More Feature/2.8 backports for 2.8.1 (#3911)

* Move node-cidr-mask-size to ControllerManagerextraArgs (#3845)

* Fix apiServerCertSANs in kubeadm config file (#3839)

* Backport #3908

* Update kubernetes to 1.12.4

README.md

@@ -17,6 +17,9 @@ Quick Start
 
 To deploy the cluster you can use :
 
+### Current release
+2.8
+
 ### Ansible
 
 #### Ansible version
@@ -111,7 +114,7 @@ Supported Components
 --------------------
 
 -   Core
-    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.12.3
+    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.12.4
     -   [etcd](https://github.com/coreos/etcd) v3.2.24
     -   [docker](https://www.docker.com/) v18.06 (see note)
     -   [rkt](https://github.com/rkt/rkt) v1.21.0 (see Note 2)

roles/download/defaults/main.yml

@@ -35,7 +35,7 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube
 image_arch: "{{host_architecture | default('amd64')}}"
 
 # Versions
-kube_version: v1.12.3
+kube_version: v1.12.4
 kubeadm_version: "{{ kube_version }}"
 etcd_version: v3.2.24
 
@@ -70,6 +70,7 @@ cni_download_url: "https://github.com/containernetworking/plugins/releases/downl
 
 # Checksums
 hyperkube_checksums:
+  v1.12.4: a4697d8f3791f0408fcdb97b3de187e47d7b39a63332c75f68f95e25f4891cc9
   v1.12.3: 600aad3f0d016716abd85931239806193ffbe95f2edfdcea11532d518ae5cdb1
   v1.12.2: 566dfed398c20c9944f8999d6370cb584cb8c228b3c5881137b6b3d9306e4b06
   v1.12.1: 4aa23cfb2fc2e2e4d0cbe0d83a648c38e4baabd6c66f5cdbbb40cbc7582fdc74
@@ -88,6 +89,7 @@ hyperkube_checksums:
   v1.10.1: 6e0642ad6bae68dc81b8d1c9efa18e265e17e23da1895862823cafac08c0344c
   v1.10.0: b5575b2fb4266754c1675b8cd5d9b6cac70f3fee7a05c4e80da3a9e83e58c57e
 kubeadm_checksums:
+  v1.12.4: 674ad5892ff2403f492c9042c3cea3fa0bfa3acf95bc7d1777c3645f0ddf64d7
   v1.12.3: c675aa3be82754b3f8dfdde2a1526a72986713312d46d898e65cb564c6aa8ad4
   v1.12.2: 51bc4bfd1d934a27245111c0ad1f793d5147ed15389415a1509502f23fcfa642
   v1.12.1: 5d95efd65aad398d85a9802799f36410ae7a95f9cbe73c8b10d2213c10a6d7be

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -54,12 +54,14 @@
       {%- if loadbalancer_apiserver is defined %}
       {{ apiserver_loadbalancer_domain_name }}
       {%- endif %}
-      {%- for host in groups['kube-master'] -%}
-      {%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif %}
+      {% for host in groups['kube-master'] -%}
+      {%- if hostvars[host]['access_ip'] is defined -%}
+      {{ hostvars[host]['access_ip'] }}
+      {%- endif %}
       {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
       {%- endfor %}
-      {%- if supplementary_addresses_in_ssl_keys is defined %}
-      {%- for addr in supplementary_addresses_in_ssl_keys %}
+      {%- if supplementary_addresses_in_ssl_keys is defined -%}
+      {% for addr in supplementary_addresses_in_ssl_keys -%}
       {{ addr }}
       {%- endfor %}
       {%- endif %}

roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2

@@ -20,7 +20,6 @@ networking:
   dnsDomain: {{ dns_domain }}
   serviceSubnet: {{ kube_service_addresses }}
   podSubnet: {{ kube_pods_subnet }}
-  podNetworkCidr: "{{ kube_network_node_prefix }}"
 kubernetesVersion: {{ kube_version }}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
 cloudProvider: {{cloud_provider}}
@@ -121,6 +120,7 @@ controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
   pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+  node-cidr-mask-size: "{{ kube_network_node_prefix }}"
   profiling: "{{ kube_profiling }}"
   terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
 {% if kube_feature_gates %}
@@ -171,7 +171,7 @@ apiServerExtraVolumes:
 {% endif %}
 {% endif %}
 apiServerCertSANs:
-{% for san in  apiserver_sans.split(' ') | unique %}
+{% for san in  apiserver_sans.split() | unique %}
   - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_config_dir }}/ssl

roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2

@@ -21,7 +21,6 @@ networking:
   dnsDomain: {{ dns_domain }}
   serviceSubnet: {{ kube_service_addresses }}
   podSubnet: {{ kube_pods_subnet }}
-  podNetworkCidr: "{{ kube_network_node_prefix }}"
 kubernetesVersion: {{ kube_version }}
 kubeProxy:
   config:
@@ -119,6 +118,7 @@ controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
   pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+  node-cidr-mask-size: "{{ kube_network_node_prefix }}"
   profiling: "{{ kube_profiling }}"
   terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
 {% if kube_feature_gates %}
@@ -189,7 +189,7 @@ schedulerExtraArgs:
 {% endfor %}
 {% endif %}
 apiServerCertSANs:
-{% for san in apiserver_sans.split(' ') | unique %}
+{% for san in apiserver_sans.split() | unique %}
   - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_config_dir }}/ssl

roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2

@@ -36,7 +36,6 @@ networking:
   dnsDomain: {{ dns_domain }}
   serviceSubnet: {{ kube_service_addresses }}
   podSubnet: {{ kube_pods_subnet }}
-  podNetworkCidr: "{{ kube_network_node_prefix }}"
 kubernetesVersion: {{ kube_version }}
 {% if groups['kube-master'] | length > 1 and kubeadm_config_api_fqdn is defined %}
 controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
@@ -44,7 +43,7 @@ controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.po
 controlPlaneEndpoint: {{ ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}
 {% endif %}
 apiServerCertSANs:
-{% for san in  apiserver_sans.split(' ') | unique %}
+{% for san in apiserver_sans.split() | unique %}
   - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_config_dir }}/ssl
@@ -126,6 +125,7 @@ controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
   pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+  node-cidr-mask-size: "{{ kube_network_node_prefix }}"
 {% if kube_feature_gates %}
   feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}

roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

@@ -109,7 +109,7 @@
 - name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
   assert:
     that: rbac_enabled and kube_api_anonymous_auth
-  when: kube_apiserver_insecure_port == 0
+  when: kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube-master']
   ignore_errors: "{{ ignore_assert_errors }}"
 
 - name: Stop if kernel version is too low

roles/reset/tasks/main.yml

@@ -110,12 +110,18 @@
 - name: Clear IPVS virtual server table
   shell: "ipvsadm -C"
   when:
-    - kube_proxy_mode == 'ipvs'
+    - kube_proxy_mode == 'ipvs' and inventory_hostname in groups['k8s-cluster']
+
+- name: reset | check kube-ipvs0 network device
+  stat:
+    path: /sys/class/net/kube-ipvs0
+  register: kube_ipvs0
 
 - name: reset | Remove kube-ipvs0
   command: "ip link del kube-ipvs0"
   when:
     - kube_proxy_mode == 'ipvs'
+    - kube_ipvs0.stat.exists
 
 - name: reset | delete some files and directories
   file: