diff --git a/docs/offline-environment.md b/docs/offline-environment.md index de8a9c8cb..9e743997c 100644 --- a/docs/offline-environment.md +++ b/docs/offline-environment.md @@ -62,9 +62,6 @@ docker_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/docker-ce/gpg" containerd_ubuntu_repo_base_url: "{{ ubuntu_repo }}/containerd" containerd_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/containerd/gpg" containerd_ubuntu_repo_repokey: 'YOURREPOKEY' - -# If using helm -helm_stable_repo_url: "{{ helm_registry }}" ``` For the OS specific settings, just define the one matching your OS. @@ -73,7 +70,6 @@ If you use the settings like the one above, you'll need to define in your invent * `registry_host`: Container image registry. If you _don't_ use the same repository path for the container images that the ones defined in [Download's role defaults](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/download/defaults/main.yml), you need to override the `*_image_repo` for these container images. If you want to make your life easier, use the same repository path, you won't have to override anything else. * `files_repo`: HTTP webserver or reverse proxy that is able to serve the files listed above. Path is not important, you can store them anywhere as long as it's accessible by kubespray. It's recommended to use `*_version` in the path so that you don't need to modify this setting everytime kubespray upgrades one of these components. * `yum_repo`/`debian_repo`/`ubuntu_repo`: OS package repository depending of your OS, should point to your internal repository. Adjust the path accordingly. -* `helm_registry`: Helm Registry to use for `stable` Helm Charts if `helm_enabled: true` ## Install Kubespray Python Packages diff --git a/docs/vars.md b/docs/vars.md index 2c40ab0e7..dbcf98713 100644 --- a/docs/vars.md +++ b/docs/vars.md @@ -202,5 +202,4 @@ in the form of dicts of key-value pairs of configuration parameters that will be ## App variables -* *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!). -Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards. +* *helm_version* - Only supports v3.x. Existing v2 installs (with Tiller) will not be modified and need to be removed manually. diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml index b21892447..71dcd98c5 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml @@ -204,8 +204,6 @@ kata_containers_enabled: false # containerd_untrusted_runtime_engine: '' # containerd_untrusted_runtime_root: '' -helm_deployment_type: host - kubeadm_certificate_key: "{{ lookup('password', credentials_dir + '/kubeadm_certificate_key.creds length=64 chars=hexdigits') | lower }}" # K8s image pull policy (imagePullPolicy) diff --git a/inventory/sample/group_vars/k8s-cluster/offline.yml b/inventory/sample/group_vars/k8s-cluster/offline.yml index 65a85c91a..22f322863 100644 --- a/inventory/sample/group_vars/k8s-cluster/offline.yml +++ b/inventory/sample/group_vars/k8s-cluster/offline.yml @@ -66,6 +66,3 @@ # containerd_ubuntu_repo_base_url: "{{ ubuntu_repo }}/containerd" # containerd_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/containerd/gpg" # containerd_ubuntu_repo_repokey: 'YOURREPOKEY' - -# [Optiona] Helm: if helm_enabled: true in addons.yml -# helm_stable_repo_url: "{{ helm_registry }}" \ No newline at end of file diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 068a48bf8..e72229914 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -84,6 +84,7 @@ kube_router_version: "v1.1.0" multus_version: "v3.6" ovn4nfv_ovn_image_version: "v1.0.0" ovn4nfv_k8s_plugin_image_version: "v1.1.0" +helm_version: "v3.3.4" # Get kubernetes major version (i.e. 1.17.4 => 1.17) kube_major_version: "{{ kube_version | regex_replace('^v([0-9])+\\.([0-9]+)\\.[0-9]+', 'v\\1.\\2') }}" @@ -101,6 +102,7 @@ etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_ver cni_download_url: "https://github.com/containernetworking/plugins/releases/download/{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz" calicoctl_download_url: "https://github.com/projectcalico/calicoctl/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}" crictl_download_url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ crictl_version }}/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz" +helm_download_url: "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz" crictl_checksums: arm: @@ -401,6 +403,11 @@ calicoctl_binary_checksums: v3.16.2: aa5695940ec8a36393725a5ce7b156f776fed8da38b994c0828d7f3a60e59bc6 v3.15.2: 49165f9e4ad55402248b578310fcf68a57363f54e66be04ac24be9714899b4d5 +helm_archive_checksums: + arm: 9da6cc39a796f85b6c4e6d48fd8e4888f1003bfb7a193bb6c427cdd752ad40bb + amd64: b664632683c36446deeb85c406871590d879491e3de18978b426769e43a1e82c + arm64: bdd00b8ff422171b4be5b649a42e5261394a89d7ea57944005fc34d34d1f8160 + etcd_binary_checksum: "{{ etcd_binary_checksums[image_arch] }}" cni_binary_checksum: "{{ cni_binary_checksums[image_arch] }}" kubelet_binary_checksum: "{{ kubelet_checksums[image_arch][kube_version] }}" @@ -408,6 +415,7 @@ kubectl_binary_checksum: "{{ kubectl_checksums[image_arch][kube_version] }}" kubeadm_binary_checksum: "{{ kubeadm_checksums[image_arch][kubeadm_version] }}" calicoctl_binary_checksum: "{{ calicoctl_binary_checksums[image_arch][calico_ctl_version] }}" crictl_binary_checksum: "{{ crictl_checksums[image_arch][crictl_version] }}" +helm_archive_checksum: "{{ helm_archive_checksums[image_arch] }}" # Containers # In some cases, we need a way to set --registry-mirror or --insecure-registry for docker, @@ -480,11 +488,6 @@ dnsautoscaler_image_repo: "{{ kube_image_repo }}/cpa/cluster-proportional-autosc dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}" test_image_repo: "{{ kube_image_repo }}/busybox" test_image_tag: latest -helm_version: "v3.2.4" -helm_image_repo: "{{ docker_image_repo }}/lachlanevenson/k8s-helm" -helm_image_tag: "{{ helm_version }}" -tiller_image_repo: "{{ gcr_image_repo }}/kubernetes-helm/tiller" -tiller_image_tag: "{{ helm_version }}" registry_image_repo: "{{ docker_image_repo }}/library/registry" registry_image_tag: "2.7.1" @@ -598,7 +601,7 @@ downloads: file: "{{ etcd_deployment_type == 'host' }}" enabled: true version: "{{ etcd_version }}" - dest: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz" + dest: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-{{ image_arch }}.tar.gz" repo: "{{ etcd_image_repo }}" tag: "{{ etcd_image_tag }}" sha256: >- @@ -887,21 +890,16 @@ downloads: helm: enabled: "{{ helm_enabled }}" - container: true - repo: "{{ helm_image_repo }}" - tag: "{{ helm_image_tag }}" - sha256: "{{ helm_digest_checksum|default(None) }}" - groups: - - kube-node - - tiller: - enabled: "{{ helm_enabled and helm_version is version('v3.0.0', '<') }}" - container: true - repo: "{{ tiller_image_repo }}" - tag: "{{ tiller_image_tag }}" - sha256: "{{ tiller_digest_checksum|default(None) }}" + file: true + version: "{{ helm_version }}" + dest: "{{ local_release_dir }}/helm-{{ helm_version }}/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz" + sha256: "{{ helm_archive_checksum }}" + url: "{{ helm_download_url }}" + unarchive: true + owner: "root" + mode: "0755" groups: - - kube-node + - kube-master registry: enabled: "{{ registry_enabled }}" diff --git a/roles/kubernetes-apps/helm/defaults/main.yml b/roles/kubernetes-apps/helm/defaults/main.yml index 5820fc21f..4dc1ccaa0 100644 --- a/roles/kubernetes-apps/helm/defaults/main.yml +++ b/roles/kubernetes-apps/helm/defaults/main.yml @@ -1,53 +1,2 @@ --- helm_enabled: false - -# specify a dir and attach it to helm for HELM_HOME. -helm_home_dir: "/root/.helm" - -# Deployment mode: host or docker -helm_deployment_type: host - -# Wait until Tiller is running and ready to receive requests -tiller_wait: false - -# Do not download the local repository cache on helm init -helm_skip_refresh: false - -# Secure Tiller installation with TLS -tiller_enable_tls: false -helm_config_dir: "{{ kube_config_dir }}/helm" -helm_script_dir: "{{ bin_dir }}/helm-scripts" - -# Store tiller release information as Secret instead of a ConfigMap -tiller_secure_release_info: false - -# Where private root key will be secured for TLS -helm_tiller_cert_dir: "{{ helm_config_dir }}/ssl" -tiller_tls_cert: "{{ helm_tiller_cert_dir }}/tiller.pem" -tiller_tls_key: "{{ helm_tiller_cert_dir }}/tiller-key.pem" -tiller_tls_ca_cert: "{{ helm_tiller_cert_dir }}/ca.pem" - -# Permission owner and group for helm client cert. Will be dependent on the helm_home_dir -helm_cert_group: root -helm_cert_owner: root - -# Set URL for stable repository -# helm_stable_repo_url: "https://charts.helm.sh/stable" - -# Namespace for the Tiller Deployment. -tiller_namespace: kube-system - -# Set node selector options for Tiller Deployment manifest. -# tiller_node_selectors: "key1=val1,key2=val2" - -# Override values for the Tiller Deployment manifest. -# tiller_override: "key1=val1,key2=val2" - -# Limit the maximum number of revisions saved per release. Use 0 for no limit. -# tiller_max_history: 0 - -# The name of the tiller service account -tiller_service_account: tiller - -# The number of tiller pod replicas. If not defined, tiller defaults to a single replica -# tiller_replicas: 1 diff --git a/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml b/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml deleted file mode 100644 index f7b18f152..000000000 --- a/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml +++ /dev/null @@ -1,110 +0,0 @@ ---- -- name: "Gen_helm_tiller_certs | Create helm config directory (on {{ groups['kube-master'][0] }})" - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - file: - path: "{{ helm_config_dir }}" - state: directory - owner: kube - -- name: "Gen_helm_tiller_certs | Create helm script directory (on {{ groups['kube-master'][0] }})" - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - file: - path: "{{ helm_script_dir }}" - state: directory - owner: kube - -- name: Gen_helm_tiller_certs | Copy certs generation script - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - template: - src: "helm-make-ssl.sh.j2" - dest: "{{ helm_script_dir }}/helm-make-ssl.sh" - mode: 0700 - -- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{ groups['kube-master'][0] }})" - find: - paths: "{{ helm_home_dir }}" - patterns: "*.pem" - get_checksum: true - delegate_to: "{{ groups['kube-master'][0] }}" - register: helmcert_master - run_once: true - -- name: Gen_helm_tiller_certs | run cert generation script # noqa 301 - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}" - -- name: Check_helm_client_certs | Set helm_client_certs - set_fact: - helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem'] - -- name: "Check_helm_client_certs | check if a cert already exists on master node" - find: - paths: "{{ helm_home_dir }}" - patterns: "*.pem" - get_checksum: true - register: helmcert_node - when: inventory_hostname != groups['kube-master'][0] - -- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters" - set_fact: - sync_helm_certs: (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('')) - when: - - inventory_hostname != groups['kube-master'][0] - with_items: - - "{{ helm_client_certs }}" - -- name: Gen_helm_tiller_certs | Gather helm client certs - # noqa 303 - tar is called intentionally here, but maybe this should be done with the slurp module - shell: "set -o pipefail && tar cfz - -C {{ helm_home_dir }} {{ helm_client_certs|join(' ') }} | base64 --wrap=0" - args: - executable: /bin/bash - no_log: true - register: helm_client_cert_data - check_mode: no - delegate_to: "{{ groups['kube-master'][0] }}" - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters - tempfile: - state: file - path: /tmp - prefix: helmcertsXXXXX - suffix: tar.gz - register: helm_cert_tempfile - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Write helm client certs to tempfile - copy: - content: "{{ helm_client_cert_data.stdout }}" - dest: "{{ helm_cert_tempfile.path }}" - owner: root - mode: "0600" - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Unpack helm certs on - shell: "set -o pipefail && base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}" - args: - executable: /bin/bash - no_log: true - changed_when: false - check_mode: no - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Cleanup tempfile on masters - file: - path: "{{ helm_cert_tempfile.path }}" - state: absent - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_certs | check certificate permissions - file: - path: "{{ helm_home_dir }}" - group: "{{ helm_cert_group }}" - state: directory - owner: "{{ helm_cert_owner }}" - mode: "u=rwX,g-rwx,o-rwx" - recurse: yes diff --git a/roles/kubernetes-apps/helm/tasks/install_docker.yml b/roles/kubernetes-apps/helm/tasks/install_docker.yml deleted file mode 100644 index 1fda9d347..000000000 --- a/roles/kubernetes-apps/helm/tasks/install_docker.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Helm | Set up helm docker launcher - template: - src: helm-container.j2 - dest: "{{ bin_dir }}/helm" - owner: root - mode: 0755 - register: helm_container diff --git a/roles/kubernetes-apps/helm/tasks/install_host.yml b/roles/kubernetes-apps/helm/tasks/install_host.yml deleted file mode 100644 index e4eb54c43..000000000 --- a/roles/kubernetes-apps/helm/tasks/install_host.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -- name: Helm | Set commands for helm host tasks - set_fact: - helm_compare_command: >- - {%- if container_manager in ['docker', 'crio'] %} - {{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /usr/bin/cmp {{ helm_image_repo }}:{{ helm_image_tag }} /usr/local/bin/helm /systembindir/helm - {%- elif container_manager == "containerd" %} - ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-compare sh -c 'cmp /usr/local/bin/helm /systembindir/helm' - {%- endif %} - helm_copy_command: >- - {%- if container_manager in ['docker', 'crio'] %} - {{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /bin/cp {{ helm_image_repo }}:{{ helm_image_tag }} -f /usr/local/bin/helm /systembindir/helm - {%- elif container_manager == "containerd" %} - ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-copy sh -c '/bin/cp -f /usr/local/bin/helm /systembindir/helm' - {%- endif %} - -- name: Helm | ensure helm container is pulled for containerd - command: "ctr i pull {{ helm_image_repo }}:{{ helm_image_tag }}" - when: container_manager == "containerd" - -- name: Helm | Compare host helm with helm container - command: "{{ helm_compare_command }}" - register: helm_task_compare_result - until: helm_task_compare_result.rc in [0,1,2] - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - changed_when: false - failed_when: "helm_task_compare_result.rc not in [0,1,2]" - -- name: Helm | Copy helm from helm container - command: "{{ helm_copy_command }}" - when: helm_task_compare_result.rc != 0 - register: helm_task_result - until: helm_task_result.rc == 0 - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - -- name: Helm | Copy socat wrapper for Flatcar Container Linux by Kinvolk - command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}" - args: - creates: "{{ bin_dir }}/socat" - when: ansible_os_family in ['Flatcar Container Linux by Kinvolk'] diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml index 83bedb38b..f4d2e1904 100644 --- a/roles/kubernetes-apps/helm/tasks/main.yml +++ b/roles/kubernetes-apps/helm/tasks/main.yml @@ -1,131 +1,34 @@ --- -- name: Helm | Make sure HELM_HOME directory exists - file: path={{ helm_home_dir }} state=directory - -- name: Helm | Set up helm launcher - include_tasks: "install_{{ helm_deployment_type }}.yml" - -- name: Helm | Lay Down Helm Manifests (RBAC) - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - with_items: - - {name: tiller, file: tiller-namespace.yml, type: namespace} - - {name: tiller, file: tiller-sa.yml, type: sa} - - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding} - register: manifests - when: - - dns_mode != 'none' - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - -- name: Helm | Apply Helm Manifests (RBAC) - kube: - name: "{{ item.item.name }}" - namespace: "{{ tiller_namespace }}" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - with_items: "{{ manifests.results }}" - when: - - dns_mode != 'none' - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - -# Generate necessary certs for securing Helm and Tiller connection with TLS -- name: Helm | Set up TLS - include_tasks: "gen_helm_tiller_certs.yml" - when: - - tiller_enable_tls - - helm_version is version('v3.0.0', '<') - -- name: Helm | Install client on all masters - command: > - {{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }} - {% if helm_skip_refresh %} --skip-refresh{% endif %} - {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} - --client-only - environment: "{{ proxy_env }}" - changed_when: false - when: - - helm_version is version('v3.0.0', '<') - -# FIXME: https://github.com/helm/helm/issues/6374 -- name: Helm | Install/upgrade helm - shell: > - set -o pipefail && - {{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }} - {% if helm_skip_refresh %} --skip-refresh{% endif %} - {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} - --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} - {% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %} - {% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %} - --override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %} - {% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %} - {% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %} - {% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %} - {% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %} - --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' - {% if tiller_wait %} --wait{% endif %} - {% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %} - --output yaml - | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' - | {{ bin_dir }}/kubectl apply -f - - args: - executable: /bin/bash - register: install_helm - when: - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - changed_when: false - environment: "{{ proxy_env }}" - -# FIXME: https://github.com/helm/helm/issues/4063 -- name: Helm | Force apply tiller overrides if necessary - shell: > - set -o pipefail && - {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }} - {% if helm_skip_refresh %} --skip-refresh{% endif %} - {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} - {% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %} - {% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %} - --override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %} - {% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %} - {% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %} - {% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %} - {% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %} - --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' - {% if tiller_wait %} --wait{% endif %} - {% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %} - --output yaml - | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' - | {{ bin_dir }}/kubectl apply -f - - args: - executable: /bin/bash - changed_when: false - when: - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - environment: "{{ proxy_env }}" - -- name: Helm | Add/update stable repo on all masters - command: "{{ bin_dir }}/helm repo add stable {{ helm_stable_repo_url }}" - environment: "{{ proxy_env }}" - when: - - helm_version is version('v3.0.0', '>=') - - helm_stable_repo_url is defined - -- name: Make sure bash_completion.d folder exists # noqa 503 - file: - name: "/etc/bash_completion.d/" - state: directory - when: - - ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed)) - - ansible_os_family in ["ClearLinux"] - -- name: Helm | Set up bash completion # noqa 503 - shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh" - when: - - ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed)) - - not ansible_os_family in ["Flatcar Container Linux by Kinvolk"] +- name: Helm | Download helm + include_tasks: "../../../download/tasks/download_file.yml" + vars: + download: "{{ download_defaults | combine(downloads.helm) }}" + +- name: Copy helm binary from download dir + synchronize: + src: "{{ local_release_dir }}/helm-{{ helm_version }}/linux-{{ image_arch }}/helm" + dest: "{{ bin_dir }}/helm" + compress: no + perms: yes + owner: no + group: no + delegate_to: "{{ inventory_hostname }}" + +- name: Check if bash_completion.d folder exists # noqa 503 + stat: + path: "/etc/bash_completion.d/" + register: stat_result + +- name: Get helm completion + command: "{{ bin_dir }}/helm completion bash" + changed_when: False + register: helm_completion + check_mode: False + when: stat_result.stat.exists + +- name: Install helm completion + copy: + dest: /etc/bash_completion.d/helm.sh + content: "{{ helm_completion.stdout }}" + become: True + when: stat_result.stat.exists diff --git a/roles/kubernetes-apps/helm/templates/helm-container.j2 b/roles/kubernetes-apps/helm/templates/helm-container.j2 deleted file mode 100644 index e760d0056..000000000 --- a/roles/kubernetes-apps/helm/templates/helm-container.j2 +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -{{ docker_bin_dir }}/docker run --rm \ - --net=host \ - --name=helm \ - -v {{ ansible_env.HOME | default('/root') }}/.kube:/root/.kube:ro \ - -v /etc/ssl:/etc/ssl:ro \ - -v {{ helm_home_dir }}:{{ helm_home_dir }}:rw \ - {% for dir in ssl_ca_dirs -%} - -v {{ dir }}:{{ dir }}:ro \ - {% endfor -%} - {% if http_proxy is defined or https_proxy is defined -%} - -e http_proxy="{{proxy_env.http_proxy}}" \ - -e https_proxy="{{proxy_env.https_proxy}}" \ - -e no_proxy="{{proxy_env.no_proxy}}" \ - {% endif -%} - {{ helm_image_repo }}:{{ helm_image_tag}} \ - "$@" diff --git a/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2 b/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2 deleted file mode 100644 index f82d51c9c..000000000 --- a/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2 +++ /dev/null @@ -1,76 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o pipefail - -usage() -{ - cat << EOF -Create self signed certificates - -Usage : $(basename $0) -f [-d ] - -h | --help : Show this message - -e | --helm-home : Helm home directory - -d | --ssldir : Directory where the certificates will be installed -EOF -} - -# Options parsing -while (($#)); do - case "$1" in - -h | --help) usage; exit 0;; - -e | --helm-home) HELM_HOME="${2}"; shift 2;; - -d | --ssldir) SSLDIR="${2}"; shift 2;; - *) - usage - echo "ERROR : Unknown option" - exit 3 - ;; - esac -done - -if [ -z ${SSLDIR} ]; then - SSLDIR="/etc/kubernetes/helm/ssl" -fi - -tmpdir=$(mktemp -d /tmp/helm_cacert.XXXXXX) -trap 'rm -rf "${tmpdir}"' EXIT -cd "${tmpdir}" - -mkdir -p "${SSLDIR}" - -# Root CA -if [ -e "$SSLDIR/ca-key.pem" ]; then - # Reuse existing CA - cp $SSLDIR/{ca.pem,ca-key.pem} . -else - openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1 - openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1 -fi - -gen_key_and_cert() { - local name=$1 - local subject=$2 - openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1 - openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1 - openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1 -} - -#Generate cert and key for Tiller if they don't exist -if ! [ -e "$SSLDIR/tiller.pem" ]; then - gen_key_and_cert "tiller" "/CN=tiller-server" -fi - -#Generate cert and key for Helm client if they don't exist -if ! [ -e "$SSLDIR/helm.pem" ]; then - gen_key_and_cert "helm" "/CN=helm-client" -fi - -# Secure certs to first master -mv *.pem ${SSLDIR}/ - -# Install Helm client certs to first master -# Copy using Helm default names for convenience -cp ${SSLDIR}/ca.pem ${HELM_HOME}/ca.pem -cp ${SSLDIR}/helm.pem ${HELM_HOME}/cert.pem -cp ${SSLDIR}/helm-key.pem ${HELM_HOME}/key.pem diff --git a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 deleted file mode 100644 index 56af87be7..000000000 --- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,29 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tiller - namespace: {{ tiller_namespace }} -subjects: - - kind: ServiceAccount - name: {{ tiller_service_account }} - namespace: {{ tiller_namespace }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -{% if podsecuritypolicy_enabled %} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: psp:tiller -subjects: - - kind: ServiceAccount - name: {{ tiller_service_account }} - namespace: {{ tiller_namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: psp:privileged -{% endif %} diff --git a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 deleted file mode 100644 index 455742185..000000000 --- a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: "{{ tiller_namespace}}" diff --git a/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2 deleted file mode 100644 index 8a17b1972..000000000 --- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2 +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ tiller_service_account }} - namespace: {{ tiller_namespace }} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md b/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md index 08999c837..3d59dabd2 100644 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md @@ -180,17 +180,14 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers ## Using Helm -NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [stable/nginx-ingress](https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress) from the official charts repository. -To install the chart with the release name `my-nginx`: +NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx). +Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) -```console -helm install stable/nginx-ingress --name my-nginx -``` - -If the kubernetes cluster has RBAC enabled, then run: +To install the chart with the release name `my-nginx`: ```console -helm install stable/nginx-ingress --name my-nginx --set rbac.create=true +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm install my-nginx ingress-nginx/ingress-nginx ``` Detect installed version: diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index aa6cf675e..c5809b9bb 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -303,8 +303,6 @@ containerd_use_systemd_cgroup: false etcd_deployment_type: docker cert_management: script -helm_deployment_type: host - # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts kubeconfig_localhost: false # Download kubectl onto the host that runs Ansible in {{ bin_dir }} diff --git a/tests/files/packet_centos7-calico-ha.yml b/tests/files/packet_centos7-calico-ha.yml index d0b488dc1..526f12899 100644 --- a/tests/files/packet_centos7-calico-ha.yml +++ b/tests/files/packet_centos7-calico-ha.yml @@ -12,6 +12,3 @@ dns_min_replicas: 1 typha_enabled: true calico_backend: kdd typha_secure: true - -# Test helm 2 install -helm_version: v2.16.7