Kubespray: Problem with Vault deployment

Created on 17 May 2018 · 5 Comments · Source: kubernetes-sigs/kubespray

BUG REPORT or FEATURE REQUEST?:
Bug

Environment:

  • Cloud provider or hardware configuration:
    VirtualBox 3 VM (2CPU, 4GB RAM, 20GB SSD)
  • OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
Linux 3.10.0-693.21.1.el7.x86_64 x86_64
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
  • Version of Ansible (ansible --version):
    ansible 2.4.3.0

Kubespray version (commit) (git rev-parse --short HEAD):
2.5.0

Network plugin used:
calico

Copy of your inventory file:

[all]
kube01   ansible_host=192.168.99.100 ip=192.168.99.100
kube02   ansible_host=192.168.99.101 ip=192.168.99.101
kube03   ansible_host=192.168.99.102 ip=192.168.99.102

[kube-master]
kube01       
kube02       
kube03

[kube-node]
kube01   
kube02   
kube03

[etcd]
kube01   
kube02   
kube03   

[kube-ingress]
kube01   
kube02   
kube03

[calico-rr]

[vault]
kube01   
kube02   
kube03

[k8s-cluster:children]
kube-master
kube-node
kube-ingress

Command used to invoke ansible:

ansible-playbook -i inventory/testcluster/hosts.ini cluster.yml -u root

Output of ansible run:
https://gist.github.com/t33m/432b8f6f35b975d796638a67a8eee8af

TASK [vault : include_tasks] ***************************************************************************************************************************************************************************************************************
Thursday 17 May 2018  15:10:48 +0300 (0:00:00.283)       0:09:09.353 **********
included: /Users/t33m/Documents/A/code/kubespray/roles/vault/tasks/shared/create_role.yml for kube01, kube02, kube03

TASK [vault : create_role | Create a policy for the new role] ******************************************************************************************************************************************************************************
Thursday 17 May 2018  15:10:49 +0300 (0:00:00.632)       0:09:09.985 **********
fatal: [kube02]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'vault_root_token' is undefined\n\nThe error appears to have been in '/Users/t33m/Documents/A/code/kubespray/roles/vault/tasks/shared/create_role.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: create_role | Create a policy for the new role\n  ^ here\n\nexception type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception: 'vault_root_token' is undefined"}
fatal: [kube03]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'vault_root_token' is undefined\n\nThe error appears to have been in '/Users/t33m/Documents/A/code/kubespray/roles/vault/tasks/shared/create_role.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: create_role | Create a policy for the new role\n  ^ here\n\nexception type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception: 'vault_root_token' is undefined"}
changed: [kube01]

NO MORE HOSTS LEFT *************************************************************************************************************************************************************************************************************************
    to retry, use: --limit @/Users/t33m/Documents/A/code/kubespray/cluster.retry

PLAY RECAP *********************************************************************************************************************************************************************************************************************************
kube01                     : ok=284  changed=17   unreachable=0    failed=0
kube02                     : ok=256  changed=3    unreachable=0    failed=1
kube03                     : ok=256  changed=3    unreachable=0    failed=1
localhost                  : ok=2    changed=0    unreachable=0    failed=0

Thursday 17 May 2018  15:10:50 +0300 (0:00:00.882)       0:09:10.868 **********
===============================================================================
kubernetes/preinstall : Update package management cache (YUM) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- 30.24s
bootstrap-os : Assign inventory name to unconfigured hostnames (non-CoreOS and Tumbleweed) ----------------------------------------------------------------------------------------------------------------------------------------- 21.26s
gather facts from all instances ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 20.54s
bootstrap-os : Gather nodes hostnames ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 16.32s
docker : Write docker.service systemd file ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 15.81s
docker : Write docker options systemd drop-in -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 15.76s
bootstrap-os : check if atomic host ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 15.71s
docker : Ensure old versions of Docker are not installed. | RedHat ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 12.24s
vault : sync_file | Check if /etc/vault/secrets/unseal_keys file exists ------------------------------------------------------------------------------------------------------------------------------------------------------------ 11.61s
docker : ensure docker packages are installed -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11.12s
docker : Configure docker repository on RedHat/CentOS ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 11.08s
vault : shared/mount | Enable /userpass PKI mount ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11.01s
kubernetes/preinstall : Create kubernetes directories ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 11.00s
docker : Write docker dns systemd drop-in ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 10.90s
bootstrap-os : Remove require tty -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.69s
download : container_download | Create dest directory for saved/loaded container images -------------------------------------------------------------------------------------------------------------------------------------------- 10.42s
vault : sync_file | Check if /etc/vault/ssl/api.pem file exists -------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.41s
vault : sync_file | Check if /etc/vault/secrets/root_token file exists ------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.39s
vault : shared/mount | Enable /etcd PKI mount -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.12s
vault : check_etcd | Check if etcd is up and reachable ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 8.34s

All 5 comments

I have the same problem with Ansible.
I'm running kubespray on several instances inside OpenStack. The Ansible playbook is run inside another instance which has access to those instances. All instances are on Ubuntu 16.04.

After adding "kubelet_max_pods: 110" at the end of the inventory's "group_vars/all.yml", the problem was gone.
But this is just a temporary workaround.

Same here, all of the above.

Facing the same issue.
FAILED! => {"failed": true, "msg": "The task includes an option with an undefined variable. The error was: 'vault_root_token' is undefined\n\nThe error appears to have been in '/xxxx/kubespray/roles/vault/tasks/shared/create_role.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: create_role | Create a policy for the new role\n ^ here\n\nexception type: \nexception: 'vault_root_token' is undefined"}

I solved this by running:

 pip3 install ansible-modules-hashivault

vault has been removed
