Remove dashboard_tls_key and dashboard_tls_cert

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -42,8 +42,6 @@ netchecker_server_memory_requests: 64M
 dashboard_enabled: true
 dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64
 dashboard_image_tag: v1.8.0
-dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64
-dashboard_init_image_tag: v1.0.1
 
 # Limits for dashboard
 dashboard_cpu_limit: 100m
@@ -54,12 +52,6 @@ dashboard_memory_requests: 64M
 # SSL
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
-# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
-# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
-dashboard_use_custom_certs: false
-dashboard_certs_secret_name: kubernetes-dashboard-certs
-dashboard_tls_key_file: dashboard.key
-dashboard_tls_cert_file: dashboard.crt
 
 rbac_resources:
   - sa

roles/kubernetes-apps/ansible/templates/dashboard.yml.j2

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Configuration to deploy release version of the Dashboard UI compatible with
-# Kubernetes 1.7.
+# Kubernetes 1.8.
 #
 # Example usage: kubectl create -f <this_file>
 
@@ -43,28 +43,41 @@ metadata:
 # ------------------- Dashboard Role & Role Binding ------------------- #
 
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: kubernetes-dashboard-minimal
   namespace: {{ system_namespace }}
 rules:
-  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["create", "watch"]
+  verbs: ["create"]
+  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
   resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
   resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
   verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
   # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
   resources: ["services"]
   resourceNames: ["heapster"]
   verbs: ["proxy"]
+- apiGroups: [""]
+  resources: ["services/proxy"]
+  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+  verbs: ["get"]
 
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: kubernetes-dashboard-minimal
@@ -78,39 +91,11 @@ subjects:
   name: kubernetes-dashboard
   namespace: {{ system_namespace }}
 
----
-# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
-# Allows users to reach login page and other proxied dashboard URLs
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubernetes-dashboard-anonymous
-rules:
-- apiGroups: [""]
-  resources: ["services/proxy"]
-  resourceNames: ["https:kubernetes-dashboard:"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard-anonymous
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubernetes-dashboard-anonymous
-subjects:
-- kind: User
-  name: system:anonymous
-
 ---
 # ------------------- Dashboard Deployment ------------------- #
 
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1beta2
 metadata:
   labels:
     k8s-app: kubernetes-dashboard
@@ -127,18 +112,10 @@ spec:
       labels:
         k8s-app: kubernetes-dashboard
     spec:
-{% if not dashboard_use_custom_certs %}
-      initContainers:
-      - name: kubernetes-dashboard-init
-        image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
-        volumeMounts:
-        - name: kubernetes-dashboard-certs
-          mountPath: /certs
-{% endif %}
       containers:
       - name: kubernetes-dashboard
         image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
-        imagePullPolicy: Always
+        imagePullPolicy: {{ k8s_image_pull_policy }}
         resources:
           limits:
             cpu: {{ dashboard_cpu_limit }}
@@ -150,9 +127,7 @@ spec:
         - containerPort: 8443
           protocol: TCP
         args:
-          - --tls-key-file=/certs/{{ dashboard_tls_key_file }}
-          - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }}
-          - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
+          - --auto-generate-certificates
           # Uncomment the following line to manually specify Kubernetes API server Host
           # If not specified, Dashboard will attempt to auto discover the API server and connect
           # to it. Uncomment only if the default does not work.
@@ -160,7 +135,6 @@ spec:
         volumeMounts:
         - name: kubernetes-dashboard-certs
           mountPath: /certs
-          readOnly: true
           # Create on-disk volume to store exec logs
         - mountPath: /tmp
           name: tmp-volume
@@ -174,7 +148,7 @@ spec:
       volumes:
       - name: kubernetes-dashboard-certs
         secret:
-          secretName: {{ dashboard_certs_secret_name }}
+          secretName: kubernetes-dashboard-certs
       - name: tmp-volume
         emptyDir: {}
       serviceAccountName: kubernetes-dashboard
@@ -198,4 +172,4 @@ spec:
     - port: 443
       targetPort: 8443
   selector:
-    k8s-app: kubernetes-dashboard
+    k8s-app: kubernetes-dashboard