From a89ee8c4067c1a695b430ff3a731e6a4a17098c2 Mon Sep 17 00:00:00 2001
From: Chad Swenson
Date: Mon, 13 Nov 2017 13:59:31 -0600
Subject: [PATCH] Add ability to use custom cert secret instead of init container provisioned self-signed certs

---
 roles/kubernetes-apps/ansible/defaults/main.yml | 6 ++++++
 roles/kubernetes-apps/ansible/tasks/dashboard.yml | 3 ++-
 roles/kubernetes-apps/ansible/tasks/main.yml | 4 +++-
 roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 | 8 +++++---
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index b8f9cc206..5951086e9 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -54,6 +54,12 @@ dashboard_memory_requests: 64M
 # SSL
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
+# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
+# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
+dashboard_use_custom_certs: false
+dashboard_certs_secret_name: kubernetes-dashboard-certs
+dashboard_tls_key_file: dashboard.key
+dashboard_tls_cert_file: dashboard.crt
 
 rbac_resources:
 - sa
diff --git a/roles/kubernetes-apps/ansible/tasks/dashboard.yml b/roles/kubernetes-apps/ansible/tasks/dashboard.yml
index 530796c21..84816127e 100644
--- a/roles/kubernetes-apps/ansible/tasks/dashboard.yml
+++ b/roles/kubernetes-apps/ansible/tasks/dashboard.yml
@@ -5,7 +5,8 @@
 kubectl: "{{bin_dir}}/kubectl" resource: "{{ item }}" state: absent - with_items: ['ClusterRoleBinding'] + with_items: - 'ClusterRoleBinding' tags: - upgrade
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 025b4fab6..7b36d4536 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
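Review bot: The comment added above `dashboard_use_custom_certs` should also state that nothing in this role creates the secret named by `dashboard_certs_secret_name`: when the flag is true the operator must create it in the dashboard's namespace before the Deployment is applied, because a pod whose `secret` volume references a missing secret cannot start, and the secret's data keys must equal `dashboard_tls_key_file` and `dashboard_tls_cert_file` since those names are what the container is pointed at under `/certs`. A third comment line such as `# The secret is not created by this role: it must already exist in the dashboard namespace, with data keys matching the two file names below.` covers both points. The two new comment lines also run well past 100 columns; wrapping them would make the block easier to read in the defaults file.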
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -15,7 +15,9 @@
 kubectl: "{{bin_dir}}/kubectl" resource: "{{ item }}" state: absent - with_items: ['deploy', 'svc'] + with_items: - 'deploy' - 'svc' tags: - upgrade
diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
index 35415326e..b16ddd467 100644
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -127,12 +127,14 @@ spec:
 labels:
 k8s-app: kubernetes-dashboard
 spec:
+{% if not dashboard_use_custom_certs %}
 initContainers:
 - name: kubernetes-dashboard-init
 image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
 volumeMounts:
 - name: kubernetes-dashboard-certs
 mountPath: /certs
+{% endif %}
 containers:
 - name: kubernetes-dashboard
 image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
@@ -148,8 +150,8 @@ spec:
 - containerPort: 8443
 protocol: TCP
 args:
- - --tls-key-file=/certs/dashboard.key
- - --tls-cert-file=/certs/dashboard.crt
+ - --tls-key-file=/certs/{{ dashboard_tls_key_file }}
+ - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }}
 - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
 # Uncomment the following line to manually specify Kubernetes API server Host
 # If not specified, Dashboard will attempt to auto discover the API server and connect
@@ -172,7 +174,7 @@ spec:
 volumes:
 - name: kubernetes-dashboard-certs
 secret:
- secretName: kubernetes-dashboard-certs
+ secretName: {{ dashboard_certs_secret_name }}
 - name: tmp-volume
 emptyDir: {}
 serviceAccountName: kubernetes-dashboard
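Review bot: The guard `{% if not dashboard_use_custom_certs %}` applies Jinja2 truthiness to the raw value, so a flag supplied as a string — for instance `-e dashboard_use_custom_certs=false` on the ansible-playbook command line, which arrives as the string `"false"` — is truthy and silently removes the initContainer even though no custom secret was provided, leaving the dashboard container without certificate files at startup. Coerce it before testing: `{% if not dashboard_use_custom_certs|bool %}`. The pod spec this hunk edits begins and ends outside the hunk.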
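Review bot: `secretName: {{ dashboard_certs_secret_name }}` renders as a plain scalar, so an empty override, or one that looks like a YAML boolean or number, reaches the API server as `null` or a non-string instead of failing the template; `secretName: "{{ dashboard_certs_secret_name }}"` keeps it a string. A related gap the commit does not address: if this template also declares the role's own `kubernetes-dashboard-certs` Secret elsewhere in the file (not visible in this hunk), an operator who keeps the default name for their custom secret would have that placeholder re-applied over their key and certificate on every run, so that declaration should be wrapped in the same `dashboard_use_custom_certs` condition or otherwise skipped. The `volumes` list this hunk edits continues outside the hunk.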