Remove Vault (#3684)

* Remove Vault

* Remove reference to 'kargo' in the doc

* change check order

.gitlab-ci.yml

@@ -316,14 +316,6 @@ before_script:
 # stage: deploy-part1
   MOVED_TO_GROUP_VARS: "true"
 
-.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
-# stage: deploy-part1
-  MOVED_TO_GROUP_VARS: "true"
-
-.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
-# stage: deploy-part1
-  UPGRADE_TEST: "basic"
-
 .ubuntu_flannel_variables: &ubuntu_flannel_variables
 # stage: deploy-special
   MOVED_TO_GROUP_VARS: "true"
@@ -698,28 +690,6 @@ gce_ubuntu-rkt-sep:
   except: ['triggers']
   only: ['master', /^pr-.*$/]
 
-gce_ubuntu-vault-sep:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *ubuntu_vault_sep_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
-gce_coreos-vault-upgrade:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *coreos_vault_upgrade_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
 gce_ubuntu-flannel-sep:
   stage: deploy-special
   <<: *job

cluster.yml

@@ -51,13 +51,6 @@
     - { role: download, tags: download, when: "not skip_downloads" }
   environment: "{{proxy_env}}"
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -70,13 +63,6 @@
     - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 - hosts: k8s-cluster
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:

contrib/vault/groups_vars/vault.yaml

@@ -0,0 +1,31 @@
+vault_deployment_type: docker
+vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+vault_version: 0.10.1
+vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+vault_image_repo: "vault"
+vault_image_tag: "{{ vault_version }}"
+vault_downloads:
+  vault:
+    enabled: "{{ cert_management == 'vault' }}"
+    container: "{{ vault_deployment_type != 'host' }}"
+    file: "{{ vault_deployment_type == 'host' }}"
+    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+    mode: "0755"
+    owner: "vault"
+    repo: "{{ vault_image_repo }}"
+    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
+    tag: "{{ vault_image_tag }}"
+    unarchive: true
+    url: "{{ vault_download_url }}"
+    version: "{{ vault_version }}"
+    groups:
+      - vault
+
+# Vault data dirs.
+vault_base_dir: /etc/vault
+vault_cert_dir: "{{ vault_base_dir }}/ssl"
+vault_config_dir: "{{ vault_base_dir }}/config"
+vault_roles_dir: "{{ vault_base_dir }}/roles"
+vault_secrets_dir: "{{ vault_base_dir }}/secrets"
+kube_vault_mount_path: "/kube"
+etcd_vault_mount_path: "/etcd"

contrib/vault/requirements.txt

@@ -0,0 +1 @@
+ansible-modules-hashivault>=3.9.4

contrib/vault/vault.md

@@ -1,3 +1,6 @@
+# /!\ The vault role have been retired from the main playbook.
+# This role probably requires a LOT of changes in order to work again
+
 Hashicorp Vault Role
 ====================
 

docs/integration.md

@@ -1,4 +1,4 @@
-# Kubespray (kargo) in own ansible playbooks repo
+# Kubespray (kubespray) in own ansible playbooks repo
 
 1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.
    Note:
@@ -62,17 +62,14 @@ You could rename *all.yml* config to something else, i.e. *kubespray.yml* and cr
      kubemaster
      kubemaster-ha
 
-     [vault:children]
-     kube-master
-     
      [kubespray:children]
      kubernetes
      ```
      * Last entry here needed to apply kubespray.yml config file, renamed from all.yml of kubespray project.
 
-10. Now you can include kargo tasks in you existent playbooks by including cluster.yml file: 
+10. Now you can include kubespray tasks in you existent playbooks by including cluster.yml file:
      ```
-     - name: Include kargo tasks
+     - name: Include kubespray tasks
        include: 3d/kubespray/cluster.yml
      ```
      Or your could copy separate tasks from cluster.yml into your ansible repository.

inventory/sample/group_vars/all/all.yml

@@ -64,9 +64,10 @@ bin_dir: /usr/local/bin
 #additional_no_proxy: ""
 
 ## Certificate Management
-## This setting determines whether certs are generated via scripts or whether a
+## This setting determines whether certs are generated via scripts.
-## cluster of Hashicorp's Vault is started to issue certificates (using etcd
+## Chose 'none' if you provide your own certificates.
-## as a backend). Options are "script" or "vault"
+## Option is  "script", "none"
+## note: vault is removed
 #cert_management: script
 
 ## Set to true to allow pre-checks to fail and continue deployment

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -132,7 +132,6 @@ container_manager: docker
 ## Settings for containerized control plane (etcd/kubelet/secrets)
 etcd_deployment_type: docker
 kubelet_deployment_type: host
-vault_deployment_type: docker
 helm_deployment_type: host
 
 # K8s image pull policy (imagePullPolicy)

remove-node.yml

@@ -17,7 +17,7 @@
     ansible_ssh_pipelining: true
   gather_facts: true
 
-- hosts: "{{ node | default('etcd:k8s-cluster:vault:calico-rr') }}"
+- hosts: "{{ node | default('etcd:k8s-cluster:calico-rr') }}"
   vars_prompt:
     name: "delete_nodes_confirmation"
     prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."

requirements.txt

@@ -2,5 +2,4 @@ ansible>=2.5.0,!=2.7.0
 jinja2>=2.9.6
 netaddr
 pbr>=1.6
-ansible-modules-hashivault>=3.9.4
 hvac

reset.yml

@@ -15,7 +15,7 @@
 - hosts: all
   gather_facts: true
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
+- hosts: etcd:k8s-cluster:calico-rr
   vars_prompt:
     name: "reset_confirmation"
     prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."

roles/download/defaults/main.yml

@@ -53,7 +53,7 @@ calico_rr_version: "v0.6.1"
 flannel_version: "v0.10.0"
 flannel_cni_version: "v0.3.0"
 
-vault_version: 0.10.1
+
 weave_version: "2.4.1"
 pod_infra_version: 3.1
 contiv_version: 1.2.1
@@ -63,7 +63,6 @@ multus_version: "v3.1.autoconf"
 
 # Download URLs
 kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
-vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
 etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
 hyperkube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64/hyperkube"
 
@@ -104,7 +103,7 @@ kubeadm_checksums:
   v1.10.0: ebbac985834289037b544523c3e2f39bb44bea938aca9d9e88ef7e880fb8472f
 
 etcd_binary_checksum: 947849dbcfa13927c81236fb76a7c01d587bbab42ab1e807184cd91b026ebed7
-vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+
 hyperkube_binary_checksum: "{{ hyperkube_checksums[kube_version] }}"
 kubeadm_binary_checksum: "{{ kubeadm_checksums[kubeadm_version] }}"
 
@@ -196,8 +195,7 @@ helm_image_repo: "lachlanevenson/k8s-helm"
 helm_image_tag: "{{ helm_version }}"
 tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
 tiller_image_tag: "{{ helm_version }}"
-vault_image_repo: "vault"
+
-vault_image_tag: "{{ vault_version }}"
 registry_image_repo: "registry"
 registry_image_tag: "2.6"
 registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
@@ -534,22 +532,6 @@ downloads:
     groups:
       - kube-node
 
-  vault:
-    enabled: "{{ cert_management == 'vault' }}"
-    container: "{{ vault_deployment_type != 'host' }}"
-    file: "{{ vault_deployment_type == 'host' }}"
-    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
-    mode: "0755"
-    owner: "vault"
-    repo: "{{ vault_image_repo }}"
-    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
-    tag: "{{ vault_image_tag }}"
-    unarchive: true
-    url: "{{ vault_download_url }}"
-    version: "{{ vault_version }}"
-    groups:
-      - vault
-
   registry:
     enabled: "{{ registry_enabled }}"
     container: true

roles/etcd/defaults/main.yml

@@ -57,8 +57,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
 
 etcd_compaction_retention: "8"
 
-etcd_vault_mount_path: "/etcd"
-
 # Force clients like etcdctl to use TLS certs (different than peer security)
 etcd_secure_client: true
 

roles/etcd/meta/main.yml

@@ -3,5 +3,3 @@ dependencies:
   - role: adduser
     user: "{{ addusers.etcd }}"
     when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
-
-# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"

roles/etcd/tasks/main.yml

@@ -5,7 +5,9 @@
     - etcd-secrets
     - facts
 
-- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == "script"
   tags:
     - etcd-secrets
 

roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

@@ -188,11 +188,17 @@
   when: kube_proxy_mode is defined
   run_once: true
 
+- name: Stop if vault is chose
+  assert:
+    that: cert_management != 'vault'
+    msg: "Support for vault have been removed, please use 'script' or 'none'"
+  when: cert_management is defined
+  run_once: true
+
 - name: Stop if unknown cert_management
   assert:
-    that: cert_management in ['script', 'vault']
+    that: cert_management|d('script') in ['script', 'none']
-    msg: "cert_management can only be 'script' or 'vault'"
+    msg: "cert_management can only be 'script' or 'none'"
-  when: cert_management is defined
   run_once: true
 
 - name: Stop if unknown resolvconf_mode

roles/kubernetes/secrets/defaults/main.yml

@@ -1,3 +1,2 @@
 ---
 kube_cert_group: kube-cert
-kube_vault_mount_path: "/kube"

roles/kubernetes/secrets/meta/main.yml

@@ -1,2 +1 @@
 ---
-# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"

roles/kubernetes/secrets/tasks/main.yml

@@ -69,7 +69,9 @@
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
 
-- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == 'script'
   tags:
     - k8s-secrets
     - k8s-gen-certs

roles/kubespray-defaults/defaults/main.yaml

@@ -224,7 +224,7 @@ docker_options: >-
 etcd_deployment_type: docker
 kubelet_deployment_type: docker
 cert_management: script
-vault_deployment_type: docker
+
 helm_deployment_type: host
 
 # Enable kubeadm deployment (experimental)
@@ -303,13 +303,6 @@ kube_feature_gates: |-
   {{ feature_gate_v1_12 }}
   {%- endif %}
 
-# Vault data dirs.
-vault_base_dir: /etc/vault
-vault_cert_dir: "{{ vault_base_dir }}/ssl"
-vault_config_dir: "{{ vault_base_dir }}/config"
-vault_roles_dir: "{{ vault_base_dir }}/roles"
-vault_secrets_dir: "{{ vault_base_dir }}/secrets"
-
 # Local volume provisioner storage classes
 local_volume_provisioner_storage_classes:
   - name: "{{ local_volume_provisioner_storage_class | default('local-storage') }}"

scale.yml

@@ -51,7 +51,6 @@
     - { role: container-engine, tags: "container-engine"}
     - { role: download, tags: download, when: "not skip_downloads" }
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
     - { role: kubernetes/node, tags: node }
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: network_plugin, tags: network }

tests/files/gce_coreos-vault-upgrade.yml

@@ -1,12 +0,0 @@
-# Instance settings
-cloud_machine_type: "n1-standard-1"
-cloud_image_family: coreos-stable
-cloud_region: us-central1-b
-mode: aio
-
-# Instance settings
-cert_management: vault
-kube_network_plugin: flannel
-deploy_netchecker: true
-kubedns_min_replicas: 1
-cloud_provider: gce

tests/files/gce_ubuntu-vault-sep.yml

@@ -1,12 +0,0 @@
-# Instance settings
-cloud_machine_type: "n1-standard-1"
-cloud_image_family: ubuntu-1604-lts
-cloud_region: us-central1-b
-mode: separate
-
-# Instance settings
-cert_management: vault
-kube_network_plugin: canal
-deploy_netchecker: true
-kubedns_min_replicas: 1
-cloud_provider: gce

upgrade-cluster.yml

@@ -52,13 +52,6 @@
     - { role: download, tags: download, when: "not skip_downloads" }
   environment: "{{proxy_env}}"
 
-- hosts: etcd:k8s-cluster:vault
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -71,13 +64,6 @@
     - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
 
-- hosts: etcd:k8s-cluster:vault
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'"}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 #Handle upgrades to master components first to maintain backwards compat.
 - hosts: kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"