Remove Vault (#3684)
* Remove Vault * Remove reference to 'kargo' in the doc * change check orderpull/3692/head
parent
b2b421840c
commit
3dcb914607
|
@ -316,14 +316,6 @@ before_script:
|
|||
# stage: deploy-part1
|
||||
MOVED_TO_GROUP_VARS: "true"
|
||||
|
||||
.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
|
||||
# stage: deploy-part1
|
||||
MOVED_TO_GROUP_VARS: "true"
|
||||
|
||||
.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
|
||||
# stage: deploy-part1
|
||||
UPGRADE_TEST: "basic"
|
||||
|
||||
.ubuntu_flannel_variables: &ubuntu_flannel_variables
|
||||
# stage: deploy-special
|
||||
MOVED_TO_GROUP_VARS: "true"
|
||||
|
@ -698,28 +690,6 @@ gce_ubuntu-rkt-sep:
|
|||
except: ['triggers']
|
||||
only: ['master', /^pr-.*$/]
|
||||
|
||||
gce_ubuntu-vault-sep:
|
||||
stage: deploy-part2
|
||||
<<: *job
|
||||
<<: *gce
|
||||
variables:
|
||||
<<: *gce_variables
|
||||
<<: *ubuntu_vault_sep_variables
|
||||
when: manual
|
||||
except: ['triggers']
|
||||
only: ['master', /^pr-.*$/]
|
||||
|
||||
gce_coreos-vault-upgrade:
|
||||
stage: deploy-part2
|
||||
<<: *job
|
||||
<<: *gce
|
||||
variables:
|
||||
<<: *gce_variables
|
||||
<<: *coreos_vault_upgrade_variables
|
||||
when: manual
|
||||
except: ['triggers']
|
||||
only: ['master', /^pr-.*$/]
|
||||
|
||||
gce_ubuntu-flannel-sep:
|
||||
stage: deploy-special
|
||||
<<: *job
|
||||
|
|
14
cluster.yml
14
cluster.yml
|
@ -51,13 +51,6 @@
|
|||
- { role: download, tags: download, when: "not skip_downloads" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault:calico-rr
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults, when: "cert_management == 'vault'" }
|
||||
- { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
@ -70,13 +63,6 @@
|
|||
- { role: kubespray-defaults}
|
||||
- { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault:calico-rr
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults}
|
||||
- { role: vault, tags: vault, when: "cert_management == 'vault'"}
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: k8s-cluster
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
vault_deployment_type: docker
|
||||
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
|
||||
vault_version: 0.10.1
|
||||
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
vault_image_repo: "vault"
|
||||
vault_image_tag: "{{ vault_version }}"
|
||||
vault_downloads:
|
||||
vault:
|
||||
enabled: "{{ cert_management == 'vault' }}"
|
||||
container: "{{ vault_deployment_type != 'host' }}"
|
||||
file: "{{ vault_deployment_type == 'host' }}"
|
||||
dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
mode: "0755"
|
||||
owner: "vault"
|
||||
repo: "{{ vault_image_repo }}"
|
||||
sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
|
||||
tag: "{{ vault_image_tag }}"
|
||||
unarchive: true
|
||||
url: "{{ vault_download_url }}"
|
||||
version: "{{ vault_version }}"
|
||||
groups:
|
||||
- vault
|
||||
|
||||
# Vault data dirs.
|
||||
vault_base_dir: /etc/vault
|
||||
vault_cert_dir: "{{ vault_base_dir }}/ssl"
|
||||
vault_config_dir: "{{ vault_base_dir }}/config"
|
||||
vault_roles_dir: "{{ vault_base_dir }}/roles"
|
||||
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
|
||||
kube_vault_mount_path: "/kube"
|
||||
etcd_vault_mount_path: "/etcd"
|
|
@ -0,0 +1 @@
|
|||
ansible-modules-hashivault>=3.9.4
|
|
@ -1,3 +1,6 @@
|
|||
# /!\ The vault role have been retired from the main playbook.
|
||||
# This role probably requires a LOT of changes in order to work again
|
||||
|
||||
Hashicorp Vault Role
|
||||
====================
|
||||
|
||||
|
@ -8,7 +11,7 @@ The Vault role is a two-step process:
|
|||
|
||||
1. Bootstrap
|
||||
|
||||
You cannot start your certificate management service securely with SSL (and
|
||||
You cannot start your certificate management service securely with SSL (and
|
||||
the datastore behind it) without having the certificates in-hand already. This
|
||||
presents an unfortunate chicken and egg scenario, with one requiring the other.
|
||||
To solve for this, the Bootstrap step was added.
|
||||
|
@ -80,7 +83,7 @@ Additional Notes:
|
|||
|
||||
- ``groups.vault|first`` is considered the source of truth for Vault variables
|
||||
- ``vault_leader_url`` is used as pointer for the current running Vault
|
||||
- Each service should have its own role and credentials. Currently those
|
||||
- Each service should have its own role and credentials. Currently those
|
||||
credentials are saved to ``/etc/vault/roles/<role>/``. The service will
|
||||
need to read in those credentials, if they want to interact with Vault.
|
||||
|
|
@ -1,12 +1,12 @@
|
|||
# Kubespray (kargo) in own ansible playbooks repo
|
||||
# Kubespray (kubespray) in own ansible playbooks repo
|
||||
|
||||
1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.
|
||||
1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.
|
||||
Note:
|
||||
* All forked public repos at github will be also public, so **never commit sensitive data to your public forks**.
|
||||
* All forked public repos at github will be also public, so **never commit sensitive data to your public forks**.
|
||||
* List of all forked repos could be retrieved from github page of original project.
|
||||
|
||||
2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray):
|
||||
```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```
|
||||
2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray):
|
||||
```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```
|
||||
Git will create _.gitmodules_ file in your existent ansible repo:
|
||||
```
|
||||
[submodule "3d/kubespray"]
|
||||
|
@ -14,22 +14,22 @@
|
|||
url = https://github.com/YOUR_GITHUB/kubespray.git
|
||||
```
|
||||
|
||||
3. Configure git to show submodule status:
|
||||
3. Configure git to show submodule status:
|
||||
```git config --global status.submoduleSummary true```
|
||||
|
||||
4. Add *original* kubespray repo as upstream:
|
||||
4. Add *original* kubespray repo as upstream:
|
||||
```git remote add upstream https://github.com/kubernetes-incubator/kubespray.git```
|
||||
|
||||
5. Sync your master branch with upstream:
|
||||
5. Sync your master branch with upstream:
|
||||
```
|
||||
git checkout master
|
||||
git fetch upstream
|
||||
git merge upstream/master
|
||||
git push origin master
|
||||
```
|
||||
|
||||
6. Create a new branch which you will use in your working environment:
|
||||
```git checkout -b work```
|
||||
|
||||
6. Create a new branch which you will use in your working environment:
|
||||
```git checkout -b work```
|
||||
***Never*** use master branch of your repository for your commits.
|
||||
|
||||
7. Modify path to library and roles in your ansible.cfg file (role naming should be uniq, you may have to rename your existent roles if they have same names as kubespray project):
|
||||
|
@ -43,42 +43,39 @@
|
|||
8. Copy and modify configs from kubespray `group_vars` folder to corresponging `group_vars` folder in your existent project.
|
||||
You could rename *all.yml* config to something else, i.e. *kubespray.yml* and create corresponding group in your inventory file, which will include all hosts groups related to kubernetes setup.
|
||||
|
||||
9. Modify your ansible inventory file by adding mapping of your existent groups (if any) to kubespray naming.
|
||||
9. Modify your ansible inventory file by adding mapping of your existent groups (if any) to kubespray naming.
|
||||
For example:
|
||||
```
|
||||
...
|
||||
#Kargo groups:
|
||||
[kube-node:children]
|
||||
kubenode
|
||||
|
||||
|
||||
[k8s-cluster:children]
|
||||
kubernetes
|
||||
|
||||
|
||||
[etcd:children]
|
||||
kubemaster
|
||||
kubemaster-ha
|
||||
|
||||
|
||||
[kube-master:children]
|
||||
kubemaster
|
||||
kubemaster-ha
|
||||
|
||||
[vault:children]
|
||||
kube-master
|
||||
|
||||
|
||||
[kubespray:children]
|
||||
kubernetes
|
||||
```
|
||||
* Last entry here needed to apply kubespray.yml config file, renamed from all.yml of kubespray project.
|
||||
|
||||
10. Now you can include kargo tasks in you existent playbooks by including cluster.yml file:
|
||||
10. Now you can include kubespray tasks in you existent playbooks by including cluster.yml file:
|
||||
```
|
||||
- name: Include kargo tasks
|
||||
- name: Include kubespray tasks
|
||||
include: 3d/kubespray/cluster.yml
|
||||
```
|
||||
```
|
||||
Or your could copy separate tasks from cluster.yml into your ansible repository.
|
||||
|
||||
11. Commit changes to your ansible repo. Keep in mind, that submodule folder is just a link to the git commit hash of your forked repo.
|
||||
When you update your "work" branch you need to commit changes to ansible repo as well.
|
||||
11. Commit changes to your ansible repo. Keep in mind, that submodule folder is just a link to the git commit hash of your forked repo.
|
||||
When you update your "work" branch you need to commit changes to ansible repo as well.
|
||||
Other members of your team should use ```git submodule sync```, ```git submodule update --init``` to get actual code from submodule.
|
||||
|
||||
# Contributing
|
||||
|
@ -88,8 +85,8 @@ If you made useful changes or fixed a bug in existent kubespray repo, use this f
|
|||
|
||||
1. Change working directory to git submodule directory (3d/kubespray).
|
||||
|
||||
2. Setup desired user.name and user.email for submodule.
|
||||
If kubespray is only one submodule in your repo you could use something like:
|
||||
2. Setup desired user.name and user.email for submodule.
|
||||
If kubespray is only one submodule in your repo you could use something like:
|
||||
```git submodule foreach --recursive 'git config user.name "First Last" && git config user.email "your-email-addres@used.for.cncf"'```
|
||||
|
||||
3. Sync with upstream master:
|
||||
|
@ -98,24 +95,24 @@ If kubespray is only one submodule in your repo you could use something like:
|
|||
git merge upstream/master
|
||||
git push origin master
|
||||
```
|
||||
4. Create new branch for the specific fixes that you want to contribute:
|
||||
```git checkout -b fixes-name-date-index```
|
||||
4. Create new branch for the specific fixes that you want to contribute:
|
||||
```git checkout -b fixes-name-date-index```
|
||||
Branch name should be self explaining to you, adding date and/or index will help you to track/delete your old PRs.
|
||||
|
||||
5. Find git hash of your commit in "work" repo and apply it to newly created "fix" repo:
|
||||
```
|
||||
git cherry-pick <COMMIT_HASH>
|
||||
```
|
||||
6. If your have several temporary-stage commits - squash them using [```git rebase -i```](http://eli.thegreenplace.net/2014/02/19/squashing-github-pull-requests-into-a-single-commit)
|
||||
6. If your have several temporary-stage commits - squash them using [```git rebase -i```](http://eli.thegreenplace.net/2014/02/19/squashing-github-pull-requests-into-a-single-commit)
|
||||
Also you could use interactive rebase (```git rebase -i HEAD~10```) to delete commits which you don't want to contribute into original repo.
|
||||
|
||||
7. When your changes is in place, you need to check upstream repo one more time because it could be changed during your work.
|
||||
Check that you're on correct branch:
|
||||
```git status```
|
||||
And pull changes from upstream (if any):
|
||||
7. When your changes is in place, you need to check upstream repo one more time because it could be changed during your work.
|
||||
Check that you're on correct branch:
|
||||
```git status```
|
||||
And pull changes from upstream (if any):
|
||||
```git pull --rebase upstream master```
|
||||
|
||||
8. Now push your changes to your **fork** repo with ```git push```. If your branch doesn't exists on github, git will propose you to use something like ```git push --set-upstream origin fixes-name-date-index```.
|
||||
|
||||
9. Open you forked repo in browser, on the main page you will see proposition to create pull request for your newly created branch. Check proposed diff of your PR. If something is wrong you could safely delete "fix" branch on github using ```git push origin --delete fixes-name-date-index```, ```git branch -D fixes-name-date-index``` and start whole process from the beginning.
|
||||
9. Open you forked repo in browser, on the main page you will see proposition to create pull request for your newly created branch. Check proposed diff of your PR. If something is wrong you could safely delete "fix" branch on github using ```git push origin --delete fixes-name-date-index```, ```git branch -D fixes-name-date-index``` and start whole process from the beginning.
|
||||
If everything is fine - add description about your changes (what they do and why they're needed) and confirm pull request creation.
|
||||
|
|
|
@ -64,9 +64,10 @@ bin_dir: /usr/local/bin
|
|||
#additional_no_proxy: ""
|
||||
|
||||
## Certificate Management
|
||||
## This setting determines whether certs are generated via scripts or whether a
|
||||
## cluster of Hashicorp's Vault is started to issue certificates (using etcd
|
||||
## as a backend). Options are "script" or "vault"
|
||||
## This setting determines whether certs are generated via scripts.
|
||||
## Chose 'none' if you provide your own certificates.
|
||||
## Option is "script", "none"
|
||||
## note: vault is removed
|
||||
#cert_management: script
|
||||
|
||||
## Set to true to allow pre-checks to fail and continue deployment
|
||||
|
|
|
@ -132,7 +132,6 @@ container_manager: docker
|
|||
## Settings for containerized control plane (etcd/kubelet/secrets)
|
||||
etcd_deployment_type: docker
|
||||
kubelet_deployment_type: host
|
||||
vault_deployment_type: docker
|
||||
helm_deployment_type: host
|
||||
|
||||
# K8s image pull policy (imagePullPolicy)
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
ansible_ssh_pipelining: true
|
||||
gather_facts: true
|
||||
|
||||
- hosts: "{{ node | default('etcd:k8s-cluster:vault:calico-rr') }}"
|
||||
- hosts: "{{ node | default('etcd:k8s-cluster:calico-rr') }}"
|
||||
vars_prompt:
|
||||
name: "delete_nodes_confirmation"
|
||||
prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."
|
||||
|
|
|
@ -2,5 +2,4 @@ ansible>=2.5.0,!=2.7.0
|
|||
jinja2>=2.9.6
|
||||
netaddr
|
||||
pbr>=1.6
|
||||
ansible-modules-hashivault>=3.9.4
|
||||
hvac
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
- hosts: all
|
||||
gather_facts: true
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault:calico-rr
|
||||
- hosts: etcd:k8s-cluster:calico-rr
|
||||
vars_prompt:
|
||||
name: "reset_confirmation"
|
||||
prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."
|
||||
|
|
|
@ -53,7 +53,7 @@ calico_rr_version: "v0.6.1"
|
|||
flannel_version: "v0.10.0"
|
||||
flannel_cni_version: "v0.3.0"
|
||||
|
||||
vault_version: 0.10.1
|
||||
|
||||
weave_version: "2.4.1"
|
||||
pod_infra_version: 3.1
|
||||
contiv_version: 1.2.1
|
||||
|
@ -63,7 +63,6 @@ multus_version: "v3.1.autoconf"
|
|||
|
||||
# Download URLs
|
||||
kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
|
||||
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
|
||||
hyperkube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64/hyperkube"
|
||||
|
||||
|
@ -104,7 +103,7 @@ kubeadm_checksums:
|
|||
v1.10.0: ebbac985834289037b544523c3e2f39bb44bea938aca9d9e88ef7e880fb8472f
|
||||
|
||||
etcd_binary_checksum: 947849dbcfa13927c81236fb76a7c01d587bbab42ab1e807184cd91b026ebed7
|
||||
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
|
||||
|
||||
hyperkube_binary_checksum: "{{ hyperkube_checksums[kube_version] }}"
|
||||
kubeadm_binary_checksum: "{{ kubeadm_checksums[kubeadm_version] }}"
|
||||
|
||||
|
@ -196,8 +195,7 @@ helm_image_repo: "lachlanevenson/k8s-helm"
|
|||
helm_image_tag: "{{ helm_version }}"
|
||||
tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
|
||||
tiller_image_tag: "{{ helm_version }}"
|
||||
vault_image_repo: "vault"
|
||||
vault_image_tag: "{{ vault_version }}"
|
||||
|
||||
registry_image_repo: "registry"
|
||||
registry_image_tag: "2.6"
|
||||
registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
|
||||
|
@ -534,22 +532,6 @@ downloads:
|
|||
groups:
|
||||
- kube-node
|
||||
|
||||
vault:
|
||||
enabled: "{{ cert_management == 'vault' }}"
|
||||
container: "{{ vault_deployment_type != 'host' }}"
|
||||
file: "{{ vault_deployment_type == 'host' }}"
|
||||
dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
mode: "0755"
|
||||
owner: "vault"
|
||||
repo: "{{ vault_image_repo }}"
|
||||
sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
|
||||
tag: "{{ vault_image_tag }}"
|
||||
unarchive: true
|
||||
url: "{{ vault_download_url }}"
|
||||
version: "{{ vault_version }}"
|
||||
groups:
|
||||
- vault
|
||||
|
||||
registry:
|
||||
enabled: "{{ registry_enabled }}"
|
||||
container: true
|
||||
|
|
|
@ -57,8 +57,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
|
|||
|
||||
etcd_compaction_retention: "8"
|
||||
|
||||
etcd_vault_mount_path: "/etcd"
|
||||
|
||||
# Force clients like etcdctl to use TLS certs (different than peer security)
|
||||
etcd_secure_client: true
|
||||
|
||||
|
|
|
@ -3,5 +3,3 @@ dependencies:
|
|||
- role: adduser
|
||||
user: "{{ addusers.etcd }}"
|
||||
when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
|
||||
|
||||
# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
|
||||
|
|
|
@ -5,7 +5,9 @@
|
|||
- etcd-secrets
|
||||
- facts
|
||||
|
||||
- include_tasks: "gen_certs_{{ cert_management }}.yml"
|
||||
- include_tasks: "gen_certs_script.yml"
|
||||
when:
|
||||
- cert_management |d('script') == "script"
|
||||
tags:
|
||||
- etcd-secrets
|
||||
|
||||
|
|
|
@ -188,11 +188,17 @@
|
|||
when: kube_proxy_mode is defined
|
||||
run_once: true
|
||||
|
||||
- name: Stop if vault is chose
|
||||
assert:
|
||||
that: cert_management != 'vault'
|
||||
msg: "Support for vault have been removed, please use 'script' or 'none'"
|
||||
when: cert_management is defined
|
||||
run_once: true
|
||||
|
||||
- name: Stop if unknown cert_management
|
||||
assert:
|
||||
that: cert_management in ['script', 'vault']
|
||||
msg: "cert_management can only be 'script' or 'vault'"
|
||||
when: cert_management is defined
|
||||
that: cert_management|d('script') in ['script', 'none']
|
||||
msg: "cert_management can only be 'script' or 'none'"
|
||||
run_once: true
|
||||
|
||||
- name: Stop if unknown resolvconf_mode
|
||||
|
|
|
@ -1,3 +1,2 @@
|
|||
---
|
||||
kube_cert_group: kube-cert
|
||||
kube_vault_mount_path: "/kube"
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
---
|
||||
# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
|
||||
|
|
|
@ -69,7 +69,9 @@
|
|||
delegate_to: "{{groups['kube-master'][0]}}"
|
||||
when: gen_tokens|default(false)
|
||||
|
||||
- include_tasks: "gen_certs_{{ cert_management }}.yml"
|
||||
- include_tasks: "gen_certs_script.yml"
|
||||
when:
|
||||
- cert_management |d('script') == 'script'
|
||||
tags:
|
||||
- k8s-secrets
|
||||
- k8s-gen-certs
|
||||
|
|
|
@ -224,7 +224,7 @@ docker_options: >-
|
|||
etcd_deployment_type: docker
|
||||
kubelet_deployment_type: docker
|
||||
cert_management: script
|
||||
vault_deployment_type: docker
|
||||
|
||||
helm_deployment_type: host
|
||||
|
||||
# Enable kubeadm deployment (experimental)
|
||||
|
@ -303,13 +303,6 @@ kube_feature_gates: |-
|
|||
{{ feature_gate_v1_12 }}
|
||||
{%- endif %}
|
||||
|
||||
# Vault data dirs.
|
||||
vault_base_dir: /etc/vault
|
||||
vault_cert_dir: "{{ vault_base_dir }}/ssl"
|
||||
vault_config_dir: "{{ vault_base_dir }}/config"
|
||||
vault_roles_dir: "{{ vault_base_dir }}/roles"
|
||||
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
|
||||
|
||||
# Local volume provisioner storage classes
|
||||
local_volume_provisioner_storage_classes:
|
||||
- name: "{{ local_volume_provisioner_storage_class | default('local-storage') }}"
|
||||
|
|
|
@ -51,7 +51,6 @@
|
|||
- { role: container-engine, tags: "container-engine"}
|
||||
- { role: download, tags: download, when: "not skip_downloads" }
|
||||
- { role: etcd, tags: etcd, etcd_cluster_setup: false }
|
||||
- { role: vault, tags: vault, when: "cert_management == 'vault'"}
|
||||
- { role: kubernetes/node, tags: node }
|
||||
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
|
||||
- { role: network_plugin, tags: network }
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
# Instance settings
|
||||
cloud_machine_type: "n1-standard-1"
|
||||
cloud_image_family: coreos-stable
|
||||
cloud_region: us-central1-b
|
||||
mode: aio
|
||||
|
||||
# Instance settings
|
||||
cert_management: vault
|
||||
kube_network_plugin: flannel
|
||||
deploy_netchecker: true
|
||||
kubedns_min_replicas: 1
|
||||
cloud_provider: gce
|
|
@ -1,12 +0,0 @@
|
|||
# Instance settings
|
||||
cloud_machine_type: "n1-standard-1"
|
||||
cloud_image_family: ubuntu-1604-lts
|
||||
cloud_region: us-central1-b
|
||||
mode: separate
|
||||
|
||||
# Instance settings
|
||||
cert_management: vault
|
||||
kube_network_plugin: canal
|
||||
deploy_netchecker: true
|
||||
kubedns_min_replicas: 1
|
||||
cloud_provider: gce
|
|
@ -52,13 +52,6 @@
|
|||
- { role: download, tags: download, when: "not skip_downloads" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults, when: "cert_management == 'vault'" }
|
||||
- { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
@ -71,13 +64,6 @@
|
|||
- { role: kubespray-defaults}
|
||||
- { role: etcd, tags: etcd, etcd_cluster_setup: false }
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults, when: "cert_management == 'vault'"}
|
||||
- { role: vault, tags: vault, when: "cert_management == 'vault'"}
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
#Handle upgrades to master components first to maintain backwards compat.
|
||||
- hosts: kube-master
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
|
|
Loading…
Reference in New Issue