosts[group].append(instance.private_dns_name)
          hosts['_meta']['hostvars'][instance.private_dns_name] = {
             'ansible_ssh_host': instance.private_ip_address
          }
        ##Set when instance actually has node_labels
        node_labels_tag = list(filter(lambda t: t['Key'] == 'kubespray-node-labels', instance.tags))
        if node_labels_tag:
          ansible_host['node_labels'] = dict([ label.strip().split('=') for label in node_labels_tag[0]['Value'].split(',') ])
        hosts[group].append(dns_name)
        hosts['_meta']['hostvars'][dns_name] = ansible_host
    hosts['k8s-cluster'] = {'children':['kube-master', 'kube-node']}
-    print json.dumps(hosts, sort_keys=True, indent=2)
+    print(json.dumps(hosts, sort_keys=True, indent=2))
 SearchEC2Tags()
--- a/contrib/azurerm/group_vars/all
+++ b/contrib/azurerm/group_vars/all
@@ -1,5 +1,5 @@
-# Due to some Azure limitations (ex:- Storage Account's name must be unique), 
+# Due to some Azure limitations (ex:- Storage Account's name must be unique),
 # this name must be globally unique - it will be used as a prefix for azure components
 cluster_name: example
@@ -7,6 +7,10 @@ cluster_name: example
 # node that can be used to access the masters and minions
 use_bastion: false
 # Set this to a prefered name that will be used as the first part of the dns name for your bastotion host. For example: k8s-bastion.<azureregion>.cloudapp.azure.com.
 # This is convenient when exceptions have to be configured on a firewall to allow ssh to the given bastion host.
 # bastion_domain_prefix: k8s-bastion
 number_of_k8s_masters: 3
 number_of_k8s_nodes: 3
@@ -20,7 +24,8 @@ admin_username: devops
 admin_password: changeme
 # MAKE SURE TO CHANGE THIS TO YOUR PUBLIC KEY to access your azure machines
-ssh_public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLRzcxbsFDdEibiyXCSdIFh7bKbXso1NqlKjEyPTptf3aBXHEhVil0lJRjGpTlpfTy7PHvXFbXIOCdv9tOmeH1uxWDDeZawgPFV6VSZ1QneCL+8bxzhjiCn8133wBSPZkN8rbFKd9eEUUBfx8ipCblYblF9FcidylwtMt5TeEmXk8yRVkPiCuEYuDplhc2H0f4PsK3pFb5aDVdaDT3VeIypnOQZZoUxHWqm6ThyHrzLJd3SrZf+RROFWW1uInIDf/SZlXojczUYoffxgT1lERfOJCHJXsqbZWugbxQBwqsVsX59+KPxFFo6nV88h3UQr63wbFx52/MXkX4WrCkAHzN ablock-vwfs@dell-lappy"
+ssh_public_keys:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLRzcxbsFDdEibiyXCSdIFh7bKbXso1NqlKjEyPTptf3aBXHEhVil0lJRjGpTlpfTy7PHvXFbXIOCdv9tOmeH1uxWDDeZawgPFV6VSZ1QneCL+8bxzhjiCn8133wBSPZkN8rbFKd9eEUUBfx8ipCblYblF9FcidylwtMt5TeEmXk8yRVkPiCuEYuDplhc2H0f4PsK3pFb5aDVdaDT3VeIypnOQZZoUxHWqm6ThyHrzLJd3SrZf+RROFWW1uInIDf/SZlXojczUYoffxgT1lERfOJCHJXsqbZWugbxQBwqsVsX59+KPxFFo6nV88h3UQr63wbFx52/MXkX4WrCkAHzN ablock-vwfs@dell-lappy"
 # Disable using ssh using password. Change it to false to allow to connect to ssh by password
 disablePasswordAuthentication: true
--- a/contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2
+++ b/contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2
@@ -1,5 +1,5 @@
-{% for vm in  vm_ip_list %}
+{% for vm in vm_ip_list %}
 {% if not use_bastion or vm.virtualMachine.name == 'bastion' %}
 {{ vm.virtualMachine.name }} ansible_ssh_host={{ vm.virtualMachine.network.publicIpAddresses[0].ipAddress }} ip={{ vm.virtualMachine.network.privateIpAddresses[0] }}
 {% else %}
--- a/contrib/azurerm/roles/generate-templates/templates/bastion.json
+++ b/contrib/azurerm/roles/generate-templates/templates/bastion.json
@@ -15,7 +15,12 @@
      "name": "{{bastionIPAddressName}}",
      "location": "[resourceGroup().location]",
      "properties": {
-        "publicIPAllocationMethod": "Static"
+        "publicIPAllocationMethod": "Static",
        "dnsSettings": {
          {% if bastion_domain_prefix %}
          "domainNameLabel": "{{ bastion_domain_prefix }}"
          {% endif %}
        }
      }
    },
    {
@@ -66,10 +71,12 @@
            "disablePasswordAuthentication": "true",
            "ssh": {
              "publicKeys": [
                {% for key in ssh_public_keys %}
                {
                  "path": "{{sshKeyPath}}",
-                  "keyData": "{{ssh_public_key}}"
+                  "keyData": "{{key}}"
-                }
+                }{% if loop.index < ssh_public_keys | length %},{% endif %}
                {% endfor %}
              ]
            }
          }
--- a/contrib/azurerm/roles/generate-templates/templates/masters.json
+++ b/contrib/azurerm/roles/generate-templates/templates/masters.json
@@ -162,10 +162,12 @@
            "disablePasswordAuthentication": "{{disablePasswordAuthentication}}",
            "ssh": {
              "publicKeys": [
                {% for key in ssh_public_keys %}
                {
                  "path": "{{sshKeyPath}}",
-                  "keyData": "{{ssh_public_key}}"
+                  "keyData": "{{key}}"
-                }
+                }{% if loop.index < ssh_public_keys | length %},{% endif %}
                {% endfor %}
              ]
            }
          }
--- a/contrib/azurerm/roles/generate-templates/templates/minions.json
+++ b/contrib/azurerm/roles/generate-templates/templates/minions.json
@@ -79,10 +79,12 @@
            "disablePasswordAuthentication": "{{disablePasswordAuthentication}}",
            "ssh": {
              "publicKeys": [
                {% for key in ssh_public_keys %}
                {
                  "path": "{{sshKeyPath}}",
-                  "keyData": "{{ssh_public_key}}"
+                  "keyData": "{{key}}"
-                }
+                }{% if loop.index < ssh_public_keys | length %},{% endif %}
                {% endfor %}
              ]
            }
          }
--- a/contrib/dind/README.md
+++ b/contrib/dind/README.md
@@ -0,0 +1,176 @@
 # Kubespray DIND experimental setup
 This ansible playbook creates local docker containers
 to serve as Kubernetes "nodes", which in turn will run
 "normal" Kubernetes docker containers, a mode usually
 called DIND (Docker-IN-Docker).
 The playbook has two roles:
 - dind-host: creates the "nodes" as containers in localhost, with
  appropriate settings for DIND (privileged, volume mapping for dind
  storage, etc).
 - dind-cluster: customizes each node container to have required
  system packages installed, and some utils (swapoff, lsattr)
  symlinked to /bin/true to ease mimicking a real node.
 This playbook has been test with Ubuntu 16.04 as host and ubuntu:16.04
 as docker images (note that dind-cluster has specific customization
 for these images).
 The playbook also creates a `/tmp/kubespray.dind.inventory_builder.sh`
 helper (wraps up running `contrib/inventory_builder/inventory.py` with
 node containers IPs and prefix).
 ## Deploying
 See below for a complete successful run:
 1. Create the node containers
 ~~~~
 # From the kubespray root dir
 cd contrib/dind
 pip install -r requirements.txt
 ansible-playbook -i hosts dind-cluster.yaml
 # Back to kubespray root
 cd ../..
 ~~~~
 NOTE: if the playbook run fails with something like below error
 message, you may need to specifically set `ansible_python_interpreter`,
 see `./hosts` file for an example expanded localhost entry.
 ~~~
 failed: [localhost] (item=kube-node1) => {"changed": false, "item": "kube-node1", "msg": "Failed to import docker or docker-py - No module named requests.exceptions. Try `pip install docker` or `pip install docker-py` (Python 2.6)"}
 ~~~
 2. Customize kubespray-dind.yaml
 Note that there's coupling between above created node containers
 and `kubespray-dind.yaml` settings, in particular regarding selected `node_distro`
 (as set in `group_vars/all/all.yaml`), and docker settings.
 ~~~
 $EDITOR contrib/dind/kubespray-dind.yaml
 ~~~
 3. Prepare the inventory and run the playbook
 ~~~
 INVENTORY_DIR=inventory/local-dind
 mkdir -p ${INVENTORY_DIR}
 rm -f ${INVENTORY_DIR}/hosts.ini
 CONFIG_FILE=${INVENTORY_DIR}/hosts.ini /tmp/kubespray.dind.inventory_builder.sh
 ansible-playbook --become -e ansible_ssh_user=debian -i ${INVENTORY_DIR}/hosts.ini cluster.yml --extra-vars @contrib/dind/kubespray-dind.yaml
 ~~~
 NOTE: You could also test other distros without editing files by
 passing `--extra-vars` as per below commandline,
 replacing `DISTRO` by either `debian`, `ubuntu`, `centos`, `fedora`:
 ~~~
 cd contrib/dind
 ansible-playbook -i hosts dind-cluster.yaml --extra-vars node_distro=DISTRO
 cd ../..
 CONFIG_FILE=inventory/local-dind/hosts.ini /tmp/kubespray.dind.inventory_builder.sh
 ansible-playbook --become -e ansible_ssh_user=DISTRO -i inventory/local-dind/hosts.ini cluster.yml --extra-vars @contrib/dind/kubespray-dind.yaml --extra-vars bootstrap_os=DISTRO
 ~~~
 ## Resulting deployment
 See below to get an idea on how a completed deployment looks like,
 from the host where you ran kubespray playbooks.
 ### node_distro: debian
 Running from an Ubuntu Xenial host:
 ~~~
 $ uname -a
 Linux ip-xx-xx-xx-xx 4.4.0-1069-aws #79-Ubuntu SMP Mon Sep 24
 15:01:41 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 $ docker ps
 CONTAINER ID        IMAGE               COMMAND CREATED             STATUS              PORTS               NAMES
 1835dd183b75        debian:9.5          "sh -c 'apt-get -qy …"   43 minutes ago      Up 43 minutes                           kube-node5
 30b0af8d2924        debian:9.5          "sh -c 'apt-get -qy …"   43 minutes ago      Up 43 minutes                           kube-node4
 3e0d1510c62f        debian:9.5          "sh -c 'apt-get -qy …"   43 minutes ago      Up 43 minutes                           kube-node3
 738993566f94        debian:9.5          "sh -c 'apt-get -qy …"   44 minutes ago      Up 44 minutes                           kube-node2
 c581ef662ed2        debian:9.5          "sh -c 'apt-get -qy …"   44 minutes ago      Up 44 minutes                           kube-node1
 $ docker exec kube-node1 kubectl get node
 NAME         STATUS   ROLES         AGE   VERSION
 kube-node1   Ready    master,node   18m   v1.12.1
 kube-node2   Ready    master,node   17m   v1.12.1
 kube-node3   Ready    node          17m   v1.12.1
 kube-node4   Ready    node          17m   v1.12.1
 kube-node5   Ready    node          17m   v1.12.1
 $ docker exec kube-node1 kubectl get pod --all-namespaces
 NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
 default       netchecker-agent-67489                  1/1     Running   0          2m51s
 default       netchecker-agent-6qq6s                  1/1     Running   0          2m51s
 default       netchecker-agent-fsw92                  1/1     Running   0          2m51s
 default       netchecker-agent-fw6tl                  1/1     Running   0          2m51s
 default       netchecker-agent-hostnet-8f2zb          1/1     Running   0          3m
 default       netchecker-agent-hostnet-gq7ml          1/1     Running   0          3m
 default       netchecker-agent-hostnet-jfkgv          1/1     Running   0          3m
 default       netchecker-agent-hostnet-kwfwx          1/1     Running   0          3m
 default       netchecker-agent-hostnet-r46nm          1/1     Running   0          3m
 default       netchecker-agent-lxdrn                  1/1     Running   0          2m51s
 default       netchecker-server-864bd4c897-9vstl      1/1     Running   0          2m40s
 default       sh-68fcc6db45-qf55h                     1/1     Running   1          12m
 kube-system   coredns-7598f59475-6vknq                1/1     Running   0          14m
 kube-system   coredns-7598f59475-l5q5x                1/1     Running   0          14m
 kube-system   kube-apiserver-kube-node1               1/1     Running   0          17m
 kube-system   kube-apiserver-kube-node2               1/1     Running   0          18m
 kube-system   kube-controller-manager-kube-node1      1/1     Running   0          18m
 kube-system   kube-controller-manager-kube-node2      1/1     Running   0          18m
 kube-system   kube-proxy-5xx9d                        1/1     Running   0          17m
 kube-system   kube-proxy-cdqq4                        1/1     Running   0          17m
 kube-system   kube-proxy-n64ls                        1/1     Running   0          17m
 kube-system   kube-proxy-pswmj                        1/1     Running   0          18m
 kube-system   kube-proxy-x89qw                        1/1     Running   0          18m
 kube-system   kube-scheduler-kube-node1               1/1     Running   4          17m
 kube-system   kube-scheduler-kube-node2               1/1     Running   4          18m
 kube-system   kubernetes-dashboard-5db4d9f45f-548rl   1/1     Running   0          14m
 kube-system   nginx-proxy-kube-node3                  1/1     Running   4          17m
 kube-system   nginx-proxy-kube-node4                  1/1     Running   4          17m
 kube-system   nginx-proxy-kube-node5                  1/1     Running   4          17m
 kube-system   weave-net-42bfr                         2/2     Running   0          16m
 kube-system   weave-net-6gt8m                         2/2     Running   0          16m
 kube-system   weave-net-88nnc                         2/2     Running   0          16m
 kube-system   weave-net-shckr                         2/2     Running   0          16m
 kube-system   weave-net-xr46t                         2/2     Running   0          16m
 $ docker exec kube-node1 curl -s http://localhost:31081/api/v1/connectivity_check
 {"Message":"All 10 pods successfully reported back to the server","Absent":null,"Outdated":null}
 ~~~
 ## Using ./run-test-distros.sh
 You can use `./run-test-distros.sh` to run a set of tests via DIND,
 and excerpt from this script, to get an idea:
 ~~~
 # The SPEC file(s) must have two arrays as e.g.
 # DISTROS=(debian centos)
 # EXTRAS=(
 #     'kube_network_plugin=calico'
 #     'kube_network_plugin=flannel'
 #     'kube_network_plugin=weave'
 # )
 # that will be tested in a "combinatory" way (e.g. from above there'll be
 # be 6 test runs), creating a sequenced <spec_filename>-nn.out with each output.
 #
 # Each $EXTRAS element will be whitespace split, and passed as --extra-vars
 # to main kubespray ansible-playbook run.
 ~~~
 See e.g. `test-some_distros-most_CNIs.env` and
 `test-some_distros-kube_router_combo.env` in particular for a richer
 set of CNI specific `--extra-vars` combo.
--- a/contrib/dind/dind-cluster.yaml
+++ b/contrib/dind/dind-cluster.yaml
@@ -0,0 +1,9 @@
 ---
 - hosts: localhost
  gather_facts: False
  roles:
    - { role: dind-host }
 - hosts: containers
  roles:
    - { role: dind-cluster }
--- a/contrib/dind/group_vars/all/all.yaml
+++ b/contrib/dind/group_vars/all/all.yaml
@@ -0,0 +1,2 @@
 # See distro.yaml for supported node_distro images
 node_distro: debian
--- a/contrib/dind/group_vars/all/distro.yaml
+++ b/contrib/dind/group_vars/all/distro.yaml
@@ -0,0 +1,40 @@
 distro_settings:
  debian: &DEBIAN
    image: "debian:9.5"
    user: "debian"
    pid1_exe: /lib/systemd/systemd
    init: |
      sh -c "apt-get -qy update && apt-get -qy install systemd-sysv dbus && exec /sbin/init"
    raw_setup: apt-get -qy update && apt-get -qy install dbus python sudo iproute2
    raw_setup_done: test -x /usr/bin/sudo
    agetty_svc: getty@*
    ssh_service: ssh
    extra_packages: []
  ubuntu:
    <<: *DEBIAN
    image: "ubuntu:16.04"
    user: "ubuntu"
    init: |
      /sbin/init
  centos: &CENTOS
    image: "centos:7"
    user: "centos"
    pid1_exe: /usr/lib/systemd/systemd
    init: |
      /sbin/init
    raw_setup: yum -qy install policycoreutils dbus python sudo iproute iptables
    raw_setup_done: test -x /usr/bin/sudo
    agetty_svc: getty@* serial-getty@*
    ssh_service: sshd
    extra_packages: []
  fedora:
    <<: *CENTOS
    image: "fedora:latest"
    user: "fedora"
    raw_setup: yum -qy install policycoreutils dbus python sudo iproute iptables; mkdir -p /etc/modules-load.d
    extra_packages:
      - hostname
      - procps
      - findutils
      - kmod
      - iputils
--- a/contrib/dind/hosts
+++ b/contrib/dind/hosts
@@ -0,0 +1,15 @@
 [local]
 # If you created a virtualenv for ansible, you may need to specify running the
 # python binary from there instead:
 #localhost ansible_connection=local ansible_python_interpreter=/home/user/kubespray/.venv/bin/python
 localhost ansible_connection=local
 [containers]
 kube-node1
 kube-node2
 kube-node3
 kube-node4
 kube-node5
 [containers:vars]
 ansible_connection=docker
--- a/contrib/dind/kubespray-dind.yaml
+++ b/contrib/dind/kubespray-dind.yaml
@@ -0,0 +1,22 @@
 # kubespray-dind.yaml: minimal kubespray ansible playbook usable for DIND
 # See contrib/dind/README.md
 kube_api_anonymous_auth: true
 kubeadm_enabled: true
 kubelet_fail_swap_on: false
 # Docker nodes need to have been created with same "node_distro: debian"
 # at contrib/dind/group_vars/all/all.yaml
 bootstrap_os: debian
 docker_version: latest
 docker_storage_options: -s overlay2 --storage-opt overlay2.override_kernel_check=true -g /dind/docker
 dns_mode: coredns
 deploy_netchecker: True
 netcheck_agent_image_repo: quay.io/l23network/k8s-netchecker-agent
 netcheck_server_image_repo: quay.io/l23network/k8s-netchecker-server
 netcheck_agent_image_tag: v1.0
 netcheck_server_image_tag: v1.0
--- a/contrib/dind/requirements.txt
+++ b/contrib/dind/requirements.txt
@@ -0,0 +1 @@
 docker
--- a/contrib/dind/roles/dind-cluster/tasks/main.yaml
+++ b/contrib/dind/roles/dind-cluster/tasks/main.yaml
@@ -0,0 +1,70 @@
 - name: set_fact distro_setup
  set_fact:
    distro_setup: "{{ distro_settings[node_distro] }}"
 - name: set_fact other distro settings
  set_fact:
    distro_user: "{{ distro_setup['user'] }}"
    distro_ssh_service: "{{ distro_setup['ssh_service'] }}"
    distro_extra_packages: "{{ distro_setup['extra_packages'] }}"
 - name: Null-ify some linux tools to ease DIND
  file:
    src: "/bin/true"
    dest: "{{item}}"
    state: link
    force: yes
  with_items:
    # DIND box may have swap enable, don't bother
    - /sbin/swapoff
    # /etc/hosts handling would fail on trying to copy file attributes on edit,
    # void it by successfully returning nil output
    - /usr/bin/lsattr
    # disable selinux-isms, sp needed if running on non-Selinux host
    - /usr/sbin/semodule
 - name: Void installing dpkg docs and man pages on Debian based distros
  copy:
    content: |
      # Delete locales
      path-exclude=/usr/share/locale/*
      # Delete man pages
      path-exclude=/usr/share/man/*
      # Delete docs
      path-exclude=/usr/share/doc/*
      path-include=/usr/share/doc/*/copyright
    dest:  /etc/dpkg/dpkg.cfg.d/01_nodoc
  when:
    - ansible_os_family == 'Debian'
 - name: Install system packages to better match a full-fledge node
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ distro_extra_packages }} + [ 'rsyslog', 'openssh-server' ]"
 - name: Start needed services
  service:
    name: "{{ item }}"
    state: started
  with_items:
    - rsyslog
    - "{{ distro_ssh_service }}"
 - name: Create distro user "{{distro_user}}"
  user:
    name: "{{ distro_user }}"
    uid: 1000
    #groups: sudo
    append: yes
 - name: Allow password-less sudo to "{{ distro_user }}"
  copy:
    content: "{{ distro_user }} ALL=(ALL) NOPASSWD:ALL"
    dest: "/etc/sudoers.d/{{ distro_user }}"
 - name: Add my pubkey to "{{ distro_user }}" user authorized keys
  authorized_key:
    user: "{{ distro_user }}"
    state: present
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
--- a/contrib/dind/roles/dind-host/tasks/main.yaml
+++ b/contrib/dind/roles/dind-host/tasks/main.yaml
@@ -0,0 +1,86 @@
 - name: set_fact distro_setup
  set_fact:
    distro_setup: "{{ distro_settings[node_distro] }}"
 - name: set_fact other distro settings
  set_fact:
    distro_image: "{{ distro_setup['image'] }}"
    distro_init: "{{ distro_setup['init'] }}"
    distro_pid1_exe: "{{ distro_setup['pid1_exe'] }}"
    distro_raw_setup: "{{ distro_setup['raw_setup'] }}"
    distro_raw_setup_done: "{{ distro_setup['raw_setup_done'] }}"
    distro_agetty_svc: "{{ distro_setup['agetty_svc'] }}"
 - name: Create dind node containers from "containers" inventory section
  docker_container:
    image: "{{ distro_image }}"
    name: "{{ item }}"
    state: started
    hostname: "{{ item }}"
    command: "{{ distro_init }}"
    #recreate: yes
    privileged: true
    tmpfs:
      - /sys/module/nf_conntrack/parameters
    volumes:
      - /boot:/boot
      - /lib/modules:/lib/modules
      - "{{ item }}:/dind/docker"
  register: containers
  with_items: "{{groups.containers}}"
  tags:
    - addresses
 - name: Gather list of containers IPs
  set_fact:
    addresses: "{{ containers.results | map(attribute='ansible_facts') | map(attribute='docker_container') | map(attribute='NetworkSettings') | map(attribute='IPAddress') | list }}"
  tags:
    - addresses
 - name: Create inventory_builder helper already set with the list of node containers' IPs
  template:
    src: inventory_builder.sh.j2
    dest: /tmp/kubespray.dind.inventory_builder.sh
    mode: 0755
  tags:
    - addresses
 - name: Install needed packages into node containers via raw, need to wait for possible systemd packages to finish installing
  raw: |
    # agetty processes churn a lot of cpu time failing on inexistent ttys, early STOP them, to rip them in below task
    pkill -STOP agetty || true
    {{ distro_raw_setup_done }}  && echo SKIPPED && exit 0
    until [ "$(readlink /proc/1/exe)" = "{{ distro_pid1_exe }}" ] ; do sleep 1; done
    {{ distro_raw_setup }}
  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
  with_items: "{{ containers.results }}"
  register: result
  changed_when: result.stdout.find("SKIPPED") < 0
 - name: Remove gettys from node containers
  raw: |
    until test -S /var/run/dbus/system_bus_socket; do sleep 1; done
    systemctl disable {{ distro_agetty_svc }}
    systemctl stop {{ distro_agetty_svc }}
  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
  with_items: "{{ containers.results }}"
  changed_when: false
 # Running systemd-machine-id-setup doesn't create a unique id for each node container on Debian,
 # handle manually
 - name: Re-create unique machine-id (as we may just get what comes in the docker image), needed by some CNIs for mac address seeding (notably weave)
  raw: |
    echo {{ item | hash('sha1') }} > /etc/machine-id.new
    mv -b /etc/machine-id.new /etc/machine-id
    cmp /etc/machine-id /etc/machine-id~ || true
    systemctl daemon-reload
  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
  with_items: "{{ containers.results }}"
 - name: Early hack image install to adapt for DIND
  raw: |
    rm -fv /usr/bin/udevadm /usr/sbin/udevadm
  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
  with_items: "{{ containers.results }}"
  register: result
  changed_when: result.stdout.find("removed") >= 0
--- a/contrib/dind/roles/dind-host/templates/inventory_builder.sh.j2
+++ b/contrib/dind/roles/dind-host/templates/inventory_builder.sh.j2
@@ -0,0 +1,3 @@
 #!/bin/bash
 # NOTE: if you change HOST_PREFIX, you also need to edit ./hosts [containers] section
 HOST_PREFIX=kube-node python3 contrib/inventory_builder/inventory.py {% for ip in addresses %} {{ ip }} {% endfor %}
--- a/contrib/dind/run-test-distros.sh
+++ b/contrib/dind/run-test-distros.sh
@@ -0,0 +1,93 @@
 #!/bin/bash
 # Q&D test'em all: creates full DIND kubespray deploys
 # for each distro, verifying it via netchecker.
 info() {
    local msg="$*"
    local date="$(date -Isec)"
    echo "INFO: [$date] $msg"
 }
 pass_or_fail() {
    local rc="$?"
    local msg="$*"
    local date="$(date -Isec)"
    [ $rc -eq 0 ] && echo "PASS: [$date] $msg" || echo "FAIL: [$date] $msg"
    return $rc
 }
 test_distro() {
    local distro=${1:?};shift
    local extra="${*:-}"
    local prefix="$distro[${extra}]}"
    ansible-playbook -i hosts dind-cluster.yaml -e node_distro=$distro
    pass_or_fail "$prefix: dind-nodes" || return 1
    (cd ../..
        INVENTORY_DIR=inventory/local-dind
        mkdir -p ${INVENTORY_DIR}
        rm -f ${INVENTORY_DIR}/hosts.ini
        CONFIG_FILE=${INVENTORY_DIR}/hosts.ini /tmp/kubespray.dind.inventory_builder.sh
        # expand $extra with -e in front of each word
        extra_args=""; for extra_arg in $extra; do extra_args="$extra_args -e $extra_arg"; done
        ansible-playbook --become -e ansible_ssh_user=$distro -i \
            ${INVENTORY_DIR}/hosts.ini cluster.yml \
            -e @contrib/dind/kubespray-dind.yaml -e bootstrap_os=$distro ${extra_args}
        pass_or_fail "$prefix: kubespray"
    ) || return 1
    local node0=${NODES[0]}
    docker exec ${node0} kubectl get pod --all-namespaces
    pass_or_fail "$prefix: kube-api" || return 1
    let retries=60
    while ((retries--)); do
        # Some CNI may set NodePort on "main" node interface address (thus no localhost NodePort)
        # e.g. kube-router: https://github.com/cloudnativelabs/kube-router/pull/217
        docker exec ${node0} curl -m2 -s http://${NETCHECKER_HOST:?}:31081/api/v1/connectivity_check | grep successfully && break
        sleep 2
    done
    [ $retries -ge 0 ]
    pass_or_fail "$prefix: netcheck" || return 1
 }
 NODES=($(egrep ^kube-node hosts))
 NETCHECKER_HOST=localhost
 : ${OUTPUT_DIR:=./out}
 mkdir -p ${OUTPUT_DIR}
 # The SPEC file(s) must have two arrays as e.g.
 # DISTROS=(debian centos)
 # EXTRAS=(
 #     'kube_network_plugin=calico'
 #     'kube_network_plugin=flannel'
 #     'kube_network_plugin=weave'
 # )
 # that will be tested in a "combinatory" way (e.g. from above there'll be
 # be 6 test runs), creating a sequenced <spec_filename>-nn.out with each output.
 #
 # Each $EXTRAS element will be whitespace split, and passed as --extra-vars
 # to main kubespray ansible-playbook run.
 SPECS=${*:?Missing SPEC files, e.g. test-most_distros-some_CNIs.env}
 for spec in ${SPECS}; do
    unset DISTROS EXTRAS
    echo "Loading file=${spec} ..."
    . ${spec} || continue
    : ${DISTROS:?} || continue
    echo "DISTROS=${DISTROS[@]}"
    echo "EXTRAS->"
    printf "  %s\n" "${EXTRAS[@]}"
    let n=1
    for distro in ${DISTROS[@]}; do
        for extra in "${EXTRAS[@]:-NULL}"; do
            # Magic value to let this for run once:
            [[ ${extra} == NULL ]] && unset extra
            docker rm -f ${NODES[@]}
            printf -v file_out "%s/%s-%02d.out" ${OUTPUT_DIR} ${spec} $((n++))
            {
                info "${distro}[${extra}] START: file_out=${file_out}"
                time test_distro ${distro} ${extra}
            } |& tee ${file_out}
            # sleeping for the sake of the human to verify if they want
            sleep 2m
        done
    done
 done
 egrep -H '^(....:|real)' $(ls -tr ${OUTPUT_DIR}/*.out)
--- a/contrib/dind/test-most_distros-some_CNIs.env
+++ b/contrib/dind/test-most_distros-some_CNIs.env
@@ -0,0 +1,11 @@
 # Test spec file: used from ./run-test-distros.sh, will run
 # each distro in $DISTROS overloading main kubespray ansible-playbook run
 # Get all DISTROS from distro.yaml (shame no yaml parsing, but nuff anyway)
 # DISTROS="${*:-$(egrep -o '^  \w+' group_vars/all/distro.yaml|paste -s)}"
 DISTROS=(debian ubuntu centos fedora)
 # Each line below will be added as --extra-vars to main playbook run
 EXTRAS=(
    'kube_network_plugin=calico'
    'kube_network_plugin=weave'
 )
--- a/contrib/dind/test-some_distros-kube_router_combo.env
+++ b/contrib/dind/test-some_distros-kube_router_combo.env
@@ -0,0 +1,8 @@
 DISTROS=(debian centos)
 NETCHECKER_HOST=${NODES[0]}
 EXTRAS=(
  'kube_network_plugin=kube-router {"kubeadm_enabled":true,"kube_router_run_service_proxy":false}'
  'kube_network_plugin=kube-router {"kubeadm_enabled":true,"kube_router_run_service_proxy":true}'
  'kube_network_plugin=kube-router {"kubeadm_enabled":false,"kube_router_run_service_proxy":false}'
  'kube_network_plugin=kube-router {"kubeadm_enabled":false,"kube_router_run_service_proxy":true}'
 )
--- a/contrib/dind/test-some_distros-most_CNIs.env
+++ b/contrib/dind/test-some_distros-most_CNIs.env
@@ -0,0 +1,8 @@
 DISTROS=(debian centos)
 EXTRAS=(
  'kube_network_plugin=calico {"kubeadm_enabled":true}'
  'kube_network_plugin=canal {"kubeadm_enabled":true}'
  'kube_network_plugin=cilium {"kubeadm_enabled":true}'
  'kube_network_plugin=flannel {"kubeadm_enabled":true}'
  'kube_network_plugin=weave {"kubeadm_enabled":true}'
 )
--- a/contrib/metallb/README.md
+++ b/contrib/metallb/README.md
@@ -0,0 +1,10 @@
 # Deploy MetalLB into Kubespray/Kubernetes
 ```
 MetalLB hooks into your Kubernetes cluster, and provides a network load-balancer implementation. In short, it allows you to create Kubernetes services of type “LoadBalancer” in clusters that don’t run on a cloud provider, and thus cannot simply hook into paid products to provide load-balancers.
 ```
 This playbook aims to automate [this](https://metallb.universe.tf/tutorial/layer2/tutorial). It deploys MetalLB into kubernetes and sets up a layer 2 loadbalancer.
 ## Install
 ```
 ansible-playbook --ask-become -i inventory/sample/k8s_heketi_inventory.yml contrib/metallb/metallb.yml
 ```
--- a/contrib/metallb/metallb.yml
+++ b/contrib/metallb/metallb.yml
@@ -0,0 +1,6 @@
 ---
 - hosts: kube-master[0]
  tags:
    - "provision"
  roles:
    - { role: provision }
--- a/contrib/metallb/roles/provision/defaults/main.yml
+++ b/contrib/metallb/roles/provision/defaults/main.yml
@@ -0,0 +1,7 @@
 ---
 metallb:
  ip_range: "10.5.0.50-10.5.0.99"
  limits:
    cpu: "100m"
    memory: "100Mi"
  port: "7472"
--- a/contrib/metallb/roles/provision/tasks/main.yml
+++ b/contrib/metallb/roles/provision/tasks/main.yml
@@ -0,0 +1,17 @@
 ---
 - name: "Kubernetes Apps | Lay Down MetalLB"
  become: true
  template: { src: "{{ item }}.j2", dest: "{{ kube_config_dir }}/{{ item }}" }
  with_items: ["metallb.yml", "metallb-config.yml"]
  register: "rendering"
  when:
    - "inventory_hostname == groups['kube-master'][0]"
 - name: "Kubernetes Apps | Install and configure MetalLB"
  kube:
    name: "MetalLB"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/{{ item.item }}"
    state: "{{ item.changed | ternary('latest','present') }}"
  with_items: "{{ rendering.results }}"
  when:
    - "inventory_hostname == groups['kube-master'][0]"
--- a/contrib/metallb/roles/provision/templates/metallb-config.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb-config.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  namespace: metallb-system
  name: config
 data:
  config: |
    address-pools:
    - name: loadbalanced
      protocol: layer2
      addresses:
      - {{ metallb.ip_range }}
--- a/contrib/metallb/roles/provision/templates/metallb.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb.yml.j2
@@ -0,0 +1,254 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: metallb-system
  labels:
    app: metallb
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: metallb
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: metallb
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: metallb-system:controller
  labels:
    app: metallb
 rules:
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "update"]
 - apiGroups: [""]
  resources: ["services/status"]
  verbs: ["update"]
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
 rules:
 - apiGroups: [""]
  resources: ["services", "endpoints", "nodes"]
  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  namespace: metallb-system
  name: leader-election
  labels:
    app: metallb
 rules:
 - apiGroups: [""]
  resources: ["endpoints"]
  resourceNames: ["metallb-speaker"]
  verbs: ["get", "update"]
 - apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  namespace: metallb-system
  name: config-watcher
  labels:
    app: metallb
 rules:
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create"]
 ---
 ## Role bindings
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: metallb-system:controller
  labels:
    app: metallb
 subjects:
 - kind: ServiceAccount
  name: controller
  namespace: metallb-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
 subjects:
 - kind: ServiceAccount
  name: speaker
  namespace: metallb-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  namespace: metallb-system
  name: config-watcher
  labels:
    app: metallb
 subjects:
 - kind: ServiceAccount
  name: controller
 - kind: ServiceAccount
  name: speaker
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  namespace: metallb-system
  name: leader-election
  labels:
    app: metallb
 subjects:
 - kind: ServiceAccount
  name: speaker
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election
 ---
 apiVersion: apps/v1beta2
 kind: DaemonSet
 metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: metallb
    component: speaker
 spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      labels:
        app: metallb
        component: speaker
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ metallb.port }}"
    spec:
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      hostNetwork: true
      containers:
      - name: speaker
        image: metallb/speaker:v0.6.2
        imagePullPolicy: IfNotPresent
        args:
        - --port={{ metallb.port }}
        - --config=config
        env:
        - name: METALLB_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        ports:
        - name: monitoring
          containerPort: {{ metallb.port }}
        resources:
          limits:
            cpu: {{ metallb.limits.cpu }}
            memory: {{ metallb.limits.memory }}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - all
            add:
            - net_raw
 ---
 apiVersion: apps/v1beta2
 kind: Deployment
 metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: metallb
    component: controller
 spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      labels:
        app: metallb
        component: controller
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ metallb.port }}"
    spec:
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534 # nobody
      containers:
      - name: controller
        image: metallb/controller:v0.6.2
        imagePullPolicy: IfNotPresent
        args:
        - --port={{ metallb.port }}
        - --config=config
        ports:
        - name: monitoring
          containerPort: {{ metallb.port }}
        resources:
          limits:
            cpu: {{ metallb.limits.cpu }}
            memory: {{ metallb.limits.memory }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          readOnlyRootFilesystem: true
 ---
--- a/contrib/network-storage/glusterfs/inventory.example
+++ b/contrib/network-storage/glusterfs/inventory.example
@@ -12,7 +12,7 @@
 # ## As in the previous case, you can set ip to give direct communication on internal IPs
 # gfs_node1 ansible_ssh_host=95.54.0.18 # disk_volume_device_1=/dev/vdc  ip=10.3.0.7
 # gfs_node2 ansible_ssh_host=95.54.0.19 # disk_volume_device_1=/dev/vdc  ip=10.3.0.8 
-# gfs_node1 ansible_ssh_host=95.54.0.20 # disk_volume_device_1=/dev/vdc  ip=10.3.0.9 
+# gfs_node3 ansible_ssh_host=95.54.0.20 # disk_volume_device_1=/dev/vdc  ip=10.3.0.9 
 # [kube-master]
 # node1
--- a/contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml
@@ -2,7 +2,7 @@
 # For Ubuntu.
 glusterfs_default_release: ""
 glusterfs_ppa_use: yes
-glusterfs_ppa_version: "3.8"
+glusterfs_ppa_version: "4.1"
 # Gluster configuration.
 gluster_mount_dir: /mnt/gluster
--- a/contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml
@@ -2,7 +2,7 @@
 # For Ubuntu.
 glusterfs_default_release: ""
 glusterfs_ppa_use: yes
-glusterfs_ppa_version: "3.8"
+glusterfs_ppa_version: "3.12"
 # Gluster configuration.
 gluster_mount_dir: /mnt/gluster
--- a/contrib/network-storage/glusterfs/roles/glusterfs/server/vars/Debian.yml
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/server/vars/Debian.yml
@@ -1,2 +1,2 @@
 ---
-glusterfs_daemon: glusterfs-server
+glusterfs_daemon: glusterd
--- a/contrib/network-storage/heketi/README.md
+++ b/contrib/network-storage/heketi/README.md
@@ -0,0 +1,16 @@
 # Deploy Heketi/Glusterfs into Kubespray/Kubernetes
 This playbook aims to automate [this](https://github.com/heketi/heketi/blob/master/docs/admin/install-kubernetes.md) tutorial. It deploys heketi/glusterfs into kubernetes and sets up a storageclass.
 ## Client Setup
 Heketi provides a CLI that provides users with a means to administer the deployment and configuration of GlusterFS in Kubernetes. [Download and install the heketi-cli](https://github.com/heketi/heketi/releases) on your client machine.
 ## Install
 Copy the inventory.yml.sample over to inventory/sample/k8s_heketi_inventory.yml and change it according to your setup.
 ```
 ansible-playbook --ask-become -i inventory/sample/k8s_heketi_inventory.yml contrib/network-storage/heketi/heketi.yml
 ```
 ## Tear down
 ```
 ansible-playbook --ask-become -i inventory/sample/k8s_heketi_inventory.yml contrib/network-storage/heketi/heketi-tear-down.yml
 ```
--- a/contrib/network-storage/heketi/heketi-tear-down.yml
+++ b/contrib/network-storage/heketi/heketi-tear-down.yml
@@ -0,0 +1,9 @@
 ---
 - hosts: kube-master[0]
  roles:
    - { role: tear-down }
 - hosts: heketi-node
  become: yes
  roles:
    - { role: tear-down-disks }
--- a/contrib/network-storage/heketi/heketi.yml
+++ b/contrib/network-storage/heketi/heketi.yml
@@ -0,0 +1,10 @@
 ---
 - hosts: heketi-node
  roles:
    - { role: prepare }
 - hosts: kube-master[0]
  tags:
    - "provision"
  roles:
    - { role: provision }
--- a/contrib/network-storage/heketi/inventory.yml.sample
+++ b/contrib/network-storage/heketi/inventory.yml.sample
@@ -0,0 +1,26 @@
 all:
    vars:
        heketi_admin_key: "11elfeinhundertundelf"
        heketi_user_key: "!!einseinseins"
    children:
        k8s-cluster:
            vars:
                kubelet_fail_swap_on: false
            children:
                kube-master:
                    hosts:
                        node1:
                etcd:
                    hosts:
                        node2:
                kube-node:
                    hosts: &kube_nodes
                        node1:
                        node2:
                        node3:
                        node4:
                heketi-node:
                    vars:
                        disk_volume_device_1: "/dev/vdb"
                    hosts:
                        <<: *kube_nodes
--- a/contrib/network-storage/heketi/requirements.txt
+++ b/contrib/network-storage/heketi/requirements.txt
@@ -0,0 +1 @@
 jmespath
--- a/contrib/network-storage/heketi/roles/prepare/tasks/main.yml
+++ b/contrib/network-storage/heketi/roles/prepare/tasks/main.yml
@@ -0,0 +1,24 @@
 ---
 - name: "Load lvm kernel modules"
  become: true
  with_items:
      - "dm_snapshot"
      - "dm_mirror"
      - "dm_thin_pool"
  modprobe:
      name: "{{ item }}"
      state: "present"
 - name: "Install glusterfs mount utils (RedHat)"
  become: true
  yum:
      name: "glusterfs-fuse"
      state: "present"
  when: "ansible_os_family == 'RedHat'"
 - name: "Install glusterfs mount utils (Debian)"
  become: true
  apt:
      name: "glusterfs-client"
      state: "present"
  when: "ansible_os_family == 'Debian'"
--- a/contrib/network-storage/heketi/roles/provision/defaults/main.yml
+++ b/contrib/network-storage/heketi/roles/provision/defaults/main.yml
@@ -0,0 +1 @@
 ---
--- a/contrib/network-storage/heketi/roles/provision/handlers/main.yml
+++ b/contrib/network-storage/heketi/roles/provision/handlers/main.yml
@@ -0,0 +1,3 @@
 ---
 - name: "stop port forwarding"
  command: "killall "
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap.yml
@@ -0,0 +1,56 @@
 # Bootstrap heketi
 - name: "Get state of heketi service, deployment and pods."
  register: "initial_heketi_state"
  changed_when: false
  command: "{{ bin_dir }}/kubectl get services,deployments,pods --selector=deploy-heketi --output=json"
 - name: "Bootstrap heketi."
  when:
    - "(initial_heketi_state.stdout|from_json|json_query(\"items[?kind=='Service']\"))|length == 0"
    - "(initial_heketi_state.stdout|from_json|json_query(\"items[?kind=='Deployment']\"))|length == 0"
    - "(initial_heketi_state.stdout|from_json|json_query(\"items[?kind=='Pod']\"))|length == 0"
  include_tasks: "bootstrap/deploy.yml"
 # Prepare heketi topology
 - name: "Get heketi initial pod state."
  register: "initial_heketi_pod"
  command: "{{ bin_dir }}/kubectl get pods --selector=deploy-heketi=pod,glusterfs=heketi-pod,name=deploy-heketi --output=json"
  changed_when: false
 - name: "Ensure heketi bootstrap pod is up."
  assert:
    that: "(initial_heketi_pod.stdout|from_json|json_query('items[*]'))|length == 1"
 - set_fact:
    initial_heketi_pod_name: "{{ initial_heketi_pod.stdout|from_json|json_query(\"items[*].metadata.name|[0]\") }}"
 - name: "Test heketi topology."
  changed_when: false
  register: "heketi_topology"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
 - name: "Load heketi topology."
  when: "heketi_topology.stdout|from_json|json_query(\"clusters[*].nodes[*]\")|flatten|length == 0"
  include_tasks: "bootstrap/topology.yml"
 # Provision heketi database volume
 - name: "Prepare heketi volumes."
  include_tasks: "bootstrap/volumes.yml"
 # Remove bootstrap heketi
 - name: "Tear down bootstrap."
  include_tasks: "bootstrap/tear-down.yml"
 # Prepare heketi storage
 - name: "Test heketi storage."
  command: "{{ bin_dir }}/kubectl get secrets,endpoints,services,jobs --output=json"
  changed_when: false
  register: "heketi_storage_state"
 # ensure endpoints actually exist before trying to move database data to it
 - name: "Create heketi storage."
  include_tasks: "bootstrap/storage.yml"
  vars:
    secret_query: "items[?metadata.name=='heketi-storage-secret' && kind=='Secret']"
    endpoints_query: "items[?metadata.name=='heketi-storage-endpoints' && kind=='Endpoints']"
    service_query: "items[?metadata.name=='heketi-storage-endpoints' && kind=='Service']"
    job_query: "items[?metadata.name=='heketi-storage-copy-job' && kind=='Job']"
  when:
    - "heketi_storage_state.stdout|from_json|json_query(secret_query)|length == 0"
    - "heketi_storage_state.stdout|from_json|json_query(endpoints_query)|length == 0"
    - "heketi_storage_state.stdout|from_json|json_query(service_query)|length == 0"
    - "heketi_storage_state.stdout|from_json|json_query(job_query)|length == 0"
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/deploy.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/deploy.yml
@@ -0,0 +1,24 @@
 ---
 - name: "Kubernetes Apps | Lay Down Heketi Bootstrap"
  become: true
  template: { src: "heketi-bootstrap.json.j2", dest: "{{ kube_config_dir }}/heketi-bootstrap.json" }
  register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Bootstrap"
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/heketi-bootstrap.json"
    state: "{{ rendering.changed | ternary('latest', 'present') }}"
 - name: "Wait for heketi bootstrap to complete."
  changed_when: false
  register: "initial_heketi_state"
  vars:
    initial_heketi_state: { stdout: "{}" }
    pods_query: "items[?kind=='Pod'].status.conditions|[0][?type=='Ready'].status|[0]"
    deployments_query: "items[?kind=='Deployment'].status.conditions|[0][?type=='Available'].status|[0]"
  command: "{{ bin_dir }}/kubectl get services,deployments,pods --selector=deploy-heketi --output=json"
  until:
      - "initial_heketi_state.stdout|from_json|json_query(pods_query) == 'True'"
      - "initial_heketi_state.stdout|from_json|json_query(deployments_query) == 'True'"
  retries: 60
  delay: 5
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/storage.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/storage.yml
@@ -0,0 +1,33 @@
 ---
 - name: "Test heketi storage."
  command: "{{ bin_dir }}/kubectl get secrets,endpoints,services,jobs --output=json"
  changed_when: false
  register: "heketi_storage_state"
 - name: "Create heketi storage."
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/heketi-storage-bootstrap.json"
    state: "present"
  vars:
    secret_query: "items[?metadata.name=='heketi-storage-secret' && kind=='Secret']"
    endpoints_query: "items[?metadata.name=='heketi-storage-endpoints' && kind=='Endpoints']"
    service_query: "items[?metadata.name=='heketi-storage-endpoints' && kind=='Service']"
    job_query: "items[?metadata.name=='heketi-storage-copy-job' && kind=='Job']"
  when:
    - "heketi_storage_state.stdout|from_json|json_query(secret_query)|length == 0"
    - "heketi_storage_state.stdout|from_json|json_query(endpoints_query)|length == 0"
    - "heketi_storage_state.stdout|from_json|json_query(service_query)|length == 0"
    - "heketi_storage_state.stdout|from_json|json_query(job_query)|length == 0"
  register: "heketi_storage_result"
 - name: "Get state of heketi database copy job."
  command: "{{ bin_dir }}/kubectl get jobs --output=json"
  changed_when: false
  register: "heketi_storage_state"
  vars:
    heketi_storage_state: { stdout: "{}" }
    job_query: "items[?metadata.name=='heketi-storage-copy-job' && kind=='Job' && status.succeeded==1]"
  until:
    - "heketi_storage_state.stdout|from_json|json_query(job_query)|length == 1"
  retries: 60
  delay: 5
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/tear-down.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/tear-down.yml
@@ -0,0 +1,14 @@
 ---
 - name: "Get existing Heketi deploy resources."
  command: "{{ bin_dir }}/kubectl get all --selector=\"deploy-heketi\" -o=json"
  register: "heketi_resources"
  changed_when: false
 - name: "Delete bootstrap Heketi."
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"deploy-heketi\""
  when: "heketi_resources.stdout|from_json|json_query('items[*]')|length > 0"
 - name: "Ensure there is nothing left over."
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"deploy-heketi\" -o=json"
  register: "heketi_result"
  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
  retries: 60
  delay: 5
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml
@@ -0,0 +1,26 @@
 ---
 - name: "Get heketi topology."
  changed_when: false
  register: "heketi_topology"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
 - name: "Render heketi topology template."
  become: true
  vars: { nodes: "{{ groups['heketi-node'] }}" }
  register: "render"
  template:
    src: "topology.json.j2"
    dest: "{{ kube_config_dir }}/topology.json"
 - name: "Copy topology configuration into container."
  changed_when: false
  command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ initial_heketi_pod_name }}:/tmp/topology.json"
 - name: "Load heketi topology."
  when: "render.changed"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology load --json=/tmp/topology.json"
  register: "load_heketi"
 - name: "Get heketi topology."
  changed_when: false
  register: "heketi_topology"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
  until: "heketi_topology.stdout|from_json|json_query(\"clusters[*].nodes[*].devices[?state=='online'].id\")|flatten|length == groups['heketi-node']|length"
  retries: 60
  delay: 5
--- a/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/volumes.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/bootstrap/volumes.yml
@@ -0,0 +1,41 @@
 ---
 - name: "Get heketi volume ids."
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} volume list --json"
  changed_when: false
  register: "heketi_volumes"
 - name: "Get heketi volumes."
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} volume info {{ volume_id }} --json"
  with_items: "{{ heketi_volumes.stdout|from_json|json_query(\"volumes[*]\") }}"
  loop_control: { loop_var: "volume_id" }
  register: "volumes_information"
 - name: "Test heketi database volume."
  set_fact: { heketi_database_volume_exists: true }
  with_items: "{{ volumes_information.results }}"
  loop_control: { loop_var: "volume_information" }
  vars: { volume: "{{ volume_information.stdout|from_json }}" }
  when: "volume.name == 'heketidbstorage'"
 - name: "Provision database volume."
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} setup-openshift-heketi-storage"
  when: "heketi_database_volume_exists is undefined"
 - name: "Copy configuration from pod."
  become: true
  command: "{{ bin_dir }}/kubectl cp {{ initial_heketi_pod_name }}:/heketi-storage.json {{ kube_config_dir }}/heketi-storage-bootstrap.json"
 - name: "Get heketi volume ids."
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} volume list --json"
  changed_when: false
  register: "heketi_volumes"
 - name: "Get heketi volumes."
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} volume info {{ volume_id }} --json"
  with_items: "{{ heketi_volumes.stdout|from_json|json_query(\"volumes[*]\") }}"
  loop_control: { loop_var: "volume_id" }
  register: "volumes_information"
 - name: "Test heketi database volume."
  set_fact: { heketi_database_volume_created: true }
  with_items: "{{ volumes_information.results }}"
  loop_control: { loop_var: "volume_information" }
  vars: { volume: "{{ volume_information.stdout|from_json }}" }
  when: "volume.name == 'heketidbstorage'"
 - name: "Ensure heketi database volume exists."
  assert: { that: "heketi_database_volume_created is defined" , msg: "Heketi database volume does not exist." }
--- a/contrib/network-storage/heketi/roles/provision/tasks/cleanup.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/cleanup.yml
@@ -0,0 +1,4 @@
 ---
 - name: "Clean up left over jobs."
  command: "{{ bin_dir }}/kubectl delete jobs,pods --selector=\"deploy-heketi\""
  changed_when: false
--- a/contrib/network-storage/heketi/roles/provision/tasks/glusterfs.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/glusterfs.yml
@@ -0,0 +1,38 @@
 ---
 - name: "Kubernetes Apps | Lay Down GlusterFS Daemonset"
  template: { src: "glusterfs-daemonset.json.j2", dest: "{{ kube_config_dir }}/glusterfs-daemonset.json" }
  become: true
  register: "rendering"
 - name: "Kubernetes Apps | Install and configure GlusterFS daemonset"
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/glusterfs-daemonset.json"
    state: "{{ rendering.changed | ternary('latest', 'present') }}"
 - name: "Kubernetes Apps | Label GlusterFS nodes"
  include_tasks: "glusterfs/label.yml"
  with_items: "{{ groups['heketi-node'] }}"
  loop_control:
    loop_var: "node"
 - name: "Kubernetes Apps | Wait for daemonset to become available."
  register: "daemonset_state"
  command: "{{ bin_dir }}/kubectl get daemonset glusterfs --output=json --ignore-not-found=true"
  changed_when: false
  vars:
    daemonset_state: { stdout: "{}" }
    ready: "{{ daemonset_state.stdout|from_json|json_query(\"status.numberReady\") }}"
    desired: "{{ daemonset_state.stdout|from_json|json_query(\"status.desiredNumberScheduled\") }}"
  until: "ready | int >= 3"
  retries: 60
  delay: 5
 - name: "Kubernetes Apps | Lay Down Heketi Service Account"
  template: { src: "heketi-service-account.json.j2", dest: "{{ kube_config_dir }}/heketi-service-account.json" }
  become: true
  register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Service Account"
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/heketi-service-account.json"
    state: "{{ rendering.changed | ternary('latest', 'present') }}"
--- a/contrib/network-storage/heketi/roles/provision/tasks/glusterfs/label.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/glusterfs/label.yml
@@ -0,0 +1,11 @@
 ---
 - register: "label_present"
  command: "{{ bin_dir }}/kubectl get node --selector=storagenode=glusterfs,kubernetes.io/hostname={{ node }} --ignore-not-found=true"
  changed_when: false
 - name: "Assign storage label"
  when: "label_present.stdout_lines|length == 0"
  command: "{{ bin_dir }}/kubectl label node {{ node }} storagenode=glusterfs"
 - register: "label_present"
  command: "{{ bin_dir }}/kubectl get node --selector=storagenode=glusterfs,kubernetes.io/hostname={{ node }} --ignore-not-found=true"
  changed_when: false
 - assert: { that: "label_present|length > 0", msg: "Node {{ node }} has not been assigned with label storagenode=glusterfs." }
--- a/contrib/network-storage/heketi/roles/provision/tasks/heketi.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/heketi.yml
@@ -0,0 +1,26 @@
 ---
 - name: "Kubernetes Apps | Lay Down Heketi"
  become: true
  template: { src: "heketi-deployment.json.j2", dest: "{{ kube_config_dir }}/heketi-deployment.json" }
  register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi"
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/heketi-deployment.json"
    state: "{{ rendering.changed | ternary('latest', 'present') }}"
 - name: "Ensure heketi is up and running."
  changed_when: false
  register: "heketi_state"
  vars:
    heketi_state: { stdout: "{}" }
    pods_query: "items[?kind=='Pod'].status.conditions|[0][?type=='Ready'].status|[0]"
    deployments_query: "items[?kind=='Deployment'].status.conditions|[0][?type=='Available'].status|[0]"
  command: "{{ bin_dir }}/kubectl get deployments,pods --selector=glusterfs --output=json"
  until:
      - "heketi_state.stdout|from_json|json_query(pods_query) == 'True'"
      - "heketi_state.stdout|from_json|json_query(deployments_query) == 'True'"
  retries: 60
  delay: 5
 - set_fact:
    heketi_pod_name: "{{ heketi_state.stdout|from_json|json_query(\"items[?kind=='Pod'].metadata.name|[0]\") }}"
--- a/contrib/network-storage/heketi/roles/provision/tasks/main.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/main.yml
@@ -0,0 +1,30 @@
 ---
 - name: "Kubernetes Apps | GlusterFS"
  include_tasks: "glusterfs.yml"
 - name: "Kubernetes Apps | Heketi Secrets"
  include_tasks: "secret.yml"
 - name: "Kubernetes Apps | Test Heketi"
  register: "heketi_service_state"
  command: "{{bin_dir}}/kubectl get service heketi-storage-endpoints -o=name --ignore-not-found=true"
  changed_when: false
 - name: "Kubernetes Apps | Bootstrap Heketi"
  when: "heketi_service_state.stdout == \"\""
  include_tasks: "bootstrap.yml"
 - name: "Kubernetes Apps | Heketi"
  include_tasks: "heketi.yml"
 - name: "Kubernetes Apps | Heketi Topology"
  include_tasks: "topology.yml"
 - name: "Kubernetes Apps | Heketi Storage"
  include_tasks: "storage.yml"
 - name: "Kubernetes Apps | Storage Class"
  include_tasks: "storageclass.yml"
 - name: "Clean up"
  include_tasks: "cleanup.yml"
--- a/contrib/network-storage/heketi/roles/provision/tasks/secret.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/secret.yml
@@ -0,0 +1,27 @@
 ---
 - register: "clusterrolebinding_state"
  command: "{{bin_dir}}/kubectl get clusterrolebinding heketi-gluster-admin -o=name --ignore-not-found=true"
  changed_when: false
 - name: "Kubernetes Apps | Deploy cluster role binding."
  when: "clusterrolebinding_state.stdout == \"\""
  command: "{{bin_dir}}/kubectl create clusterrolebinding heketi-gluster-admin --clusterrole=edit --serviceaccount=default:heketi-service-account"
 - register: "clusterrolebinding_state"
  command: "{{bin_dir}}/kubectl get clusterrolebinding heketi-gluster-admin -o=name --ignore-not-found=true"
  changed_when: false
 - assert: { that: "clusterrolebinding_state.stdout != \"\"", message: "Cluster role binding is not present." }
 - register: "secret_state"
  command: "{{bin_dir}}/kubectl get secret heketi-config-secret -o=name --ignore-not-found=true"
  changed_when: false
 - name: "Render Heketi secret configuration."
  become: true
  template:
    src: "heketi.json.j2"
    dest: "{{ kube_config_dir }}/heketi.json"
 - name: "Deploy Heketi config secret"
  when: "secret_state.stdout == \"\""
  command: "{{bin_dir}}/kubectl create secret generic heketi-config-secret --from-file={{ kube_config_dir }}/heketi.json"
 - register: "secret_state"
  command: "{{bin_dir}}/kubectl get secret heketi-config-secret -o=name --ignore-not-found=true"
  changed_when: false
 - assert: { that: "secret_state.stdout != \"\"", message: "Heketi config secret is not present." }
--- a/contrib/network-storage/heketi/roles/provision/tasks/storage.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/storage.yml
@@ -0,0 +1,12 @@
 ---
 - name: "Kubernetes Apps | Lay Down Heketi Storage"
  become: true
  vars: { nodes: "{{ groups['heketi-node'] }}" }
  template: { src: "heketi-storage.json.j2", dest: "{{ kube_config_dir }}/heketi-storage.json" }
  register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Storage"
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/heketi-storage.json"
    state: "{{ rendering.changed | ternary('latest', 'present') }}"
--- a/contrib/network-storage/heketi/roles/provision/tasks/storageclass.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/storageclass.yml
@@ -0,0 +1,25 @@
 ---
 - name: "Test storage class."
  command: "{{ bin_dir }}/kubectl get storageclass gluster --ignore-not-found=true --output=json"
  register: "storageclass"
  changed_when: false
 - name: "Test heketi service."
  command: "{{ bin_dir }}/kubectl get service heketi --ignore-not-found=true --output=json"
  register: "heketi_service"
  changed_when: false
 - name: "Ensure heketi service is available."
  assert: { that: "heketi_service.stdout != \"\""  }
 - name: "Render storage class configuration."
  become: true
  vars:
    endpoint_address: "{{ (heketi_service.stdout|from_json).spec.clusterIP }}"
  template:
    src: "storageclass.yml.j2"
    dest: "{{ kube_config_dir }}/storageclass.yml"
  register: "rendering"
 - name: "Kubernetes Apps | Install and configure Storace Class"
  kube:
    name: "GlusterFS"
    kubectl: "{{bin_dir}}/kubectl"
    filename: "{{ kube_config_dir }}/storageclass.yml"
    state: "{{ rendering.changed | ternary('latest', 'present') }}"
--- a/contrib/network-storage/heketi/roles/provision/tasks/topology.yml
+++ b/contrib/network-storage/heketi/roles/provision/tasks/topology.yml
@@ -0,0 +1,25 @@
 ---
 - name: "Get heketi topology."
  register: "heketi_topology"
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
 - name: "Render heketi topology template."
  become: true
  vars: { nodes: "{{ groups['heketi-node'] }}" }
  register: "rendering"
  template:
    src: "topology.json.j2"
    dest: "{{ kube_config_dir }}/topology.json"
 - name: "Copy topology configuration into container."
  when: "rendering.changed"
  command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ heketi_pod_name }}:/tmp/topology.json"
 - name: "Load heketi topology."
  when: "rendering.changed"
  command: "{{ bin_dir }}/kubectl exec {{ heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology load --json=/tmp/topology.json"
 - name: "Get heketi topology."
  register: "heketi_topology"
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
  until: "heketi_topology.stdout|from_json|json_query(\"clusters[*].nodes[*].devices[?state=='online'].id\")|flatten|length == groups['heketi-node']|length"
  retries: 60
  delay: 5
--- a/contrib/network-storage/heketi/roles/provision/templates/glusterfs-daemonset.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/glusterfs-daemonset.json.j2
@@ -0,0 +1,144 @@
 {
    "kind": "DaemonSet",
    "apiVersion": "extensions/v1beta1",
    "metadata": {
        "name": "glusterfs",
        "labels": {
            "glusterfs": "deployment"
        },
        "annotations": {
            "description": "GlusterFS Daemon Set",
            "tags": "glusterfs"
        }
    },
    "spec": {
        "template": {
            "metadata": {
                "name": "glusterfs",
                "labels": {
                    "glusterfs-node": "daemonset"
                }
            },
            "spec": {
                "nodeSelector": {
                    "storagenode" : "glusterfs"
                },
                "hostNetwork": true,
                "containers": [
                    {
                        "image": "gluster/gluster-centos:gluster4u0_centos7",
                        "imagePullPolicy": "IfNotPresent",
                        "name": "glusterfs",
                        "volumeMounts": [
                            {
                                "name": "glusterfs-heketi",
                                "mountPath": "/var/lib/heketi"
                            },
                            {
                                "name": "glusterfs-run",
                                "mountPath": "/run"
                            },
                            {
                                "name": "glusterfs-lvm",
                                "mountPath": "/run/lvm"
                            },
                            {
                                "name": "glusterfs-etc",
                                "mountPath": "/etc/glusterfs"
                            },
                            {
                                "name": "glusterfs-logs",
                                "mountPath": "/var/log/glusterfs"
                            },
                            {
                                "name": "glusterfs-config",
                                "mountPath": "/var/lib/glusterd"
                            },
                            {
                                "name": "glusterfs-dev",
                                "mountPath": "/dev"
                            },
                            {
                                "name": "glusterfs-cgroup",
                                "mountPath": "/sys/fs/cgroup"
                            }
                        ],
                        "securityContext": {
                            "capabilities": {},
                            "privileged": true
                        },
                        "readinessProbe": {
                            "timeoutSeconds": 3,
                            "initialDelaySeconds": 60,
                            "exec": {
                                "command": [
                                    "/bin/bash",
                                    "-c",
                                    "systemctl status glusterd.service"
                                ]
                            }
                        },
                        "livenessProbe": {
                            "timeoutSeconds": 3,
                            "initialDelaySeconds": 60,
                            "exec": {
                                "command": [
                                    "/bin/bash",
                                    "-c",
                                    "systemctl status glusterd.service"
                                ]
                            }
                        }
                    }
                ],
                "volumes": [
                    {
                        "name": "glusterfs-heketi",
                        "hostPath": {
                            "path": "/var/lib/heketi"
                        }
                    },
                    {
                        "name": "glusterfs-run"
                    },
                    {
                        "name": "glusterfs-lvm",
                        "hostPath": {
                            "path": "/run/lvm"
                        }
                    },
                    {
                        "name": "glusterfs-etc",
                        "hostPath": {
                            "path": "/etc/glusterfs"
                        }
                    },
                    {
                        "name": "glusterfs-logs",
                        "hostPath": {
                            "path": "/var/log/glusterfs"
                        }
                    },
                    {
                        "name": "glusterfs-config",
                        "hostPath": {
                            "path": "/var/lib/glusterd"
                        }
                    },
                    {
                        "name": "glusterfs-dev",
                        "hostPath": {
                            "path": "/dev"
                        }
                    },
                    {
                        "name": "glusterfs-cgroup",
                        "hostPath": {
                            "path": "/sys/fs/cgroup"
                        }
                    }
                ]
            }
        }
    }
 }
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi-bootstrap.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi-bootstrap.json.j2
@@ -0,0 +1,133 @@
 {
  "kind": "List",
  "apiVersion": "v1",
  "items": [
    {
      "kind": "Service",
      "apiVersion": "v1",
      "metadata": {
        "name": "deploy-heketi",
        "labels": {
          "glusterfs": "heketi-service",
          "deploy-heketi": "support"
        },
        "annotations": {
          "description": "Exposes Heketi Service"
        }
      },
      "spec": {
        "selector": {
          "name": "deploy-heketi"
        },
        "ports": [
          {
            "name": "deploy-heketi",
            "port": 8080,
            "targetPort": 8080
          }
        ]
      }
    },
    {
      "kind": "Deployment",
      "apiVersion": "extensions/v1beta1",
      "metadata": {
        "name": "deploy-heketi",
        "labels": {
          "glusterfs": "heketi-deployment",
          "deploy-heketi": "deployment"
        },
        "annotations": {
          "description": "Defines how to deploy Heketi"
        }
      },
      "spec": {
        "replicas": 1,
        "template": {
          "metadata": {
            "name": "deploy-heketi",
            "labels": {
              "name": "deploy-heketi",
              "glusterfs": "heketi-pod",
              "deploy-heketi": "pod"
            }
          },
          "spec": {
            "serviceAccountName": "heketi-service-account",
            "containers": [
              {
                "image": "heketi/heketi:7",
                "imagePullPolicy": "Always",
                "name": "deploy-heketi",
                "env": [
                  {
                    "name": "HEKETI_EXECUTOR",
                    "value": "kubernetes"
                  },
                  {
                    "name": "HEKETI_DB_PATH",
                    "value": "/var/lib/heketi/heketi.db"
                  },
                  {
                    "name": "HEKETI_FSTAB",
                    "value": "/var/lib/heketi/fstab"
                  },
                  {
                    "name": "HEKETI_SNAPSHOT_LIMIT",
                    "value": "14"
                  },
                  {
                    "name": "HEKETI_KUBE_GLUSTER_DAEMONSET",
                    "value": "y"
                  }
                ],
                "ports": [
                  {
                    "containerPort": 8080
                  }
                ],
                "volumeMounts": [
                  {
                    "name": "db",
                    "mountPath": "/var/lib/heketi"
                  },
                  {
                    "name": "config",
                    "mountPath": "/etc/heketi"
                  }
                ],
                "readinessProbe": {
                  "timeoutSeconds": 3,
                  "initialDelaySeconds": 3,
                  "httpGet": {
                    "path": "/hello",
                    "port": 8080
                  }
                },
                "livenessProbe": {
                  "timeoutSeconds": 3,
                  "initialDelaySeconds": 30,
                  "httpGet": {
                    "path": "/hello",
                    "port": 8080
                  }
                }
              }
            ],
            "volumes": [
              {
                "name": "db"
              },
              {
                "name": "config",
                "secret": {
                  "secretName": "heketi-config-secret"
                }
              }
            ]
          }
        }
      }
    }
  ]
 }
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi-deployment.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi-deployment.json.j2
@@ -0,0 +1,159 @@
 {
  "kind": "List",
  "apiVersion": "v1",
  "items": [
    {
      "kind": "Secret",
      "apiVersion": "v1",
      "metadata": {
        "name": "heketi-db-backup",
        "labels": {
          "glusterfs": "heketi-db",
          "heketi": "db"
        }
      },
      "data": {
      },
      "type": "Opaque"
    },
    {
      "kind": "Service",
      "apiVersion": "v1",
      "metadata": {
        "name": "heketi",
        "labels": {
          "glusterfs": "heketi-service",
          "deploy-heketi": "support"
        },
        "annotations": {
          "description": "Exposes Heketi Service"
        }
      },
      "spec": {
        "selector": {
          "name": "heketi"
        },
        "ports": [
          {
            "name": "heketi",
            "port": 8080,
            "targetPort": 8080
          }
        ]
      }
    },
    {
      "kind": "Deployment",
      "apiVersion": "extensions/v1beta1",
      "metadata": {
        "name": "heketi",
        "labels": {
          "glusterfs": "heketi-deployment"
        },
        "annotations": {
          "description": "Defines how to deploy Heketi"
        }
      },
      "spec": {
        "replicas": 1,
        "template": {
          "metadata": {
            "name": "heketi",
            "labels": {
              "name": "heketi",
              "glusterfs": "heketi-pod"
            }
          },
          "spec": {
            "serviceAccountName": "heketi-service-account",
            "containers": [
              {
                "image": "heketi/heketi:7",
                "imagePullPolicy": "Always",
                "name": "heketi",
                "env": [
                  {
                    "name": "HEKETI_EXECUTOR",
                    "value": "kubernetes"
                  },
                  {
                    "name": "HEKETI_DB_PATH",
                    "value": "/var/lib/heketi/heketi.db"
                  },
                  {
                    "name": "HEKETI_FSTAB",
                    "value": "/var/lib/heketi/fstab"
                  },
                  {
                    "name": "HEKETI_SNAPSHOT_LIMIT",
                    "value": "14"
                  },
                  {
                    "name": "HEKETI_KUBE_GLUSTER_DAEMONSET",
                    "value": "y"
                  }
                ],
                "ports": [
                  {
                    "containerPort": 8080
                  }
                ],
                "volumeMounts": [
                  {
                    "mountPath": "/backupdb",
                    "name": "heketi-db-secret"
                  },
                  {
                    "name": "db",
                    "mountPath": "/var/lib/heketi"
                  },
                  {
                    "name": "config",
                    "mountPath": "/etc/heketi"
                  }
                ],
                "readinessProbe": {
                  "timeoutSeconds": 3,
                  "initialDelaySeconds": 3,
                  "httpGet": {
                    "path": "/hello",
                    "port": 8080
                  }
                },
                "livenessProbe": {
                  "timeoutSeconds": 3,
                  "initialDelaySeconds": 30,
                  "httpGet": {
                    "path": "/hello",
                    "port": 8080
                  }
                }
              }
            ],
            "volumes": [
              {
                "name": "db",
                "glusterfs": {
                  "endpoints": "heketi-storage-endpoints",
                  "path": "heketidbstorage"
                }
              },
              {
                "name": "heketi-db-secret",
                "secret": {
                  "secretName": "heketi-db-backup"
                }
              },
              {
                "name": "config",
                "secret": {
                  "secretName": "heketi-config-secret"
                }
              }
            ]
          }
        }
      }
    }
  ]
 }
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi-service-account.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi-service-account.json.j2
@@ -0,0 +1,7 @@
 {
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "name": "heketi-service-account"
  }
 }
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi-storage.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi-storage.json.j2
@@ -0,0 +1,54 @@
 {
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "kind": "Endpoints",
      "apiVersion": "v1",
      "metadata": {
        "name": "heketi-storage-endpoints",
        "creationTimestamp": null
      },
      "subsets": [
 {% set nodeblocks = [] %}
 {% for node in nodes %}
 {% set nodeblock %}
        {
          "addresses": [
            {
              "ip": "{{ hostvars[node]['ansible_facts']['default_ipv4']['address'] }}"
            }
          ],
          "ports": [
            {
              "port": 1
            }
          ]
        }
 {% endset %}
 {% if nodeblocks.append(nodeblock) %}{% endif %}
 {% endfor %}
 {{ nodeblocks|join(',') }}
      ]
    },
    {
      "kind": "Service",
      "apiVersion": "v1",
      "metadata": {
        "name": "heketi-storage-endpoints",
        "creationTimestamp": null
      },
      "spec": {
        "ports": [
          {
            "port": 1,
            "targetPort": 0
          }
        ]
      },
      "status": {
        "loadBalancer": {}
      }
    }
  ]
 }
--- a/contrib/network-storage/heketi/roles/provision/templates/heketi.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/heketi.json.j2
@@ -0,0 +1,44 @@
 {
  "_port_comment": "Heketi Server Port Number",
  "port": "8080",
  "_use_auth": "Enable JWT authorization. Please enable for deployment",
  "use_auth": true,
  "_jwt": "Private keys for access",
  "jwt": {
    "_admin": "Admin has access to all APIs",
    "admin": {
      "key": "{{ heketi_admin_key }}"
    },
    "_user": "User only has access to /volumes endpoint",
    "user": {
      "key": "{{ heketi_user_key }}"
    }
  },
  "_glusterfs_comment": "GlusterFS Configuration",
  "glusterfs": {
    "_executor_comment": "Execute plugin. Possible choices: mock, kubernetes, ssh",
    "executor": "kubernetes",
    "_db_comment": "Database file name",
    "db": "/var/lib/heketi/heketi.db",
    "kubeexec": {
      "rebalance_on_expansion": true
    },
    "sshexec": {
      "rebalance_on_expansion": true,
      "keyfile": "/etc/heketi/private_key",
      "fstab": "/etc/fstab",
      "port": "22",
      "user": "root",
      "sudo": false
    }
  },
  "_backup_db_to_kube_secret": "Backup the heketi database to a Kubernetes secret when running in Kubernetes. Default is off.",
  "backup_db_to_kube_secret": false
 }
--- a/contrib/network-storage/heketi/roles/provision/templates/storageclass.yml.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/storageclass.yml.j2
@@ -0,0 +1,12 @@
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: gluster
  annotations:
    storageclass.beta.kubernetes.io/is-default-class: "true"
 provisioner: kubernetes.io/glusterfs
 parameters:
  resturl: "http://{{ endpoint_address }}:8080"
  restuser: "admin"
  restuserkey: "{{ heketi_admin_key }}"
--- a/contrib/network-storage/heketi/roles/provision/templates/topology.json.j2
+++ b/contrib/network-storage/heketi/roles/provision/templates/topology.json.j2
@@ -0,0 +1,34 @@
 {
  "clusters": [
    {
      "nodes": [
 {% set nodeblocks = [] %}
 {% for node in nodes %}
 {% set nodeblock %}
        {
          "node": {
            "hostnames": {
              "manage": [
                "{{ node }}"
              ],
              "storage": [
                "{{ hostvars[node]['ansible_facts']['default_ipv4']['address'] }}"
              ]
            },
            "zone": 1
          },
          "devices": [
            {
              "name": "{{ hostvars[node]['disk_volume_device_1'] }}",
              "destroydata": false
            }
          ]
        }
 {% endset %}
 {% if nodeblocks.append(nodeblock) %}{% endif %}
 {% endfor %}
 {{ nodeblocks|join(',') }}
      ]
    }
  ]
 }
--- a/contrib/network-storage/heketi/roles/tear-down-disks/tasks/main.yml
+++ b/contrib/network-storage/heketi/roles/tear-down-disks/tasks/main.yml
@@ -0,0 +1,46 @@
 ---
 - name: "Install lvm utils (RedHat)"
  become: true
  yum:
      name: "lvm2"
      state: "present"
  when: "ansible_os_family == 'RedHat'"
 - name: "Install lvm utils (Debian)"
  become: true
  apt:
      name: "lvm2"
      state: "present"
  when: "ansible_os_family == 'Debian'"
 - name: "Get volume group information."
  become: true
  shell: "pvs {{ disk_volume_device_1 }} --option vg_name | tail -n+2"
  register: "volume_groups"
  ignore_errors: true
  changed_when: false
 - name: "Remove volume groups."
  become: true
  command: "vgremove {{ volume_group }} --yes"
  with_items: "{{ volume_groups.stdout_lines }}"
  loop_control: { loop_var: "volume_group" }
 - name: "Remove physical volume from cluster disks."
  become: true
  command: "pvremove {{ disk_volume_device_1 }} --yes"
  ignore_errors: true
 - name: "Remove lvm utils (RedHat)"
  become: true
  yum:
      name: "lvm2"
      state: "absent"
  when: "ansible_os_family == 'RedHat'"
 - name: "Remove lvm utils (Debian)"
  become: true
  apt:
      name: "lvm2"
      state: "absent"
  when: "ansible_os_family == 'Debian'"
--- a/contrib/network-storage/heketi/roles/tear-down/tasks/main.yml
+++ b/contrib/network-storage/heketi/roles/tear-down/tasks/main.yml
@@ -0,0 +1,51 @@
 ---
 - name: "Remove storage class."
  command: "{{ bin_dir }}/kubectl delete storageclass gluster"
  ignore_errors: true
 - name: "Tear down heketi."
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\""
  ignore_errors: true
 - name: "Tear down heketi."
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\""
  ignore_errors: true
 - name: "Tear down bootstrap."
  include_tasks: "../provision/tasks/bootstrap/tear-down.yml"
 - name: "Ensure there is nothing left over."
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\" -o=json"
  register: "heketi_result"
  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
  retries: 60
  delay: 5
 - name: "Ensure there is nothing left over."
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\" -o=json"
  register: "heketi_result"
  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
  retries: 60
  delay: 5
 - name: "Tear down glusterfs."
  command: "{{ bin_dir }}/kubectl delete daemonset.extensions/glusterfs"
  ignore_errors: true
 - name: "Remove heketi storage service."
  command: "{{ bin_dir }}/kubectl delete service heketi-storage-endpoints"
  ignore_errors: true
 - name: "Remove heketi gluster role binding"
  command: "{{ bin_dir }}/kubectl delete clusterrolebinding heketi-gluster-admin"
  ignore_errors: true
 - name: "Remove heketi config secret"
  command: "{{ bin_dir }}/kubectl delete secret heketi-config-secret"
  ignore_errors: true
 - name: "Remove heketi db backup"
  command: "{{ bin_dir }}/kubectl delete secret heketi-db-backup"
  ignore_errors: true
 - name: "Remove heketi service account"
  command: "{{ bin_dir }}/kubectl delete serviceaccount heketi-service-account"
  ignore_errors: true
 - name: "Get secrets"
  command: "{{ bin_dir }}/kubectl get secrets --output=\"json\""
  register: "secrets"
  changed_when: false
 - name: "Remove heketi storage secret"
  vars: { storage_query: "items[?metadata.annotations.\"kubernetes.io/service-account.name\"=='heketi-service-account'].metadata.name|[0]" }
  command: "{{ bin_dir }}/kubectl delete secret {{ secrets.stdout|from_json|json_query(storage_query) }}"
  when: "storage_query is defined"
  ignore_errors: true
--- a/contrib/packaging/rpm/kubespray.spec
+++ b/contrib/packaging/rpm/kubespray.spec
@@ -20,7 +20,7 @@ BuildRequires:  python2-setuptools
 BuildRequires:  python-d2to1
 BuildRequires:  python2-pbr
-Requires: ansible >= 2.4.0
+Requires: ansible >= 2.5.0
 Requires: python-jinja2 >= 2.10
 Requires: python-netaddr
 Requires: python-pbr
--- a/contrib/terraform/aws/README.md
+++ b/contrib/terraform/aws/README.md
@@ -22,8 +22,6 @@ export TF_VAR_AWS_SECRET_ACCESS_KEY ="xxx"
 export TF_VAR_AWS_SSH_KEY_NAME="yyy"
 export TF_VAR_AWS_DEFAULT_REGION="zzz"
 ```
 - Rename `contrib/terraform/aws/terraform.tfvars.example` to `terraform.tfvars`
 - Update `contrib/terraform/aws/terraform.tfvars` with your data. By default, the Terraform scripts use CoreOS as base image. If you want to change this behaviour, see note "Using other distrib than CoreOs" below.
 - Create an AWS EC2 SSH Key
 - Run with `terraform apply --var-file="credentials.tfvars"` or `terraform apply` depending if you exported your AWS credentials
@@ -45,7 +43,7 @@ ssh -F ./ssh-bastion.conf user@$ip
 Example (this one assumes you are using CoreOS)
 ```commandline
-ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache
+ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_user=core -b --become-user=root --flush-cache
 ```
 ***Using other distrib than CoreOs***
 If you want to use another distribution than CoreOS, you can modify the search filters of the 'data "aws_ami" "distro"' in variables.tf.
@@ -113,9 +111,9 @@ the `AWS CLI` with the following command:
 aws iam delete-instance-profile --region <region_name> --instance-profile-name <profile_name>
 ```
-***Ansible Inventory doesnt get created:***
+***Ansible Inventory doesn't get created:***
-It could happen that Terraform doesnt create an Ansible Inventory file automatically. If this is the case copy the output after `inventory=` and create a file named `hosts`in the directory `inventory` and paste the inventory into the file.
+It could happen that Terraform doesn't create an Ansible Inventory file automatically. If this is the case copy the output after `inventory=` and create a file named `hosts`in the directory `inventory` and paste the inventory into the file.
 **Architecture**
--- a/contrib/terraform/aws/create-infrastructure.tf
+++ b/contrib/terraform/aws/create-infrastructure.tf
@@ -181,7 +181,7 @@ data "template_file" "inventory" {
 resource "null_resource" "inventories" {
  provisioner "local-exec" {
-      command = "echo '${data.template_file.inventory.rendered}' > ../../../inventory/hosts"
+      command = "echo '${data.template_file.inventory.rendered}' > ${var.inventory_file}"
  }
  triggers {
--- a/contrib/terraform/aws/templates/inventory.tpl
+++ b/contrib/terraform/aws/templates/inventory.tpl
@@ -2,8 +2,9 @@
 ${connection_strings_master}
 ${connection_strings_node}
 ${connection_strings_etcd}
 ${public_ip_address_bastion}
-
+[bastion]
 ${public_ip_address_bastion}
 [kube-master]
@@ -24,4 +25,4 @@ kube-master
 [k8s-cluster:vars]
-${elb_api_fqdn}
+${elb_api_fqdn}
--- a/contrib/terraform/aws/terraform.tfvars
+++ b/contrib/terraform/aws/terraform.tfvars
@@ -31,3 +31,5 @@ default_tags = {
 #  Env = "devtest"
 #  Product = "kubernetes"
 }
 inventory_file = "../../../inventory/hosts"
--- a/contrib/terraform/aws/variables.tf
+++ b/contrib/terraform/aws/variables.tf
@@ -103,3 +103,7 @@ variable "default_tags" {
  description = "Default tags for all resources"
  type = "map"
 }
 variable "inventory_file" {
  description = "Where to store the generated inventory file"
 }
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -8,6 +8,23 @@ Openstack.
 This will install a Kubernetes cluster on an Openstack Cloud. It should work on
 most modern installs of OpenStack that support the basic services.
 ### Known compatible public clouds
 - [Auro](https://auro.io/)
 - [BetaCloud](https://www.betacloud.io/)
 - [CityCloud](https://www.citycloud.com/)
 - [DreamHost](https://www.dreamhost.com/cloud/computing/)
 - [ELASTX](https://elastx.se/)
 - [EnterCloudSuite](https://www.entercloudsuite.com/)
 - [FugaCloud](https://fuga.cloud/)
 - [OVH](https://www.ovh.com/)
 - [Rackspace](https://www.rackspace.com/)
 - [Ultimum](https://ultimum.io/)
 - [VexxHost](https://vexxhost.com/)
 - [Zetta](https://www.zetta.io/)
 ### Known incompatible public clouds
 - T-Systems / Open Telekom Cloud: requires `wait_until_associated`
 ## Approach
 The terraform configuration inspects variables found in
 [variables.tf](variables.tf) to create resources in your OpenStack cluster.
@@ -223,6 +240,9 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 |`number_of_gfs_nodes_no_floating_ip` | Number of gluster servers to provision. |
 | `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks |
 |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
 #### Terraform state files
@@ -258,7 +278,7 @@ $ terraform apply -var-file=cluster.tf ../../contrib/terraform/openstack
 if you chose to create a bastion host, this script will create
 `contrib/terraform/openstack/k8s-cluster.yml` with an ssh command for Ansible to
-be able to access your machines tunneling  through the bastion's IP address. If
+be able to access your machines tunneling through the bastion's IP address. If
 you want to manually handle the ssh tunneling to these machines, please delete
 or move that file. If you want to use this, just leave it there, as ansible will
 pick it up automatically.
@@ -339,11 +359,6 @@ If it fails try to connect manually via SSH.  It could be something as simple as
 ### Configure cluster variables
 Edit `inventory/$CLUSTER/group_vars/all.yml`:
 - Set variable **bootstrap_os** appropriately for your desired image:
 ```
 # Valid bootstrap options (required): ubuntu, coreos, centos, none
 bootstrap_os: coreos
 ```
 - **bin_dir**:
 ```
 # Directory where the binaries will be installed
@@ -422,14 +437,6 @@ $ kubectl config use-context default-system
 kubectl version
 ```
 If you are using floating ip addresses then you may get this error:
 ```
 Unable to connect to the server: x509: certificate is valid for 10.0.0.6, 10.0.0.6, 10.233.0.1, 127.0.0.1, not 132.249.238.25
 ```
 You can tell kubectl to ignore this condition by adding the
 `--insecure-skip-tls-verify` option.
 ## GlusterFS
 GlusterFS is not deployed by the standard`cluster.yml` playbook, see the
 [GlusterFS playbook documentation](../../network-storage/glusterfs/README.md)
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -6,6 +6,7 @@ module "network" {
  subnet_cidr     = "${var.subnet_cidr}"
  cluster_name    = "${var.cluster_name}"
  dns_nameservers = "${var.dns_nameservers}"
  use_neutron     = "${var.use_neutron}"
 }
 module "ips" {
@@ -50,7 +51,10 @@ module "compute" {
  k8s_master_fips                              = "${module.ips.k8s_master_fips}"
  k8s_node_fips                                = "${module.ips.k8s_node_fips}"
  bastion_fips                                 = "${module.ips.bastion_fips}"
  bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
  supplementary_master_groups                  = "${var.supplementary_master_groups}"
  supplementary_node_groups                    = "${var.supplementary_node_groups}"
  worker_allowed_ports                         = "${var.worker_allowed_ports}"
  network_id = "${module.network.router_id}"
 }
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -3,72 +3,63 @@ resource "openstack_compute_keypair_v2" "k8s" {
  public_key = "${chomp(file(var.public_key_path))}"
 }
-resource "openstack_compute_secgroup_v2" "k8s_master" {
+resource "openstack_networking_secgroup_v2" "k8s_master" {
  name        = "${var.cluster_name}-k8s-master"
  description = "${var.cluster_name} - Kubernetes Master"
  rule {
    ip_protocol = "tcp"
    from_port   = "6443"
    to_port     = "6443"
    cidr        = "0.0.0.0/0"
  }
 }
-resource "openstack_compute_secgroup_v2" "bastion" {
+resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
  direction = "ingress"
  ethertype = "IPv4"
  protocol = "tcp"
  port_range_min = "6443"
  port_range_max = "6443"
  remote_ip_prefix = "0.0.0.0/0"
  security_group_id = "${openstack_networking_secgroup_v2.k8s_master.id}"
 }
 resource "openstack_networking_secgroup_v2" "bastion" {
  name        = "${var.cluster_name}-bastion"
  description = "${var.cluster_name} - Bastion Server"
  rule {
    ip_protocol = "tcp"
    from_port   = "22"
    to_port     = "22"
    cidr        = "0.0.0.0/0"
  }
 }
-resource "openstack_compute_secgroup_v2" "k8s" {
+resource "openstack_networking_secgroup_rule_v2" "bastion" {
  count = "${length(var.bastion_allowed_remote_ips)}"
  direction = "ingress"
  ethertype = "IPv4"
  protocol = "tcp"
  port_range_min = "22"
  port_range_max = "22"
  remote_ip_prefix = "${var.bastion_allowed_remote_ips[count.index]}"
  security_group_id = "${openstack_networking_secgroup_v2.bastion.id}"
 }
 resource "openstack_networking_secgroup_v2" "k8s" {
  name        = "${var.cluster_name}-k8s"
  description = "${var.cluster_name} - Kubernetes"
  rule {
    ip_protocol = "icmp"
    from_port   = "-1"
    to_port     = "-1"
    cidr        = "0.0.0.0/0"
  }
  rule {
    ip_protocol = "tcp"
    from_port   = "1"
    to_port     = "65535"
    self        = true
  }
  rule {
    ip_protocol = "udp"
    from_port   = "1"
    to_port     = "65535"
    self        = true
  }
  rule {
    ip_protocol = "icmp"
    from_port   = "-1"
    to_port     = "-1"
    self        = true
  }
 }
-resource "openstack_compute_secgroup_v2" "worker" {
+
 resource "openstack_networking_secgroup_rule_v2" "k8s" {
  direction = "ingress"
  ethertype = "IPv4"
  remote_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
 }
 resource "openstack_networking_secgroup_v2" "worker" {
  name        = "${var.cluster_name}-k8s-worker"
  description = "${var.cluster_name} - Kubernetes worker nodes"
 }
-  rule {
+resource "openstack_networking_secgroup_rule_v2" "worker" {
-    ip_protocol = "tcp"
+  count = "${length(var.worker_allowed_ports)}"
-    from_port   = "30000"
+  direction = "ingress"
-    to_port     = "32767"
+  ethertype = "IPv4"
-    cidr        = "0.0.0.0/0"
+  protocol = "${lookup(var.worker_allowed_ports[count.index], "protocol", "tcp")}"
-  }
+  port_range_min = "${lookup(var.worker_allowed_ports[count.index], "port_range_min")}"
  port_range_max = "${lookup(var.worker_allowed_ports[count.index], "port_range_max")}"
  remote_ip_prefix = "${lookup(var.worker_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")}"
  security_group_id = "${openstack_networking_secgroup_v2.worker.id}"
 }
 resource "openstack_compute_instance_v2" "bastion" {
@@ -82,8 +73,8 @@ resource "openstack_compute_instance_v2" "bastion" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
    "default",
  ]
@@ -111,9 +102,9 @@ resource "openstack_compute_instance_v2" "k8s_master" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
    "default",
  ]
@@ -141,9 +132,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
  ]
  metadata = {
@@ -170,7 +161,7 @@ resource "openstack_compute_instance_v2" "etcd" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}"]
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
  metadata = {
    ssh_user         = "${var.ssh_user}"
@@ -192,8 +183,8 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
    "default",
  ]
@@ -217,8 +208,8 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
  ]
  metadata = {
@@ -241,15 +232,15 @@ resource "openstack_compute_instance_v2" "k8s_node" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
-    "${openstack_compute_secgroup_v2.worker.name}",
+    "${openstack_networking_secgroup_v2.worker.name}",
    "default",
  ]
  metadata = {
    ssh_user         = "${var.ssh_user}"
-    kubespray_groups = "kube-node,k8s-cluster"
+    kubespray_groups = "kube-node,k8s-cluster,${var.supplementary_node_groups}"
    depends_on       = "${var.network_id}"
  }
@@ -271,14 +262,14 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
-    "${openstack_compute_secgroup_v2.worker.name}",
+    "${openstack_networking_secgroup_v2.worker.name}",
    "default",
  ]
  metadata = {
    ssh_user         = "${var.ssh_user}"
-    kubespray_groups = "kube-node,k8s-cluster,no-floating"
+    kubespray_groups = "kube-node,k8s-cluster,no-floating,${var.supplementary_node_groups}"
    depends_on       = "${var.network_id}"
  }
@@ -321,7 +312,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
    "default",
  ]
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -46,7 +46,9 @@ variable "network_name" {}
 variable "flavor_bastion" {}
-variable "network_id" {}
+variable "network_id" {
  default = ""
 }
 variable "k8s_master_fips" {
  type = "list"
@@ -60,6 +62,18 @@ variable "bastion_fips" {
  type = "list"
 }
 variable "bastion_allowed_remote_ips" {
  type = "list"
 }
 variable "supplementary_master_groups" {
  default = ""
 }
 variable "supplementary_node_groups" {
  default = ""
 }
 variable "worker_allowed_ports" {
  type = "list"
 }
--- a/contrib/terraform/openstack/modules/ips/variables.tf
+++ b/contrib/terraform/openstack/modules/ips/variables.tf
@@ -12,4 +12,6 @@ variable "external_net" {}
 variable "network_name" {}
-variable "router_id" {}
+variable "router_id" {
  default = ""
 }
--- a/contrib/terraform/openstack/modules/network/main.tf
+++ b/contrib/terraform/openstack/modules/network/main.tf
@@ -1,16 +1,19 @@
 resource "openstack_networking_router_v2" "k8s" {
  name                = "${var.cluster_name}-router"
  count               = "${var.use_neutron}"
  admin_state_up      = "true"
  external_network_id = "${var.external_net}"
 }
 resource "openstack_networking_network_v2" "k8s" {
  name           = "${var.network_name}"
  count          = "${var.use_neutron}"
  admin_state_up = "true"
 }
 resource "openstack_networking_subnet_v2" "k8s" {
  name            = "${var.cluster_name}-internal-network"
  count           = "${var.use_neutron}"
  network_id      = "${openstack_networking_network_v2.k8s.id}"
  cidr            = "${var.subnet_cidr}"
  ip_version      = 4
@@ -18,6 +21,7 @@ resource "openstack_networking_subnet_v2" "k8s" {
 }
 resource "openstack_networking_router_interface_v2" "k8s" {
  count     = "${var.use_neutron}"
  router_id = "${openstack_networking_router_v2.k8s.id}"
  subnet_id = "${openstack_networking_subnet_v2.k8s.id}"
 }
--- a/contrib/terraform/openstack/modules/network/outputs.tf
+++ b/contrib/terraform/openstack/modules/network/outputs.tf
@@ -1,7 +1,12 @@
 output "router_id" {
-  value = "${openstack_networking_router_interface_v2.k8s.id}"
+  value = "${element(concat(openstack_networking_router_v2.k8s.*.id, list("")), 0)}"
 }
 output "router_internal_port_id" {
  value = "${element(concat(openstack_networking_router_interface_v2.k8s.*.id, list("")), 0)}"
 }
 output "subnet_id" {
-  value = "${openstack_networking_subnet_v2.k8s.id}"
+  value = "${element(concat(openstack_networking_subnet_v2.k8s.*.id, list("")), 0)}"
 }
--- a/contrib/terraform/openstack/modules/network/variables.tf
+++ b/contrib/terraform/openstack/modules/network/variables.tf
@@ -9,3 +9,5 @@ variable "dns_nameservers" {
 }
 variable "subnet_cidr" {}
 variable "use_neutron" {}
--- a/contrib/terraform/openstack/sample-inventory/cluster.tf
+++ b/contrib/terraform/openstack/sample-inventory/cluster.tf
@@ -43,4 +43,4 @@ network_name = "<network>"
 external_net = "<UUID>"
 subnet_cidr = "<cidr>"
 floatingip_pool = "<pool>"
-
+bastion_allowed_remote_ips = ["0.0.0.0/0"]
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -103,6 +103,11 @@ variable "network_name" {
  default     = "internal"
 }
 variable "use_neutron" {
  description = "Use neutron"
  default     = 1
 }
 variable "subnet_cidr" {
  description = "Subnet CIDR block."
  type = "string"
@@ -128,3 +133,26 @@ variable "supplementary_master_groups" {
  description = "supplementary kubespray ansible groups for masters, such kube-node"
  default = ""
 }
 variable "supplementary_node_groups" {
  description = "supplementary kubespray ansible groups for worker nodes, such as kube-ingress"
  default = ""
 }
 variable "bastion_allowed_remote_ips" {
  description = "An array of CIDRs allowed to SSH to hosts"
  type = "list"
  default = ["0.0.0.0/0"]
 }
 variable "worker_allowed_ports" {
  type = "list"
  default = [
    {
      "protocol" = "tcp"
      "port_range_min" = 30000
      "port_range_max" = 32767
      "remote_ip_prefix" = "0.0.0.0/0"
    }
  ]
 }
--- a/contrib/terraform/terraform.py
+++ b/contrib/terraform/terraform.py
@@ -328,6 +328,7 @@ def openstack_host(resource, module_name):
    attrs = {
        'access_ip_v4': raw_attrs['access_ip_v4'],
        'access_ip_v6': raw_attrs['access_ip_v6'],
        'access_ip': raw_attrs['access_ip_v4'],
        'ip': raw_attrs['network.0.fixed_ip_v4'],
        'flavor': parse_dict(raw_attrs, 'flavor',
                             sep='_'),
@@ -685,6 +686,7 @@ def iter_host_ips(hosts, ips):
            ip = ips[host_id]
            host[1].update({
                'access_ip_v4': ip,
                'access_ip': ip,
                'public_ipv4': ip,
                'ansible_ssh_host': ip,
            })
--- a/contrib/vault/groups_vars/vault.yaml
+++ b/contrib/vault/groups_vars/vault.yaml
@@ -0,0 +1,31 @@
 vault_deployment_type: docker
 vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
 vault_version: 0.10.1
 vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
 vault_image_repo: "vault"
 vault_image_tag: "{{ vault_version }}"
 vault_downloads:
  vault:
    enabled: "{{ cert_management == 'vault' }}"
    container: "{{ vault_deployment_type != 'host' }}"
    file: "{{ vault_deployment_type == 'host' }}"
    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
    mode: "0755"
    owner: "vault"
    repo: "{{ vault_image_repo }}"
    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
    tag: "{{ vault_image_tag }}"
    unarchive: true
    url: "{{ vault_download_url }}"
    version: "{{ vault_version }}"
    groups:
      - vault
 # Vault data dirs.
 vault_base_dir: /etc/vault
 vault_cert_dir: "{{ vault_base_dir }}/ssl"
 vault_config_dir: "{{ vault_base_dir }}/config"
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
 kube_vault_mount_path: "/kube"
 etcd_vault_mount_path: "/etcd"
--- a/contrib/vault/requirements.txt
+++ b/contrib/vault/requirements.txt
@@ -0,0 +1 @@
 ansible-modules-hashivault>=3.9.4
--- a/contrib/vault/roles/etcd/vault/tasks/gen_certs_vault.yml
+++ b/contrib/vault/roles/etcd/vault/tasks/gen_certs_vault.yml
@@ -26,6 +26,9 @@
        "{{ hostvars[host]['ip'] }}",
        {%- endif -%}
        {%- endfor -%}
        {%- for cert_alt_ip in etcd_cert_alt_ips -%}
        "{{ cert_alt_ip }}",
        {%- endfor -%}
        "127.0.0.1","::1"
        ]
    issue_cert_path: "{{ item }}"
@@ -62,3 +65,9 @@
  with_items: "{{ etcd_node_certs_needed|d([]) }}"
  when: inventory_hostname in etcd_node_cert_hosts
  notify: set etcd_secret_changed
 - name: gen_certs_vault | ensure file permissions
  shell: >-
    find {{etcd_cert_dir }} -type d -exec chmod 0755 {} \; &&
    find {{etcd_cert_dir }} -type f -exec chmod 0640 {} \;
  changed_when: false
--- a/contrib/vault/roles/etcd/vault/tasks/sync_etcd_master_certs.yml
+++ b/contrib/vault/roles/etcd/vault/tasks/sync_etcd_master_certs.yml
--- a/contrib/vault/roles/etcd/vault/tasks/sync_etcd_node_certs.yml
+++ b/contrib/vault/roles/etcd/vault/tasks/sync_etcd_node_certs.yml
--- a/contrib/vault/roles/kubernetes/vault-secrets/tasks/gen_certs_vault.yml
+++ b/contrib/vault/roles/kubernetes/vault-secrets/tasks/gen_certs_vault.yml
--- a/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_master_certs.yml
+++ b/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_master_certs.yml
--- a/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_node_certs.yml
+++ b/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_node_certs.yml
--- a/contrib/vault/roles/vault/defaults/main.yml
+++ b/contrib/vault/roles/vault/defaults/main.yml
@@ -21,10 +21,17 @@ vault_log_dir: "/var/log/vault"
 vault_version: 0.10.1
 vault_binary_checksum: 66f0f1b0b221d664dd5913f8697409d7401df4bb2a19c7277e8fbad152063fae
-vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
 # hvac==0.7.0 is broken at the moment
 hvac_version: 0.6.4
 # Arch of Docker images and needed packages
 image_arch: "{{host_architecture}}"
 vault_download_vars:
  container: "{{ vault_deployment_type != 'host' }}"
-  dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
+  dest: "vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
  enabled: true
  mode: "0755"
  owner: "vault"
@@ -45,7 +52,7 @@ vault_bind_address: 0.0.0.0
 vault_port: 8200
 vault_etcd_url: "{{ etcd_access_addresses }}"
-# 8y default lease
+# By default lease
 vault_default_lease_ttl: 70080h
 vault_max_lease_ttl: 87600h
@@ -72,6 +79,7 @@ vault_config:
  cluster_name: "kubernetes-vault"
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
  ui: "true"
  listener:
    tcp:
      address: "{{ vault_bind_address }}:{{ vault_port }}"
@@ -118,7 +126,7 @@ vault_pki_mounts:
    roles:
      - name: userpass
        group: userpass
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/userpass.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/userpass.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
@@ -132,7 +140,7 @@ vault_pki_mounts:
    roles:
      - name: vault
        group: vault
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/vault.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
@@ -145,7 +153,7 @@ vault_pki_mounts:
    roles:
      - name: etcd
        group: etcd
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/etcd.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
@@ -160,7 +168,7 @@ vault_pki_mounts:
    roles:
      - name: kube-master
        group: kube-master
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/kube-master.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
@@ -168,7 +176,7 @@ vault_pki_mounts:
          organization: "system:masters"
      - name: front-proxy-client
        group: kube-master
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
@@ -176,7 +184,7 @@ vault_pki_mounts:
          organization: "system:front-proxy-client"
      - name: kube-node
        group: k8s-cluster
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/kube-node.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
@@ -184,7 +192,7 @@ vault_pki_mounts:
          organization: "system:nodes"
      - name: kube-proxy
        group: k8s-cluster
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
+        password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
--- a/contrib/vault/roles/vault/handlers/main.yml
+++ b/contrib/vault/roles/vault/handlers/main.yml
@@ -12,7 +12,7 @@
    headers: "{{ vault_client_headers }}"
    status_code: "{{ vault_successful_http_codes | join(',') }}"
  register: vault_health_check
-  until: vault_health_check|succeeded
+  until: vault_health_check is succeeded
  retries: 10
  delay: "{{ retry_stagger | random + 3 }}"
  run_once: yes
--- a/contrib/vault/roles/vault/meta/main.yml
+++ b/contrib/vault/roles/vault/meta/main.yml
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`# See distro.yaml for supported node_distro images`
							`node_distro: debian`
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`glusterfs_daemon: glusterfs-server`	`glusterfs_daemon: glusterd`