From 03e876690543ae3fa063c0f9f4001aba12b3c860 Mon Sep 17 00:00:00 2001 From: Jiri Stransky Date: Mon, 20 Nov 2017 16:59:03 +0100 Subject: [PATCH] Host access fixes for Kubespray playbook run We don't do host key checking for any of our current Ansible executions (validations, ceph-ansible, ...) so let's not do it for Kubespray either. Having it enabled caused Kubespray to stop and ask for confirmation, and given that the outer Ansible action wasn't interactive, it failed. Also we are now setting the become flag only for overcloud machines, rather than globally on the whole ansible-playbook run. Kubespray also accesses localhost for some task, and we won't always run it as a user who is allowed passwordless privilege escalation (e.g. mistral user isn't). Change-Id: Id49b97c2b5d37f6d215132a987a53aa742b4a60f --- extraconfig/services/kubernetes-master.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/extraconfig/services/kubernetes-master.yaml b/extraconfig/services/kubernetes-master.yaml index 189c084d71..1c6ee7f302 100644 --- a/extraconfig/services/kubernetes-master.yaml +++ b/extraconfig/services/kubernetes-master.yaml @@ -104,6 +104,7 @@ outputs: {{ hostvars.raw_get(host)['ansible_hostname'] }}: ansible_user: {{ hostvars.raw_get(host)['ansible_user'] | default(hostvars.raw_get(host)['ansible_ssh_user']) | default('root') }} ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) }} + ansible_become: true {% endfor %} kube-node: @@ -113,6 +114,7 @@ outputs: {{ hostvars.raw_get(host)['ansible_hostname'] }}: ansible_user: {{ hostvars.raw_get(host)['ansible_user'] | default(hostvars.raw_get(host)['ansible_ssh_user']) | default('root') }} ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) }} + ansible_become: true {% endfor %} etcd: 
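Review bot: With the global `-b` dropped in the last hunk, privilege escalation now depends on every overcloud host entry carrying `ansible_become: true`, and this patch adds it only in the two host loops shown here (the one ending before `kube-node:` and the one ending before `etcd:`). The `etcd:` group begins right after the second hunk and its body is outside the diff, so it is worth confirming that it only references hosts already defined in these two loops; a host defined solely there would run its tasks unprivileged. Setting the variable once as a group var on a parent group of the overcloud nodes would avoid the repetition and make a missed group harder to introduce. Because `ansible_user` can fall back to `root`, a short inventory comment such as `# become only on overcloud hosts; localhost tasks run as the invoking user` would record why the flag is per-host.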
@@ -145,8 +147,8 @@ outputs:
 {%- if kubespray_command is defined -%}
 {{kubespray_command}}
 {%- else -%}
+ ANSIBLE_HOST_KEY_CHECKING=False
 ansible-playbook
- -b
 -i '{{playbook_dir}}/kubespray/inventory.yml'
 --skip-tags docker,bastion-ssh-config
 --extra-vars '@{{playbook_dir}}/kubespray/global_vars.yml'
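Review bot: `ANSIBLE_HOST_KEY_CHECKING=False` in the default command removes SSH server authentication for a run that escalates privileges on every overcloud node, so a machine answering on one of the inventory addresses would be accepted without any warning. The non-interactive failure described in the commit message can be avoided while keeping verification, for example by populating `known_hosts` for the inventory hosts before the run, or by passing `-o StrictHostKeyChecking=accept-new` through `ANSIBLE_SSH_ARGS` where the OpenSSH client supports it. If disabling is kept for consistency with the other Ansible executions, a comment next to the variable stating that the deployment network is the trust boundary would make the assumption explicit. The setting also applies only to the `else` branch, so a user-supplied `kubespray_command` gets neither it nor the removed `-b`; the enclosing template starts and ends outside the hunk.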