Kubespray is where Kubernetes meets Ansible. It’s a composition of Ansible playbooks, provisioning tools, and domain knowledge for creating production-ready Kubernetes clusters. Kubespray builds on top of kubeadm. To use kubespray with NGINX Service Mesh, you need to set some extra flags on the Kubernetes API Server to enable Service Account Token Volume Projection. See the Service Account Token Volume Projection section to learn why this is needed.
When creating a new cluster, you need to pass some extra flags to kubespray using group_vars. Add the following to
kube_kubeadm_apiserver_extra_args:
  service-account-issuer: api
  service-account-signing-key-file: /etc/kubernetes/ssl/sa.key
  service-account-api-audiences: api
After making the changes, deploy kubespray as you normally would.
If you have an existing kubespray deployment, you need to create a new cluster. First make the changes in this section, then deploy a new cluster using the same command you used to deploy the cluster before. The new cluster will reflect the new configuration. After deploying the new cluster, you can delete the old one.
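To confirm that a deployed cluster picked up these settings, the following added example (not part of the NGINX Service Mesh or Kubespray documentation) checks a kube-apiserver manifest for the three flags with the values shown above. It assumes kubeadm renders each extra arg as a `- --flag=value` line in the manifest's command list; the function names, the `APISERVER_MANIFEST` variable and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the API server flags needed for token volume projection.
# Expected flag=value pairs, copied from the group_vars snippet on this page.
EXPECTED_FLAGS='service-account-issuer=api
service-account-signing-key-file=/etc/kubernetes/ssl/sa.key
service-account-api-audiences=api'

# flag_value MANIFEST FLAG: print the value of "- --FLAG=VALUE", if present.
flag_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# check_sa_projection_flags MANIFEST: 0 if every flag is set as expected,
# 1 if any is missing or different, 2 if the manifest cannot be read.
check_sa_projection_flags() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rc=0
    for pair in $EXPECTED_FLAGS; do
        flag=${pair%%=*}
        want=${pair#*=}
        got=$(flag_value "$1" "$flag")
        if [ -z "$got" ]; then
            echo "MISSING  --$flag (expected $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH --$flag=$got (expected $want)"; rc=1
        else
            echo "OK       --$flag=$got"
        fi
    done
    return "$rc"
}

# write_sample_manifest FILE: constructed, trimmed kube-apiserver manifest
# with one of the three flags deliberately left out.
write_sample_manifest() {
    cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-account-issuer=api
    - --service-account-signing-key-file=/etc/kubernetes/ssl/sa.key
    - --service-account-key-file=/etc/kubernetes/ssl/sa.pub
EOF
}

# Set APISERVER_MANIFEST (hypothetical variable) to check a real manifest.
if [ -n "${APISERVER_MANIFEST:-}" ]; then check_sa_projection_flags "$APISERVER_MANIFEST"; fi
```

On kubeadm-based clusters the API server's static pod manifest is typically `/etc/kubernetes/manifests/kube-apiserver.yaml` on each control-plane node; treat that path as an assumption and adjust it to your deployment.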
Kubespray doesn’t set up any persistent storage for you, but it’s required to run NGINX Service Mesh in a production environment. See Persistent Storage for more information.