diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index de4285c90576f26b97da8418ea4a5e54787778ba..3325fdc351c292f00e8aea42a807710875a16e5c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -316,14 +316,6 @@ before_script:
 # stage: deploy-part1
   MOVED_TO_GROUP_VARS: "true"
 
-.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
-# stage: deploy-part1
-  MOVED_TO_GROUP_VARS: "true"
-
-.coreos_vault_upgrade_variables: &coreos_vault_upgrade_variables
-# stage: deploy-part1
-  UPGRADE_TEST: "basic"
-
 .ubuntu_flannel_variables: &ubuntu_flannel_variables
 # stage: deploy-special
   MOVED_TO_GROUP_VARS: "true"
@@ -698,28 +690,6 @@ gce_ubuntu-rkt-sep:
   except: ['triggers']
   only: ['master', /^pr-.*$/]
 
-gce_ubuntu-vault-sep:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *ubuntu_vault_sep_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
-gce_coreos-vault-upgrade:
-  stage: deploy-part2
-  <<: *job
-  <<: *gce
-  variables:
-    <<: *gce_variables
-    <<: *coreos_vault_upgrade_variables
-  when: manual
-  except: ['triggers']
-  only: ['master', /^pr-.*$/]
-
 gce_ubuntu-flannel-sep:
   stage: deploy-special
   <<: *job
diff --git a/cluster.yml b/cluster.yml
index 1436579063b56e00c242b750a787cb56f3144f84..125d79338de9469ebba28e37a21382a73a5b1ed3 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -51,13 +51,6 @@
     - { role: download, tags: download, when: "not skip_downloads" }
   environment: "{{proxy_env}}"
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -70,13 +63,6 @@
     - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false, etcd_events_cluster_setup: false }
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 - hosts: k8s-cluster
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
diff --git a/contrib/vault/groups_vars/vault.yaml b/contrib/vault/groups_vars/vault.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c59c123b2c80eed2207cd59a9747816cbbd77d4b
--- /dev/null
+++ b/contrib/vault/groups_vars/vault.yaml
@@ -0,0 +1,31 @@
+vault_deployment_type: docker
+vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+vault_version: 0.10.1
+vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+vault_image_repo: "vault"
+vault_image_tag: "{{ vault_version }}"
+vault_downloads:
+  vault:
+    enabled: "{{ cert_management == 'vault' }}"
+    container: "{{ vault_deployment_type != 'host' }}"
+    file: "{{ vault_deployment_type == 'host' }}"
+    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
+    mode: "0755"
+    owner: "vault"
+    repo: "{{ vault_image_repo }}"
+    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
+    tag: "{{ vault_image_tag }}"
+    unarchive: true
+    url: "{{ vault_download_url }}"
+    version: "{{ vault_version }}"
+    groups:
+      - vault
+
+# Vault data dirs.
+vault_base_dir: /etc/vault
+vault_cert_dir: "{{ vault_base_dir }}/ssl"
+vault_config_dir: "{{ vault_base_dir }}/config"
+vault_roles_dir: "{{ vault_base_dir }}/roles"
+vault_secrets_dir: "{{ vault_base_dir }}/secrets"
+kube_vault_mount_path: "/kube"
+etcd_vault_mount_path: "/etcd"
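Review bot: With `vault_deployment_type: docker` set on the first line, the `sha256` expression in `vault_downloads.vault` resolves to `vault_digest_checksum|d(none)`, and this file never defines `vault_digest_checksum`. As far as this file shows, the container image is therefore identified only by the mutable tag `vault:0.10.1`, while the pinned `vault_binary_checksum` goes unused. Anyone reviving the role should define a digest next to the binary checksum, e.g. `vault_digest_checksum: "<sha256 digest of the vault image - placeholder>"`, or at least add `# container deployments are not digest-pinned unless vault_digest_checksum is set`. Separately, the directory is named `groups_vars`, which Ansible does not auto-load (it looks for `group_vars`). Nothing visible in this diff merges `vault_downloads` into the download role's `downloads` map either, so these values presumably have to be wired in by hand.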
diff --git a/contrib/vault/requirements.txt b/contrib/vault/requirements.txt
new file mode 100644
index 0000000000000000000000000000000000000000..a2aa127e3cc810be088d0f40e3a19518a361746d
--- /dev/null
+++ b/contrib/vault/requirements.txt
@@ -0,0 +1 @@
+ansible-modules-hashivault>=3.9.4
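Review bot: `ansible-modules-hashivault>=3.9.4` is an open-ended lower bound, so a later install of this retired role pulls whatever release is newest at that time rather than a version known to work with it. An exact pin such as `ansible-modules-hashivault==3.9.4` would keep the contrib role reproducible. The root `requirements.txt` hunk later in this diff drops this module but keeps `hvac` as a context line with no version constraint. If Vault was its only consumer (not visible here), `hvac` belongs in this file rather than in the main dependency set.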
diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/contrib/vault/roles/etcd/vault/tasks/gen_certs_vault.yml
similarity index 100%
rename from roles/etcd/tasks/gen_certs_vault.yml
rename to contrib/vault/roles/etcd/vault/tasks/gen_certs_vault.yml
diff --git a/roles/etcd/tasks/sync_etcd_master_certs.yml b/contrib/vault/roles/etcd/vault/tasks/sync_etcd_master_certs.yml
similarity index 100%
rename from roles/etcd/tasks/sync_etcd_master_certs.yml
rename to contrib/vault/roles/etcd/vault/tasks/sync_etcd_master_certs.yml
diff --git a/roles/etcd/tasks/sync_etcd_node_certs.yml b/contrib/vault/roles/etcd/vault/tasks/sync_etcd_node_certs.yml
similarity index 100%
rename from roles/etcd/tasks/sync_etcd_node_certs.yml
rename to contrib/vault/roles/etcd/vault/tasks/sync_etcd_node_certs.yml
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/contrib/vault/roles/kubernetes/vault-secrets/tasks/gen_certs_vault.yml
similarity index 100%
rename from roles/kubernetes/secrets/tasks/gen_certs_vault.yml
rename to contrib/vault/roles/kubernetes/vault-secrets/tasks/gen_certs_vault.yml
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_master_certs.yml
similarity index 100%
rename from roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
rename to contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_master_certs.yml
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml b/contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_node_certs.yml
similarity index 100%
rename from roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml
rename to contrib/vault/roles/kubernetes/vault-secrets/tasks/sync_kube_node_certs.yml
diff --git a/roles/vault/defaults/main.yml b/contrib/vault/roles/vault/defaults/main.yml
similarity index 100%
rename from roles/vault/defaults/main.yml
rename to contrib/vault/roles/vault/defaults/main.yml
diff --git a/roles/vault/handlers/main.yml b/contrib/vault/roles/vault/handlers/main.yml
similarity index 100%
rename from roles/vault/handlers/main.yml
rename to contrib/vault/roles/vault/handlers/main.yml
diff --git a/roles/vault/meta/main.yml b/contrib/vault/roles/vault/meta/main.yml
similarity index 100%
rename from roles/vault/meta/main.yml
rename to contrib/vault/roles/vault/meta/main.yml
diff --git a/roles/vault/tasks/bootstrap/ca_trust.yml b/contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/ca_trust.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/ca_trust.yml
diff --git a/roles/vault/tasks/bootstrap/create_mounts.yml b/contrib/vault/roles/vault/tasks/bootstrap/create_mounts.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/create_mounts.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/create_mounts.yml
diff --git a/roles/vault/tasks/bootstrap/create_roles.yml b/contrib/vault/roles/vault/tasks/bootstrap/create_roles.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/create_roles.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/create_roles.yml
diff --git a/roles/vault/tasks/bootstrap/gen_vault_certs.yml b/contrib/vault/roles/vault/tasks/bootstrap/gen_vault_certs.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/gen_vault_certs.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/gen_vault_certs.yml
diff --git a/roles/vault/tasks/bootstrap/main.yml b/contrib/vault/roles/vault/tasks/bootstrap/main.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/main.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/main.yml
diff --git a/roles/vault/tasks/bootstrap/start_vault_temp.yml b/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/start_vault_temp.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml
diff --git a/roles/vault/tasks/bootstrap/sync_etcd_certs.yml b/contrib/vault/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/sync_etcd_certs.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
diff --git a/roles/vault/tasks/bootstrap/sync_secrets.yml b/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/sync_secrets.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml
diff --git a/roles/vault/tasks/bootstrap/sync_vault_certs.yml b/contrib/vault/roles/vault/tasks/bootstrap/sync_vault_certs.yml
similarity index 100%
rename from roles/vault/tasks/bootstrap/sync_vault_certs.yml
rename to contrib/vault/roles/vault/tasks/bootstrap/sync_vault_certs.yml
diff --git a/roles/vault/tasks/cluster/binary.yml b/contrib/vault/roles/vault/tasks/cluster/binary.yml
similarity index 100%
rename from roles/vault/tasks/cluster/binary.yml
rename to contrib/vault/roles/vault/tasks/cluster/binary.yml
diff --git a/roles/vault/tasks/cluster/configure.yml b/contrib/vault/roles/vault/tasks/cluster/configure.yml
similarity index 100%
rename from roles/vault/tasks/cluster/configure.yml
rename to contrib/vault/roles/vault/tasks/cluster/configure.yml
diff --git a/roles/vault/tasks/cluster/create_mounts.yml b/contrib/vault/roles/vault/tasks/cluster/create_mounts.yml
similarity index 100%
rename from roles/vault/tasks/cluster/create_mounts.yml
rename to contrib/vault/roles/vault/tasks/cluster/create_mounts.yml
diff --git a/roles/vault/tasks/cluster/create_roles.yml b/contrib/vault/roles/vault/tasks/cluster/create_roles.yml
similarity index 100%
rename from roles/vault/tasks/cluster/create_roles.yml
rename to contrib/vault/roles/vault/tasks/cluster/create_roles.yml
diff --git a/roles/vault/tasks/cluster/init.yml b/contrib/vault/roles/vault/tasks/cluster/init.yml
similarity index 100%
rename from roles/vault/tasks/cluster/init.yml
rename to contrib/vault/roles/vault/tasks/cluster/init.yml
diff --git a/roles/vault/tasks/cluster/main.yml b/contrib/vault/roles/vault/tasks/cluster/main.yml
similarity index 100%
rename from roles/vault/tasks/cluster/main.yml
rename to contrib/vault/roles/vault/tasks/cluster/main.yml
diff --git a/roles/vault/tasks/cluster/systemd.yml b/contrib/vault/roles/vault/tasks/cluster/systemd.yml
similarity index 100%
rename from roles/vault/tasks/cluster/systemd.yml
rename to contrib/vault/roles/vault/tasks/cluster/systemd.yml
diff --git a/roles/vault/tasks/cluster/unseal.yml b/contrib/vault/roles/vault/tasks/cluster/unseal.yml
similarity index 100%
rename from roles/vault/tasks/cluster/unseal.yml
rename to contrib/vault/roles/vault/tasks/cluster/unseal.yml
diff --git a/roles/vault/tasks/main.yml b/contrib/vault/roles/vault/tasks/main.yml
similarity index 100%
rename from roles/vault/tasks/main.yml
rename to contrib/vault/roles/vault/tasks/main.yml
diff --git a/roles/vault/tasks/shared/auth_backend.yml b/contrib/vault/roles/vault/tasks/shared/auth_backend.yml
similarity index 100%
rename from roles/vault/tasks/shared/auth_backend.yml
rename to contrib/vault/roles/vault/tasks/shared/auth_backend.yml
diff --git a/roles/vault/tasks/shared/cert_auth_mount.yml b/contrib/vault/roles/vault/tasks/shared/cert_auth_mount.yml
similarity index 100%
rename from roles/vault/tasks/shared/cert_auth_mount.yml
rename to contrib/vault/roles/vault/tasks/shared/cert_auth_mount.yml
diff --git a/roles/vault/tasks/shared/check_etcd.yml b/contrib/vault/roles/vault/tasks/shared/check_etcd.yml
similarity index 100%
rename from roles/vault/tasks/shared/check_etcd.yml
rename to contrib/vault/roles/vault/tasks/shared/check_etcd.yml
diff --git a/roles/vault/tasks/shared/check_vault.yml b/contrib/vault/roles/vault/tasks/shared/check_vault.yml
similarity index 100%
rename from roles/vault/tasks/shared/check_vault.yml
rename to contrib/vault/roles/vault/tasks/shared/check_vault.yml
diff --git a/roles/vault/tasks/shared/config_ca.yml b/contrib/vault/roles/vault/tasks/shared/config_ca.yml
similarity index 100%
rename from roles/vault/tasks/shared/config_ca.yml
rename to contrib/vault/roles/vault/tasks/shared/config_ca.yml
diff --git a/roles/vault/tasks/shared/create_mount.yml b/contrib/vault/roles/vault/tasks/shared/create_mount.yml
similarity index 100%
rename from roles/vault/tasks/shared/create_mount.yml
rename to contrib/vault/roles/vault/tasks/shared/create_mount.yml
diff --git a/roles/vault/tasks/shared/create_role.yml b/contrib/vault/roles/vault/tasks/shared/create_role.yml
similarity index 100%
rename from roles/vault/tasks/shared/create_role.yml
rename to contrib/vault/roles/vault/tasks/shared/create_role.yml
diff --git a/roles/vault/tasks/shared/find_leader.yml b/contrib/vault/roles/vault/tasks/shared/find_leader.yml
similarity index 100%
rename from roles/vault/tasks/shared/find_leader.yml
rename to contrib/vault/roles/vault/tasks/shared/find_leader.yml
diff --git a/roles/vault/tasks/shared/gen_ca.yml b/contrib/vault/roles/vault/tasks/shared/gen_ca.yml
similarity index 100%
rename from roles/vault/tasks/shared/gen_ca.yml
rename to contrib/vault/roles/vault/tasks/shared/gen_ca.yml
diff --git a/roles/vault/tasks/shared/gen_userpass.yml b/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml
similarity index 100%
rename from roles/vault/tasks/shared/gen_userpass.yml
rename to contrib/vault/roles/vault/tasks/shared/gen_userpass.yml
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/contrib/vault/roles/vault/tasks/shared/issue_cert.yml
similarity index 100%
rename from roles/vault/tasks/shared/issue_cert.yml
rename to contrib/vault/roles/vault/tasks/shared/issue_cert.yml
diff --git a/roles/vault/tasks/shared/pki_mount.yml b/contrib/vault/roles/vault/tasks/shared/pki_mount.yml
similarity index 100%
rename from roles/vault/tasks/shared/pki_mount.yml
rename to contrib/vault/roles/vault/tasks/shared/pki_mount.yml
diff --git a/roles/vault/tasks/shared/sync.yml b/contrib/vault/roles/vault/tasks/shared/sync.yml
similarity index 100%
rename from roles/vault/tasks/shared/sync.yml
rename to contrib/vault/roles/vault/tasks/shared/sync.yml
diff --git a/roles/vault/tasks/shared/sync_auth_certs.yml b/contrib/vault/roles/vault/tasks/shared/sync_auth_certs.yml
similarity index 100%
rename from roles/vault/tasks/shared/sync_auth_certs.yml
rename to contrib/vault/roles/vault/tasks/shared/sync_auth_certs.yml
diff --git a/roles/vault/tasks/shared/sync_file.yml b/contrib/vault/roles/vault/tasks/shared/sync_file.yml
similarity index 100%
rename from roles/vault/tasks/shared/sync_file.yml
rename to contrib/vault/roles/vault/tasks/shared/sync_file.yml
diff --git a/roles/vault/templates/docker.service.j2 b/contrib/vault/roles/vault/templates/docker.service.j2
similarity index 100%
rename from roles/vault/templates/docker.service.j2
rename to contrib/vault/roles/vault/templates/docker.service.j2
diff --git a/roles/vault/templates/host.service.j2 b/contrib/vault/roles/vault/templates/host.service.j2
similarity index 100%
rename from roles/vault/templates/host.service.j2
rename to contrib/vault/roles/vault/templates/host.service.j2
diff --git a/roles/vault/templates/http-proxy.conf.j2 b/contrib/vault/roles/vault/templates/http-proxy.conf.j2
similarity index 100%
rename from roles/vault/templates/http-proxy.conf.j2
rename to contrib/vault/roles/vault/templates/http-proxy.conf.j2
diff --git a/roles/vault/templates/rkt.service.j2 b/contrib/vault/roles/vault/templates/rkt.service.j2
similarity index 100%
rename from roles/vault/templates/rkt.service.j2
rename to contrib/vault/roles/vault/templates/rkt.service.j2
diff --git a/docs/vault.md b/contrib/vault/vault.md
similarity index 96%
rename from docs/vault.md
rename to contrib/vault/vault.md
index 2923cfd451308fae91349aba608bb425b76e7cb0..014cf02519e7541e0e2350249d523930b75d1bad 100644
--- a/docs/vault.md
+++ b/contrib/vault/vault.md
@@ -1,3 +1,6 @@
+# /!\ The vault role have been retired from the main playbook.
+# This role probably requires a LOT of changes in order to work again
+
 Hashicorp Vault Role
 ====================
 
@@ -8,7 +11,7 @@ The Vault role is a two-step process:
 
 1. Bootstrap
 
-You cannot start your certificate management service securely with SSL (and 
+You cannot start your certificate management service securely with SSL (and
 the datastore behind it) without having the certificates in-hand already. This
 presents an unfortunate chicken and egg scenario, with one requiring the other.
 To solve for this, the Bootstrap step was added.
@@ -80,7 +83,7 @@ Additional Notes:
 
 - ``groups.vault|first`` is considered the source of truth for Vault variables
 - ``vault_leader_url`` is used as pointer for the current running Vault
-- Each service should have its own role and credentials. Currently those 
+- Each service should have its own role and credentials. Currently those
   credentials are saved to ``/etc/vault/roles/<role>/``. The service will
   need to read in those credentials, if they want to interact with Vault.
 
diff --git a/docs/integration.md b/docs/integration.md
index 4661afdf39929d4ea338fbd136a77a1c4aa9232b..5b385aa4bda1da676d6be68bf113a9bcad0d6ab5 100644
--- a/docs/integration.md
+++ b/docs/integration.md
@@ -1,12 +1,12 @@
-# Kubespray (kargo) in own ansible playbooks repo
+# Kubespray (kubespray) in own ansible playbooks repo
 
-1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.  
+1. Fork [kubespray repo](https://github.com/kubernetes-incubator/kubespray) to your personal/organisation account on github.
    Note:
-     * All forked public repos at github will be also public, so **never commit sensitive data to your public forks**. 
+     * All forked public repos at github will be also public, so **never commit sensitive data to your public forks**.
    * List of all forked repos could be retrieved from github page of original project.
 
-2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray): 
-  ```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```  
+2. Add **forked repo** as submodule to desired folder in your existent ansible repo(for example 3d/kubespray):
+  ```git submodule add https://github.com/YOUR_GITHUB/kubespray.git kubespray```
   Git will create _.gitmodules_ file in your existent ansible repo:
    ```
    [submodule "3d/kubespray"]
@@ -14,22 +14,22 @@
          url = https://github.com/YOUR_GITHUB/kubespray.git
    ```
 
-3. Configure git to show submodule status:  
+3. Configure git to show submodule status:
 ```git config --global status.submoduleSummary true```
 
-4. Add *original* kubespray repo as upstream:  
+4. Add *original* kubespray repo as upstream:
 ```git remote add upstream https://github.com/kubernetes-incubator/kubespray.git```
 
-5. Sync your master branch with upstream: 
+5. Sync your master branch with upstream:
    ```
       git checkout master
       git fetch upstream
       git merge upstream/master
       git push origin master
    ```
- 
-6. Create a new branch which you will use in your working environment:  
-```git checkout -b work```  
+
+6. Create a new branch which you will use in your working environment:
+```git checkout -b work```
     ***Never*** use master branch of your repository for your commits.
 
 7. Modify path to library and roles in your ansible.cfg file (role naming should be uniq, you may have to rename your existent roles if they have same names as kubespray project):
@@ -43,42 +43,39 @@
 8. Copy and modify configs from kubespray `group_vars` folder to corresponging `group_vars` folder in your existent project.
 You could rename *all.yml* config to something else, i.e. *kubespray.yml* and create corresponding group in your inventory file, which will include all hosts groups related to kubernetes setup.
 
-9. Modify your ansible inventory file by adding mapping of your existent groups (if any) to kubespray naming.  
+9. Modify your ansible inventory file by adding mapping of your existent groups (if any) to kubespray naming.
    For example:
    ```
      ...
      #Kargo groups:
      [kube-node:children]
      kubenode
-     
+
      [k8s-cluster:children]
      kubernetes
-     
+
      [etcd:children]
      kubemaster
      kubemaster-ha
-     
+
      [kube-master:children]
      kubemaster
      kubemaster-ha
-     
-     [vault:children]
-     kube-master
-     
+
      [kubespray:children]
      kubernetes
      ```
      * Last entry here needed to apply kubespray.yml config file, renamed from all.yml of kubespray project.
 
-10. Now you can include kargo tasks in you existent playbooks by including cluster.yml file: 
+10. Now you can include kubespray tasks in you existent playbooks by including cluster.yml file:
      ```
-     - name: Include kargo tasks
+     - name: Include kubespray tasks
        include: 3d/kubespray/cluster.yml
-     ``` 
+     ```
      Or your could copy separate tasks from cluster.yml into your ansible repository.
 
-11. Commit changes to your ansible repo. Keep in mind, that submodule folder is just a link to the git commit hash of your forked repo.  
-When you update your "work" branch you need to commit changes to ansible repo as well.  
+11. Commit changes to your ansible repo. Keep in mind, that submodule folder is just a link to the git commit hash of your forked repo.
+When you update your "work" branch you need to commit changes to ansible repo as well.
 Other members of your team should use ```git submodule sync```, ```git submodule update --init``` to get actual code from submodule.
 
 # Contributing
@@ -88,8 +85,8 @@ If you made useful changes or fixed a bug in existent kubespray repo, use this f
 
 1. Change working directory to git submodule directory (3d/kubespray).
 
-2. Setup desired user.name and user.email for submodule.  
-If kubespray is only one submodule in your repo you could use something like:  
+2. Setup desired user.name and user.email for submodule.
+If kubespray is only one submodule in your repo you could use something like:
 ```git submodule foreach --recursive 'git config user.name "First Last" && git config user.email "your-email-addres@used.for.cncf"'```
 
 3. Sync with upstream master:
@@ -98,24 +95,24 @@ If kubespray is only one submodule in your repo you could use something like:
     git merge upstream/master
     git push origin master
      ```
-4. Create new branch for the specific fixes that you want to contribute:  
-```git checkout -b fixes-name-date-index```  
+4. Create new branch for the specific fixes that you want to contribute:
+```git checkout -b fixes-name-date-index```
 Branch name should be self explaining to you, adding date and/or index will help you to track/delete your old PRs.
 
 5. Find git hash of your commit in "work" repo and apply it to newly created "fix" repo:
      ```
      git cherry-pick <COMMIT_HASH>
      ```
-6. If your have several temporary-stage commits - squash them using [```git rebase -i```](http://eli.thegreenplace.net/2014/02/19/squashing-github-pull-requests-into-a-single-commit) 
+6. If your have several temporary-stage commits - squash them using [```git rebase -i```](http://eli.thegreenplace.net/2014/02/19/squashing-github-pull-requests-into-a-single-commit)
 Also you could use interactive rebase (```git rebase -i HEAD~10```) to delete commits which you don't want to contribute into original repo.
 
-7. When your changes is in place, you need to check upstream repo one more time because it could be changed during your work.  
-Check that you're on correct branch:  
-```git status```  
-And pull changes from upstream (if any):  
+7. When your changes is in place, you need to check upstream repo one more time because it could be changed during your work.
+Check that you're on correct branch:
+```git status```
+And pull changes from upstream (if any):
 ```git pull --rebase upstream master```
 
 8. Now push your changes to your **fork** repo with ```git push```. If your branch doesn't exists on github, git will propose you to use something like ```git push --set-upstream origin fixes-name-date-index```.
 
-9. Open you forked repo in browser, on the main page you will see proposition to create pull request for your newly created branch. Check proposed diff of your PR. If something is wrong you could safely delete "fix" branch on github using ```git push origin --delete fixes-name-date-index```, ```git branch -D fixes-name-date-index``` and start whole process from the beginning.  
+9. Open you forked repo in browser, on the main page you will see proposition to create pull request for your newly created branch. Check proposed diff of your PR. If something is wrong you could safely delete "fix" branch on github using ```git push origin --delete fixes-name-date-index```, ```git branch -D fixes-name-date-index``` and start whole process from the beginning.
 If everything is fine - add description about your changes (what they do and why they're needed) and confirm pull request creation.
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index dbe608faae820d909d0ac2d6f92f66a43001d291..368b9444815b84dbe29daf2eb73b4d96dcb31672 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -64,9 +64,10 @@ bin_dir: /usr/local/bin
 #additional_no_proxy: ""
 
 ## Certificate Management
-## This setting determines whether certs are generated via scripts or whether a
-## cluster of Hashicorp's Vault is started to issue certificates (using etcd
-## as a backend). Options are "script" or "vault"
+## This setting determines whether certs are generated via scripts.
+## Chose 'none' if you provide your own certificates.
+## Option is  "script", "none"
+## note: vault is removed
 #cert_management: script
 
 ## Set to true to allow pre-checks to fail and continue deployment
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index 920dc96bcb8b66f445779830ae5746af66f9e08e..88592e399a069b138d8f62032d5b252b4d8c4b74 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -132,7 +132,6 @@ container_manager: docker
 ## Settings for containerized control plane (etcd/kubelet/secrets)
 etcd_deployment_type: docker
 kubelet_deployment_type: host
-vault_deployment_type: docker
 helm_deployment_type: host
 
 # K8s image pull policy (imagePullPolicy)
diff --git a/remove-node.yml b/remove-node.yml
index 2b2dacbabf1c3816b5413b999c93e8bfa5e30426..7678989cada6966539f96557d46aae2aef26817c 100644
--- a/remove-node.yml
+++ b/remove-node.yml
@@ -17,7 +17,7 @@
     ansible_ssh_pipelining: true
   gather_facts: true
 
-- hosts: "{{ node | default('etcd:k8s-cluster:vault:calico-rr') }}"
+- hosts: "{{ node | default('etcd:k8s-cluster:calico-rr') }}"
   vars_prompt:
     name: "delete_nodes_confirmation"
     prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."
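Review bot: Dropping `vault` from the default host pattern means a host that is only in the `vault` group is no longer targeted by this play, and the same applies to the `reset.yml` hunk. For clusters previously deployed with `cert_management: vault`, the data that the moved vars file places under `/etc/vault` (certs, role credentials, secrets) may stay on those hosts after a reset or node removal. Whether the reset role cleaned those paths before is not visible here. A comment above the play such as `# hosts that are only in the former 'vault' group are no longer reset; clean /etc/vault manually`, or a line in the upgrade notes, would cover it. The play body continues outside the hunk.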
diff --git a/requirements.txt b/requirements.txt
index 1e3300434fb7bec18e30e2e909f88367d1a0b3c4..e36ab79d4db2bc5e5302f46c5817c16e545331cb 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,5 +2,4 @@ ansible>=2.5.0,!=2.7.0
 jinja2>=2.9.6
 netaddr
 pbr>=1.6
-ansible-modules-hashivault>=3.9.4
 hvac
diff --git a/reset.yml b/reset.yml
index a416dd7ee7d1d9d458ac606a60eb033830b31b1f..02f2b14c9642e1dcfd3fed7fd96d7b0bc63f9240 100644
--- a/reset.yml
+++ b/reset.yml
@@ -15,7 +15,7 @@
 - hosts: all
   gather_facts: true
 
-- hosts: etcd:k8s-cluster:vault:calico-rr
+- hosts: etcd:k8s-cluster:calico-rr
   vars_prompt:
     name: "reset_confirmation"
     prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index c28dcd2e3361c58c6ac93c8edda739ca72ac4d0e..85acb3bcd244a96a67ab941bf687e5a07d3d1c83 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -53,7 +53,7 @@ calico_rr_version: "v0.6.1"
 flannel_version: "v0.10.0"
 flannel_cni_version: "v0.3.0"
 
-vault_version: 0.10.1
+
 weave_version: "2.4.1"
 pod_infra_version: 3.1
 contiv_version: 1.2.1
@@ -63,7 +63,6 @@ multus_version: "v3.1.autoconf"
 
 # Download URLs
 kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
-vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
 etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
 hyperkube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64/hyperkube"
 
@@ -104,7 +103,7 @@ kubeadm_checksums:
   v1.10.0: ebbac985834289037b544523c3e2f39bb44bea938aca9d9e88ef7e880fb8472f
 
 etcd_binary_checksum: 947849dbcfa13927c81236fb76a7c01d587bbab42ab1e807184cd91b026ebed7
-vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+
 hyperkube_binary_checksum: "{{ hyperkube_checksums[kube_version] }}"
 kubeadm_binary_checksum: "{{ kubeadm_checksums[kubeadm_version] }}"
 
@@ -196,8 +195,7 @@ helm_image_repo: "lachlanevenson/k8s-helm"
 helm_image_tag: "{{ helm_version }}"
 tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
 tiller_image_tag: "{{ helm_version }}"
-vault_image_repo: "vault"
-vault_image_tag: "{{ vault_version }}"
+
 registry_image_repo: "registry"
 registry_image_tag: "2.6"
 registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
@@ -534,22 +532,6 @@ downloads:
     groups:
       - kube-node
 
-  vault:
-    enabled: "{{ cert_management == 'vault' }}"
-    container: "{{ vault_deployment_type != 'host' }}"
-    file: "{{ vault_deployment_type == 'host' }}"
-    dest: "{{local_release_dir}}/vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
-    mode: "0755"
-    owner: "vault"
-    repo: "{{ vault_image_repo }}"
-    sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
-    tag: "{{ vault_image_tag }}"
-    unarchive: true
-    url: "{{ vault_download_url }}"
-    version: "{{ vault_version }}"
-    groups:
-      - vault
-
   registry:
     enabled: "{{ registry_enabled }}"
     container: true
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 57e1bc078c0926484afa038aadfdb7c40fad6d79..48a68b61cec5e74e03488567e19efcc5af237271 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -57,8 +57,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
 
 etcd_compaction_retention: "8"
 
-etcd_vault_mount_path: "/etcd"
-
 # Force clients like etcdctl to use TLS certs (different than peer security)
 etcd_secure_client: true
 
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index c59df8af00ccf31bbc52670f7005c0ddfb59c73a..62ece6e99d43315202555df5c147a406e491037a 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -3,5 +3,3 @@ dependencies:
   - role: adduser
     user: "{{ addusers.etcd }}"
     when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
-
-# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 1d2d6ef805907ac9b287f8f0f11138416102a806..966c555d54a29e1a7d1f0030fd1d78ff5931d549 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -5,7 +5,9 @@
     - etcd-secrets
     - facts
 
-- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == "script"
   tags:
     - etcd-secrets
 
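Review bot: When `cert_management` is `none`, this include is skipped silently, and nothing in the hunk checks that etcd certificates already exist, even though the role defaults shown earlier keep `etcd_secure_client: true`. If `none` is meant as "certificates are supplied by the operator" (inferred, not stated on the page), say so above the task, e.g. `# cert_management == 'none': nothing is generated here; certs must already be on the hosts`. A later assert on the expected certificate files would then fail early instead of at etcd start. The same applies to the matching include in the `roles/kubernetes/secrets/tasks/main.yml` hunk, which also quotes the literal differently (`'script'` there, `"script"` here). The rest of the task file lies outside the hunk, so such a check may already exist.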
diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
index 1b92896ab281fcc96b2cb4ef41f4be80bc80e6a4..15c188d1cbd415360149a47c6b13d715674637c8 100644
--- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -188,13 +188,19 @@
   when: kube_proxy_mode is defined
   run_once: true
 
-- name: Stop if unknown cert_management
+- name: Stop if vault is chose
   assert:
-    that: cert_management in ['script', 'vault']
-    msg: "cert_management can only be 'script' or 'vault'"
+    that: cert_management != 'vault'
+    msg: "Support for vault have been removed, please use 'script' or 'none'"
   when: cert_management is defined
   run_once: true
 
+- name: Stop if unknown cert_management
+  assert:
+    that: cert_management|d('script') in ['script', 'none']
+    msg: "cert_management can only be 'script' or 'none'"
+  run_once: true
+
 - name: Stop if unknown resolvconf_mode
   assert:
     that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
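Review bot: The added vault task has grammar slips in its name and message that will show up in operator-facing output; I would write `- name: Stop if vault is chosen` and `msg: "Support for vault has been removed, please use 'script' or 'none'"`. The newly accepted value `none` is not explained in this hunk. Since it causes the etcd and secrets roles to skip certificate generation, a comment above the second assert would help, such as `# 'none' skips certificate generation; certs are presumably provisioned out of band`. The two asserts also guard the undefined case differently (`when: cert_management is defined` versus `|d('script')`), which works but reads more easily in one style.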
diff --git a/roles/kubernetes/secrets/defaults/main.yml b/roles/kubernetes/secrets/defaults/main.yml
index 34c42bc204b2bdc23e1f16b579bd83e56b4cab8f..e6177857e33b46a30919ceffcd12fe5cec11011b 100644
--- a/roles/kubernetes/secrets/defaults/main.yml
+++ b/roles/kubernetes/secrets/defaults/main.yml
@@ -1,3 +1,2 @@
 ---
 kube_cert_group: kube-cert
-kube_vault_mount_path: "/kube"
diff --git a/roles/kubernetes/secrets/meta/main.yml b/roles/kubernetes/secrets/meta/main.yml
index dca73457525a046819a40dcfc57af09133fa3661..ed97d539c095cf1413af30cc23dea272095b97dd 100644
--- a/roles/kubernetes/secrets/meta/main.yml
+++ b/roles/kubernetes/secrets/meta/main.yml
@@ -1,2 +1 @@
 ---
-# NOTE: Dynamic task dependency on Vault Role if cert_management == "vault"
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 232474f67a849f8a7bb087c0cf266cb55da6a5ef..abc850cbb111ef18ef7d7f7e736ba110d9aeff2a 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -69,7 +69,9 @@
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
 
-- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == 'script'
   tags:
     - k8s-secrets
     - k8s-gen-certs
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 19f3ac59f61d59ef0ab270c7d7bc995465d40e31..673fe2c682d7a68ac83af47f45ec5ee771c12c18 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -224,7 +224,7 @@ docker_options: >-
 etcd_deployment_type: docker
 kubelet_deployment_type: docker
 cert_management: script
-vault_deployment_type: docker
+
 helm_deployment_type: host
 
 # Enable kubeadm deployment (experimental)
@@ -303,13 +303,6 @@ kube_feature_gates: |-
   {{ feature_gate_v1_12 }}
   {%- endif %}
 
-# Vault data dirs.
-vault_base_dir: /etc/vault
-vault_cert_dir: "{{ vault_base_dir }}/ssl"
-vault_config_dir: "{{ vault_base_dir }}/config"
-vault_roles_dir: "{{ vault_base_dir }}/roles"
-vault_secrets_dir: "{{ vault_base_dir }}/secrets"
-
 # Local volume provisioner storage classes
 local_volume_provisioner_storage_classes:
   - name: "{{ local_volume_provisioner_storage_class | default('local-storage') }}"
diff --git a/scale.yml b/scale.yml
index fa1f91ed9df486a0943f70811ca07bcb60ab37a6..47a4933ba43bb642dbc6e893820a4ececebf9db5 100644
--- a/scale.yml
+++ b/scale.yml
@@ -51,7 +51,6 @@
     - { role: container-engine, tags: "container-engine"}
     - { role: download, tags: download, when: "not skip_downloads" }
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
     - { role: kubernetes/node, tags: node }
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: network_plugin, tags: network }
diff --git a/tests/files/gce_coreos-vault-upgrade.yml b/tests/files/gce_coreos-vault-upgrade.yml
deleted file mode 100644
index e0c2ac7d5a28ef84a32467d30e76f6f0278c75ac..0000000000000000000000000000000000000000
--- a/tests/files/gce_coreos-vault-upgrade.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Instance settings
-cloud_machine_type: "n1-standard-1"
-cloud_image_family: coreos-stable
-cloud_region: us-central1-b
-mode: aio
-
-# Instance settings
-cert_management: vault
-kube_network_plugin: flannel
-deploy_netchecker: true
-kubedns_min_replicas: 1
-cloud_provider: gce
diff --git a/tests/files/gce_ubuntu-vault-sep.yml b/tests/files/gce_ubuntu-vault-sep.yml
deleted file mode 100644
index c09be7c3822a5e53417593d686d333aaaf5bec56..0000000000000000000000000000000000000000
--- a/tests/files/gce_ubuntu-vault-sep.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Instance settings
-cloud_machine_type: "n1-standard-1"
-cloud_image_family: ubuntu-1604-lts
-cloud_region: us-central1-b
-mode: separate
-
-# Instance settings
-cert_management: vault
-kube_network_plugin: canal
-deploy_netchecker: true
-kubedns_min_replicas: 1
-cloud_provider: gce
diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml
index 76d1a28e732f7eadef115d3bbe02a30ead59de85..d35b25812d4b06863b0cdf9686aa024f3487db0a 100644
--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@@ -52,13 +52,6 @@
     - { role: download, tags: download, when: "not skip_downloads" }
   environment: "{{proxy_env}}"
 
-- hosts: etcd:k8s-cluster:vault
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'" }
-    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }
-  environment: "{{proxy_env}}"
-
 - hosts: etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -71,13 +64,6 @@
     - { role: kubespray-defaults}
     - { role: etcd, tags: etcd, etcd_cluster_setup: false }
 
-- hosts: etcd:k8s-cluster:vault
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults, when: "cert_management == 'vault'"}
-    - { role: vault, tags: vault, when: "cert_management == 'vault'"}
-  environment: "{{proxy_env}}"
-
 #Handle upgrades to master components first to maintain backwards compat.
 - hosts: kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"