From e1219afe91e96dea7bb4cecc7b5829053456a390 Mon Sep 17 00:00:00 2001
From: Tomasz Arendt
Date: Mon, 20 Jul 2020 13:33:46 +0200
Subject: [PATCH 01/37] Workarund restart rabbitmq pods during patching #1395
---
.../kubernetes/reconfigure-rabbitmq-app.yml | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml
index 17cc3d10a9..07f654c2ac 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml
@@ -3,3 +3,74 @@ include_tasks: utils/patch-statefulset.yml vars: image_regexp: 'rabbitmq:.*' +- name: Change rabbitmq stateful set to use {{ image_registry_address }} + block: + - name: upgrade-master | Get rabbitmq statefulset name + environment: + KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + shell: |- + kubectl get statefulsets.apps --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.template.spec.containers[].image}{"\n"}{end}'| + grep -i rabbitmq | + awk '{print $1}' + changed_when: false + register: rabbit_mq_ss_name + args: + executable: /bin/bash + - name: upgrade-master | Get rabbitmq namespace + environment: + KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + shell: |- + kubectl get statefulsets.apps --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.template.spec.containers[].image}{"\n"}{end}'| + grep -i rabbitmq | + awk '{print $1}' + changed_when: false + register: rabbit_mq_namespace + args: + executable: /bin/bash + - name: upgrade-master | Get rabbitmq image + environment: + KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + shell: |- + kubectl get statefulsets.apps {{ rabbit_mq_ss_name.stdout }} -n {{ rabbit_mq_namespace.stdout }} -o=jsonpath='{$.spec.template.spec.containers[:1].image}' + changed_when: false + register: rabbit_mq_repository + args: + executable: /bin/bash + when: + - not rabbit_mq_namespace.stdout == "" + - name: upgrade-master | Patch rabbitmq to use {{ image_registry_address }} + environment: + KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + shell: |- + set -o pipefail && + kubectl patch statefulsets.apps {{ rabbit_mq_ss_name.stdout }} -n {{ rabbit_mq_namespace.stdout }} --patch '{"spec": {"template": { "spec": { "containers": [ { "image": "{{ image_registry_address }}/{{ rabbit_mq_repository.stdout }}", "name": "{{ rabbit_mq_ss_name.stdout }}" }]}}}}' + args: + executable: /bin/bash + when: + - not rabbit_mq_namespace.stdout == "" + - not 
image_registry_address in rabbit_mq_repository.stdout + - name: upgrade-master | Get rabbitmq pod names + environment: + KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + shell: |- + set -o pipefail && + kubectl get pod -n {{ rabbit_mq_namespace.stdout }} -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}' + changed_when: false + register: rabbit_mq_pod_names + args: + executable: /bin/bash + when: + - not rabbit_mq_namespace.stdout == "" + - name: upgrade-master | Delete rabbitmq pods + environment: + KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + shell: |- + set -o pipefail && + kubectl delete pod --namespace {{ rabbit_mq_namespace.stdout }} {{ item }} + changed_when: false + args: + executable: /bin/bash + loop: "{{ rabbit_mq_pod_names.stdout_lines }}" + when: + - not rabbit_mq_namespace.stdout == "" + - not rabbit_mq_pod_names.stdout == "" From 2d530743bd79e643ee42276afa4f5bc5592db4be Mon Sep 17 00:00:00 2001 From: Tomasz Arendt Date: Fri, 31 Jul 2020 10:23:36 +0200 Subject: [PATCH 02/37] fix due to review --- .../tasks/kubernetes/reconfigure-rabbitmq-app.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml index 07f654c2ac..eb415dfe38 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml 
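Review bot: The `Get rabbitmq pod names` task lists every pod in the namespace (`kubectl get pod -n {{ rabbit_mq_namespace.stdout }}` with no selector), so `Delete rabbitmq pods` restarts whatever else is scheduled there, not only the RabbitMQ replicas. Narrow the query with a label selector, e.g. `kubectl get pod -n {{ rabbit_mq_namespace.stdout }} -l <rabbitmq-pod-label> ...`, where the label is a placeholder to be taken from the statefulset's pod template, or filter the names against the statefulset name. The delete task also sets `changed_when: false`, which reports a destructive step as unchanged in the run summary; dropping that line keeps the audit trail honest. Both tasks keep the same scope in the hunks of PATCH 02/37 and PATCH 03/37.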
@@ -52,24 +52,16 @@ - name: upgrade-master | Get rabbitmq pod names environment: KUBECONFIG: /home/{{ admin_user.name }}/.kube/config - shell: |- - set -o pipefail && - kubectl get pod -n {{ rabbit_mq_namespace.stdout }} -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}' + command: kubectl get pod -n {{ rabbit_mq_namespace.stdout }} -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}' changed_when: false register: rabbit_mq_pod_names - args: - executable: /bin/bash when: - not rabbit_mq_namespace.stdout == "" - name: upgrade-master | Delete rabbitmq pods environment: KUBECONFIG: /home/{{ admin_user.name }}/.kube/config - shell: |- - set -o pipefail && - kubectl delete pod --namespace {{ rabbit_mq_namespace.stdout }} {{ item }} + command: kubectl delete pod --namespace {{ rabbit_mq_namespace.stdout }} {{ item }} changed_when: false - args: - executable: /bin/bash loop: "{{ rabbit_mq_pod_names.stdout_lines }}" when: - not rabbit_mq_namespace.stdout == "" From f7fb93c5754f2ffa9c97080e5255b09a9e774253 Mon Sep 17 00:00:00 2001 From: Tomasz Arendt Date: Thu, 6 Aug 2020 20:10:03 +0200 Subject: [PATCH 03/37] fixes after review, remove redundant code --- .../kubernetes/reconfigure-rabbitmq-app.yml | 52 +++---------------- 1 file changed, 8 insertions(+), 44 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml index eb415dfe38..cb6fe298c2 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml 
@@ -1,65 +1,29 @@ --- - name: k8s/master | Patch rabbitmq's statefulset include_tasks: utils/patch-statefulset.yml - vars: - image_regexp: 'rabbitmq:.*' -- name: Change rabbitmq stateful set to use {{ image_registry_address }} +- name: Delete rabbitmq pods after patching block: - - name: upgrade-master | Get rabbitmq statefulset name + - name: after-patching | Get rabbitmq namespace environment: - KUBECONFIG: /home/{{ admin_user.name }}/.kube/config - shell: |- - kubectl get statefulsets.apps --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.template.spec.containers[].image}{"\n"}{end}'| - grep -i rabbitmq | - awk '{print $1}' - changed_when: false - register: rabbit_mq_ss_name - args: - executable: /bin/bash - - name: upgrade-master | Get rabbitmq namespace - environment: - KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + KUBECONFIG: &KUBECONFIG /etc/kubernetes/admin.conf shell: |- kubectl get statefulsets.apps --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.template.spec.containers[].image}{"\n"}{end}'| - grep -i rabbitmq | - awk '{print $1}' + awk '/rabbitmq/ {print $1}' changed_when: false register: rabbit_mq_namespace args: executable: /bin/bash - - name: upgrade-master | Get rabbitmq image - environment: - KUBECONFIG: /home/{{ admin_user.name }}/.kube/config - shell: |- - kubectl get statefulsets.apps {{ rabbit_mq_ss_name.stdout }} -n {{ rabbit_mq_namespace.stdout }} -o=jsonpath='{$.spec.template.spec.containers[:1].image}' - changed_when: false - register: rabbit_mq_repository - args: - executable: /bin/bash - when: - - not rabbit_mq_namespace.stdout == "" - - name: upgrade-master | Patch rabbitmq to use {{ image_registry_address }} - environment: - KUBECONFIG: /home/{{ admin_user.name }}/.kube/config - shell: |- - set -o pipefail && - kubectl patch statefulsets.apps {{ rabbit_mq_ss_name.stdout }} -n {{ rabbit_mq_namespace.stdout }} --patch '{"spec": {"template": { "spec": { "containers": [ { 
"image": "{{ image_registry_address }}/{{ rabbit_mq_repository.stdout }}", "name": "{{ rabbit_mq_ss_name.stdout }}" }]}}}}' - args: - executable: /bin/bash - when: - - not rabbit_mq_namespace.stdout == "" - - not image_registry_address in rabbit_mq_repository.stdout - - name: upgrade-master | Get rabbitmq pod names + - name: after-patching | Get rabbitmq pod names environment: - KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + KUBECONFIG: *KUBECONFIG command: kubectl get pod -n {{ rabbit_mq_namespace.stdout }} -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}' changed_when: false register: rabbit_mq_pod_names when: - not rabbit_mq_namespace.stdout == "" - - name: upgrade-master | Delete rabbitmq pods + - name: after-patching | Delete rabbitmq pods environment: - KUBECONFIG: /home/{{ admin_user.name }}/.kube/config + KUBECONFIG: *KUBECONFIG command: kubectl delete pod --namespace {{ rabbit_mq_namespace.stdout }} {{ item }} changed_when: false loop: "{{ rabbit_mq_pod_names.stdout_lines }}" From a04d35b6877a3830bdc78eb22b84d543bbc1c5f8 Mon Sep 17 00:00:00 2001 From: rafzei <13080132+rafzei@users.noreply.github.com> Date: Thu, 6 Aug 2020 20:25:36 +0200 Subject: [PATCH 04/37] Upgrade Filebeat to version 7.8.1 --- .../roles/filebeat/defaults/main.yml | 2 +- .../roles/filebeat/templates/filebeat.yml.j2 | 104 ++++++++++++++---- .../centos-7/requirements.txt | 2 +- .../redhat-7/requirements.txt | 2 +- .../ubuntu-18.04/requirements.txt | 2 +- .../roles/upgrade/tasks/filebeat.yml | 38 ++----- .../data/common/ansible/playbooks/upgrade.yml | 16 ++- .../defaults/configuration/filebeat.yml | 2 +- 8 files changed, 103 insertions(+), 65 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml index 469837f5d4..b3f2ea449d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml 
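Review bot: The rewritten `Get rabbitmq namespace` pipeline runs without `set -o pipefail`, so a failing `kubectl get` still ends with awk's exit status 0 and an empty stdout, and the two following tasks are then skipped by their `when` conditions with no error reported. Starting the script with `set -o pipefail &&` (bash is already the executable) would surface that failure. `awk '/rabbitmq/ {print $1}'` prints one line per matching statefulset and matches anywhere on the line, so more than one match puts a multi-line value into `-n {{ rabbit_mq_namespace.stdout }}`; an `assert` that `rabbit_mq_namespace.stdout_lines | length <= 1` before the pod tasks would be a cheap guard. Because `KUBECONFIG` now points at `/etc/kubernetes/admin.conf`, a comment such as `# admin.conf carries cluster-admin credentials; these tasks presumably need become on a control-plane host` would document the privilege this block relies on.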
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml @@ -1,3 +1,3 @@ --- specification: - filebeat_version: "6.8.5" \ No newline at end of file + filebeat_version: "7.8.1" \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 index 357905a5f4..28868c237f 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 @@ -19,7 +19,7 @@ filebeat.inputs: - type: log enabled: true - # Paths (in alphabetical order) that should be crawled and fetched. Glob based paths. + # Paths that should be crawled and fetched. Glob based paths. paths: # - /var/log/audit/audit.log - /var/log/auth.log @@ -34,7 +34,7 @@ filebeat.inputs: - /var/log/secure - /var/log/syslog - # Exclude lines. A list of regular expressions to match. It drops the lines that are + # Exclude lines. A list of regular expressions to match. It drops the lines that are # matching any regular expression from the list. #exclude_lines: ['^DBG'] @@ -67,9 +67,10 @@ filebeat.inputs: # that was (not) matched before or after or as long as a pattern is not matched based on negate. # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after + {% if 'postgresql' in group_names %} -#--- PostgreSQL --- +# ============================== PostgreSQL ============================== # Filebeat postgresql module doesn't support custom log_line_prefix (without patching), see https://discuss.elastic.co/t/filebeats-with-postgresql-module-custom-log-line-prefix/204457 # Dedicated configuration to handle log messages spanning multiple lines. 
@@ -85,9 +86,10 @@ filebeat.inputs: negate: true match: after {% endif %} + {% if 'kubernetes_master' in group_names or 'kubernetes_node' in group_names %} -#--- Kubernetes --- +# ============================== Kubernetes ============================== # K8s metadata are fetched from Docker labels to not make Filebeat on worker nodes dependent on K8s master # since Filebeat should start even if K8s master is not available. @@ -112,7 +114,7 @@ filebeat.inputs: - docker # Drop all fields added by 'add_docker_metadata' that were not renamed {% endif %} -#============================= Filebeat modules =============================== +# ============================== Filebeat modules ============================== filebeat.config.modules: # Glob pattern for configuration loading @@ -124,14 +126,14 @@ filebeat.config.modules: # Period on which files under path should be checked for changes #reload.period: 10s -#==================== Elasticsearch template setting ========================== +# ======================= Elasticsearch template setting ======================= setup.template.settings: index.number_of_shards: 3 #index.codec: best_compression #_source.enabled: false -#================================ General ===================================== +# ================================== General =================================== # The name of the shipper that publishes the network data. It can be used to group # all the transactions sent by a single shipper in the web interface. 
@@ -147,11 +149,11 @@ setup.template.settings: # env: staging -#============================== Dashboards ===================================== +# ================================= Dashboards ================================= # These settings control loading the sample dashboards to the Kibana index. Loading # the dashboards is disabled by default and can be enabled either by setting the -# options here, or by using the `-setup` CLI flag or the `setup` command. -#setup.dashboards.enabled: true +# options here or by using the `setup` command. +#setup.dashboards.enabled: false # The URL from where to download the dashboards archive. By default this URL # has a value which is computed based on the Beat name and version. For released 
@@ -159,6 +161,42 @@ setup.template.settings: # website. #setup.dashboards.url: +# ====================== Index Lifecycle Management (ILM) ====================== + +# Configure index lifecycle management (ILM). These settings create a write +# alias and add additional settings to the index template. When ILM is enabled, +# output.elasticsearch.index is ignored, and the write alias is used to set the +# index name. + +# Enable ILM support. Valid values are true, false, and auto. When set to auto +# (the default), the Beat uses index lifecycle management when it connects to a +# cluster that supports ILM; otherwise, it creates daily indices. +# Disabled because ILM is not enabled by default in Epiphany +setup.ilm.enabled: false + +# Set the prefix used in the index lifecycle write alias name. The default alias +# name is 'filebeat-%{[agent.version]}'. +#setup.ilm.rollover_alias: 'filebeat' + +# Set the rollover index pattern. The default is "%{now/d}-000001". +#setup.ilm.pattern: "{now/d}-000001" + +# Set the lifecycle policy name. The default policy name is +# 'beatname'. +#setup.ilm.policy_name: "mypolicy" + +# The path to a JSON file that contains a lifecycle policy configuration. Used +# to load your own lifecycle policy. +#setup.ilm.policy_file: + +# Disable the check for an existing lifecycle policy. The default is true. If +# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy +# can be installed. +#setup.ilm.check_exists: true + +# Overwrite the lifecycle policy at startup. The default is false. +#setup.ilm.overwrite: false + #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. 
@@ -182,9 +220,9 @@ setup.template.settings: # the Default Space will be used. #space.id: -#============================= Elastic Cloud ================================== +# =============================== Elastic Cloud ================================ -# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). +# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/). # The cloud.id setting overwrites the `output.elasticsearch.hosts` and # `setup.kibana.host` options. @@ -210,19 +248,24 @@ output.elasticsearch: - "https://{{hostvars[host]['ansible_hostname']}}:9200" {% endfor %} + # Protocol - either `http` (default) or `https`. protocol: "https" ssl.verification_mode: none username: logstash password: logstash {% else %} hosts: [] + # Protocol - either `http` (default) or `https`. #protocol: "https" + #ssl.verification_mode: none + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" #username: "elastic" #password: "changeme" {% endif %} -#----------------------------- Logstash output -------------------------------- +# ------------------------------ Logstash Output ------------------------------- #output.logstash: # The Logstash hosts #hosts: ["localhost:5044"] 
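Review bot: The new commented example `#ssl.verification_mode: none` in the fallback branch of the `@@ -210,19 +248,24 @@` hunk documents switching certificate verification off, while the active branch just above keeps `ssl.verification_mode: none` together with the literal `username: logstash` / `password: logstash`, so these credentials are sent to a peer whose certificate is never checked. Prefer pointing Filebeat at the cluster CA with `ssl.certificate_authorities` and leaving verification at its default, and take the credentials from inventory variables instead of literals in the template. If verification has to stay off for now, say so next to the setting, e.g. `# TODO: verification disabled until <reason>; credentials go to an unverified peer`. The same hunk appears again in PATCH 05/37, and the `output.elasticsearch` mapping starts above this hunk.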
@@ -237,15 +280,17 @@ output.elasticsearch: # Client Certificate Key #ssl.key: "/etc/pki/client/cert.key" -#================================ Processors ===================================== +# ================================= Processors ================================= # Configure processors to enhance or manipulate events generated by the beat. processors: #- add_host_metadata: ~ - add_cloud_metadata: ~ + #- add_docker_metadata: ~ + #- add_kubernetes_metadata: ~ -#================================ Logging ===================================== +# ================================== Logging =================================== # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug 
@@ -256,17 +301,30 @@ processors: # "publish", "service". #logging.selectors: ["*"] -#============================== Xpack Monitoring =============================== -# filebeat can export internal metrics to a central Elasticsearch monitoring +# ============================= X-Pack Monitoring ============================== +# Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # reporting is disabled by default. # Set to true to enable the monitoring reporter. -#xpack.monitoring.enabled: false +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: # Uncomment to send the metrics to Elasticsearch. Most settings from the -# Elasticsearch output are accepted here as well. Any setting that is not set is -# automatically inherited from the Elasticsearch output configuration, so if you -# have the Elasticsearch output configured, you can simply uncomment the -# following line. -#xpack.monitoring.elasticsearch: +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ================================= Migration ================================== + +# Enable the compatibility layer for Elastic Common Schema (ECS) fields. +# This allows to enable 6 > 7 migration aliases. +#migration.6_to_7.enabled: true \ No newline at end of file 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt index ceb76a1c4c..d81c7d75ea 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt @@ -36,7 +36,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-6.8.5 # actually it's filebeat-oss +filebeat-7.8.1 # actually it's filebeat-oss firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt index 7dfd9cd12c..425ec0570d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt @@ -35,7 +35,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-6.8.5 # actually it's filebeat-oss +filebeat-7.8.1 # actually it's filebeat-oss firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt index b90528cf33..33131ecaad 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt 
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt @@ -17,7 +17,7 @@ elasticsearch-oss 6.8.5 elasticsearch-oss 7.3.2 erlang-nox ethtool -filebeat 6.8.5 +filebeat 7.8.1 firewalld fping gnupg2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml index e15bbb1e79..28968937c6 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml @@ -1,16 +1,16 @@ --- -- name: Get information about installed packages as facts +- name: Filebeat | Get information about installed packages as facts package_facts: manager: auto when: ansible_facts.packages is undefined -- name: Test if filebeat package is installed +- name: Filebeat | Test if filebeat package is installed assert: that: ansible_facts.packages['filebeat'] is defined fail_msg: filebeat package not found, nothing to update quiet: true -- name: Print filebeat versions +- name: Filebeat | Print versions debug: msg: - "Installed version: {{ ansible_facts.packages['filebeat'][0].version }}" 
@@ -18,29 +18,11 @@ - name: Update Filebeat block: - - name: Get values for filebeat.yml template from existing configuration - block: - - name: Load /etc/filebeat/filebeat.yml - slurp: - src: /etc/filebeat/filebeat.yml - register: filebeat_config_yml - - - name: Set filebeat.yml content as fact - set_fact: - filebeat_exisitng_config: "{{ filebeat_config_yml.content | b64decode | from_yaml }}" - - - name: Set value for output.elasticsearch.hosts - set_fact: - output_elasticsearch_hosts: "{{ filebeat_exisitng_config['output.elasticsearch'].hosts }}" - when: - - filebeat_exisitng_config['output.elasticsearch'].hosts is defined - - filebeat_exisitng_config['output.elasticsearch'].hosts | length > 0 - - - name: Set value for setup.kibana.host - set_fact: - setup_kibana_host: "{{ filebeat_exisitng_config['setup.kibana'].host }}" - when: - - filebeat_exisitng_config['setup.kibana'].host is defined + - name: Filebeat | Backup configuration file (filebeat.yml) + copy: + remote_src: yes + src: /etc/filebeat/filebeat.yml + dest: /etc/filebeat/filebeat.yml.bak_{{ ansible_facts.packages['filebeat'][0].version }} - import_role: name: filebeat @@ -52,6 +34,6 @@ - import_role: name: filebeat - tasks_from: configure-filebeat + tasks_from: configure-filebeat when: - - specification.filebeat_version is version(ansible_facts.packages['filebeat'][0].version, '>=') \ No newline at end of file + - specification.filebeat_version is version(ansible_facts.packages['filebeat'][0].version, '>=') diff --git a/core/src/epicli/data/common/ansible/playbooks/upgrade.yml b/core/src/epicli/data/common/ansible/playbooks/upgrade.yml index 2226c4a7d9..7f1b447064 100644 --- a/core/src/epicli/data/common/ansible/playbooks/upgrade.yml +++ b/core/src/epicli/data/common/ansible/playbooks/upgrade.yml 
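Review bot: The new backup task copies `/etc/filebeat/filebeat.yml` without `mode`, `owner` or `group`, so the `.bak_<version>` file is created under the system umask and may be readable by more users than the live config, which (per the template in this patch) holds the Elasticsearch username and password. Add an explicit restrictive mode to the `copy` task, for example `mode: '0600'` if the live file is meant to be root-only. `remote_src: yes` would also read more consistently as `remote_src: true`, matching the `become: true` style used in upgrade.yml. The enclosing `Update Filebeat` block continues outside this hunk.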
@@ -89,15 +89,13 @@ name: upgrade tasks_from: elasticsearch-curator -# Disabling Filebeat upgrade. This will be included in future releases. -# -# - hosts: filebeat -# become: true -# become_method: sudo -# tasks: -# - import_role: -# name: upgrade -# tasks_from: filebeat +- hosts: filebeat + become: true + become_method: sudo + tasks: + - import_role: + name: upgrade + tasks_from: filebeat - hosts: kafka serial: 1 diff --git a/core/src/epicli/data/common/defaults/configuration/filebeat.yml b/core/src/epicli/data/common/defaults/configuration/filebeat.yml index ad28e73d98..c5157d3178 100644 --- a/core/src/epicli/data/common/defaults/configuration/filebeat.yml +++ b/core/src/epicli/data/common/defaults/configuration/filebeat.yml @@ -2,4 +2,4 @@ kind: configuration/filebeat title: Filebeat name: default specification: - filebeat_version: "6.8.5" + filebeat_version: "7.8.1" From 3eacc516d1bfa986bd0e1dab75eafb796b2c014b Mon Sep 17 00:00:00 2001 From: rafzei <13080132+rafzei@users.noreply.github.com> Date: Thu, 6 Aug 2020 20:25:36 +0200 Subject: [PATCH 05/37] Upgrade Filebeat to version 7.8.1 --- .../roles/filebeat/defaults/main.yml | 2 +- .../roles/filebeat/templates/filebeat.yml.j2 | 104 ++++++++++++++---- .../centos-7/requirements.txt | 2 +- .../redhat-7/requirements.txt | 2 +- .../ubuntu-18.04/requirements.txt | 2 +- .../roles/upgrade/tasks/filebeat.yml | 38 ++----- .../data/common/ansible/playbooks/upgrade.yml | 16 ++- .../defaults/configuration/filebeat.yml | 2 +- 8 files changed, 103 insertions(+), 65 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml index 469837f5d4..b3f2ea449d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml 
@@ -1,3 +1,3 @@ --- specification: - filebeat_version: "6.8.5" \ No newline at end of file + filebeat_version: "7.8.1" \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 index 357905a5f4..28868c237f 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 @@ -19,7 +19,7 @@ filebeat.inputs: - type: log enabled: true - # Paths (in alphabetical order) that should be crawled and fetched. Glob based paths. + # Paths that should be crawled and fetched. Glob based paths. paths: # - /var/log/audit/audit.log - /var/log/auth.log @@ -34,7 +34,7 @@ filebeat.inputs: - /var/log/secure - /var/log/syslog - # Exclude lines. A list of regular expressions to match. It drops the lines that are + # Exclude lines. A list of regular expressions to match. It drops the lines that are # matching any regular expression from the list. #exclude_lines: ['^DBG'] @@ -67,9 +67,10 @@ filebeat.inputs: # that was (not) matched before or after or as long as a pattern is not matched based on negate. # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after + {% if 'postgresql' in group_names %} -#--- PostgreSQL --- +# ============================== PostgreSQL ============================== # Filebeat postgresql module doesn't support custom log_line_prefix (without patching), see https://discuss.elastic.co/t/filebeats-with-postgresql-module-custom-log-line-prefix/204457 # Dedicated configuration to handle log messages spanning multiple lines. 
@@ -85,9 +86,10 @@ filebeat.inputs: negate: true match: after {% endif %} + {% if 'kubernetes_master' in group_names or 'kubernetes_node' in group_names %} -#--- Kubernetes --- +# ============================== Kubernetes ============================== # K8s metadata are fetched from Docker labels to not make Filebeat on worker nodes dependent on K8s master # since Filebeat should start even if K8s master is not available. @@ -112,7 +114,7 @@ filebeat.inputs: - docker # Drop all fields added by 'add_docker_metadata' that were not renamed {% endif %} -#============================= Filebeat modules =============================== +# ============================== Filebeat modules ============================== filebeat.config.modules: # Glob pattern for configuration loading @@ -124,14 +126,14 @@ filebeat.config.modules: # Period on which files under path should be checked for changes #reload.period: 10s -#==================== Elasticsearch template setting ========================== +# ======================= Elasticsearch template setting ======================= setup.template.settings: index.number_of_shards: 3 #index.codec: best_compression #_source.enabled: false -#================================ General ===================================== +# ================================== General =================================== # The name of the shipper that publishes the network data. It can be used to group # all the transactions sent by a single shipper in the web interface. 
@@ -147,11 +149,11 @@ setup.template.settings: # env: staging -#============================== Dashboards ===================================== +# ================================= Dashboards ================================= # These settings control loading the sample dashboards to the Kibana index. Loading # the dashboards is disabled by default and can be enabled either by setting the -# options here, or by using the `-setup` CLI flag or the `setup` command. -#setup.dashboards.enabled: true +# options here or by using the `setup` command. +#setup.dashboards.enabled: false # The URL from where to download the dashboards archive. By default this URL # has a value which is computed based on the Beat name and version. For released 
@@ -159,6 +161,42 @@ setup.template.settings: # website. #setup.dashboards.url: +# ====================== Index Lifecycle Management (ILM) ====================== + +# Configure index lifecycle management (ILM). These settings create a write +# alias and add additional settings to the index template. When ILM is enabled, +# output.elasticsearch.index is ignored, and the write alias is used to set the +# index name. + +# Enable ILM support. Valid values are true, false, and auto. When set to auto +# (the default), the Beat uses index lifecycle management when it connects to a +# cluster that supports ILM; otherwise, it creates daily indices. +# Disabled because ILM is not enabled by default in Epiphany +setup.ilm.enabled: false + +# Set the prefix used in the index lifecycle write alias name. The default alias +# name is 'filebeat-%{[agent.version]}'. +#setup.ilm.rollover_alias: 'filebeat' + +# Set the rollover index pattern. The default is "%{now/d}-000001". +#setup.ilm.pattern: "{now/d}-000001" + +# Set the lifecycle policy name. The default policy name is +# 'beatname'. +#setup.ilm.policy_name: "mypolicy" + +# The path to a JSON file that contains a lifecycle policy configuration. Used +# to load your own lifecycle policy. +#setup.ilm.policy_file: + +# Disable the check for an existing lifecycle policy. The default is true. If +# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy +# can be installed. +#setup.ilm.check_exists: true + +# Overwrite the lifecycle policy at startup. The default is false. +#setup.ilm.overwrite: false + #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. 
@@ -182,9 +220,9 @@ setup.template.settings: # the Default Space will be used. #space.id: -#============================= Elastic Cloud ================================== +# =============================== Elastic Cloud ================================ -# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). +# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/). # The cloud.id setting overwrites the `output.elasticsearch.hosts` and # `setup.kibana.host` options. @@ -210,19 +248,24 @@ output.elasticsearch: - "https://{{hostvars[host]['ansible_hostname']}}:9200" {% endfor %} + # Protocol - either `http` (default) or `https`. protocol: "https" ssl.verification_mode: none username: logstash password: logstash {% else %} hosts: [] + # Protocol - either `http` (default) or `https`. #protocol: "https" + #ssl.verification_mode: none + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" #username: "elastic" #password: "changeme" {% endif %} -#----------------------------- Logstash output -------------------------------- +# ------------------------------ Logstash Output ------------------------------- #output.logstash: # The Logstash hosts #hosts: ["localhost:5044"] 
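Review bot: The configured branch of `output.elasticsearch` in the second hunk still ships `ssl.verification_mode: none` next to the literal `username: logstash` / `password: logstash`, so Filebeat presents those credentials and all log data to any endpoint that answers on port 9200, without checking its certificate. Since the block is already being reworked for 7.8.1, I would render `ssl.verification_mode: full` with `ssl.certificate_authorities: ["<path to cluster CA>"]` and take the username and password from the cluster specification instead of literals. The commented `#ssl.verification_mode: none` added to the `{% else %}` branch also offers the insecure value as the line to uncomment; `full` would be the safer hint. The `output.elasticsearch` mapping starts before this hunk.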
@@ -237,15 +280,17 @@ output.elasticsearch: # Client Certificate Key #ssl.key: "/etc/pki/client/cert.key" -#================================ Processors ===================================== +# ================================= Processors ================================= # Configure processors to enhance or manipulate events generated by the beat. processors: #- add_host_metadata: ~ - add_cloud_metadata: ~ + #- add_docker_metadata: ~ + #- add_kubernetes_metadata: ~ -#================================ Logging ===================================== +# ================================== Logging =================================== # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug 
@@ -256,17 +301,30 @@ processors: # "publish", "service". #logging.selectors: ["*"] -#============================== Xpack Monitoring =============================== -# filebeat can export internal metrics to a central Elasticsearch monitoring +# ============================= X-Pack Monitoring ============================== +# Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # reporting is disabled by default. # Set to true to enable the monitoring reporter. -#xpack.monitoring.enabled: false +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: # Uncomment to send the metrics to Elasticsearch. Most settings from the -# Elasticsearch output are accepted here as well. Any setting that is not set is -# automatically inherited from the Elasticsearch output configuration, so if you -# have the Elasticsearch output configured, you can simply uncomment the -# following line. -#xpack.monitoring.elasticsearch: +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ================================= Migration ================================== + +# Enable the compatibility layer for Elastic Common Schema (ECS) fields. +# This allows to enable 6 > 7 migration aliases. +#migration.6_to_7.enabled: true \ No newline at end of file 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt index fd4dfbc139..996dd8f2da 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt @@ -36,7 +36,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-6.8.5 # actually it's filebeat-oss +filebeat-7.8.1 # actually it's filebeat-oss firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt index ebb731c231..f527d4f20b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt @@ -35,7 +35,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-6.8.5 # actually it's filebeat-oss +filebeat-7.8.1 # actually it's filebeat-oss firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt index 1bd5ae303b..3cd962a281 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt 
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt @@ -17,7 +17,7 @@ elasticsearch-oss 6.8.5 elasticsearch-oss 7.3.2 erlang-nox ethtool -filebeat 6.8.5 +filebeat 7.8.1 firewalld fping gnupg2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml index e15bbb1e79..28968937c6 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml @@ -1,16 +1,16 @@ --- -- name: Get information about installed packages as facts +- name: Filebeat | Get information about installed packages as facts package_facts: manager: auto when: ansible_facts.packages is undefined -- name: Test if filebeat package is installed +- name: Filebeat | Test if filebeat package is installed assert: that: ansible_facts.packages['filebeat'] is defined fail_msg: filebeat package not found, nothing to update quiet: true -- name: Print filebeat versions +- name: Filebeat | Print versions debug: msg: - "Installed version: {{ ansible_facts.packages['filebeat'][0].version }}" 
@@ -18,29 +18,11 @@ - name: Update Filebeat block: - - name: Get values for filebeat.yml template from existing configuration - block: - - name: Load /etc/filebeat/filebeat.yml - slurp: - src: /etc/filebeat/filebeat.yml - register: filebeat_config_yml - - - name: Set filebeat.yml content as fact - set_fact: - filebeat_exisitng_config: "{{ filebeat_config_yml.content | b64decode | from_yaml }}" - - - name: Set value for output.elasticsearch.hosts - set_fact: - output_elasticsearch_hosts: "{{ filebeat_exisitng_config['output.elasticsearch'].hosts }}" - when: - - filebeat_exisitng_config['output.elasticsearch'].hosts is defined - - filebeat_exisitng_config['output.elasticsearch'].hosts | length > 0 - - - name: Set value for setup.kibana.host - set_fact: - setup_kibana_host: "{{ filebeat_exisitng_config['setup.kibana'].host }}" - when: - - filebeat_exisitng_config['setup.kibana'].host is defined + - name: Filebeat | Backup configuration file (filebeat.yml) + copy: + remote_src: yes + src: /etc/filebeat/filebeat.yml + dest: /etc/filebeat/filebeat.yml.bak_{{ ansible_facts.packages['filebeat'][0].version }} - import_role: name: filebeat @@ -52,6 +34,6 @@ - import_role: name: filebeat - tasks_from: configure-filebeat + tasks_from: configure-filebeat when: - - specification.filebeat_version is version(ansible_facts.packages['filebeat'][0].version, '>=') \ No newline at end of file + - specification.filebeat_version is version(ansible_facts.packages['filebeat'][0].version, '>=') diff --git a/core/src/epicli/data/common/ansible/playbooks/upgrade.yml b/core/src/epicli/data/common/ansible/playbooks/upgrade.yml index 2226c4a7d9..7f1b447064 100644 --- a/core/src/epicli/data/common/ansible/playbooks/upgrade.yml +++ b/core/src/epicli/data/common/ansible/playbooks/upgrade.yml 
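Review bot: The added `Filebeat | Backup configuration file (filebeat.yml)` task sets no `mode` or `owner` on the copy, and the Filebeat configuration template changed earlier in this series carries the Elasticsearch username and password. I would pin the backup explicitly with `mode: "0600"` rather than rely on how the copy module handles `remote_src` in the Ansible version in use, and write the boolean as `remote_src: true`. The same applies to the `.OLD` copy of `/etc/kubernetes/pki/apiserver.key` made in apiserver-generate-certificates.yml later in this series. The `Update Filebeat` block begins before the changed lines and continues after them.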
@@ -89,15 +89,13 @@ name: upgrade tasks_from: elasticsearch-curator -# Disabling Filebeat upgrade. This will be included in future releases. -# -# - hosts: filebeat -# become: true -# become_method: sudo -# tasks: -# - import_role: -# name: upgrade -# tasks_from: filebeat +- hosts: filebeat + become: true + become_method: sudo + tasks: + - import_role: + name: upgrade + tasks_from: filebeat - hosts: kafka serial: 1 diff --git a/core/src/epicli/data/common/defaults/configuration/filebeat.yml b/core/src/epicli/data/common/defaults/configuration/filebeat.yml index ad28e73d98..c5157d3178 100644 --- a/core/src/epicli/data/common/defaults/configuration/filebeat.yml +++ b/core/src/epicli/data/common/defaults/configuration/filebeat.yml @@ -2,4 +2,4 @@ kind: configuration/filebeat title: Filebeat name: default specification: - filebeat_version: "6.8.5" + filebeat_version: "7.8.1" From fcfbe39d0f68056473bc0fc2d67c508f3fef7846 Mon Sep 17 00:00:00 2001 From: TolikT Date: Fri, 7 Aug 2020 14:00:30 +0200 Subject: [PATCH 06/37] Named demo configuration the same as generated one --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a96d8ecbbb..59c4c6bf8a 100644 --- a/README.md +++ b/README.md @@ -50,10 +50,10 @@ This minimum file definition is fine to start with, if you need more control ove epicli init -p aws -n demo --full ``` -You will need to modify a few values (like your AWS secrets, directory path for SSH keys). Once you are done with `demo.yaml` you can start cluster deployment by executing: +You will need to modify a few values (like your AWS secrets, directory path for SSH keys). Once you are done with `demo.yml` you can start cluster deployment by executing: ```shell -epicli apply -f demo.yaml +epicli apply -f demo.yml ``` You will be asked for a password that will be used for encryption of some of build artifacts. More information [here](docs/home/howto/SECURITY.md#how-to-run-epicli-with-password) 
From 3f94597589d1906bc23786c0ac265130a36763fe Mon Sep 17 00:00:00 2001 From: TolikT Date: Fri, 7 Aug 2020 14:06:43 +0200 Subject: [PATCH 07/37] Added deletion step description --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 59c4c6bf8a..d85eb43fa0 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,11 @@ epicli backup -f -b epicli recovery -f -b ``` +To delete all deployed components following command should be used + +```shell +epicli delete -b +``` Find more information using table of contents below - especially the [How-to guides](docs/home/HOWTO.md). From 5cc61bfc456f51d61cf49adb04eda7caea984eeb Mon Sep 17 00:00:00 2001 From: TolikT Date: Fri, 7 Aug 2020 14:38:36 +0200 Subject: [PATCH 08/37] Added a note related to versions for upgrades --- docs/home/howto/UPGRADE.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/home/howto/UPGRADE.md b/docs/home/howto/UPGRADE.md index 48812f6279..946d35efab 100644 --- a/docs/home/howto/UPGRADE.md +++ b/docs/home/howto/UPGRADE.md 
@@ -4,10 +4,14 @@ From Epicli 0.4.2 and up the CLI has the ability to perform upgrades on certain components on a cluster. The components it currently can upgrade and will add are: +*Note: Since v0.7.0 Epiphany does not support K8s version uprades older than 1.14.6 (Epiphany v0.4.4). +There is an assertion to check whether K8s version is supported before running upgrade, +but upgrade for v0.3.1 is not possible due to the open [issue](https://github.com/epiphany-platform/epiphany/issues/1491).* + - Kubernetes (master and nodes): starting from version 1.14.6 to 1.18.6 -- common: Upgrades all common configurations to match them to Epiphany 0.4.2 -- repository: Adds the repository role needed for component installation in Epiphany 0.4.2 -- image_registry: Adds the image_registry role needed for offline installation in Epiphany 0.4.2 +- common: Upgrades all common configurations to match them to current Epiphany version +- repository: Adds the repository role needed for component installation in current Epiphany version +- image_registry: Adds the image_registry role needed for offline installation in current Epiphany version *Note: The component upgrade takes the existing Ansible build output and based on that performs the upgrade of the currently supported components. If you need to upgrade your entire Epiphany cluster a **manual** upgrade of the input yaml is needed to the latest specification which then should be applied with `epicli apply...` after the offline upgrade which is described here.* From fd7d82ae8f5b2b384c9554e581e34cc1dbfa6cd7 Mon Sep 17 00:00:00 2001 From: TolikT Date: Fri, 7 Aug 2020 14:40:20 +0200 Subject: [PATCH 09/37] Fixed syntax errors --- docs/home/howto/UPGRADE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/home/howto/UPGRADE.md b/docs/home/howto/UPGRADE.md index 946d35efab..766a6bc5ed 100644 --- a/docs/home/howto/UPGRADE.md +++ b/docs/home/howto/UPGRADE.md 
@@ -4,7 +4,7 @@ From Epicli 0.4.2 and up the CLI has the ability to perform upgrades on certain components on a cluster. The components it currently can upgrade and will add are: -*Note: Since v0.7.0 Epiphany does not support K8s version uprades older than 1.14.6 (Epiphany v0.4.4). +*Note: Since v0.7.0 Epiphany does not support k8s version upgrades older than 1.14.6 (Epiphany v0.4.4). There is an assertion to check whether K8s version is supported before running upgrade, but upgrade for v0.3.1 is not possible due to the open [issue](https://github.com/epiphany-platform/epiphany/issues/1491).* From 619a6a4b59de426c0cae0ab06543aab3b581c3e0 Mon Sep 17 00:00:00 2001 From: TolikT Date: Fri, 7 Aug 2020 14:47:07 +0200 Subject: [PATCH 10/37] Added prerequisites section in upgrade doc --- docs/home/howto/UPGRADE.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/home/howto/UPGRADE.md b/docs/home/howto/UPGRADE.md index 766a6bc5ed..2b0af18d9a 100644 --- a/docs/home/howto/UPGRADE.md +++ b/docs/home/howto/UPGRADE.md @@ -1,5 +1,12 @@ ## Upgrade +### Prerequisites + +Before k8s version upgrade make sure that deprecated API versions are not used: + +1. [v1.17](https://v1-17.docs.kubernetes.io/docs/setup/release/notes/#deprecations-and-removals) +2. [v1.18](https://v1-18.docs.kubernetes.io/docs/setup/release/notes/#deprecation) + ### Introduction From Epicli 0.4.2 and up the CLI has the ability to perform upgrades on certain components on a cluster. The components it currently can upgrade and will add are: From 01488cbba4f0683f6662b5c5e25726c3cce3fd30 Mon Sep 17 00:00:00 2001 From: TolikT Date: Fri, 7 Aug 2020 14:57:20 +0200 Subject: [PATCH 11/37] Added key encoding troubleshooting info --- docs/home/TROUBLESHOOTING.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/home/TROUBLESHOOTING.md b/docs/home/TROUBLESHOOTING.md index a5e7769889..09736bc621 100644 --- a/docs/home/TROUBLESHOOTING.md +++ b/docs/home/TROUBLESHOOTING.md 
@@ -6,12 +6,12 @@ When running the Epicli container on Windows you might get such errors when tryi Azure: ``` -12:28:39 INFO cli.engine.terraform.TerraformCommand - Error: Error reading queue properties for AzureRM Storage Account "cluster": queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: error response cannot be parsed: "\ufeffAuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:cba2935f-1003-006f-071d-db55f6000000\nTime:2020-02-04T05:38:45.4268197ZRequest date header too old: 'Fri, 31 Jan 2020 12:28:37 GMT'" error: invalid character 'ï' looking for beginning of value +INFO cli.engine.terraform.TerraformCommand - Error: Error reading queue properties for AzureRM Storage Account "cluster": queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: error response cannot be parsed: "\ufeffAuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:cba2935f-1003-006f-071d-db55f6000000\nTime:2020-02-04T05:38:45.4268197ZRequest date header too old: 'Fri, 31 Jan 2020 12:28:37 GMT'" error: invalid character 'ï' looking for beginning of value ``` AWS: ``` -19:50:14 ERROR epicli - An error occurred (AuthFailure) when calling the DescribeImages operation: AWS was not able to validate the provided access credentials +ERROR epicli - An error occurred (AuthFailure) when calling the DescribeImages operation: AWS was not able to validate the provided access credentials ``` These issues might occur when the host machine you are running the Epicli container on was put to sleep or hybernated for an extended period of time. Hyper-V might have issues syncing the time between the container and the host after it wakes up or is resumed. 
You can confirm this by checking the date and time in your container by running: @@ -28,6 +28,15 @@ Get-VMIntegrationService -VMName DockerDesktopVM -Name "Time Synchronization" | Get-VMIntegrationService -VMName DockerDesktopVM -Name "Time Synchronization" | Enable-VMIntegrationService ``` +Common: + +When public key is created by `ssh-keygen` sometimes it's necessary to convert it to utf-8 encoding. +Otherwise such error occurs: + +```text +ERROR epicli - 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte +``` + ## Kafka When running the Ansible automation there is a verification script called `kafka_producer_consumer.py` which creates a topic, produces messages and consumes messages. If the script fails for whatever reason then Ansible verification will report it as an error. An example of an issue is as follows: From c3295a087da096040d81114c17db65eb9b0e0b8e Mon Sep 17 00:00:00 2001 From: przemyslavic <43173646+przemyslavic@users.noreply.github.com> Date: Mon, 10 Aug 2020 12:40:28 +0200 Subject: [PATCH 12/37] Test fixes for RabbitMQ 3.8.3 (#1533) --- .../spec/applications/rabbitmq/rabbitmq.rb | 26 +++++++++++++------ .../tests/spec/rabbitmq/rabbitmq_spec.rb | 21 ++++++++++----- 2 files changed, 33 insertions(+), 14 deletions(-) diff --git a/core/src/epicli/data/common/tests/spec/applications/rabbitmq/rabbitmq.rb b/core/src/epicli/data/common/tests/spec/applications/rabbitmq/rabbitmq.rb index 660e38cc71..8888ba54ef 100644 --- a/core/src/epicli/data/common/tests/spec/applications/rabbitmq/rabbitmq.rb +++ b/core/src/epicli/data/common/tests/spec/applications/rabbitmq/rabbitmq.rb 
@@ -14,6 +14,7 @@ def callRabbitMQDeploymentTests service_namespace = readDataYaml("configuration/applications")["specification"]["applications"].detect {|i| i["name"] == 'rabbitmq'}["service"]["namespace"] service_name = readDataYaml("configuration/applications")["specification"]["applications"].detect {|i| i["name"] == 'rabbitmq'}["service"]["name"] plugins = readDataYaml("configuration/applications")["specification"]["applications"].detect {|i| i["name"] == 'rabbitmq'}["rabbitmq"]["plugins"] + version = readDataYaml("configuration/applications")["specification"]["applications"].detect {|i| i["name"] == 'rabbitmq'}["image_path"].split(':').last if !readDataYaml("configuration/applications")["specification"]["applications"].detect {|i| i["name"] == 'rabbitmq'}["rabbitmq"]["amqp_port"].nil? rabbitmq_amqp_port = readDataYaml("configuration/applications")["specification"]["applications"].detect {|i| i["name"] == 'rabbitmq'}["rabbitmq"]["amqp_port"] @@ -44,6 +45,15 @@ def callRabbitMQDeploymentTests end end + describe 'Checking RabbitMQ version' do + service_replicas.times do |i| + describe command("kubectl exec --namespace=#{service_namespace} #{service_name}-#{i} -- rabbitmqctl version") do + its(:stdout) { should match /^#{version}$/ } + its(:exit_status) { should eq 0 } + end + end + end + describe 'Checking RabbitMQ ping' do service_replicas.times do |i| describe command("kubectl exec --namespace=#{service_namespace} #{service_name}-#{i} -- rabbitmqctl ping") do @@ -68,7 +78,7 @@ def callRabbitMQDeploymentTests its(:exit_status) { should eq 0 } end describe command("kubectl exec --namespace=#{service_namespace} #{service_name}-#{i} -- rabbitmqctl cluster_status \ - | awk '/running_nodes/,/}/' | grep -o rabbit@ | wc -l") do + | sed -n '/Running Nodes/,/Versions/{/rabbit/p}' | wc -l") do it "is expected to be equal" do expect(subject.stdout.to_i).to eq service_replicas end 
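Review bot: In the added `Checking RabbitMQ version` block, `should match /^#{version}$/` interpolates the version into the regex unescaped, so each `.` matches any character and a different version string can satisfy the check. `should match /^#{Regexp.escape(version)}$/` pins the exact value. `version` is derived with `image_path.split(':').last`, which presumably returns something other than a version when the image path has no tag or ends in a digest; a comment stating that a tagged `image_path` is required would help. The same unescaped pattern is added in rabbitmq_spec.rb further down, and `callRabbitMQDeploymentTests` starts before and ends after these hunks.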
@@ -100,9 +110,9 @@ def callRabbitMQDeploymentTests end end end - end + end -# # Tests to be run only when RabbitMQ Management Plugin is enabled + # Tests to be run only when RabbitMQ Management Plugin is enabled if plugins.include? "rabbitmq_management" @@ -114,20 +124,20 @@ def callRabbitMQDeploymentTests describe command("kubectl describe service #{service_name} --namespace=#{service_namespace} | grep TargetPort") do its(:stdout) { should match /#{rabbitmq_http_port}/ } end - end + end describe 'Checking node health using RabbitMQ API' do service_replicas.times do |i| describe command("curl -o /dev/null -s -w '%{http_code}' -u #{user}#{i}:#{pass} \ #{host_inventory['hostname']}:#{service_management_port}/api/healthchecks/node/rabbit@$(kubectl describe pods rabbitmq-cluster-#{i} \ - --namespace=#{service_namespace} | grep ^IP: | awk '{print $2}')") do + --namespace=#{service_namespace} | awk '/^IP:/ {print $2}')") do it "is expected to be equal" do expect(subject.stdout.to_i).to eq 200 end end describe command("curl -u #{user}#{i}:#{pass} \ #{host_inventory['hostname']}:#{service_management_port}/api/healthchecks/node/rabbit@$(kubectl describe pods rabbitmq-cluster-#{i} \ - --namespace=#{service_namespace} | grep ^IP: | awk '{print $2}')") do + --namespace=#{service_namespace} | awk '/^IP:/ {print $2}')") do its(:stdout_as_json) { should include('status' => /ok/) } its(:stdout_as_json) { should_not include('status' => /failed/) } its(:exit_status) { should eq 0 } @@ -139,7 +149,7 @@ def callRabbitMQDeploymentTests end end end - end + end describe 'Cleaning up' do service_replicas.times do |i| @@ -150,4 +160,4 @@ def callRabbitMQDeploymentTests end end -end +end diff --git a/core/src/epicli/data/common/tests/spec/rabbitmq/rabbitmq_spec.rb b/core/src/epicli/data/common/tests/spec/rabbitmq/rabbitmq_spec.rb index 35469dc54e..1499d9c6c3 100644 --- a/core/src/epicli/data/common/tests/spec/rabbitmq/rabbitmq_spec.rb 
+++ b/core/src/epicli/data/common/tests/spec/rabbitmq/rabbitmq_spec.rb @@ -6,6 +6,7 @@ rabbitmq_node_port = rabbitmq_port + 20000 rabbitmq_api_port = 15672 clustered = readDataYaml("configuration/rabbitmq")["specification"]["cluster"]["is_clustered"] +version = readDataYaml("configuration/rabbitmq")["specification"]["version"] user = 'testuser' + SecureRandom.hex(5) pass = SecureRandom.hex @@ -40,7 +41,15 @@ describe port(rabbitmq_node_port) do it { should be_listening } end -end +end + +describe 'Checking RabbitMQ version' do + describe command("rabbitmqctl version") do + let(:disable_sudo) { false } + its(:stdout) { should match /^#{version}$/ } + its(:exit_status) { should eq 0 } + end +end describe 'Checking RabbitMQ ping' do describe command("rabbitmqctl ping") do @@ -48,7 +57,7 @@ its(:stdout) { should match /^Ping succeeded$/ } its(:exit_status) { should eq 0 } end -end +end describe 'Checking the health of the target nodes' do let(:disable_sudo) { false } @@ -76,13 +85,13 @@ if clustered listInventoryHosts("rabbitmq").each do |val| val = val.split(".")[0] - describe command("rabbitmqctl cluster_status | awk '/running_nodes/,/}/'") do + describe command("rabbitmqctl cluster_status | awk '/Running Nodes/,/Versions/'") do its(:stdout) { should match /rabbit@#{val}/ } its(:exit_status) { should eq 0 } end end else - describe command("rabbitmqctl cluster_status | awk '/running_nodes/,/}/'") do + describe command("rabbitmqctl cluster_status | awk '/Running Nodes/,/Versions/'") do its(:stdout) { should match /rabbit@#{host_inventory['hostname']}/ } its(:exit_status) { should eq 0 } end @@ -112,7 +121,7 @@ its(:exit_status) { should eq 0 } end end -end +end # Tests to be run only when RabbitMQ Management Plugin is enabled @@ -123,7 +132,7 @@ describe port(rabbitmq_api_port) do it { should be_listening } end - end + end describe 'Checking nodes health using RabbitMQ API' do let(:disable_sudo) { false } 
From 6801b3eb899261f93f95cbc6ce0d9f2fe2f652ea Mon Sep 17 00:00:00 2001 From: Tomasz Arendt Date: Mon, 10 Aug 2020 16:32:09 +0200 Subject: [PATCH 13/37] fix missing variable image rabbitmq --- .../roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml index cb6fe298c2..27577f93f5 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/kubernetes/reconfigure-rabbitmq-app.yml @@ -1,6 +1,8 @@ --- - name: k8s/master | Patch rabbitmq's statefulset include_tasks: utils/patch-statefulset.yml + vars: + image_regexp: 'rabbitmq:.*' - name: Delete rabbitmq pods after patching block: - name: after-patching | Get rabbitmq namespace From 9ffa891529f7f8ed0616afb1594c0082913f2138 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Zeidler?= <13080132+rafzei@users.noreply.github.com> Date: Tue, 11 Aug 2020 11:30:44 +0200 Subject: [PATCH 14/37] Add Kubernetes Dashboard to COMPONENTS.md (#1546) --- docs/home/COMPONENTS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/home/COMPONENTS.md b/docs/home/COMPONENTS.md index 822ab79c27..4bbe4043bb 100644 --- a/docs/home/COMPONENTS.md +++ b/docs/home/COMPONENTS.md 
@@ -7,6 +7,7 @@ Note that versions are default versions and can be changed in certain cases thro | Component | Version | Repo/Website | License | | ------------------------- | ------- | ----------------------------------------------------- | ----------------------------------------------------------------- | | Kubernetes | 1.18.6 | https://github.com/kubernetes/kubernetes | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) | +| Kubernetes Dashboard | 2.0.3 | https://github.com/kubernetes/dashboard | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) | | Calico | 3.15.0 | https://github.com/projectcalico/calico | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) | | Flannel | 0.12.0 | https://github.com/coreos/flannel/ | [Apache License](https://www.apache.org/licenses/LICENSE-1.0) | | Canal | 3.15.0 | https://github.com/projectcalico/calico | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) | From 2e4ce10ec4c900f73057bac144690e95ec6fa0a7 Mon Sep 17 00:00:00 2001 From: Luuk van Venrooij <11056665+seriva@users.noreply.github.com> Date: Tue, 11 Aug 2020 11:35:18 +0200 Subject: [PATCH 15/37] Update CHANGELOG-0.7.md Minor changes to changelog before release. --- CHANGELOG-0.7.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/CHANGELOG-0.7.md b/CHANGELOG-0.7.md index 4b4ad0658c..7b904524aa 100644 --- a/CHANGELOG-0.7.md +++ b/CHANGELOG-0.7.md 
@@ -1,11 +1,13 @@ # Changelog 0.7 -## [0.7.1] 2020-07-xx +## [0.7.1] 2020-08-xx ### Added - Minor logging improvements added while fixing issue [#1424](https://github.com/epiphany-platform/epiphany/issues/1424) - [#1438](https://github.com/epiphany-platform/epiphany/pull/1438) - Rename Terraform plugin vendor in VSCode recommendations +- [#1413](https://github.com/epiphany-platform/epiphany/issues/1413) - Set protocol for Vault only in one place in configuration +- [#1423](https://github.com/epiphany-platform/epiphany/issues/1423) - Error reading generated service principal ### Updated @@ -28,11 +30,6 @@ - [#1336](https://github.com/epiphany-platform/epiphany/issues/1336) - Deployment of version 0.7.0 failed on-prem (spec.hostname) - [#1394](https://github.com/epiphany-platform/epiphany/issues/1394) - Cannot access Kubernetes dashboard after upgrading -### Added - -- [#1413](https://github.com/epiphany-platform/epiphany/issues/1413) - Set protocol for Vault only in one place in configuration -- [#1423](https://github.com/epiphany-platform/epiphany/issues/1423) - Error reading generated service principal - ## [0.7.0] 2020-06-30 ### Added From 795a0ac19f11f0f45c47f7268961bd88ea1f3368 Mon Sep 17 00:00:00 2001 From: TolikT Date: Tue, 11 Aug 2020 14:36:43 +0200 Subject: [PATCH 16/37] Modified kubeadm config template with extra certificate SANs --- .../roles/kubernetes_master/templates/kubeadm-config.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 index c1f6f65cc2..805b82de7b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 
@@ -9,6 +9,8 @@ controlPlaneEndpoint: "localhost:3446" apiServer: timeoutForControlPlane: 4m0s + certSANs: + - {{ ansible_host }} extraArgs: # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ {% if specification.advanced.etcd_args.encrypted | bool %} encryption-provider-config: /etc/kubernetes/pki/etcd/etc-encryption.conf From 038133b49307acf4a82e19a0230ffe801716dd63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Zeidler?= <13080132+rafzei@users.noreply.github.com> Date: Wed, 12 Aug 2020 10:37:57 +0200 Subject: [PATCH 17/37] CHANGELOG-0.7.md update v0.7.1 release date (#1552) --- CHANGELOG-0.7.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG-0.7.md b/CHANGELOG-0.7.md index 7b904524aa..82643ea152 100644 --- a/CHANGELOG-0.7.md +++ b/CHANGELOG-0.7.md @@ -1,6 +1,6 @@ # Changelog 0.7 -## [0.7.1] 2020-08-xx +## [0.7.1] 2020-08-12 ### Added From 6b8a96e9d83d13c65fa8d79f1d9444bc5f9c3c0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Zeidler?= <13080132+rafzei@users.noreply.github.com> Date: Wed, 12 Aug 2020 16:20:53 +0200 Subject: [PATCH 18/37] Increment version string to 0.7.1 (#1554) --- core/src/epicli/cli/version.txt.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/epicli/cli/version.txt.py b/core/src/epicli/cli/version.txt.py index bcaffe19b5..7deb86fee4 100644 --- a/core/src/epicli/cli/version.txt.py +++ b/core/src/epicli/cli/version.txt.py @@ -1 +1 @@ -0.7.0 \ No newline at end of file +0.7.1 \ No newline at end of file From aa478555532900b68fb95dec5e716d0a905e5c8b Mon Sep 17 00:00:00 2001 
From: TolikT Date: Tue, 11 Aug 2020 14:56:23 +0200 Subject: [PATCH 19/37] Moved certificates related tasks into separate file --- .../tasks/apiserver-generate-certificates.yml | 30 +++++++++++++++++++ .../tasks/update-master.yml | 30 ++----------------- 2 files changed, 32 insertions(+), 28 deletions(-) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml new file mode 100644 index 0000000000..30dd8faaf3 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml @@ -0,0 +1,30 @@ +--- + +- name: Copy /etc/kubernetes/pki/apiserver.{crt,key} + copy: + dest: "{{ item }}.OLD" + src: "{{ item }}" + remote_src: true + loop: + - /etc/kubernetes/pki/apiserver.crt + - /etc/kubernetes/pki/apiserver.key + +- name: Delete /etc/kubernetes/pki/apiserver.{crt,key} + file: + path: "{{ item }}" + state: absent + loop: + - /etc/kubernetes/pki/apiserver.crt + - /etc/kubernetes/pki/apiserver.key + +- name: Render new certificates /etc/kubernetes/pki/apiserver.{crt,key} + shell: | + kubeadm init phase certs apiserver \ + --config /etc/kubeadm/kubeadm-config.yml + args: + executable: /bin/bash + creates: /etc/kubernetes/pki/apiserver.key + notify: + - Restart apiserver + +- meta: flush_handlers diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 04a0f6b0a9..6cbe614651 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml 
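Review bot: The `Copy /etc/kubernetes/pki/apiserver.{crt,key}` task writes a second copy of the API server private key to `apiserver.key.OLD` without stating who may read it. The task sets no `owner`, `group` or `mode`, so the backup's permissions depend on module behaviour rather than on this file; adding `owner: root`, `group: root` and `mode: "0600"` to the `copy` arguments pins them. The backup is also overwritten on every run, so after a second run it no longer holds the pre-change key pair, which is worth a comment above the task.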
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -41,34 +41,8 @@ content: >- {{ kubeadm_config | to_nice_yaml }} - - name: Copy /etc/kubernetes/pki/apiserver.{crt,key} - copy: - dest: "{{ item }}.OLD" - src: "{{ item }}" - remote_src: true - loop: - - /etc/kubernetes/pki/apiserver.crt - - /etc/kubernetes/pki/apiserver.key - - - name: Delete /etc/kubernetes/pki/apiserver.{crt,key} - file: - path: "{{ item }}" - state: absent - loop: - - /etc/kubernetes/pki/apiserver.crt - - /etc/kubernetes/pki/apiserver.key - - - name: Render new certificates /etc/kubernetes/pki/apiserver.{crt,key} - shell: | - kubeadm init phase certs apiserver \ - --config /etc/kubeadm/kubeadm-config.yml - args: - executable: /bin/bash - creates: /etc/kubernetes/pki/apiserver.key - notify: - - Restart apiserver - - - meta: flush_handlers + - name: Backup and generate apiserver certificates + include_tasks: apiserver-generate-certificates.yml - name: Update in-cluster configuration shell: | From b4fec6780aaae4573d1ccf183fc1ff9aa0970982 Mon Sep 17 00:00:00 2001 From: TolikT Date: Tue, 11 Aug 2020 15:08:02 +0200 Subject: [PATCH 20/37] Moved apiserver certificates part into separate role --- .../kubernetes_apiserver_certificates/handlers/main.yml | 9 +++++++++ .../tasks/main.yml} | 3 --- .../playbooks/roles/kubernetes_promote/handlers/main.yml | 9 --------- .../roles/kubernetes_promote/tasks/update-master.yml | 3 ++- 4 files changed, 11 insertions(+), 13 deletions(-) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml rename core/src/epicli/data/common/ansible/playbooks/roles/{kubernetes_promote/tasks/apiserver-generate-certificates.yml => kubernetes_apiserver_certificates/tasks/main.yml} (96%) 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml new file mode 100644 index 0000000000..c7cdd368eb --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: Restart apiserver + shell: | + docker ps \ + --filter 'name=kube-apiserver_kube-apiserver' \ + --format '{{ "{{.ID}}" }}' \ + | xargs --no-run-if-empty docker kill + args: + executable: /bin/bash diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/tasks/main.yml similarity index 96% rename from core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml rename to core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/tasks/main.yml index 30dd8faaf3..e4e7121bba 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/apiserver-generate-certificates.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/tasks/main.yml @@ -1,5 +1,4 @@ --- - - name: Copy /etc/kubernetes/pki/apiserver.{crt,key} copy: dest: "{{ item }}.OLD" @@ -26,5 +25,3 @@ creates: /etc/kubernetes/pki/apiserver.key notify: - Restart apiserver - -- meta: flush_handlers diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml index e080ddb5f5..eda1a4eeb0 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml 
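Review bot: Dropping `- meta: flush_handlers` in the last hunk of the renamed `tasks/main.yml` leaves the `Restart apiserver` notification pending until handlers are next flushed, so the caller's next task may run against an API server that still serves the old certificate. In `update-master.yml` the task that follows the include is `Update in-cluster configuration`, as the context lines of that file's hunk show. Either keep `- meta: flush_handlers` as the last task of the role, or add it directly after the `include_role` in the caller. The caller's task list starts outside the visible hunks, so the exact handler timing should be confirmed against the full play.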
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml @@ -1,13 +1,4 @@ --- -- name: Restart apiserver - shell: | - docker ps \ - --filter 'name=kube-apiserver_kube-apiserver' \ - --format '{{ "{{.ID}}" }}' \ - | xargs --no-run-if-empty docker kill - args: - executable: /bin/bash - - name: Restart controller-manager shell: | docker ps \ diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 6cbe614651..051fad127e 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -42,7 +42,8 @@ {{ kubeadm_config | to_nice_yaml }} - name: Backup and generate apiserver certificates - include_tasks: apiserver-generate-certificates.yml + include_role: + name: kubernetes_apiserver_certificates - name: Update in-cluster configuration shell: | From b39ca7cc895289a974c95db3df3cc5febed80ba5 Mon Sep 17 00:00:00 2001 From: TolikT Date: Tue, 11 Aug 2020 15:23:13 +0200 Subject: [PATCH 21/37] Apply new certificates if cluster was initially created without additional SANs --- .../playbooks/roles/kubernetes_master/tasks/master-init.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index 4cf122caf0..33ec4fae74 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml 
@@ -43,6 +43,11 @@ kubernetes_common: >- {{ kubernetes_common | default({}) | combine(set_fact, recursive=true) }} +- name: Backup and generate apiserver certificates + include_role: + name: kubernetes_apiserver_certificates + when: stat_kube_apiserver_yaml.stat.exists + - name: Include kubelet configuration tasks include_role: name: kubernetes_common From e392356acd406e6dcb3eb8035f2aadd9d6f1529a Mon Sep 17 00:00:00 2001 From: TolikT Date: Tue, 11 Aug 2020 15:26:12 +0200 Subject: [PATCH 22/37] Apply new certificates if promote_to_ha but cluster was initially created without additional SANs --- .../playbooks/roles/kubernetes_promote/tasks/update-master.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 051fad127e..33fc797d4c 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -34,6 +34,7 @@ certSANs: - localhost - 127.0.0.1 + - {{ ansible_host }} - name: Render /etc/kubeadm/kubeadm-config.yml copy: From a58aad4d4adb0551856ffbb96f6bfa5414981210 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 09:13:12 +0200 Subject: [PATCH 23/37] Added quotes for Ansible var --- .../playbooks/roles/kubernetes_promote/tasks/update-master.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 33fc797d4c..db3774b686 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml 
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -34,7 +34,7 @@ certSANs: - localhost - 127.0.0.1 - - {{ ansible_host }} + - "{{ ansible_host }}" - name: Render /etc/kubeadm/kubeadm-config.yml copy: From eab76c697dc733e490db77ec8598b0c4eecc4e50 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 09:58:17 +0200 Subject: [PATCH 24/37] Process all k8s master addresses --- .../roles/kubernetes_master/templates/kubeadm-config.yml.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 index 805b82de7b..92dcfdf2b9 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 @@ -10,7 +10,9 @@ controlPlaneEndpoint: "localhost:3446" apiServer: timeoutForControlPlane: 4m0s certSANs: - - {{ ansible_host }} +{% for host in groups['kubernetes_master'] %} + - {{ hostvars[host]['ansible_host'] }} +{% endfor %} extraArgs: # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ {% if specification.advanced.etcd_args.encrypted | bool %} encryption-provider-config: /etc/kubernetes/pki/etcd/etc-encryption.conf From 2e60eb01bcb0f9a11cf1830782762f14246f3657 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 13:16:19 +0200 Subject: [PATCH 25/37] Update kubeadm config before new certificates generation --- .../kubernetes_master/tasks/master-init.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index 33ec4fae74..826a2002b2 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml @@ -43,10 +43,21 @@ kubernetes_common: >- {{ kubernetes_common | default({}) | combine(set_fact, recursive=true) }} -- name: Backup and generate apiserver certificates - include_role: - name: kubernetes_apiserver_certificates + +- name: Regenerate apiserver certificates when: stat_kube_apiserver_yaml.stat.exists + block: + - name: Render kubeadm config + become: true + template: + src: kubeadm-config.yml.j2 + dest: /etc/kubeadm/kubeadm-config.yml + owner: root + group: root + mode: u=rw,go=r + - name: Backup and generate apiserver certificates + include_role: + name: kubernetes_apiserver_certificates - name: Include kubelet configuration tasks include_role: From 46589eaa3ce599c2af76396053d0f45c10066882 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 14:39:07 +0200 Subject: [PATCH 26/37] Moved k8s apiserver role to common role tasks --- .../handlers/main.yml | 9 --------- .../tasks/apiserver_certificates.yml} | 11 +++++++++-- .../roles/kubernetes_master/tasks/master-init.yml | 3 ++- .../roles/kubernetes_promote/tasks/update-master.yml | 3 ++- 4 files changed, 13 insertions(+), 13 deletions(-) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml rename core/src/epicli/data/common/ansible/playbooks/roles/{kubernetes_apiserver_certificates/tasks/main.yml => kubernetes_common/tasks/apiserver_certificates.yml} (75%) 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml deleted file mode 100644 index c7cdd368eb..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Restart apiserver - shell: | - docker ps \ - --filter 'name=kube-apiserver_kube-apiserver' \ - --format '{{ "{{.ID}}" }}' \ - | xargs --no-run-if-empty docker kill - args: - executable: /bin/bash diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml similarity index 75% rename from core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/tasks/main.yml rename to core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml index e4e7121bba..f2bcf3a9c4 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_apiserver_certificates/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml @@ -23,5 +23,12 @@ args: executable: /bin/bash creates: /etc/kubernetes/pki/apiserver.key - notify: - - Restart apiserver + +- name: Restart apiserver + shell: | + docker ps \ + --filter 'name=kube-apiserver_kube-apiserver' \ + --format '{{ "{{.ID}}" }}' \ + | xargs --no-run-if-empty docker kill + args: + executable: /bin/bash \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index 826a2002b2..92888b0515 100644 
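Review bot: The new `Restart apiserver` task kills the container and returns at once, so whatever runs next can reach the API server while it is still down or, if no container matched the filter, while nothing was restarted at all. Because the pipeline runs without `set -o pipefail`, a failing `docker ps` is also hidden behind the exit status of `xargs`. I would start the script with `set -o pipefail` and follow the task with a retried health check, sketched below; the retry values mirror the ones this series already uses for `upload-config`.

```yaml
# … unchanged: Restart apiserver task (with `set -o pipefail` as its first script line) …

- name: Wait for apiserver to answer again
  shell: kubectl get --raw /healthz
  environment:
    KUBECONFIG: /etc/kubernetes/admin.conf
  args:
    executable: /bin/bash
  register: apiserver_health
  until: apiserver_health is succeeded
  retries: 30
  delay: 10
  changed_when: false
```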
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml @@ -57,7 +57,8 @@ mode: u=rw,go=r - name: Backup and generate apiserver certificates include_role: - name: kubernetes_apiserver_certificates + name: kubernetes_common + tasks_from: apiserver_certificates - name: Include kubelet configuration tasks include_role: diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index db3774b686..56c910dd6b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -44,7 +44,8 @@ - name: Backup and generate apiserver certificates include_role: - name: kubernetes_apiserver_certificates + name: kubernetes_common + tasks_from: apiserver_certificates - name: Update in-cluster configuration shell: | From e01ae5feb93c65bee2b2e11fa5cc692be51e5e92 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 16:50:49 +0200 Subject: [PATCH 27/37] Update in-cluster kubeadm config each time certs generatad --- .../tasks/apiserver_certificates.yml | 13 ++++++++++++- .../kubernetes_promote/tasks/update-master.yml | 11 ----------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml index f2bcf3a9c4..8dc22bbb75 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml 
@@ -31,4 +31,15 @@ --format '{{ "{{.ID}}" }}' \ | xargs --no-run-if-empty docker kill args: - executable: /bin/bash \ No newline at end of file + executable: /bin/bash + +- name: Update in-cluster configuration + shell: | + kubeadm init phase upload-config kubeadm \ + --config /etc/kubeadm/kubeadm-config.yml + args: + executable: /bin/bash + register: upload_config + until: upload_config is succeeded + retries: 30 + delay: 10 \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 56c910dd6b..07a9134c8b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -47,17 +47,6 @@ name: kubernetes_common tasks_from: apiserver_certificates - - name: Update in-cluster configuration - shell: | - kubeadm init phase upload-config kubeadm \ - --config /etc/kubeadm/kubeadm-config.yml - args: - executable: /bin/bash - register: upload_config - until: upload_config is succeeded - retries: 30 - delay: 10 - - name: Update /etc/kubernetes/{controller-manager,scheduler,admin}.conf replace: path: "/etc/kubernetes/{{ item }}" From 21aa743f2a592e9fc3a11d2fad25825d67f0cca8 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 22:26:32 +0200 Subject: [PATCH 28/37] Placed in-cluster update to separate file in common role --- .../tasks/apiserver_certificates.yml | 11 ----------- .../tasks/update-in-cluster-config.yml | 11 +++++++++++ .../roles/kubernetes_master/tasks/master-init.yml | 4 ++++ .../roles/kubernetes_promote/tasks/update-master.yml | 5 +++++ 4 files changed, 20 insertions(+), 11 deletions(-) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/update-in-cluster-config.yml 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml index 8dc22bbb75..16adcf26ca 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml @@ -32,14 +32,3 @@ | xargs --no-run-if-empty docker kill args: executable: /bin/bash - -- name: Update in-cluster configuration - shell: | - kubeadm init phase upload-config kubeadm \ - --config /etc/kubeadm/kubeadm-config.yml - args: - executable: /bin/bash - register: upload_config - until: upload_config is succeeded - retries: 30 - delay: 10 \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/update-in-cluster-config.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/update-in-cluster-config.yml new file mode 100644 index 0000000000..c408baa11a --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/update-in-cluster-config.yml @@ -0,0 +1,11 @@ +--- +- name: Update in-cluster configuration + shell: | + kubeadm init phase upload-config kubeadm \ + --config /etc/kubeadm/kubeadm-config.yml + args: + executable: /bin/bash + register: upload_config + until: upload_config is succeeded + retries: 30 + delay: 10 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index 92888b0515..74c04b16cc 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml 
@@ -59,6 +59,10 @@ include_role: name: kubernetes_common tasks_from: apiserver_certificates + - name: Update in-cluster configuration + include_role: + name: kubernetes_common + tasks_from: update-in-cluster-config - name: Include kubelet configuration tasks include_role: diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 07a9134c8b..dd9834019d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -47,6 +47,11 @@ name: kubernetes_common tasks_from: apiserver_certificates + - name: Update in-cluster configuration + include_role: + name: kubernetes_common + tasks_from: update-in-cluster-config + - name: Update /etc/kubernetes/{controller-manager,scheduler,admin}.conf replace: path: "/etc/kubernetes/{{ item }}" From f68f6569b63f89b763419f219d78e0319f10b7b1 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 22:30:00 +0200 Subject: [PATCH 29/37] Added localhost to apiserver certificate san --- .../roles/kubernetes_master/templates/kubeadm-config.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 index 92dcfdf2b9..716fc9417e 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/templates/kubeadm-config.yml.j2 
@@ -10,6 +10,8 @@ controlPlaneEndpoint: "localhost:3446" apiServer: timeoutForControlPlane: 4m0s certSANs: + - localhost + - 127.0.0.1 {% for host in groups['kubernetes_master'] %} - {{ hostvars[host]['ansible_host'] }} {% endfor %} From fb911d4d6dc9278aa89bd84d8f085b15ce17cfa0 Mon Sep 17 00:00:00 2001 From: TolikT Date: Wed, 12 Aug 2020 22:34:17 +0200 Subject: [PATCH 30/37] Renamed apiserver certificates tasks file name according to common practice --- .../{apiserver_certificates.yml => apiserver-certificates.yml} | 0 .../playbooks/roles/kubernetes_master/tasks/master-init.yml | 2 +- .../playbooks/roles/kubernetes_promote/tasks/update-master.yml | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/{apiserver_certificates.yml => apiserver-certificates.yml} (100%) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver-certificates.yml similarity index 100% rename from core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver_certificates.yml rename to core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/apiserver-certificates.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index 74c04b16cc..f04694a154 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml 
@@ -58,7 +58,7 @@ - name: Backup and generate apiserver certificates include_role: name: kubernetes_common - tasks_from: apiserver_certificates + tasks_from: apiserver-certificates - name: Update in-cluster configuration include_role: name: kubernetes_common diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index dd9834019d..b92a6d343f 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -45,7 +45,7 @@ - name: Backup and generate apiserver certificates include_role: name: kubernetes_common - tasks_from: apiserver_certificates + tasks_from: apiserver-certificates - name: Update in-cluster configuration include_role: From 0afe894b26e3159d87ead9c07eae5938a17ac613 Mon Sep 17 00:00:00 2001 From: TolikT Date: Thu, 13 Aug 2020 01:49:51 +0200 Subject: [PATCH 31/37] Update certifiates for non-designated automation masters --- .../kubernetes_master/tasks/master-join.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml index 0d874c482d..08d540efc0 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml 
@@ -37,6 +37,32 @@ set_fact: master_already_joined: true +- name: Regenerate apiserver certificates + when: kubernetes_common.master_already_joined + block: + - name: Retrieve latest kubeadm configmap content + shell: >- + kubectl -n kube-system + get configmap kubeadm-config + -o jsonpath='{.data.ClusterConfiguration}' + environment: + KUBECONFIG: /etc/kubernetes/admin.conf + args: + executable: /bin/bash + register: kubeadm_config + - name: Create kubeadm config + become: true + copy: + content: "{{ kubeadm_config.stdout }}" + dest: /etc/kubeadm/kubeadm-config.yml + owner: root + group: root + mode: u=rw,go=r + - name: Backup and generate apiserver certificates + include_role: + name: kubernetes_common + tasks_from: apiserver-certificates + - name: Include kubelet configuration tasks include_role: name: kubernetes_common From 881881160a3f74a1ae1db61d572b6e6025a2c190 Mon Sep 17 00:00:00 2001 From: TolikT Date: Thu, 13 Aug 2020 12:10:55 +0200 Subject: [PATCH 32/37] Added certificate update part in HA promotion --- .../roles/kubernetes_promote/tasks/update-master.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index b92a6d343f..0caddc8ab5 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml 
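Review bot: The `Create kubeadm config` task writes `kubeadm_config.stdout` to `/etc/kubeadm/kubeadm-config.yml` without checking that the lookup returned anything, and the included certificate tasks then delete `apiserver.crt` and `apiserver.key` before regenerating them from that file. A jsonpath query that matches nothing can exit successfully with empty output, in which case the node would be left with an empty config and, presumably, no serving key pair except the `.OLD` copies. Adding `failed_when: kubeadm_config.rc != 0 or kubeadm_config.stdout | trim | length == 0` and `changed_when: false` to the `Retrieve latest kubeadm configmap content` task stops the run before anything is removed.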
@@ -25,16 +25,16 @@ set_fact: kubeadm_config: >- {{ original | combine(update, recursive=true) }} + apiserver_cert_san: >- + {{ groups['kubernetes_master'] | map('extract', hostvars, ['ansible_host']) | list + [ 'localhost', '127.0.0.1' ] }} vars: original: >- {{ kubeadm_config.stdout | from_yaml }} update: controlPlaneEndpoint: localhost:3446 apiServer: - certSANs: - - localhost - - 127.0.0.1 - - "{{ ansible_host }}" + certSANs: >- + {{ apiserver_cert_san }} - name: Render /etc/kubeadm/kubeadm-config.yml copy: From 5e163df3223b4ca538bb7a47264d28abed0c6f36 Mon Sep 17 00:00:00 2001 From: TolikT Date: Thu, 13 Aug 2020 15:52:02 +0200 Subject: [PATCH 33/37] Removed duplicated parts and left a comment --- .../roles/kubernetes_master/tasks/main.yml | 29 ++++++++++++++++++- .../kubernetes_master/tasks/master-init.yml | 21 -------------- .../kubernetes_master/tasks/master-join.yml | 26 ----------------- .../tasks/update-master.yml | 10 ------- 4 files changed, 28 insertions(+), 58 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml index 6777864189..1fcc67f10f 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml @@ -15,7 +15,8 @@ - import_tasks: registry-secrets.yml - import_tasks: copy-kubernetes-pki.yml -- when: use_ha_control_plane +- name: Join Kubernetes master + when: use_ha_control_plane block: - name: Join Kubernetes HA master when: kubernetes_common.automation_designated_master != inventory_hostname 
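Review bot: `update.apiServer.certSANs` reads `apiserver_cert_san`, but that name is only being assigned by this same `set_fact` task. Task arguments are templated before any fact is stored, so on a first run the reference is likely to be undefined, and on a later run it would pick up the value left by the previous one. Moving the expression under `vars:` next to `original` and `update`, as `apiserver_cert_san: "{{ groups['kubernetes_master'] | map('extract', hostvars, ['ansible_host']) | list + ['localhost', '127.0.0.1'] }}"`, and dropping it from `set_fact` unless another task needs the fact, avoids the ordering problem. The task begins above the hunk, so its name and the source of `kubeadm_config.stdout` are not visible here.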
@@ -23,6 +24,32 @@ - import_tasks: copy-kubernetes-pki.yml - import_tasks: master-join.yml +- name: Regenerate apiserver certificates +# It's always necessary to regenerate certificates for designated and non-designated masters +# because of a few points: +# a. Update certificates for old clusters have to be supported +# b. Execution order is not defined, so when cluster is promoted to HA, +# non-designated masters may join cluster before designated master's certificate update + block: + - name: Render kubeadm config + become: true + template: + src: kubeadm-config.yml.j2 + dest: /etc/kubeadm/kubeadm-config.yml + owner: root + group: root + mode: u=rw,go=r + - name: Backup and generate apiserver certificates + include_role: + name: kubernetes_common + tasks_from: apiserver-certificates + +- name: Update in-cluster configuration + when: kubernetes_common.automation_designated_master == inventory_hostname + include_role: + name: kubernetes_common + tasks_from: update-in-cluster-config + - import_tasks: master-untaint.yml - include_tasks: "{{ specification.provider }}/kubernetes-storage.yml" diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index f04694a154..4cf122caf0 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml 
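Review bot: The `Regenerate apiserver certificates` block has no `when`, so every playbook run on every master deletes the API server key pair, issues a new one and kills the `kube-apiserver` container, even when the certificate already carries all required SANs. The comment explains why both designated and non-designated masters must be covered, but not why the rotation has to be unconditional. A read-only check of the current certificate's subject alternative names, registered before the block, would let it be gated with something like `when: apiserver_cert_needs_update` (placeholder name for the fact that check sets). If unconditional rotation is intended, say so in the comment, e.g. `# Runs on every apply: the key pair is reissued and the apiserver restarted each time`.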
@@ -43,27 +43,6 @@ kubernetes_common: >- {{ kubernetes_common | default({}) | combine(set_fact, recursive=true) }} - -- name: Regenerate apiserver certificates - when: stat_kube_apiserver_yaml.stat.exists - block: - - name: Render kubeadm config - become: true - template: - src: kubeadm-config.yml.j2 - dest: /etc/kubeadm/kubeadm-config.yml - owner: root - group: root - mode: u=rw,go=r - - name: Backup and generate apiserver certificates - include_role: - name: kubernetes_common - tasks_from: apiserver-certificates - - name: Update in-cluster configuration - include_role: - name: kubernetes_common - tasks_from: update-in-cluster-config - - name: Include kubelet configuration tasks include_role: name: kubernetes_common diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml index 08d540efc0..0d874c482d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-join.yml @@ -37,32 +37,6 @@ set_fact: master_already_joined: true -- name: Regenerate apiserver certificates - when: kubernetes_common.master_already_joined - block: - - name: Retrieve latest kubeadm configmap content - shell: >- - kubectl -n kube-system - get configmap kubeadm-config - -o jsonpath='{.data.ClusterConfiguration}' - environment: - KUBECONFIG: /etc/kubernetes/admin.conf - args: - executable: /bin/bash - register: kubeadm_config - - name: Create kubeadm config - become: true - copy: - content: "{{ kubeadm_config.stdout }}" - dest: /etc/kubeadm/kubeadm-config.yml - owner: root - group: root - mode: u=rw,go=r - - name: Backup and generate apiserver certificates - include_role: - name: kubernetes_common - tasks_from: apiserver-certificates - - name: Include kubelet configuration tasks include_role: name: kubernetes_common 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 0caddc8ab5..29102e2df1 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -25,16 +25,11 @@ set_fact: kubeadm_config: >- {{ original | combine(update, recursive=true) }} - apiserver_cert_san: >- - {{ groups['kubernetes_master'] | map('extract', hostvars, ['ansible_host']) | list + [ 'localhost', '127.0.0.1' ] }} vars: original: >- {{ kubeadm_config.stdout | from_yaml }} update: controlPlaneEndpoint: localhost:3446 - apiServer: - certSANs: >- - {{ apiserver_cert_san }} - name: Render /etc/kubeadm/kubeadm-config.yml copy: @@ -42,11 +37,6 @@ content: >- {{ kubeadm_config | to_nice_yaml }} - - name: Backup and generate apiserver certificates - include_role: - name: kubernetes_common - tasks_from: apiserver-certificates - - name: Update in-cluster configuration include_role: name: kubernetes_common From 5900f51e7b290e41e0a630344d2d0cad915d8ece Mon Sep 17 00:00:00 2001 From: TolikT Date: Sat, 15 Aug 2020 01:44:14 +0200 Subject: [PATCH 34/37] Use current kubeadm config instead of template processing --- .../tasks/extend-kubeadm-config.yml | 29 +++++++++++++++++++ .../roles/kubernetes_master/tasks/main.yml | 26 +++++++++++------ .../kubernetes_master/tasks/master-init.yml | 4 +++ .../tasks/update-master.yml | 29 ++----------------- 4 files changed, 53 insertions(+), 35 deletions(-) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/extend-kubeadm-config.yml 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/extend-kubeadm-config.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/extend-kubeadm-config.yml new file mode 100644 index 0000000000..140722fb6e --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/extend-kubeadm-config.yml @@ -0,0 +1,29 @@ +--- +- name: Collect kubeadm-config + shell: | + kubectl get configmap kubeadm-config \ + --namespace kube-system \ + --output jsonpath={{ jsonpath }} + vars: + jsonpath: >- + '{.data.ClusterConfiguration}' + environment: + KUBECONFIG: /etc/kubernetes/admin.conf + args: + executable: /bin/bash + register: kubeadm_config + changed_when: false + +- name: Extend kubeadm config + set_fact: + kubeadm_config: >- + {{ original | combine(update, recursive=true) }} + vars: + original: >- + {{ kubeadm_config.stdout | from_yaml }} + +- name: Render /etc/kubeadm/kubeadm-config.yml + copy: + dest: /etc/kubeadm/kubeadm-config.yml + content: >- + {{ kubeadm_config | to_nice_yaml }} diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml index 1fcc67f10f..993669f456 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Set is_first_deployment fact + set_fact: + is_first_deployment: false + - when: use_ha_control_plane block: - name: Configure internal load-balancer (HAProxy) 
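Review bot: The `Render /etc/kubeadm/kubeadm-config.yml` task in the new extend-kubeadm-config.yml writes the file with no `owner`, `group` or `mode`, so its permissions depend on the umask and on whichever user the including play runs as. The `template` task that this series removes from kubernetes_master/tasks/main.yml pinned them, and I would carry that over to the `copy` with `owner: root`, `group: root` and `mode: u=rw,go=r`. The `Extend kubeadm config` task also reads `update` without declaring it, so a caller that omits the variable fails with an undefined-variable error. Either `combine(update | default({}), recursive=true)` or a short header comment naming `update` as the required input would make the contract explicit.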
@@ -25,20 +29,24 @@ - import_tasks: master-join.yml - name: Regenerate apiserver certificates -# It's always necessary to regenerate certificates for designated and non-designated masters + when: kubernetes_common.automation_designated_master != inventory_hostname or not is_first_deployment +# It's almost always necessary to regenerate certificates for designated and non-designated masters # because of a few points: # a. Update certificates for old clusters have to be supported # b. Execution order is not defined, so when cluster is promoted to HA, # non-designated masters may join cluster before designated master's certificate update block: - - name: Render kubeadm config - become: true - template: - src: kubeadm-config.yml.j2 - dest: /etc/kubeadm/kubeadm-config.yml - owner: root - group: root - mode: u=rw,go=r + - name: Extend kubeadm config + vars: + update: + apiServer: + certSANs: >- + {{ groups['kubernetes_master'] | map('extract', hostvars, ['ansible_host']) | list + + [ 'localhost', '127.0.0.1' ] }} + include_role: + name: kubernetes_common + tasks_from: extend-kubeadm-config + - name: Backup and generate apiserver certificates include_role: name: kubernetes_common diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml index 4cf122caf0..2fefbe0628 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/master-init.yml @@ -11,6 +11,10 @@ - when: not stat_kube_apiserver_yaml.stat.exists block: + - name: Set is_first_deployment fact + set_fact: + is_first_deployment: true + - name: Ensure /etc/kubeadm/ directory exists file: path: /etc/kubeadm/ 
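Review bot: The `certSANs` list passed as `update` in the `Extend kubeadm config` task replaces the list already stored in the cluster's ClusterConfiguration instead of adding to it, because `combine(..., recursive=true)` merges nested mappings but, as far as I know, not lists. Any SAN that is in the ConfigMap today but is not one of the `groups['kubernetes_master']` hosts, `localhost` or `127.0.0.1` (an external load-balancer name, for instance) would be missing from the regenerated apiserver certificate, and clients using that name would then fail TLS verification. Building the union inside extend-kubeadm-config.yml, where `original` is in scope, avoids this; as a sketch, `(original.apiServer.certSANs | default([])) | union(update.apiServer.certSANs)`.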
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml index 29102e2df1..2b046fd8fb 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_promote/tasks/update-master.yml @@ -6,36 +6,13 @@ - when: promote_to_ha and (not kubernetes_promote.kubernetes_already_ha) block: - - name: Collect kubeadm-config - shell: | - kubectl get configmap kubeadm-config \ - --namespace kube-system \ - --output jsonpath={{ jsonpath }} - vars: - jsonpath: >- - '{.data.ClusterConfiguration}' - environment: - KUBECONFIG: /etc/kubernetes/admin.conf - args: - executable: /bin/bash - register: kubeadm_config - changed_when: false - - name: Extend kubeadm config - set_fact: - kubeadm_config: >- - {{ original | combine(update, recursive=true) }} vars: - original: >- - {{ kubeadm_config.stdout | from_yaml }} update: controlPlaneEndpoint: localhost:3446 - - - name: Render /etc/kubeadm/kubeadm-config.yml - copy: - dest: /etc/kubeadm/kubeadm-config.yml - content: >- - {{ kubeadm_config | to_nice_yaml }} + include_role: + name: kubernetes_common + tasks_from: extend-kubeadm-config - name: Update in-cluster configuration include_role: From 577bd6722f352ca77579169f6083367bd5411a49 Mon Sep 17 00:00:00 2001 
From: rafzei <13080132+rafzei@users.noreply.github.com> Date: Thu, 6 Aug 2020 20:25:36 +0200 Subject: [PATCH 35/37] Upgrade Filebeat to version 7.8.1 --- .../roles/filebeat/defaults/main.yml | 2 +- .../roles/filebeat/templates/filebeat.yml.j2 | 104 ++++++++++++++---- .../centos-7/requirements.txt | 2 +- .../redhat-7/requirements.txt | 2 +- .../ubuntu-18.04/requirements.txt | 2 +- .../roles/upgrade/tasks/filebeat.yml | 38 ++----- .../data/common/ansible/playbooks/upgrade.yml | 16 ++- .../defaults/configuration/filebeat.yml | 2 +- 8 files changed, 103 insertions(+), 65 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml index 469837f5d4..b3f2ea449d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml @@ -1,3 +1,3 @@ --- specification: - filebeat_version: "6.8.5" \ No newline at end of file + filebeat_version: "7.8.1" \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 index 357905a5f4..28868c237f 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 @@ -19,7 +19,7 @@ filebeat.inputs: - type: log enabled: true - # Paths (in alphabetical order) that should be crawled and fetched. Glob based paths. + # Paths that should be crawled and fetched. Glob based paths. paths: # - /var/log/audit/audit.log - /var/log/auth.log 
@@ -34,7 +34,7 @@ filebeat.inputs: - /var/log/secure - /var/log/syslog - # Exclude lines. A list of regular expressions to match. It drops the lines that are + # Exclude lines. A list of regular expressions to match. It drops the lines that are # matching any regular expression from the list. #exclude_lines: ['^DBG'] @@ -67,9 +67,10 @@ filebeat.inputs: # that was (not) matched before or after or as long as a pattern is not matched based on negate. # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after + {% if 'postgresql' in group_names %} -#--- PostgreSQL --- +# ============================== PostgreSQL ============================== # Filebeat postgresql module doesn't support custom log_line_prefix (without patching), see https://discuss.elastic.co/t/filebeats-with-postgresql-module-custom-log-line-prefix/204457 # Dedicated configuration to handle log messages spanning multiple lines. @@ -85,9 +86,10 @@ filebeat.inputs: negate: true match: after {% endif %} + {% if 'kubernetes_master' in group_names or 'kubernetes_node' in group_names %} -#--- Kubernetes --- +# ============================== Kubernetes ============================== # K8s metadata are fetched from Docker labels to not make Filebeat on worker nodes dependent on K8s master # since Filebeat should start even if K8s master is not available. @@ -112,7 +114,7 @@ filebeat.inputs: - docker # Drop all fields added by 'add_docker_metadata' that were not renamed {% endif %} -#============================= Filebeat modules =============================== +# ============================== Filebeat modules ============================== filebeat.config.modules: # Glob pattern for configuration loading 
@@ -124,14 +126,14 @@ filebeat.config.modules: # Period on which files under path should be checked for changes #reload.period: 10s -#==================== Elasticsearch template setting ========================== +# ======================= Elasticsearch template setting ======================= setup.template.settings: index.number_of_shards: 3 #index.codec: best_compression #_source.enabled: false -#================================ General ===================================== +# ================================== General =================================== # The name of the shipper that publishes the network data. It can be used to group # all the transactions sent by a single shipper in the web interface. @@ -147,11 +149,11 @@ setup.template.settings: # env: staging -#============================== Dashboards ===================================== +# ================================= Dashboards ================================= # These settings control loading the sample dashboards to the Kibana index. Loading # the dashboards is disabled by default and can be enabled either by setting the -# options here, or by using the `-setup` CLI flag or the `setup` command. -#setup.dashboards.enabled: true +# options here or by using the `setup` command. +#setup.dashboards.enabled: false # The URL from where to download the dashboards archive. By default this URL # has a value which is computed based on the Beat name and version. For released 
@@ -159,6 +161,42 @@ setup.template.settings: # website. #setup.dashboards.url: +# ====================== Index Lifecycle Management (ILM) ====================== + +# Configure index lifecycle management (ILM). These settings create a write +# alias and add additional settings to the index template. When ILM is enabled, +# output.elasticsearch.index is ignored, and the write alias is used to set the +# index name. + +# Enable ILM support. Valid values are true, false, and auto. When set to auto +# (the default), the Beat uses index lifecycle management when it connects to a +# cluster that supports ILM; otherwise, it creates daily indices. +# Disabled because ILM is not enabled by default in Epiphany +setup.ilm.enabled: false + +# Set the prefix used in the index lifecycle write alias name. The default alias +# name is 'filebeat-%{[agent.version]}'. +#setup.ilm.rollover_alias: 'filebeat' + +# Set the rollover index pattern. The default is "%{now/d}-000001". +#setup.ilm.pattern: "{now/d}-000001" + +# Set the lifecycle policy name. The default policy name is +# 'beatname'. +#setup.ilm.policy_name: "mypolicy" + +# The path to a JSON file that contains a lifecycle policy configuration. Used +# to load your own lifecycle policy. +#setup.ilm.policy_file: + +# Disable the check for an existing lifecycle policy. The default is true. If +# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy +# can be installed. +#setup.ilm.check_exists: true + +# Overwrite the lifecycle policy at startup. The default is false. +#setup.ilm.overwrite: false + #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. 
@@ -182,9 +220,9 @@ setup.template.settings: # the Default Space will be used. #space.id: -#============================= Elastic Cloud ================================== +# =============================== Elastic Cloud ================================ -# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). +# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/). # The cloud.id setting overwrites the `output.elasticsearch.hosts` and # `setup.kibana.host` options. @@ -210,19 +248,24 @@ output.elasticsearch: - "https://{{hostvars[host]['ansible_hostname']}}:9200" {% endfor %} + # Protocol - either `http` (default) or `https`. protocol: "https" ssl.verification_mode: none username: logstash password: logstash {% else %} hosts: [] + # Protocol - either `http` (default) or `https`. #protocol: "https" + #ssl.verification_mode: none + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" #username: "elastic" #password: "changeme" {% endif %} -#----------------------------- Logstash output -------------------------------- +# ------------------------------ Logstash Output ------------------------------- #output.logstash: # The Logstash hosts #hosts: ["localhost:5044"] 
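Review bot: The `output.elasticsearch` branch kept by the `@@ -210,19 +248,24 @@` hunk still sets `ssl.verification_mode: none` next to the literal `username: logstash` / `password: logstash`. Filebeat 7.8.1 will therefore send those credentials, and the auth and syslog lines it ships, to whatever host answers on port 9200 without checking its certificate. Since this commit already reworks the section, I would point `ssl.certificate_authorities` at the cluster CA, use `ssl.verification_mode: full`, and take the user and password from the role's specification instead of literals in the template. The newly added commented example `#ssl.verification_mode: none` in the `else` branch suggests the same setting to operators and is better left out or shown as `full`. The `output.elasticsearch` mapping starts above this hunk.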
@@ -237,15 +280,17 @@ output.elasticsearch: # Client Certificate Key #ssl.key: "/etc/pki/client/cert.key" -#================================ Processors ===================================== +# ================================= Processors ================================= # Configure processors to enhance or manipulate events generated by the beat. processors: #- add_host_metadata: ~ - add_cloud_metadata: ~ + #- add_docker_metadata: ~ + #- add_kubernetes_metadata: ~ -#================================ Logging ===================================== +# ================================== Logging =================================== # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug 
@@ -256,17 +301,30 @@ processors: # "publish", "service". #logging.selectors: ["*"] -#============================== Xpack Monitoring =============================== -# filebeat can export internal metrics to a central Elasticsearch monitoring +# ============================= X-Pack Monitoring ============================== +# Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # reporting is disabled by default. # Set to true to enable the monitoring reporter. -#xpack.monitoring.enabled: false +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: # Uncomment to send the metrics to Elasticsearch. Most settings from the -# Elasticsearch output are accepted here as well. Any setting that is not set is -# automatically inherited from the Elasticsearch output configuration, so if you -# have the Elasticsearch output configured, you can simply uncomment the -# following line. -#xpack.monitoring.elasticsearch: +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ================================= Migration ================================== + +# Enable the compatibility layer for Elastic Common Schema (ECS) fields. +# This allows to enable 6 > 7 migration aliases. +#migration.6_to_7.enabled: true \ No newline at end of file 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt index fd4dfbc139..996dd8f2da 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt @@ -36,7 +36,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-6.8.5 # actually it's filebeat-oss +filebeat-7.8.1 # actually it's filebeat-oss firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt index ebb731c231..f527d4f20b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt @@ -35,7 +35,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-6.8.5 # actually it's filebeat-oss +filebeat-7.8.1 # actually it's filebeat-oss firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt index 1bd5ae303b..3cd962a281 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt 
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt @@ -17,7 +17,7 @@ elasticsearch-oss 6.8.5 elasticsearch-oss 7.3.2 erlang-nox ethtool -filebeat 6.8.5 +filebeat 7.8.1 firewalld fping gnupg2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml index e15bbb1e79..28968937c6 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/upgrade/tasks/filebeat.yml @@ -1,16 +1,16 @@ --- -- name: Get information about installed packages as facts +- name: Filebeat | Get information about installed packages as facts package_facts: manager: auto when: ansible_facts.packages is undefined -- name: Test if filebeat package is installed +- name: Filebeat | Test if filebeat package is installed assert: that: ansible_facts.packages['filebeat'] is defined fail_msg: filebeat package not found, nothing to update quiet: true -- name: Print filebeat versions +- name: Filebeat | Print versions debug: msg: - "Installed version: {{ ansible_facts.packages['filebeat'][0].version }}" 
@@ -18,29 +18,11 @@ - name: Update Filebeat block: - - name: Get values for filebeat.yml template from existing configuration - block: - - name: Load /etc/filebeat/filebeat.yml - slurp: - src: /etc/filebeat/filebeat.yml - register: filebeat_config_yml - - - name: Set filebeat.yml content as fact - set_fact: - filebeat_exisitng_config: "{{ filebeat_config_yml.content | b64decode | from_yaml }}" - - - name: Set value for output.elasticsearch.hosts - set_fact: - output_elasticsearch_hosts: "{{ filebeat_exisitng_config['output.elasticsearch'].hosts }}" - when: - - filebeat_exisitng_config['output.elasticsearch'].hosts is defined - - filebeat_exisitng_config['output.elasticsearch'].hosts | length > 0 - - - name: Set value for setup.kibana.host - set_fact: - setup_kibana_host: "{{ filebeat_exisitng_config['setup.kibana'].host }}" - when: - - filebeat_exisitng_config['setup.kibana'].host is defined + - name: Filebeat | Backup configuration file (filebeat.yml) + copy: + remote_src: yes + src: /etc/filebeat/filebeat.yml + dest: /etc/filebeat/filebeat.yml.bak_{{ ansible_facts.packages['filebeat'][0].version }} - import_role: name: filebeat @@ -52,6 +34,6 @@ - import_role: name: filebeat - tasks_from: configure-filebeat + tasks_from: configure-filebeat when: - - specification.filebeat_version is version(ansible_facts.packages['filebeat'][0].version, '>=') \ No newline at end of file + - specification.filebeat_version is version(ansible_facts.packages['filebeat'][0].version, '>=') diff --git a/core/src/epicli/data/common/ansible/playbooks/upgrade.yml b/core/src/epicli/data/common/ansible/playbooks/upgrade.yml index 2226c4a7d9..7f1b447064 100644 --- a/core/src/epicli/data/common/ansible/playbooks/upgrade.yml +++ b/core/src/epicli/data/common/ansible/playbooks/upgrade.yml 
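Review bot: The new `Filebeat | Backup configuration file (filebeat.yml)` task copies a file that holds the Elasticsearch `username`/`password` (see filebeat.yml.j2) without setting `mode`, `owner` or `group`, so the `.bak_<version>` copy may end up more widely readable than the original, depending on the umask. I would add `mode: u=rw,go=`, `owner: root` and `group: root` to the `copy`, and write `remote_src: true` rather than `yes`. The task also replaces the block that carried `output.elasticsearch.hosts` and `setup.kibana.host` over from the existing file, so hand-edited hosts now survive only in the backup; a comment on the task saying so would help whoever runs the upgrade.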
@@ -89,15 +89,13 @@ name: upgrade tasks_from: elasticsearch-curator -# Disabling Filebeat upgrade. This will be included in future releases. -# -# - hosts: filebeat -# become: true -# become_method: sudo -# tasks: -# - import_role: -# name: upgrade -# tasks_from: filebeat +- hosts: filebeat + become: true + become_method: sudo + tasks: + - import_role: + name: upgrade + tasks_from: filebeat - hosts: kafka serial: 1 diff --git a/core/src/epicli/data/common/defaults/configuration/filebeat.yml b/core/src/epicli/data/common/defaults/configuration/filebeat.yml index ad28e73d98..c5157d3178 100644 --- a/core/src/epicli/data/common/defaults/configuration/filebeat.yml +++ b/core/src/epicli/data/common/defaults/configuration/filebeat.yml @@ -2,4 +2,4 @@ kind: configuration/filebeat title: Filebeat name: default specification: - filebeat_version: "6.8.5" + filebeat_version: "7.8.1" From 3c4d35572ee1882738574f55a44a8af59d14f0a9 Mon Sep 17 00:00:00 2001 From: rafzei <13080132+rafzei@users.noreply.github.com> Date: Wed, 19 Aug 2020 08:32:53 +0200 Subject: [PATCH 36/37] Add CHANGELOG-0.8.md --- CHANGELOG-0.8.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 CHANGELOG-0.8.md diff --git a/CHANGELOG-0.8.md b/CHANGELOG-0.8.md new file mode 100644 index 0000000000..56198c5a68 --- /dev/null +++ b/CHANGELOG-0.8.md @@ -0,0 +1,11 @@ +# Changelog 0.8 + +## [0.8.0] 2020-09-xx + +### Added + +### Updated + +- [#846](https://github.com/epiphany-platform/epiphany/issues/846) - Update Filebeat to v7.8.1 + +### Fixed From 0da7fc2c7e290de8c357bcea974fc4a64a381ef3 Mon Sep 17 00:00:00 2001 
From: rafzei <13080132+rafzei@users.noreply.github.com> Date: Wed, 19 Aug 2020 08:38:41 +0200 Subject: [PATCH 37/37] Changes after review --- .../common/ansible/playbooks/roles/filebeat/defaults/main.yml | 2 +- .../ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 | 2 +- .../files/download-requirements/centos-7/requirements.txt | 2 +- .../files/download-requirements/redhat-7/requirements.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml index b3f2ea449d..f2b363d11a 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/defaults/main.yml @@ -1,3 +1,3 @@ --- specification: - filebeat_version: "7.8.1" \ No newline at end of file + filebeat_version: "7.8.1" diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 index 28868c237f..f77aa5da33 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 @@ -327,4 +327,4 @@ processors: # Enable the compatibility layer for Elastic Common Schema (ECS) fields. # This allows to enable 6 > 7 migration aliases. -#migration.6_to_7.enabled: true \ No newline at end of file +#migration.6_to_7.enabled: true diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt index 996dd8f2da..48596b6f7e 100644 
--- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt @@ -36,7 +36,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-7.8.1 # actually it's filebeat-oss +filebeat-7.8.1 firewalld fontconfig # for grafana fping diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt index f527d4f20b..9c8785f036 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt @@ -35,7 +35,7 @@ elasticsearch-oss-6.8.5 elasticsearch-oss-7.3.2 # Open Distro for Elasticsearch erlang-21.3.8.7 ethtool -filebeat-7.8.1 # actually it's filebeat-oss +filebeat-7.8.1 firewalld fontconfig # for grafana fping