mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-02-28 09:39:12 +03:00
Helm v3 only (#6846)
* Fix etcd download dest Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * Only support Helm v3, cleanup install Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This commit is contained in:
Etienne Champetier
committed by
GitHub
GitHub
parent
4f7a760a94
commit
68b96bdf1a
@@ -1,53 +1,2 @@
|
||||
---
|
||||
helm_enabled: false
|
||||
|
||||
# specify a dir and attach it to helm for HELM_HOME.
|
||||
helm_home_dir: "/root/.helm"
|
||||
|
||||
# Deployment mode: host or docker
|
||||
helm_deployment_type: host
|
||||
|
||||
# Wait until Tiller is running and ready to receive requests
|
||||
tiller_wait: false
|
||||
|
||||
# Do not download the local repository cache on helm init
|
||||
helm_skip_refresh: false
|
||||
|
||||
# Secure Tiller installation with TLS
|
||||
tiller_enable_tls: false
|
||||
helm_config_dir: "{{ kube_config_dir }}/helm"
|
||||
helm_script_dir: "{{ bin_dir }}/helm-scripts"
|
||||
|
||||
# Store tiller release information as Secret instead of a ConfigMap
|
||||
tiller_secure_release_info: false
|
||||
|
||||
# Where private root key will be secured for TLS
|
||||
helm_tiller_cert_dir: "{{ helm_config_dir }}/ssl"
|
||||
tiller_tls_cert: "{{ helm_tiller_cert_dir }}/tiller.pem"
|
||||
tiller_tls_key: "{{ helm_tiller_cert_dir }}/tiller-key.pem"
|
||||
tiller_tls_ca_cert: "{{ helm_tiller_cert_dir }}/ca.pem"
|
||||
|
||||
# Permission owner and group for helm client cert. Will be dependent on the helm_home_dir
|
||||
helm_cert_group: root
|
||||
helm_cert_owner: root
|
||||
|
||||
# Set URL for stable repository
|
||||
# helm_stable_repo_url: "https://charts.helm.sh/stable"
|
||||
|
||||
# Namespace for the Tiller Deployment.
|
||||
tiller_namespace: kube-system
|
||||
|
||||
# Set node selector options for Tiller Deployment manifest.
|
||||
# tiller_node_selectors: "key1=val1,key2=val2"
|
||||
|
||||
# Override values for the Tiller Deployment manifest.
|
||||
# tiller_override: "key1=val1,key2=val2"
|
||||
|
||||
# Limit the maximum number of revisions saved per release. Use 0 for no limit.
|
||||
# tiller_max_history: 0
|
||||
|
||||
# The name of the tiller service account
|
||||
tiller_service_account: tiller
|
||||
|
||||
# The number of tiller pod replicas. If not defined, tiller defaults to a single replica
|
||||
# tiller_replicas: 1
|
||||
|
||||
@@ -1,110 +0,0 @@
|
||||
---
|
||||
- name: "Gen_helm_tiller_certs | Create helm config directory (on {{ groups['kube-master'][0] }})"
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
file:
|
||||
path: "{{ helm_config_dir }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
|
||||
- name: "Gen_helm_tiller_certs | Create helm script directory (on {{ groups['kube-master'][0] }})"
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
file:
|
||||
path: "{{ helm_script_dir }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
|
||||
- name: Gen_helm_tiller_certs | Copy certs generation script
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
template:
|
||||
src: "helm-make-ssl.sh.j2"
|
||||
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
|
||||
mode: 0700
|
||||
|
||||
- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{ groups['kube-master'][0] }})"
|
||||
find:
|
||||
paths: "{{ helm_home_dir }}"
|
||||
patterns: "*.pem"
|
||||
get_checksum: true
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
register: helmcert_master
|
||||
run_once: true
|
||||
|
||||
- name: Gen_helm_tiller_certs | run cert generation script # noqa 301
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}"
|
||||
|
||||
- name: Check_helm_client_certs | Set helm_client_certs
|
||||
set_fact:
|
||||
helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem']
|
||||
|
||||
- name: "Check_helm_client_certs | check if a cert already exists on master node"
|
||||
find:
|
||||
paths: "{{ helm_home_dir }}"
|
||||
patterns: "*.pem"
|
||||
get_checksum: true
|
||||
register: helmcert_node
|
||||
when: inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters"
|
||||
set_fact:
|
||||
sync_helm_certs: (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
|
||||
when:
|
||||
- inventory_hostname != groups['kube-master'][0]
|
||||
with_items:
|
||||
- "{{ helm_client_certs }}"
|
||||
|
||||
- name: Gen_helm_tiller_certs | Gather helm client certs
|
||||
# noqa 303 - tar is called intentionally here, but maybe this should be done with the slurp module
|
||||
shell: "set -o pipefail && tar cfz - -C {{ helm_home_dir }} {{ helm_client_certs|join(' ') }} | base64 --wrap=0"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
no_log: true
|
||||
register: helm_client_cert_data
|
||||
check_mode: no
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters
|
||||
tempfile:
|
||||
state: file
|
||||
path: /tmp
|
||||
prefix: helmcertsXXXXX
|
||||
suffix: tar.gz
|
||||
register: helm_cert_tempfile
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Write helm client certs to tempfile
|
||||
copy:
|
||||
content: "{{ helm_client_cert_data.stdout }}"
|
||||
dest: "{{ helm_cert_tempfile.path }}"
|
||||
owner: root
|
||||
mode: "0600"
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Unpack helm certs on
|
||||
shell: "set -o pipefail && base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
no_log: true
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Cleanup tempfile on masters
|
||||
file:
|
||||
path: "{{ helm_cert_tempfile.path }}"
|
||||
state: absent
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_certs | check certificate permissions
|
||||
file:
|
||||
path: "{{ helm_home_dir }}"
|
||||
group: "{{ helm_cert_group }}"
|
||||
state: directory
|
||||
owner: "{{ helm_cert_owner }}"
|
||||
mode: "u=rwX,g-rwx,o-rwx"
|
||||
recurse: yes
|
||||
@@ -1,8 +0,0 @@
|
||||
---
|
||||
- name: Helm | Set up helm docker launcher
|
||||
template:
|
||||
src: helm-container.j2
|
||||
dest: "{{ bin_dir }}/helm"
|
||||
owner: root
|
||||
mode: 0755
|
||||
register: helm_container
|
||||
@@ -1,42 +0,0 @@
|
||||
---
|
||||
- name: Helm | Set commands for helm host tasks
|
||||
set_fact:
|
||||
helm_compare_command: >-
|
||||
{%- if container_manager in ['docker', 'crio'] %}
|
||||
{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /usr/bin/cmp {{ helm_image_repo }}:{{ helm_image_tag }} /usr/local/bin/helm /systembindir/helm
|
||||
{%- elif container_manager == "containerd" %}
|
||||
ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-compare sh -c 'cmp /usr/local/bin/helm /systembindir/helm'
|
||||
{%- endif %}
|
||||
helm_copy_command: >-
|
||||
{%- if container_manager in ['docker', 'crio'] %}
|
||||
{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /bin/cp {{ helm_image_repo }}:{{ helm_image_tag }} -f /usr/local/bin/helm /systembindir/helm
|
||||
{%- elif container_manager == "containerd" %}
|
||||
ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-copy sh -c '/bin/cp -f /usr/local/bin/helm /systembindir/helm'
|
||||
{%- endif %}
|
||||
|
||||
- name: Helm | ensure helm container is pulled for containerd
|
||||
command: "ctr i pull {{ helm_image_repo }}:{{ helm_image_tag }}"
|
||||
when: container_manager == "containerd"
|
||||
|
||||
- name: Helm | Compare host helm with helm container
|
||||
command: "{{ helm_compare_command }}"
|
||||
register: helm_task_compare_result
|
||||
until: helm_task_compare_result.rc in [0,1,2]
|
||||
retries: 4
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
changed_when: false
|
||||
failed_when: "helm_task_compare_result.rc not in [0,1,2]"
|
||||
|
||||
- name: Helm | Copy helm from helm container
|
||||
command: "{{ helm_copy_command }}"
|
||||
when: helm_task_compare_result.rc != 0
|
||||
register: helm_task_result
|
||||
until: helm_task_result.rc == 0
|
||||
retries: 4
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
|
||||
- name: Helm | Copy socat wrapper for Flatcar Container Linux by Kinvolk
|
||||
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}"
|
||||
args:
|
||||
creates: "{{ bin_dir }}/socat"
|
||||
when: ansible_os_family in ['Flatcar Container Linux by Kinvolk']
|
||||
@@ -1,131 +1,34 @@
|
||||
---
|
||||
- name: Helm | Make sure HELM_HOME directory exists
|
||||
file: path={{ helm_home_dir }} state=directory
|
||||
- name: Helm | Download helm
|
||||
include_tasks: "../../../download/tasks/download_file.yml"
|
||||
vars:
|
||||
download: "{{ download_defaults | combine(downloads.helm) }}"
|
||||
|
||||
- name: Helm | Set up helm launcher
|
||||
include_tasks: "install_{{ helm_deployment_type }}.yml"
|
||||
- name: Copy helm binary from download dir
|
||||
synchronize:
|
||||
src: "{{ local_release_dir }}/helm-{{ helm_version }}/linux-{{ image_arch }}/helm"
|
||||
dest: "{{ bin_dir }}/helm"
|
||||
compress: no
|
||||
perms: yes
|
||||
owner: no
|
||||
group: no
|
||||
delegate_to: "{{ inventory_hostname }}"
|
||||
|
||||
- name: Helm | Lay Down Helm Manifests (RBAC)
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/{{ item.file }}"
|
||||
with_items:
|
||||
- {name: tiller, file: tiller-namespace.yml, type: namespace}
|
||||
- {name: tiller, file: tiller-sa.yml, type: sa}
|
||||
- {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
register: manifests
|
||||
when:
|
||||
- dns_mode != 'none'
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
- name: Check if bash_completion.d folder exists # noqa 503
|
||||
stat:
|
||||
path: "/etc/bash_completion.d/"
|
||||
register: stat_result
|
||||
|
||||
- name: Helm | Apply Helm Manifests (RBAC)
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ tiller_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ manifests.results }}"
|
||||
when:
|
||||
- dns_mode != 'none'
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
- name: Get helm completion
|
||||
command: "{{ bin_dir }}/helm completion bash"
|
||||
changed_when: False
|
||||
register: helm_completion
|
||||
check_mode: False
|
||||
when: stat_result.stat.exists
|
||||
|
||||
# Generate necessary certs for securing Helm and Tiller connection with TLS
|
||||
- name: Helm | Set up TLS
|
||||
include_tasks: "gen_helm_tiller_certs.yml"
|
||||
when:
|
||||
- tiller_enable_tls
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
|
||||
- name: Helm | Install client on all masters
|
||||
command: >
|
||||
{{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }}
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
--client-only
|
||||
environment: "{{ proxy_env }}"
|
||||
changed_when: false
|
||||
when:
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
|
||||
# FIXME: https://github.com/helm/helm/issues/6374
|
||||
- name: Helm | Install/upgrade helm
|
||||
shell: >
|
||||
set -o pipefail &&
|
||||
{{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }}
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
--upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }}
|
||||
{% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %}
|
||||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
|
||||
--override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}
|
||||
{% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %}
|
||||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
|
||||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
|
||||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
|
||||
--override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm'
|
||||
{% if tiller_wait %} --wait{% endif %}
|
||||
{% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %}
|
||||
--output yaml
|
||||
| sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@'
|
||||
| {{ bin_dir }}/kubectl apply -f -
|
||||
args:
|
||||
executable: /bin/bash
|
||||
register: install_helm
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
changed_when: false
|
||||
environment: "{{ proxy_env }}"
|
||||
|
||||
# FIXME: https://github.com/helm/helm/issues/4063
|
||||
- name: Helm | Force apply tiller overrides if necessary
|
||||
shell: >
|
||||
set -o pipefail &&
|
||||
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
{% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %}
|
||||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
|
||||
--override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}
|
||||
{% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %}
|
||||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
|
||||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
|
||||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
|
||||
--override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm'
|
||||
{% if tiller_wait %} --wait{% endif %}
|
||||
{% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %}
|
||||
--output yaml
|
||||
| sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@'
|
||||
| {{ bin_dir }}/kubectl apply -f -
|
||||
args:
|
||||
executable: /bin/bash
|
||||
changed_when: false
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
environment: "{{ proxy_env }}"
|
||||
|
||||
- name: Helm | Add/update stable repo on all masters
|
||||
command: "{{ bin_dir }}/helm repo add stable {{ helm_stable_repo_url }}"
|
||||
environment: "{{ proxy_env }}"
|
||||
when:
|
||||
- helm_version is version('v3.0.0', '>=')
|
||||
- helm_stable_repo_url is defined
|
||||
|
||||
- name: Make sure bash_completion.d folder exists # noqa 503
|
||||
file:
|
||||
name: "/etc/bash_completion.d/"
|
||||
state: directory
|
||||
when:
|
||||
- ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed))
|
||||
- ansible_os_family in ["ClearLinux"]
|
||||
|
||||
- name: Helm | Set up bash completion # noqa 503
|
||||
shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh"
|
||||
when:
|
||||
- ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed))
|
||||
- not ansible_os_family in ["Flatcar Container Linux by Kinvolk"]
|
||||
- name: Install helm completion
|
||||
copy:
|
||||
dest: /etc/bash_completion.d/helm.sh
|
||||
content: "{{ helm_completion.stdout }}"
|
||||
become: True
|
||||
when: stat_result.stat.exists
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
#!/bin/bash
|
||||
{{ docker_bin_dir }}/docker run --rm \
|
||||
--net=host \
|
||||
--name=helm \
|
||||
-v {{ ansible_env.HOME | default('/root') }}/.kube:/root/.kube:ro \
|
||||
-v /etc/ssl:/etc/ssl:ro \
|
||||
-v {{ helm_home_dir }}:{{ helm_home_dir }}:rw \
|
||||
{% for dir in ssl_ca_dirs -%}
|
||||
-v {{ dir }}:{{ dir }}:ro \
|
||||
{% endfor -%}
|
||||
{% if http_proxy is defined or https_proxy is defined -%}
|
||||
-e http_proxy="{{proxy_env.http_proxy}}" \
|
||||
-e https_proxy="{{proxy_env.https_proxy}}" \
|
||||
-e no_proxy="{{proxy_env.no_proxy}}" \
|
||||
{% endif -%}
|
||||
{{ helm_image_repo }}:{{ helm_image_tag}} \
|
||||
"$@"
|
||||
@@ -1,76 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -o errexit
|
||||
set -o pipefail
|
||||
|
||||
usage()
|
||||
{
|
||||
cat << EOF
|
||||
Create self signed certificates
|
||||
|
||||
Usage : $(basename $0) -f <config> [-d <ssldir>]
|
||||
-h | --help : Show this message
|
||||
-e | --helm-home : Helm home directory
|
||||
-d | --ssldir : Directory where the certificates will be installed
|
||||
EOF
|
||||
}
|
||||
|
||||
# Options parsing
|
||||
while (($#)); do
|
||||
case "$1" in
|
||||
-h | --help) usage; exit 0;;
|
||||
-e | --helm-home) HELM_HOME="${2}"; shift 2;;
|
||||
-d | --ssldir) SSLDIR="${2}"; shift 2;;
|
||||
*)
|
||||
usage
|
||||
echo "ERROR : Unknown option"
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z ${SSLDIR} ]; then
|
||||
SSLDIR="/etc/kubernetes/helm/ssl"
|
||||
fi
|
||||
|
||||
tmpdir=$(mktemp -d /tmp/helm_cacert.XXXXXX)
|
||||
trap 'rm -rf "${tmpdir}"' EXIT
|
||||
cd "${tmpdir}"
|
||||
|
||||
mkdir -p "${SSLDIR}"
|
||||
|
||||
# Root CA
|
||||
if [ -e "$SSLDIR/ca-key.pem" ]; then
|
||||
# Reuse existing CA
|
||||
cp $SSLDIR/{ca.pem,ca-key.pem} .
|
||||
else
|
||||
openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
gen_key_and_cert() {
|
||||
local name=$1
|
||||
local subject=$2
|
||||
openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1
|
||||
openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1
|
||||
}
|
||||
|
||||
#Generate cert and key for Tiller if they don't exist
|
||||
if ! [ -e "$SSLDIR/tiller.pem" ]; then
|
||||
gen_key_and_cert "tiller" "/CN=tiller-server"
|
||||
fi
|
||||
|
||||
#Generate cert and key for Helm client if they don't exist
|
||||
if ! [ -e "$SSLDIR/helm.pem" ]; then
|
||||
gen_key_and_cert "helm" "/CN=helm-client"
|
||||
fi
|
||||
|
||||
# Secure certs to first master
|
||||
mv *.pem ${SSLDIR}/
|
||||
|
||||
# Install Helm client certs to first master
|
||||
# Copy using Helm default names for convenience
|
||||
cp ${SSLDIR}/ca.pem ${HELM_HOME}/ca.pem
|
||||
cp ${SSLDIR}/helm.pem ${HELM_HOME}/cert.pem
|
||||
cp ${SSLDIR}/helm-key.pem ${HELM_HOME}/key.pem
|
||||
@@ -1,29 +0,0 @@
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: tiller
|
||||
namespace: {{ tiller_namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ tiller_service_account }}
|
||||
namespace: {{ tiller_namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{% if podsecuritypolicy_enabled %}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: psp:tiller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ tiller_service_account }}
|
||||
namespace: {{ tiller_namespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: psp:privileged
|
||||
{% endif %}
|
||||
@@ -1,4 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: "{{ tiller_namespace}}"
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ tiller_service_account }}
|
||||
namespace: {{ tiller_namespace }}
|
||||
Reference in New Issue
Block a user