* Add kube dashboard, enabled by default

Also add rbac role for kube user

* Update main.yml

* Refactor downloads

Add prefixes to tasks (file vs container)
Remove some delegates
Clean up some conditions

* Update ansible.cfg

Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster (#1632)

Removed unnecessary root user

This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started

the uploads.yml playbook was broken with checksum mismatch errors in
various kubespray commits, for example, 3bfad5ca
which updated the version from 3.0.6 to 3.0.17 without updating the
corresponding checksums.

Due to various occasional docker bugs, removing a container will sometimes fail. This can often be mitigated by trying again.

* Fix an error with Canal when RBAC are disabled

* Update using same rbac strategy used elsewhere

This allows the node authorization plugin to function correctly

  * using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;

lost executable path

* Use kubectl apply instead of create/replace

Disable checks for existing resources to speed up execution.

* Fix non-rbac deployment of resources as a list

* Fix autoscaler tolerations field

* set all kube resources to state=latest

* Update netchecker and weave

Canal will be covered by a separate PR

* Drop legacy calico logic

* add calico as a daemonset

Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
Added rbac for calico policy controller

* Add RBAC policies to dnsmasq

* fix merge conflict

* yamllint

* use .j2 extension for dnsmasq autoscaler

* Include /opt/bin in PATH for host deployed kubelet on CoreOS

* Removing conditional check for CoreOS

* Added update CA trust step for etcd and kube/secrets roles

* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.

* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.

* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.

* Fixed different certificates set for vault cert_managment

* Update doc/vault.md

* Fixed condition create vault CA, wrong group

* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts

* Removed wrong when condition in create etcd role vault tasks.

Fixes #1573

update calico releases link

* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI
* Removes old Flannel installation
* Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host
* Uses RBAC if enabled
* Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set

* Added private key file to ssh bastion conf

* Used regular if condition insted of inline conditional

Added toleration to DNS, netchecker, fluentd, canal, and
calico policy.

Also small fixes to make yamllint pass.