Merge pull request #3176 from equinix-ms/master

Add option to change the Tiller Deployment namespace.
6 years ago · f82a1933b0
6 changed files with 41 additions and 18 deletions
--- a/roles/kubernetes-apps/helm/defaults/main.yml
+++ b/roles/kubernetes-apps/helm/defaults/main.yml
@ -13,6 +13,9 @@ helm_skip_refresh: false
 # Set URL for stable repository
 # helm_stable_repo_url: "https://kubernetes-charts.storage.googleapis.com"

+# Namespace for the Tiller Deployment.
+tiller_namespace: kube-system
+
 # Set node selector options for Tiller Deployment manifest.
 # tiller_node_selectors: "key1=val1,key2=val2"

--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
@ -7,9 +7,10 @@

 - name: Helm | Lay Down Helm Manifests (RBAC)
  template:
-    src: "{{item.file}}"
+    src: "{{item.file}}.j2"
    dest: "{{kube_config_dir}}/{{item.file}}"
  with_items:
+    - {name: tiller, file: tiller-namespace.yml, type: namespace}
    - {name: tiller, file: tiller-sa.yml, type: sa}
    - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
  register: manifests
@ -18,7 +19,7 @@
 - name: Helm | Apply Helm Manifests (RBAC)
  kube:
    name: "{{item.item.name}}"
-    namespace: "kube-system"
+    namespace: "{{ tiller_namespace }}"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
@ -28,7 +29,7 @@

 - name: Helm | Install/upgrade helm
  command: >
-    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
+    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
    {% if helm_skip_refresh %} --skip-refresh{% endif %}
    {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
    {% if rbac_enabled %} --service-account=tiller{% endif %}
--- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
+++ b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
@ -1,14 +0,0 @@
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: tiller
-  namespace: kube-system
-subjects:
-  - kind: ServiceAccount
-    name: tiller
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io
--- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2
@ -0,0 +1,29 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: tiller
+  namespace: {{ tiller_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: {{ tiller_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+{% if podsecuritypolicy_enabled %}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: psp:tiller
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: {{ tiller_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+{% endif %}
--- a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
+++ b/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "{{ tiller_namespace}}"
--- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2
+++ b/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tiller
-  namespace: kube-system
+  namespace: {{ tiller_namespace }}
  labels:
    kubernetes.io/cluster-service: "true"