This service is needed to install CA certificates for the overcloud. We
need it because the plan is to enable public TLS by default. And without
this it won't work.
Some work is being done in I46fce28926cb5a881f7384948480266712ae75e3
to secure SNMP on a specific network but until then we need to stop
opening the services so cloud providers won't report any security issue
for TripleO jobs.
We have swap enabled in CI. By default Kubespray refuses to run with
swap, and so does Kubelet. Make this behavior configurable and allow
swap in the Kubespray scenario env file. It should be fine to run with
swap for development/testing.
By setting loadbalancer_apiserver_localhost to false we tell the
kubelets to register with 1st master rather than assuming there's an
API proxy running on each host.
Also Kubespray expects a specific format of inventory because it tries
to enforce that hostname matches the inventory name of the node. This
previously resulted in incorrect hostnames being set.
And we also open the necessary firewall ports to allow the cluster to
Add external_deploy_tasks for Kubespray installation. This makes
Kubespray installation work with the config download mechanism.
If the undercloud doesn't already contain /usr/share/kubespray
directory, it will be git-cloned. This is to bridge a gap before we
figure out where we get Kubespray RPM from.
Co-Authored-By: Flavio Percoco <firstname.lastname@example.org>