WIP: feat(rebase): Rebase upstream kubespray release-2.14 branch

.gitlab-ci.yml

@@ -15,6 +15,7 @@ variables:
   MAGIC: "ci check this"
   TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
   CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
+  CI_TEST_REGISTRY_MIRROR: "./tests/common/_docker_hub_registry_mirror.yml"
   GS_ACCESS_KEY_ID: $GS_KEY
   GS_SECRET_ACCESS_KEY: $GS_SECRET
   CONTAINER_ENGINE: docker

.gitlab-ci/shellcheck.yml

@@ -12,5 +12,5 @@ shellcheck:
     - shellcheck --version
   script:
     # Run shellcheck for all *.sh except contrib/
-    - find . -name '*.sh' -not -path './contrib/*' | xargs shellcheck --severity error
+    - find . -name '*.sh' -not -path './contrib/*' -not -path './.git/*' | xargs shellcheck --severity error
   except: ['triggers', 'master']

contrib/inventory_builder/tests/test_inventory.py

@@ -51,7 +51,7 @@ def test_ensure_required_groups(self):
         groups = ['group1', 'group2']
         self.inv.ensure_required_groups(groups)
         for group in groups:
-            self.assertTrue(group in self.inv.yaml_config['all']['children'])
+            self.assertIn(group, self.inv.yaml_config['all']['children'])
 
     def test_get_host_id(self):
         hostnames = ['node99', 'no99de01', '01node01', 'node1.domain',
@@ -209,8 +209,8 @@ def test_purge_invalid_hosts(self):
             ('doesnotbelong2', {'whateveropts=ilike'})])
         self.inv.yaml_config['all']['hosts'] = existing_hosts
         self.inv.purge_invalid_hosts(proper_hostnames)
-        self.assertTrue(
-            bad_host not in self.inv.yaml_config['all']['hosts'].keys())
+        self.assertNotIn(
+            bad_host, self.inv.yaml_config['all']['hosts'].keys())
 
     def test_add_host_to_group(self):
         group = 'etcd'
@@ -227,8 +227,8 @@ def test_set_kube_master(self):
         host = 'node1'
 
         self.inv.set_kube_master([host])
-        self.assertTrue(
-            host in self.inv.yaml_config['all']['children'][group]['hosts'])
+        self.assertIn(
+            host, self.inv.yaml_config['all']['children'][group]['hosts'])
 
     def test_set_all(self):
         hosts = OrderedDict([
@@ -246,25 +246,25 @@ def test_set_k8s_cluster(self):
 
         self.inv.set_k8s_cluster()
         for host in expected_hosts:
-            self.assertTrue(
-                host in
+            self.assertIn(
+                host,
                 self.inv.yaml_config['all']['children'][group]['children'])
 
     def test_set_kube_node(self):
         group = 'kube-node'
         host = 'node1'
 
         self.inv.set_kube_node([host])
-        self.assertTrue(
-            host in self.inv.yaml_config['all']['children'][group]['hosts'])
+        self.assertIn(
+            host, self.inv.yaml_config['all']['children'][group]['hosts'])
 
     def test_set_etcd(self):
         group = 'etcd'
         host = 'node1'
 
         self.inv.set_etcd([host])
-        self.assertTrue(
-            host in self.inv.yaml_config['all']['children'][group]['hosts'])
+        self.assertIn(
+            host, self.inv.yaml_config['all']['children'][group]['hosts'])
 
     def test_scale_scenario_one(self):
         num_nodes = 50

docs/azure.md

@@ -42,6 +42,10 @@ The type of the vm. Supported values are `standard` or `vmss`. If vm is type of
 
 The name of the virtual network your instances are in, can be retrieved via `az network vnet list`
 
+### azure\_vnet\_resource\_group
+
+The name of the resource group that contains the vnet.
+
 ### azure\_subnet\_name
 
 The name of the subnet your instances are in, can be retrieved via `az network vnet subnet list --resource-group RESOURCE_GROUP --vnet-name VNET_NAME`
@@ -50,6 +54,18 @@ The name of the subnet your instances are in, can be retrieved via `az network v
 
 The name of the network security group your instances are in, can be retrieved via `az network nsg list`
 
+### azure\_security\_group\_resource\_group
+
+The name of the resource group that contains the network security group.  Defaults to `azure_vnet_resource_group`
+
+### azure\_route\_table\_name
+
+The name of the route table used with your instances.
+
+### azure\_route\_table\_resource\_group
+
+The name of the resource group that contains the route table.  Defaults to `azure_vnet_resource_group`
+
 ### azure\_aad\_client\_id + azure\_aad\_client\_secret
 
 These will have to be generated first:

docs/centos8.md

@@ -2,7 +2,7 @@
 
 RHEL / CentOS 8 ships only with iptables-nft (ie without iptables-legacy)
 The only tested configuration for now is using Calico CNI
-You need to use K8S 1.17+ and to add `calico_iptables_backend: "NFT"` to your configuration
+You need to use K8S 1.17+ and to add `calico_iptables_backend: "NFT"` or `calico_iptables_backend: "Auto"` to your configuration
 
 If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
 you need to ensure they are using iptables-nft.

docs/containerd.md

@@ -0,0 +1,31 @@
+# conrainerd
+
+[containerd] An industry-standard container runtime with an emphasis on simplicity, robustness and portability
+Kubespray supports basic functionality for using containerd as the default container runtime in a cluster.
+
+_To use the containerd container runtime set the following variables:_
+
+## k8s-cluster.yml
+
+```yaml
+container_manager: containerd
+```
+
+## Containerd config
+
+Example: define registry mirror for docker hub
+
+```yaml
+containerd_config:
+  grpc:
+    max_recv_message_size: 16777216
+    max_send_message_size: 16777216
+  debug:
+    level: ""
+  registries:
+    "docker.io":
+      - "https://mirror.gcr.io"
+      - "https://registry-1.docker.io"
+```
+
+[containerd]: https://containerd.io/

docs/cri-o.md

@@ -4,10 +4,9 @@
 Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.
 
 * Kubernetes supports CRI-O on v1.11.1 or later.
-* Helm and other tools may not function as normal due to dependency on Docker.
 * `scale.yml` and `upgrade-cluster.yml` are not supported on clusters using CRI-O.
 
-_To use CRI-O instead of Docker, set the following variables:_
+_To use the CRI-O container runtime set the following variables:_
 
 ## all.yml
 

inventory/sample/group_vars/all/azure.yml

@@ -10,9 +10,11 @@
 # azure_location:
 # azure_subnet_name:
 # azure_security_group_name:
+# azure_security_group_resource_group:
 # azure_vnet_name:
 # azure_vnet_resource_group:
 # azure_route_table_name:
+# azure_route_table_resource_group:
 # supported values are 'standard' or 'vmss'
 # azure_vmtype: standard
 

inventory/sample/group_vars/all/containerd.yml

@@ -1,14 +1,18 @@
 ---
 # Please see roles/container-engine/containerd/defaults/main.yml for more configuration options
 
+# Example: define registry mirror for docker hub
+
 # containerd_config:
 #   grpc:
 #     max_recv_message_size: 16777216
 #     max_send_message_size: 16777216
 #   debug:
 #     level: ""
 #   registries:
-#     "docker.io": "https://registry-1.docker.io"
+#     "docker.io":
+#       - "https://mirror.gcr.io"
+#       - "https://registry-1.docker.io"
 #   max_container_log_line_size: -1
 #   metrics:
 #     address: ""

roles/container-engine/containerd/templates/config.toml.j2

@@ -62,7 +62,7 @@ disabled_plugins = ["restart"]
 [plugins.cri.registry.mirrors]
 {% for registry, addr in containerd_config.registries.items() %}
 [plugins.cri.registry.mirrors."{{ registry }}"]
-  endpoint = ["{{ addr }}"]
+  endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
 {% endfor %}
 {% endif %}
 

roles/container-engine/containerd/templates/rh_containerd.repo.j2

@@ -5,5 +5,9 @@ enabled=1
 gpgcheck={{ '1' if docker_rh_repo_gpgkey else '0' }}
 keepcache={{ docker_rpm_keepcache | default('1') }}
 gpgkey={{ docker_rh_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}
+{% if http_proxy is defined %}
+proxy={{ http_proxy }}
+{% endif %}
+{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}
+module_hotfixes=True
+{% endif %}

roles/container-engine/cri-o/defaults/main.yml

@@ -21,6 +21,7 @@ crio_stream_port: "10010"
 crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
 
 crio_kubernetes_version_matrix:
+  "1.19": "1.19"
   "1.18": "1.18"
   "1.17": "1.17"
   "1.16": "1.16"

roles/container-engine/cri-o/molecule/default/molecule.yml

@@ -26,7 +26,7 @@ platforms:
     groups:
       - kube-master
   - name: fedora
-    box: fedora/31-cloud-base
+    box: fedora/33-cloud-base
     cpus: 2
     memory: 1024
     groups:

roles/container-engine/cri-o/tasks/crio_repo.yml

@@ -5,7 +5,7 @@
     crio_kubic_debian_repo_name: "{{ ((ansible_distribution == 'Ubuntu') | ternary('x','')) ~ ansible_distribution ~ '_' ~ ansible_distribution_version }}"
   when: ansible_os_family == "Debian"
 
-- name: Add CRI-O kubic repo key
+- name: Add CRI-O kubic apt repo key
   apt_key:
     url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/{{ crio_kubic_debian_repo_name }}/Release.key"
     state: present
@@ -15,23 +15,31 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
 
-- name: Add CRI-O kubic repo
+- name: Add CRI-O kubic apt repo
   apt_repository:
     repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_kubic_debian_repo_name }}/ /"
     state: present
-    filename: devel:kubic:libcontainers:stable
+    filename: devel-kubic-libcontainers-stable
   when: crio_kubic_debian_repo_name is defined
 
-- name: Add CRI-O kubic repo
+- name: Add CRI-O kubic cri-o apt repo
+  apt_repository:
+    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/{{ crio_kubic_debian_repo_name }}/ /"
+    state: present
+    filename: devel-kubic-libcontainers-stable-cri-o
+  when: crio_kubic_debian_repo_name is defined
+
+- name: Add CRI-O kubic yum repo
   yum_repository:
     name: devel_kubic_libcontainers_stable
     description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever)
     baseurl: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/
     gpgcheck: yes
     gpgkey: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key
+    keepcache: false
   when: ansible_distribution in ["CentOS"]
 
-- name: Add CRI-O kubic repo
+- name: Add CRI-O kubic yum repo
   yum_repository:
     name: "devel_kubic_libcontainers_stable_cri-o_{{ crio_version }}"
     description: "CRI-O {{ crio_version }} (CentOS_$releasever)"

roles/container-engine/cri-o/vars/centos-7.yml

@@ -1,5 +1,12 @@
 ---
+crio_versioned_pkg:
+  "1.19":
+    - "cri-o-1.19.*"
+  "1.18":
+    - "cri-o-1.18.*"
+  "1.17":
+    - "cri-o-1.17.*"
 
-crio_packages:
-  - cri-o
-  - oci-systemd-hook
+default_crio_packages: "{{ crio_versioned_pkg[crio_version] }}"
+
+crio_packages: "{{ centos_crio_packages | default(default_crio_packages) }}"

roles/container-engine/cri-o/vars/centos-8.yml

@@ -1,4 +1,12 @@
 ---
+crio_versioned_pkg:
+  "1.19":
+    - "cri-o-1.19.*"
+  "1.18":
+    - "cri-o-1.18.*"
+  "1.17":
+    - "cri-o-1.17.*"
 
-crio_packages:
-  - cri-o
+default_crio_packages: "{{ crio_versioned_pkg[crio_version] }}"
+
+crio_packages: "{{ centos_crio_packages | default(default_crio_packages) }}"

roles/container-engine/cri-o/vars/debian.yml

@@ -1,7 +1,17 @@
 ---
+# Debian-10 has pkg only for cri-o 1.19
+crio_kubernetes_version_matrix:
+  "1.19": "1.19"
+  "1.18": "1.19"
+  "1.17": "1.19"
 
-crio_packages:
-  - "cri-o-{{ crio_version }}"
-  - runc
+crio_versioned_pkg:
+  "1.19":
+    - "cri-o=1.19*"
+    - cri-o-runc
+
+default_crio_packages: "{{ crio_versioned_pkg[crio_version] }}"
+
+crio_packages: "{{ debian_crio_packages | default(default_crio_packages) }}"
 
 crio_runc_path: /usr/sbin/runc

roles/container-engine/cri-o/vars/fedora.yml

@@ -4,3 +4,10 @@ crio_packages:
   - cri-tools
 
 crio_conmon: /usr/libexec/crio/conmon
+
+# TODO: remove crio_kubernetes_version_matrix and crio_version once Fedora supports 1.19
+crio_kubernetes_version_matrix:
+  "1.18": "1.18"
+  "1.17": "1.17"
+
+crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.17') }}"

roles/container-engine/cri-o/vars/ubuntu.yml

@@ -1,7 +1,18 @@
 ---
+crio_versioned_pkg:
+  "1.19":
+    - "cri-o=1.19*"
+    - cri-o-runc
+  "1.18":
+    - "cri-o=1.18*"
+    - cri-o-runc
+  "1.17":
+    - "cri-o=1.17*"
+    - cri-o-runc
 
-crio_packages:
-  - "cri-o-{{ crio_version }}"
+default_crio_packages: "{{ crio_versioned_pkg[crio_version] }}"
+
+crio_packages: "{{ ubuntu_crio_packages | default(default_crio_packages) }}"
 
 crio_runc_path: /usr/sbin/runc
 

roles/container-engine/docker/templates/rh_docker.repo.j2

@@ -5,6 +5,9 @@ enabled=1
 gpgcheck={{ '1' if docker_rh_repo_gpgkey else '0' }}
 keepcache={{ docker_rpm_keepcache | default('1') }}
 gpgkey={{ docker_rh_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
-
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}module_hotfixes=True{% endif %}
+{% if http_proxy is defined %}
+proxy={{ http_proxy }}
+{% endif %}
+{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}
+module_hotfixes=True
+{% endif %}