Remove the archived debian apt repository (#11220 )

Signed-off-by: Kay Yan <kay.yan@daocloud.io> Co-authored-by: Kay Yan <kay.yan@daocloud.io>
Fix kube_version in sample inventory (#11026 )
2026-06-02 17:47:57 +00:00 · 2024-05-21 04:28:05 -07:00 · 2024-05-03 02:20:40 -07:00 · 2024-02-06 06:06:16 -08:00 · 2024-02-05 07:46:01 -08:00 · 2024-01-22 17:23:25 +01:00
740 changed files with 15221 additions and 12588 deletions
@@ -7,18 +7,6 @@ skip_list:

  # These rules are intentionally skipped:
  #
-  # [E204]: "Lines should be no longer than 160 chars"
-  # This could be re-enabled with a major rewrite in the future.
-  # For now, there's not enough value gain from strictly limiting line length.
-  # (Disabled in May 2019)
-  - '204'
-
-  # [E701]: "meta/main.yml should contain relevant info"
-  # Roles in Kubespray are not intended to be used/imported by Ansible Galaxy.
-  # While it can be useful to have these metadata available, they are also available in the existing documentation.
-  # (Disabled in May 2019)
-  - '701'
-
  # [role-name] "meta/main.yml" Role name role-name does not match ``^+$`` pattern
  # Meta roles in Kubespray don't need proper names
  # (Disabled in June 2021)
@@ -28,3 +16,23 @@ skip_list:
  # In Kubespray we use variables that use camelCase to match their k8s counterparts
  # (Disabled in June 2021)
  - 'var-naming'
+
+  # [fqcn-builtins]
+  # Roles in kubespray don't need fully qualified collection names
+  # (Disabled in Feb 2023)
+  - 'fqcn-builtins'
+
+  # We use template in names
+  - 'name[template]'
+
+  # No changed-when on commands
+  # (Disabled in June 2023 after ansible upgrade; FIXME)
+  - 'no-changed-when'
+
+  # Disable run-once check with free strategy
+  # (Disabled in June 2023 after ansible upgrade; FIXME)
+  - 'run-once[task]'
+exclude_paths:
+  # Generated files
+  - tests/files/custom_cni/cilium.yaml
+  - venv
@@ -0,0 +1,8 @@
+# This file contains ignores rule violations for ansible-lint
+inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml jinja[spacing]
+roles/kubernetes/control-plane/defaults/main/kube-proxy.yml jinja[spacing]
+roles/kubernetes/control-plane/defaults/main/main.yml jinja[spacing]
+roles/kubernetes/kubeadm/defaults/main.yml jinja[spacing]
+roles/kubernetes/node/defaults/main.yml jinja[spacing]
+roles/kubernetes/preinstall/defaults/main.yml jinja[spacing]
+roles/kubespray-defaults/defaults/main.yaml jinja[spacing]
@@ -11,7 +11,8 @@ contrib/offline/offline-files.tar.gz
 .cache
 *.bak
 *.tfstate
-*.tfstate.backup
+*.tfstate*backup
+*.lock.hcl
 .terraform/
 contrib/terraform/aws/credentials.tfvars
 .terraform.lock.hcl
@@ -113,3 +114,7 @@ roles/**/molecule/**/__pycache__/
 # Temp location used by our scripts
 scripts/tmp/
 tmp.md
+
+# Ansible collection files
+kubernetes_sigs-kubespray*tar.gz
+ansible_collections
@@ -9,7 +9,7 @@ stages:
  - deploy-special

 variables:
-  KUBESPRAY_VERSION: v2.20.0
+  KUBESPRAY_VERSION: v2.22.1
  FAILFASTCI_NAMESPACE: 'kargo-ci'
  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
  ANSIBLE_FORCE_COLOR: "true"
@@ -33,16 +33,12 @@ variables:
  MITOGEN_ENABLE: "false"
  ANSIBLE_LOG_LEVEL: "-vv"
  RECOVER_CONTROL_PLANE_TEST: "false"
-  RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube_control_plane[1:]"
-  TERRAFORM_VERSION: 1.0.8
-  ANSIBLE_MAJOR_VERSION: "2.11"
+  RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:]:kube_control_plane[1:]"
+  TERRAFORM_VERSION: 1.3.7
  PIPELINE_IMAGE: "$CI_REGISTRY_IMAGE/pipeline:${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}"

 before_script:
  - ./tests/scripts/rebase.sh
-  - update-alternatives --install /usr/bin/python python /usr/bin/python3 1
-  - python -m pip uninstall -y ansible ansible-base ansible-core
-  - python -m pip install -r tests/requirements-${ANSIBLE_MAJOR_VERSION}.txt
  - mkdir -p /.ssh

 .job: &job
@@ -57,6 +53,7 @@ before_script:
 .testcases: &testcases
  <<: *job
  retry: 1
+  interruptible: true
  before_script:
    - update-alternatives --install /usr/bin/python python /usr/bin/python3 1
    - ./tests/scripts/rebase.sh
@@ -1,16 +1,40 @@
 ---
-pipeline image:
+.build:
  stage: build
-  image: docker:20.10.22-cli
+  image:
+    name: moby/buildkit:rootless
+    entrypoint: [""]
  variables:
-    DOCKER_TLS_CERTDIR: ""
-  services:
-    - name: docker:20.10.22-dind
-      # See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27300 for why this is required
-      command: ["--tls=false"]
+    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
  before_script:
-    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
+    - mkdir ~/.docker
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
+
+pipeline image:
+  extends: .build
  script:
-    # DOCKER_HOST is overwritten if we set it as a GitLab variable
-    - DOCKER_HOST=tcp://docker:2375; docker build --network host --file pipeline.Dockerfile --tag $PIPELINE_IMAGE .
-    - docker push $PIPELINE_IMAGE
+    - |
+      buildctl-daemonless.sh build \
+        --frontend=dockerfile.v0 \
+        --local context=. \
+        --local dockerfile=. \
+        --opt filename=./pipeline.Dockerfile \
+        --output type=image,name=$PIPELINE_IMAGE,push=true \
+        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache
+  rules:
+    - if: '$CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
+
+pipeline image and build cache:
+  extends: .build
+  script:
+    - |
+      buildctl-daemonless.sh build \
+        --frontend=dockerfile.v0 \
+        --local context=. \
+        --local dockerfile=. \
+        --opt filename=./pipeline.Dockerfile \
+        --output type=image,name=$PIPELINE_IMAGE,push=true \
+        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache \
+        --export-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache,mode=max
+  rules:
+    - if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
@@ -39,21 +39,34 @@ syntax-check:
    ANSIBLE_VERBOSITY: "3"
  script:
    - ansible-playbook --syntax-check cluster.yml
+    - ansible-playbook --syntax-check playbooks/cluster.yml
    - ansible-playbook --syntax-check upgrade-cluster.yml
+    - ansible-playbook --syntax-check playbooks/upgrade_cluster.yml
    - ansible-playbook --syntax-check reset.yml
+    - ansible-playbook --syntax-check playbooks/reset.yml
    - ansible-playbook --syntax-check extra_playbooks/upgrade-only-k8s.yml
  except: ['triggers', 'master']

+collection-build-install-sanity-check:
+  extends: .job
+  stage: unit-tests
+  tags: [light]
+  variables:
+    ANSIBLE_COLLECTIONS_PATH: "./ansible_collections"
+  script:
+    - ansible-galaxy collection build
+    - ansible-galaxy collection install kubernetes_sigs-kubespray-$(grep "^version:" galaxy.yml | awk '{print $2}').tar.gz
+    - ansible-galaxy collection list $(egrep -i '(name:\s+|namespace:\s+)' galaxy.yml | awk '{print $2}' | tr '\n' '.' | sed 's|\.$||g') | grep "^kubernetes_sigs.kubespray"
+    - test -f ansible_collections/kubernetes_sigs/kubespray/playbooks/cluster.yml
+    - test -f ansible_collections/kubernetes_sigs/kubespray/playbooks/reset.yml
+  except: ['triggers', 'master']
+
 tox-inventory-builder:
  stage: unit-tests
  tags: [light]
  extends: .job
  before_script:
    - ./tests/scripts/rebase.sh
-    - apt-get update && apt-get install -y python3-pip
-    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible ansible-base ansible-core
-    - python -m pip install -r tests/requirements.txt
  script:
    - pip3 install tox
    - cd contrib/inventory_builder && tox
@@ -75,6 +88,13 @@ check-readme-versions:
  script:
    - tests/scripts/check_readme_versions.sh

+check-galaxy-version:
+  stage: unit-tests
+  tags: [light]
+  image: python:3
+  script:
+    - tests/scripts/check_galaxy_version.sh
+
 check-typo:
  stage: unit-tests
  tags: [light]
@@ -9,10 +9,6 @@
  stage: deploy-part1
  before_script:
    - tests/scripts/rebase.sh
-    - apt-get update && apt-get install -y python3-pip
-    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible ansible-base ansible-core
-    - python -m pip install -r tests/requirements.txt
    - ./tests/scripts/vagrant_clean.sh
  script:
    - ./tests/scripts/molecule_run.sh
@@ -58,6 +54,7 @@ molecule_cri-o:
  stage: deploy-part2
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/cri-o
+  allow_failure: true
  when: on_success

 # Stage 3 container engines don't get as much attention so allow them to fail
@@ -23,50 +23,45 @@
  allow_failure: true
  extends: .packet

-# The ubuntu20-calico-aio jobs are meant as early stages to prevent running the full CI if something is horribly broken
-packet_ubuntu20-calico-aio:
+packet_cleanup_old:
+  stage: deploy-part1
+  extends: .packet_periodic
+  script:
+    - cd tests
+    - make cleanup-packet
+  after_script: []
+
+# The ubuntu20-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
+packet_ubuntu20-calico-all-in-one:
  stage: deploy-part1
  extends: .packet_pr
  when: on_success
  variables:
    RESET_CHECK: "true"

-packet_ubuntu20-calico-aio-ansible-2_11:
-  stage: deploy-part1
-  extends: .packet_periodic
-  when: on_success
-  variables:
-    ANSIBLE_MAJOR_VERSION: "2.11"
-    RESET_CHECK: "true"
-
 # ### PR JOBS PART2

-packet_ubuntu18-aio-docker:
+packet_ubuntu20-all-in-one-docker:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success

-packet_ubuntu20-aio-docker:
+packet_ubuntu20-calico-all-in-one-hardening:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success

-packet_ubuntu20-calico-aio-hardening:
+packet_ubuntu22-all-in-one-docker:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success

-packet_ubuntu18-calico-aio:
+packet_ubuntu22-calico-all-in-one:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success

-packet_ubuntu22-aio-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_ubuntu22-calico-aio:
+packet_ubuntu22-calico-etcd-datastore:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
@@ -80,8 +75,9 @@ packet_almalinux8-crio:
  extends: .packet_pr
  stage: deploy-part2
  when: on_success
+  allow_failure: true

-packet_ubuntu18-crio:
+packet_ubuntu20-crio:
  extends: .packet_pr
  stage: deploy-part2
  when: manual
@@ -91,17 +87,7 @@ packet_fedora37-crio:
  stage: deploy-part2
  when: manual

-packet_ubuntu16-canal-ha:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-
-packet_ubuntu16-canal-sep:
-  stage: deploy-special
-  extends: .packet_pr
-  when: manual
-
-packet_ubuntu16-flannel-ha:
+packet_ubuntu20-flannel-ha:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
@@ -131,6 +117,21 @@ packet_debian11-docker:
  extends: .packet_pr
  when: on_success

+packet_debian12-calico:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_debian12-docker:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: on_success
+
+packet_debian12-cilium:
+  stage: deploy-part2
+  extends: .packet_periodic
+  when: on_success
+
 packet_centos7-calico-ha-once-localhost:
  stage: deploy-part2
  extends: .packet_pr
@@ -143,7 +144,7 @@ packet_centos7-calico-ha-once-localhost:

 packet_almalinux8-kube-ovn:
  stage: deploy-part2
-  extends: .packet_periodic
+  extends: .packet_pr
  when: on_success

 packet_almalinux8-calico:
@@ -179,11 +180,6 @@ packet_fedora38-docker-weave:
  when: on_success
  allow_failure: true

-packet_opensuse-canal:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-
 packet_opensuse-docker-cilium:
  stage: deploy-part2
  extends: .packet_pr
@@ -191,22 +187,17 @@ packet_opensuse-docker-cilium:

 # ### MANUAL JOBS

-packet_ubuntu16-docker-weave-sep:
+packet_ubuntu20-docker-weave-sep:
  stage: deploy-part2
  extends: .packet_pr
  when: manual

-packet_ubuntu18-cilium-sep:
+packet_ubuntu20-cilium-sep:
  stage: deploy-special
  extends: .packet_pr
  when: manual

-packet_ubuntu18-flannel-ha:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_ubuntu18-flannel-ha-once:
+packet_ubuntu20-flannel-ha-once:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
@@ -217,7 +208,7 @@ packet_almalinux8-calico-ha-ebpf:
  extends: .packet_pr
  when: manual

-packet_debian9-macvlan:
+packet_debian10-macvlan:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
@@ -232,11 +223,6 @@ packet_centos7-multus-calico:
  extends: .packet_pr
  when: manual

-packet_centos7-canal-ha:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
 packet_fedora38-docker-calico:
  stage: deploy-part2
  extends: .packet_periodic
@@ -254,7 +240,7 @@ packet_fedora37-calico-swap-selinux:
  extends: .packet_pr
  when: manual

-packet_amazon-linux-2-aio:
+packet_amazon-linux-2-all-in-one:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
@@ -269,6 +255,16 @@ packet_fedora38-kube-ovn:
  extends: .packet_periodic
  when: on_success

+packet_debian11-custom-cni:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+
+packet_debian11-kubelet-csr-approver:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+
 # ### PR JOBS PART3
 # Long jobs (45min+)

@@ -319,18 +315,18 @@ packet_debian11-calico-upgrade-once:
  variables:
    UPGRADE_TEST: graceful

-packet_ubuntu18-calico-ha-recover:
+packet_ubuntu20-calico-ha-recover:
  stage: deploy-part3
  extends: .packet_periodic
  when: on_success
  variables:
    RECOVER_CONTROL_PLANE_TEST: "true"
-    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube_control_plane[1:]"
+    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:]:kube_control_plane[1:]"

-packet_ubuntu18-calico-ha-recover-noquorum:
+packet_ubuntu20-calico-ha-recover-noquorum:
  stage: deploy-part3
  extends: .packet_periodic
  when: on_success
  variables:
    RECOVER_CONTROL_PLANE_TEST: "true"
-    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[1:],kube_control_plane[1:]"
+    RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[1:]:kube_control_plane[1:]"
@@ -60,11 +60,11 @@ tf-validate-openstack:
    PROVIDER: openstack
    CLUSTER: $CI_COMMIT_REF_NAME

-tf-validate-metal:
+tf-validate-equinix:
  extends: .terraform_validate
  variables:
    TF_VERSION: $TERRAFORM_VERSION
-    PROVIDER: metal
+    PROVIDER: equinix
    CLUSTER: $CI_COMMIT_REF_NAME

 tf-validate-aws:
@@ -80,6 +80,12 @@ tf-validate-exoscale:
    TF_VERSION: $TERRAFORM_VERSION
    PROVIDER: exoscale

+tf-validate-hetzner:
+  extends: .terraform_validate
+  variables:
+    TF_VERSION: $TERRAFORM_VERSION
+    PROVIDER: hetzner
+
 tf-validate-vsphere:
  extends: .terraform_validate
  variables:
@@ -94,7 +100,13 @@ tf-validate-upcloud:
    PROVIDER: upcloud
    CLUSTER: $CI_COMMIT_REF_NAME

-# tf-packet-ubuntu16-default:
+tf-validate-nifcloud:
+  extends: .terraform_validate
+  variables:
+    TF_VERSION: $TERRAFORM_VERSION
+    PROVIDER: nifcloud
+
+# tf-packet-ubuntu20-default:
 #   extends: .terraform_apply
 #   variables:
 #     TF_VERSION: $TERRAFORM_VERSION
@@ -104,23 +116,9 @@ tf-validate-upcloud:
 #     TF_VAR_number_of_k8s_nodes: "1"
 #     TF_VAR_plan_k8s_masters: t1.small.x86
 #     TF_VAR_plan_k8s_nodes: t1.small.x86
-#     TF_VAR_facility: ewr1
+#     TF_VAR_metro: am
 #     TF_VAR_public_key_path: ""
-#     TF_VAR_operating_system: ubuntu_16_04
-#
-# tf-packet-ubuntu18-default:
-#   extends: .terraform_apply
-#   variables:
-#     TF_VERSION: $TERRAFORM_VERSION
-#     PROVIDER: packet
-#     CLUSTER: $CI_COMMIT_REF_NAME
-#     TF_VAR_number_of_k8s_masters: "1"
-#     TF_VAR_number_of_k8s_nodes: "1"
-#     TF_VAR_plan_k8s_masters: t1.small.x86
-#     TF_VAR_plan_k8s_nodes: t1.small.x86
-#     TF_VAR_facility: ams1
-#     TF_VAR_public_key_path: ""
-#     TF_VAR_operating_system: ubuntu_18_04
+#     TF_VAR_operating_system: ubuntu_20_04

 .ovh_variables: &ovh_variables
  OS_AUTH_URL: https://auth.cloud.ovh.net/v3
@@ -158,7 +156,7 @@ tf-elastx_cleanup:
  script:
    - ./scripts/openstack-cleanup/main.py

-tf-elastx_ubuntu18-calico:
+tf-elastx_ubuntu20-calico:
  extends: .terraform_apply
  stage: deploy-part3
  when: on_success
@@ -188,7 +186,7 @@ tf-elastx_ubuntu18-calico:
    TF_VAR_az_list_node: '["sto1"]'
    TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
    TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-18.04-server-latest
+    TF_VAR_image: ubuntu-20.04-server-latest
    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

 # OVH voucher expired, commenting job until things are sorted  out
@@ -205,7 +203,7 @@ tf-elastx_ubuntu18-calico:
 #  script:
 #    - ./scripts/openstack-cleanup/main.py

-# tf-ovh_ubuntu18-calico:
+# tf-ovh_ubuntu20-calico:
 #  extends: .terraform_apply
 #  when: on_success
 #  environment: ovh
@@ -231,5 +229,5 @@ tf-elastx_ubuntu18-calico:
 #    TF_VAR_network_name: "Ext-Net"
 #    TF_VAR_flavor_k8s_master: "defa64c3-bd46-43b4-858a-d93bbae0a229"    # s1-8
 #    TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229"      # s1-8
-#    TF_VAR_image: "Ubuntu 18.04"
+#    TF_VAR_image: "Ubuntu 20.04"
 #    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
@@ -13,10 +13,6 @@
  image: $PIPELINE_IMAGE
  services: []
  before_script:
-    - apt-get update && apt-get install -y python3-pip
-    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible ansible-base ansible-core
-    - python -m pip install -r tests/requirements.txt
    - ./tests/scripts/vagrant_clean.sh
  script:
    - ./tests/scripts/testcases_run.sh
@@ -24,17 +20,12 @@
    - chronic ./tests/scripts/testcases_cleanup.sh
  allow_failure: true

-vagrant_ubuntu18-calico-dual-stack:
+vagrant_ubuntu20-calico-dual-stack:
  stage: deploy-part2
  extends: .vagrant
  when: on_success

-vagrant_ubuntu18-flannel:
-  stage: deploy-part2
-  extends: .vagrant
-  when: on_success
-
-vagrant_ubuntu18-weave-medium:
+vagrant_ubuntu20-weave-medium:
  stage: deploy-part2
  extends: .vagrant
  when: manual
@@ -45,13 +36,18 @@ vagrant_ubuntu20-flannel:
  when: on_success
  allow_failure: false

-vagrant_ubuntu16-kube-router-sep:
+vagrant_ubuntu20-flannel-collection:
+  stage: deploy-part2
+  extends: .vagrant
+  when: on_success
+
+vagrant_ubuntu20-kube-router-sep:
  stage: deploy-part2
  extends: .vagrant
  when: manual

 # Service proxy test fails connectivity testing
-vagrant_ubuntu16-kube-router-svc-proxy:
+vagrant_ubuntu20-kube-router-svc-proxy:
  stage: deploy-part2
  extends: .vagrant
  when: manual
@@ -1,5 +1,20 @@
 ---
 repos:
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.4.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-xml
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: forbid-new-submodules
+      - id: requirements-txt-fixer
+      - id: trailing-whitespace
+
  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.27.1
    hooks:
@@ -13,6 +28,14 @@ repos:
        args: [ -r, "~MD013,~MD029" ]
        exclude: "^.git"

+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0
+    hooks:
+      - id: shellcheck
+        args: [ --severity, "error" ]
+        exclude: "^.git"
+        files: "\\.sh$"
+
  - repo: local
    hooks:
      - id: ansible-lint
@@ -3,6 +3,8 @@ extends: default

 ignore: |
  .git/
+  # Generated file
+  tests/files/custom_cni/cilium.yaml

 rules:
  braces:
@@ -0,0 +1 @@
+# See our release notes on [GitHub](https://github.com/kubernetes-sigs/kubespray/releases)
@@ -1 +1 @@
-kubespray.io
+kubespray.io
@@ -12,6 +12,7 @@ To install development dependencies you can set up a python virtual env with the
 virtualenv venv
 source venv/bin/activate
 pip install -r tests/requirements.txt
+ansible-galaxy install -r tests/requirements.yml
 ```

 #### Linting
@@ -1,38 +1,45 @@
-# Use imutable image tags rather than mutable tags (like ubuntu:20.04)
-FROM ubuntu:focal-20220531
-
-ARG ARCH=amd64
-ARG TZ=Etc/UTC
-RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
-
-RUN apt update -y \
-    && apt install -y \
-    curl python3 python3-pip sshpass rsync \
-    && rm -rf /var/lib/apt/lists/*
-
+# Use imutable image tags rather than mutable tags (like ubuntu:22.04)
+FROM ubuntu:jammy-20230308
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages)
 # See: https://github.com/pypa/pip/issues/10219
-ENV LANG=C.UTF-8
-
+ENV LANG=C.UTF-8 \
+    DEBIAN_FRONTEND=noninteractive \
+    PYTHONDONTWRITEBYTECODE=1
 WORKDIR /kubespray
-COPY *yml /kubespray/
-COPY roles /kubespray/roles
-COPY inventory /kubespray/inventory
-COPY library /kubespray/library
-COPY extra_playbooks /kubespray/extra_playbooks
+COPY *.yml ./
+COPY *.cfg ./
+COPY roles ./roles
+COPY contrib ./contrib
+COPY inventory ./inventory
+COPY library ./library
+COPY extra_playbooks ./extra_playbooks
+COPY playbooks ./playbooks
+COPY plugins ./plugins

-RUN python3 -m pip install --no-cache-dir \
-    ansible==5.7.1 \
-    ansible-core==2.12.5 \
-    cryptography==3.4.8 \
-    jinja2==2.11.3 \
-    netaddr==0.7.19 \
-    jmespath==1.0.1 \
-    MarkupSafe==1.1.1 \
-    ruamel.yaml==0.17.21 \
+RUN apt update -q \
+    && apt install -yq --no-install-recommends \
+       curl \
+       python3 \
+       python3-pip \
+       sshpass \
+       vim \
+       rsync \
+       openssh-client \
+    && pip install --no-compile --no-cache-dir \
+       ansible==7.6.0 \
+       ansible-core==2.14.6 \
+       cryptography==41.0.1 \
+       jinja2==3.1.2 \
+       netaddr==0.8.0 \
+       jmespath==1.0.1 \
+       MarkupSafe==2.1.3 \
+       ruamel.yaml==0.17.21 \
+       passlib==1.7.4 \
    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
-    && curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$ARCH/kubectl \
-    && chmod a+x kubectl \
-    && mv kubectl /usr/local/bin/kubectl
+    && curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && chmod a+x /usr/local/bin/kubectl \
+    && rm -rf /var/lib/apt/lists/* /var/log/* \
+    && find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \;
@@ -187,7 +187,7 @@
      identification within third-party archives.

   Copyright 2016 Kubespray
-   
+
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
@@ -5,4 +5,4 @@ approvers:
 reviewers:
  - kubespray-reviewers
 emeritus_approvers:
-  - kubespray-emeritus_approvers
+  - kubespray-emeritus_approvers
@@ -10,6 +10,7 @@ aliases:
    - cristicalin
    - liupeng0518
    - yankay
+    - mzaian
  kubespray-reviewers:
    - holmsten
    - bozzo
@@ -21,6 +22,8 @@ aliases:
    - yankay
    - cyclinder
    - mzaian
+    - mrfreezeex
+    - erikjiang
  kubespray-emeritus_approvers:
    - riverzhang
    - atoms
@@ -34,6 +34,13 @@ CONFIG_FILE=inventory/mycluster/hosts.yaml python3 contrib/inventory_builder/inv
 cat inventory/mycluster/group_vars/all/all.yml
 cat inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml

+# Clean up old Kubernetes cluster with Ansible Playbook - run the playbook as root
+# The option `--become` is required, as for example cleaning up SSL keys in /etc/,
+# uninstalling old packages and interacting with various systemd daemons.
+# Without --become the playbook will fail to run!
+# And be mind it will remove the current kubernetes cluster (if it's running)!
+ansible-playbook -i inventory/mycluster/hosts.yaml  --become --become-user=root reset.yml
+
 # Deploy Kubespray with Ansible Playbook - run the playbook as root
 # The option `--become` is required, as for example writing SSL keys in /etc/,
 # installing packages and interacting with various systemd daemons.
@@ -45,7 +52,7 @@ Note: When Ansible is already installed via system packages on the control node,
 Python packages installed via `sudo pip install -r requirements.txt` will go to
 a different directory tree (e.g. `/usr/local/lib/python2.7/dist-packages` on
 Ubuntu) from Ansible's (e.g. `/usr/lib/python2.7/dist-packages/ansible` still on
-buntu). As a consequence, the `ansible-playbook` command will fail with:
+Ubuntu). As a consequence, the `ansible-playbook` command will fail with:

 ```raw
 ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.
@@ -68,15 +75,19 @@ You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mou
 to access the inventory and SSH key in the container, like this:

 ```ShellSession
-git checkout v2.20.0
-docker pull quay.io/kubespray/kubespray:v2.20.0
+git checkout v2.23.3
+docker pull quay.io/kubespray/kubespray:v2.23.3
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.20.0 bash
+  quay.io/kubespray/kubespray:v2.23.3 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```

+#### Collection
+
+See [here](docs/ansible_collection.md) if you wish to use this repository as an Ansible collection
+
 ### Vagrant

 For Vagrant we need to install Python dependencies for provisioning tasks.
@@ -131,8 +142,8 @@ vagrant up
 ## Supported Linux Distributions

 - **Flatcar Container Linux by Kinvolk**
- **Debian** Bullseye, Buster, Jessie, Stretch
- **Ubuntu** 16.04, 18.04, 20.04, 22.04
+- **Debian** Bookworm, Bullseye, Buster
+- **Ubuntu** 20.04, 22.04
 - **CentOS/RHEL** 7, [8, 9](docs/centos.md#centos-8)
 - **Fedora** 37, 38
 - **Fedora CoreOS** (see [fcos Note](docs/fcos.md))
@@ -150,30 +161,29 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components

 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.25.6
-  - [etcd](https://github.com/etcd-io/etcd) v3.5.6
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.27.10
+  - [etcd](https://github.com/etcd-io/etcd) v3.5.10
  - [docker](https://www.docker.com/) v20.10 (see note)
-  - [containerd](https://containerd.io/) v1.6.15
-  - [cri-o](http://cri-o.io/) v1.24 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) v1.7.13
+  - [cri-o](http://cri-o.io/) v1.27 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
-  - [calico](https://github.com/projectcalico/calico) v3.24.5
-  - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.12.1
-  - [flannel](https://github.com/flannel-io/flannel) v0.20.2
-  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.10.7
+  - [calico](https://github.com/projectcalico/calico) v3.25.2
+  - [cilium](https://github.com/cilium/cilium) v1.13.4
+  - [flannel](https://github.com/flannel-io/flannel) v0.22.0
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.5.1
-  - [multus](https://github.com/intel/multus-cni) v3.8
+  - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
  - [weave](https://github.com/weaveworks/weave) v2.8.1
-  - [kube-vip](https://github.com/kube-vip/kube-vip) v0.5.5
+  - [kube-vip](https://github.com/kube-vip/kube-vip) v0.5.12
 - Application
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.11.0
-  - [coredns](https://github.com/coredns/coredns) v1.9.3
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.5.1
-  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.3
-  - [argocd](https://argoproj.github.io/) v2.5.7
-  - [helm](https://helm.sh/) v3.10.3
-  - [metallb](https://metallb.universe.tf/)  v0.12.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.11.1
+  - [coredns](https://github.com/coredns/coredns) v1.10.1
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.8.1
+  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
+  - [argocd](https://argoproj.github.io/) v2.8.0
+  - [helm](https://helm.sh/) v3.12.3
+  - [metallb](https://metallb.universe.tf/)  v0.13.9
  - [registry](https://github.com/distribution/distribution) v2.8.1
 - Storage Plugin
  - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
@@ -181,25 +191,25 @@ Note: Upstart/SysV init based OS types are not supported.
  - [aws-ebs-csi-plugin](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) v0.5.0
  - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
-  - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.4.0
-  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.22
+  - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
+  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
  - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0

 ## Container Runtime Notes

- Supported Docker versions are 18.09, 19.03 and 20.10. The *recommended* Docker version is 20.10. `Kubelet` might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. the YUM  ``versionlock`` plugin or ``apt pin``).
+- Supported Docker versions are 18.09, 19.03, 20.10, 23.0 and 24.0. The *recommended* Docker version is 20.10 (except on Debian bookworm which without supporting for 20.10 and below any more). `Kubelet` might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. the YUM  ``versionlock`` plugin or ``apt pin``).
 - The cri-o version should be aligned with the respective kubernetes version (i.e. kube_version=1.20.x, crio_version=1.20)

 ## Requirements

- **Minimum required version of Kubernetes is v1.23**
- **Ansible v2.11+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
+- **Minimum required version of Kubernetes is v1.25**
+- **Ansible v2.14+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.
 - If using IPv6 for pods and services, the target servers are configured to allow **IPv6 forwarding**.
 - The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
    in order to avoid any issue during deployment you should disable your firewall.
- If kubespray is ran from non-root user account, correct privilege escalation method
+- If kubespray is run from non-root user account, correct privilege escalation method
    should be configured in the target servers. Then the `ansible_become` flag
    or command parameters `--become or -b` should be specified.

@@ -217,13 +227,11 @@ You can choose among ten network plugins. (default: `calico`, except Vagrant use

 - [flannel](docs/flannel.md): gre/vxlan (layer 2) networking.

- [Calico](https://docs.projectcalico.org/latest/introduction/) is a networking and network policy provider. Calico supports a flexible set of networking options
+- [Calico](https://docs.tigera.io/calico/latest/about/) is a networking and network policy provider. Calico supports a flexible set of networking options
    designed to give you the most efficient networking across a range of situations, including non-overlay
    and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts,
    pods, and (if using Istio and Envoy) applications at the service mesh layer.

- [canal](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.
-
 - [cilium](http://docs.cilium.io/en/latest/): layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.

 - [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
@@ -240,6 +248,9 @@ You can choose among ten network plugins. (default: `calico`, except Vagrant use

 - [multus](docs/multus.md): Multus is a meta CNI plugin that provides multiple network interface support to pods. For each interface Multus delegates CNI calls to secondary CNI plugins such as Calico, macvlan, etc.

+- [custom_cni](roles/network-plugin/custom_cni/) : You can specify some manifests that will be applied to the clusters to bring you own CNI and use non-supported ones by Kubespray.
+  See `tests/files/custom_cni/README.md` and `tests/files/custom_cni/values.yaml`for an example with a CNI provided by a Helm Chart.
+
 The network plugin to use is defined by the variable `kube_network_plugin`. There is also an
 option to leverage built-in cloud provider networking instead.
 See also [Network checker](docs/netcheck.md).
@@ -265,7 +276,7 @@ See also [Network checker](docs/netcheck.md).

 ## CI Tests

-[![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/pipeline.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/pipelines)
+[![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/pipeline.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/pipelines)

 CI/end-to-end tests sponsored by: [CNCF](https://cncf.io), [Equinix Metal](https://metal.equinix.com/), [OVHcloud](https://www.ovhcloud.com/), [ELASTX](https://elastx.se/).

@@ -60,7 +60,7 @@ release-notes --start-sha <The start commit-id> --end-sha <The end commit-id> --
 ```

 If the release note file(/tmp/kubespray-release-note) contains "### Uncategorized" pull requests, those pull requests don't have a valid kind label(`kind/feature`, etc.).
-It is necessary to put a valid label on each pull request and run the above release-notes command again to get a better release note)
+It is necessary to put a valid label on each pull request and run the above release-notes command again to get a better release note

 ## Container image creation

@@ -19,9 +19,8 @@ SUPPORTED_OS = {
  "flatcar-beta"        => {box: "flatcar-beta",               user: "core", box_url: FLATCAR_URL_TEMPLATE % ["beta"]},
  "flatcar-alpha"       => {box: "flatcar-alpha",              user: "core", box_url: FLATCAR_URL_TEMPLATE % ["alpha"]},
  "flatcar-edge"        => {box: "flatcar-edge",               user: "core", box_url: FLATCAR_URL_TEMPLATE % ["edge"]},
-  "ubuntu1604"          => {box: "generic/ubuntu1604",         user: "vagrant"},
-  "ubuntu1804"          => {box: "generic/ubuntu1804",         user: "vagrant"},
  "ubuntu2004"          => {box: "generic/ubuntu2004",         user: "vagrant"},
+  "ubuntu2204"          => {box: "generic/ubuntu2204",         user: "vagrant"},
  "centos"              => {box: "centos/7",                   user: "vagrant"},
  "centos-bento"        => {box: "bento/centos-7.6",           user: "vagrant"},
  "centos8"             => {box: "centos/8",                   user: "vagrant"},
@@ -53,16 +52,16 @@ $shared_folders ||= {}
 $forwarded_ports ||= {}
 $subnet ||= "172.18.8"
 $subnet_ipv6 ||= "fd3c:b398:0698:0756"
-$os ||= "ubuntu1804"
+$os ||= "ubuntu2004"
 $network_plugin ||= "flannel"
-# Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
+# Setting multi_networking to true will install Multus: https://github.com/k8snetworkplumbingwg/multus-cni
 $multi_networking ||= "False"
 $download_run_once ||= "True"
 $download_force_cache ||= "False"
 # The first three nodes are etcd servers
-$etcd_instances ||= $num_instances
+$etcd_instances ||= [$num_instances, 3].min
 # The first two nodes are kube masters
-$kube_master_instances ||= $num_instances == 1 ? $num_instances : ($num_instances - 1)
+$kube_master_instances ||= [$num_instances, 2].min
 # All nodes are kube nodes
 $kube_node_instances ||= $num_instances
 # The following only works when using the libvirt provider
@@ -82,6 +81,13 @@ $playbook ||= "cluster.yml"

 host_vars = {}

+# throw error if os is not supported
+if ! SUPPORTED_OS.key?($os)
+  puts "Unsupported OS: #{$os}"
+  puts "Supported OS are: #{SUPPORTED_OS.keys.join(', ')}"
+  exit 1
+end
+
 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
 $inventory = "inventory/sample" if ! $inventory
@@ -212,8 +218,8 @@ Vagrant.configure("2") do |config|
      # Disable swap for each vm
      node.vm.provision "shell", inline: "swapoff -a"

-      # ubuntu1804 and ubuntu2004 have IPv6 explicitly disabled. This undoes that.
-      if ["ubuntu1804", "ubuntu2004"].include? $os
+      # ubuntu2004 and ubuntu2204 have IPv6 explicitly disabled. This undoes that.
+      if ["ubuntu2004", "ubuntu2204"].include? $os
        node.vm.provision "shell", inline: "rm -f /etc/modprobe.d/local.conf"
        node.vm.provision "shell", inline: "sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.d/99-sysctl.conf /etc/sysctl.conf"
      end
@@ -227,7 +233,7 @@ Vagrant.configure("2") do |config|
      end

      # Disable firewalld on oraclelinux/redhat vms
-      if ["oraclelinux","oraclelinux8","rhel7","rhel8"].include? $os
+      if ["oraclelinux","oraclelinux8","rhel7","rhel8","rockylinux8"].include? $os
        node.vm.provision "shell", inline: "systemctl stop firewalld; systemctl disable firewalld"
      end

@@ -1,131 +1,3 @@
 ---
- name: Check ansible version
-  import_playbook: ansible_version.yml
-
- name: Ensure compatibility with old groups
-  import_playbook: legacy_groups.yml
-
- hosts: bastion[0]
-  gather_facts: False
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: bastion-ssh-config, tags: ["localhost", "bastion"] }
-
- hosts: k8s_cluster:etcd
-  strategy: linear
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  gather_facts: false
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: bootstrap-os, tags: bootstrap-os}
-
- name: Gather facts
-  tags: always
-  import_playbook: facts.yml
-
- hosts: k8s_cluster:etcd
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: kubernetes/preinstall, tags: preinstall }
-    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine }
-    - { role: download, tags: download, when: "not skip_downloads" }
-
- hosts: etcd:kube_control_plane
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - role: etcd
-      tags: etcd
-      vars:
-        etcd_cluster_setup: true
-        etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
-      when: etcd_deployment_type != "kubeadm"
-
- hosts: k8s_cluster
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - role: etcd
-      tags: etcd
-      vars:
-        etcd_cluster_setup: false
-        etcd_events_cluster_setup: false
-      when:
-        - etcd_deployment_type != "kubeadm"
-        - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
-        - kube_network_plugin != "calico" or calico_datastore == "etcd"
-
- hosts: k8s_cluster
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: kubernetes/node, tags: node }
-
- hosts: kube_control_plane
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: kubernetes/control-plane, tags: master }
-    - { role: kubernetes/client, tags: client }
-    - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }
-
- hosts: k8s_cluster
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: kubernetes/kubeadm, tags: kubeadm}
-    - { role: kubernetes/node-label, tags: node-label }
-    - { role: network_plugin, tags: network }
-
- hosts: calico_rr
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr'] }
-
- hosts: kube_control_plane[0]
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
-
- hosts: kube_control_plane
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: kubernetes-apps/external_cloud_controller, tags: external-cloud-controller }
-    - { role: kubernetes-apps/network_plugin, tags: network }
-    - { role: kubernetes-apps/policy_controller, tags: policy-controller }
-    - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
-    - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }
-    - { role: kubernetes-apps, tags: apps }
-
- name: Apply resolv.conf changes now that cluster DNS is up
-  hosts: k8s_cluster
-  gather_facts: False
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
+- name: Install Kubernetes
+  ansible.builtin.import_playbook: playbooks/cluster.yml
@@ -39,7 +39,7 @@ class SearchEC2Tags(object):
      hosts[group] = []
      tag_key = "kubespray-role"
      tag_value = ["*"+group+"*"]
-      region = os.environ['REGION']
+      region = os.environ['AWS_REGION']

      ec2 = boto3.resource('ec2', region)
      filters = [{'Name': 'tag:'+tag_key, 'Values': tag_value}, {'Name': 'instance-state-name', 'Values': ['running']}]
@@ -67,6 +67,11 @@ class SearchEC2Tags(object):
        if node_labels_tag:
          ansible_host['node_labels'] = dict([ label.strip().split('=') for label in node_labels_tag[0]['Value'].split(',') ])

+        ##Set when instance actually has node_taints
+        node_taints_tag = list(filter(lambda t: t['Key'] == 'kubespray-node-taints', instance.tags))
+        if node_taints_tag:
+          ansible_host['node_taints'] = list([ taint.strip() for taint in node_taints_tag[0]['Value'].split(',') ])
+
        hosts[group].append(dns_name)
        hosts['_meta']['hostvars'][dns_name] = ansible_host

@@ -1 +1 @@
-boto3  # Apache-2.0
+boto3  # Apache-2.0
@@ -1,2 +1,2 @@
 .generated
-/inventory
+/inventory
@@ -1,5 +1,6 @@
 ---
- hosts: localhost
+- name: Generate Azure inventory
+  hosts: localhost
  gather_facts: False
  roles:
    - generate-inventory
@@ -1,5 +1,6 @@
 ---
- hosts: localhost
+- name: Generate Azure inventory
+  hosts: localhost
  gather_facts: False
  roles:
    - generate-inventory_2
@@ -1,5 +1,6 @@
 ---
- hosts: localhost
+- name: Generate Azure templates
+  hosts: localhost
  gather_facts: False
  roles:
    - generate-templates
@@ -1,6 +1,6 @@
 ---

- name: Query Azure VMs  # noqa 301
+- name: Query Azure VMs
  command: azure vm list-ip-address --json {{ azure_resource_group }}
  register: vm_list_cmd

@@ -1,14 +1,14 @@
 ---

- name: Query Azure VMs IPs  # noqa 301
+- name: Query Azure VMs IPs
  command: az vm list-ip-addresses -o json --resource-group {{ azure_resource_group }}
  register: vm_ip_list_cmd

- name: Query Azure VMs Roles  # noqa 301
+- name: Query Azure VMs Roles
  command: az vm list -o json --resource-group {{ azure_resource_group }}
  register: vm_list_cmd

- name: Query Azure Load Balancer Public IP  # noqa 301
+- name: Query Azure Load Balancer Public IP
  command: az network public-ip show -o json -g {{ azure_resource_group }} -n kubernetes-api-pubip
  register: lb_pubip_cmd

@@ -31,4 +31,3 @@
 [k8s_cluster:children]
 kube_node
 kube_control_plane
-
@@ -24,14 +24,14 @@ bastionIPAddressName: bastion-pubip

 disablePasswordAuthentication: true

-sshKeyPath: "/home/{{admin_username}}/.ssh/authorized_keys"
+sshKeyPath: "/home/{{ admin_username }}/.ssh/authorized_keys"

 imageReference:
  publisher: "OpenLogic"
  offer: "CentOS"
  sku: "7.5"
  version: "latest"
-imageReferenceJson: "{{imageReference|to_json}}"
+imageReferenceJson: "{{ imageReference | to_json }}"

-storageAccountName: "sa{{nameSuffix | replace('-', '')}}"
+storageAccountName: "sa{{ nameSuffix | replace('-', '') }}"
 storageAccountType: "{{ azure_storage_account_type | default('Standard_LRS') }}"
@@ -27,4 +27,4 @@
      }
    }
  ]
-}
+}
@@ -103,4 +103,4 @@
    }
    {% endif %}
  ]
-}
+}
@@ -5,4 +5,4 @@
  "variables": {},
  "resources": [],
  "outputs": {}
-}
+}
@@ -16,4 +16,4 @@
      }
    }
  ]
-}
+}
@@ -1,9 +1,11 @@
 ---
- hosts: localhost
+- name: Create nodes as docker containers
+  hosts: localhost
  gather_facts: False
  roles:
    - { role: dind-host }

- hosts: containers
+- name: Customize each node containers
+  hosts: containers
  roles:
    - { role: dind-cluster }
@@ -1,9 +1,9 @@
 ---
- name: set_fact distro_setup
+- name: Set_fact distro_setup
  set_fact:
    distro_setup: "{{ distro_settings[node_distro] }}"

- name: set_fact other distro settings
+- name: Set_fact other distro settings
  set_fact:
    distro_user: "{{ distro_setup['user'] }}"
    distro_ssh_service: "{{ distro_setup['ssh_service'] }}"
@@ -43,7 +43,7 @@
  package:
    name: "{{ item }}"
    state: present
-  with_items: "{{ distro_extra_packages }} + [ 'rsyslog', 'openssh-server' ]"
+  with_items: "{{ distro_extra_packages + ['rsyslog', 'openssh-server'] }}"

 - name: Start needed services
  service:
@@ -66,8 +66,8 @@
    dest: "/etc/sudoers.d/{{ distro_user }}"
    mode: 0640

- name: Add my pubkey to "{{ distro_user }}" user authorized keys
-  authorized_key:
+- name: "Add my pubkey to {{ distro_user }} user authorized keys"
+  ansible.posix.authorized_key:
    user: "{{ distro_user }}"
    state: present
-    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
+    key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
@@ -1,9 +1,9 @@
 ---
- name: set_fact distro_setup
+- name: Set_fact distro_setup
  set_fact:
    distro_setup: "{{ distro_settings[node_distro] }}"

- name: set_fact other distro settings
+- name: Set_fact other distro settings
  set_fact:
    distro_image: "{{ distro_setup['image'] }}"
    distro_init: "{{ distro_setup['init'] }}"
@@ -13,7 +13,7 @@
    distro_agetty_svc: "{{ distro_setup['agetty_svc'] }}"

 - name: Create dind node containers from "containers" inventory section
-  docker_container:
+  community.docker.docker_container:
    image: "{{ distro_image }}"
    name: "{{ item }}"
    state: started
@@ -53,7 +53,7 @@
    {{ distro_raw_setup_done }}  && echo SKIPPED && exit 0
    until [ "$(readlink /proc/1/exe)" = "{{ distro_pid1_exe }}" ] ; do sleep 1; done
    {{ distro_raw_setup }}
-  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  delegate_to: "{{ item._ansible_item_label | default(item.item) }}"
  with_items: "{{ containers.results }}"
  register: result
  changed_when: result.stdout.find("SKIPPED") < 0
@@ -63,26 +63,25 @@
    until test -S /var/run/dbus/system_bus_socket; do sleep 1; done
    systemctl disable {{ distro_agetty_svc }}
    systemctl stop {{ distro_agetty_svc }}
-  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  delegate_to: "{{ item._ansible_item_label | default(item.item) }}"
  with_items: "{{ containers.results }}"
  changed_when: false

 # Running systemd-machine-id-setup doesn't create a unique id for each node container on Debian,
 # handle manually
- name: Re-create unique machine-id (as we may just get what comes in the docker image), needed by some CNIs for mac address seeding (notably weave)  # noqa 301
+- name: Re-create unique machine-id (as we may just get what comes in the docker image), needed by some CNIs for mac address seeding (notably weave)
  raw: |
    echo {{ item | hash('sha1') }} > /etc/machine-id.new
    mv -b /etc/machine-id.new /etc/machine-id
    cmp /etc/machine-id /etc/machine-id~ || true
    systemctl daemon-reload
-  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  delegate_to: "{{ item._ansible_item_label | default(item.item) }}"
  with_items: "{{ containers.results }}"

 - name: Early hack image install to adapt for DIND
-  # noqa 302 - this task uses the raw module intentionally
  raw: |
    rm -fv /usr/bin/udevadm /usr/sbin/udevadm
-  delegate_to: "{{ item._ansible_item_label|default(item.item) }}"
+  delegate_to: "{{ item._ansible_item_label | default(item.item) }}"
  with_items: "{{ containers.results }}"
  register: result
  changed_when: result.stdout.find("removed") >= 0
@@ -1,3 +1,3 @@
 configparser>=3.3.0
-ruamel.yaml>=0.15.88
 ipaddress
+ruamel.yaml>=0.15.88
@@ -1,3 +1,3 @@
 hacking>=0.10.2
-pytest>=2.8.0
 mock>=1.3.0
+pytest>=2.8.0
@@ -1,21 +1,27 @@
 [tox]
 minversion = 1.6
 skipsdist = True
-envlist = pep8, py33
+envlist = pep8

 [testenv]
-whitelist_externals = py.test
+allowlist_externals = py.test
 usedevelop = True
 deps =
    -r{toxinidir}/requirements.txt
    -r{toxinidir}/test-requirements.txt
 setenv = VIRTUAL_ENV={envdir}
-passenv = http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
+passenv =
+    http_proxy
+    HTTP_PROXY
+    https_proxy
+    HTTPS_PROXY
+    no_proxy
+    NO_PROXY
 commands = pytest -vv #{posargs:./tests}

 [testenv:pep8]
 usedevelop = False
-whitelist_externals = bash
+allowlist_externals = bash
 commands =
    bash -c "find {toxinidir}/* -type f -name '*.py' -print0 | xargs -0 flake8"

@@ -1,3 +1,2 @@
 #k8s_deployment_user: kubespray
 #k8s_deployment_user_pkey_path: /tmp/ssh_rsa
-
@@ -1,8 +1,9 @@
 ---
- hosts: localhost
+- name: Prepare Hypervisor to later install kubespray VMs
+  hosts: localhost
  gather_facts: False
  become: yes
  vars:
-    - bootstrap_os: none
+    bootstrap_os: none
  roles:
-    - kvm-setup
+    - { role: kvm-setup }
@@ -22,9 +22,9 @@
    - ntp
  when: ansible_os_family == "Debian"

-# Create deployment user if required
- include: user.yml
+- name: Create deployment user if required
+  include_tasks: user.yml
  when: k8s_deployment_user is defined

-# Set proper sysctl values
- include: sysctl.yml
+- name: Set proper sysctl values
+  import_tasks: sysctl.yml
@@ -1,6 +1,6 @@
 ---
 - name: Load br_netfilter module
-  modprobe:
+  community.general.modprobe:
    name: br_netfilter
    state: present
  register: br_netfilter
@@ -25,7 +25,7 @@


 - name: Enable net.ipv4.ip_forward in sysctl
-  sysctl:
+  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: 1
    sysctl_file: "{{ sysctl_file_path }}"
@@ -33,7 +33,7 @@
    reload: yes

 - name: Set bridge-nf-call-{arptables,iptables} to 0
-  sysctl:
+  ansible.posix.sysctl:
    name: "{{ item }}"
    state: present
    value: 0
@@ -1,8 +1,9 @@
 ---
 - name: Check ansible version
-  import_playbook: ansible_version.yml
+  import_playbook: kubernetes_sigs.kubespray.ansible_version

- hosts: localhost
+- name: Install mitogen
+  hosts: localhost
  strategy: linear
  vars:
    mitogen_version: 0.3.2
@@ -19,24 +20,25 @@
        - "{{ playbook_dir }}/plugins/mitogen"
        - "{{ playbook_dir }}/dist"

-    - name: download mitogen release
+    - name: Download mitogen release
      get_url:
        url: "{{ mitogen_url }}"
        dest: "{{ playbook_dir }}/dist/mitogen_{{ mitogen_version }}.tar.gz"
        validate_certs: true
+        mode: 0644

-    - name: extract archive
+    - name: Extract archive
      unarchive:
        src: "{{ playbook_dir }}/dist/mitogen_{{ mitogen_version }}.tar.gz"
        dest: "{{ playbook_dir }}/dist/"

-    - name: copy plugin
-      synchronize:
+    - name: Copy plugin
+      ansible.posix.synchronize:
        src: "{{ playbook_dir }}/dist/mitogen-{{ mitogen_version }}/"
        dest: "{{ playbook_dir }}/plugins/mitogen"

-    - name: add strategy to ansible.cfg
-      ini_file:
+    - name: Add strategy to ansible.cfg
+      community.general.ini_file:
        path: ansible.cfg
        mode: 0644
        section: "{{ item.section | d('defaults') }}"
@@ -1,24 +1,29 @@
 ---
- hosts: gfs-cluster
+- name: Bootstrap hosts
+  hosts: gfs-cluster
  gather_facts: false
  vars:
    ansible_ssh_pipelining: false
  roles:
    - { role: bootstrap-os, tags: bootstrap-os}

- hosts: all
+- name: Gather facts
+  hosts: all
  gather_facts: true

- hosts: gfs-cluster
+- name: Install glusterfs server
+  hosts: gfs-cluster
  vars:
    ansible_ssh_pipelining: true
  roles:
    - { role: glusterfs/server }

- hosts: k8s_cluster
+- name: Install glusterfs servers
+  hosts: k8s_cluster
  roles:
    - { role: glusterfs/client }

- hosts: kube_control_plane[0]
+- name: Configure Kubernetes to use glusterfs
+  hosts: kube_control_plane[0]
  roles:
    - { role: kubernetes-pv }
@@ -41,4 +41,3 @@

 # [network-storage:children]
 # gfs-cluster
-
@@ -6,12 +6,12 @@ galaxy_info:
  description: GlusterFS installation for Linux.
  company: "Midwestern Mac, LLC"
  license: "license (BSD, MIT)"
-  min_ansible_version: 2.0
+  min_ansible_version: "2.0"
  platforms:
  - name: EL
    versions:
-    - 6
-    - 7
+    - "6"
+    - "7"
  - name: Ubuntu
    versions:
    - precise
@@ -3,14 +3,19 @@
 # hyperkube and needs to be installed as part of the system.

 # Setup/install tasks.
- include: setup-RedHat.yml
+- name: Setup RedHat distros for glusterfs
+  include_tasks: setup-RedHat.yml
  when: ansible_os_family == 'RedHat' and groups['gfs-cluster'] is defined

- include: setup-Debian.yml
+- name: Setup Debian distros for glusterfs
+  include_tasks: setup-Debian.yml
  when: ansible_os_family == 'Debian' and groups['gfs-cluster'] is defined

 - name: Ensure Gluster mount directories exist.
-  file: "path={{ item }} state=directory mode=0775"
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0775
  with_items:
    - "{{ gluster_mount_dir }}"
  when: ansible_os_family in ["Debian","RedHat"] and groups['gfs-cluster'] is defined
@@ -7,7 +7,7 @@
  register: glusterfs_ppa_added
  when: glusterfs_ppa_use

- name: Ensure GlusterFS client will reinstall if the PPA was just added.  # noqa 503
+- name: Ensure GlusterFS client will reinstall if the PPA was just added.  # noqa no-handler
  apt:
    name: "{{ item }}"
    state: absent
@@ -1,10 +1,14 @@
 ---
 - name: Install Prerequisites
-  package: name={{ item }}  state=present
+  package:
+    name: "{{ item }}"
+    state: present
  with_items:
    - "centos-release-gluster{{ glusterfs_default_release }}"

 - name: Install Packages
-  package: name={{ item }}  state=present
+  package:
+    name: "{{ item }}"
+    state: present
  with_items:
    - glusterfs-client
@@ -6,12 +6,12 @@ galaxy_info:
  description: GlusterFS installation for Linux.
  company: "Midwestern Mac, LLC"
  license: "license (BSD, MIT)"
-  min_ansible_version: 2.0
+  min_ansible_version: "2.0"
  platforms:
  - name: EL
    versions:
-    - 6
-    - 7
+    - "6"
+    - "7"
  - name: Ubuntu
    versions:
    - precise
@@ -4,78 +4,97 @@
  include_vars: "{{ ansible_os_family }}.yml"

 # Install xfs package
- name: install xfs Debian
-  apt: name=xfsprogs state=present
+- name: Install xfs Debian
+  apt:
+    name: xfsprogs
+    state: present
  when: ansible_os_family == "Debian"

- name: install xfs RedHat
-  package: name=xfsprogs state=present
+- name: Install xfs RedHat
+  package:
+    name: xfsprogs
+    state: present
  when: ansible_os_family == "RedHat"

 # Format external volumes in xfs
 - name: Format volumes in xfs
-  filesystem: "fstype=xfs dev={{ disk_volume_device_1 }}"
+  community.general.filesystem:
+    fstype: xfs
+    dev: "{{ disk_volume_device_1 }}"

 # Mount external volumes
- name: mounting new xfs filesystem
-  mount: "name={{ gluster_volume_node_mount_dir }} src={{ disk_volume_device_1 }} fstype=xfs state=mounted"
+- name: Mounting new xfs filesystem
+  ansible.posix.mount:
+    name: "{{ gluster_volume_node_mount_dir }}"
+    src: "{{ disk_volume_device_1 }}"
+    fstype: xfs
+    state: mounted

 # Setup/install tasks.
- include: setup-RedHat.yml
+- name: Setup RedHat distros for glusterfs
+  include_tasks: setup-RedHat.yml
  when: ansible_os_family == 'RedHat'

- include: setup-Debian.yml
+- name: Setup Debian distros for glusterfs
+  include_tasks: setup-Debian.yml
  when: ansible_os_family == 'Debian'

 - name: Ensure GlusterFS is started and enabled at boot.
-  service: "name={{ glusterfs_daemon }} state=started enabled=yes"
+  service:
+    name: "{{ glusterfs_daemon }}"
+    state: started
+    enabled: yes

 - name: Ensure Gluster brick and mount directories exist.
-  file: "path={{ item }} state=directory mode=0775"
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0775
  with_items:
    - "{{ gluster_brick_dir }}"
    - "{{ gluster_mount_dir }}"

 - name: Configure Gluster volume with replicas
-  gluster_volume:
+  gluster.gluster.gluster_volume:
    state: present
    name: "{{ gluster_brick_name }}"
    brick: "{{ gluster_brick_dir }}"
    replicas: "{{ groups['gfs-cluster'] | length }}"
-    cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip']|default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}"
+    cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}"
    host: "{{ inventory_hostname }}"
    force: yes
  run_once: true
-  when: groups['gfs-cluster']|length > 1
+  when: groups['gfs-cluster'] | length > 1

 - name: Configure Gluster volume without replicas
-  gluster_volume:
+  gluster.gluster.gluster_volume:
    state: present
    name: "{{ gluster_brick_name }}"
    brick: "{{ gluster_brick_dir }}"
-    cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip']|default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}"
+    cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}"
    host: "{{ inventory_hostname }}"
    force: yes
  run_once: true
-  when: groups['gfs-cluster']|length <= 1
+  when: groups['gfs-cluster'] | length <= 1

 - name: Mount glusterfs to retrieve disk size
-  mount:
+  ansible.posix.mount:
    name: "{{ gluster_mount_dir }}"
-    src: "{{ ip|default(ansible_default_ipv4['address']) }}:/gluster"
+    src: "{{ ip | default(ansible_default_ipv4['address']) }}:/gluster"
    fstype: glusterfs
    opts: "defaults,_netdev"
    state: mounted
  when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]

 - name: Get Gluster disk size
-  setup: filter=ansible_mounts
+  setup:
+    filter: ansible_mounts
  register: mounts_data
  when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]

 - name: Set Gluster disk size to variable
  set_fact:
-    gluster_disk_size_gb: "{{ (mounts_data.ansible_facts.ansible_mounts | selectattr('mount', 'equalto', gluster_mount_dir) | map(attribute='size_total') | first | int / (1024*1024*1024)) | int }}"
+    gluster_disk_size_gb: "{{ (mounts_data.ansible_facts.ansible_mounts | selectattr('mount', 'equalto', gluster_mount_dir) | map(attribute='size_total') | first | int / (1024 * 1024 * 1024)) | int }}"
  when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]

 - name: Create file on GlusterFS
@@ -86,9 +105,9 @@
  when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]

 - name: Unmount glusterfs
-  mount:
+  ansible.posix.mount:
    name: "{{ gluster_mount_dir }}"
    fstype: glusterfs
-    src: "{{ ip|default(ansible_default_ipv4['address']) }}:/gluster"
+    src: "{{ ip | default(ansible_default_ipv4['address']) }}:/gluster"
    state: unmounted
  when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]
@@ -7,7 +7,7 @@
  register: glusterfs_ppa_added
  when: glusterfs_ppa_use

- name: Ensure GlusterFS will reinstall if the PPA was just added.  # noqa 503
+- name: Ensure GlusterFS will reinstall if the PPA was just added.  # noqa no-handler
  apt:
    name: "{{ item }}"
    state: absent
@@ -1,11 +1,15 @@
 ---
 - name: Install Prerequisites
-  package: name={{ item }}  state=present
+  package:
+    name: "{{ item }}"
+    state: present
  with_items:
    - "centos-release-gluster{{ glusterfs_default_release }}"

 - name: Install Packages
-  package: name={{ item }}  state=present
+  package:
+    name: "{{ item }}"
+    state: present
  with_items:
    - glusterfs-server
    - glusterfs-client
@@ -18,6 +18,6 @@
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/{{ item.item.dest }}"
-    state: "{{ item.changed | ternary('latest','present') }}"
+    state: "{{ item.changed | ternary('latest', 'present') }}"
  with_items: "{{ gluster_pv.results }}"
  when: inventory_hostname == groups['kube_control_plane'][0] and groups['gfs-cluster'] is defined
@@ -21,4 +21,3 @@
    {% endfor %}
  ]
 }
-
@@ -1,9 +1,11 @@
 ---
- hosts: kube_control_plane[0]
+- name: Tear down heketi
+  hosts: kube_control_plane[0]
  roles:
    - { role: tear-down }

- hosts: heketi-node
+- name: Teardown disks in heketi
+  hosts: heketi-node
  become: yes
  roles:
    - { role: tear-down-disks }
@@ -1,9 +1,11 @@
 ---
- hosts: heketi-node
+- name: Prepare heketi install
+  hosts: heketi-node
  roles:
    - { role: prepare }

- hosts: kube_control_plane[0]
+- name: Provision heketi
+  hosts: kube_control_plane[0]
  tags:
    - "provision"
  roles:
@@ -5,7 +5,7 @@
    - "dm_snapshot"
    - "dm_mirror"
    - "dm_thin_pool"
-  modprobe:
+  community.general.modprobe:
    name: "{{ item }}"
    state: "present"

@@ -1,3 +1,3 @@
 ---
- name: "stop port forwarding"
+- name: "Stop port forwarding"
  command: "killall "
@@ -7,9 +7,9 @@

 - name: "Bootstrap heketi."
  when:
-    - "(initial_heketi_state.stdout|from_json|json_query(\"items[?kind=='Service']\"))|length == 0"
-    - "(initial_heketi_state.stdout|from_json|json_query(\"items[?kind=='Deployment']\"))|length == 0"
-    - "(initial_heketi_state.stdout|from_json|json_query(\"items[?kind=='Pod']\"))|length == 0"
+    - "(initial_heketi_state.stdout | from_json | json_query(\"items[?kind=='Service']\")) | length == 0"
+    - "(initial_heketi_state.stdout | from_json | json_query(\"items[?kind=='Deployment']\")) | length == 0"
+    - "(initial_heketi_state.stdout | from_json | json_query(\"items[?kind=='Pod']\")) | length == 0"
  include_tasks: "bootstrap/deploy.yml"

 # Prepare heketi topology
@@ -20,11 +20,11 @@

 - name: "Ensure heketi bootstrap pod is up."
  assert:
-    that: "(initial_heketi_pod.stdout|from_json|json_query('items[*]'))|length == 1"
+    that: "(initial_heketi_pod.stdout | from_json | json_query('items[*]')) | length == 1"

 - name: Store the initial heketi pod name
  set_fact:
-    initial_heketi_pod_name: "{{ initial_heketi_pod.stdout|from_json|json_query(\"items[*].metadata.name|[0]\") }}"
+    initial_heketi_pod_name: "{{ initial_heketi_pod.stdout | from_json | json_query(\"items[*].metadata.name | [0]\") }}"

 - name: "Test heketi topology."
  changed_when: false
@@ -32,7 +32,7 @@
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"

 - name: "Load heketi topology."
-  when: "heketi_topology.stdout|from_json|json_query(\"clusters[*].nodes[*]\")|flatten|length == 0"
+  when: "heketi_topology.stdout | from_json | json_query(\"clusters[*].nodes[*]\") | flatten | length == 0"
  include_tasks: "bootstrap/topology.yml"

 # Provision heketi database volume
@@ -58,7 +58,7 @@
    service_query: "items[?metadata.name=='heketi-storage-endpoints' && kind=='Service']"
    job_query: "items[?metadata.name=='heketi-storage-copy-job' && kind=='Job']"
  when:
-    - "heketi_storage_state.stdout|from_json|json_query(secret_query)|length == 0"
-    - "heketi_storage_state.stdout|from_json|json_query(endpoints_query)|length == 0"
-    - "heketi_storage_state.stdout|from_json|json_query(service_query)|length == 0"
-    - "heketi_storage_state.stdout|from_json|json_query(job_query)|length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(secret_query) | length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(endpoints_query) | length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(service_query) | length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(job_query) | length == 0"
@@ -17,11 +17,11 @@
  register: "initial_heketi_state"
  vars:
    initial_heketi_state: { stdout: "{}" }
-    pods_query: "items[?kind=='Pod'].status.conditions|[0][?type=='Ready'].status|[0]"
-    deployments_query: "items[?kind=='Deployment'].status.conditions|[0][?type=='Available'].status|[0]"
+    pods_query: "items[?kind=='Pod'].status.conditions | [0][?type=='Ready'].status | [0]"
+    deployments_query: "items[?kind=='Deployment'].status.conditions | [0][?type=='Available'].status | [0]"
  command: "{{ bin_dir }}/kubectl get services,deployments,pods --selector=deploy-heketi --output=json"
  until:
-    - "initial_heketi_state.stdout|from_json|json_query(pods_query) == 'True'"
-    - "initial_heketi_state.stdout|from_json|json_query(deployments_query) == 'True'"
+    - "initial_heketi_state.stdout | from_json | json_query(pods_query) == 'True'"
+    - "initial_heketi_state.stdout | from_json | json_query(deployments_query) == 'True'"
  retries: 60
  delay: 5
@@ -15,10 +15,10 @@
    service_query: "items[?metadata.name=='heketi-storage-endpoints' && kind=='Service']"
    job_query: "items[?metadata.name=='heketi-storage-copy-job' && kind=='Job']"
  when:
-    - "heketi_storage_state.stdout|from_json|json_query(secret_query)|length == 0"
-    - "heketi_storage_state.stdout|from_json|json_query(endpoints_query)|length == 0"
-    - "heketi_storage_state.stdout|from_json|json_query(service_query)|length == 0"
-    - "heketi_storage_state.stdout|from_json|json_query(job_query)|length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(secret_query) | length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(endpoints_query) | length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(service_query) | length == 0"
+    - "heketi_storage_state.stdout | from_json | json_query(job_query) | length == 0"
  register: "heketi_storage_result"
 - name: "Get state of heketi database copy job."
  command: "{{ bin_dir }}/kubectl get jobs --output=json"
@@ -28,6 +28,6 @@
    heketi_storage_state: { stdout: "{}" }
    job_query: "items[?metadata.name=='heketi-storage-copy-job' && kind=='Job' && status.succeeded==1]"
  until:
-    - "heketi_storage_state.stdout|from_json|json_query(job_query)|length == 1"
+    - "heketi_storage_state.stdout | from_json | json_query(job_query) | length == 1"
  retries: 60
  delay: 5
@@ -5,10 +5,10 @@
  changed_when: false
 - name: "Delete bootstrap Heketi."
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"deploy-heketi\""
-  when: "heketi_resources.stdout|from_json|json_query('items[*]')|length > 0"
- name: "Ensure there is nothing left over."  # noqa 301
+  when: "heketi_resources.stdout | from_json | json_query('items[*]') | length > 0"
+- name: "Ensure there is nothing left over."
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"deploy-heketi\" -o=json"
  register: "heketi_result"
-  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
+  until: "heketi_result.stdout | from_json | json_query('items[*]') | length == 0"
  retries: 60
  delay: 5
@@ -14,7 +14,7 @@
 - name: "Copy topology configuration into container."
  changed_when: false
  command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ initial_heketi_pod_name }}:/tmp/topology.json"
- name: "Load heketi topology."  # noqa 503
+- name: "Load heketi topology."  # noqa no-handler
  when: "render.changed"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology load --json=/tmp/topology.json"
  register: "load_heketi"
@@ -22,6 +22,6 @@
  changed_when: false
  register: "heketi_topology"
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
-  until: "heketi_topology.stdout|from_json|json_query(\"clusters[*].nodes[*].devices[?state=='online'].id\")|flatten|length == groups['heketi-node']|length"
+  until: "heketi_topology.stdout | from_json | json_query(\"clusters[*].nodes[*].devices[?state=='online'].id\") | flatten | length == groups['heketi-node'] | length"
  retries: 60
  delay: 5
@@ -6,19 +6,19 @@
 - name: "Get heketi volumes."
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} volume info {{ volume_id }} --json"
-  with_items: "{{ heketi_volumes.stdout|from_json|json_query(\"volumes[*]\") }}"
+  with_items: "{{ heketi_volumes.stdout | from_json | json_query(\"volumes[*]\") }}"
  loop_control: { loop_var: "volume_id" }
  register: "volumes_information"
 - name: "Test heketi database volume."
  set_fact: { heketi_database_volume_exists: true }
  with_items: "{{ volumes_information.results }}"
  loop_control: { loop_var: "volume_information" }
-  vars: { volume: "{{ volume_information.stdout|from_json }}" }
+  vars: { volume: "{{ volume_information.stdout | from_json }}" }
  when: "volume.name == 'heketidbstorage'"
 - name: "Provision database volume."
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} setup-openshift-heketi-storage"
  when: "heketi_database_volume_exists is undefined"
- name: "Copy configuration from pod."  # noqa 301
+- name: "Copy configuration from pod."
  become: true
  command: "{{ bin_dir }}/kubectl cp {{ initial_heketi_pod_name }}:/heketi-storage.json {{ kube_config_dir }}/heketi-storage-bootstrap.json"
 - name: "Get heketi volume ids."
@@ -28,14 +28,14 @@
 - name: "Get heketi volumes."
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ initial_heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} volume info {{ volume_id }} --json"
-  with_items: "{{ heketi_volumes.stdout|from_json|json_query(\"volumes[*]\") }}"
+  with_items: "{{ heketi_volumes.stdout | from_json | json_query(\"volumes[*]\") }}"
  loop_control: { loop_var: "volume_id" }
  register: "volumes_information"
 - name: "Test heketi database volume."
  set_fact: { heketi_database_volume_created: true }
  with_items: "{{ volumes_information.results }}"
  loop_control: { loop_var: "volume_information" }
-  vars: { volume: "{{ volume_information.stdout|from_json }}" }
+  vars: { volume: "{{ volume_information.stdout | from_json }}" }
  when: "volume.name == 'heketidbstorage'"
 - name: "Ensure heketi database volume exists."
  assert: { that: "heketi_database_volume_created is defined", msg: "Heketi database volume does not exist." }
@@ -23,8 +23,8 @@
  changed_when: false
  vars:
    daemonset_state: { stdout: "{}" }
-    ready: "{{ daemonset_state.stdout|from_json|json_query(\"status.numberReady\") }}"
-    desired: "{{ daemonset_state.stdout|from_json|json_query(\"status.desiredNumberScheduled\") }}"
+    ready: "{{ daemonset_state.stdout | from_json | json_query(\"status.numberReady\") }}"
+    desired: "{{ daemonset_state.stdout | from_json | json_query(\"status.desiredNumberScheduled\") }}"
  until: "ready | int >= 3"
  retries: 60
  delay: 5
@@ -5,7 +5,7 @@
  changed_when: false

 - name: "Assign storage label"
-  when: "label_present.stdout_lines|length == 0"
+  when: "label_present.stdout_lines | length == 0"
  command: "{{ bin_dir }}/kubectl label node {{ node }} storagenode=glusterfs"

 - name: Get storage nodes again
@@ -15,5 +15,5 @@

 - name: Ensure the label has been set
  assert:
-    that: "label_present|length > 0"
+    that: "label_present | length > 0"
    msg: "Node {{ node }} has not been assigned with label storagenode=glusterfs."
@@ -24,11 +24,11 @@
    deployments_query: "items[?kind=='Deployment'].status.conditions|[0][?type=='Available'].status|[0]"
  command: "{{ bin_dir }}/kubectl get deployments,pods --selector=glusterfs --output=json"
  until:
-    - "heketi_state.stdout|from_json|json_query(pods_query) == 'True'"
-    - "heketi_state.stdout|from_json|json_query(deployments_query) == 'True'"
+    - "heketi_state.stdout | from_json | json_query(pods_query) == 'True'"
+    - "heketi_state.stdout | from_json | json_query(deployments_query) == 'True'"
  retries: 60
  delay: 5

 - name: Set the Heketi pod name
  set_fact:
-    heketi_pod_name: "{{ heketi_state.stdout|from_json|json_query(\"items[?kind=='Pod'].metadata.name|[0]\") }}"
+    heketi_pod_name: "{{ heketi_state.stdout | from_json | json_query(\"items[?kind=='Pod'].metadata.name|[0]\") }}"
@@ -12,7 +12,7 @@
 - name: "Render storage class configuration."
  become: true
  vars:
-    endpoint_address: "{{ (heketi_service.stdout|from_json).spec.clusterIP }}"
+    endpoint_address: "{{ (heketi_service.stdout | from_json).spec.clusterIP }}"
  template:
    src: "storageclass.yml.j2"
    dest: "{{ kube_config_dir }}/storageclass.yml"
@@ -11,16 +11,16 @@
    src: "topology.json.j2"
    dest: "{{ kube_config_dir }}/topology.json"
    mode: 0644
- name: "Copy topology configuration into container."  # noqa 503
+- name: "Copy topology configuration into container."  # noqa no-handler
  when: "rendering.changed"
  command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ heketi_pod_name }}:/tmp/topology.json"
- name: "Load heketi topology."  # noqa 503
+- name: "Load heketi topology."  # noqa no-handler
  when: "rendering.changed"
  command: "{{ bin_dir }}/kubectl exec {{ heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology load --json=/tmp/topology.json"
 - name: "Get heketi topology."
  register: "heketi_topology"
  changed_when: false
  command: "{{ bin_dir }}/kubectl exec {{ heketi_pod_name }} -- heketi-cli --user admin --secret {{ heketi_admin_key }} topology info --json"
-  until: "heketi_topology.stdout|from_json|json_query(\"clusters[*].nodes[*].devices[?state=='online'].id\")|flatten|length == groups['heketi-node']|length"
+  until: "heketi_topology.stdout | from_json | json_query(\"clusters[*].nodes[*].devices[?state=='online'].id\") | flatten | length == groups['heketi-node'] | length"
  retries: 60
  delay: 5
@@ -22,7 +22,7 @@
  ignore_errors: true   # noqa ignore-errors
  changed_when: false

- name: "Remove volume groups."  # noqa 301
+- name: "Remove volume groups."
  environment:
    PATH: "{{ ansible_env.PATH }}:/sbin"  # Make sure we can workaround RH / CentOS conservative path management
  become: true
@@ -30,7 +30,7 @@
  with_items: "{{ volume_groups.stdout_lines }}"
  loop_control: { loop_var: "volume_group" }

- name: "Remove physical volume from cluster disks."  # noqa 301
+- name: "Remove physical volume from cluster disks."
  environment:
    PATH: "{{ ansible_env.PATH }}:/sbin"  # Make sure we can workaround RH / CentOS conservative path management
  become: true
@@ -1,43 +1,43 @@
 ---
- name: Remove storage class.  # noqa 301
+- name: Remove storage class.
  command: "{{ bin_dir }}/kubectl delete storageclass gluster"
  ignore_errors: true  # noqa ignore-errors
- name: Tear down heketi.  # noqa 301
+- name: Tear down heketi.
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\""
  ignore_errors: true  # noqa ignore-errors
- name: Tear down heketi.  # noqa 301
+- name: Tear down heketi.
  command: "{{ bin_dir }}/kubectl delete all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\""
  ignore_errors: true  # noqa ignore-errors
 - name: Tear down bootstrap.
  include_tasks: "../../provision/tasks/bootstrap/tear-down.yml"
- name: Ensure there is nothing left over.  # noqa 301
+- name: Ensure there is nothing left over.
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-pod\" -o=json"
  register: "heketi_result"
-  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
+  until: "heketi_result.stdout | from_json | json_query('items[*]') | length == 0"
  retries: 60
  delay: 5
- name: Ensure there is nothing left over.  # noqa 301
+- name: Ensure there is nothing left over.
  command: "{{ bin_dir }}/kubectl get all,service,jobs,deployment,secret --selector=\"glusterfs=heketi-deployment\" -o=json"
  register: "heketi_result"
-  until: "heketi_result.stdout|from_json|json_query('items[*]')|length == 0"
+  until: "heketi_result.stdout | from_json | json_query('items[*]') | length == 0"
  retries: 60
  delay: 5
- name: Tear down glusterfs.  # noqa 301
+- name: Tear down glusterfs.
  command: "{{ bin_dir }}/kubectl delete daemonset.extensions/glusterfs"
  ignore_errors: true  # noqa ignore-errors
- name: Remove heketi storage service.  # noqa 301
+- name: Remove heketi storage service.
  command: "{{ bin_dir }}/kubectl delete service heketi-storage-endpoints"
  ignore_errors: true  # noqa ignore-errors
- name: Remove heketi gluster role binding  # noqa 301
+- name: Remove heketi gluster role binding
  command: "{{ bin_dir }}/kubectl delete clusterrolebinding heketi-gluster-admin"
  ignore_errors: true  # noqa ignore-errors
- name: Remove heketi config secret  # noqa 301
+- name: Remove heketi config secret
  command: "{{ bin_dir }}/kubectl delete secret heketi-config-secret"
  ignore_errors: true  # noqa ignore-errors
- name: Remove heketi db backup  # noqa 301
+- name: Remove heketi db backup
  command: "{{ bin_dir }}/kubectl delete secret heketi-db-backup"
  ignore_errors: true  # noqa ignore-errors
- name: Remove heketi service account  # noqa 301
+- name: Remove heketi service account
  command: "{{ bin_dir }}/kubectl delete serviceaccount heketi-service-account"
  ignore_errors: true  # noqa ignore-errors
 - name: Get secrets
@@ -46,6 +46,6 @@
  changed_when: false
 - name: Remove heketi storage secret
  vars: { storage_query: "items[?metadata.annotations.\"kubernetes.io/service-account.name\"=='heketi-service-account'].metadata.name|[0]" }
-  command: "{{ bin_dir }}/kubectl delete secret {{ secrets.stdout|from_json|json_query(storage_query) }}"
+  command: "{{ bin_dir }}/kubectl delete secret {{ secrets.stdout | from_json | json_query(storage_query) }}"
  when: "storage_query is defined"
  ignore_errors: true  # noqa ignore-errors
@@ -27,7 +27,7 @@ manage-offline-container-images.sh   register

 ## generate_list.sh

-This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main.yml` file.
+This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main/main.yml` file.

 Run this script will execute `generate_list.yml` playbook in kubespray root directory and generate four files,
 all downloaded files url in files.list, all container images in images.list, jinja2 templates in *.template.
@@ -5,7 +5,7 @@ CURRENT_DIR=$(cd $(dirname $0); pwd)
 TEMP_DIR="${CURRENT_DIR}/temp"
 REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"

-: ${DOWNLOAD_YML:="roles/download/defaults/main.yml"}
+: ${DOWNLOAD_YML:="roles/download/defaults/main/main.yml"}

 mkdir -p ${TEMP_DIR}

@@ -19,7 +19,7 @@ sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
    | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template

 # add kube-* images to images list template
-# Those container images are downloaded by kubeadm, then roles/download/defaults/main.yml
+# Those container images are downloaded by kubeadm, then roles/download/defaults/main/main.yml
 # doesn't contain those images. That is reason why here needs to put those images into the
 # list separately.
 KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"
@@ -1,5 +1,6 @@
 ---
- hosts: localhost
+- name: Collect container images for offline deployment
+  hosts: localhost
  become: no

  roles:
@@ -11,9 +12,11 @@

  tasks:
    # Generate files.list and images.list files from templates.
-    - template:
+    - name: Collect container images for offline deployment
+      template:
        src: ./contrib/offline/temp/{{ item }}.list.template
        dest: ./contrib/offline/temp/{{ item }}.list
+        mode: 0644
      with_items:
        - files
        - images
@@ -39,6 +39,6 @@ if [ $? -ne 0 ]; then
    sudo "${runtime}" run \
        --restart=always -d -p ${NGINX_PORT}:80 \
        --volume "${OFFLINE_FILES_DIR}:/usr/share/nginx/html/download" \
-        --volume "$(pwd)"/nginx.conf:/etc/nginx/nginx.conf \
+        --volume "${CURRENT_DIR}"/nginx.conf:/etc/nginx/nginx.conf \
        --name nginx nginx:alpine
 fi
@@ -1,4 +1,5 @@
 ---
- hosts: all
+- name: Disable firewalld/ufw
+  hosts: all
  roles:
    - { role: prepare }
@@ -1,5 +1,8 @@
 ---
- block:
+- name: Disable firewalld and ufw
+  when:
+  - disable_service_firewall is defined and disable_service_firewall
+  block:
  - name: List services
    service_facts:

@@ -9,7 +12,7 @@
      state: stopped
      enabled: no
    when:
-      "'firewalld.service' in services"
+      "'firewalld.service' in services and services['firewalld.service'].status != 'not-found'"

  - name: Disable service ufw
    systemd:
@@ -17,7 +20,4 @@
      state: stopped
      enabled: no
    when:
-      "'ufw.service' in services"
-
-  when:
-  - disable_service_firewall is defined and disable_service_firewall
+      "'ufw.service' in services and services['ufw.service'].status != 'not-found'"
@@ -12,7 +12,7 @@ This will install a Kubernetes cluster on Equinix Metal. It should work in all l
 The terraform configuration inspects variables found in
 [variables.tf](variables.tf) to create resources in your Equinix Metal project.
 There is a [python script](../terraform.py) that reads the generated`.tfstate`
-file to generate a dynamic inventory that is consumed by [cluster.yml](../../..//cluster.yml)
+file to generate a dynamic inventory that is consumed by [cluster.yml](../../../cluster.yml)
 to actually install Kubernetes with Kubespray.

 ### Kubernetes Nodes
@@ -60,16 +60,16 @@ Terraform will be used to provision all of the Equinix Metal resources with base
 Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):

 ```ShellSession
-cp -LRp contrib/terraform/metal/sample-inventory inventory/$CLUSTER
+cp -LRp contrib/terraform/equinix/sample-inventory inventory/$CLUSTER
 cd inventory/$CLUSTER
-ln -s ../../contrib/terraform/metal/hosts
+ln -s ../../contrib/terraform/equinix/hosts
 ```

 This will be the base for subsequent Terraform commands.

 #### Equinix Metal API access

-Your Equinix Metal API key must be available in the `PACKET_AUTH_TOKEN` environment variable.
+Your Equinix Metal API key must be available in the `METAL_AUTH_TOKEN` environment variable.
 This key is typically stored outside of the code repo since it is considered secret.
 If someone gets this key, they can startup/shutdown hosts in your project!

@@ -80,10 +80,12 @@ The Equinix Metal Project ID associated with the key will be set later in `clust

 For more information about the API, please see [Equinix Metal API](https://metal.equinix.com/developers/api/).

+For more information about terraform provider authentication, please see [the equinix provider documentation](https://registry.terraform.io/providers/equinix/equinix/latest/docs).
+
 Example:

 ```ShellSession
-export PACKET_AUTH_TOKEN="Example-API-Token"
+export METAL_AUTH_TOKEN="Example-API-Token"
 ```

 Note that to deploy several clusters within the same project you need to use [terraform workspace](https://www.terraform.io/docs/state/workspaces.html#using-workspaces).
@@ -101,7 +103,7 @@ This helps when identifying which hosts are associated with each cluster.
 While the defaults in variables.tf will successfully deploy a cluster, it is recommended to set the following values:

 - cluster_name = the name of the inventory directory created above as $CLUSTER
- metal_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above
+- equinix_metal_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above

 #### Enable localhost access

@@ -119,12 +121,13 @@ Once the Kubespray playbooks are run, a Kubernetes configuration file will be wr

 In the cluster's inventory folder, the following files might be created (either by Terraform
 or manually), to prevent you from pushing them accidentally they are in a
-`.gitignore` file in the `terraform/metal` directory :
+`.gitignore` file in the `contrib/terraform/equinix` directory :

 - `.terraform`
 - `.tfvars`
 - `.tfstate`
 - `.tfstate.backup`
+- `.lock.hcl`

 You can still add them manually if you want to.

@@ -135,7 +138,7 @@ plugins. This is accomplished as follows:

 ```ShellSession
 cd inventory/$CLUSTER
-terraform init ../../contrib/terraform/metal
+terraform -chdir=../../contrib/terraform/metal init -var-file=cluster.tfvars
 ```

 This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
@@ -146,7 +149,7 @@ You can apply the Terraform configuration to your cluster with the following com
 issued from your cluster's inventory directory (`inventory/$CLUSTER`):

 ```ShellSession
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/metal
+terraform -chdir=../../contrib/terraform/equinix apply -var-file=cluster.tfvars
 export ANSIBLE_HOST_KEY_CHECKING=False
 ansible-playbook -i hosts ../../cluster.yml
 ```
@@ -156,7 +159,7 @@ ansible-playbook -i hosts ../../cluster.yml
 You can destroy your new cluster with the following command issued from the cluster's inventory directory:

 ```ShellSession
-terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/metal
+terraform -chdir=../../contrib/terraform/equinix destroy -var-file=cluster.tfvars
 ```

 If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
@@ -1,62 +1,57 @@
-# Configure the Equinix Metal Provider
-provider "metal" {
-}
-
-resource "metal_ssh_key" "k8s" {
+resource "equinix_metal_ssh_key" "k8s" {
  count      = var.public_key_path != "" ? 1 : 0
  name       = "kubernetes-${var.cluster_name}"
  public_key = chomp(file(var.public_key_path))
 }

-resource "metal_device" "k8s_master" {
-  depends_on = [metal_ssh_key.k8s]
+resource "equinix_metal_device" "k8s_master" {
+  depends_on = [equinix_metal_ssh_key.k8s]

  count            = var.number_of_k8s_masters
  hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
  plan             = var.plan_k8s_masters
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.metal_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane", "etcd", "kube_node"]
 }

-resource "metal_device" "k8s_master_no_etcd" {
-  depends_on = [metal_ssh_key.k8s]
+resource "equinix_metal_device" "k8s_master_no_etcd" {
+  depends_on = [equinix_metal_ssh_key.k8s]

  count            = var.number_of_k8s_masters_no_etcd
  hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
  plan             = var.plan_k8s_masters_no_etcd
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.metal_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane"]
 }

-resource "metal_device" "k8s_etcd" {
-  depends_on = [metal_ssh_key.k8s]
+resource "equinix_metal_device" "k8s_etcd" {
+  depends_on = [equinix_metal_ssh_key.k8s]

  count            = var.number_of_etcd
  hostname         = "${var.cluster_name}-etcd-${count.index + 1}"
  plan             = var.plan_etcd
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.metal_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "etcd"]
 }

-resource "metal_device" "k8s_node" {
-  depends_on = [metal_ssh_key.k8s]
+resource "equinix_metal_device" "k8s_node" {
+  depends_on = [equinix_metal_ssh_key.k8s]

  count            = var.number_of_k8s_nodes
  hostname         = "${var.cluster_name}-k8s-node-${count.index + 1}"
  plan             = var.plan_k8s_nodes
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.metal_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_node"]
 }
-
@@ -0,0 +1,15 @@
+output "k8s_masters" {
+  value = equinix_metal_device.k8s_master.*.access_public_ipv4
+}
+
+output "k8s_masters_no_etc" {
+  value = equinix_metal_device.k8s_master_no_etcd.*.access_public_ipv4
+}
+
+output "k8s_etcds" {
+  value = equinix_metal_device.k8s_etcd.*.access_public_ipv4
+}
+
+output "k8s_nodes" {
+  value = equinix_metal_device.k8s_node.*.access_public_ipv4
+}
@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  provider_meta "equinix" {
+    module_name = "kubespray"
+  }
+  required_providers {
+    equinix = {
+      source  = "equinix/equinix"
+      version = "~> 1.14"
+    }
+  }
+}
+
+# Configure the Equinix Metal Provider
+provider "equinix" {
+}
@@ -1,16 +1,19 @@
 # your Kubernetes cluster name here
 cluster_name = "mycluster"

-# Your Equinix Metal project ID. See hhttps://metal.equinix.com/developers/docs/accounts/
-metal_project_id = "Example-API-Token"
+# Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/
+equinix_metal_project_id = "Example-Project-Id"

 # The public SSH key to be uploaded into authorized_keys in bare metal Equinix Metal nodes provisioned
 # leave this value blank if the public key is already setup in the Equinix Metal project
 # Terraform will complain if the public key is setup in Equinix Metal
 public_key_path = "~/.ssh/id_rsa.pub"

-# cluster location
-facility = "ewr1"
+# Equinix interconnected bare metal across our global metros.
+metro = "da"
+
+# operating_system
+operating_system = "ubuntu_22_04"

 # standalone etcds
 number_of_etcd = 0
@@ -2,12 +2,12 @@ variable "cluster_name" {
  default = "kubespray"
 }

-variable "metal_project_id" {
+variable "equinix_metal_project_id" {
  description = "Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/"
 }

 variable "operating_system" {
-  default = "ubuntu_20_04"
+  default = "ubuntu_22_04"
 }

 variable "public_key_path" {
@@ -19,8 +19,8 @@ variable "billing_cycle" {
  default = "hourly"
 }

-variable "facility" {
-  default = "dfw2"
+variable "metro" {
+  default = "da"
 }

 variable "plan_k8s_masters" {
@@ -54,4 +54,3 @@ variable "number_of_etcd" {
 variable "number_of_k8s_nodes" {
  default = 1
 }
-
@@ -1,6 +1,6 @@
-prefix = "default"
-zone   = "hel1"
-network_zone = "eu-central"
+prefix         = "default"
+zone           = "hel1"
+network_zone   = "eu-central"
 inventory_file = "inventory.ini"

 ssh_public_keys = [
@@ -15,17 +15,17 @@ machines = {
  "master-0" : {
    "node_type" : "master",
    "size" : "cx21",
-    "image" : "ubuntu-20.04",
+    "image" : "ubuntu-22.04",
  },
  "worker-0" : {
    "node_type" : "worker",
    "size" : "cx21",
-    "image" : "ubuntu-20.04",
+    "image" : "ubuntu-22.04",
  },
  "worker-1" : {
    "node_type" : "worker",
    "size" : "cx21",
-    "image" : "ubuntu-20.04",
+    "image" : "ubuntu-22.04",
  }
 }

@@ -2,7 +2,7 @@ provider "hcloud" {}

 module "kubernetes" {
  source = "./modules/kubernetes-cluster"
-  #source = "./modules/kubernetes-cluster-flatcar"
+  # source = "./modules/kubernetes-cluster-flatcar"

  prefix = var.prefix

@@ -14,7 +14,7 @@ module "kubernetes" {
  #ssh_private_key_path = var.ssh_private_key_path

  ssh_public_keys = var.ssh_public_keys
-  network_zone = var.network_zone
+  network_zone    = var.network_zone

  ssh_whitelist        = var.ssh_whitelist
  api_server_whitelist = var.api_server_whitelist
@@ -26,31 +26,32 @@ module "kubernetes" {
 # Generate ansible inventory
 #

-data "template_file" "inventory" {
-  template = file("${path.module}/templates/inventory.tpl")
-
-  vars = {
-    connection_strings_master = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s etcd_member_name=etcd%d",
-      keys(module.kubernetes.master_ip_addresses),
-      values(module.kubernetes.master_ip_addresses).*.public_ip,
-      values(module.kubernetes.master_ip_addresses).*.private_ip,
-    range(1, length(module.kubernetes.master_ip_addresses) + 1)))
-    connection_strings_worker = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s",
-      keys(module.kubernetes.worker_ip_addresses),
-      values(module.kubernetes.worker_ip_addresses).*.public_ip,
-    values(module.kubernetes.worker_ip_addresses).*.private_ip))
-    list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
-    list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
-    network_id = module.kubernetes.network_id
-  }
+locals {
+  inventory = templatefile(
+    "${path.module}/templates/inventory.tpl",
+    {
+      connection_strings_master = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s etcd_member_name=etcd%d",
+        keys(module.kubernetes.master_ip_addresses),
+        values(module.kubernetes.master_ip_addresses).*.public_ip,
+        values(module.kubernetes.master_ip_addresses).*.private_ip,
+      range(1, length(module.kubernetes.master_ip_addresses) + 1)))
+      connection_strings_worker = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s",
+        keys(module.kubernetes.worker_ip_addresses),
+        values(module.kubernetes.worker_ip_addresses).*.public_ip,
+      values(module.kubernetes.worker_ip_addresses).*.private_ip))
+      list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
+      list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
+      network_id  = module.kubernetes.network_id
+    }
+  )
 }

 resource "null_resource" "inventories" {
  provisioner "local-exec" {
-    command = "echo '${data.template_file.inventory.rendered}' > ${var.inventory_file}"
+    command = "echo '${local.inventory}' > ${var.inventory_file}"
  }

  triggers = {
-    template = data.template_file.inventory.rendered
+    template = local.inventory
  }
-}
+}
@@ -15,12 +15,12 @@ resource "hcloud_ssh_key" "first" {
  public_key = var.ssh_public_keys.0
 }

-resource "hcloud_server" "master" {
+resource "hcloud_server" "machine" {
  for_each = {
    for name, machine in var.machines :
    name => machine
-    if machine.node_type == "master"
  }
+
  name     = "${var.prefix}-${each.key}"
  ssh_keys = [hcloud_ssh_key.first.id]
  # boot into rescue OS
@@ -30,11 +30,11 @@ resource "hcloud_server" "master" {
  server_type = each.value.size
  location    = var.zone
  connection {
-    host    = self.ipv4_address
-    timeout = "5m"
+    host        = self.ipv4_address
+    timeout     = "5m"
    private_key = file(var.ssh_private_key_path)
  }
-  firewall_ids = [hcloud_firewall.machine.id]
+  firewall_ids = each.value.node_type == "master" ? [hcloud_firewall.master.id] : [hcloud_firewall.worker.id]
  provisioner "file" {
    content     = data.ct_config.machine-ignitions[each.key].rendered
    destination = "/root/ignition.json"
@@ -45,9 +45,9 @@ resource "hcloud_server" "master" {
      "set -ex",
      "apt update",
      "apt install -y gawk",
-      "curl -fsSLO --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 https://raw.githubusercontent.com/kinvolk/init/flatcar-master/bin/flatcar-install",
+      "curl -fsSLO --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 https://raw.githubusercontent.com/flatcar/init/flatcar-master/bin/flatcar-install",
      "chmod +x flatcar-install",
-      "./flatcar-install -s -i /root/ignition.json",
+      "./flatcar-install -s -i /root/ignition.json -C stable",
      "shutdown -r +1",
    ]
  }
@@ -55,9 +55,10 @@ resource "hcloud_server" "master" {
  # optional:
  provisioner "remote-exec" {
    connection {
-      host    = self.ipv4_address
-      timeout = "3m"
-      user    = var.user_flatcar
+      host        = self.ipv4_address
+      private_key = file(var.ssh_private_key_path)
+      timeout     = "3m"
+      user        = var.user_flatcar
    }

    inline = [
@@ -66,65 +67,11 @@ resource "hcloud_server" "master" {
  }
 }

-resource "hcloud_server_network" "master" {
-  for_each = hcloud_server.master
-  server_id = each.value.id
-  subnet_id = hcloud_network_subnet.kubernetes.id
-}
-
-resource "hcloud_server" "worker" {
+resource "hcloud_server_network" "machine" {
  for_each = {
    for name, machine in var.machines :
-    name => machine
-    if machine.node_type == "worker"
+    name => hcloud_server.machine[name]
  }
-  name     = "${var.prefix}-${each.key}"
-  ssh_keys = [hcloud_ssh_key.first.id]
-  # boot into rescue OS
-  rescue = "linux64"
-  # dummy value for the OS because Flatcar is not available
-  image       = each.value.image
-  server_type = each.value.size
-  location    = var.zone
-  connection {
-    host    = self.ipv4_address
-    timeout = "5m"
-    private_key = file(var.ssh_private_key_path)
-  }
-  firewall_ids = [hcloud_firewall.machine.id]
-  provisioner "file" {
-    content     = data.ct_config.machine-ignitions[each.key].rendered
-    destination = "/root/ignition.json"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "set -ex",
-      "apt update",
-      "apt install -y gawk",
-      "curl -fsSLO --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 https://raw.githubusercontent.com/kinvolk/init/flatcar-master/bin/flatcar-install",
-      "chmod +x flatcar-install",
-      "./flatcar-install -s -i /root/ignition.json",
-      "shutdown -r +1",
-    ]
-  }
-
-  # optional:
-  provisioner "remote-exec" {
-    connection {
-      host    = self.ipv4_address
-      timeout = "3m"
-      user    = var.user_flatcar
-    }
-
-    inline = [
-      "sudo hostnamectl set-hostname ${self.name}",
-    ]
-  }
-}
-
-resource "hcloud_server_network" "worker" {
-  for_each = hcloud_server.worker
  server_id = each.value.id
  subnet_id = hcloud_network_subnet.kubernetes.id
 }
@@ -134,38 +81,33 @@ data "ct_config" "machine-ignitions" {
    for name, machine in var.machines :
    name => machine
  }
-  content  = data.template_file.machine-configs[each.key].rendered
+
+  strict = false
+  content = templatefile(
+    "${path.module}/templates/machine.yaml.tmpl",
+    {
+      ssh_keys     = jsonencode(var.ssh_public_keys)
+      user_flatcar = var.user_flatcar
+      name         = each.key
+    }
+  )
 }

-data "template_file" "machine-configs" {
-  for_each = {
-    for name, machine in var.machines :
-    name => machine
-  }
-  template = file("${path.module}/templates/machine.yaml.tmpl")
-
-  vars = {
-    ssh_keys = jsonencode(var.ssh_public_keys)
-    user_flatcar = jsonencode(var.user_flatcar)
-    name     = each.key
-  }
-}
-
-resource "hcloud_firewall" "machine" {
-  name = "${var.prefix}-machine-firewall"
+resource "hcloud_firewall" "master" {
+  name = "${var.prefix}-master-firewall"

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "22"
-   source_ips = var.ssh_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = var.ssh_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "6443"
-   source_ips = var.api_server_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "6443"
+    source_ips = var.api_server_whitelist
  }
 }

@@ -173,30 +115,30 @@ resource "hcloud_firewall" "worker" {
  name = "${var.prefix}-worker-firewall"

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "22"
-   source_ips = var.ssh_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = var.ssh_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "80"
-   source_ips = var.ingress_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "80"
+    source_ips = var.ingress_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "443"
-   source_ips = var.ingress_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "443"
+    source_ips = var.ingress_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "30000-32767"
-   source_ips = var.nodeport_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "30000-32767"
+    source_ips = var.nodeport_whitelist
  }
 }
@@ -1,20 +1,22 @@
 output "master_ip_addresses" {
  value = {
-    for key, instance in hcloud_server.master :
-    instance.name => {
-      "private_ip" = hcloud_server_network.master[key].ip
-      "public_ip"  = hcloud_server.master[key].ipv4_address
-    }
+    for name, machine in var.machines :
+      name => {
+        "private_ip" = hcloud_server_network.machine[name].ip
+        "public_ip"  = hcloud_server.machine[name].ipv4_address
+      }
+      if machine.node_type == "master"
  }
 }

 output "worker_ip_addresses" {
  value = {
-    for key, instance in hcloud_server.worker :
-    instance.name => {
-      "private_ip" = hcloud_server_network.worker[key].ip
-      "public_ip"  = hcloud_server.worker[key].ipv4_address
-    }
+    for name, machine in var.machines :
+      name => {
+        "private_ip" = hcloud_server_network.machine[name].ip
+        "public_ip"  = hcloud_server.machine[name].ipv4_address
+      }
+      if machine.node_type == "worker"
  }
 }

@@ -24,4 +26,4 @@ output "cluster_private_network_cidr" {

 output "network_id" {
  value = hcloud_network.kubernetes.id
-}
+}
@@ -1,8 +1,11 @@
---
+variant: flatcar
+version: 1.0.0
+
 passwd:
  users:
    - name: ${user_flatcar}
      ssh_authorized_keys: ${ssh_keys}
+
 storage:
  files:
    - path: /home/core/works
@@ -13,4 +16,4 @@ storage:
          #!/bin/bash
          set -euo pipefail
          hostname="$(hostname)"
-          echo My name is ${name} and the hostname is $${hostname}
+          echo My name is ${name} and the hostname is $${hostname}
@@ -1,6 +1,6 @@

 variable "zone" {
-  type = string
+  type    = string
  default = "fsn1"
 }

@@ -9,7 +9,7 @@ variable "prefix" {
 }

 variable "user_flatcar" {
-  type = string
+  type    = string
  default = "core"
 }

@@ -1,13 +1,14 @@
 terraform {
  required_providers {
    hcloud = {
-      source  = "hetznercloud/hcloud"
+      source = "hetznercloud/hcloud"
    }
    ct = {
      source  = "poseidon/ct"
+      version = "0.11.0"
    }
    null = {
-      source  = "hashicorp/null"
+      source = "hashicorp/null"
    }
  }
-}
+}
@@ -75,17 +75,17 @@ resource "hcloud_firewall" "master" {
  name = "${var.prefix}-master-firewall"

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "22"
-   source_ips = var.ssh_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = var.ssh_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "6443"
-   source_ips = var.api_server_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "6443"
+    source_ips = var.api_server_whitelist
  }
 }

@@ -93,30 +93,30 @@ resource "hcloud_firewall" "worker" {
  name = "${var.prefix}-worker-firewall"

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "22"
-   source_ips = var.ssh_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = var.ssh_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "80"
-   source_ips = var.ingress_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "80"
+    source_ips = var.ingress_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "443"
-   source_ips = var.ingress_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "443"
+    source_ips = var.ingress_whitelist
  }

  rule {
-   direction = "in"
-   protocol = "tcp"
-   port = "30000-32767"
-   source_ips = var.nodeport_whitelist
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "30000-32767"
+    source_ips = var.nodeport_whitelist
  }
 }
@@ -24,4 +24,4 @@ output "cluster_private_network_cidr" {

 output "network_id" {
  value = hcloud_network.kubernetes.id
-}
+}
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`# See our release notes on [GitHub](https://github.com/kubernetes-sigs/kubespray/releases)`