# Input files
Several files must be present on the Ansible controller before the playbooks can be used to deploy the solution.
# Location of input files
The secrets directory, where the input files are stored, is typically /home/ubuntu/anthos_secrets.
Using the default location is recommended, but it can be changed with the following combination of variables:
Variable | File | Description |
---|---|---|
local_user_home | inventory/group_vars/all/all.yml | Set to $HOME |
secrets_directory | inventory/group_vars/all/all.yml | The directory on the ansible controller. Defaults to 'anthos_secrets' |
secrets_path | inventory/group_vars/all/all.yml | Set to <<local_user_home>>/<<secrets_directory>> |
Using the default values, the secrets directory (secrets_path) will be /home/ubuntu/anthos_secrets.
# Required input files
The following files must be present in the secrets directory:
- SSH keypair, deployed to the GKE admin workstation:
  - vsphere_workstation
  - vsphere_workstation.pub
- Whitelisted key:
  - whitelisted-key.json
- Other GCP service account keys:
  - connect-register-key.json
  - connect-agent-key.json
  - audit-logging-key.json
  - logging-monitoring-key.json
  - usage-metering-key.json (optional; used for user cluster resource metering)
- Primary vCenter SSL certificate:
  - vcenter.pem
- Alternative vCenter SSL certificate, if you are deploying the admin workstation on a separate vCenter:
  - gkeadm_alt_vcenter.pem
- Docker registry certificate (optional), with the file name given by the private_reg_cert variable:
  - registry.crt
# SSH keypair
The private key used to connect to the admin workstation is a user-created key; it is not the key that the Anthos 1.4 GKE installer generates automatically.
Use the ssh-keygen command on the Ansible controller to generate the SSH key pair. The empty passphrase (-N "") is what lets the playbooks use the key non-interactively, so the file permissions are the only protection on the private key. For example:
```
ssh-keygen -t rsa -f ~/anthos_secrets/vsphere_workstation -N ""
Generating public/private rsa key pair.
Your identification has been saved in /root/anthos_secrets/vsphere_workstation.
Your public key has been saved in /root/anthos_secrets/vsphere_workstation.pub.
...
```
Ensure the private key is readable only by its owner:
```
chmod 600 <<anthos_secrets>>/vsphere_workstation
```
# vCenter SSL certificate(s)
See the section Generating the vcenter.pem file on the vCenter configuration page for details on how to generate the vCenter SSL certificate file.
If you are deploying the admin workstation to a separate vCenter, you will need to generate a second .pem file and save it to the secrets directory. The file name can be specified using the gke_admin_workstation.alt_vcenter.cacert field.
# Whitelisted account and key
To install GKE on-prem, you must have an Anthos subscription and:
- Create a Google Cloud project.
- In your Google Cloud project, create a service account and arrange for your service account to be whitelisted.
See the Google documentation, Configuring your Google Cloud project, for how to generate the whitelisted key.
Variable | File | Description |
---|---|---|
gke_whitelisted_key | inventory/group_vars/all/all.yml | Defaults to whitelisted-key.json |
# Other service accounts and keys
Other Google Cloud service accounts and keys are required when installing Anthos GKE on-prem. You can create these keys manually by following the Google documentation at Service accounts and keys.
Alternatively, you can run the optional Ansible playbook playbooks/gcp_key_create.yml to create the keys, as described in the section Create GCP keys (optional).
# Docker
If you are using a private Docker registry (for example, in an air-gapped install), you must configure the registry and store the registry's certificate in the secrets directory. For more information, see the section on Docker configuration.
# File names
The following table collects the variables that specify the names of these files:
Variable | File | Description |
---|---|---|
gke_admin_workstation.ssh_private_key | inventory/group_vars/all/all.yml | The name of the generated SSH private key file. Defaults to vsphere_workstation |
gke_whitelisted_key | inventory/group_vars/all/all.yml | The name of the file containing the whitelisted key. Defaults to whitelisted-key.json |
vcenter.cacert | inventory/group_vars/all/all.yml | The name of the file containing the primary vCenter SSL certificate. Defaults to vcenter.pem |
gke_admin_workstation.alt_vcenter.cacert | inventory/group_vars/all/all.yml | The name of the second SSL certificate file, if you are using an alternative vCenter for the admin workstation. Defaults to gkeadm_alt_vcenter.pem |
private_reg_cert | inventory/group_vars/all/all.yml | The name of the certificate file, if you are using a private Docker registry. Defaults to registry.crt |
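As an added preflight check before running the playbooks (example code written for this page, not part of the project), the following script verifies that a secrets directory holds every required file, that the SSH private key and every service account key are readable only by their owner, that each .json key is a service account key rather than a user credential, and that the certificate files are PEM. It assumes the default file names from the tables on this page and takes the directory as an argument instead of reading all.yml; the demo directory it builds at the end contains dummy placeholder contents, not real keys.

```shell
#!/bin/sh
# Added preflight check for the secrets directory (example code, not part of the
# project's playbooks). File names are the defaults from the tables on this page.

# Files that must exist. Optional files (usage-metering-key.json,
# gkeadm_alt_vcenter.pem, registry.crt) are checked only when present.
REQUIRED="vsphere_workstation vsphere_workstation.pub whitelisted-key.json \
connect-register-key.json connect-agent-key.json audit-logging-key.json \
logging-monitoring-key.json vcenter.pem"

# Files that must be readable by their owner only: the SSH private key and
# every GCP service account key.
is_private() {
  case "$1" in
    vsphere_workstation|*.json) return 0 ;;
    *) return 1 ;;
  esac
}

# Group and other permission bits as shown by ls -l (portable; no GNU stat).
other_bits() {
  ls -ld "$1" | cut -c5-10
}

# check_secrets_dir DIR: prints one line per problem and returns the number of
# problems found, so an exit status of 0 means the directory is ready.
check_secrets_dir() {
  dir=$1
  problems=0
  for f in $REQUIRED; do
    if [ ! -f "$dir/$f" ]; then
      echo "MISSING    $f"
      problems=$((problems + 1))
    fi
  done
  for path in "$dir"/*; do
    [ -f "$path" ] || continue
    f=$(basename "$path")
    if is_private "$f" && [ "$(other_bits "$path")" != "------" ]; then
      echo "PERMS      $f is readable by group/other; run chmod 600 on it"
      problems=$((problems + 1))
    fi
    case "$f" in
      *.json)
        # A GCP key must be a service account key, not a user credential file.
        grep -q '"type": *"service_account"' "$path" || {
          echo "NOT-SA-KEY $f does not contain \"type\": \"service_account\""
          problems=$((problems + 1))
        }
        ;;
      *.pem|*.crt)
        # Format check only; it does not validate the certificate or its chain.
        grep -q 'BEGIN CERTIFICATE' "$path" || {
          echo "NOT-PEM    $f is not a PEM certificate"
          problems=$((problems + 1))
        }
        ;;
    esac
  done
  return "$problems"
}

# Build a constructed secrets directory with dummy contents (not real keys).
make_demo_dir() {
  d=$(mktemp -d)
  for f in $REQUIRED; do
    case "$f" in
      *.json) printf '{"type": "service_account", "project_id": "example"}\n' > "$d/$f" ;;
      *.pem)  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' > "$d/$f" ;;
      *)      printf 'dummy key material\n' > "$d/$f" ;;
    esac
  done
  chmod 600 "$d"/vsphere_workstation "$d"/*.json
  echo "$d"
}

demo=$(make_demo_dir)
if check_secrets_dir "$demo"; then
  echo "OK: $demo has every required file with safe permissions"
fi
chmod 644 "$demo/whitelisted-key.json"   # simulate a common mistake
check_secrets_dir "$demo" || echo "$? problem(s) found in $demo"
rm -rf "$demo"
```

To use it against a real controller, replace the demo section with `check_secrets_dir "$HOME/anthos_secrets"` (or whatever secrets_path resolves to) and gate the playbook run on its exit status. The PEM and JSON checks are deliberately shallow: they catch the wrong file being dropped in the directory, not an expired certificate or a key for the wrong project.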