Ansible kubespray script looking for /etc/kubernetes/pki directory . unable to load CA certificate /etc/kubernetes/pki/etc/kubernetes/pki/ca.crt #4237

Closed
erdarun opened this issue Feb 14, 2019 · 1 comment

erdarun commented Feb 14, 2019

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Bug

Environment:

  • Cloud provider or hardware configuration: cloud

  • OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
    Linux 3.10.0-862.9.1.el7.x86_64 x86_64
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"
    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"

  • Version of Ansible (ansible --version): 2.7.5

Kubespray version (commit) (git rev-parse --short HEAD): a6cb551

Network plugin used: calico

Copy of your inventory file:

[all]
node1 ansible_host=10.38.133.7 ip=10.38.133.7
node2 ansible_host=10.38.141.119 ip=10.38.141.119
node3 ansible_host=10.38.130.133 ip=10.38.130.133
node4 ansible_host=10.38.128.144 ip=10.38.128.144
node5 ansible_host=10.38.138.184 ip=10.38.138.184
node6 ansible_host=10.38.134.231 ip=10.38.134.231
node7 ansible_host=10.38.141.67 ip=10.38.141.67

[kube-master]
node1
node2
node7

[kube-node]
node1
node2
node3
node4
node5
node6

[etcd]
node1
node2
node3

[k8s-cluster:children]
kube-node
kube-master

[all:vars]
ansible_ssh_user="root"
ansible_become=true
ansible_python_interpreter="/usr/bin/python2.7"
etcd_multiaccess=true
loadbalancer_apiserver_localhost=false
bootstrap_os="centos"
kube_log_dir="/var/log/kubernetes"
retry_stagger=60
kube_log_level=2
kube_network_plugin="calico"
dns_mode="dnsmasq_kubedns"
#deploy_netchecker=true
docker_dns_servers_strict="no"
docker_dns_servers=[ "172.16.48.2" "10.65.84.80" ]
kube_service_addresses="172.16.48.0/22"
calico_subnet="172.16.52.1/22"
kube_pods_subnet="172.16.56.0/21"
kube_network_node_prefix=28
kubelet_load_modules=true
kernel_upgrade=true
override_system_hostname=false
kubelet_fail_swap_on=False

Command used to invoke ansible:
ansible-playbook -b cluster.yml -i inventory/lab/hosts.ini -e kube_version=v1.13.2 -vv --flush-cache

Output of ansible run:

Got stuck when initializing master and unitializing master.

Check master with journalctl -fu kubelet
received below message.
unable to load CA certificate /etc/kubernetes/pki/etc/kubernetes/pki/ca.crt

There is no pki directory available. As a workaround, I started creating symlinks from /etc/kubernetes/ssl to the /etc/kubernetes/pki directory and everything works well.

Scripts are run as the root user and passwordless login is enabled.

Please guide me in how to get this sorted without manual intervention. Thanks

Anything else do we need to know:

NAME    STATUS   ROLES    AGE   VERSION
node1   Ready    master   16h   v1.13.3
node2   Ready    master   16h   v1.13.3
node3   Ready             16h   v1.13.3
node4   Ready             16h   v1.13.3
node5   Ready             16h   v1.13.3

Roles not updated for nodes; we were supposed to manually update.

@jimk-osu

issue 4038 has a small hack that seemed to work for me manually and I've added the following to kubespray/roles/kubernetes/master/tasks/kubeadm-certificate.yml:

- name: Sym link ssl to pki
  command: "ln -s {{ kube_cert_dir }} /etc/kubernetes/pki"
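
An idempotent form of the symlink workaround above, as an added example (not kubespray's own code and not the commenter's): a plain `ln -s` task fails on a second run once the link exists, and creates a nested link inside /etc/kubernetes/pki if that path is already a real directory. It assumes kube_cert_dir is the kubespray variable used in the comment (/etc/kubernetes/ssl on the reporter's hosts); the register names pki_path and pki_ca are made up for this example.

```yaml
# Added example, not kubespray code. Assumes kube_cert_dir is defined by the
# kubespray defaults (the reporter's hosts use /etc/kubernetes/ssl).

- name: Inspect /etc/kubernetes/pki without following a link
  stat:
    path: /etc/kubernetes/pki
    follow: false
  register: pki_path

# A real directory here may hold CA and API server keys written by kubeadm;
# linking over or into it would hide or duplicate key material.
- name: Refuse to touch a real pki directory
  fail:
    msg: >-
      /etc/kubernetes/pki exists and is not a symlink; migrate its
      contents deliberately instead of linking.
  when: pki_path.stat.exists and not pki_path.stat.islnk

# The file module reports "ok" on re-runs instead of failing like ln -s.
- name: Link pki to the kubespray certificate directory
  file:
    src: "{{ kube_cert_dir }}"
    dest: /etc/kubernetes/pki
    state: link
  when: not pki_path.stat.exists or pki_path.stat.islnk

- name: Check that the CA certificate resolves through the link
  stat:
    path: /etc/kubernetes/pki/ca.crt
    follow: true
  register: pki_ca

# Stops the play before kubelet logs "unable to load CA certificate".
- name: Fail early if kubelet would still not find the CA
  assert:
    that:
      - pki_ca.stat.exists
      - pki_ca.stat.isreg
```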

dm3ch added a commit to dm3ch/kubespray that referenced this issue Mar 16, 2019
mattymo added a commit that referenced this issue Mar 19, 2019
mattymo added a commit to mattymo/kargo that referenced this issue Mar 20, 2019
…igs#4354)"

This reverts commit ea7a6f1.

This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.
k8s-ci-robot pushed a commit that referenced this issue Mar 20, 2019
This reverts commit ea7a6f1.

This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.
dm3ch added a commit to dm3ch/kubespray that referenced this issue Mar 28, 2019
b23prodtm added a commit to b23prodtm/kubespray that referenced this issue Mar 31, 2019
* fix(contrib/metallb): adds missing become: true in role (kubernetes-sigs#4356)

On CoreOS, without this, it fails to kubectl apply MetalLB due to lack of privileges.

* Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)

* Use sample inventory file in doc (kubernetes-sigs#4052)

* Revert "Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)" (kubernetes-sigs#4369)

This reverts commit ea7a6f1.

This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.

* Fix support for ansible 2.7.9 (kubernetes-sigs#4375)

* Use wide for netchecker debug output (kubernetes-sigs#4383)

* Added support of bastion host for reset.yaml (kubernetes-sigs#4359)

* Added support of bastion host for reset.yaml

* Empty commit to triger CI

* Use proxy_env with kubeadm phase commands (kubernetes-sigs#4325)

* clarify that kubespray now supports kubeadm (fixes kubernetes-sigs#4089) (kubernetes-sigs#4366)

* Reduce jinja2 filters in coredns templates (kubernetes-sigs#4390)

* Upgrade to k8s 1.13.5

* Increase CPU flavor for CI (kubernetes-sigs#4389)

* Fix CA cert environment variable for ectd v3 (kubernetes-sigs#4381)

* Added livenessProbe for local nginx apiserver proxy liveness probe (kubernetes-sigs#4222)

* Added configurable local apiserver proxy liveness probe

* Enable API LB healthcheck by default

* Fix template spacing and moved healthz location to nginx http section

* Fix healthcheck listen address to allow kubelet request healthcheck

* Default values for variable dns_servers and dns_domain  are set in two files: (kubernetes-sigs#3999)

values from inventory in roles/kubespray-defaults/defaults/main.yml
hardcoded values in roles/container-engine/defaults/main.yml

dns_servers set empty in roles/container-engine/defaults/main.yml and skydns_server not set in docker_dns_servers variables
also set default value for manual_dns_serve

another variables in roles/container-engine/defaults not need to set

* Fix bootsrap-os role, failing to create remote_tmp (kubernetes-sigs#4384)

* Fix bootsrap-os role, failing to create remote_tmp

* use ansible_remote_tmp hostvar

* Use static files in KubeDNS templating task (kubernetes-sigs#4379)

This commit adapts the "Lay Down KubeDNS Template" task to use the static
files moved by pull request [1]

[1] kubernetes-sigs#4341

* Fix supplementary_addresses rendering error (kubernetes-sigs#4403)

* Corrected cloud name (kubernetes-sigs#4316)

The correct name is Packet, not Packet Host.

* adapt inventory script to python 2.7 version (kubernetes-sigs#4407)

* Calico felix - Fix jinja2 boolean condition (kubernetes-sigs#4348)

* Fix jinja2 boolean condition

* Convert all felix variable to booleans instead.
b23prodtm added a commit to b23prodtm/kubespray that referenced this issue Mar 31, 2019
b23prodtm added a commit to b23prodtm/kubespray that referenced this issue Mar 31, 2019
* Raspberry configuration : ARM is to rollback kubernetes v1.12.5

Note that flannel works on amd64, arm, arm64 and ppc64le.

https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/

Create setup_playbook.sh for ansible-architecture armv7l (RasPi)

* Trusted Ansible repository

* etcdctl must be manually installed on node from github.com/etcd-io/etcd/tree/release-3.1

* Update README.md

* checksums

* Bastion PI Readme FAQ

* armv7l -> arm64 compatibility mode with Pi3

* Git releases search for architectures binaries

* declare PI=pi # replace 'pi' with 'ubuntu' or any other user

* SSH permit root login
Development convenience script : $ curl -fsSL https://get.docker.com -o 
get-docker.sh $ sudo sh get-docker.sh

* Update README.md

* Classic server configuration
kubernetes-sigs/kubesrpay/issues/4293

* Bastion sudoers

* Update README.md

* - Package preinstall tasks sudo -> become: yes | no - Python 3 sudo pip3 install -r requirements.txt

* Ignore APT cache update errors [concurency lock issue](ansible/ansible#47322)

* kubernetes-sigs#2767

* Update setup_playbook.sh

* Bionic python3-dev

* Pip3

* Update master (#8) (#9)

b23prodtm added a commit to b23prodtm/kubespray that referenced this issue Apr 3, 2019
* Update master (#8)

* Development (#10)

* Set up k8s-cluster DNS configuration

* kube-proxy=iptables
initial dns setup=coredns

* Update to v1.13.5 checksums

* create user priv escalate

* weave network
ansible * --ask-become-pass

* fix up item.item dict object error

* Let python unversioned cmd

* Update 0060-resolvconf.yml

* Update install_host.yml

* my cluster configuration using 
- docker-ce (scale.yml's suppported)
- cri-o (light weight as raspberry's)

* Update hosts.ini

Raspberries 3 B+ and A+
b23prodtm added a commit to b23prodtm/kubespray that referenced this issue Apr 7, 2019
* Yamllint fixes (kubernetes-sigs#4410)

* Lint everything in the repository with yamllint

* yamllint fixes: syntax fixes only

* yamllint fixes: move comments to play names

* yamllint fixes: indent comments in .gitlab-ci.yml file

* add 1.14.0 checksum, remove 1.11.* checksums (kubernetes-sigs#4401)

* Remove kubedns and dnsmasq. Move dns_late phase after apps (kubernetes-sigs#4406)

Both kubedns and dnsmasq modes are long not maintained.
We should run dns_late steps at the end because sshd
makes DNS lookups during Ansible run and has 2s timeouts
for each failed lookup trying to connect to coredns before
it is ready.

* Speed up old docker package removal (kubernetes-sigs#4408)

Both the `yum` and `apt` modules support a list as input, this allows us avoid the slower `with_items` approach, which can take a long time with a large count of cluster nodes.

* Use install_cni init container for cni copy for calico/canal (kubernetes-sigs#4416)

* Fixed cleanup-docker-orphans.sh to use docker-containerd-shim and containerd-shim (kubernetes-sigs#4418)

* enable kubelet client certificate rotation (kubernetes-sigs#4081)

* enable kubelet client certificate rotation

* change to variable kubelet_rotate_certificates

* remove our config if docker start failed (kubernetes-sigs#4260)

* keep compatibility as it was before (kubernetes-sigs#4268)

* jmespath is required when re-running cluster.yml (kubernetes-sigs#4426)

* Update DNS Autoscaler to 1.4.0 (kubernetes-sigs#4425)

* Update DNS Autoscaler

* Update downloads too

* Fix yamllint

* Fix yamllint

* Update nodelocaldns cache settings (kubernetes-sigs#4423)

* Update CoreDNS to 1.4.0 (kubernetes-sigs#4422)

* Update CoreDNS to 1.4.0

* Update readme to reflect CoreDNS update

* Use docker.io for calico (kubernetes-sigs#4253)

* Add CI for contrib/terraform/ (kubernetes-sigs#4133)

* add Cinder allowVolumeExpansion option (kubernetes-sigs#4415)

* allow Suse OS family (kubernetes-sigs#4430)

* Remove bash-completion (kubernetes-sigs#4431)

* Tell git to ignore .terraform directory (kubernetes-sigs#4428)

The .terraform directory is populated when modules are downloaded:
https://www.terraform.io/docs/commands/get.html
"The modules are downloaded into a local .terraform folder. This folder should not be committed to version control."

* Fix pep8 warnings (kubernetes-sigs#4368)

* Update premoderator to fix Github API throttle (kubernetes-sigs#4424)

* Update premoderator to fix Github API throttle

* Update premoderator script

Add exit codes and document the exit code.

* Fix indentation
b23prodtm added a commit to b23prodtm/kubespray that referenced this issue Apr 7, 2019
* Upgrade to Helm 2.13.1 (kubernetes-sigs#4445)
b23prodtm added a commit to b23prodtm/kubespray that referenced this issue May 11, 2019
* Development (#10)

* Raspberry configuration : ARM is to rollback kubernetes v1.12.5

Note that flannel works on amd64, arm, arm64 and ppc64le.

https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/

Create setup_playbook.sh for ansible-architecture armv7l (RasPi)

* Trusted Ansible repository

* etcdctl must be manually installed on node from github.com/etcd-io/etcd/tree/release-3.1

* Update README.md

* checksums

* Bastion PI Readme FAQ

* armv7l -> arm64 compatibility mode with Pi3

* Git releases search for architectures binaries

* declare PI=pi # replace 'pi' with 'ubuntu' or any other user

* SSH permit root login
Development convenience script : $ curl -fsSL https://get.docker.com -o get-docker.sh $ sudo sh get-docker.sh

* Classic server configuration
kubernetes-sigs/kubesrpay/issues/4293

* Bastion sudoers

* Update README.md

* - Package preinstall tasks sudo -> become: yes | no - Python 3 sudo pip3 install -r requirements.txt

* Ignore APT cache update errors [concurrency lock issue](ansible/ansible#47322)

* kubernetes-sigs#2767

* Update setup_playbook.sh

* Bionic python3-dev
Pip3

* Update master (#8) (#9)

* fix(contrib/metallb): adds missing become: true in role (kubernetes-sigs#4356)

On CoreOS, without this, it fails to kubectl apply MetalLB due to lack of privileges.

* Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)

* Use sample inventory file in doc (kubernetes-sigs#4052)

* Revert "Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)" (kubernetes-sigs#4369)

This reverts commit ea7a6f1.

This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.

* Fix support for ansible 2.7.9 (kubernetes-sigs#4375)

* Use wide for netchecker debug output (kubernetes-sigs#4383)

* Added support of bastion host for reset.yaml (kubernetes-sigs#4359)

* Empty commit to trigger CI

* Use proxy_env with kubeadm phase commands (kubernetes-sigs#4325)

* clarify that kubespray now supports kubeadm (fixes kubernetes-sigs#4089) (kubernetes-sigs#4366)

* Reduce jinja2 filters in coredns templates (kubernetes-sigs#4390)

* Upgrade to k8s 1.13.5

* Increase CPU flavor for CI (kubernetes-sigs#4389)

* Fix CA cert environment variable for etcd v3 (kubernetes-sigs#4381)

* Added livenessProbe for local nginx apiserver proxy liveness probe (kubernetes-sigs#4222)

* Added configurable local apiserver proxy liveness probe

* Enable API LB healthcheck by default

* Fix template spacing and moved healthz location to nginx http section

* Fix healthcheck listen address to allow kubelet to request healthcheck

* Default values for variables dns_servers and dns_domain are set in two files: (kubernetes-sigs#3999)

values from inventory in roles/kubespray-defaults/defaults/main.yml
hardcoded values in roles/container-engine/defaults/main.yml

dns_servers set empty in roles/container-engine/defaults/main.yml and skydns_server not set in docker_dns_servers variables
also set default value for manual_dns_serve

other variables in roles/container-engine/defaults do not need to be set

* Fix bootstrap-os role, failing to create remote_tmp (kubernetes-sigs#4384)

* use ansible_remote_tmp hostvar

* Use static files in KubeDNS templating task (kubernetes-sigs#4379)

This commit adapts the "Lay Down KubeDNS Template" task to use the static
files moved by pull request [1]

[1] kubernetes-sigs#4341

* Fix supplementary_addresses rendering error (kubernetes-sigs#4403)

* Corrected cloud name (kubernetes-sigs#4316)

The correct name is Packet, not Packet Host.

* adapt inventory script to python 2.7 version (kubernetes-sigs#4407)

* Calico felix - Fix jinja2 boolean condition (kubernetes-sigs#4348)

* Fix jinja2 boolean condition

* Convert all felix variable to booleans instead.

* Set up k8s-cluster DNS configuration

* kube-proxy=iptables
initial dns setup=coredns

* Update to v1.13.5 checksums

* create user priv escalate

* weave network
ansible * --ask-become-pass

* fix up item.item dict object error

* Let python unversioned cmd

* Update 0060-resolvconf.yml

* Update install_host.yml

* Add PPA repos https://github.com/kubernetes-sigs/cri-o (crio) https://github.com/kubernetes-sigs/cri-tools (crictl)

* checksums
Raspberries 3 B+ and A+

* raspi A : mem config

* Help files and scripts

* Safe Calico Network
 Get current version of calico cluster version: async time increase,
* Quick start scripts Guidelines

* WIP Dashboard 
http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

* Host AP : HOSTAPD service ISC DHCP service IP MASQUERADE ifw rules [Gatewayed] hosts (bastion-ssh-config)
internet sharing /bridge
* Ubuntu before 1804 Bridge connection
Country code selection
* Netplan.io manager
* Strong encryption keys  https://www.ibm.com/developerworks/library/l-wifiencrypthostapd/index.html
* Timeouts
* Stateful DHCPv6
Don't mix interfaces dhcpd subnet leases. Define subnet for eth0 segment to retrieve expected server addresses.
Python3 script bastion host access point
* Set up DHCP wi-fi clients, and redeem ip sub-network wired internet (dhclient)
Script environment variables and rc.local