Introducing credentials_dir in order to be able to override it
This commit is contained in:
parent
f0af7262b1
commit
a644b7c267
7 changed files with 18 additions and 12 deletions
|
@ -89,7 +89,7 @@ authentication. One could generate a kubeconfig based on one installed
|
||||||
kube-master hosts (needs improvement) or connect with a username and password.
|
kube-master hosts (needs improvement) or connect with a username and password.
|
||||||
By default, a user with admin rights is created, named `kube`.
|
By default, a user with admin rights is created, named `kube`.
|
||||||
The password can be viewed after deployment by looking at the file
|
The password can be viewed after deployment by looking at the file
|
||||||
`PATH_TO_KUBESPRAY/credentials/kube_user.creds`. This contains a randomly generated
|
`{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
|
||||||
password. If you wish to set your own password, just precreate/modify this
|
password. If you wish to set your own password, just precreate/modify this
|
||||||
file yourself.
|
file yourself.
|
||||||
|
|
||||||
|
|
|
@ -145,6 +145,6 @@ The possible vars are:
|
||||||
|
|
||||||
By default, a user with admin rights is created, named `kube`.
|
By default, a user with admin rights is created, named `kube`.
|
||||||
The password can be viewed after deployment by looking at the file
|
The password can be viewed after deployment by looking at the file
|
||||||
`PATH_TO_KUBESPRAY/credentials/kube_user.creds`. This contains a randomly generated
|
`{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
|
||||||
password. If you wish to set your own password, just precreate/modify this
|
password. If you wish to set your own password, just precreate/modify this
|
||||||
file yourself or change `kube_api_pwd` var.
|
file yourself or change `kube_api_pwd` var.
|
||||||
|
|
|
@ -34,9 +34,12 @@ kube_cert_group: kube-cert
|
||||||
# Cluster Loglevel configuration
|
# Cluster Loglevel configuration
|
||||||
kube_log_level: 2
|
kube_log_level: 2
|
||||||
|
|
||||||
|
# Directory where credentials will be stored
|
||||||
|
credentials_dir: "{{ inventory_dir }}/credentials"
|
||||||
|
|
||||||
# Users to create for basic auth in Kubernetes API via HTTP
|
# Users to create for basic auth in Kubernetes API via HTTP
|
||||||
# Optionally add groups for user
|
# Optionally add groups for user
|
||||||
kube_api_pwd: "{{ lookup('password', inventory_dir + '/credentials/kube_user.creds length=15 chars=ascii_letters,digits') }}"
|
kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
|
||||||
kube_users:
|
kube_users:
|
||||||
kube:
|
kube:
|
||||||
pass: "{{kube_api_pwd}}"
|
pass: "{{kube_api_pwd}}"
|
||||||
|
|
|
@ -132,7 +132,7 @@ volume_cross_zone_attachment: false
|
||||||
|
|
||||||
## Encrypting Secret Data at Rest
|
## Encrypting Secret Data at Rest
|
||||||
kube_encrypt_secret_data: false
|
kube_encrypt_secret_data: false
|
||||||
kube_encrypt_token: "{{ lookup('password', inventory_dir + '/credentials/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
|
kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
|
||||||
# Must be either: aescbc, secretbox or aesgcm
|
# Must be either: aescbc, secretbox or aesgcm
|
||||||
kube_encryption_algorithm: "aescbc"
|
kube_encryption_algorithm: "aescbc"
|
||||||
|
|
||||||
|
|
|
@ -175,6 +175,9 @@ kubeconfig_localhost: false
|
||||||
# Download kubectl onto the host that runs Ansible in {{ bin_dir }}
|
# Download kubectl onto the host that runs Ansible in {{ bin_dir }}
|
||||||
kubectl_localhost: false
|
kubectl_localhost: false
|
||||||
|
|
||||||
|
# Define credentials_dir here so it can be overriden
|
||||||
|
credentials_dir: "{{ inventory_dir }}/credentials"
|
||||||
|
|
||||||
# K8s image pull policy (imagePullPolicy)
|
# K8s image pull policy (imagePullPolicy)
|
||||||
k8s_image_pull_policy: IfNotPresent
|
k8s_image_pull_policy: IfNotPresent
|
||||||
|
|
||||||
|
|
|
@ -122,7 +122,7 @@ vault_pki_mounts:
|
||||||
roles:
|
roles:
|
||||||
- name: userpass
|
- name: userpass
|
||||||
group: userpass
|
group: userpass
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/userpass.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/userpass.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
@ -136,7 +136,7 @@ vault_pki_mounts:
|
||||||
roles:
|
roles:
|
||||||
- name: vault
|
- name: vault
|
||||||
group: vault
|
group: vault
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/vault.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
@ -149,7 +149,7 @@ vault_pki_mounts:
|
||||||
roles:
|
roles:
|
||||||
- name: etcd
|
- name: etcd
|
||||||
group: etcd
|
group: etcd
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/etcd.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
@ -164,7 +164,7 @@ vault_pki_mounts:
|
||||||
roles:
|
roles:
|
||||||
- name: kube-master
|
- name: kube-master
|
||||||
group: kube-master
|
group: kube-master
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/kube-master.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
@ -172,7 +172,7 @@ vault_pki_mounts:
|
||||||
organization: "system:masters"
|
organization: "system:masters"
|
||||||
- name: front-proxy-client
|
- name: front-proxy-client
|
||||||
group: kube-master
|
group: kube-master
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
@ -180,7 +180,7 @@ vault_pki_mounts:
|
||||||
organization: "system:front-proxy-client"
|
organization: "system:front-proxy-client"
|
||||||
- name: kube-node
|
- name: kube-node
|
||||||
group: k8s-cluster
|
group: k8s-cluster
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/kube-node.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
@ -188,7 +188,7 @@ vault_pki_mounts:
|
||||||
organization: "system:nodes"
|
organization: "system:nodes"
|
||||||
- name: kube-proxy
|
- name: kube-proxy
|
||||||
group: k8s-cluster
|
group: k8s-cluster
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
|
password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
|
||||||
policy_rules: default
|
policy_rules: default
|
||||||
role_options:
|
role_options:
|
||||||
allow_any_name: true
|
allow_any_name: true
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
uri:
|
uri:
|
||||||
url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
|
url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
|
||||||
user: kube
|
user: kube
|
||||||
password: "{{ lookup('password', inventory_dir + '/credentials/kube_user.creds length=15 chars=ascii_letters,digits') }}"
|
password: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
status_code: 200,401
|
status_code: 200,401
|
||||||
when: not kubeadm_enabled|default(false)
|
when: not kubeadm_enabled|default(false)
|
||||||
|
|
Loading…
Reference in a new issue