Helm v3 only (#6846)
Helm v3 only (#6846)
* Fix etcd download dest Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * Only support Helm v3, cleanup install Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>pull/6980/head
Etienne Champetier
4 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 57 additions and 517 deletions
-
4docs/offline-environment.md
-
3docs/vars.md
-
2inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
-
3inventory/sample/group_vars/k8s-cluster/offline.yml
-
38roles/download/defaults/main.yml
-
51roles/kubernetes-apps/helm/defaults/main.yml
-
110roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml
-
8roles/kubernetes-apps/helm/tasks/install_docker.yml
-
42roles/kubernetes-apps/helm/tasks/install_host.yml
-
163roles/kubernetes-apps/helm/tasks/main.yml
-
17roles/kubernetes-apps/helm/templates/helm-container.j2
-
76roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2
-
29roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2
-
4roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
-
6roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2
-
13roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md
-
2roles/kubespray-defaults/defaults/main.yaml
-
3tests/files/packet_centos7-calico-ha.yml
@ -1,53 +1,2 @@ |
|||
--- |
|||
helm_enabled: false |
|||
|
|||
# specify a dir and attach it to helm for HELM_HOME. |
|||
helm_home_dir: "/root/.helm" |
|||
|
|||
# Deployment mode: host or docker |
|||
helm_deployment_type: host |
|||
|
|||
# Wait until Tiller is running and ready to receive requests |
|||
tiller_wait: false |
|||
|
|||
# Do not download the local repository cache on helm init |
|||
helm_skip_refresh: false |
|||
|
|||
# Secure Tiller installation with TLS |
|||
tiller_enable_tls: false |
|||
helm_config_dir: "{{ kube_config_dir }}/helm" |
|||
helm_script_dir: "{{ bin_dir }}/helm-scripts" |
|||
|
|||
# Store tiller release information as Secret instead of a ConfigMap |
|||
tiller_secure_release_info: false |
|||
|
|||
# Where private root key will be secured for TLS |
|||
helm_tiller_cert_dir: "{{ helm_config_dir }}/ssl" |
|||
tiller_tls_cert: "{{ helm_tiller_cert_dir }}/tiller.pem" |
|||
tiller_tls_key: "{{ helm_tiller_cert_dir }}/tiller-key.pem" |
|||
tiller_tls_ca_cert: "{{ helm_tiller_cert_dir }}/ca.pem" |
|||
|
|||
# Permission owner and group for helm client cert. Will be dependent on the helm_home_dir |
|||
helm_cert_group: root |
|||
helm_cert_owner: root |
|||
|
|||
# Set URL for stable repository |
|||
# helm_stable_repo_url: "https://charts.helm.sh/stable" |
|||
|
|||
# Namespace for the Tiller Deployment. |
|||
tiller_namespace: kube-system |
|||
|
|||
# Set node selector options for Tiller Deployment manifest. |
|||
# tiller_node_selectors: "key1=val1,key2=val2" |
|||
|
|||
# Override values for the Tiller Deployment manifest. |
|||
# tiller_override: "key1=val1,key2=val2" |
|||
|
|||
# Limit the maximum number of revisions saved per release. Use 0 for no limit. |
|||
# tiller_max_history: 0 |
|||
|
|||
# The name of the tiller service account |
|||
tiller_service_account: tiller |
|||
|
|||
# The number of tiller pod replicas. If not defined, tiller defaults to a single replica |
|||
# tiller_replicas: 1 |
@ -1,110 +0,0 @@ |
|||
--- |
|||
- name: "Gen_helm_tiller_certs | Create helm config directory (on {{ groups['kube-master'][0] }})" |
|||
run_once: yes |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
file: |
|||
path: "{{ helm_config_dir }}" |
|||
state: directory |
|||
owner: kube |
|||
|
|||
- name: "Gen_helm_tiller_certs | Create helm script directory (on {{ groups['kube-master'][0] }})" |
|||
run_once: yes |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
file: |
|||
path: "{{ helm_script_dir }}" |
|||
state: directory |
|||
owner: kube |
|||
|
|||
- name: Gen_helm_tiller_certs | Copy certs generation script |
|||
run_once: yes |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
template: |
|||
src: "helm-make-ssl.sh.j2" |
|||
dest: "{{ helm_script_dir }}/helm-make-ssl.sh" |
|||
mode: 0700 |
|||
|
|||
- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{ groups['kube-master'][0] }})" |
|||
find: |
|||
paths: "{{ helm_home_dir }}" |
|||
patterns: "*.pem" |
|||
get_checksum: true |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
register: helmcert_master |
|||
run_once: true |
|||
|
|||
- name: Gen_helm_tiller_certs | run cert generation script # noqa 301 |
|||
run_once: yes |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}" |
|||
|
|||
- name: Check_helm_client_certs | Set helm_client_certs |
|||
set_fact: |
|||
helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem'] |
|||
|
|||
- name: "Check_helm_client_certs | check if a cert already exists on master node" |
|||
find: |
|||
paths: "{{ helm_home_dir }}" |
|||
patterns: "*.pem" |
|||
get_checksum: true |
|||
register: helmcert_node |
|||
when: inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters" |
|||
set_fact: |
|||
sync_helm_certs: (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('')) |
|||
when: |
|||
- inventory_hostname != groups['kube-master'][0] |
|||
with_items: |
|||
- "{{ helm_client_certs }}" |
|||
|
|||
- name: Gen_helm_tiller_certs | Gather helm client certs |
|||
# noqa 303 - tar is called intentionally here, but maybe this should be done with the slurp module |
|||
shell: "set -o pipefail && tar cfz - -C {{ helm_home_dir }} {{ helm_client_certs|join(' ') }} | base64 --wrap=0" |
|||
args: |
|||
executable: /bin/bash |
|||
no_log: true |
|||
register: helm_client_cert_data |
|||
check_mode: no |
|||
delegate_to: "{{ groups['kube-master'][0] }}" |
|||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters |
|||
tempfile: |
|||
state: file |
|||
path: /tmp |
|||
prefix: helmcertsXXXXX |
|||
suffix: tar.gz |
|||
register: helm_cert_tempfile |
|||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_helm_tiller_certs | Write helm client certs to tempfile |
|||
copy: |
|||
content: "{{ helm_client_cert_data.stdout }}" |
|||
dest: "{{ helm_cert_tempfile.path }}" |
|||
owner: root |
|||
mode: "0600" |
|||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_helm_tiller_certs | Unpack helm certs on |
|||
shell: "set -o pipefail && base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}" |
|||
args: |
|||
executable: /bin/bash |
|||
no_log: true |
|||
changed_when: false |
|||
check_mode: no |
|||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_helm_tiller_certs | Cleanup tempfile on masters |
|||
file: |
|||
path: "{{ helm_cert_tempfile.path }}" |
|||
state: absent |
|||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] |
|||
|
|||
- name: Gen_certs | check certificate permissions |
|||
file: |
|||
path: "{{ helm_home_dir }}" |
|||
group: "{{ helm_cert_group }}" |
|||
state: directory |
|||
owner: "{{ helm_cert_owner }}" |
|||
mode: "u=rwX,g-rwx,o-rwx" |
|||
recurse: yes |
@ -1,8 +0,0 @@ |
|||
--- |
|||
- name: Helm | Set up helm docker launcher |
|||
template: |
|||
src: helm-container.j2 |
|||
dest: "{{ bin_dir }}/helm" |
|||
owner: root |
|||
mode: 0755 |
|||
register: helm_container |
@ -1,42 +0,0 @@ |
|||
--- |
|||
- name: Helm | Set commands for helm host tasks |
|||
set_fact: |
|||
helm_compare_command: >- |
|||
{%- if container_manager in ['docker', 'crio'] %} |
|||
{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /usr/bin/cmp {{ helm_image_repo }}:{{ helm_image_tag }} /usr/local/bin/helm /systembindir/helm |
|||
{%- elif container_manager == "containerd" %} |
|||
ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-compare sh -c 'cmp /usr/local/bin/helm /systembindir/helm' |
|||
{%- endif %} |
|||
helm_copy_command: >- |
|||
{%- if container_manager in ['docker', 'crio'] %} |
|||
{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /bin/cp {{ helm_image_repo }}:{{ helm_image_tag }} -f /usr/local/bin/helm /systembindir/helm |
|||
{%- elif container_manager == "containerd" %} |
|||
ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-copy sh -c '/bin/cp -f /usr/local/bin/helm /systembindir/helm' |
|||
{%- endif %} |
|||
|
|||
- name: Helm | ensure helm container is pulled for containerd |
|||
command: "ctr i pull {{ helm_image_repo }}:{{ helm_image_tag }}" |
|||
when: container_manager == "containerd" |
|||
|
|||
- name: Helm | Compare host helm with helm container |
|||
command: "{{ helm_compare_command }}" |
|||
register: helm_task_compare_result |
|||
until: helm_task_compare_result.rc in [0,1,2] |
|||
retries: 4 |
|||
delay: "{{ retry_stagger | random + 3 }}" |
|||
changed_when: false |
|||
failed_when: "helm_task_compare_result.rc not in [0,1,2]" |
|||
|
|||
- name: Helm | Copy helm from helm container |
|||
command: "{{ helm_copy_command }}" |
|||
when: helm_task_compare_result.rc != 0 |
|||
register: helm_task_result |
|||
until: helm_task_result.rc == 0 |
|||
retries: 4 |
|||
delay: "{{ retry_stagger | random + 3 }}" |
|||
|
|||
- name: Helm | Copy socat wrapper for Flatcar Container Linux by Kinvolk |
|||
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}" |
|||
args: |
|||
creates: "{{ bin_dir }}/socat" |
|||
when: ansible_os_family in ['Flatcar Container Linux by Kinvolk'] |
@ -1,131 +1,34 @@ |
|||
--- |
|||
- name: Helm | Make sure HELM_HOME directory exists |
|||
file: path={{ helm_home_dir }} state=directory |
|||
|
|||
- name: Helm | Set up helm launcher |
|||
include_tasks: "install_{{ helm_deployment_type }}.yml" |
|||
|
|||
- name: Helm | Lay Down Helm Manifests (RBAC) |
|||
template: |
|||
src: "{{ item.file }}.j2" |
|||
dest: "{{ kube_config_dir }}/{{ item.file }}" |
|||
with_items: |
|||
- {name: tiller, file: tiller-namespace.yml, type: namespace} |
|||
- {name: tiller, file: tiller-sa.yml, type: sa} |
|||
- {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding} |
|||
register: manifests |
|||
when: |
|||
- dns_mode != 'none' |
|||
- inventory_hostname == groups['kube-master'][0] |
|||
- helm_version is version('v3.0.0', '<') |
|||
|
|||
- name: Helm | Apply Helm Manifests (RBAC) |
|||
kube: |
|||
name: "{{ item.item.name }}" |
|||
namespace: "{{ tiller_namespace }}" |
|||
kubectl: "{{ bin_dir }}/kubectl" |
|||
resource: "{{ item.item.type }}" |
|||
filename: "{{ kube_config_dir }}/{{ item.item.file }}" |
|||
state: "latest" |
|||
with_items: "{{ manifests.results }}" |
|||
when: |
|||
- dns_mode != 'none' |
|||
- inventory_hostname == groups['kube-master'][0] |
|||
- helm_version is version('v3.0.0', '<') |
|||
|
|||
# Generate necessary certs for securing Helm and Tiller connection with TLS |
|||
- name: Helm | Set up TLS |
|||
include_tasks: "gen_helm_tiller_certs.yml" |
|||
when: |
|||
- tiller_enable_tls |
|||
- helm_version is version('v3.0.0', '<') |
|||
|
|||
- name: Helm | Install client on all masters |
|||
command: > |
|||
{{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }} |
|||
{% if helm_skip_refresh %} --skip-refresh{% endif %} |
|||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} |
|||
--client-only |
|||
environment: "{{ proxy_env }}" |
|||
changed_when: false |
|||
when: |
|||
- helm_version is version('v3.0.0', '<') |
|||
|
|||
# FIXME: https://github.com/helm/helm/issues/6374 |
|||
- name: Helm | Install/upgrade helm |
|||
shell: > |
|||
set -o pipefail && |
|||
{{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }} |
|||
{% if helm_skip_refresh %} --skip-refresh{% endif %} |
|||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} |
|||
--upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} |
|||
{% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %} |
|||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %} |
|||
--override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %} |
|||
{% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %} |
|||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %} |
|||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %} |
|||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %} |
|||
--override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' |
|||
{% if tiller_wait %} --wait{% endif %} |
|||
{% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %} |
|||
--output yaml |
|||
| sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' |
|||
| {{ bin_dir }}/kubectl apply -f - |
|||
args: |
|||
executable: /bin/bash |
|||
register: install_helm |
|||
when: |
|||
- inventory_hostname == groups['kube-master'][0] |
|||
- helm_version is version('v3.0.0', '<') |
|||
changed_when: false |
|||
environment: "{{ proxy_env }}" |
|||
|
|||
# FIXME: https://github.com/helm/helm/issues/4063 |
|||
- name: Helm | Force apply tiller overrides if necessary |
|||
shell: > |
|||
set -o pipefail && |
|||
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }} |
|||
{% if helm_skip_refresh %} --skip-refresh{% endif %} |
|||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} |
|||
{% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %} |
|||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %} |
|||
--override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %} |
|||
{% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %} |
|||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %} |
|||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %} |
|||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %} |
|||
--override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' |
|||
{% if tiller_wait %} --wait{% endif %} |
|||
{% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %} |
|||
--output yaml |
|||
| sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' |
|||
| {{ bin_dir }}/kubectl apply -f - |
|||
args: |
|||
executable: /bin/bash |
|||
changed_when: false |
|||
when: |
|||
- inventory_hostname == groups['kube-master'][0] |
|||
- helm_version is version('v3.0.0', '<') |
|||
environment: "{{ proxy_env }}" |
|||
|
|||
- name: Helm | Add/update stable repo on all masters |
|||
command: "{{ bin_dir }}/helm repo add stable {{ helm_stable_repo_url }}" |
|||
environment: "{{ proxy_env }}" |
|||
when: |
|||
- helm_version is version('v3.0.0', '>=') |
|||
- helm_stable_repo_url is defined |
|||
|
|||
- name: Make sure bash_completion.d folder exists # noqa 503 |
|||
file: |
|||
name: "/etc/bash_completion.d/" |
|||
state: directory |
|||
when: |
|||
- ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed)) |
|||
- ansible_os_family in ["ClearLinux"] |
|||
|
|||
- name: Helm | Set up bash completion # noqa 503 |
|||
shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh" |
|||
when: |
|||
- ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed)) |
|||
- not ansible_os_family in ["Flatcar Container Linux by Kinvolk"] |
|||
- name: Helm | Download helm |
|||
include_tasks: "../../../download/tasks/download_file.yml" |
|||
vars: |
|||
download: "{{ download_defaults | combine(downloads.helm) }}" |
|||
|
|||
- name: Copy helm binary from download dir |
|||
synchronize: |
|||
src: "{{ local_release_dir }}/helm-{{ helm_version }}/linux-{{ image_arch }}/helm" |
|||
dest: "{{ bin_dir }}/helm" |
|||
compress: no |
|||
perms: yes |
|||
owner: no |
|||
group: no |
|||
delegate_to: "{{ inventory_hostname }}" |
|||
|
|||
- name: Check if bash_completion.d folder exists # noqa 503 |
|||
stat: |
|||
path: "/etc/bash_completion.d/" |
|||
register: stat_result |
|||
|
|||
- name: Get helm completion |
|||
command: "{{ bin_dir }}/helm completion bash" |
|||
changed_when: False |
|||
register: helm_completion |
|||
check_mode: False |
|||
when: stat_result.stat.exists |
|||
|
|||
- name: Install helm completion |
|||
copy: |
|||
dest: /etc/bash_completion.d/helm.sh |
|||
content: "{{ helm_completion.stdout }}" |
|||
become: True |
|||
when: stat_result.stat.exists |
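Review bot: The "Install helm completion" task at the end of the hunk writes `/etc/bash_completion.d/helm.sh` with `become: True` but sets no `mode` (or `owner`), so the permissions of the installed file depend on the remote umask; the removed task pinned this with `umask 022`, and the replacement should pin it too by adding `mode: "0644"` under `copy:`. The same pair of tasks spells booleans as `False`/`True` (`changed_when: False`, `check_mode: False`, `become: True`) while the synchronize task a few lines above uses `no`/`yes`; yamllint's truthy rule and Ansible convention prefer lowercase `true`/`false` throughout the file. The "Copy helm binary from download dir" task relies on `perms: yes` to carry the execute bit over from the download dir, which presumably is set by download_file.yml; if that is not guaranteed, a follow-up `file` task with `mode: "0755"` on `{{ bin_dir }}/helm` would make it explicit.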
@ -1,17 +0,0 @@ |
|||
#!/bin/bash |
|||
{{ docker_bin_dir }}/docker run --rm \ |
|||
--net=host \ |
|||
--name=helm \ |
|||
-v {{ ansible_env.HOME | default('/root') }}/.kube:/root/.kube:ro \ |
|||
-v /etc/ssl:/etc/ssl:ro \ |
|||
-v {{ helm_home_dir }}:{{ helm_home_dir }}:rw \ |
|||
{% for dir in ssl_ca_dirs -%} |
|||
-v {{ dir }}:{{ dir }}:ro \ |
|||
{% endfor -%} |
|||
{% if http_proxy is defined or https_proxy is defined -%} |
|||
-e http_proxy="{{proxy_env.http_proxy}}" \ |
|||
-e https_proxy="{{proxy_env.https_proxy}}" \ |
|||
-e no_proxy="{{proxy_env.no_proxy}}" \ |
|||
{% endif -%} |
|||
{{ helm_image_repo }}:{{ helm_image_tag}} \ |
|||
"$@" |
@ -1,76 +0,0 @@ |
|||
#!/bin/bash |
|||
|
|||
set -o errexit |
|||
set -o pipefail |
|||
|
|||
usage() |
|||
{ |
|||
cat << EOF |
|||
Create self signed certificates |
|||
|
|||
Usage : $(basename $0) -f <config> [-d <ssldir>] |
|||
-h | --help : Show this message |
|||
-e | --helm-home : Helm home directory |
|||
-d | --ssldir : Directory where the certificates will be installed |
|||
EOF |
|||
} |
|||
|
|||
# Options parsing |
|||
while (($#)); do |
|||
case "$1" in |
|||
-h | --help) usage; exit 0;; |
|||
-e | --helm-home) HELM_HOME="${2}"; shift 2;; |
|||
-d | --ssldir) SSLDIR="${2}"; shift 2;; |
|||
*) |
|||
usage |
|||
echo "ERROR : Unknown option" |
|||
exit 3 |
|||
;; |
|||
esac |
|||
done |
|||
|
|||
if [ -z ${SSLDIR} ]; then |
|||
SSLDIR="/etc/kubernetes/helm/ssl" |
|||
fi |
|||
|
|||
tmpdir=$(mktemp -d /tmp/helm_cacert.XXXXXX) |
|||
trap 'rm -rf "${tmpdir}"' EXIT |
|||
cd "${tmpdir}" |
|||
|
|||
mkdir -p "${SSLDIR}" |
|||
|
|||
# Root CA |
|||
if [ -e "$SSLDIR/ca-key.pem" ]; then |
|||
# Reuse existing CA |
|||
cp $SSLDIR/{ca.pem,ca-key.pem} . |
|||
else |
|||
openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1 |
|||
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1 |
|||
fi |
|||
|
|||
gen_key_and_cert() { |
|||
local name=$1 |
|||
local subject=$2 |
|||
openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1 |
|||
openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1 |
|||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1 |
|||
} |
|||
|
|||
#Generate cert and key for Tiller if they don't exist |
|||
if ! [ -e "$SSLDIR/tiller.pem" ]; then |
|||
gen_key_and_cert "tiller" "/CN=tiller-server" |
|||
fi |
|||
|
|||
#Generate cert and key for Helm client if they don't exist |
|||
if ! [ -e "$SSLDIR/helm.pem" ]; then |
|||
gen_key_and_cert "helm" "/CN=helm-client" |
|||
fi |
|||
|
|||
# Secure certs to first master |
|||
mv *.pem ${SSLDIR}/ |
|||
|
|||
# Install Helm client certs to first master |
|||
# Copy using Helm default names for convenience |
|||
cp ${SSLDIR}/ca.pem ${HELM_HOME}/ca.pem |
|||
cp ${SSLDIR}/helm.pem ${HELM_HOME}/cert.pem |
|||
cp ${SSLDIR}/helm-key.pem ${HELM_HOME}/key.pem |
@ -1,29 +0,0 @@ |
|||
--- |
|||
kind: ClusterRoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: tiller |
|||
namespace: {{ tiller_namespace }} |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: {{ tiller_service_account }} |
|||
namespace: {{ tiller_namespace }} |
|||
roleRef: |
|||
kind: ClusterRole |
|||
name: cluster-admin |
|||
apiGroup: rbac.authorization.k8s.io |
|||
{% if podsecuritypolicy_enabled %} |
|||
--- |
|||
kind: ClusterRoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: psp:tiller |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: {{ tiller_service_account }} |
|||
namespace: {{ tiller_namespace }} |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: psp:privileged |
|||
{% endif %} |
@ -1,4 +0,0 @@ |
|||
apiVersion: v1 |
|||
kind: Namespace |
|||
metadata: |
|||
name: "{{ tiller_namespace}}" |
@ -1,6 +0,0 @@ |
|||
--- |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: {{ tiller_service_account }} |
|||
namespace: {{ tiller_namespace }} |