Remove Vault (#3684)

* Remove Vault

* Remove reference to 'kargo' in the doc

* change check order

.gitlab-ci.yml

@@ -316,14 +316,6 @@ before_script:
 # stage: deploy-part1
   MOVED_TO_GROUP_VARS: "true"
 
-.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
-# stage: deploy-part1
-  MOVED_TO_GROUP_VARS: "true"
-
-.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
-# stage: deploy-part1
-  UPGRADE_TEST: "basic"
-
 .ubuntu_flannel_variables: &ubuntu_flannel_variables
 # stage: deploy-special
   MOVED_TO_GROUP_VARS: "true"
@@ -698,28 +690,6 @@ gce_ubuntu-rkt-sep:
   except: ['triggers']
   only: ['master', /^pr-.*$/]
 
-gce_ubuntu-vault-sep:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *ubuntu_vault_sep_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
-gce_coreos-vault-upgrade:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *coreos_vault_upgrade_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
 gce_ubuntu-flannel-sep:
   stage: deploy-special
   <<: *job

cluster.yml

@@ -51,13 +51,6 @@
     - { role: download, tags: download, when: "not skip_downloads" }
   environment: "{{proxy_env}}"
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -70,13 +63,6 @@
     - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 - hosts: k8s-cluster
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:

contrib/vault/groups_vars/vault.yaml

@@ -0,0 +1,31 @@
+vault_deployment_type: docker
+vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+vault_version: 0.10.1
+vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+vault_image_repo: "vault"
+vault_image_tag: "{{ vault_version }}"
+vault_downloads:
+  vault:
+    enabled: "{{ cert_management == 'vault' }}"
+    container: "{{ vault_deployment_type != 'host' }}"
+    file: "{{ vault_deployment_type == 'host' }}"
+    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+    mode: "0755"
+    owner: "vault"
+    repo: "{{ vault_image_repo }}"
+    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
+    tag: "{{ vault_image_tag }}"
+    unarchive: true
+    url: "{{ vault_download_url }}"
+    version: "{{ vault_version }}"
+    groups:
+      - vault
+
+# Vault data dirs.
+vault_base_dir: /etc/vault
+vault_cert_dir: "{{ vault_base_dir }}/ssl"
+vault_config_dir: "{{ vault_base_dir }}/config"
+vault_roles_dir: "{{ vault_base_dir }}/roles"
+vault_secrets_dir: "{{ vault_base_dir }}/secrets"
+kube_vault_mount_path: "/kube"
+etcd_vault_mount_path: "/etcd"

contrib/vault/requirements.txt

@@ -0,0 +1 @@
+ansible-modules-hashivault>=3.9.4

contrib/vault/vault.md

@@ -1,3 +1,6 @@
+# /!\ The vault role have been retired from the main playbook.
+# This role probably requires a LOT of changes in order to work again
+
 Hashicorp Vault Role
 ====================
 
@@ -8,7 +11,7 @@ The Vault role is a two-step process:
 
 1. Bootstrap
 
-You cannot start your certificate management service securely with SSL (and 
+You cannot start your certificate management service securely with SSL (and
 the datastore behind it) without having the certificates in-hand already. This
 presents an unfortunate chicken and egg scenario, with one requiring the other.
 To solve for this, the Bootstrap step was added.
@@ -80,7 +83,7 @@ Additional Notes:
 
 - ``groups.vault|first`` is considered the source of truth for Vault variables
 - ``vault_leader_url`` is used as pointer for the current running Vault
-- Each service should have its own role and credentials. Currently those 
+- Each service should have its own role and credentials. Currently those
   credentials are saved to ``/etc/vault/roles/<role>/``. The service will
   need to read in those credentials, if they want to interact with Vault.
 

docs/integration.md

@@ -1,12 +1,12 @@
-# Kubespray (kargo) in own ansible playbooks repo
+# Kubespray (kubespray) in own ansible playbooks repo
 
-1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.  
+1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.
    Note:
-     * All forked public repos at github will be also public, so **never commit sensitive data to your public forks**. 
+     * All forked public repos at github will be also public, so **never commit sensitive data to your public forks**.
    * List of all forked repos could be retrieved from github page of original project.
 
-2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray): 
+2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray):
-  ```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```  
+  ```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```
   Git will create _.gitmodules_ file in your existent ansible repo:
    ```
    [submodule "3d/kubespray"]
@@ -14,22 +14,22 @@
          url = https://github.com/YOUR_GITHUB/kubespray.git
    ```
 
-3. Configure git to show submodule status:  
+3. Configure git to show submodule status:
 ```git config --global status.submoduleSummary true```
 
-4. Add *original* kubespray repo as upstream:  
+4. Add *original* kubespray repo as upstream:
 ```git remote add upstream https://github.com/kubernetes-incubator/kubespray.git```
 
-5. Sync your master branch with upstream: 
+5. Sync your master branch with upstream:
    ```
       git checkout master
       git fetch upstream
       git merge upstream/master
       git push origin master
    ```
- 
+
-6. Create a new branch which you will use in your working environment:  
+6. Create a new branch which you will use in your working environment:
-```git checkout -b work```  
+```git checkout -b work```
     ***Never*** use master branch of your repository for your commits.
 
 7. Modify path to library and roles in your ansible.cfg file (role naming should be uniq, you may have to rename your existent roles if they have same names as kubespray project):
@@ -43,42 +43,39 @@
 8. Copy and modify configs from kubespray `group_vars` folder to corresponging `group_vars` folder in your existent project.
 You could rename *all.yml* config to something else, i.e. *kubespray.yml* and create corresponding group in your inventory file, which will include all hosts groups related to kubernetes setup.
 
-9. Modify your ansible inventory file by adding mapping of your existent groups (if any) to kubespray naming.  
+9. Modify your ansible inventory file by adding mapping of your existent groups (if any) to kubespray naming.
    For example:
    ```
      ...
      #Kargo groups:
      [kube-node:children]
      kubenode
-     
+
      [k8s-cluster:children]
      kubernetes
-     
+
      [etcd:children]
      kubemaster
      kubemaster-ha
-     
+
      [kube-master:children]
      kubemaster
      kubemaster-ha
-     
+
-     [vault:children]
-     kube-master
-     
      [kubespray:children]
      kubernetes
      ```
      * Last entry here needed to apply kubespray.yml config file, renamed from all.yml of kubespray project.
 
-10. Now you can include kargo tasks in you existent playbooks by including cluster.yml file: 
+10. Now you can include kubespray tasks in you existent playbooks by including cluster.yml file:
      ```
-     - name: Include kargo tasks
+     - name: Include kubespray tasks
        include: 3d/kubespray/cluster.yml
-     ``` 
+     ```
      Or your could copy separate tasks from cluster.yml into your ansible repository.
 
-11. Commit changes to your ansible repo. Keep in mind, that submodule folder is just a link to the git commit hash of your forked repo.  
+11. Commit changes to your ansible repo. Keep in mind, that submodule folder is just a link to the git commit hash of your forked repo.
-When you update your "work" branch you need to commit changes to ansible repo as well.  
+When you update your "work" branch you need to commit changes to ansible repo as well.
 Other members of your team should use ```git submodule sync```, ```git submodule update --init``` to get actual code from submodule.
 
 # Contributing
@@ -88,8 +85,8 @@ If you made useful changes or fixed a bug in existent kubespray repo, use this f
 
 1. Change working directory to git submodule directory (3d/kubespray).
 
-2. Setup desired user.name and user.email for submodule.  
+2. Setup desired user.name and user.email for submodule.
-If kubespray is only one submodule in your repo you could use something like:  
+If kubespray is only one submodule in your repo you could use something like:
 ```git submodule foreach --recursive 'git config user.name "First Last" && git config user.email "your-email-addres@used.for.cncf"'```
 
 3. Sync with upstream master:
@@ -98,24 +95,24 @@ If kubespray is only one submodule in your repo you could use something like:
     git merge upstream/master
     git push origin master
      ```
-4. Create new branch for the specific fixes that you want to contribute:  
+4. Create new branch for the specific fixes that you want to contribute:
-```git checkout -b fixes-name-date-index```  
+```git checkout -b fixes-name-date-index```
 Branch name should be self explaining to you, adding date and/or index will help you to track/delete your old PRs.
 
 5. Find git hash of your commit in "work" repo and apply it to newly created "fix" repo:
      ```
      git cherry-pick <COMMIT_HASH>
      ```
-6. If your have several temporary-stage commits - squash them using [```git rebase -i```](http://eli.thegreenplace.net/2014/02/19/squashing-github-pull-requests-into-a-single-commit) 
+6. If your have several temporary-stage commits - squash them using [```git rebase -i```](http://eli.thegreenplace.net/2014/02/19/squashing-github-pull-requests-into-a-single-commit)
 Also you could use interactive rebase (```git rebase -i HEAD~10```) to delete commits which you don't want to contribute into original repo.
 
-7. When your changes is in place, you need to check upstream repo one more time because it could be changed during your work.  
+7. When your changes is in place, you need to check upstream repo one more time because it could be changed during your work.
-Check that you're on correct branch:  
+Check that you're on correct branch:
-```git status```  
+```git status```
-And pull changes from upstream (if any):  
+And pull changes from upstream (if any):
 ```git pull --rebase upstream master```
 
 8. Now push your changes to your **fork** repo with ```git push```. If your branch doesn't exists on github, git will propose you to use something like ```git push --set-upstream origin fixes-name-date-index```.
 
-9. Open you forked repo in browser, on the main page you will see proposition to create pull request for your newly created branch. Check proposed diff of your PR. If something is wrong you could safely delete "fix" branch on github using ```git push origin --delete fixes-name-date-index```, ```git branch -D fixes-name-date-index``` and start whole process from the beginning.  
+9. Open you forked repo in browser, on the main page you will see proposition to create pull request for your newly created branch. Check proposed diff of your PR. If something is wrong you could safely delete "fix" branch on github using ```git push origin --delete fixes-name-date-index```, ```git branch -D fixes-name-date-index``` and start whole process from the beginning.
 If everything is fine - add description about your changes (what they do and why they're needed) and confirm pull request creation.

inventory/sample/group_vars/all/all.yml

@@ -64,9 +64,10 @@ bin_dir: /usr/local/bin
 #additional_no_proxy: ""
 
 ## Certificate Management
-## This setting determines whether certs are generated via scripts or whether a
+## This setting determines whether certs are generated via scripts.
-## cluster of Hashicorp's Vault is started to issue certificates (using etcd
+## Chose 'none' if you provide your own certificates.
-## as a backend). Options are "script" or "vault"
+## Option is  "script", "none"
+## note: vault is removed
 #cert_management: script
 
 ## Set to true to allow pre-checks to fail and continue deployment

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -132,7 +132,6 @@ container_manager: docker
 ## Settings for containerized control plane (etcd/kubelet/secrets)
 etcd_deployment_type: docker
 kubelet_deployment_type: host
-vault_deployment_type: docker
 helm_deployment_type: host
 
 # K8s image pull policy (imagePullPolicy)

remove-node.yml

@@ -17,7 +17,7 @@
     ansible_ssh_pipelining: true
   gather_facts: true
 
-- hosts: "{{ node | default('etcd:k8s-cluster:vault:calico-rr') }}"
+- hosts: "{{ node | default('etcd:k8s-cluster:calico-rr') }}"
   vars_prompt:
     name: "delete_nodes_confirmation"
     prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."

requirements.txt

@@ -2,5 +2,4 @@ ansible>=2.5.0,!=2.7.0
 jinja2>=2.9.6
 netaddr
 pbr>=1.6
-ansible-modules-hashivault>=3.9.4
 hvac

reset.yml

@@ -15,7 +15,7 @@
 - hosts: all
   gather_facts: true
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
+- hosts: etcd:k8s-cluster:calico-rr
   vars_prompt:
     name: "reset_confirmation"
     prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."

roles/download/defaults/main.yml

@@ -53,7 +53,7 @@ calico_rr_version: "v0.6.1"
 flannel_version: "v0.10.0"
 flannel_cni_version: "v0.3.0"
 
-vault_version: 0.10.1
+
 weave_version: "2.4.1"
 pod_infra_version: 3.1
 contiv_version: 1.2.1
@@ -63,7 +63,6 @@ multus_version: "v3.1.autoconf"
 
 # Download URLs
 kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
-vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
 etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
 hyperkube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64/hyperkube"
 
@@ -104,7 +103,7 @@ kubeadm_checksums:
   v1.10.0: ebbac985834289037b544523c3e2f39bb44bea938aca9d9e88ef7e880fb8472f
 
 etcd_binary_checksum: 947849dbcfa13927c81236fb76a7c01d587bbab42ab1e807184cd91b026ebed7
-vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+
 hyperkube_binary_checksum: "{{ hyperkube_checksums[kube_version] }}"
 kubeadm_binary_checksum: "{{ kubeadm_checksums[kubeadm_version] }}"
 
@@ -196,8 +195,7 @@ helm_image_repo: "lachlanevenson/k8s-helm"
 helm_image_tag: "{{ helm_version }}"
 tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
 tiller_image_tag: "{{ helm_version }}"
-vault_image_repo: "vault"
+
-vault_image_tag: "{{ vault_version }}"
 registry_image_repo: "registry"
 registry_image_tag: "2.6"
 registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
@@ -534,22 +532,6 @@ downloads:
     groups:
       - kube-node
 
-  vault:
-    enabled: "{{ cert_management == 'vault' }}"
-    container: "{{ vault_deployment_type != 'host' }}"
-    file: "{{ vault_deployment_type == 'host' }}"
-    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
-    mode: "0755"
-    owner: "vault"
-    repo: "{{ vault_image_repo }}"
-    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
-    tag: "{{ vault_image_tag }}"
-    unarchive: true
-    url: "{{ vault_download_url }}"
-    version: "{{ vault_version }}"
-    groups:
-      - vault
-
   registry:
     enabled: "{{ registry_enabled }}"
     container: true

roles/etcd/defaults/main.yml

@@ -57,8 +57,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
 
 etcd_compaction_retention: "8"
 
-etcd_vault_mount_path: "/etcd"
-
 # Force clients like etcdctl to use TLS certs (different than peer security)
 etcd_secure_client: true
 

roles/etcd/meta/main.yml

@@ -3,5 +3,3 @@ dependencies:
   - role: adduser
     user: "{{ addusers.etcd }}"
     when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
-
-# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"

roles/etcd/tasks/main.yml

@@ -5,7 +5,9 @@
     - etcd-secrets
     - facts
 
-- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == "script"
   tags:
     - etcd-secrets
 

roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

@@ -188,11 +188,17 @@
   when: kube_proxy_mode is defined
   run_once: true
 
+- name: Stop if vault is chose
+  assert:
+    that: cert_management != 'vault'
+    msg: "Support for vault have been removed, please use 'script' or 'none'"
+  when: cert_management is defined
+  run_once: true
+
 - name: Stop if unknown cert_management
   assert:
-    that: cert_management in ['script', 'vault']
+    that: cert_management|d('script') in ['script', 'none']
-    msg: "cert_management can only be 'script' or 'vault'"
+    msg: "cert_management can only be 'script' or 'none'"
-  when: cert_management is defined
   run_once: true
 
 - name: Stop if unknown resolvconf_mode

roles/kubernetes/secrets/defaults/main.yml

@@ -1,3 +1,2 @@
 ---
 kube_cert_group: kube-cert
-kube_vault_mount_path: "/kube"

roles/kubernetes/secrets/meta/main.yml

@@ -1,2 +1 @@
 ---
-# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"

roles/kubernetes/secrets/tasks/main.yml

@@ -69,7 +69,9 @@
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
 
-- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == 'script'
   tags:
     - k8s-secrets
     - k8s-gen-certs

roles/kubespray-defaults/defaults/main.yaml

@@ -224,7 +224,7 @@ docker_options: >-
 etcd_deployment_type: docker
 kubelet_deployment_type: docker
 cert_management: script
-vault_deployment_type: docker
+
 helm_deployment_type: host
 
 # Enable kubeadm deployment (experimental)
@@ -303,13 +303,6 @@ kube_feature_gates: |-
   {{ feature_gate_v1_12 }}
   {%- endif %}
 
-# Vault data dirs.
-vault_base_dir: /etc/vault
-vault_cert_dir: "{{ vault_base_dir }}/ssl"
-vault_config_dir: "{{ vault_base_dir }}/config"
-vault_roles_dir: "{{ vault_base_dir }}/roles"
-vault_secrets_dir: "{{ vault_base_dir }}/secrets"
-
 # Local volume provisioner storage classes
 local_volume_provisioner_storage_classes:
   - name: "{{ local_volume_provisioner_storage_class | default('local-storage') }}"

scale.yml

@@ -51,7 +51,6 @@
     - { role: container-engine, tags: "container-engine"}
     - { role: download, tags: download, when: "not skip_downloads" }
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
     - { role: kubernetes/node, tags: node }
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: network_plugin, tags: network }

tests/files/gce_coreos-vault-upgrade.yml

@@ -1,12 +0,0 @@
-# Instance settings
-cloud_machine_type: "n1-standard-1"
-cloud_image_family: coreos-stable
-cloud_region: us-central1-b
-mode: aio
-
-# Instance settings
-cert_management: vault
-kube_network_plugin: flannel
-deploy_netchecker: true
-kubedns_min_replicas: 1
-cloud_provider: gce

tests/files/gce_ubuntu-vault-sep.yml

@@ -1,12 +0,0 @@
-# Instance settings
-cloud_machine_type: "n1-standard-1"
-cloud_image_family: ubuntu-1604-lts
-cloud_region: us-central1-b
-mode: separate
-
-# Instance settings
-cert_management: vault
-kube_network_plugin: canal
-deploy_netchecker: true
-kubedns_min_replicas: 1
-cloud_provider: gce

upgrade-cluster.yml

@@ -52,13 +52,6 @@
     - { role: download, tags: download, when: "not skip_downloads" }
   environment: "{{proxy_env}}"
 
-- hosts: etcd:k8s-cluster:vault
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -71,13 +64,6 @@
     - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
 
-- hosts: etcd:k8s-cluster:vault
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'"}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 #Handle upgrades to master components first to maintain backwards compat.
 - hosts: kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"