Merge pull request #3228 from mirwan/credentials_dir

Introducing credentials_dir variable in order to be able to override it
This commit is contained in:
k8s-ci-robot 2018-09-04 04:35:11 -07:00 committed by GitHub
commit ad33f71ac2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 19 additions and 13 deletions

View file

@ -14,4 +14,4 @@ roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr
deprecation_warnings=False deprecation_warnings=False
inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .creds inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .creds
[inventory] [inventory]
ignore_patterns = artifacts ignore_patterns = artifacts, credentials

View file

@ -89,7 +89,7 @@ authentication. One could generate a kubeconfig based on one installed
kube-master hosts (needs improvement) or connect with a username and password. kube-master hosts (needs improvement) or connect with a username and password.
By default, a user with admin rights is created, named `kube`. By default, a user with admin rights is created, named `kube`.
The password can be viewed after deployment by looking at the file The password can be viewed after deployment by looking at the file
`PATH_TO_KUBESPRAY/credentials/kube_user.creds`. This contains a randomly generated `{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
password. If you wish to set your own password, just precreate/modify this password. If you wish to set your own password, just precreate/modify this
file yourself. file yourself.

View file

@ -145,6 +145,6 @@ The possible vars are:
By default, a user with admin rights is created, named `kube`. By default, a user with admin rights is created, named `kube`.
The password can be viewed after deployment by looking at the file The password can be viewed after deployment by looking at the file
`PATH_TO_KUBESPRAY/credentials/kube_user.creds`. This contains a randomly generated `{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
password. If you wish to set your own password, just precreate/modify this password. If you wish to set your own password, just precreate/modify this
file yourself or change `kube_api_pwd` var. file yourself or change `kube_api_pwd` var.

View file

@ -34,9 +34,12 @@ kube_cert_group: kube-cert
# Cluster Loglevel configuration # Cluster Loglevel configuration
kube_log_level: 2 kube_log_level: 2
# Directory where credentials will be stored
credentials_dir: "{{ inventory_dir }}/credentials"
# Users to create for basic auth in Kubernetes API via HTTP # Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user # Optionally add groups for user
kube_api_pwd: "{{ lookup('password', inventory_dir + '/credentials/kube_user.creds length=15 chars=ascii_letters,digits') }}" kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
kube_users: kube_users:
kube: kube:
pass: "{{kube_api_pwd}}" pass: "{{kube_api_pwd}}"

View file

@ -132,7 +132,7 @@ volume_cross_zone_attachment: false
## Encrypting Secret Data at Rest ## Encrypting Secret Data at Rest
kube_encrypt_secret_data: false kube_encrypt_secret_data: false
kube_encrypt_token: "{{ lookup('password', inventory_dir + '/credentials/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}" kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
# Must be either: aescbc, secretbox or aesgcm # Must be either: aescbc, secretbox or aesgcm
kube_encryption_algorithm: "aescbc" kube_encryption_algorithm: "aescbc"

View file

@ -175,6 +175,9 @@ kubeconfig_localhost: false
# Download kubectl onto the host that runs Ansible in {{ bin_dir }} # Download kubectl onto the host that runs Ansible in {{ bin_dir }}
kubectl_localhost: false kubectl_localhost: false
# Define credentials_dir here so it can be overriden
credentials_dir: "{{ inventory_dir }}/credentials"
# K8s image pull policy (imagePullPolicy) # K8s image pull policy (imagePullPolicy)
k8s_image_pull_policy: IfNotPresent k8s_image_pull_policy: IfNotPresent

View file

@ -122,7 +122,7 @@ vault_pki_mounts:
roles: roles:
- name: userpass - name: userpass
group: userpass group: userpass
password: "{{ lookup('password', inventory_dir + '/credentials/vault/userpass.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/userpass.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true
@ -136,7 +136,7 @@ vault_pki_mounts:
roles: roles:
- name: vault - name: vault
group: vault group: vault
password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/vault.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true
@ -149,7 +149,7 @@ vault_pki_mounts:
roles: roles:
- name: etcd - name: etcd
group: etcd group: etcd
password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/etcd.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true
@ -164,7 +164,7 @@ vault_pki_mounts:
roles: roles:
- name: kube-master - name: kube-master
group: kube-master group: kube-master
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/kube-master.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true
@ -172,7 +172,7 @@ vault_pki_mounts:
organization: "system:masters" organization: "system:masters"
- name: front-proxy-client - name: front-proxy-client
group: kube-master group: kube-master
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true
@ -180,7 +180,7 @@ vault_pki_mounts:
organization: "system:front-proxy-client" organization: "system:front-proxy-client"
- name: kube-node - name: kube-node
group: k8s-cluster group: k8s-cluster
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/kube-node.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true
@ -188,7 +188,7 @@ vault_pki_mounts:
organization: "system:nodes" organization: "system:nodes"
- name: kube-proxy - name: kube-proxy
group: k8s-cluster group: k8s-cluster
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}" password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
policy_rules: default policy_rules: default
role_options: role_options:
allow_any_name: true allow_any_name: true

View file

@ -6,7 +6,7 @@
uri: uri:
url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1" url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
user: kube user: kube
password: "{{ lookup('password', inventory_dir + '/credentials/kube_user.creds length=15 chars=ascii_letters,digits') }}" password: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
validate_certs: no validate_certs: no
status_code: 200,401 status_code: 200,401
when: not kubeadm_enabled|default(false) when: not kubeadm_enabled|default(false)