add option to secure helm tiller with tls

This commit is contained in:
georgejdli
2018-09-06 10:14:18 -05:00
committed by Li, George (gl741q)
parent 7bf09945f2
commit b891d77679
4 changed files with 212 additions and 0 deletions


@@ -27,6 +27,11 @@
with_items: "{{ manifests.results }}"
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
# Generate necessary certs for securing Helm and Tiller connection with TLS
- name: Helm | Set up TLS
include_tasks: "gen_helm_tiller_certs.yml"
when: tiller_enable_tls
- name: Helm | Install/upgrade helm
command: >
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
@@ -36,8 +41,11 @@
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
{% if tiller_override is defined %} --override {{ tiller_override }}{% endif %}
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
register: install_helm
changed_when: false
environment: "{{proxy_env}}"
# FIXME: https://github.com/helm/helm/issues/4063
- name: Helm | Force apply tiller overrides if necessary
@@ -49,9 +57,12 @@
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
{% if tiller_override is defined %} --override {{ tiller_override }}{% endif %}
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
| kubectl apply -f -
changed_when: false
when: tiller_override is defined
environment: "{{proxy_env}}"
- name: Helm | Set up bash completion
shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh"
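Review bot: The "Force apply tiller overrides" task in the last hunk now carries the `--storage=secret` override (the `tiller_secure_release_info` line) but is still gated by `when: tiller_override is defined`, so a user who enables `tiller_secure_release_info` without also setting `tiller_override` never runs the kubectl-apply workaround, and if the helm issue referenced in the FIXME above this task also affects this override, Tiller keeps storing release information in plain ConfigMaps while the variable says otherwise. Extending the condition to `when: tiller_override is defined or tiller_secure_release_info` keeps the workaround path consistent with the flags the task emits; the same mismatch applies to the TLS flags if `helm init --upgrade` ignores them on an existing deployment, which I cannot confirm from these lines. Separately, `--tiller-tls-verify` in the second hunk makes Tiller require client certificates, so every later helm client call in this role and the other three changed files (not visible here) must pass `--tls` with a matching client cert/key or it will be rejected; a short comment on the `Helm | Set up TLS` task stating that contract would help the next maintainer. The task this hunk belongs to starts above the hunk header.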