Integrate jetstack/cert-manager 0.2.3 to Kubespray
This commit is contained in:
parent
d9418b1dc4
commit
195d6d791a
19 changed files with 268 additions and 5 deletions
|
@ -207,6 +207,10 @@ ingress_nginx_enabled: false
|
|||
# ingress_nginx_configmap_udp_services:
|
||||
# 53: "kube-system/kube-dns:53"
|
||||
|
||||
# Cert manager deployment
|
||||
cert_manager_enabled: false
|
||||
# cert_manager_namespace: "cert-manager"
|
||||
|
||||
# Add Persistent Volumes Storage Class for corresponding cloud provider ( OpenStack is only supported now )
|
||||
persistent_volumes_enabled: false
|
||||
|
||||
|
|
|
@ -124,7 +124,6 @@ fluentd_image_tag: "{{ fluentd_version }}"
|
|||
kibana_version: "v4.6.1"
|
||||
kibana_image_repo: "gcr.io/google_containers/kibana"
|
||||
kibana_image_tag: "{{ kibana_version }}"
|
||||
|
||||
helm_version: "v2.8.1"
|
||||
helm_image_repo: "lachlanevenson/k8s-helm"
|
||||
helm_image_tag: "{{ helm_version }}"
|
||||
|
@ -132,6 +131,11 @@ tiller_image_repo: "gcr.io/kubernetes-helm/tiller"
|
|||
tiller_image_tag: "{{ helm_version }}"
|
||||
vault_image_repo: "vault"
|
||||
vault_image_tag: "{{ vault_version }}"
|
||||
cert_manager_version: "v0.2.3"
|
||||
cert_manager_controller_image_repo: "quay.io/jetstack/cert-manager-controller"
|
||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||
cert_manager_ingress_shim_image_repo: "quay.io/jetstack/cert-manager-ingress-shim"
|
||||
cert_manager_ingress_shim_image_tag: "{{ cert_manager_version }}"
|
||||
|
||||
downloads:
|
||||
netcheck_server:
|
||||
|
@ -422,6 +426,22 @@ downloads:
|
|||
version: "{{ vault_version }}"
|
||||
groups:
|
||||
- vault
|
||||
cert_manager_controller:
|
||||
enabled: "{{ cert_manager_enabled }}"
|
||||
container: true
|
||||
repo: "{{ cert_manager_controller_image_repo }}"
|
||||
tag: "{{ cert_manager_controller_image_tag }}"
|
||||
sha256: "{{ cert_manager_controller_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
cert_manager_ingress_shim:
|
||||
enabled: "{{ cert_manager_enabled }}"
|
||||
container: true
|
||||
repo: "{{ cert_manager_ingress_shim_image_repo }}"
|
||||
tag: "{{ cert_manager_ingress_shim_image_tag }}"
|
||||
sha256: "{{ cert_manager_ingress_shim_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
|
||||
download_defaults:
|
||||
container: false
|
||||
|
|
|
@ -22,12 +22,12 @@ etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
|||
etcd_heartbeat_interval: "250"
|
||||
etcd_election_timeout: "5000"
|
||||
|
||||
#etcd_snapshot_count: "10000"
|
||||
# etcd_snapshot_count: "10000"
|
||||
|
||||
# Parameters for ionice
|
||||
# -c takes an integer between 0 and 3 or one of the strings none, realtime, best-effort or idle.
|
||||
# -n takes an integer between 0 (highest priority) and 7 (lowest priority)
|
||||
#etcd_ionice: "-c2 -n0"
|
||||
# etcd_ionice: "-c2 -n0"
|
||||
|
||||
etcd_metrics: "basic"
|
||||
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
Deployment files
|
||||
================
|
||||
|
||||
This directory contains example deployment manifests for cert-manager that can
|
||||
be used in place of the official Helm chart.
|
||||
|
||||
This is useful if you are deploying cert-manager into an environment without
|
||||
Helm, or want to inspect a 'bare minimum' deployment.
|
||||
|
||||
Where do these come from?
|
||||
-------------------------
|
||||
|
||||
The manifests in these subdirectories are generated from the Helm chart
|
||||
automatically. The `values.yaml` files used to configure cert-manager can be
|
||||
found in [`hack/deploy`](../../hack/deploy/).
|
||||
|
||||
They are automatically generated by running `./hack/update-deploy-gen.sh`.
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
cert_manager_namespace: "cert-manager"
|
||||
cert_manager_cpu_requests: 10m
|
||||
cert_manager_cpu_limits: 30m
|
||||
cert_manager_memory_requests: 32Mi
|
||||
cert_manager_memory_limits: 200Mi
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
|
||||
- name: Cert Manager | Create addon dir
|
||||
file:
|
||||
path: "{{ kube_config_dir }}/addons/cert_manager"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Cert Manager | Create manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
|
||||
with_items:
|
||||
- { name: cert-manager-ns, file: cert-manager-ns.yml, type: ns }
|
||||
- { name: cert-manager-sa, file: cert-manager-sa.yml, type: sa }
|
||||
- { name: cert-manager-clusterrole, file: cert-manager-clusterrole.yml, type: clusterrole }
|
||||
- { name: cert-manager-clusterrolebinding, file: cert-manager-clusterrolebinding.yml, type: clusterrolebinding }
|
||||
- { name: cert-manager-issuer-crd, file: cert-manager-issuer-crd.yml, type: crd }
|
||||
- { name: cert-manager-clusterissuer-crd, file: cert-manager-clusterissuer-crd.yml, type: crd }
|
||||
- { name: cert-manager-certificate-crd, file: cert-manager-certificate-crd.yml, type: crd }
|
||||
- { name: cert-manager-deploy, file: cert-manager-deploy.yml, type: deploy }
|
||||
register: cert_manager_manifests
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Cert Manager | Apply manifests
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ cert_manager_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ cert_manager_manifests.results }}"
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: certificates.certmanager.k8s.io
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
version: v1alpha1
|
||||
scope: Namespaced
|
||||
names:
|
||||
kind: Certificate
|
||||
plural: certificates
|
||||
shortNames:
|
||||
- cert
|
||||
- certs
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: clusterissuers.certmanager.k8s.io
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: ClusterIssuer
|
||||
plural: clusterissuers
|
||||
scope: Cluster
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
rules:
|
||||
- apiGroups: ["certmanager.k8s.io"]
|
||||
resources: ["certificates", "issuers", "clusterissuers"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: [""]
|
||||
# TODO: remove endpoints once 0.4 is released. We include it here in case
|
||||
# users use the 'master' version of the Helm chart with a 0.2.x release of
|
||||
# cert-manager that still performs leader election with Endpoint resources.
|
||||
# We advise users don't do this, but some will anyway and this will reduce
|
||||
# friction.
|
||||
resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["extensions"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["*"]
|
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: cert-manager
|
||||
release: cert-manager
|
||||
annotations:
|
||||
spec:
|
||||
serviceAccountName: cert-manager
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
args:
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
resources:
|
||||
requests:
|
||||
cpu: {{ cert_manager_cpu_requests }}
|
||||
memory: {{ cert_manager_memory_requests }}
|
||||
limits:
|
||||
cpu: {{ cert_manager_cpu_limits }}
|
||||
memory: {{ cert_manager_memory_limits }}
|
||||
|
||||
- name: ingress-shim
|
||||
image: {{ cert_manager_ingress_shim_image_repo }}:{{ cert_manager_ingress_shim_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
resources:
|
||||
requests:
|
||||
cpu: {{ cert_manager_cpu_requests }}
|
||||
memory: {{ cert_manager_memory_requests }}
|
||||
limits:
|
||||
cpu: {{ cert_manager_cpu_limits }}
|
||||
memory: {{ cert_manager_memory_limits }}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: issuers.certmanager.k8s.io
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
version: v1alpha1
|
||||
names:
|
||||
kind: Issuer
|
||||
plural: issuers
|
||||
scope: Namespaced
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
name: {{ cert_manager_namespace }}
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-0.2.5
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
|
@ -6,3 +6,10 @@ dependencies:
|
|||
- apps
|
||||
- ingress-nginx
|
||||
- ingress-controller
|
||||
|
||||
- role: kubernetes-apps/ingress_controller/cert_manager
|
||||
when: cert_manager_enabled
|
||||
tags:
|
||||
- apps
|
||||
- cert-manager
|
||||
- ingress-controller
|
||||
|
|
|
@ -96,4 +96,5 @@ volume_cross_zone_attachment: false
|
|||
## Encrypting Secret Data at Rest
|
||||
kube_encrypt_secret_data: false
|
||||
kube_encrypt_token: "{{ lookup('password', inventory_dir + '/credentials/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
|
||||
kube_encryption_algorithm: "aescbc" # Must be either: aescbc, secretbox or aesgcm
|
||||
# Must be either: aescbc, secretbox or aesgcm
|
||||
kube_encryption_algorithm: "aescbc"
|
||||
|
|
|
@ -174,6 +174,7 @@ local_volume_provisioner_enabled: "{{ local_volumes_enabled | default('false') }
|
|||
persistent_volumes_enabled: false
|
||||
cephfs_provisioner_enabled: false
|
||||
ingress_nginx_enabled: false
|
||||
cert_manager_enabled: false
|
||||
|
||||
## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461)
|
||||
# openstack_blockstorage_version: "v1/v2/auto (default)"
|
||||
|
|
|
@ -50,4 +50,4 @@ rbac_resources:
|
|||
# * can-reach=DESTINATION
|
||||
# * interface=INTERFACE-REGEX
|
||||
# see https://docs.projectcalico.org/v3.0/reference/node/configuration#ip-autodetection-methods
|
||||
#calico_ip_auto_method: "interface=eth.*"
|
||||
# calico_ip_auto_method: "interface=eth.*"
|
||||
|
|
|
@ -16,3 +16,5 @@ deploy_netchecker: true
|
|||
kubedns_min_replicas: 1
|
||||
cloud_provider: gce
|
||||
kube_encrypt_secret_data: true
|
||||
ingress_nginx_enabled: true
|
||||
cert_manager_enabled: true
|
||||
|
|
Loading…
Reference in a new issue