Changes after review

hitachienergy · Feb 10, 2022 · dada652 · dada652
1 parent 23fa6fc
commit dada652
Show file tree

Hide file tree

Showing 15 changed files with 54 additions and 47 deletions.
diff --git a/ansible/playbooks/roles/containerd/defaults/main.yml b/ansible/playbooks/roles/containerd/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+containerd_version: "1.4.12"
diff --git a/ansible/playbooks/roles/containerd/handlers/main.yml b/ansible/playbooks/roles/containerd/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: Restart Containerd
+- name: Restart containerd
   systemd:
     name: containerd
     state: restarted

diff --git a/ansible/playbooks/roles/containerd/tasks/configure-containerd.yml b/ansible/playbooks/roles/containerd/tasks/configure-containerd.yml
@@ -1,18 +1,18 @@
 ---
-- name: Create Containerd dir
+- name: Create containerd dir
   file:
     path: /etc/containerd
     state: directory
     owner: root
     group: root
     mode: u=rw,go=r
 
-- name: Provide Containerd config
+- name: Provide containerd config
   template:
     src: config.toml.j2
     dest: /etc/containerd/config.toml
     mode: u=rw,go=
     owner: root
     group: root
   notify:
-    - Restart Containerd
+    - Restart containerd
diff --git a/ansible/playbooks/roles/containerd/tasks/configure-prerequisites.yml b/ansible/playbooks/roles/containerd/tasks/configure-prerequisites.yml
@@ -8,7 +8,9 @@
     mode: u=rw,go=
 
 - name: Load modules
-  command: modprobe {{ item }}
+  modprobe:
+    name: "{{ item }}"
+    state: present
   loop:
     - overlay
     - br_netfilter
diff --git a/ansible/playbooks/roles/containerd/tasks/main.yml b/ansible/playbooks/roles/containerd/tasks/main.yml
@@ -1,4 +1,8 @@
 ---
+- name: Get information on installed packages
+  package_facts:
+  when: ansible_facts.packages is undefined
+
 - name: Remove Docker
   block:
   - name: Stop Kubelet before Docker removal
@@ -15,20 +19,28 @@
   when:
     - is_upgrade_run
     - inventory_hostname not in groups.image_registry
+    - ansible_facts.packages['docker-ce'] is defined
 
-- name: Install Containerd package
+- name: Install containerd package
   package:
-    name: containerd.io
+    name: "{{ _packages[ansible_os_family] }}"
     state: present
+  vars:
+    _packages:
+      Debian:
+        - containerd.io={{ containerd_version }}-*
+      RedHat:
+        - containerd.io-{{ containerd_version }}
   module_defaults:
     yum: { lock_timeout: "{{ yum_lock_timeout }}" }
 
 - name: Configure prerequisites
   include_tasks: configure-prerequisites.yml
 
-- name: Configure Containerd
+- name: Configure containerd
   include_tasks: configure-containerd.yml
 
+# To be replaced by filter plugin (https://github.com/epiphany-platform/epiphany/issues/2943)
 - name: Reconfigure kubelet args
   when: is_upgrade_run
   block:

diff --git a/ansible/playbooks/roles/containerd/templates/config.toml.j2 b/ansible/playbooks/roles/containerd/templates/config.toml.j2
@@ -55,7 +55,7 @@ oom_score = 0
     stream_idle_timeout = "4h0m0s"
     enable_selinux = false
     selinux_category_range = 1024
-    sandbox_image = "k8s.gcr.io/pause:3.2"
+    sandbox_image = "{{ image_registry_address }}/k8s.gcr.io/pause:3.5"
     stats_collect_period = 10
     systemd_cgroup = false
     enable_tls_streaming = false

diff --git a/ansible/playbooks/roles/filebeat/tasks/configure-filebeat.yml b/ansible/playbooks/roles/filebeat/tasks/configure-filebeat.yml
@@ -26,12 +26,13 @@
   register: modify_filebeat_yml
 
 - name: Append new field definition
+  when: k8s_as_cloud_service is not defined
   blockinfile:
     path: /etc/filebeat/fields.yml
     backup: true
     block: |2
       - key: containerd
-        title: "Containerd"
+        title: "containerd"
         description: >
           Reading data from containerd log filepath.
         short_config: true
@@ -41,13 +42,13 @@
             description: >
               Contains extra fields for containerd logs.
             fields:
-              - name: container.pod.name
+              - name: kubernetes.pod.name
                 type: text
                 format: string
-              - name: container.uuid
+              - name: kubernetes.namespace
                 type: text
                 format: string
-              - name: container.namespace
+              - name: container.id
                 type: text
                 format: string
 

diff --git a/ansible/playbooks/roles/filebeat/tasks/main.yml b/ansible/playbooks/roles/filebeat/tasks/main.yml
@@ -8,19 +8,13 @@
     name: opendistro_for_logging_vars
   when: groups.logging is defined
 
-- name: Filebeat as DaemonSet
+- name: Include installation tasks for Filebeat as DaemonSet for "k8s as cloud service"
+  include_tasks: install-filebeat-as-daemonset.yml
   when:
     - k8s_as_cloud_service is defined
     - k8s_as_cloud_service
     - groups.logging is defined
     - groups.logging | length > 0
-  block:
-    - name: Include installation tasks for Filebeat as DaemonSet for "k8s as cloud service"
-      include_tasks: install-filebeat-as-daemonset.yml
-
-    - name: Set fact filebeat_as_daemonset
-      set_fact:
-        filebeat_as_daemonset: true
 
 - name: Include auditd configuration tasks
   include_tasks: configure-auditd.yml

diff --git a/ansible/playbooks/roles/filebeat/templates/custom-chart-values.yml.j2 b/ansible/playbooks/roles/filebeat/templates/custom-chart-values.yml.j2
@@ -64,12 +64,10 @@ filebeatConfig:
 
       processors:
         - add_kubernetes_metadata:
-            in_cluster: {{ 'true' if filebeat_as_daemonset is defined else 'false' }}
-        - dissect:
-            tokenizer: "/var/log/containers/%{container.pod.name}_%{container.namespace}_%{container.uuid}.log"
-            field: "log.file.path"
-            target_prefix: ""
-            overwrite_keys: true
+          in_cluster: true
+          matchers:
+          - logs_path:
+              logs_path: "/var/log/containers/"
 {% endif %}
 
 {# -------------------------- Filebeat modules -------------------------- #}

diff --git a/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 b/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2
@@ -123,10 +123,8 @@ filebeat.inputs:
   {% endif %}
 
   processors:
-    - add_kubernetes_metadata:
-        in_cluster: {{ 'true' if filebeat_as_daemonset is defined else 'false' }}
     - dissect:
-        tokenizer: "/var/log/containers/%{container.pod.name}_%{container.namespace}_%{container.uuid}.log"
+        tokenizer: "/var/log/containers/%{kubernetes.pod.name}_%{kubernetes.namespace}_%{container.id}.log"
         field: "log.file.path"
         target_prefix: ""
         overwrite_keys: true

diff --git a/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml b/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
@@ -212,7 +212,7 @@
 - name: Restart systemd services
   when:
     - services_to_restart is defined
-    - services_to_restart | difference(['docker', 'kubelet']) | length == 0
+    - services_to_restart | difference(['containerd', 'kubelet']) | length == 0
   block:
     - name: Restart services
       systemd:

diff --git a/ansible/playbooks/roles/kubernetes_master/tasks/main.yml b/ansible/playbooks/roles/kubernetes_master/tasks/main.yml
@@ -86,10 +86,8 @@
         - name: Restart apiserver
           shell: |-
             set -o pipefail && \
-            docker ps \
-              --filter 'name=kube-apiserver_kube-apiserver' \
-              --format '{{ "{{.ID}}" }}' \
-            | xargs --no-run-if-empty docker kill
+            crictl ps --name='kube-apiserver' -q \
+            | xargs --no-run-if-empty crictl stop --timeout=0
           args:
             executable: /bin/bash
 
@@ -109,7 +107,7 @@
       vars:
         valid_days: "{{ specification.advanced.certificates.expiration_days }}"
         services_to_restart:
-          - docker
+          - containerd
       include_tasks: generate-certificates.yml
 
 # kubeadm-config.yml can appear not only on 'automation_designated_master' in 2 cases:

diff --git a/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml b/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml
@@ -1,16 +1,16 @@
 ---
 - name: Restart controller-manager
-  shell: |
-    crictl ps \
-      --name='kube-controller-manager' -q \
+  shell: >-
+    set -o pipefail &&
+    crictl ps --name='kube-controller-manager' -q \
     | xargs --no-run-if-empty crictl stop --timeout=0
   args:
     executable: /bin/bash
 
 - name: Restart scheduler
-  shell: |
-    crictl ps \
-      --name='kube-scheduler' -q \
+  shell: >-
+    set -o pipefail &&
+    crictl ps --name='kube-scheduler' -q \
     | xargs --no-run-if-empty crictl stop --timeout=0
   args:
     executable: /bin/bash
@@ -21,10 +21,10 @@
     state: restarted
 
 - name: Restart kube-proxy
-  shell: |
-    crictl ps \
-      --name='kube-proxy' -q \
-      | xargs --no-run-if-empty crictl stop --timeout=0
+  shell: >-
+    set -o pipefail &&
+    crictl ps --name='kube-proxy' -q \
+    | xargs --no-run-if-empty crictl stop --timeout=0
   args:
     executable: /bin/bash
 

diff --git a/docs/changelogs/CHANGELOG-2.0.md b/docs/changelogs/CHANGELOG-2.0.md
@@ -49,5 +49,7 @@
 ### Breaking changes
 
 - Upgrade of Terraform components in issue [#2825](https://github.com/epiphany-platform/epiphany/issues/2825) and [#2853](https://github.com/epiphany-platform/epiphany/issues/2853) will make running re-apply with infrastructure break on existing 1.x clusters. The advice is to deploy a new cluster and migrate data. If needed a manual upgrade path is described [here.](../home/howto/UPGRADE.md#terraform-upgrade-from-epiphany-1.x-to-2.x)
+- Kubernetes container runtime changed. Dockershim and Docker are no longer on Kubernetes hosts.
+- Filebeat docker input replaced by container input. New field provided for Filebeat as system service installation: container.id. Field kubernetes.container.name is no longer valid.
 
 ### Known issues
diff --git a/docs/home/COMPONENTS.md b/docs/home/COMPONENTS.md
@@ -9,7 +9,7 @@ Note that versions are default versions and can be changed in certain cases thro
 | Kubernetes                 | 1.22.4   | https://github.com/kubernetes/kubernetes              | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Kubernetes Dashboard       | 2.3.1    | https://github.com/kubernetes/dashboard               | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Kubernetes metrics-scraper | 1.0.7    | https://github.com/kubernetes-sigs/dashboard-metrics-scraper | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
-| Containerd                 | 1.4.12   | https://github.com/containerd/containerd | [Apache License 2.0](https://github.com/containerd/containerd/blob/main/LICENSE) |
+| containerd                 | 1.4.12   | https://github.com/containerd/containerd | [Apache License 2.0](https://github.com/containerd/containerd/blob/main/LICENSE) |
 | Calico                     | 3.20.3   | https://github.com/projectcalico/calico               | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Flannel                    | 0.14.0   | https://github.com/coreos/flannel/                    | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)     |
 | Canal                      | 3.20.3   | https://github.com/projectcalico/calico               | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |