Revert "Use K8s 1.14 and add kubeadm experimental control plane mode (k…

…ubernetes-sigs#4317)" (kubernetes-sigs#4510)

This reverts commit 3165086.

README.md

@@ -108,7 +108,7 @@ Supported Components
 --------------------
 
 -   Core
-    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.14.0
+    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.13.5
     -   [etcd](https://github.com/coreos/etcd) v3.2.26
     -   [docker](https://www.docker.com/) v18.06 (see note)
     -   [rkt](https://github.com/rkt/rkt) v1.21.0 (see Note 2)

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -20,7 +20,7 @@ kube_users_dir: "{{ kube_config_dir }}/users"
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.14.0
+kube_version: v1.13.5
 
 # kubernetes image repo define
 kube_image_repo: "gcr.io/google-containers"

roles/download/defaults/main.yml

@@ -35,7 +35,7 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube
 image_arch: "{{host_architecture | default('amd64')}}"
 
 # Versions
-kube_version: v1.14.0
+kube_version: v1.13.5
 kubeadm_version: "{{ kube_version }}"
 etcd_version: v3.2.26
 

roles/kubernetes/client/tasks/main.yml

@@ -40,35 +40,18 @@
   run_once: yes
   when: kubeconfig_localhost|default(false)
 
-# NOTE(mattymo): Please forgive this workaround
 - name: Generate admin kubeconfig with external api endpoint
   shell: >-
-    {% if kubeadm_version is version('v1.14.0', '>=') %}
-    mkdir -p {{ kube_config_dir }}/external_kubeconfig &&
+    {{ bin_dir }}/kubeadm alpha
+    {% if kubeadm_version is version('v1.13.0', '<') %}
+    phase
     {% endif %}
-    {{ bin_dir }}/kubeadm
-    {% if kubeadm_version is version('v1.14.0', '>=') %}
-    init phase
-    {% elif kubeadm_version is version('v1.13.0', '>=') %}
-    alpha
-    {% else %}
-    alpha phase
-    {% endif %}
-    {% if kubeadm_version is version('v1.14.0', '>=') %}
-    kubeconfig admin
-    --kubeconfig-dir {{ kube_config_dir }}/external_kubeconfig
-    {% else %}
     kubeconfig user
     --client-name kubernetes-admin
     --org system:masters
-    {% endif %}
     --cert-dir {{ kube_config_dir }}/ssl
     --apiserver-advertise-address {{ external_apiserver_address }}
     --apiserver-bind-port {{ external_apiserver_port }}
-    {% if kubeadm_version is version('v1.14.0', '>=') %}
-    && cat {{ kube_config_dir }}/external_kubeconfig/admin.conf &&
-    rm -rf {{ kube_config_dir }}/external_kubeconfig
-    {% endif %}
   environment: "{{ proxy_env }}"
   run_once: yes
   register: admin_kubeconfig

roles/kubernetes/kubeadm/tasks/main.yml

@@ -26,12 +26,6 @@
   run_once: true
   register: temp_token
   delegate_to: "{{ groups['kube-master'][0] }}"
-  when: kubeadm_token is not defined
-
-- name: Set kubeadm_token to generated token
-  set_fact:
-    kubeadm_token: "{{ temp_token.stdout }}"
-  when: kubeadm_token is not defined
 
 - name: gets the kubeadm version
   command: "{{ bin_dir }}/kubeadm version -o short"
@@ -67,6 +61,8 @@
     dest: "{{ kube_config_dir }}/kubeadm-client.conf"
     backup: yes
   when: not is_kube_master
+  vars:
+    kubeadm_token: "{{ temp_token.stdout }}"
 
 - name: Join to cluster if needed
   environment:
@@ -126,21 +122,23 @@
     {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf get configmap kube-proxy -n kube-system -o yaml
     | sed 's#server:.*#server:\ {{ kube_apiserver_endpoint }}#g'
     | {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf replace -f -
+  delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_config_api_fqdn is not defined
+    - is_kube_master
     - kubeadm_discovery_address != kube_apiserver_endpoint
     - not kube_proxy_remove
   tags:
     - kube-proxy
 
 - name: Restart all kube-proxy pods to ensure that they load the new configmap
   shell: "{{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf delete pod -n kube-system -l k8s-app=kube-proxy --force --grace-period=0"
+  delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_config_api_fqdn is not defined
+    - is_kube_master
     - kubeadm_discovery_address != kube_apiserver_endpoint
     - not kube_proxy_remove
   tags:
@@ -161,10 +159,11 @@
 # is fixed
 - name: Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services
   shell: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf delete daemonset -n kube-system kube-proxy"
+  delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kube_proxy_remove
+    - is_kube_master
     - kubeadm_discovery_address != kube_apiserver_endpoint
   tags:
     - kube-proxy

roles/kubernetes/master/defaults/main/kube-proxy.yml

@@ -107,4 +107,4 @@ kube_proxy_resource_container: /kube-proxy
 
 # udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
 # Must be greater than 0. Only applicable for proxyMode=userspace.
-kube_proxy_udp_idle_timeout: 250ms
+kube_proxy_udp_idle_timeout: 250ms

roles/kubernetes/master/defaults/main/main.yml

@@ -23,18 +23,11 @@ kube_apiserver_storage_backend: etcd3
 # By default, force back to etcd2. Set to true to force etcd3 (experimental!)
 force_etcd3: false
 
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
-
 # Associated interfaces must be reachable by the rest of the cluster, and by
 # CLI/web clients.
 kube_controller_manager_bind_address: 0.0.0.0
 kube_scheduler_bind_address: 0.0.0.0
 
-# discovery_timeout modifies the discovery timeout
-discovery_timeout: 5m0s
-
 # audit support
 kubernetes_audit: false
 # path to audit log file
@@ -85,6 +78,7 @@ kube_apiserver_request_timeout: "1m0s"
 
 # 1.9 and below Admission control plug-ins
 kube_apiserver_admission_control:
+  - Initializers
   - NamespaceLifecycle
   - LimitRanger
   - ServiceAccount
@@ -105,7 +99,8 @@ kube_apiserver_enable_admission_plugins: []
 kube_apiserver_disable_admission_plugins: []
 
 # extra runtime config
-kube_api_runtime_config: []
+kube_api_runtime_config:
+  - admissionregistration.k8s.io/v1alpha1
 
 ## Enable/Disable Kube API Server Authentication Methods
 kube_basic_auth: false

roles/kubernetes/master/tasks/kubeadm-certificate.yml

@@ -12,3 +12,33 @@
     - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
     - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
   ignore_errors: yes
+
+- name: Remove old certs and keys
+  file:
+    path: "{{ kube_cert_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm init phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  environment: "{{ proxy_env }}"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '>=')
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm alpha phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  environment: "{{ proxy_env }}"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '<')

roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml

@@ -0,0 +1,34 @@
+---
+- name: Backup old configuration files
+  copy:
+    src: "{{ kube_config_dir }}/{{ item.src }}"
+    dest: "{{ kube_config_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: admin.conf, dest: admin.conf.old}
+    - {src: kubelet.conf, dest: kubelet.conf.old}
+    - {src: controller-manager.conf, dest: controller-manager.conf.old}
+    - {src: scheduler.conf, dest: scheduler.conf.old}
+  ignore_errors: yes
+
+- name: Remove old configuration files
+  file:
+    path: "{{ kube_config_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - admin.conf
+    - kubelet.conf
+    - controller-manager.conf
+    - scheduler.conf
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm init phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  environment: "{{ proxy_env }}"
+  when: kubeadm_version is version('v1.13.0', '>=')
+  ignore_errors: yes
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm alpha phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  environment: "{{ proxy_env }}"
+  when: kubeadm_version is version('v1.13.0', '<')
+  ignore_errors: yes

roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml

@@ -15,6 +15,6 @@
     - {src: front-proxy-client-key.pem, dest: front-proxy-client.key}
     - {src: service-account-key.pem, dest: sa.pub}
     - {src: service-account-key.pem, dest: sa.key}
-    - {src: "node-{{ inventory_hostname }}.pem", dest: apiserver-kubelet-client.crt}
-    - {src: "node-{{ inventory_hostname }}-key.pem", dest: apiserver-kubelet-client.key}
+    - {src: "node-{{ inventory_hostname }}.pem", dest: apiserver-kubelet-client.crt }
+    - {src: "node-{{ inventory_hostname }}-key.pem", dest: apiserver-kubelet-client.key }
   register: kubeadm_copy_old_certs