From 9932bc76bb05a6c0dae2e9ce5bc2af440eaa3bb3 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 20 Jan 2018 03:31:51 +0100 Subject: use specific version of kubernetes and docker-ce --- group_vars/k8s-stream/vars.yml | 4 ++++ playbooks/k8s-stream.yaml | 8 +++++++- roles/docker/tasks/main.yaml | 9 ++++++++- roles/kubernetes-base/tasks/main.yaml | 14 ++++++++++++-- roles/kubernetes-net/tasks/main.yaml | 7 +++++++ roles/upgrade/tasks/main.yaml | 14 ++++++-------- 6 files changed, 44 insertions(+), 12 deletions(-) diff --git a/group_vars/k8s-stream/vars.yml b/group_vars/k8s-stream/vars.yml index c295948b..ef5f7a28 100644 --- a/group_vars/k8s-stream/vars.yml +++ b/group_vars/k8s-stream/vars.yml @@ -1,4 +1,8 @@ +docker_pkg_version: 17.03.2~ce-0~debian-stretch + kubernetes: + pkg_version: 1.9.2-00 + pod_ip_range: 172.18.0.0/16 pod_ip_range_size: 24 service_ip_range: 172.18.192.0/18 diff --git a/playbooks/k8s-stream.yaml b/playbooks/k8s-stream.yaml index 6292f24a..ff369435 100644 --- a/playbooks/k8s-stream.yaml +++ b/playbooks/k8s-stream.yaml @@ -2,8 +2,14 @@ - name: install kubernetes and overlay network hosts: k8s-stream roles: - - role: kubernetes-base + ## Since `base` has a dependency for docker it would install and start the daemon + ## without the docker daemon config file generated by `net`. + ## This means that the docker daemon will create a bridge and install iptables rules + ## upon first startup (the first time this playbook runs on a specific host). + ## Since it is a tedious task to remove the interface and the firewall rules it is much + ## easier to just run `net` before `base` as `net` does not need anything from `base`. - role: kubernetes-net + - role: kubernetes-base - name: configure kubernetes master hosts: k8s-stream-master diff --git a/roles/docker/tasks/main.yaml b/roles/docker/tasks/main.yaml index c07888f7..2604dead 100644 --- a/roles/docker/tasks/main.yaml +++ b/roles/docker/tasks/main.yaml 
@@ -39,5 +39,12 @@ - name: install docker apt: - name: docker-ce + name: "docker-ce{% if docker_pkg_version is defined %}={{ docker_pkg_version }}{% endif %}" state: present + force: yes + +- name: disable automatic upgrades for docker package + when: docker_pkg_version is defined + dpkg_selections: + name: docker-ce + selection: hold diff --git a/roles/kubernetes-base/tasks/main.yaml b/roles/kubernetes-base/tasks/main.yaml index e217b9c1..8badf984 100644 --- a/roles/kubernetes-base/tasks/main.yaml +++ b/roles/kubernetes-base/tasks/main.yaml @@ -38,13 +38,23 @@ filename: kubernetes - name: install basic kubernetes components + with_items: + - "kubelet{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}" + - "kubeadm{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}" + - "kubectl{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}" + apt: + name: "{{ item }}" + state: present + +- name: disable automatic upgrades for kubernetes components + when: kubernetes.pkg_version is defined with_items: - kubelet - kubeadm - kubectl - apt: + dpkg_selections: name: "{{ item }}" - state: present + selection: hold - name: add dummy group with gid 998 group: diff --git a/roles/kubernetes-net/tasks/main.yaml b/roles/kubernetes-net/tasks/main.yaml index 13384204..88f50fd8 100644 --- a/roles/kubernetes-net/tasks/main.yaml +++ b/roles/kubernetes-net/tasks/main.yaml @@ -1,4 +1,10 @@ --- +- name: create docker config directory + file: + name: /etc/docker + state: directory + mode: 0700 + - name: disable docker iptales and bridge copy: src: daemon.json @@ -77,6 +83,7 @@ template: src: kubenet-peer.service.j2 dest: "/etc/systemd/system/kubenet-peer-{{ item }}.service" + # TODO: notify restart for peers that change... - name: make sure kubenet peer services are started and enabled with_items: "{{ kubenet_peers_to_add }}" 
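Review bot: `force: yes` on the `install docker` task corresponds to apt-get's `--force-yes`, which does allow the downgrade to the pinned version but also lets apt install packages whose signatures cannot be verified. It is set unconditionally, so it applies even when `docker_pkg_version` is undefined and no pin is requested. If the only goal is to permit a downgrade, drop `force` and use `allow_downgrade: yes` on an Ansible release that provides it. Otherwise at least limit it to the pinned case with `force: "{{ docker_pkg_version is defined }}"`. The task list starts before this hunk, so the repository and key setup for docker-ce is not visible here.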
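Review bot: Once `disable automatic upgrades for kubernetes components` has put kubelet, kubeadm and kubectl on hold, the `install basic kubernetes components` task above it will most likely fail the next time `kubernetes.pkg_version` is bumped. apt-get refuses to change held packages under `-y` unless told otherwise, and unlike the docker role this task sets no override. A task that sets `selection: install` for the three packages before the install, when the installed version differs from the pin, would cover that. The hold also means these packages get no security fixes until the variable is raised by hand, which deserves a comment on the task, e.g. `# held: security updates only arrive when kubernetes.pkg_version is bumped`. The same `{% if %}` suffix is repeated three times and could be built once from a plain list of package names.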
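Review bot: `mode: 0700` on the new `create docker config directory` task relies on the YAML loader reading the bare literal as octal. Quoting it, `mode: "0700"`, is the form Ansible recommends and cannot be reinterpreted as a decimal number. The task also leaves ownership implicit; since the directory holds the daemon configuration, adding `owner: root` and `group: root` would state the intended access explicitly.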
diff --git a/roles/upgrade/tasks/main.yaml b/roles/upgrade/tasks/main.yaml index 60a921b7..df7360de 100644 --- a/roles/upgrade/tasks/main.yaml +++ b/roles/upgrade/tasks/main.yaml @@ -4,7 +4,8 @@ update_cache: yes - name: List packages to upgrade (1/2) - command: aptitude -q -F%p --disable-columns search "~U" + command: aptitude -q -F%p --disable-columns search '~U !~ahold' + check_mode: no register: updates changed_when: False failed_when: updates.rc != 0 and updates.rc != 1 @@ -16,10 +17,11 @@ - name: Upgrade packages apt: - upgrade: safe + upgrade: safe - name: List services to restart (1/2) shell: checkrestart | grep ^service | awk '{print $2}' + check_mode: no register: services changed_when: False @@ -28,11 +30,7 @@ msg: "{{ services.stdout_lines | count }} services to restart ({{ services.stdout_lines | join (', ') }})" when: services.stdout_lines -- name: clean apt-cache - command: apt-get clean - args: - warn: False - -- name: remove stale packages +- name: clean apt-cache and remove stale packages apt: + autoclean: yes autoremove: yes -- cgit v1.2.3
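Review bot: With `!~ahold` added to the search pattern, `List packages to upgrade (1/2)` no longer reports docker-ce or the kubernetes packages once they are held. A pending security update for a pinned package therefore disappears from the run output. I would keep the filter for the upgrade list but add a second, report-only listing with the pattern `'~U ~ahold'`, using the same `check_mode: no` and `changed_when: False` settings, so operators can see when a pin has fallen behind. The task that consumes `updates` lies outside this hunk.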
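Review bot: The merged task `clean apt-cache and remove stale packages` is not equivalent to the two tasks it replaces. `autoclean: yes` deletes only cached package files that can no longer be downloaded, whereas the removed `apt-get clean` emptied the cache completely. If emptying the cache was intended, keep the command task; otherwise rename the task to say that only obsolete archives are removed. Also confirm that the Ansible version in use treats `autoclean` and `autoremove` as separate actions in one task, because releases before 2.4 aliased one to the other.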