Cherry-pick changes from the master branch

examples/terraform/azure/main.tf

@@ -85,6 +85,7 @@ resource "azurerm_network_security_group" "sg" {
 
   security_rule {
     name                       = "SSH"
+    description                = "Allow inbound SSH"
     priority                   = 1001
     direction                  = "Inbound"
     access                     = "Allow"
@@ -94,6 +95,20 @@ resource "azurerm_network_security_group" "sg" {
     source_address_prefix      = "*"
     destination_address_prefix = "*"
   }
+
+  security_rule {
+    name                       = "NodePorts"
+    description                = "Allow inbound NodePorts"
+    priority                   = 1010
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "30000-32767"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
   tags = {
     environment = "kubeone"
     cluster     = var.cluster_name

examples/terraform/azure/variables.tf

@@ -69,13 +69,13 @@ variable "location" {
 
 variable "control_plane_vm_size" {
   description = "VM Size for control plane machines"
-  default     = "Standard_B2s"
+  default     = "Standard_F2"
   type        = string
 }
 
 variable "worker_vm_size" {
   description = "VM Size for worker machines"
-  default     = "Standard_B2s"
+  default     = "Standard_F2"
   type        = string
 }
 

examples/terraform/gce/main.tf

@@ -94,6 +94,21 @@ resource "google_compute_firewall" "internal" {
   ]
 }
 
+resource "google_compute_firewall" "nodeports" {
+  name    = "${var.cluster_name}-nodeports"
+  network = google_compute_network.network.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = ["30000-32767"]
+  }
+
+  source_ranges = [
+    "0.0.0.0/0",
+  ]
+}
+
+
 resource "google_compute_address" "lb_ip" {
   name = "${var.cluster_name}-lb-ip"
 }
@@ -137,7 +152,7 @@ resource "google_compute_instance" "control_plane" {
   zone         = data.google_compute_zones.available.names[count.index % local.zones_count]
 
   # Changing the machine_type, min_cpu_platform, or service_account on an
-  # instance requires stopping it. To acknowledge this, 
+  # instance requires stopping it. To acknowledge this,
   # allow_stopping_for_update = true is required
   allow_stopping_for_update = true
 

examples/terraform/openstack/main.tf

@@ -81,6 +81,17 @@ resource "openstack_networking_secgroup_rule_v2" "secgroup_ssh" {
   security_group_id = openstack_networking_secgroup_v2.securitygroup.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "nodeports" {
+  description       = "Allow NodePorts"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 30000
+  port_range_max    = 32767
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.securitygroup.id
+}
+
 resource "openstack_networking_secgroup_rule_v2" "secgroup_apiserver" {
   description       = "Allow kube-apiserver"
   direction         = "ingress"

examples/terraform/openstack/output.tf

@@ -65,10 +65,11 @@ output "kubeone_workers" {
           securityGroups = [openstack_networking_secgroup_v2.securitygroup.name]
           network        = openstack_networking_network_v2.network.name
           subnet         = openstack_networking_subnet_v2.subnet.name
-          # Optional: If set, the rootDisk will be a volume. 
+          floatingIpPool = var.external_network_name
+          # Optional: If set, the rootDisk will be a volume.
           # Otherwise, the rootDisk will be on ephemeral storage and its size will
           # be derived from the flavor
-          rootDiskSizeGB = 50
+          # rootDiskSizeGB = 50
           # Optional: limit how many volumes can be attached to a node
           # nodeVolumeAttachLimit = 25
           tags = {

pkg/scripts/os_amzn.go

@@ -23,7 +23,7 @@ const (
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/os_centos.go

@@ -23,8 +23,7 @@ const (
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-force.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-overwrite_registry.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-overwrite_registry_insecure.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-proxy.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-simple.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-v1.16.1.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-with_containerd.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmAmazonLinux-with_containerd_with_insecure_registry.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-force.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-overwrite_registry.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-overwrite_registry_insecure.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-proxy.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-simple.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-v1.16.1.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-with_containerd.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestKubeadmCentOS-with_containerd_with_insecure_registry.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestUpgradeKubeadmAndCNIAmazonLinux.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestUpgradeKubeadmAndCNICentOS.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestUpgradeKubeletAndKubectlAmazonLinux.golden

@@ -4,7 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/scripts/testdata/TestUpgradeKubeletAndKubectlCentOS.golden

@@ -4,8 +4,7 @@ export "PATH=$PATH:/sbin:/usr/local/bin:/opt/bin"
 sudo swapoff -a
 sudo sed -i '/.*swap.*/d' /etc/fstab
 sudo setenforce 0 || true
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
+[ -f /etc/selinux/config ] && sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
 sudo systemctl disable --now firewalld || true
 
 source /etc/kubeone/proxy-env

pkg/templates/images/images.go

@@ -116,7 +116,7 @@ func optionalResources() map[Resource]map[string]string {
 		DigitaloceanCCM: {"*": "docker.io/digitalocean/digitalocean-cloud-controller-manager:v0.1.33"},
 
 		// Hetzner CCM
-		HetznerCCM: {"*": "docker.io/hetznercloud/hcloud-cloud-controller-manager:v1.9.1"},
+		HetznerCCM: {"*": "docker.io/hetznercloud/hcloud-cloud-controller-manager:v1.12.0"},
 
 		// Hetzner CSI
 		HetznerCSI: {"*": "docker.io/hetznercloud/hcloud-csi-driver:1.6.0"},