Remove Vault (#3684)
* Remove Vault * Remove reference to 'kargo' in the doc * change check order
parent
b2b421840c
commit
3dcb914607
70 changed files with 93 additions and 166 deletions
|
@ -316,14 +316,6 @@ before_script:
|
|||
# stage: deploy-part1
|
||||
MOVED_TO_GROUP_VARS: "true"
|
||||
|
||||
.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
|
||||
# stage: deploy-part1
|
||||
MOVED_TO_GROUP_VARS: "true"
|
||||
|
||||
.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
|
||||
# stage: deploy-part1
|
||||
UPGRADE_TEST: "basic"
|
||||
|
||||
.ubuntu_flannel_variables: &ubuntu_flannel_variables
|
||||
# stage: deploy-special
|
||||
MOVED_TO_GROUP_VARS: "true"
|
||||
|
@ -698,28 +690,6 @@ gce_ubuntu-rkt-sep:
|
|||
except: ['triggers']
|
||||
only: ['master', /^pr-.*$/]
|
||||
|
||||
gce_ubuntu-vault-sep:
|
||||
stage: deploy-part2
|
||||
<<: *job
|
||||
<<: *gce
|
||||
variables:
|
||||
<<: *gce_variables
|
||||
<<: *ubuntu_vault_sep_variables
|
||||
when: manual
|
||||
except: ['triggers']
|
||||
only: ['master', /^pr-.*$/]
|
||||
|
||||
gce_coreos-vault-upgrade:
|
||||
stage: deploy-part2
|
||||
<<: *job
|
||||
<<: *gce
|
||||
variables:
|
||||
<<: *gce_variables
|
||||
<<: *coreos_vault_upgrade_variables
|
||||
when: manual
|
||||
except: ['triggers']
|
||||
only: ['master', /^pr-.*$/]
|
||||
|
||||
gce_ubuntu-flannel-sep:
|
||||
stage: deploy-special
|
||||
<<: *job
|
||||
|
|
14
cluster.yml
14
cluster.yml
|
@ -51,13 +51,6 @@
|
|||
- { role: download, tags: download, when: "not skip_downloads" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault:calico-rr
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults, when: "cert_management == 'vault'" }
|
||||
- { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
@ -70,13 +63,6 @@
|
|||
- { role: kubespray-defaults}
|
||||
- { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault:calico-rr
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults}
|
||||
- { role: vault, tags: vault, when: "cert_management == 'vault'"}
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: k8s-cluster
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
|
31
contrib/vault/groups_vars/vault.yaml
Normal file
31
contrib/vault/groups_vars/vault.yaml
Normal file
|
@ -0,0 +1,31 @@
|
|||
vault_deployment_type: docker
|
||||
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
|
||||
vault_version: 0.10.1
|
||||
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
vault_image_repo: "vault"
|
||||
vault_image_tag: "{{ vault_version }}"
|
||||
vault_downloads:
|
||||
vault:
|
||||
enabled: "{{ cert_management == 'vault' }}"
|
||||
container: "{{ vault_deployment_type != 'host' }}"
|
||||
file: "{{ vault_deployment_type == 'host' }}"
|
||||
dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
mode: "0755"
|
||||
owner: "vault"
|
||||
repo: "{{ vault_image_repo }}"
|
||||
sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
|
||||
tag: "{{ vault_image_tag }}"
|
||||
unarchive: true
|
||||
url: "{{ vault_download_url }}"
|
||||
version: "{{ vault_version }}"
|
||||
groups:
|
||||
- vault
|
||||
|
||||
# Vault data dirs.
|
||||
vault_base_dir: /etc/vault
|
||||
vault_cert_dir: "{{ vault_base_dir }}/ssl"
|
||||
vault_config_dir: "{{ vault_base_dir }}/config"
|
||||
vault_roles_dir: "{{ vault_base_dir }}/roles"
|
||||
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
|
||||
kube_vault_mount_path: "/kube"
|
||||
etcd_vault_mount_path: "/etcd"
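Review bot: The new file lives under `contrib/vault/groups_vars/`, but Ansible auto-loads inventory variables from a directory named `group_vars/`, so if this is meant to be picked up for the `vault` group it presumably will not be unless the directory is renamed or the file is loaded explicitly via `vars_files`; worth confirming against how contrib/vault is meant to be invoked now that the role is retired from the main playbook. Separately, the `sha256` entry falls back to `vault_digest_checksum|d(none)` whenever `vault_deployment_type` is not `host`, so in the container case the image is pulled by tag `{{ vault_image_tag }}` with no digest pin, while the host binary does get `vault_binary_checksum`; a one-line comment above `sha256:` such as `# container pulls are unpinned unless vault_digest_checksum is set` would make that asymmetry explicit for anyone still using this contrib config.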
|
1
contrib/vault/requirements.txt
Normal file
1
contrib/vault/requirements.txt
Normal file
|
@ -0,0 +1 @@
|
|||
ansible-modules-hashivault>=3.9.4
|
|
@ -1,3 +1,6 @@
|
|||
# /!\ The vault role have been retired from the main playbook.
|
||||
# This role probably requires a LOT of changes in order to work again
|
||||
|
||||
Hashicorp Vault Role
|
||||
====================
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# Kubespray (kargo) in own ansible playbooks repo
|
||||
# Kubespray (kubespray) in own ansible playbooks repo
|
||||
|
||||
1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.
|
||||
Note:
|
||||
|
@ -62,17 +62,14 @@ You could rename *all.yml* config to something else, i.e. *kubespray.yml* and cr
|
|||
kubemaster
|
||||
kubemaster-ha
|
||||
|
||||
[vault:children]
|
||||
kube-master
|
||||
|
||||
[kubespray:children]
|
||||
kubernetes
|
||||
```
|
||||
* Last entry here needed to apply kubespray.yml config file, renamed from all.yml of kubespray project.
|
||||
|
||||
10. Now you can include kargo tasks in you existent playbooks by including cluster.yml file:
|
||||
10. Now you can include kubespray tasks in you existent playbooks by including cluster.yml file:
|
||||
```
|
||||
- name: Include kargo tasks
|
||||
- name: Include kubespray tasks
|
||||
include: 3d/kubespray/cluster.yml
|
||||
```
|
||||
Or your could copy separate tasks from cluster.yml into your ansible repository.
|
||||
|
|
|
@ -64,9 +64,10 @@ bin_dir: /usr/local/bin
|
|||
#additional_no_proxy: ""
|
||||
|
||||
## Certificate Management
|
||||
## This setting determines whether certs are generated via scripts or whether a
|
||||
## cluster of Hashicorp's Vault is started to issue certificates (using etcd
|
||||
## as a backend). Options are "script" or "vault"
|
||||
## This setting determines whether certs are generated via scripts.
|
||||
## Chose 'none' if you provide your own certificates.
|
||||
## Option is "script", "none"
|
||||
## note: vault is removed
|
||||
#cert_management: script
|
||||
|
||||
## Set to true to allow pre-checks to fail and continue deployment
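Review bot: The rewritten comment block has two wording slips: `## Chose 'none' if you provide your own certificates.` should read `## Choose 'none' if you provide your own certificates.`, and `## Option is "script", "none"` reads better as `## Options are "script" or "none"`. Since the pre-check elsewhere in this commit now fails the run when `cert_management` is `vault`, it may also help to spell out here that a `none` setting means the playbook expects the certificates to already be in place rather than generating them.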
|
||||
|
|
|
@ -132,7 +132,6 @@ container_manager: docker
|
|||
## Settings for containerized control plane (etcd/kubelet/secrets)
|
||||
etcd_deployment_type: docker
|
||||
kubelet_deployment_type: host
|
||||
vault_deployment_type: docker
|
||||
helm_deployment_type: host
|
||||
|
||||
# K8s image pull policy (imagePullPolicy)
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
ansible_ssh_pipelining: true
|
||||
gather_facts: true
|
||||
|
||||
- hosts: "{{ node | default('etcd:k8s-cluster:vault:calico-rr') }}"
|
||||
- hosts: "{{ node | default('etcd:k8s-cluster:calico-rr') }}"
|
||||
vars_prompt:
|
||||
name: "delete_nodes_confirmation"
|
||||
prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."
|
||||
|
|
|
@ -2,5 +2,4 @@ ansible>=2.5.0,!=2.7.0
|
|||
jinja2>=2.9.6
|
||||
netaddr
|
||||
pbr>=1.6
|
||||
ansible-modules-hashivault>=3.9.4
|
||||
hvac
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
- hosts: all
|
||||
gather_facts: true
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault:calico-rr
|
||||
- hosts: etcd:k8s-cluster:calico-rr
|
||||
vars_prompt:
|
||||
name: "reset_confirmation"
|
||||
prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."
|
||||
|
|
|
@ -53,7 +53,7 @@ calico_rr_version: "v0.6.1"
|
|||
flannel_version: "v0.10.0"
|
||||
flannel_cni_version: "v0.3.0"
|
||||
|
||||
vault_version: 0.10.1
|
||||
|
||||
weave_version: "2.4.1"
|
||||
pod_infra_version: 3.1
|
||||
contiv_version: 1.2.1
|
||||
|
@ -63,7 +63,6 @@ multus_version: "v3.1.autoconf"
|
|||
|
||||
# Download URLs
|
||||
kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
|
||||
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
|
||||
hyperkube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64/hyperkube"
|
||||
|
||||
|
@ -104,7 +103,7 @@ kubeadm_checksums:
|
|||
v1.10.0: ebbac985834289037b544523c3e2f39bb44bea938aca9d9e88ef7e880fb8472f
|
||||
|
||||
etcd_binary_checksum: 947849dbcfa13927c81236fb76a7c01d587bbab42ab1e807184cd91b026ebed7
|
||||
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
|
||||
|
||||
hyperkube_binary_checksum: "{{ hyperkube_checksums[kube_version] }}"
|
||||
kubeadm_binary_checksum: "{{ kubeadm_checksums[kubeadm_version] }}"
|
||||
|
||||
|
@ -196,8 +195,7 @@ helm_image_repo: "lachlanevenson/k8s-helm"
|
|||
helm_image_tag: "{{ helm_version }}"
|
||||
tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
|
||||
tiller_image_tag: "{{ helm_version }}"
|
||||
vault_image_repo: "vault"
|
||||
vault_image_tag: "{{ vault_version }}"
|
||||
|
||||
registry_image_repo: "registry"
|
||||
registry_image_tag: "2.6"
|
||||
registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
|
||||
|
@ -534,22 +532,6 @@ downloads:
|
|||
groups:
|
||||
- kube-node
|
||||
|
||||
vault:
|
||||
enabled: "{{ cert_management == 'vault' }}"
|
||||
container: "{{ vault_deployment_type != 'host' }}"
|
||||
file: "{{ vault_deployment_type == 'host' }}"
|
||||
dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
|
||||
mode: "0755"
|
||||
owner: "vault"
|
||||
repo: "{{ vault_image_repo }}"
|
||||
sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
|
||||
tag: "{{ vault_image_tag }}"
|
||||
unarchive: true
|
||||
url: "{{ vault_download_url }}"
|
||||
version: "{{ vault_version }}"
|
||||
groups:
|
||||
- vault
|
||||
|
||||
registry:
|
||||
enabled: "{{ registry_enabled }}"
|
||||
container: true
|
||||
|
|
|
@ -57,8 +57,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
|
|||
|
||||
etcd_compaction_retention: "8"
|
||||
|
||||
etcd_vault_mount_path: "/etcd"
|
||||
|
||||
# Force clients like etcdctl to use TLS certs (different than peer security)
|
||||
etcd_secure_client: true
|
||||
|
||||
|
|
|
@ -3,5 +3,3 @@ dependencies:
|
|||
- role: adduser
|
||||
user: "{{ addusers.etcd }}"
|
||||
when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
|
||||
|
||||
# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
|
||||
|
|
|
@ -5,7 +5,9 @@
|
|||
- etcd-secrets
|
||||
- facts
|
||||
|
||||
- include_tasks: "gen_certs_{{ cert_management }}.yml"
|
||||
- include_tasks: "gen_certs_script.yml"
|
||||
when:
|
||||
- cert_management |d('script') == "script"
|
||||
tags:
|
||||
- etcd-secrets
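Review bot: With the include now guarded by `cert_management |d('script') == "script"`, a `none` setting skips `gen_certs_script.yml` entirely, and nothing in this hunk checks that the operator-supplied certificates actually exist before later tasks try to use them; a short `stat`/`assert` on the expected cert paths, or at least a comment such as `# 'none' assumes certs are already present under the etcd cert dir`, would make the failure mode explicit instead of surfacing as a later TLS error. The same guard is added in the kubernetes secrets task file (the hunk near `k8s-gen-certs`), where the literal is written `'script'` with single quotes while here it is `"script"` with double quotes; pick one style for both. The enclosing task list continues outside the hunk.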
|
||||
|
||||
|
|
|
@ -188,11 +188,17 @@
|
|||
when: kube_proxy_mode is defined
|
||||
run_once: true
|
||||
|
||||
- name: Stop if vault is chose
|
||||
assert:
|
||||
that: cert_management != 'vault'
|
||||
msg: "Support for vault have been removed, please use 'script' or 'none'"
|
||||
when: cert_management is defined
|
||||
run_once: true
|
||||
|
||||
- name: Stop if unknown cert_management
|
||||
assert:
|
||||
that: cert_management in ['script', 'vault']
|
||||
msg: "cert_management can only be 'script' or 'vault'"
|
||||
when: cert_management is defined
|
||||
that: cert_management|d('script') in ['script', 'none']
|
||||
msg: "cert_management can only be 'script' or 'none'"
|
||||
run_once: true
|
||||
|
||||
- name: Stop if unknown resolvconf_mode
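Review bot: The new assertion's name and message have grammar slips that will show up verbatim in every run that hits them: `- name: Stop if vault is chosen` and `msg: "Support for vault has been removed, please use 'script' or 'none'"`. Placing this check ahead of the generic `Stop if unknown cert_management` assert is the right order, since a stale `cert_management: vault` inventory gets a targeted message rather than the generic one. The surrounding pre-check task list continues outside the hunk.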
|
||||
|
|
|
@ -1,3 +1,2 @@
|
|||
---
|
||||
kube_cert_group: kube-cert
|
||||
kube_vault_mount_path: "/kube"
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
---
|
||||
# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
|
||||
|
|
|
@ -69,7 +69,9 @@
|
|||
delegate_to: "{{groups['kube-master'][0]}}"
|
||||
when: gen_tokens|default(false)
|
||||
|
||||
- include_tasks: "gen_certs_{{ cert_management }}.yml"
|
||||
- include_tasks: "gen_certs_script.yml"
|
||||
when:
|
||||
- cert_management |d('script') == 'script'
|
||||
tags:
|
||||
- k8s-secrets
|
||||
- k8s-gen-certs
|
||||
|
|
|
@ -224,7 +224,7 @@ docker_options: >-
|
|||
etcd_deployment_type: docker
|
||||
kubelet_deployment_type: docker
|
||||
cert_management: script
|
||||
vault_deployment_type: docker
|
||||
|
||||
helm_deployment_type: host
|
||||
|
||||
# Enable kubeadm deployment (experimental)
|
||||
|
@ -303,13 +303,6 @@ kube_feature_gates: |-
|
|||
{{ feature_gate_v1_12 }}
|
||||
{%- endif %}
|
||||
|
||||
# Vault data dirs.
|
||||
vault_base_dir: /etc/vault
|
||||
vault_cert_dir: "{{ vault_base_dir }}/ssl"
|
||||
vault_config_dir: "{{ vault_base_dir }}/config"
|
||||
vault_roles_dir: "{{ vault_base_dir }}/roles"
|
||||
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
|
||||
|
||||
# Local volume provisioner storage classes
|
||||
local_volume_provisioner_storage_classes:
|
||||
- name: "{{ local_volume_provisioner_storage_class | default('local-storage') }}"
|
||||
|
|
|
@ -51,7 +51,6 @@
|
|||
- { role: container-engine, tags: "container-engine"}
|
||||
- { role: download, tags: download, when: "not skip_downloads" }
|
||||
- { role: etcd, tags: etcd, etcd_cluster_setup: false }
|
||||
- { role: vault, tags: vault, when: "cert_management == 'vault'"}
|
||||
- { role: kubernetes/node, tags: node }
|
||||
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
|
||||
- { role: network_plugin, tags: network }
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
# Instance settings
|
||||
cloud_machine_type: "n1-standard-1"
|
||||
cloud_image_family: coreos-stable
|
||||
cloud_region: us-central1-b
|
||||
mode: aio
|
||||
|
||||
# Instance settings
|
||||
cert_management: vault
|
||||
kube_network_plugin: flannel
|
||||
deploy_netchecker: true
|
||||
kubedns_min_replicas: 1
|
||||
cloud_provider: gce
|
|
@ -1,12 +0,0 @@
|
|||
# Instance settings
|
||||
cloud_machine_type: "n1-standard-1"
|
||||
cloud_image_family: ubuntu-1604-lts
|
||||
cloud_region: us-central1-b
|
||||
mode: separate
|
||||
|
||||
# Instance settings
|
||||
cert_management: vault
|
||||
kube_network_plugin: canal
|
||||
deploy_netchecker: true
|
||||
kubedns_min_replicas: 1
|
||||
cloud_provider: gce
|
|
@ -52,13 +52,6 @@
|
|||
- { role: download, tags: download, when: "not skip_downloads" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults, when: "cert_management == 'vault'" }
|
||||
- { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- hosts: etcd
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
@ -71,13 +64,6 @@
|
|||
- { role: kubespray-defaults}
|
||||
- { role: etcd, tags: etcd, etcd_cluster_setup: false }
|
||||
|
||||
- hosts: etcd:k8s-cluster:vault
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kubespray-defaults, when: "cert_management == 'vault'"}
|
||||
- { role: vault, tags: vault, when: "cert_management == 'vault'"}
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
#Handle upgrades to master components first to maintain backwards compat.
|
||||
- hosts: kube-master
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
|
|